TL;DR: Identity is now the top ROI security investment, yet 63% of organisations still sit in the earliest maturity stages and struggle with manual provisioning, fragmented tools, and static controls, according to SailPoint’s 2025 Horizons of Identity Security report, which is based on responses from 375 identity leaders and was produced with McKinsey. That divide shows why identity programmes now need AI agent governance, machine identity security, and policy automation to stay relevant.
At a glance
What this is: SailPoint’s 2025 Horizons of Identity Security report says identity security has become the highest-ROI control area, but most organisations remain in early maturity stages.
Why it matters: The same maturity gap now spans human IAM, NHI governance, and emerging autonomous identity patterns, so identity teams that lag are also lagging in security and business automation.
By the numbers:
- 63% of responding organisations remain stuck in the earliest stages of identity maturity, relying on manual provisioning, fragmented tools, and static controls in an increasingly dynamic, AI-driven world.
- Only 25% of organisations view identity as a true business enabler, while 57% still treat it as a security control or compliance checkbox.
👉 Read SailPoint's analysis of the 2025 Horizons of Identity Security report
Context
Identity security now sits at the centre of how enterprises coordinate access, workflows, and decision-making across human users, machine identities, and AI-enabled systems. The problem is not whether identity matters. The problem is that many programmes still run on manual provisioning, fragmented tools, and static controls that cannot keep pace with dynamic environments.
This report frames the gap as a maturity divide rather than a point-in-time tooling issue. For IAM, NHI, and security architecture teams, that matters because the same operational weakness can show up as delayed onboarding for people, weak lifecycle governance for service accounts, or poor control over AI-driven access decisions.
Key questions
Q: How should organisations measure identity security maturity across human and non-human identities?
A: Measure maturity by how consistently identity decisions are automated, governed, and synchronised across people, service accounts, workloads, and AI-enabled actors. Strong programmes reduce manual provisioning, close lifecycle gaps, and apply repeatable policy enforcement across systems. If control quality varies by actor type, the programme is still fragmented and not yet operating as a mature identity layer.
Q: Why do fragmented identity tools slow down security and business automation?
A: Fragmented tools create inconsistent data, delayed policy enforcement, and duplicated workflows, which makes identity harder to trust as an operating layer. That slows onboarding, certification, and access changes, and it also weakens automation because each system sees a different version of the identity record. The result is more friction, not more control.
Q: When should teams prioritise identity data cleanup over new IAM features?
A: They should prioritise cleanup when synchronisation is unreliable, access reviews are noisy, or policy automation produces inconsistent results. New features cannot compensate for broken data quality because the control plane inherits those errors. Clean identity data is the prerequisite for scaling governance, especially when multiple identity types share the same programme.
Q: What should security leaders do when identity is still treated as a compliance checkbox?
A: They should reframe identity as strategic infrastructure and tie it to measurable business outcomes such as faster onboarding, better workflow automation, and lower operational drag. If identity is only funded as a control, it will remain reactive. Mature programmes justify investment by showing how governance supports resilience and execution.
Technical breakdown
Identity maturity and policy automation
Identity maturity is the progression from manual, ticket-driven administration to policy-driven, real-time control. In the lower stages, provisioning, certification, and policy enforcement are handled with disconnected tools and human effort, which creates lag and inconsistency. In the higher stages, identity data is synchronised across systems, and access decisions can respond to context rather than static role assignment. That matters because identity is no longer just an access directory. It has become the control plane for enforcing governance across systems, apps, and workloads.
Practical implication: Practitioners should map where manual work still drives identity decisions and identify which controls can be converted to policy automation first.
AI agent governance and machine identity security
The report points to AI agent governance and machine identity security as capabilities that now distinguish mature programmes. AI-enabled operations can improve real-time synchronisation and unify policy across hybrid and cloud environments, but only if the identity layer can govern non-human actors with clear lifecycle, privilege, and policy rules. Machine identities and AI agents behave differently from people because they can act at system speed and scale. That changes the governance requirement from periodic review to continuous control over issuance, scope, and revocation.
Practical implication: Security teams should treat AI agents and machine identities as first-class governed identities, not as side effects of application or automation work.
Identity data quality and deployment success
The report ties implementation outcomes to the quality of identity data and the repeatability of deployment. Clean identity data, tiered governance, and reusable templates improve the likelihood of successful rollout and reduce budget overruns. That is a technical and operational issue, not just a programme management issue, because bad identity data breaks synchronisation, certification accuracy, and policy decisions. Mature identity programmes do not simply buy more tooling. They reduce entropy in the data that the tooling depends on.
Practical implication: Teams should prioritise data remediation and reusable operating patterns before expanding the scope of identity automation.
NHI Mgmt Group analysis
The real divide is no longer between secure and insecure identity programmes, but between static and adaptive control models. The report shows that many organisations still depend on manual provisioning and fragmented tooling even as identity becomes the coordination layer for people, workloads, and AI-enabled systems. That means the core failure is architectural, not just operational. Organisations should judge maturity by whether identity can make real-time decisions across actor types, not by how much activity has been ticketed.
AI agent governance changes the identity problem because the actor can initiate, sequence, and accelerate access decisions at runtime. Once identity is no longer just a record of a human or service account, policy design must account for autonomous or semi-autonomous execution paths that move faster than review cycles. That alters the control logic for least privilege, lifecycle governance, and accountability. Practitioners need to separate automation from governance and stop assuming that existing IAM patterns will scale unchanged.
Identity data quality has become a security control, not an implementation detail. The report’s emphasis on cleaner data, tiered governance, and reusable templates reflects a broader truth: policy engines only work when the underlying identity records are reliable. Fragmented identity data produces inconsistent entitlements, weak certification outcomes, and failed synchronisation across platforms. The implication is straightforward. Programme leaders should treat identity hygiene as part of control design, not as back-office maintenance.
“The Great Divide” is a useful named concept because it describes how identity maturity now separates business acceleration from control drag. Mature programmes are not only safer. They are more able to support M&A integration, operational automation, and AI-assisted workflows without adding unmanaged access risk. That makes identity a strategic infrastructure decision. The practical conclusion is that security teams must align identity roadmaps with business transformation roadmaps.
Higher maturity now depends on governance that spans human IAM, NHI, and AI-driven identity behaviour in one operating model. The article makes clear that the next horizon is not a single tool category. It is the ability to govern different identity types with a shared policy and lifecycle discipline. That is where many programmes will stall if they keep treating each domain separately. Leaders should build cross-domain identity governance rather than isolated control stacks.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is a reminder that identity programmes still struggle with the basics of governance.
- The governance response starts with lifecycle control, so the Ultimate Guide to NHIs, Why NHI Security Matters Now, is the right next resource for teams building programme urgency.
What this signals
Identity maturity will increasingly be judged by whether policy can move at system speed. The organisations that stay stuck in manual provisioning and fragmented control loops will not just trail in security outcomes; they will also struggle to support business automation without creating access debt. That is why the question for programmes is no longer whether to automate, but whether the identity layer is clean enough to trust when automation scales.
The Great Divide is also a lifecycle problem. As identity expands across humans, service accounts, and AI-enabled actors, teams will need one governance model that can distinguish between stable human access, persistent machine access, and runtime-driven agent behaviour. For readers mapping next steps, the biggest signal is whether lifecycle processes still assume access changes happen slowly enough to review.
When identity becomes the coordination layer for the enterprise, the practical risk is not only breach exposure. It is the accumulation of invisible control debt across platforms, business units, and identity types, and that debt compounds until policy no longer reflects how work actually happens.
For practitioners
- Map identity maturity by actor type: Separate current-state controls for human users, service accounts, workloads, and AI-enabled identities so you can see where manual control still dominates. This exposes whether the maturity gap is concentrated in one domain or spread across the whole programme.
- Remove fragmentation from identity data flows: Standardise identity sources of truth and reduce duplicated records before expanding automation. Clean data is what makes synchronisation, certification, and policy enforcement reliable across hybrid and cloud environments.
- Treat AI agent governance as a first-class programme stream: Define ownership, scope, and lifecycle rules for AI-enabled identities before they are embedded into business workflows. If the programme cannot explain who approves, monitors, and revokes agent access, governance is incomplete.
- Build reusable governance templates: Use standard policy, certification, and deployment patterns across business units to reduce rollout variation and budget overruns. Reuse lowers implementation risk and helps teams scale without recreating control design for every system.
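To make the first and third items concrete, here is an added illustration (not code from the report, SailPoint, or NHIMG) that scores a constructed identity inventory per actor type, counting the lifecycle gaps the text names: missing owner, manual provisioning, stale review, and non-expiring non-human credentials. The record fields, sample identities, and 90-day review window are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inventory; field names and values are assumptions, not report data.
AS_OF = date(2025, 12, 15)
REVIEW_WINDOW_DAYS = 90  # assumed certification cadence
INVENTORY = [
    {"id": "alice", "type": "human", "owner": "hr", "provisioning": "policy",
     "reviewed": date(2025, 11, 1), "expires": None},
    {"id": "bob", "type": "human", "owner": "hr", "provisioning": "ticket",
     "reviewed": date(2025, 3, 1), "expires": None},
    {"id": "svc-billing", "type": "service_account", "owner": None,
     "provisioning": "ticket", "reviewed": None, "expires": None},
    {"id": "svc-etl", "type": "service_account", "owner": "data-eng",
     "provisioning": "policy", "reviewed": date(2025, 12, 1), "expires": date(2026, 3, 1)},
    {"id": "wl-api-prod", "type": "workload", "owner": "platform",
     "provisioning": "policy", "reviewed": date(2025, 12, 1), "expires": date(2025, 12, 16)},
    {"id": "agent-triage", "type": "ai_agent", "owner": None,
     "provisioning": "manual", "reviewed": None, "expires": None},
]

def lifecycle_gaps(rec, today=AS_OF):
    """Return the governance gaps for one record, in a fixed order."""
    gaps = []
    if rec["owner"] is None:
        gaps.append("no_owner")
    if rec["provisioning"] != "policy":  # still ticket- or hand-driven
        gaps.append("manual_provisioning")
    if rec["reviewed"] is None or (today - rec["reviewed"]).days > REVIEW_WINDOW_DAYS:
        gaps.append("stale_review")
    if rec["type"] != "human" and rec["expires"] is None:  # non-human credentials must expire
        gaps.append("no_expiry")
    return gaps

def maturity_by_actor_type(inventory, today=AS_OF):
    """Per actor type: total records, fully governed records, and a count of each gap."""
    out = defaultdict(lambda: {"total": 0, "fully_governed": 0, "gaps": defaultdict(int)})
    for rec in inventory:
        bucket = out[rec["type"]]
        bucket["total"] += 1
        gaps = lifecycle_gaps(rec, today)
        if not gaps:
            bucket["fully_governed"] += 1
        for gap in gaps:
            bucket["gaps"][gap] += 1
    return {t: {**b, "gaps": dict(b["gaps"])} for t, b in out.items()}

def weakest_actor_type(report):
    """Actor type with the lowest share of fully governed identities."""
    return min(report, key=lambda t: report[t]["fully_governed"] / report[t]["total"])
```

Running `maturity_by_actor_type(INVENTORY)` on the sample shows the gap concentrated in the AI agent and service-account buckets, which is the "where does manual control still dominate" view the first item asks for.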
Key takeaways
- Identity security has become a business and security infrastructure issue, not a back-office admin task.
- Most organisations are still operating with manual, fragmented identity controls that cannot keep up with AI-driven environments.
- The fastest path to better ROI is cleaner identity data, stronger lifecycle governance, and policy automation that spans human and non-human identities.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Identity access decisions here depend on consistent entitlement governance. |
| OWASP Non-Human Identity Top 10 | NHI-03 | The report explicitly points to machine identity security and lifecycle control. |
| NIST Zero Trust (SP 800-207) | RA | Real-time policy enforcement and synchronisation align with continuous verification. |
Apply NHI lifecycle and rotation discipline to machine identities before expanding automation.
Key terms
- Identity maturity: Identity maturity is the degree to which an organisation can govern access through repeatable, data-driven, and policy-based controls. Higher maturity means identity is synchronised across systems, lifecycle processes are more automated, and access decisions are less dependent on manual intervention.
- Machine identity security: Machine identity security is the control discipline for service accounts, workloads, tokens, and other non-human identities that authenticate without a person behind them. It focuses on issuance, scope, rotation, revocation, and visibility so these identities can be governed with the same rigour as human access.
- Policy automation: Policy automation is the use of rules and identity data to make access decisions and governance actions happen with minimal manual handling. In mature programmes it reduces delay and inconsistency, but it only works when the underlying identity records are clean and the policy model matches reality.
- The Great Divide: The Great Divide is a shorthand for the widening gap between organisations that treat identity as static administration and those that use it as adaptive infrastructure. It describes a maturity and business-performance split, not a vendor category, and it becomes sharper as AI and machine identities grow.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by SailPoint: The great divide, insights from the 2025 Horizons of Identity Security report. Read the original.
Published by the NHIMG editorial team on 2025-12-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org