TL;DR: Cyber Security Tribe’s 2025 annual state of the industry report compares 350-plus cybersecurity professionals’ responses across people, process, and technology, giving practitioners a benchmark for priorities and maturity shifts from 2024 into 2026. The report is most useful as a programme calibration tool, not a vendor scorecard.
At a glance
What this is: This is a 2025 cybersecurity benchmarking report that compares survey responses across people, process, and technology to show how practitioner priorities are shifting.
Why it matters: It matters because IAM, NHI, and security leaders can use the benchmarks to spot where their governance model is lagging, especially as identity scope expands across humans, machines, and AI.
By the numbers:
- The survey gathered responses from over 350 cybersecurity professionals.
- The survey was conducted between December 2024 and January 2025.
👉 Read Cyera's state of the industry report for cybersecurity benchmarks and trends
Context
Cybersecurity benchmark reports matter because they show where practitioners are actually spending attention, not where strategy decks say they should. In identity programmes, that gap often shows up first in governance, where people, process, and technology controls drift apart as NHI and AI use cases expand.
This report is useful as a maturity reference point for teams comparing their current priorities against the wider market. The underlying question is not whether cybersecurity remains important, but whether existing operating models are keeping pace with the mix of human identity, NHI, and emerging autonomous access patterns.
Key questions
Q: How should teams use cybersecurity benchmark reports in identity governance planning?
A: Use them to compare your programme’s operating assumptions with peer priorities, then check whether the gaps are in people, process, or technology. For identity teams, the most useful benchmark is not a score alone but whether human and non-human access are governed with separate metrics, ownership, and review cycles. That is where hidden risk usually shows up.
Q: What does a people, process, and technology model miss in NHI governance?
A: It misses whether the identity subject is actually the same across controls. Human access, service accounts, secrets, and AI-driven access can sit inside one governance model while requiring different review cadences, owners, and enforcement points. If teams do not separate them operationally, benchmark data can make the programme look more mature than it really is.
Q: How can security leaders tell if their identity programme is over-focused on tooling?
A: If reporting tracks product deployment more closely than access ownership, exception closure, and lifecycle review, the programme is likely over-focused on tooling. A benchmark report should be used to test whether the organisation can explain who owns human access, who owns NHI access, and how quickly either one is revalidated.
Q: Why do annual cybersecurity reports matter for IAM teams?
A: Annual reports give a repeatable reference point for whether governance priorities are shifting in the market faster than internal programmes are adapting. For IAM teams, the value is in spotting whether the organisation is still treating identity as a human-only discipline or whether NHI and autonomous access are being built into the model.
Technical breakdown
People, process, and technology as a governance model
The report is structured around the familiar triptych of people, process, and technology, which remains a practical way to assess security programmes because most failures are cross-domain rather than purely technical. People covers skills, ownership, and decision-making. Process covers how work is governed, approved, and reviewed. Technology covers the controls and platforms that enforce policy. For identity teams, this matters because NHI governance often fails when one layer is mature and another is not, creating policy that cannot be enforced or monitoring that nobody owns.
Practical implication: map identity controls to all three layers so that NHI and IAM responsibilities do not stop at tool deployment.
Cybersecurity benchmarking as a maturity signal
Benchmarking is not just a comparison exercise. It is a way to identify whether a programme is keeping pace with peer expectations and operational reality. In security governance, benchmarks can expose where teams are overconfident, under-instrumented, or missing basic lifecycle discipline. For NHI, the useful question is whether the organisation can measure visibility, ownership, and accountability for non-human access in the same way it measures human access review outcomes.
Practical implication: use benchmarking results to test whether your identity governance metrics cover both human and non-human access.
Why survey data matters for identity programmes
Survey data gives a directional view of how security teams are prioritising risks across the market. That matters because identity programmes are often redesigned only after incident pressure or audit findings, not on a stable planning cycle. A report like this can help teams decide whether their current investment is skewed toward tooling, process, or operating model change. For NHI and autonomous access, the real value is in spotting whether the market is still treating identity as a human-only domain.
Practical implication: compare the report’s priority mix with your own roadmap to see whether identity governance is still human-centred.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Benchmark reports are most useful when they expose operating-model drift, not just sentiment. A report structured around people, process, and technology is valuable because identity failures usually happen at the seams between those layers. The key question for practitioners is whether their governance model still reflects the way access is actually granted, reviewed, and monitored across humans and non-human actors.
The identity programme risk here is not lack of data, but lack of cross-domain calibration. Cybersecurity teams often collect metrics for controls that are easy to count and ignore the ones that reveal accountability gaps. That is especially relevant for NHI governance, where ownership, review cadence, and exception handling can look strong on paper while still leaving machine access effectively ungoverned. Practitioners should treat the report as a calibration exercise, not a validation exercise.
People, process, and technology only work when the identity subject is clearly defined. Human IAM, NHI governance, and autonomous access management need different control assumptions even when they share the same operating framework. A programme that benchmarks only generic security priorities risks masking whether it is actually ready for service accounts, secrets, or AI-driven access paths.
Cybersecurity benchmarking increasingly needs to include non-human identity scope as a named category. The report’s value lies in reminding security leaders that maturity discussions are incomplete when they stop at human users. If organisations cannot separate human, machine, and autonomous access in their governance model, their benchmark scores may look stable while their actual identity risk is expanding.
Governance by survey cadence: This type of annual benchmark reflects a broader assumption that identity risk can be understood on a yearly planning cycle. That assumption weakens as NHI populations, cloud access patterns, and AI-assisted workflows change faster than annual review cycles. Practitioners should rethink whether their governance cadence matches the speed of access change.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- A separate finding shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which is why governance gaps persist even when teams believe their controls are broad enough.
- For a deeper control lens, see Ultimate Guide to NHIs, Key Challenges and Risks, which connects visibility gaps, over-privilege, and lifecycle exposure into one operating model.
What this signals
The market is moving toward broader identity governance language, but many programmes still measure only what is easy to count. With only 44% of organisations having implemented any policies to manage AI agents, according to the 2026 Infrastructure Identity Survey, the gap is already structural, not hypothetical.
Governance by annual snapshot: This report reinforces a familiar problem in security management, which is that annual benchmarking can hide rapid access churn between review points. Organisations need identity metrics that update with the pace of change across humans, service accounts, and emerging AI-driven workloads.
Practitioners should use this kind of benchmark to challenge whether their current programme can distinguish between human access confidence, NHI ownership, and autonomous access accountability. If those are being reported together, the programme is likely less mature than the dashboard suggests.
For practitioners
- Re-baseline identity governance against all three operating dimensions: Map current controls to people, process, and technology and identify where human IAM coverage does not extend cleanly to service accounts, API keys, tokens, and AI-driven access paths.
- Separate human and non-human benchmarks in reporting: Track visibility, ownership, lifecycle, and exception handling for NHIs separately from human access review metrics so that one group’s maturity does not hide the other’s gaps.
- Use the report as a roadmap checkpoint: Compare your current 2025 and 2026 priorities against peer benchmarks to see whether remediation work is still centred on tooling when operating-model change is the real constraint.
- Assign explicit ownership for NHI governance metrics: Make one team accountable for measuring non-human access scope, review cadence, and exception closure so that NHI control performance does not become an orphaned metric.
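To make the "separate benchmarks" and "explicit ownership" steps concrete, here is an added example (written for this page, not code from the report or from NHIMG) that computes ownership, in-cadence review and exception-closure percentages separately for human and non-human identities from a constructed inventory, then lists the metrics a combined dashboard would pass while the NHI subset fails. The identity kinds, review cadences and inventory are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class Identity:
    name: str
    kind: str                    # human, service_account, api_key, token, ai_agent
    owner: Optional[str]         # accountable owner; None means orphaned
    last_review: Optional[date]  # last completed access review
    open_exceptions: int         # unresolved policy exceptions

CADENCE_DAYS = {"human": 90, "nhi": 30}   # assumed policy values
METRICS = ("owned_pct", "reviewed_pct", "exception_free_pct")

def identity_class(ident: Identity) -> str:
    return "human" if ident.kind == "human" else "nhi"

def governance_metrics(inventory: List[Identity], today: date) -> Dict[str, Dict[str, int]]:
    """Per-class and combined percentages for ownership, in-cadence review, exception closure."""
    groups: Dict[str, List[Identity]] = {"human": [], "nhi": [], "combined": []}
    for ident in inventory:
        groups[identity_class(ident)].append(ident)
        groups["combined"].append(ident)
    result: Dict[str, Dict[str, int]] = {}
    for cls, ids in groups.items():
        n = len(ids)
        pct = lambda k: round(100 * k / n) if n else 0   # empty class reports 0%
        owned = sum(1 for i in ids if i.owner)
        reviewed = sum(1 for i in ids if i.last_review is not None
                       and (today - i.last_review).days <= CADENCE_DAYS[identity_class(i)])
        clean = sum(1 for i in ids if i.open_exceptions == 0)
        result[cls] = {"count": n, "owned_pct": pct(owned),
                       "reviewed_pct": pct(reviewed), "exception_free_pct": pct(clean)}
    return result

def masked_gaps(metrics: Dict[str, Dict[str, int]], threshold: int = 80) -> List[str]:
    """Metrics that pass the threshold on the combined dashboard but fail for NHIs alone."""
    return [m for m in METRICS
            if metrics["combined"][m] >= threshold and metrics["nhi"][m] < threshold]

# Constructed inventory: eight well-governed humans and four patchily governed NHIs.
TODAY = date(2025, 6, 30)
INVENTORY = [Identity(f"user{i}", "human", "it-ops", date(2025, 6, 1), 0) for i in range(8)] + [
    Identity("svc-backup", "service_account", "platform", date(2025, 3, 1), 0),  # review overdue
    Identity("key-ci", "api_key", None, None, 1),                # orphaned, never reviewed
    Identity("tok-etl", "token", None, date(2025, 6, 20), 0),    # reviewed, but no owner
    Identity("agent-triage", "ai_agent", "secops", None, 2),     # owned, open exceptions
]

if __name__ == "__main__":
    m = governance_metrics(INVENTORY, TODAY)
    for cls in ("human", "nhi", "combined"):
        print(cls, m[cls])
    print("gaps hidden by combined reporting:", masked_gaps(m))
```

With this inventory the combined view reports 83% ownership and 83% exception closure, while the NHI subset sits at 50% on both; only the review-cadence metric is weak enough to show through the aggregate.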
Key takeaways
- This report is best read as a governance benchmark, not a procurement signal.
- The survey’s value lies in showing how cybersecurity priorities are distributed across people, process, and technology.
- Identity teams should use the findings to test whether human, NHI, and autonomous access are measured with separate controls and ownership.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | The report is fundamentally about programme context and operating-model maturity. |
| OWASP Non-Human Identity Top 10 | NHI-03 | NHI visibility and lifecycle gaps are a recurring identity risk theme in this report. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Benchmarking identity controls only works if access is continuously governed. |
Use CSF governance to align identity reporting with business context and ownership.
Key terms
- Cybersecurity Benchmarking: Cybersecurity benchmarking is the practice of comparing a programme’s priorities, controls, and maturity against peer data or prior-year results. In identity security, it is useful only when the comparisons reveal whether governance, not just tooling, is keeping pace with the changing access landscape.
- People, Process, And Technology: People, process, and technology is a simple operating model used to examine whether security capability is supported by ownership, repeatable workflows, and enforceable controls. For identity programmes, it helps show when one layer is mature while the others still leave human or non-human access exposed.
- Identity Governance: Identity governance is the discipline of defining, approving, reviewing, and revoking access across identities and systems. It covers humans, service accounts, secrets, and increasingly AI-driven access, with the core test being whether the organisation can explain who has access, why, and for how long.
Deepen your knowledge
Cybersecurity benchmarking and identity governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is still comparing humans and non-humans through the same lens, this is a useful next step.
This post draws on content published by Cyera: Cyber Security Tribe's 2025 Annual State of the Industry Report. Read the original.
Published by the NHIMG editorial team on 2026-02-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org