
IAM failures and personal CISO liability: what teams should change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: Identity and access management failures are increasingly tied to personal CISO exposure, with over half fearing they could be fired after a breach and 40% worrying about personal liability, according to Cerbos. The real issue is not tooling presence but fragmented governance, weak identity proofing, and controls that do not produce reliable accountability.

NHIMG editorial — based on content published by Cerbos: IAM failures, CISO accountability, and the hidden challenges of modern identity governance

By the numbers:

Questions worth separating out

Q: How should security teams reduce IAM failures that create executive liability?

A: They should treat identity governance as a measurable control programme, not a collection of tools.

Q: Why do organisations with many IAM tools still struggle with governance?

A: Because tool count does not equal control quality.

Q: What should organisations look for in a stronger onboarding process?

A: They should look for identity proofing that matches the risk of the role, especially for remote hires and contractors.

Practitioner guidance

  • Rebuild identity source-of-truth ownership: Assign named owners for authoritative identity attributes, then reconcile HR, directory, IAM, and application records on a fixed cadence so access reviews use a single evidence set.
  • Raise identity proofing assurance at onboarding: Use stronger verification for remote employees and contractors, including document checks, live identity validation, and fraud screening where risk warrants it.
  • Move high-risk access to policy-driven decisions: Externalise sensitive authorisation decisions so device context, role, and request risk are evaluated at runtime rather than buried inside application code.
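The third point above, as an added example that is not Cerbos' code or API: a small policy decision point in Python that evaluates role, device context and request risk at runtime, denies by default, and writes an audit record naming the decisive rule, so each decision carries its own evidence. The principals, rules and risk scores are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed example: a minimal policy decision point (PDP). Role, device
# context and request risk are evaluated here at runtime instead of being
# hard-coded in the application. This is not Cerbos' engine or API.
@dataclass
class Principal:
    id: str
    roles: set
    device_managed: bool

@dataclass
class Request:
    action: str         # "read", "write" or "export"
    resource_kind: str  # e.g. "customer_records"
    sensitivity: str    # "low" or "high"
    risk_score: int     # 0-100, supplied by the caller's risk engine

# Rules are (rule_id, effect, predicate). Deny overrides allow, and a
# request that matches no allow rule is denied (default deny).
POLICY = [
    ("deny-high-risk", "deny", lambda p, r: r.risk_score >= 80),
    ("deny-unmanaged-write", "deny",
     lambda p, r: r.action in {"write", "export"} and not p.device_managed),
    ("allow-read-low", "allow",
     lambda p, r: r.action == "read" and r.sensitivity == "low"),
    ("allow-analyst-read-high", "allow",
     lambda p, r: r.action == "read" and r.sensitivity == "high" and "analyst" in p.roles),
    ("allow-admin-write-high", "allow",
     lambda p, r: r.action in {"write", "export"} and r.sensitivity == "high"
     and "admin" in p.roles and r.risk_score < 50),
]

def decide(principal, request, audit_log):
    """Return "allow" or "deny" and append an audit record naming the decisive rule."""
    matched = [(rid, eff) for rid, eff, pred in POLICY if pred(principal, request)]
    denies = [rid for rid, eff in matched if eff == "deny"]
    allows = [rid for rid, eff in matched if eff == "allow"]
    decision, rule = (("deny", denies[0]) if denies else
                      ("allow", allows[0]) if allows else ("deny", "default-deny"))
    audit_log.append({"principal": principal.id, "action": request.action,
                      "resource": request.resource_kind, "decision": decision,
                      "rule": rule, "risk": request.risk_score,
                      "managed_device": principal.device_managed})
    return decision

if __name__ == "__main__":
    log = []
    bob = Principal("bob", {"analyst"}, device_managed=False)
    print(decide(bob, Request("write", "customer_records", "high", 20), log), log[-1])
```

Because the rules live outside the application, tightening the risk threshold or adding a device requirement changes one policy list rather than every code path, and the audit log shows which rule produced each outcome.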

What's in the full article

Cerbos' full analysis covers the operational detail this post intentionally leaves for the source:

  • Specific examples of how fragmented identity tooling creates blind spots across HR, IAM, and application ownership.
  • Practical onboarding and identity proofing checks discussed for remote hiring and contractor workflows.
  • Runtime authorisation patterns for dynamic policy decisions in enterprise software.
  • Leadership and reporting considerations for turning identity metrics into board-level risk evidence.

Read Cerbos' analysis of why IAM failures are now a CISO liability issue.
