Identity governance confidence vs execution evidence: where teams miss risk


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1705
Topic starter  

TL;DR: Omada’s State of Identity Governance 2026, based on nearly 600 U.S. enterprise professionals, finds that confidence in identity security is high while evidence of consistent execution remains weak, especially as reporting still tracks activity more readily than risk and non-human identities expand. The real control gap is not belief, but provable governance at machine speed.

NHIMG editorial — based on content published by Omada Identity: Confidence In Identity Governance is High. Evidence of Execution is Not

By the numbers:

Questions worth separating out

Q: How should organisations prove identity governance is reducing risk, not just activity?

A: They should measure whether access decisions change exposure, not just whether workflows complete.

Q: Why do non-human identities make identity governance harder to measure?

A: Non-human identities multiply faster than human accounts, often across teams and platforms that do not share a single source of accountability.

Q: What do security teams get wrong about Zero Trust and identity governance?

A: They often treat Zero Trust as an integration label rather than a continuous operating requirement.

Practitioner guidance

  • Rebuild executive reporting around risk evidence: Replace throughput-first dashboards with measures that show whether risky access, orphaned accounts, and privilege drift are being reduced over time.
  • Map ownership for the full non-human identity estate: Assign a single accountable owner for each service account, token, certificate, and AI agent identity, even when administration is operationally distributed.
  • Validate Zero Trust signal consistency: Test whether identity, security, and governance tools exchange the same access state before relying on Zero Trust claims in leadership reporting.

What's in the full article

Omada Identity's full blog covers the operational detail this post intentionally leaves for the source:

  • Survey breakdown across nearly 600 U.S. enterprise identity, access management, and cybersecurity professionals.
  • Executive reporting patterns for provisioning, deprovisioning, audit readiness, and identity risk indicators.
  • How organisations are integrating Zero Trust principles into identity governance in practice.
  • The report’s findings on non-human identity ownership, GenAI automation, and agentic AI adoption.

👉 Read Omada Identity's analysis of the identity governance execution gap →

(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 254
 

Confidence is not evidence, and identity governance programmes that cannot prove execution are already behind. The report shows high belief in capability, but belief does not tell a board whether risky access was actually detected, constrained, or removed in time. That distinction matters because identity risk becomes more dynamic as automation expands. Leaders should treat confidence as a sentiment and execution evidence as the real control signal.

A few things that frame the scale:

A question worth separating out:

Q: Who should own non-human identity governance in a distributed environment?

A: Ownership should sit with a clearly accountable function, even if administration is shared across security, IAM, DevOps, and platform teams. Without a named owner for the full estate, access reviews, lifecycle actions, and risk reporting become fragmented. Clear accountability is the only way to make machine identities governable at scale.

👉 Read our full editorial: Confidence in identity governance is high, but execution evidence is thin



   