TL;DR: Identity governance and administration projects still take 42 months on average and remain incomplete despite $3 billion spent on technology last year, according to Gartner cited in Orchid Security’s post. The deeper problem is structural: complexity now exceeds what manual IAM operations can reliably govern, so identity programmes need better intelligence, not just more tooling.
NHIMG editorial — based on content published by Orchid Security: Identity is in bloom, and the identity market is still fragmented
By the numbers:
- The average identity governance and administration project takes 42 months and remains incomplete.
Questions worth separating out
Q: How should security teams reduce fragmentation in identity governance programmes?
A: Start by defining one governance operating model for lifecycle, access review, and evidence collection across all major identity types.
Q: When do LLMs help identity governance, and when do they not?
A: LLMs help when the task is interpretation, summarisation, correlation, or triage across complex identity data.
Q: What do teams get wrong about identity governance and administration projects?
A: They often treat IGA as a software rollout instead of an operating-model redesign.
Practitioner guidance
- Measure governance completeness across the identity estate Track how many applications, service accounts, and access paths are actually covered by certification, lifecycle, and evidence workflows.
- Map where identity evidence breaks between systems Document where entitlement data is created, transformed, and lost across IAM, IGA, PAM, and downstream operational tools.
- Use LLMs for interpretation, not approval authority Apply machine intelligence to summarise policy context, cluster access anomalies, and reduce manual triage time.
What's in the full article
Orchid Security's full blog post covers the operational detail this post intentionally leaves for the source:
- The vendor's explanation of how its LLM approach is intended to process identity complexity across large estates.
- The specific market argument for why fragmented IAM and IGA environments need a new intelligence layer.
- The customer-facing framing around scaling identity governance through partners and delivery teams.
- The broader business narrative behind the company's position in the identity market.
👉 Read Orchid Security's perspective on why identity governance remains fragmented →
Identity governance fragmentation: what IAM teams are missing?
Explore further
Fragmentation, not lack of tools, is the real identity governance failure mode. The post’s strongest argument is that the market is fragmented because no consensus operating model exists for solving identity governance at enterprise scale. That is a governance problem, not a procurement problem. When access, application context, and compliance evidence are distributed across too many systems, the programme cannot keep a stable control picture. The practitioner implication is to assess whether your identity stack produces decision-ready evidence or only more inventory.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
A question worth separating out:
Q: How can organisations tell whether identity governance is actually working?
A: Look for complete coverage of key applications, consistent evidence for access decisions, and short paths from detected exceptions to remediation. If certifications exist but do not change entitlement state, or if lifecycle actions remain manual and delayed, governance is only partially functioning.
👉 Read our full editorial: Identity governance is still fragmented because the tooling model is incomplete