Identity governance in 2025: are current IAM controls keeping up?

TL;DR: Omada’s 2025 State of Identity Governance Report says 95% of leaders now treat identity security as a critical part of cyber strategy, while more than 86% are worried about identity-based threats, based on a survey of over 500 IT and business executives. The evidence points to a governance gap, where manual processes, TCO pressure, and cloud migration are still slowing effective IGA.

NHIMG editorial — based on content published by Omada Identity: State of Identity Governance Report 2025

By the numbers:

• 95 percent of leaders now treat identity security as a critical component of their overall cybersecurity strategy.
• 86 percent express concern about the risks of, e risks of identity-based threats.

Questions worth separating out

Q: How should organisations improve identity governance without making reviews slower?

A: Start by measuring where governance work stalls, then automate the repeatable steps that do not require human judgement.

Q: Why do manual access reviews fail in modern IAM programmes?

A: Manual reviews fail because they cannot reliably keep pace with access change velocity.

Q: How can teams tell whether identity governance is actually working?

A: Look for three signals: review completion on schedule, revocation after exceptions, and clean evidence for auditors or control owners.

Practitioner guidance

• Baseline governance throughput against access change velocity Measure how long it takes to approve, certify, and revoke access across employees, contractors, applications, and service identities.
• Replace spreadsheet recertification with evidence-backed workflows Move access reviews into systems that can prove who approved what, when exceptions were granted, and when revocation actually occurred.
• Extend lifecycle governance to non-human identities Apply the same joiner-mover-leaver discipline to service accounts, API keys, tokens, and certificates that you apply to employees.

What's in the full report

Omada Identity's full report covers the operational detail this post intentionally leaves for the source:

• Survey cuts by role and responsibility, including identity governance, compliance, cybersecurity, and IT management
• The full breakdown of what respondents said about SaaS-based IGA adoption and current platform constraints
• Additional commentary on why AI and automation are becoming selection criteria for IGA decisions
• The webinar tied to the report findings, for teams that want the original presentation format

👉 Read Omada Identity's 2025 State of Identity Governance Report →

Identity governance in 2025: are current IAM controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →