
Identity governance stalls: what’s breaking in your operating model?


(@nhi-mgmt-group)

TL;DR: EMA’s January 2026 survey of 135 enterprise IT leaders found that 30% of organisations have scaled back IGA or Zero Trust programs, and 56.4% of that group reported an identity-related breach in the past year versus 18.7% of those that did not, according to Omada Identity. The pattern shows that governance risk concentrates where integration, complexity, and scaling failures outrun the operating model.

NHIMG editorial — based on content published by Omada Identity: Where Identity Governance Stalls, Breach Risk Concentrates

By the numbers:

Questions worth separating out

Q: How should organisations stop identity governance from stalling in practice?

A: Treat IGA as an operating model problem first.

Q: Why does scaled-back governance increase breach risk?

A: When governance slows, access drift and privilege creep continue even if no single control fails outright.

Q: How do teams know if IGA is actually working?

A: Look for evidence that entitlement changes are being governed before access expands beyond need.

Practitioner guidance

  • Test IGA resilience against real integration paths: Map the systems, directories, and applications that must exchange identity data, then validate whether joins, movers, leavers, and exceptions still work when scale increases.
  • Measure privilege creep as a programme health signal: Track entitlement growth, role expansion, and unresolved exceptions between reviews so you can see whether access is accumulating faster than governance can correct it.
  • Separate control requirements from platform defaults: Write down the non-negotiable control requirements for audit, ownership, and data residency, then compare the platform’s operating model against those needs instead of accepting the easiest workflow path.

What's in the full article

Omada Identity's full blog covers the operational detail this post intentionally leaves for the source:

  • Survey breakdown across 135 enterprise decision-makers and practitioners, including how the data was gathered and interpreted
  • Detailed discussion of why 60.7% cite integration challenges and 53.3% cite complexity as the main IGA blockers
  • The full control-model argument behind AI-assisted decisions, human accountability, and vendor-agnostic best practices
  • Deployment model discussion covering on-premises, private cloud, and customer-tenant cloud options for regulated environments

👉 Read Omada Identity's analysis of why identity governance stalls and breach risk concentrates →

(@mr-nhi)
 

Identity governance does not fail because leaders stop valuing it. It fails because the operating model cannot preserve control quality under integration pressure, scaling pressure, and daily exception handling. The article’s data shows that strategic support remains high while execution breaks down, which is exactly why sustainability has become the real measure of programme quality. Practitioners should read this as an operating-model problem, not a tooling preference.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.

A question worth separating out:

Q: Who is accountable when an identity governance programme fails?

A: Accountability sits with the operating model owner, not just the product owner. If control requirements, deployment architecture, and human review processes are not aligned, the programme can look compliant while still allowing exposure to build. Governance needs an explicit owner for the control outcome, not only for the platform.

👉 Read our full editorial: Identity governance stalls when operating models cannot scale



   