TL;DR: Identity-related breaches now average $4.4 million, with detection and escalation alone costing $1.47 million and mean containment taking 241 days, according to IBM’s 2025 Cost of a Data Breach Report. The financial case has shifted from compliance support to proactive identity governance as a core control for reducing breach loss, audit friction, and operational waste.
NHIMG editorial — based on content published by Gathid: identity governance as a CFO risk control
By the numbers:
- Healthcare is the most expensive industry for breaches at $7.42 million.
- The mean time it took defenders to identify and contain a breach was 241 days.
Questions worth separating out
Q: How should finance teams evaluate identity governance spend?
A: Finance teams should evaluate identity governance by the cost it prevents, not just the cost it adds.
Q: Why do poor identity controls create hidden business costs?
A: Poor identity controls create hidden business costs because they force teams to spend time proving who has access, why they have it, and whether it should still exist.
Q: What should organisations prioritise first in identity governance?
A: Organisations should prioritise the highest-cost access problems first: orphaned accounts, excessive privilege, and manual review bottlenecks.
Practitioner guidance
- Recast identity governance in financial terms: map identity controls to breach loss, audit labour, and downtime exposure so budget decisions reflect avoided cost rather than tool count.
- Quantify manual governance overhead: measure the time spent on access reviews, exception handling, and reconciliation across human accounts, service accounts, and machine access.
- Reduce standing access and orphaned entitlements: prioritise removal of unused accounts, excessive roles, and access paths without a clear business owner, because each one adds recurring risk and support cost.
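To make the third item concrete, here is an added example (not code from Gathid or from the source article) that triages a constructed identity inventory for the three high-cost access problems named above and reports the counts a finance-facing dashboard could track. Role names, the 90-day unused threshold, and the inventory records are all assumptions constructed for illustration.

```python
"""Entitlement hygiene triage over a constructed identity inventory.

Flags orphaned accounts (no live owner), unused standing access, and
excessive privilege on non-human accounts, then rolls them into metrics.
All records below are constructed sample data, not real accounts.
"""
from dataclasses import dataclass, field
from typing import Optional

PRIVILEGED_ROLES = {"GlobalAdmin", "DBA", "SecretsAdmin"}  # assumed role names
UNUSED_DAYS = 90                                            # assumed review threshold

@dataclass
class Account:
    name: str
    kind: str                  # "human" or "service"
    owner: Optional[str]       # accountable person, None if nobody claims it
    days_since_use: int
    roles: set = field(default_factory=set)

ACTIVE_PEOPLE = {"alice", "bob"}   # constructed HR "active employee" feed

INVENTORY = [  # constructed sample inventory
    Account("alice", "human", "alice", 2, {"Reader"}),
    Account("bob", "human", "bob", 5, {"DBA"}),
    Account("carol", "human", "carol", 120, {"GlobalAdmin"}),  # left the company
    Account("svc-backup", "service", "bob", 1, {"Reader"}),
    Account("svc-legacy-etl", "service", None, 400, {"DBA", "SecretsAdmin"}),
    Account("ci-deployer", "service", "alice", 3, {"GlobalAdmin"}),
]

def orphaned(inv):
    # No owner at all, or an owner who is no longer an active employee.
    return [a.name for a in inv if a.owner is None or a.owner not in ACTIVE_PEOPLE]

def unused(inv, days=UNUSED_DAYS):
    return [a.name for a in inv if a.days_since_use > days]

def excessive(inv):
    # Service accounts holding privileged roles: standing non-human admin access.
    return [a.name for a in inv if a.kind == "service" and a.roles & PRIVILEGED_ROLES]

def governance_metrics(inv):
    """Counts that can be tracked over time as a cost-control indicator."""
    o, u, e = set(orphaned(inv)), set(unused(inv)), set(excessive(inv))
    return {
        "orphaned": len(o),
        "unused": len(u),
        "excessive_privilege": len(e),
        "unresolved_entitlements": len(o | u | e),  # distinct accounts needing action
        "priority": sorted(o & (u | e)),             # orphaned AND risky: fix first
    }

if __name__ == "__main__":
    print(governance_metrics(INVENTORY))
```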
What's in the full article
Gathid's full article covers the operational detail this post intentionally leaves for the source:
- Specific examples of how cloud-native identity governance platforms reduce manual access review work
- Implementation framing for knowledge graph technology and digital twins for identity in hybrid estates
- The article's CFO-oriented discussion of budget prioritisation, operational efficiency, and governance ROI
- How the vendor positions identity governance as a tool for audit preparation and internal control improvement
👉 Read Gathid's analysis of identity governance as a CFO risk control → Identity governance: the cost control finance teams are missing?
Explore further
Identity governance is a balance-sheet control, not a security luxury. The article is right to frame access governance as a way to reduce financial loss, because identity failures increase both breach probability and recovery cost. The cost is not limited to incident response. It also shows up in audit friction, lost productivity, and duplicated tooling. Practitioners should treat identity control maturity as a measurable enterprise cost lever.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: How can security and finance leaders align on identity risk?
A: Security and finance leaders align best when identity risk is expressed as cash impact, time impact, and control reliability. That means using metrics such as detection time, review effort, audit preparation hours, and the number of unresolved entitlements. Shared metrics turn identity governance from a technical debate into a capital allocation decision.
👉 Read our full editorial: Identity governance is a CFO risk control, not an IT line item