TL;DR: Identity-related breaches now average $4.4 million, with detection and escalation alone costing $1.47 million and a mean time to identify and contain a breach of 241 days, according to IBM's 2025 Cost of a Data Breach Report. The financial case for identity governance has shifted: it is no longer justified as compliance support but as a core control for reducing breach loss, audit friction, and operational waste.
NHIMG editorial — based on content published by Gathid: identity governance as a CFO risk control
By the numbers:
- Healthcare is the most expensive industry for breaches at $7.42 million.
- The mean time it took defenders to identify and contain a breach was 241 days.
Questions worth separating out
Q: How should finance teams evaluate identity governance spend?
A: Finance teams should evaluate identity governance by the cost it prevents, not just the cost it adds.
Q: Why do poor identity controls create hidden business costs?
A: Poor identity controls create hidden business costs because they force teams to spend time proving who has access, why they have it, and whether it should still exist.
Q: What should organisations prioritise first in identity governance?
A: Organisations should prioritise the highest-cost access problems first: orphaned accounts, excessive privilege, and manual review bottlenecks.
Practitioner guidance
- Recast identity governance in financial terms: map identity controls to breach loss, audit labour, and downtime exposure so budget decisions reflect avoided cost rather than tool count.
- Quantify manual governance overhead: measure the time spent on access reviews, exception handling, and reconciliation across human accounts, service accounts, and machine access.
- Reduce standing access and orphaned entitlements: prioritise removal of unused accounts, excessive roles, and access paths without a clear business owner, because each one adds recurring risk and support cost.
What's in the full article
Gathid's full article covers the operational detail this post intentionally leaves for the source:
- Specific examples of how cloud-native identity governance platforms reduce manual access review work
- Implementation framing for knowledge graph technology and digital twins for identity in hybrid estates
- The article's CFO-oriented discussion of budget prioritisation, operational efficiency, and governance ROI
- How the vendor positions identity governance as a tool for audit preparation and internal control improvement
Read Gathid's analysis of identity governance as a CFO risk control: "Identity governance: the cost control finance teams are missing?"