
Identity risk quantification: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: While nearly two-thirds of U.S. enterprise security and identity leaders claim real-time identity risk visibility, more than half still need hours or days to assess blast radius, and 91% have already experienced or narrowly avoided an incident they believe better visibility could have prevented, according to Axiad's survey of 312 U.S. enterprise security and identity leaders. The real bottleneck is decision quality, not detection volume.

NHIMG editorial — based on content published by Axiad: The Security Bottleneck Has Shifted. Most Organizations Haven't Caught Up

By the numbers:

Questions worth separating out

Q: How should security teams prioritise identity risks when they cannot fix everything at once?

A: Start with exposure that combines high blast radius, high privilege, and business criticality.

Q: Why do identity programmes struggle even when they have strong visibility tools?

A: Visibility tells teams what exists, but prioritisation tells them what matters.

Q: How do you know if identity risk quantification is actually working?

A: It is working when the organisation can produce a repeatable, methodology-backed exposure estimate and use it to choose remediation order under pressure.

Practitioner guidance

  • Measure time-to-blast-radius as a core control metric: track how long it takes your team to identify every system and application a compromised account can reach.
  • Add business-impact scoring to identity triage: require every high-risk identity finding to carry a severity rating and a business-loss estimate so remediation order can be defended to the board and CFO.
  • Unify identity prioritisation across human and non-human access: use one decision model for users, service accounts, tokens, and privileged accounts so teams do not optimise different identity silos against different risk assumptions.

What's in the full report

Axiad's full research covers the operational detail this post intentionally leaves for the source:

  • The full survey breakdown by leader role, company size, and industry segment for identity risk visibility and prioritisation.
  • The methodology-backed questions used to test whether leaders could quantify exposure and business impact.
  • A deeper explanation of the Axiad Mesh workflow for discovery, prioritisation, and quantified risk scoring.
  • The complete findings on AI-accelerated discovery and why it changes remediation pressure.

👉 Read Axiad's research on why identity risk has become a decision problem →

Identity risk quantification: what IAM teams are missing?

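As an added illustration of the decision model the post above describes (blast radius combined with privilege and business criticality, applied to humans and non-humans alike), here is a small example that is not from Axiad or the NHIMG editorial. All identities, resources, privilege levels and loss figures are constructed sample data; the credential-pivot edges (credentials found on a reached resource granting a further identity) are an assumption about how blast radius is typically computed.

```python
from collections import deque

# Constructed sample data (not from the Axiad report): which identities can
# access which resources, and which credentials are stored on each resource.
ACCESS = {
    "alice@corp":   ["jira", "ci-runner"],
    "bob@corp":     ["jira"],
    "svc-ci":       ["ci-runner", "artifact-repo", "prod-k8s"],
    "token-deploy": ["prod-k8s"],
    "svc-backup":   ["backup-bucket", "prod-db"],
}
CREDS_ON = {                      # resource -> identities whose credentials live there
    "ci-runner": ["svc-ci", "token-deploy"],
    "prod-k8s":  ["svc-backup"],
}
PRIVILEGE = {"alice@corp": 2, "bob@corp": 1, "svc-ci": 3,   # 1 (read-only) .. 5 (admin)
             "token-deploy": 4, "svc-backup": 4}
BUSINESS_LOSS = {"jira": 10, "ci-runner": 50, "artifact-repo": 80,  # estimated loss, k$
                 "prod-k8s": 500, "backup-bucket": 300, "prod-db": 900}


def blast_radius(identity):
    """Every resource reachable from `identity`, following credentials found on
    reached resources (breadth-first over the identity/resource graph)."""
    seen_ids, reached = {identity}, set()
    queue = deque([identity])
    while queue:
        ident = queue.popleft()
        for res in ACCESS.get(ident, []):
            if res in reached:
                continue
            reached.add(res)
            for pivot in CREDS_ON.get(res, []):   # credential pivot to another identity
                if pivot not in seen_ids:
                    seen_ids.add(pivot)
                    queue.append(pivot)
    return reached


def exposure(identity):
    """One decision score for human and non-human identities alike: privilege
    level times the estimated business loss of everything in the blast radius."""
    return PRIVILEGE[identity] * sum(BUSINESS_LOSS[r] for r in blast_radius(identity))


def remediation_order():
    """Identities ranked by exposure, highest first: the order to fix under pressure."""
    return sorted(ACCESS, key=exposure, reverse=True)


if __name__ == "__main__":
    for ident in remediation_order():
        print(f"{ident:14} privilege={PRIVILEGE[ident]} "
              f"reach={len(blast_radius(ident))} exposure={exposure(ident)}k$")
```

Note that the human account with the widest reach (alice@corp reaches all six resources through stored credentials) still ranks below the deploy token and the CI service account once privilege and business loss are factored in, which is the kind of ordering a visibility-only view misses.
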
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Identity security has crossed from detection maturity to decision maturity. The article's central claim is that most enterprises already have enough signals, but they cannot turn those signals into ranked action fast enough. That is a governance problem, not a tooling problem. Practitioners should stop treating telemetry growth as progress unless it also shortens time to decision.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which helps explain why identity programmes still struggle to quantify blast radius quickly.

A question worth separating out:

Q: Who is accountable when identity risk cannot be quantified defensibly?

A: Accountability should sit with the identity, security, and risk leaders jointly, because quantification is a governance obligation, not a tooling output. If the programme cannot defend priority decisions, ownership has not been operationalised across control, risk, and business functions.

👉 Read our full editorial: Identity risk is now a decision problem, not a visibility problem



   
ReplyQuote
Share: