TL;DR: Identity security programs fail less from tooling limits than from misaligned people, unclear outcomes, and weak leadership, according to Saviynt’s conversation with iC Consult, with the human side of IAM shaping adoption and results. That makes governance, operating model, and change management as important as the platform itself.
NHIMG editorial — based on content published by Saviynt: iC Consult leaders say identity security isn’t a technology problem. It’s a people problem
Questions worth separating out
Q: How do identity security programs avoid failing after a tool rollout?
A: They define success before deployment, not after.
Q: Why do IAM initiatives often stall even when the technology works?
A: Because technology is only one part of the control system.
Q: What do security teams get wrong about identity governance maturity?
A: They often confuse operational volume with maturity.
Practitioner guidance
- Define outcome-based identity metrics Measure whether the programme is reducing access risk, improving business enablement, and clarifying ownership.
- Document the identity operating model Map who owns approvals, exceptions, reviews, and remediation across IAM, PAM, and lifecycle workflows.
- Tie rollout plans to business purpose Start each identity initiative with the business outcome it supports, then map the control to that outcome.
What's in the full article
Saviynt's full blog covers the conversation and context this post intentionally leaves at the strategic level:
- Direct quotes from Tim York and Aaron Lentz on why alignment breaks down in real identity programmes
- The episode framing around leadership, trust, and human adoption in identity security
- Additional commentary on how teams think about success beyond migrations and ticket closure
- The full discussion on how human and non-human identities are changing the scope of identity strategy
👉 Read Saviynt's discussion on why identity security programs stall →
Identity security alignment gaps: why programs stall before tools fail?
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
Identity security fails first as an alignment problem, not a control problem. The article reflects a pattern we see repeatedly: many IAM programmes have sufficient tooling, but no shared definition of success. When teams optimize for migrations, ticket closure, or feature deployment, the programme can look active while risk remains largely untouched. The practitioner lesson is that identity governance is an operating discipline, not a software deployment exercise.
A few things that frame the scale:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: Who should be accountable for identity program outcomes?
A: One accountable owner should own the outcome across IAM, PAM, and lifecycle processes, even if multiple teams operate the controls. Without a clear owner, responsibilities fragment across security, IT, audit, and application teams, and identity governance degrades into local optimisation instead of enterprise control.
👉 Read our full editorial: Identity security stalls when teams fail to align on outcomes