TL;DR: 44% of organisations remain at the lowest maturity horizon, with many still relying on manual fulfilment, limited business alignment, and incomplete identity planning, according to SailPoint’s Horizons of Identity Security 2023-24 study, created with Accenture. The real issue is not tool sprawl alone, but programme design that cannot yet scale across human, NHI, and emerging AI-driven access models.
NHIMG editorial — based on content published by SailPoint: Navigating the digital landscape: A deep dive into the Horizons of Identity Security 2023-24 with Accenture
Questions worth separating out
Q: How should identity teams move beyond the first maturity horizon?
A: Teams should start by documenting current-state controls, ownership, and gaps, then map those findings to a realistic roadmap.
Q: Why do identity programmes stall even when organisations buy modern tools?
A: They stall because tooling does not replace operating discipline.
Q: What signals show that an identity programme is actually maturing?
A: Useful signals include lower manual fulfilment, fewer help desk calls, better adoption, and clearer executive visibility into progress.
Practitioner guidance
- Baseline identity maturity before expanding scope: Document current-state identity controls, ownership, and gaps across certifications, provisioning, and lifecycle management before adding new automation or platform layers.
- Tie identity metrics to business outcomes: Track adoption, fulfilment speed, help desk reduction, and user friction so the programme can demonstrate measurable value to executives and business partners.
- Sequence AI after governance basics: Use AI and analytics only where access rules, identity data, and approvals are already stable enough to support trustworthy automation.
What's in the full article
SailPoint's full blog covers the interview detail this post intentionally leaves for the source:
- The report's maturity model breakdown across identity horizons and how organisations typically move between them
- The adoption assessment workflow that maps your programme to peer usage and maturity gaps
- The stakeholder and business-value framing used to justify identity investment inside the enterprise
- The specific examples of how automation and strong authentication were linked to operational outcomes
Identity security maturity gaps: what is holding teams back?
Explore further
Identity maturity is now a governance ceiling, not just a tooling gap. The article’s core message is that many organisations are still at the starting line because they lack a plan, not because they lack product options. That is a familiar failure mode in identity programmes: the control stack exists, but the operating model does not. The implication is that maturity work has to begin with current-state clarity, ownership, and measurable outcomes.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: How do organisations choose identity technology without locking themselves into the wrong model?
A: They should test technical fit, business fit, delivery history, and implementation support against the organisation’s real use cases. The question is not which platform looks strongest in the abstract, but which one can sustain governance over time and still work when business requirements change.