TL;DR: Seventy-one percent of organizations experienced a security breach last year even though most had SSO, MFA, and regular access reviews in place, according to Clarity Security. The deeper problem is that many identity programs still optimize for compliance and documentation, not for continuously reducing security risk.
NHIMG editorial — based on content published by Clarity Security: The Three Stages of Identity Security Maturity
By the numbers:
- 71% of organizations experienced a security breach last year.
Questions worth separating out
Q: How should security teams measure whether identity security maturity is actually reducing risk?
A: Measure whether identity controls reduce standing privilege, excess entitlement, and time-to-revoke, not just whether reviews and approvals happened.
Q: Why do SSO, MFA, and access reviews still leave organisations exposed?
A: Because those controls can be correctly deployed inside a governance model that was built to document access rather than continuously constrain it.
Q: What do teams get wrong about non-human identity governance?
A: They often manage service accounts, tokens, and API keys with the same lifecycle assumptions used for human users.
Practitioner guidance
- Re-baseline maturity against exposure reduction Replace audit completion as the primary success measure with indicators that show whether access is actually shrinking risk, such as standing privilege, unused entitlements, and time-to-revoke.
- Separate human and non-human identity lifecycle controls Run distinct governance processes for employees, service accounts, API keys, and tokens so machine identities are inventoried, owned, and retired without depending on human HR workflows.
- Shorten the path from entitlement change to enforcement Reduce the delay between a role change, a privilege change, and policy enforcement so scheduled review cycles do not become the only point at which excess access is detected.
What's in the full report
Clarity Security's full report covers the operational detail this post intentionally leaves for the source:
- Stage-by-stage maturity model detail for Inherent Trust, Conditional Trust, and Adaptive Trust
- Supporting breach data and the underlying survey breakdown behind the 71% figure
- The report's full explanation of how governance priorities shifted from security to compliance
- More context on the specific control gaps affecting human and non-human identity programmes
👉 Read Clarity Security's report on the three stages of identity security maturity →
Identity security maturity stages: what gap are teams missing?
Explore further
View Full Forum → | NHI Foundation Course → | Our Services →
Compliance assurance is not the same as security reduction. Identity programmes built to satisfy auditors create evidence of control activity, but evidence is not the same as reduced attack surface. The article shows that organisations can deploy SSO, MFA, and access reviews and still experience breach activity at scale. The practitioner conclusion is that identity maturity has to be measured against exposure reduction, not process completion.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who is accountable when identity reviews confirm access was approved but a breach still happens?
A: Accountability sits with the identity and security owners who defined the control model, not just the reviewers who completed the checklist. If a programme treats review completion as success, it can miss the fact that access was already unsafe. Frameworks such as the NIST Cybersecurity Framework 2.0 expect controls to support protection and response, not merely evidence generation.
👉 Read our full editorial: Identity security maturity is still missing the security problem