Identity security roadblocks: what keeps programmes from scaling?

TL;DR: Identity programmes stall when teams cannot explain business value, align stakeholders, or cover enough identities, according to SailPoint’s customer panel with Best Buy, Cognizant, and ExxonMobil, with its Horizons of Identity survey finding broad early-stage maturity and coverage gaps. The real constraint is not tooling alone; it is programme design that still assumes identity security can be delivered as a narrow IT project.

NHIMG editorial — based on content published by SailPoint: Blog Best Buy, Cognizant, and ExxonMobil talk all things identity security

By the numbers:

• 4 in 10 companies are in the early stages of their identity security journey.
• Even mature companies cover less than 70% of the identities in their organization.
• The Horizons of Identity report surveyed 375 identity security decision-makers.

Questions worth separating out

Q: How should organisations build a business case for identity security?

A: They should tie identity security to outcomes that business leaders already manage: audit readiness, access risk, operational efficiency, and reduced manual work.

Q: Why do identity security programmes stall in large organisations?

A: They stall when teams treat identity as an IT implementation rather than an enterprise governance capability.

Q: How do you know if an identity programme has enough coverage?

A: You know coverage is sufficient only when the inventory includes the identities that can actually create risk, including users, service accounts, and external access paths.

Practitioner guidance

• Reframe identity as an enterprise governance programme Assign explicit business sponsors from compliance, HR, finance, operations, and security so identity outcomes are discussed in risk, audit, and productivity terms, not only technical terms.
• Simplify workflows before expanding automation Review provisioning, request, and approval paths for duplicated steps, handoffs, and local exceptions.
• Measure identity coverage as a control metric Track what percentage of human identities, service accounts, and third-party access paths are actually governed.

What's in the full article

SailPoint's full blog covers the customer examples and stakeholder detail this post intentionally leaves for the source:

• Specific quotes from Best Buy, Cognizant, and ExxonMobil leaders on how they built internal sponsorship.
• The six-week steering cadence and high-touch engagement model used to keep stakeholders aligned.
• The change-management and people-strategy lessons behind multi-year identity transformation.
• The customer-panel context from Navigate 2023 that shows how the programme lessons were discussed in practice.

👉 Read SailPoint's customer panel analysis on identity security roadblocks and business value →

Identity security roadblocks: what keeps programmes from scaling?

Explore further

View Full Forum →  |  NHI Foundation Course →