TL;DR: Identity programmes stall when teams cannot explain business value, align stakeholders, or cover enough identities, according to SailPoint’s customer panel with Best Buy, Cognizant, and ExxonMobil, with its Horizons of Identity survey finding broad early-stage maturity and coverage gaps. The real constraint is not tooling alone; it is programme design that still assumes identity security can be delivered as a narrow IT project.
NHIMG editorial — based on content published by SailPoint: Blog Best Buy, Cognizant, and ExxonMobil talk all things identity security
By the numbers:
- 4 in 10 companies are in the early stages of their identity security journey.
- Even mature companies cover less than 70% of the identities in their organization.
- The Horizons of Identity report surveyed 375 identity security decision-makers.
Questions worth separating out
Q: How should organisations build a business case for identity security?
A: They should tie identity security to outcomes that business leaders already manage: audit readiness, access risk, operational efficiency, and reduced manual work.
Q: Why do identity security programmes stall in large organisations?
A: They stall when teams treat identity as an IT implementation rather than an enterprise governance capability.
Q: How do you know if an identity programme has enough coverage?
A: You know coverage is sufficient only when the inventory includes the identities that can actually create risk, including users, service accounts, and external access paths.
Practitioner guidance
- Reframe identity as an enterprise governance programme Assign explicit business sponsors from compliance, HR, finance, operations, and security so identity outcomes are discussed in risk, audit, and productivity terms, not only technical terms.
- Simplify workflows before expanding automation Review provisioning, request, and approval paths for duplicated steps, handoffs, and local exceptions.
- Measure identity coverage as a control metric Track what percentage of human identities, service accounts, and third-party access paths are actually governed.
What's in the full article
SailPoint's full blog covers the customer examples and stakeholder detail this post intentionally leaves for the source:
- Specific quotes from Best Buy, Cognizant, and ExxonMobil leaders on how they built internal sponsorship.
- The six-week steering cadence and high-touch engagement model used to keep stakeholders aligned.
- The change-management and people-strategy lessons behind multi-year identity transformation.
- The customer-panel context from Navigate 2023 that shows how the programme lessons were discussed in practice.
👉 Read SailPoint's customer panel analysis on identity security roadblocks and business value →
Identity security roadblocks: what keeps programmes from scaling?
Explore further
Identity security fails first as a governance problem, not a tooling problem. The article’s recurring theme is that organisations struggle to communicate business value, secure sponsorship, and align stakeholders around what identity security is meant to change. That is the same failure pattern seen in immature IAM and NHI programmes: the control exists, but the operating model does not support it. The practitioner implication is that identity security must be treated as enterprise governance, not a back-office implementation.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most identity programmes still operate with partial control of the estate.
A question worth separating out:
Q: What should IAM leaders do before automating more access processes?
A: They should first remove process variation, document ownership, and identify where local exceptions exist. Automation should scale a clean process, not a broken one. If the underlying workflow is inconsistent, the result is faster inconsistency rather than stronger governance.
👉 Read our full editorial: Identity security programmes stall when business value is not clear