Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

State of identity security in finance: what gaps do teams face?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Persistent gaps in access management, MFA, passwordless adoption, and shared account control frame the 2026 state of identity security in finance around identity debt rather than isolated authentication failures, according to Secret Double Octopus. The finance sector still has unresolved governance and operating-model issues that undermine IAM, PAM, and NHI control assumptions.

NHIMG editorial — based on content published by Secret Double Octopus: New Report on the 2026 State of Identity Security in Finance

By the numbers:

Questions worth separating out

Q: How should financial organisations govern shared accounts without losing accountability?

A: Financial organisations should minimise shared accounts, assign a named owner to every exception, and enforce detailed logging for each use.

Q: Why do MFA and passwordless controls still leave identity risk in place?

A: MFA and passwordless reduce credential theft and phishing risk, but they do not correct excessive privilege, stale access, or unmanaged exceptions.

Q: How do teams know whether identity security debt is improving?

A: Teams should measure the number of exceptions, the age of privileged accounts, the proportion of access reviewed on schedule, and the volume of shared or legacy credentials still in use.

Practitioner guidance

  • Inventory shared accounts and assign accountable owners Map every shared account to a named business owner, define approved use cases, and require review for any account that cannot be tied to a single operator or control objective.
  • Align MFA and passwordless with authorisation review Before rollout, reassess privileged entitlements, session controls, and exception paths so stronger authentication does not mask excessive access or unmanaged delegation.
  • Measure identity security debt as unresolved exceptions Track legacy access paths, dormant administrative exceptions, and accounts that bypass standard lifecycle controls, then report reduction over time as a programme metric.

What's in the full report

Secret Double Octopus's full report covers the operational detail this post intentionally leaves for the source:

  • Role-specific findings on access management and MFA in financial environments
  • Practical guidance on passwordless adoption for enterprise authentication programmes
  • How shared accounts are being handled in real-world IT support and administrative workflows
  • The report's framing of identity security debt across finance use cases

👉 Read Secret Double Octopus's report on the 2026 state of identity security in finance →

State of identity security in finance: what gaps do teams face?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Identity security debt is the right lens for finance IAM. The report’s theme points to a programme that has accumulated exceptions faster than it has retired legacy access patterns. MFA, passwordless, and access management all help, but finance teams still inherit technical debt when shared accounts, remote admin paths, and manual approvals remain in circulation. The practical conclusion is that identity maturity must be measured by how much exception handling remains, not by how many tools are deployed.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most identity teams are still operating with incomplete machine identity inventory.

A question worth separating out:

Q: Who is accountable when a shared account or privileged login is misused?

A: Accountability should sit with the business owner of the account, the technical owner of the system, and the security team that defines the control standard. If ownership is unclear, the organisation cannot prove whether the access was legitimate, reviewed, or offboarded correctly.

👉 Read our full editorial: Finance identity security gaps show where MFA and access fail



   
ReplyQuote
Share: