Most identity security programs were built for the organisation as it existed when the program was designed. The problem is that organisations don’t stay still. Acquisitions happen. Headcount surges. AI tools get adopted at the department level before IT knows they exist. And each of these events widens the gap between what the security program governs and what is actually running in the environment.
In this piece, Clarity Security CEO Alexis Moyse sets out why that gap is structural — not a failure of the security team — and what it actually takes to close it.
Three growth patterns that test every security program
Moyse identifies three recurring scenarios where traditional identity governance breaks down.
The first is mergers and acquisitions. Every acquisition inherits a different identity environment — separate Active Directory forests, unfamiliar access policies, service accounts with no owner and no expiration date. The average enterprise already carries a 144:1 ratio of non-human to human identities before an acquisition adds another institution’s environment on top. Most programs respond with a manual reconciliation effort that winds down before it’s complete, leaving a partially mapped identity inventory that compounds as a legacy risk over time.
The second is headcount growth and role change. At scale, the joiner-mover-leaver problem overwhelms ticket-based processes. Employees accumulate entitlements across every role they have held. Leavers create time pressure on offboarding that manual processes routinely fail to meet — a direct compliance exposure under frameworks like NYDFS Part 500 that require immediate access revocation. A mid-level employee who joined a decade ago and changed departments three times may be carrying credentials that no manager currently has visibility into and no access review has flagged.
The third is AI and technology adoption. SaaS tools and AI platforms are being connected to production systems at department level, creating non-human identities — service accounts, API keys, OAuth connections — that never appear in the HR system, have no manager, and will persist long after the use case that created them has been forgotten. A governance program built around human identity lifecycle management is structurally blind to this entire category.
What a scalable program actually looks like
The answer, Moyse argues, is not a larger program — it is a fundamentally different one. A scalable identity security program is built around three capabilities: lifecycle governance that runs automatically when business events occur rather than waiting for tickets; visibility that covers every identity in the environment including non-human, shadow-adopted, and acquisition-inherited; and audit evidence that is continuously produced as a function of how the program operates every day, not assembled in a sprint before an examiner arrives.
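As an added illustration of the visibility and event-driven lifecycle capabilities described above (example code written for this summary, not Clarity Security's product or the article's own material), the reconciler below joins a constructed HR feed to a constructed identity inventory and flags the three patterns the piece names: leavers still holding access, movers carrying entitlements from prior roles, and non-human identities whose owner has left or was never recorded. All record formats, names and entitlements are assumptions for the sake of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the article): an HR feed and an
# entitlement inventory as it might be pulled from directories, SaaS
# apps and key stores. Formats are assumptions for this example.
HR_FEED = {
    # employee_id: (status, current_department)
    "e100": ("active", "finance"),
    "e101": ("active", "engineering"),   # moved from sales to engineering
    "e102": ("terminated", "sales"),     # leaver: should hold no access
}

@dataclass
class Identity:
    name: str
    kind: str                    # "human" or "non-human"
    owner: Optional[str]         # employee_id of the person accountable
    entitlements: Dict[str, str] # entitlement -> department that granted it

INVENTORY = [
    Identity("alice", "human", "e100", {"gl-read": "finance"}),
    Identity("bob", "human", "e101", {"crm-admin": "sales", "repo-write": "engineering"}),
    Identity("carol", "human", "e102", {"crm-read": "sales"}),
    Identity("svc-legacy-sync", "non-human", None, {"ad-replicate": "it"}),
    Identity("ai-summariser-key", "non-human", "e102", {"docs-read": "sales"}),
]

def reconcile(hr: Dict[str, Tuple[str, str]], inventory: List[Identity]):
    """Return (finding, identity, entitlements) triples for the three
    growth patterns: leaver access, mover accumulation, orphaned NHIs."""
    findings = []
    for ident in inventory:
        rec = hr.get(ident.owner) if ident.owner else None
        owner_active = rec is not None and rec[0] == "active"
        if ident.kind == "non-human":
            # An NHI with no owner, or whose owner has left, has nobody to
            # answer for it and will persist until someone finds it.
            if not owner_active:
                findings.append(("orphaned-nhi", ident.name, sorted(ident.entitlements)))
            continue
        if not owner_active:
            findings.append(("leaver-access", ident.name, sorted(ident.entitlements)))
            continue
        # Mover check: entitlements granted by a department the person no longer belongs to.
        stale = sorted(e for e, dept in ident.entitlements.items() if dept != rec[1])
        if stale:
            findings.append(("mover-accumulation", ident.name, stale))
    return findings

if __name__ == "__main__":
    for finding in reconcile(HR_FEED, INVENTORY):
        print(*finding)
```

Run on every HR event (hire, transfer, termination) rather than on a review calendar, the same output doubles as the continuously produced audit evidence the article describes.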
The business case
The article makes an explicit operational argument alongside the security one. Every manual access review cycle, every provisioning backlog, every post-acquisition reconciliation effort carries a real cost in team capacity and productivity that rarely appears on a security budget line but gets absorbed somewhere in the business. Automating the work that does not require human judgment eliminates most of that overhead and frees the security team to govern policy rather than process tickets.
The diagnostic question Moyse leaves practitioners with is a sharp one: when your next acquisition closes or your next hiring surge begins, will your security program govern those events — or spend the following year responding to them?