Identity management was hard, AI made it harder
Identity security is becoming a core part of cybersecurity operations, but many organizations are falling behind. A new report from SailPoint shows that as AI-driven identities and machine accounts grow, most security teams are not prepared to manage them at scale. This gap creates new risks and makes identity security harder to deploy across global enterprises.
[Figure: Investments in IAM provide the highest perceived ROI when compared to all other security domains (Source: SailPoint)]
Most organizations are still at early maturity levels
The study, based on a global survey of 375 identity and access management (IAM) leaders, found that the majority of organizations are still in the early stages of building mature identity programs. Sixty-three percent remain in the two lowest maturity categories, relying on manual processes and basic tools to manage user access.
Only a small percentage have reached higher maturity levels where identity controls are automated and adaptive. These advanced organizations use real-time risk data and AI to manage access dynamically, but they are the minority. Technology and financial services companies are more likely to have reached these levels, while healthcare, manufacturing, and many organizations in Europe and Latin America continue to lag.
Progress is uneven. For every three organizations that advanced their identity capabilities in the past year, two regressed. This backward movement does not always reflect reduced effort. Instead, the bar for higher maturity has risen as new requirements, such as AI agent lifecycle management, have been added.
AI-driven identity management and the rise of machine identities
The report highlights a shift in identity management priorities. In the past, identity security mainly focused on human users such as employees and contractors. Now, machine identities and AI agents are growing faster than any other type of identity.
These non-human identities often operate without consistent governance, creating blind spots for security teams. Fewer than four in ten organizations currently govern AI agents, even though those agents are expected to expand over the next three to five years.
Managing these identities requires different approaches. Just-in-time access, dynamic privilege adjustments, and continuous monitoring are becoming essential. Without these controls, machine identities can accumulate excessive permissions or remain active after they are no longer needed, creating opportunities for attackers.
Why deployments fall short
Even when organizations invest heavily in identity security, many struggle to see results. Deployment problems are a common barrier.
Only 14 percent of respondents said their most recent IAM deployment was completely successful. Almost half reported projects that ran over budget, and 60 percent said deployments missed timelines by at least a month.
One of the biggest challenges is application onboarding. At lower maturity levels, teams often lack visibility into all their applications and attempt to onboard too many at once, leading to gaps and errors. As organizations mature, the complexity increases. Advanced organizations have 3.6 times more applications to manage than those at lower maturity levels, with each requiring tailored integrations and governance policies.
Data quality is another issue. Identity data is often fragmented across HR systems, cloud services, and directories. Poor data hygiene undermines access controls and slows automation efforts. Organizations that clean and standardize identity data before deploying new tools are far more likely to succeed.
Building for the future
The report shows that advanced organizations are moving toward identity systems that are both adaptive and automated. AI plays a growing role in these systems, handling tasks such as real-time privilege adjustments, anomaly detection, and automated remediation.
To move in this direction, organizations need to strengthen the basics first. Unified identity data is essential. So are structured deployment processes that prioritize critical applications and establish governance for both human and non-human identities.
“Identity is the central control point where policies are enforced, critical decisions are made, and security operations converge. Its future is tightly connected to security and AI-driven data governance, enabling enterprises to manage every identity—human, machine or AI agent—across the enterprise. With advances in AI, data management, and threat detection, modern identity security now delivers the unified visibility, expanded governance, and automated resilience organizations need,” said Matt Mills, President, SailPoint.