In 2024, organizations spent an estimated $22.9 billion on identity and access management (IAM) platforms, a figure projected to grow to $34.3 billion by 2029, according to MarketsandMarkets. Yet breaches tied to identity flaws show no signs of slowing.
Human error still plays a role in 95% of security incidents, Mimecast found, and more than three-quarters of security leaders surveyed by ConductorOne said their organizations suffered breaches due to misconfigured or overprivileged accounts — even with mature IAM platforms in place.
[Editor's Note: This is the third part of a three-part series highlighting Identity and Credentials. Read Part One: Identity debt: What is it, how to spot it & Part Two: The MFA mirage: Why attackers are bypassing passwords and targeting your people]
The numbers paint a clear picture: spending on IAM is up, but outcomes are not improving.
“You can’t fix identity with a product,” said Dr. Dustin Sachs, chief technologist at CyberRisk Collaborative, during a recent SC Media webcast. “You fix it by aligning people, policies, and processes — and then choosing the tools to support that framework.”
[Editor's Note: Watch the webcast: From fragmented to unified: Rethinking network security operations in the AI era]
That perspective, echoed throughout SC Media’s identity webcast series, turns conventional IAM wisdom on its head. Rather than investing in tooling first, security leaders now say the foundational work of governance — ownership, lifecycle management, access policies — must come first.
Identity is not an IT problem. It’s an organizational one
Carlota Sage, a virtual CISO and founder of Pocket CISO, said many of her clients struggle to answer the simplest question: who owns identity?
“Often, no one knows,” Sage said. “It’s treated like an IT function. But as companies scale, that model breaks down. You get multiple teams managing their own platforms, no central policy, and no visibility.”
That fractured model results in access decisions that reflect departmental habits, not business logic. Sage has worked with startups where employees still used shared logins and personal Gmail accounts for production systems. Larger organizations, she said, often fail to revoke access for contractors or employees who left months ago.
[Editor's Note: Watch the webcast: Innovative IAM Strategies: New Tools and Guidance for Modern Identity Security]
Simon Gooch, Field CIO at Saviynt and a former global IT transformation leader at Accenture, said identity architectures tend to mirror the org chart, not operational needs.
“Most companies don’t have one identity system — they have five,” Gooch said. “Each department sets its own rules. And no one has end-to-end visibility into what access has been granted and why.”
Access approvals vary. Revocations go unmonitored. And in these environments, IAM becomes a reflection of organizational dysfunction rather than a control point.
When automation accelerates dysfunction
Automation, in theory, should help. But without governance, it often magnifies the very problems it’s meant to solve.
“If HR and IT aren’t aligned, you’re just automating dysfunction,” Sachs said.
That misalignment creates what Sachs and others refer to as identity debt: a backlog of legacy entitlements, unused accounts, and over-provisioned roles that compound risk over time. Like technical debt, identity debt accrues quietly — until a breach exposes its cost.
Sage said she’s seen companies implement privileged access management tools before determining who actually needs elevated access. “So access is granted by default, and revocation only happens after something breaks,” she said. “That's not risk management — that's wishful thinking.”
Culture eats controls for breakfast
Technology alone can’t overcome bad habits or misaligned incentives. Employees bypass controls not because they’re reckless, but because the controls slow them down.
[Editor's Note: Watch the webcast: Stolen credentials: The New Front Door to Your Network]
“If your identity stack adds friction, people will find workarounds,” Gooch said. “They’ll spin up shadow SaaS, reuse personal credentials, or bypass internal approvals.”
Attackers know this. Increasingly, they’re targeting the seams in workflows rather than the tech itself. During SC Media’s webcast series, multiple speakers described how phishing proxies, AI voice cloning, and token theft are being used to sidestep multifactor authentication and exploit help desk processes.
Instead of focusing only on strengthening the lock, Sachs said, organizations need to examine who has the keys — and how those keys are handed out.
A new way forward: outside-in identity
So what does a better IAM strategy look like?
Sachs and other panelists advocate for an “outside-in” approach. Start with policy, governance, and clarity of ownership. Map the identity lifecycle from onboarding to deprovisioning. Define what sensitive access looks like. Establish who approves it and under what conditions.
Only then should organizations deploy automation. And even then, automation should support — never replace — well-defined processes.
IAM, said Gooch, should function like an operating system for trust. “If it’s built to reflect your integrations instead of your business logic, it’s going to break under pressure,” he said.
Sage agreed. “IAM isn’t just a security product. It’s a business capability. And if you don’t treat it that way, you’re going to keep solving the wrong problem.”
Governance, not gadgets
Enterprise IAM spending continues to rise. In addition to the $34 billion projected by MarketsandMarkets, Precedence Research estimates the broader IAM services market will hit $77.1 billion by 2034. But unless organizations prioritize governance, those investments may fail to deliver meaningful risk reduction.
“Tooling helps, but it only works when it's reinforcing the right structure,” Sachs said. “If you don’t get identity governance right, you’re just building on sand.”
Edited by Tom Spring
(Editor’s Note: A portion of this content used a large language model to distill a single source of original content, such as a transcript, data, or research report. This content was conceived, crafted and fact-checked by a staff editor, and any sourced intellectual property used is clearly credited and disclosed.)