The State of Identity Governance in 2026: Why Boards Think Access Is Under Control When It Isn’t

In many organizations, identity governance appears healthy at the executive level. Provisioning SLAs are met. Access reviews complete on time. Audit findings are addressed.

Yet identity-related failures continue to surface in breach investigations, audit reports, and post-incident reviews.

The issue is not that identity governance processes are inactive. It is that boards are typically shown operational metrics that confirm identity workflows are executing, while security indicators that reveal current access exposure remain largely out of view.

Research from the State of Identity Governance 2026, based on responses from nearly 600 IAM, IGA, and security leaders and conducted by Omada, supports this pattern: identity programs often report strong operational performance while meaningful access risk persists.

Activity Metrics Can Mask Access Exposure

Most executive dashboards emphasize familiar operational measures:

  • Provisioning and deprovisioning timeliness
  • Access certification completion rates
  • Workflow volume and throughput

In this context, activity metrics refer to measures that track process execution, such as provisioning SLAs, certification completion rates, and workflow throughput, rather than the state of access or exposure itself.

These metrics are useful for managing process performance, but they answer a limited question: are identity workflows executing as expected?

They are not designed to answer the questions boards need to govern identity risk, such as:

  • Are access entitlements right-sized, or do users and systems retain excessive permissions?
  • Are all human and non-human identities governed and clearly owned?
  • How quickly is high-risk access removed when circumstances change?

Consider a common example. An organization reports that access is removed within 24 hours of an employee’s departure, which meets an internal SLA. However, if a high-risk individual retains privileged access for an entire day after leaving, that unremoved access represents real exposure the board would want to understand and manage.

Activity metrics may show that a process was completed, but they do not show whether access risk was reduced quickly enough.

Scale Makes the Reporting Problem More Urgent

This limitation becomes more significant as identity environments grow.

Non-human identities such as service accounts, APIs, bots, pipelines, and AI agents now outnumber human users by large margins in many organizations. Automation continues to accelerate this growth, with each new system, integration, or workflow introducing additional credentials and privileges.

The State of Identity Governance 2026 report highlights a striking perception gap around non-human identity exposure.

  • Practitioners most often estimate non-human-to-human identity ratios between 2:1 and 10:1
  • Executives are far more likely to report ratios of 50:1 or higher

When organizations conduct comprehensive discovery across directories, cloud platforms, CI/CD pipelines, secrets managers, and AI systems, the higher executive estimates are consistently closer to reality.

At this scale, operational metrics can remain stable even as access risk grows. Reporting focused solely on workflow completion does not reveal whether identity controls are keeping pace with expanding exposure.

Agentic AI Increases the Stakes

The data shows that eighty-five percent of organizations report deploying or piloting AI agents, with security vulnerabilities cited as the top concern.

In practice, practitioners point to several recurring conditions that increase identity risk in AI-driven environments:

  • Static credentials reused across environments
  • Excessive privileges granted to enable rapid deployment
  • Agent identities that lack clear ownership or consistent governance

The research also shows a disconnect between executive expectations and operational reality. Executives are more likely to report the use of stronger credential management practices than practitioners see in practice. 

As automation increases, this disconnect becomes harder to detect through activity-based reporting alone, which can confirm that processes ran without showing whether identity controls are actually enforced across production environments.

What Identity Leaders Can Take From This

One clear implication of the research is that boards need identity reporting that reflects current access exposure, not just evidence that processes are running.

For identity and security leaders, the challenge is not showing that work is being done. It is showing how identity controls reduce access risk in terms executives already use to oversee security and compliance decisions.

Guidance emerging from the data includes:

  • Reporting a small set of board-level indicators tied directly to access risk
  • Establishing clear ownership for both human and non-human identities
  • Measuring how quickly high-risk access is removed, not only whether it is eventually removed
  • Evaluating whether Zero Trust assumptions continue to hold as identity populations scale

The objective is not more reporting. It is better decisions, grounded in the right signals.

To explore the full research findings, read the State of IGA 2026 report.


About the Author: With over 25 years of global experience in cybersecurity and a focus on Identity & Access Management, Paul Walker is a seasoned professional known for his exceptional communication and problem-solving skills. Currently serving as a Field Strategist at Omada, he brings a wealth of expertise in value selling, product growth, and IAM solution evangelism. Paul has held key positions at Clear Skye, One Identity, and Dell, consistently driving technical strategy and maintaining impactful relationships with customers and partners throughout his distinguished career.

About the Company: Omada, a global market leader in Identity Governance and Administration (IGA), offers a full-featured, cloud native IGA solution that enables organizations to achieve compliance, reduce risk, and maximize efficiency. To ensure successful deployment in 12 weeks, Omada’s Accelerator package provides a reliable starting point for IGA projects with a standardized implementation approach, best-practice framework for process design, and training for efficient user adoption. Founded in 2000, Omada delivers innovative identity management to complex hybrid enterprise environments globally.
