In today’s digital-first world, identity is no longer a simple gatekeeper—it’s a strategic control plane. Identity and Access Management (IAM) has evolved into a key enabler of enterprise agility, compliance, and resilience. But according to recent research (link below) by CIO/FoundryCo, sponsored by OpenText, many organizations are unknowingly operating with a false sense of IAM maturity.
While most security and IT leaders describe their IAM programs as “managed” or even “optimized,” the reality is quite different. The data reveals that identity-related incidents are frequent, foundational practices remain underused, and integration complexity continues to stall progress.
The illusion of identity maturity
Organizations participating in the study experienced an average of four identity-related incidents in the past year. Despite this, many still believe their IAM efforts are mature. In truth:
- Only 36% enforce least-privilege access.
- Just 28% use just-in-time (JIT) access models.
- A majority struggle with consistent policy enforcement across environments.
This mismatch between perception and reality results in serious security blind spots. Without integrated, policy-driven IAM across the enterprise, risks like privilege creep, toxic entitlement combinations, and lingering access persist, leaving organizations vulnerable to insider threats, audit failures, and ransomware attacks.
Barriers to real progress
The research surfaced three main challenges slowing IAM advancement:
- Competing priorities: 53% cite misalignment between IT and security goals.
- Integration complexity: 48% say it’s difficult to unify legacy and cloud systems.
- Talent shortages: There is a widespread lack of specialized IAM expertise.
These barriers are amplified by the growth of hybrid infrastructure, non-human identities (like bots and service accounts), and the increased use of generative AI—all of which broaden the identity footprint and complicate management.
Why IAM maturity matters now
Identity-related threats are intensifying. Microsoft reports over 600 million identity attacks per day, and 90% of organizations experienced an identity incident in the past year. Meanwhile, regulatory pressure, cloud adoption, and cyber insurance requirements are forcing organizations to modernize their IAM programs—or risk exposure.
I’ll share more in my next blog about how organizations can move from reactive IAM to proactive orchestration, and how OpenText helps enterprises achieve true identity maturity through integrated governance, risk-based access, and continuous identity intelligence.
In the meantime, check out the full paper “The identity maturity curve: How to close gaps and gain value.”