June 25, 2025

In today’s complex threat landscape, Identity and Access Management (IAM) is more than just a compliance checkbox; it’s a foundational security pillar. Yet, despite years of investment and increasing regulatory pressure, most organizations are still struggling to reach IAM maturity, a recent study finds.

The survey of more than 600 IT professionals conducted by Ponemon Institute, commissioned by GuidePoint Security, offers a revealing snapshot of where organizations stand today—and what’s holding them back. The data highlights a stark divide between organizations that are thriving in their IAM efforts and those that continue to rely on manual, outdated practices.

The Problem: IAM Isn’t a Priority—Yet

While identity-based threats are escalating, only half (50%) of surveyed organizations believe their current IAM tools are highly effective. Even fewer (44%) feel confident in their ability to prevent identity-based incidents. When asked how much of a priority IAM investments are compared to other IT security technologies, less than half (47%) ranked IAM as a high priority.

This disconnect is problematic. Insider threats and mismanaged credentials continue to be top contributors to data breaches. Take, for example, the 2023 Tesla breach, where insiders leaked sensitive employee information.

What High Performers Get Right

To better understand what sets successful IAM programs apart, the report looked at “high performers:” the 23% of respondents who rated their IAM tools as highly effective (9 or 10 on a 10-point scale).

These high performers are not only less likely to experience identity-related incidents (only 39% reported any) but also show a clear pattern of adopting advanced tools and automation. Here’s what they’re doing differently:

• Biometric authentication: 64% of high performers vs. 37% of others
• Automated checks for compromised passwords: 59% vs. 34%
• Dedicated Privileged Access Management (PAM) platforms: 56% vs. 23%
• IAM for managing non-human accounts (e.g., service accounts, machine identities): 53% vs. 31%

High performers also lead in adopting emerging platforms:

• Identity Threat Detection and Response (ITDR): 37% vs. 12%
• Identity Security Posture Management (ISPM): 35% vs. 15%
• Identity Governance and Administration (IGA): 31% vs. 9%

What’s Holding Everyone Else Back?

Despite increased awareness, most organizations are still operating behind the curve as it relates to IAM. Here are a few of the key challenges:

• Manual Processes: Many organizations still use spreadsheets or homegrown tools for periodic access reviews and deprovisioning—both for human and non-human identities.
• Lack of Resources and Expertise: Over half (54%) say they don’t have the right technologies, and 52% cite a lack of in-house expertise.
• Misaligned Priorities: Shockingly, 45% of respondents say the top driver for IAM investment is improving user experience—not security.

Automation, policy integration, and better lifecycle management are sorely lacking in most IAM programs. For example, only 41% say their IAM platforms are used for deprovisioning non-human identities, and nearly half of those still do it manually.

The Bottom Line: IAM Maturity Requires Focused Investment

IAM maturity isn’t a luxury—it’s a necessity. The gap between high performers and everyone else illustrates that success requires more than basic tooling. It demands strategic investment, automation, and executive-level prioritization.

Want to learn how to strengthen your IAM posture and join the ranks of high performers?

Download the full report now to get deeper insights and actionable strategies.