Where Identity Governance Stalls, Breach Risk Concentrates

Findings from EMA’s Navigating the Identity Crisis

Blog Summary

Organizations still treat identity governance as critical, but breach risk concentrates when Identity Governance and Administration programs stall under integration gaps, complexity, and poor scalability. This blog argues that sustainable governance depends on an operating model that keeps humans accountable for AI-assisted decisions, lets control requirements shape tool choice, and matches deployment architecture to regulatory and ownership needs.

Eighty-seven percent of organizations consider identity governance very important. Despite this, thirty percent have abandoned or scaled back IGA or Zero Trust programs. Of those that scaled back, 56.4% experienced an identity-related breach in the past year, against 18.7% of those that did not. Stalled governance and elevated breach incidence are tightly correlated in the data.

EMA’s Navigating the Identity Crisis examines why identity governance programs stall and what the consequences are for organizations that let them. The findings draw on a January 2026 survey of 135 IT decision-makers and practitioners at enterprises with 750 or more employees.

Strategic alignment is universal. More than half of organizations rank improving security posture as their single most important priority for investing in Identity Governance and Administration (IGA), ahead of compliance, hybrid environment support, and workflow automation. IGA programs are now justified by what they prevent, not by what they document.

Operational execution is breaking. The 30% who have scaled back have not lost strategic conviction. They have run into tools that do not integrate, systems that do not scale, and processes overwhelmed by complexity. The IGA test has shifted: a program is now measured by whether it can be sustained, not by whether it can be deployed.

The sections that follow examine why programs stall, the risk that accumulates when they do, and what the operating model that sustains governance looks like.

 

Programs stall on operating model, not strategy

The data is consistent: when IGA programs fail, they fail on execution, not intent.

Integration with existing systems is the most-cited IGA challenge, named by 60.7% of organizations, followed by complexity of use at 53.3%. Nearly two-thirds find scaling their current solution difficult, with almost a quarter calling it the single hardest aspect of their implementation. These are not strategic failures; they are operational ones.

Switching vendors does not solve this. The 12.6% of organizations that have already switched IGA vendors in the past two years due to dissatisfaction, and the 3.7% planning to, will not remedy this unless the replacement also changes the integration model, governance design, and operating burden that produced the dissatisfaction.

 

Where governance pauses, exposure builds

Forty-three percent of EMA respondents name overprovisioning and privilege creep as the most pressing risk facing their organization, more than double the share who cite insider threats. Access accumulates faster than reviews catch it, roles expand past their original boundaries, and non-human identities multiply across environments without consistent ownership. This is access drift: the widening gap between the access an identity has and the access it needs. The longer a program sits in scaled-back mode, the more drift compounds.

 

The next IGA operating model must close three control gaps

Whether legacy IGA models need to change is no longer in dispute. 59.3% of organizations are actively transitioning from legacy or homegrown systems, 28.9% have completed the transition, and only 2.2% have no plans to move. The question is whether those transitions close the gaps that caused governance to stall in the first place. Three shifts in the operating model determine whether they do.

  1. AI must improve identity decisions without removing accountability for them. The demand for AI in IGA is strong: 85.5% of organizations rate AI functionality as extremely or very important. The boundary of that demand is equally clear. Only 23.4% would trust an agentic AI to make identity decisions without human oversight, and 73% require humans to remain in the loop. AI’s near-term role is to absorb manual workload, surface anomalies, and recommend actions, not to make access decisions on its own.
  2. Security and control requirements must drive tool selection, not the other way around. Tool-led IGA programs reproduce the workflow the platform makes easiest, not the controls the business requires. Only 53.2% of organizations have defined vendor-agnostic best practices; 38.7% have them partially, and 8.1% have none. Nearly half of all programs are letting tool capabilities define their security policy.
  3. Deployment architecture must fit the organization’s control requirements. 55.6% of organizations still run identity governance on-premises or in private cloud, often because regulatory, sovereignty, or audit obligations rule out shared multi-tenant environments. Moving away from legacy has historically meant choosing between staying on-premises or moving to multi-tenant SaaS and surrendering tenant ownership. Customer-tenant cloud deployments now offer a third path: full cloud-native IGA capability with data, identity records, and platform resources kept inside the organization’s own cloud boundary.

 

What sustains identity governance is how it is run, not what it runs on

Across the EMA findings, the programs that have not stalled share three properties: they pair AI capability with human oversight, they let security and control requirements drive tool selection, and they choose deployment architectures that fit those requirements. These are choices about how the program is built and run, not about what technology was bought, and they are the choices that will separate programs that sustain from those that stall.

EMA’s Navigating the Identity Crisis contains the full data behind these findings, the governance principles informing them, and the benchmark organizations can use to position their own programs against peers.

For organizations whose control requirements include tenant ownership, data residency, or change-control authority, deployment architecture is part of the governance decision. Omada Identity Cloud Private delivers cloud-native identity governance inside the organization’s own cloud tenant, for the regulated and sovereignty-constrained segment the EMA data describes. To see what continuous, integrated identity governance with full tenant ownership looks like in practice, schedule a conversation with Omada.

Written by Robert Imeson
Last edited May 18, 2026

FREQUENTLY ASKED QUESTIONS

What do the EMA findings say about the importance of identity governance?

EMA’s findings show that identity governance is widely seen as essential, with 87% of organizations calling it very important. The research also shows that Identity Governance and Administration (IGA) investment is now driven mainly by security posture, which places prevention ahead of compliance, hybrid support, and workflow automation.

Why does breach risk increase when identity governance programs stall?

The data links scaled-back governance programs with much higher breach incidence. Among organizations that reduced IGA or Zero Trust efforts, 56.4% experienced an identity-related breach in the past year, compared with 18.7% of those that did not, which suggests that stalled governance allows exposure to build over time.

Why do Identity Governance and Administration programs stall if leadership still supports them?

The report says these programs usually stall because execution breaks down, not because strategy loses support. Organizations most often cite poor integration with existing systems, complexity of use, and difficulty scaling, which means the real test of IGA is whether it can be sustained in daily operations.

What risks build up when governance is paused or reduced?

The findings point to overprovisioning and privilege creep as the most pressing risks, ahead of insider threats. Access rights accumulate faster than reviews can correct them, roles expand beyond their original scope, and non-human identities grow across environments without consistent ownership, creating ongoing access drift.

What operating model does the article say can sustain identity governance?

The article says sustainable programs share three traits. They use artificial intelligence (AI) to reduce manual work while keeping humans accountable for decisions, let security and control requirements guide tool choice, and choose deployment models that match needs such as tenant ownership, data residency, and change-control authority.
