Confidence In Identity Governance is High. Evidence of Execution is Not.

Blog Summary

Enterprises are moving identity governance into Zero Trust and AI-driven operations, but most still prove activity more easily than they prove reduced risk. This blog argues that as non-human identities and AI agents expand, fragmented data, weak ownership, and dashboard metrics centered on throughput leave leaders confident without clear evidence of execution, which makes continuous, measurable governance the new control requirement.

Omada’s State of Identity Governance 2026, based on a survey of nearly 600 identity, access management, and cybersecurity professionals at U.S. enterprises, examines how this gap is forming and what closing it will require.

Intent and investment are real. Identity is now widely recognized as a critical security control. More than 80% of leaders report concern about every major identity threat category, with AI-driven threats viewed at levels comparable to credential theft and phishing. IGA budgets continue to expand to meet those threats.

Execution has not kept pace. Automation and AI now drive most access decisions, and the governance models leadership relies on were not built for that world. Reporting still tracks activity rather than risk, identity data remains fragmented across platforms, and no single team owns or sees the full set of non-human identities.

Identity governance is shifting from a periodic, human-paced control function to a continuous, machine-paced operating layer that decides who and what can act inside the enterprise. Organizations that recognize the shift early will treat identity governance as a control surface that can be measured, integrated, and owned. Those that do not will lose the ability to explain and defend the access decisions being made across their environment.

Confidence is not the same as evidence

Risk reduction and compliance efficiency are the dominant drivers of IGA investment, with more than six in ten organizations citing each as a primary reason for spend. That investment has translated into measurable confidence: three quarters of respondents strongly agree that identity security is central to their cybersecurity strategy, and roughly half strongly agree their IGA solutions identify risky behavior, adapt to new business requirements, and support compliance reporting.

Confidence of this kind reflects belief in capability rather than evidence of consistent execution. Agreement that a solution identifies risky behavior is not the same as data showing how often risky behavior is detected before it becomes an incident. As identity environments grow more dynamic and more automated, feeling confident and being able to demonstrate control become two different things, and only one of them scales.

Executive reporting tracks activity, not risk

Executive reporting is most mature around the operational mechanics of identity. Roughly seven in ten organizations regularly track provisioning and deprovisioning timeliness for senior leadership, and incident counts and audit readiness are reported nearly as consistently.

Leading indicators of identity risk are tracked far less uniformly. Privileged access governance coverage, mean time to revoke access after termination, and the count of orphaned or unused accounts each appear on substantially fewer executive dashboards, with a meaningful share of organizations describing them as planned rather than current practice.

As a result, boards see a clear picture of yesterday’s program performance and a partial picture of today’s risk posture. Accumulating privileged access, dormant accounts, revocation delays, and ungoverned non-human access sit beneath that lens, building exposure that the dashboard was never designed to surface. Incident response is only as fast as the visibility that feeds it.

Zero Trust adoption is not Zero Trust execution

The need for Zero Trust adoption is no longer in question. Nearly half of organizations describe their identity governance programs as fully integrated with Zero Trust principles, and the remainder report some level of integration.

Yet integration in principle does not always mean enforcement in practice. Four in ten organizations cite inconsistent APIs and documentation as the leading obstacle to Zero Trust governance, and a quarter cite the lack of shared standards for how systems exchange security data. Together, these gaps prevent the continuous, real-time evaluation Zero Trust requires.

Individual systems may enforce Zero Trust decisions correctly while the organization still lacks the unified picture leadership needs. Zero Trust is an operating model, not a control, and it depends on identity, security, and governance systems that work as one.

Non-human identities outnumber humans, yet no single team owns them

Non-human identities now outnumber human identities across most enterprises. Executives report ratios of fifty to one or higher far more often than the practitioners managing those identities day to day do, suggesting most organizations are underestimating their own scale.

Ownership has not kept pace with the growth. Most organizations report accountability shared across security, IAM, DevOps, and several other functions. The result is an identity estate governed in pieces by everyone and as a whole by no one.

The same pressure driving non-human identity growth is now driving identity teams toward AI as the solution. More than six in ten organizations are using GenAI to automate identity lifecycle processes, with comparable adoption in threat detection, compliance reporting, and access reviews. The motivation is operational: manual processes cannot keep pace with environments scaling at machine speed.

Where GenAI accelerates what identity teams already do, agentic AI takes the next step and makes access decisions on its own. More than eight in ten organizations are using or piloting agentic AI today, and security is the top concern associated with it. Yet credential management for AI agents remains uneven. Static credentials and shared accounts are still common, and executive respondents report stronger practices than the teams running those agents day to day. Read together, the data describes agentic AI not as a future risk to plan for, but as one that needs to be planned for today.

From periodic control to continuous operating layer

Closing the execution gap requires governance built for the environment IGA now operates in. That environment is continuous, machine-paced, and populated by identities that act on their own. Identity governance has to operate as a continuous control surface, one that measures exposure rather than throughput, integrates the systems that today work in isolation, and accounts for identities no single team owns.

For identity and security leaders, the report offers both a benchmark and a roadmap. A benchmark because the data shows where peers actually stand, separate from where they believe they stand. A roadmap because the gaps the research surfaces are the same ones that will separate organizations governing the next phase from those governed by it. The next phase will not be defined by whether identity is important. It will be defined by whether it is governed at the speed and scale at which it now operates.

Omada’s State of Identity Governance 2026 examines how identity programs at nearly 600 U.S. enterprises are handling the shift to continuous, machine-paced governance. The report covers executive reporting practices, Zero Trust integration, non-human identity ownership, and the state of agentic AI governance, with the data behind each and the benchmark against your peers. To see what continuous, integrated governance across human, non-human, and AI agent identities looks like in practice, schedule a conversation with Omada.

Written by Robert Imeson
Last edited May 18, 2026

FREQUENTLY ASKED QUESTIONS

What is the main finding from Omada’s State of Identity Governance 2026?

The report’s central finding is that confidence in identity governance is high, but evidence of consistent execution is much harder to show. Many organizations say identity security is central to their cybersecurity strategy, yet their reporting and governance practices often do not prove that risk is being reduced in a measurable way.

Why is confidence in identity governance not enough on its own?

Confidence reflects belief that current tools and programs can manage identity risk, but it does not show whether those controls work consistently in practice. As identity environments become more automated and dynamic, organizations need evidence that risky behavior is detected, access is governed effectively, and decisions can be explained and defended.

How does executive reporting contribute to the execution gap?

Executive reporting is described as more mature around operational activity than around identity risk. Many organizations regularly report metrics like provisioning timeliness, deprovisioning timeliness, incident counts, and audit readiness, while leading indicators such as privileged access coverage, revocation speed after termination, and orphaned accounts appear less consistently on executive dashboards.

What does the report say about Zero Trust and identity governance?

The report says Zero Trust adoption is widespread, and many organizations consider identity governance integrated with Zero Trust principles. At the same time, it notes that integration in principle does not always lead to enforcement in practice because inconsistent APIs, weak documentation, and limited shared standards make continuous, real-time evaluation harder to achieve.

What practical governance challenge is emerging with non-human identities and AI agents?

The report describes non-human identities as outnumbering human identities across most enterprises, while accountability for them is often spread across multiple teams rather than clearly owned by one function. It also says organizations are increasingly using GenAI and piloting agentic AI, which makes continuous governance, stronger credential management, and clearer ownership more urgent.
