Enterprises may be more confident about identity security than they should be.
A new report from the FIDO Alliance and HID finds a striking disconnect between how organizations perceive their ability to manage employee access and what actually happens when workers leave. While nearly all surveyed organizations believe they can revoke physical and digital access within 24 hours, more than one-third admit they have failed to do so in practice.
The findings, published in The State of Physical and Digital Identity in the Enterprise, highlight growing concerns around fragmented identity governance, disconnected authentication systems, and slow adoption of phishing-resistant technologies at a time when cyber threats continue to intensify.
Based on a survey of 500 IT and cybersecurity decision-makers across North America and Europe, the report paints a picture of organizations struggling to keep pace with increasingly complex identity environments.
Confidence Is High. Security Incidents Are Higher.
The headline statistic is hard to ignore.
According to the research:
- 94% of organizations say they are confident they can revoke all physical and digital access within 24 hours of an employee leaving.
- 35% experienced delays or failures in access revocation during the past two years.
- 70% suffered at least one identity-related security incident during the same period.
That gap between confidence and execution reveals a persistent challenge for modern enterprises.
Organizations have spent years investing in identity and access management technologies, but many continue to rely on fragmented processes that leave gaps in employee offboarding and credential management.
In practice, even a small delay in revoking access can create opportunities for unauthorized entry, data exposure, or insider threats.
As organizations expand remote work, hybrid environments, and digital operations, those risks become increasingly difficult to manage.
Identity Governance Remains Deeply Fragmented
One of the report’s most concerning findings is the lack of unified ownership over identity management.
Despite identity security becoming a board-level issue, many organizations still manage physical and digital access separately.
The research found:
- Only 50% of organizations have unified reporting ownership for physical and digital identity.
- Just 48% maintain consolidated budget responsibility across both functions.
This fragmentation often creates operational blind spots.
Physical access systems, such as employee badges and facility credentials, are frequently managed separately from digital identity platforms that control application and network access.
When those systems operate independently, organizations risk inconsistent policies, delayed deprovisioning, and limited visibility into employee access rights.
The challenge is particularly acute in highly regulated industries.
Among surveyed sectors, finance showed some of the most fragmented governance structures despite strict regulatory requirements surrounding access control and risk management.
Organizations Are Managing Too Many Identity Systems
Complexity continues to be one of the biggest obstacles to effective identity security.
According to the report:
- 59% of enterprises manage three or more separate credential and authentication systems.
- 58% say digital identity management has become more complex over the past two years.
This trend reflects broader changes in enterprise technology.
Organizations now manage a mix of cloud applications, on-premises systems, mobile devices, remote workers, contractors, and third-party vendors—all requiring different forms of authentication and access control.
Each additional identity platform introduces new administrative challenges and potential security vulnerabilities.
The result is an environment where maintaining consistent security policies becomes increasingly difficult.
As organizations scale, identity sprawl is emerging as a significant operational and cybersecurity risk.
Public Sector Faces the Greatest Identity Risk
Among all industries surveyed, the public sector reported the highest levels of identity-related challenges.
The research found:
- 43% of public sector organizations experienced access revocation failures.
- Public agencies reported a 20% manual credential revocation rate, more than double that of the IT and technology sector.
The findings are significant given the sensitive nature of government data and public sector operations.
Many government agencies continue to rely on legacy infrastructure, complex organizational structures, and manual processes that can slow identity lifecycle management.
As cyberattacks targeting government institutions become more sophisticated, modernizing identity governance is becoming an urgent priority.
The data suggests many public sector organizations still have substantial work to do.
Passkeys Are Growing, But Deployment Remains Limited
The report also highlights a familiar challenge in enterprise security: awareness is not translating into implementation.
Passkeys have emerged as one of the industry’s most promising phishing-resistant authentication methods, eliminating reliance on traditional passwords while improving user experience.
Adoption appears strong on paper:
- 93% of organizations are at some stage of passkey adoption.
- 65% report high or expert-level familiarity with the technology.
However, only 13% have deployed passkeys at scale across their organizations.
That gap may help explain why identity-related security incidents remain widespread.
According to FIDO Alliance Executive Director and CEO Andrew Shikiar, partial implementation limits the security benefits passkeys are designed to provide.
Threat actors target the weakest points within organizations, meaning selective deployment leaves vulnerable areas exposed even when some users are protected.
Phishing Resistance Tops Enterprise Priorities
The push toward passwordless authentication is being driven by more than convenience.
Organizations increasingly view phishing-resistant technologies as critical defensive measures against credential theft and account compromise.
Survey respondents cited the following as the primary reasons for adopting passwordless authentication solutions:
- Reducing phishing and credential-based breach risk (45%)
- Reducing password-reset and help desk costs (44%)
The findings align with broader cybersecurity trends.
Credential theft remains one of the most common attack vectors used in ransomware incidents, business email compromise schemes, and data breaches.
As attackers become more sophisticated, organizations are increasingly looking beyond passwords and multi-factor authentication toward stronger identity protections.
Identity Security Is Becoming a Governance Issue
Perhaps the most important takeaway from the report is that identity management is no longer solely a technology challenge.
According to HID, identity security is evolving into a governance issue that requires cross-functional coordination between security, IT, HR, facilities, and executive leadership.
Modern organizations must manage:
- Physical building access
- Digital credentials
- Workforce onboarding
- Employee offboarding
- Third-party access
- Compliance requirements
- Identity lifecycle management
Treating these responsibilities as separate functions creates operational inefficiencies and increases security risks.
The report suggests organizations that unify physical and digital identity management may be better positioned to reduce incidents, improve visibility, and respond more effectively to workforce changes.
Why This Matters
The FIDO Alliance and HID research exposes a critical reality facing today’s enterprises: confidence in identity security often exceeds actual preparedness.
Despite widespread awareness of access management risks, many organizations continue to operate fragmented identity ecosystems that make employee lifecycle management more difficult and less secure.
At the same time, the report reveals a significant implementation gap around passkeys and phishing-resistant authentication. While most organizations recognize the value of passwordless security, few have deployed it comprehensively enough to realize its full benefits.
As cyber threats grow more sophisticated and workforce environments become increasingly distributed, identity management is evolving from a technical function into a strategic business priority.
Organizations that unify governance, simplify authentication systems, and accelerate modern identity adoption may be best positioned to reduce risk in the years ahead.
The message from the data is clear: knowing what needs to be done is no longer the challenge. Executing it consistently at scale is.