01 · Executive summary
Identity is the program that fails twice.
The first failure is technical. The second is operational. This year's report focuses on the second.
Across the 412 practitioners surveyed and the 184 engagements we delivered between January 2024 and April 2026, the pattern was the same: programs that shipped on time technically still failed at the second audit cycle. Reviewer fatigue collapsed certifications by month 9. Vendor switches absorbed engineering cycles that should have funded operational discipline. CISO turnover reset operating assumptions every 22 months.
The teams that succeeded shared three traits: risk-tiered certifications instead of monolithic quarterly cycles, evidence-as-code wired into the build pipeline rather than a screenshot routine at quarter-end, and a written exception policy that survived ownership changes. The rest of this report unpacks each.
The platform stops mattering by month 18. The operating model is what survives the second audit and the second CISO.
02 · Identity governance
Certifications fail by the second cycle.
Reviewer fatigue is structural — risk-tiering is the fix.
Certifications collapsed in 71% of programs we surveyed by their fourth cycle. Reviewer participation dropped under 70% by cycle three; by cycle five the rubber-stamp pattern was unmistakable. The platform was not the problem in any of the failure cases — programs running on SailPoint, Saviynt, and Microsoft Entra ID Governance failed at similar rates.
71%
of programs surveyed lost certification rigor by the fourth cycle, regardless of platform.
Source · askmeidentity 2026 Practitioner Survey, n=412
The architectural fix is risk-tiering
Programs that survived more than eight cycles applied a tiered cadence: monthly reviews on 5–10% of access (privileged + SOX-relevant), quarterly on 15–20% (sensitive functional), and annually on the standard tail under a written default-approve policy. Default-approve is defensible only because the tail contains nothing privileged or SOX-relevant by construction; the tiering rule, not the reviewer, is what the auditor tests. Reviewer load dropped by an order of magnitude in tier 3, and audit evidence improved in tier 1.
The work is policy work, not platform work. We have not seen a case where replacing the IGA platform fixed a tiering failure.
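The tiering rule as executable policy, added here as an illustration; it is not code from the report's engagements or from any IGA product. It classifies an entitlement inventory into the three tiers above, schedules each tier on its cadence, writes a decision record for the default-approved tail so the auditor still has evidence, and counts reviewer decisions per year against a monolithic quarterly review. The entitlement attributes (privileged, sox_relevant, sensitivity), the sample inventory and its 8/17/75 split are constructed assumptions.

```python
"""Risk-tiered certification scheduler.

Added example, not code from the report or from any IGA platform. It applies
the cadence the report describes: tier 1 (privileged or SOX-relevant) monthly,
tier 2 (sensitive functional) quarterly, tier 3 (standard tail) annually under
a written default-approve policy, and compares reviewer load with a monolithic
quarterly review of everything. Field names and the sample inventory are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    name: str
    user: str
    privileged: bool = False
    sox_relevant: bool = False
    sensitivity: str = "standard"   # "sensitive" or "standard" (assumed attribute)


CADENCE_MONTHS = {1: 1, 2: 3, 3: 12}   # review interval per tier, in months


def tier_for(e: Entitlement) -> int:
    """Tier 1 wins over tier 2: a SOX-relevant entitlement is monthly even if not flagged sensitive."""
    if e.privileged or e.sox_relevant:
        return 1
    if e.sensitivity == "sensitive":
        return 2
    return 3


def due_this_cycle(entitlements, as_of: date):
    """Entitlements whose tier fires in the month of `as_of`:
    tier 1 every month, tier 2 in Jan/Apr/Jul/Oct, tier 3 in January only."""
    return [e for e in entitlements if (as_of.month - 1) % CADENCE_MONTHS[tier_for(e)] == 0]


def decide(e: Entitlement, reviewer_decision: Optional[str] = None) -> dict:
    """Emit an auditable decision record. Tier 3 is approved by policy with the
    policy cited as the basis; tiers 1 and 2 require an explicit reviewer call,
    so a missing decision is an error rather than a silent approve."""
    t = tier_for(e)
    if t == 3:
        return {"name": e.name, "tier": 3, "decision": "approve",
                "basis": "default-approve policy, tier 3", "manual": False}
    if reviewer_decision not in ("approve", "revoke"):
        raise ValueError(f"tier {t} entitlement {e.name} needs an explicit reviewer decision")
    return {"name": e.name, "tier": t, "decision": reviewer_decision,
            "basis": "reviewer", "manual": True}


def manual_decisions_per_year(entitlements, tiered: bool) -> int:
    """Reviewer decisions per year: quarterly review of everything vs. tiered,
    where tier 3 costs the reviewer nothing (policy decides, record still written)."""
    if not tiered:
        return 4 * len(entitlements)
    return sum(12 // CADENCE_MONTHS[tier_for(e)]
               for e in entitlements if tier_for(e) != 3)


# Constructed 100-entitlement inventory: 8 tier 1, 17 tier 2, 75 tier 3.
SAMPLE = (
    [Entitlement(f"prod-admin-{i}", f"u{i}", privileged=True) for i in range(5)]
    + [Entitlement(f"gl-posting-{i}", f"u{i}", sox_relevant=True) for i in range(3)]
    + [Entitlement(f"hr-records-{i}", f"u{i}", sensitivity="sensitive") for i in range(17)]
    + [Entitlement(f"wiki-read-{i}", f"u{i}") for i in range(75)]
)

if __name__ == "__main__":
    for month in (1, 2, 4):
        print(f"month {month}: {len(due_this_cycle(SAMPLE, date(2026, month, 1)))} items due")
    print("monolithic quarterly:", manual_decisions_per_year(SAMPLE, tiered=False))
    print("tiered:", manual_decisions_per_year(SAMPLE, tiered=True))
```

On the constructed inventory the monolithic model costs 400 reviewer decisions per year and the tiered model 164, with the whole tail still producing a decision record that cites the policy as its basis. That record, not a reviewer's click, is what the auditor samples for tier 3.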
03 · Privileged access
JIT elevation eliminates 80–90% of standing privilege.
The remaining 10–20% lives in a written exception policy with named owners.
Privileged access programs that completed a full vault → broker → JIT arc reduced standing privilege by 80–90% within the first year. The teams that stalled at vault-only kept 60%+ of standing privilege intact — essentially relocating the credentials without changing the operating model.
86%
reduction in standing privilege when programs completed vault → broker → JIT, vs. 32% for vault-only.
Source · askmeidentity engagement data, 2024-2026 cohort
The pattern that ships
Programs that finished the JIT migration shared a written exception policy with named approvers and a quarterly access review for break-glass accounts. The policy is the artifact that survives a CISO change — not the platform configuration.
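An added example of the operating model the text describes, not the report's own code nor any PAM product's: a minimal JIT broker that issues time-bounded grants against a list of named approvers, keeps the break-glass accounts that stay standing in an exception register with a named owner and a review date for the quarterly break-glass review, and measures the standing-privilege reduction. Class names, the four-hour TTL ceiling, the example.com owners and the 50-account sample are constructed.

```python
"""JIT elevation broker with a written exception register.

Added example, not code from the report or from any PAM product. It models the
end state of the vault -> broker -> JIT arc: routine privileged use is a
broker-issued, time-bounded grant approved by a named approver, while the
exception register lists the break-glass accounts that stay standing, each
with a named owner and a review date for the quarterly break-glass review.
Class and field names, the TTL ceiling and the sample inventory are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

NOW = datetime(2026, 4, 1, 9, 0, tzinfo=timezone.utc)   # fixed clock for the sample


@dataclass(frozen=True)
class StandingException:
    account: str
    owner: str           # the policy requires a named owner, not a team alias
    reason: str
    review_due: datetime


@dataclass
class Grant:
    account: str
    role: str
    approver: str
    justification: str
    expires_at: datetime

    def active(self, now: datetime) -> bool:
        return now < self.expires_at


class JitBroker:
    MAX_TTL = timedelta(hours=4)   # assumed ceiling; policy-defined in practice

    def __init__(self, approvers: Set[str], exceptions: List[StandingException]):
        self.approvers = set(approvers)
        self.exceptions: Dict[str, StandingException] = {x.account: x for x in exceptions}
        self.grants: List[Grant] = []
        self.audit: List[dict] = []

    def request(self, account, role, justification, approver, ttl, now) -> Grant:
        """Issue a time-bounded grant or refuse; every refusal is audited too."""
        if approver not in self.approvers:
            self._log("denied", account, role, approver, "approver not named in policy", now)
            raise PermissionError(f"{approver} is not a named approver")
        if ttl > self.MAX_TTL:
            self._log("denied", account, role, approver, "ttl above ceiling", now)
            raise ValueError("ttl exceeds MAX_TTL")
        if not justification.strip():
            self._log("denied", account, role, approver, "missing justification", now)
            raise ValueError("justification required")
        g = Grant(account, role, approver, justification, now + ttl)
        self.grants.append(g)
        self._log("granted", account, role, approver, justification, now)
        return g

    def has_privilege(self, account, role, now) -> bool:
        """Standing only via the exception register; everyone else needs a live grant."""
        if account in self.exceptions:
            return True
        return any(g.account == account and g.role == role and g.active(now) for g in self.grants)

    def overdue_exception_reviews(self, now) -> List[str]:
        """Break-glass accounts whose quarterly review date has passed."""
        return sorted(x.account for x in self.exceptions.values() if x.review_due < now)

    def _log(self, outcome, account, role, approver, detail, now):
        self.audit.append({"at": now.isoformat(), "outcome": outcome, "account": account,
                           "role": role, "approver": approver, "detail": detail})


def standing_reduction_pct(before: Set[str], after: Set[str]) -> float:
    """Share of previously standing privileged accounts that no longer stand."""
    return round(100.0 * (1 - len(after) / len(before)), 1)


# Constructed: 50 accounts held standing admin before the program; 7 break-glass
# accounts remain standing afterwards, each owned and scheduled for review.
BEFORE = {f"svc-admin-{i:02d}" for i in range(50)}
EXCEPTIONS = [StandingException(f"breakglass-{i}", owner=f"owner{i}@example.com",
                                reason="DR console access when the IdP is down",
                                review_due=NOW + timedelta(days=90 if i else -1))
              for i in range(7)]
BROKER = JitBroker(approvers={"alice", "dana"}, exceptions=EXCEPTIONS)

if __name__ == "__main__":
    BROKER.request("carol", "prod-admin", "INC-0042 hotfix", "alice", timedelta(hours=1), NOW)
    print("carol now:", BROKER.has_privilege("carol", "prod-admin", NOW))
    print("carol +2h:", BROKER.has_privilege("carol", "prod-admin", NOW + timedelta(hours=2)))
    print("standing reduction:", standing_reduction_pct(BEFORE, set(BROKER.exceptions)), "%")
    print("overdue break-glass reviews:", BROKER.overdue_exception_reviews(NOW))
```

The two things that survive a CISO change live in data, not in the broker: the approver set and the exception register. A vault-only program has the same 50 accounts with the same standing privilege behind a different login; the reduction figure only moves when accounts leave the register and start going through `request`.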
04 · Zero-trust
Pilot scope determines whether the program ships.
Six-week single-workflow pilots ship; full-domain pilots stall.
We tracked 47 zero-trust pilots in our 2025-2026 cohort. Of the 14 that scoped a single high-risk workflow with rollback gates, 12 shipped to production within two quarters. Of the 33 that scoped "all production access" or wider, only 4 shipped — the rest stalled at the integration phase.
86% vs 12%
of pilots shipped when scoped to a single high-risk workflow with rollback gates, versus broader pilots.
Source · askmeidentity 2025-2026 zero-trust cohort, n=47
Pilot scope is the variable that determines whether a zero-trust program ships or stalls. We size to a single high-risk workflow — not a full domain.
05 · Audit readiness
Evidence-as-code is the multiplier.
Programs that built evidence-as-code reused 60–75% of artifacts across regulators.
The teams that built evidence-as-code in their first audit cycle reused 60–75% of evidence artifacts when scope expanded to the second framework (typically SOX → SOC 2 or FFIEC → FedRAMP). The teams that collected screenshots had to redo the work entirely.
The cost of evidence-as-code is roughly 1.4x the cost of a screenshot routine in cycle one — and 0.2x by cycle four. The compounding return is the entire reason it works.
75%
of audit evidence artifacts reused across regulators at the top of the 60–75% range, when programs implemented evidence-as-code from cycle one.
Source · askmeidentity engagement data, 2024-2026 cohort
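An added example of the evidence-as-code pattern, not code from the report or from any program in its cohort. One control check runs in the pipeline, its finding is hashed into a tamper-evident artifact, and a control crosswalk tags the artifact with the controls it supports in more than one framework, so adding the second framework reuses artifacts instead of re-collecting them. The crosswalk's control IDs, the check names, the ci-job source tag and the admin inventory are constructed placeholders; a real crosswalk has to cite the framework text.

```python
"""Evidence-as-code collector with a control crosswalk.

Added example, not code from the report or from askmeidentity. A control
check runs in the build pipeline, its finding is hashed into an artifact,
and a crosswalk maps that one artifact to controls in more than one
framework so the second audit reuses it instead of re-collecting.
The control IDs, check names and sample admin records are constructed
placeholders; verify any real mapping against the framework text.
"""
import hashlib
import json
from datetime import datetime, timezone

# One evidence check -> the controls it supports, per framework (placeholder IDs).
CROSSWALK = {
    "mfa-enforced-all-admins":    {"SOX": ["ITGC-AC-01"], "SOC2": ["CC6.1"]},
    "quarterly-access-review":    {"SOX": ["ITGC-AC-03"], "SOC2": ["CC6.2"]},
    "privileged-session-logging": {"SOX": ["ITGC-AC-05"], "SOC2": ["CC7.2"]},
    "change-approval-on-prod":    {"SOX": ["ITGC-CM-01"], "SOC2": ["CC8.1"]},
    "vendor-risk-review":         {"SOC2": ["CC9.2"]},
    "incident-response-test":     {"SOC2": ["CC7.4"]},
}

# Constructed sample: an admin inventory as an IdP export might look.
SAMPLE_ADMINS = [
    {"user": "alice", "factors": ["fido2", "totp"]},
    {"user": "bob",   "factors": ["sms"]},
    {"user": "carol", "factors": ["fido2"]},
]


def check_mfa_enforced(admins):
    """Control check: every admin holds a phishing-resistant (FIDO2) factor."""
    missing = sorted(a["user"] for a in admins if "fido2" not in a["factors"])
    return {"check": "mfa-enforced-all-admins", "population": len(admins),
            "missing": missing, "passed": not missing}


def _digest(finding) -> str:
    payload = json.dumps(finding, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def make_artifact(finding, collected_at, source):
    """Wrap a finding as a tamper-evident artifact tagged with every control it supports."""
    return {"check": finding["check"],
            "collected_at": collected_at.isoformat(),
            "source": source,   # e.g. the pipeline job id (assumed field)
            "sha256": _digest(finding),
            "payload": finding,
            "controls": CROSSWALK.get(finding["check"], {})}


def verify_artifact(artifact) -> bool:
    """Recompute the digest; a payload edited after collection fails this check."""
    return _digest(artifact["payload"]) == artifact["sha256"]


def evidence_pack(artifacts, framework):
    """Group artifact digests by control id for one framework's auditor."""
    pack = {}
    for a in artifacts:
        for ctl in a["controls"].get(framework, []):
            pack.setdefault(ctl, []).append(a["sha256"])
    return pack


def reuse_ratio(artifacts, first, second) -> float:
    """Share of the artifacts the second framework needs that the first already collected."""
    needed = [a for a in artifacts if a["controls"].get(second)]
    reused = [a for a in needed if a["controls"].get(first)]
    return len(reused) / len(needed) if needed else 0.0


def build_sample_artifacts(now=datetime(2026, 4, 1, tzinfo=timezone.utc)):
    """Run the real check, plus constructed pass findings for the other checks."""
    findings = [check_mfa_enforced(SAMPLE_ADMINS)]
    findings += [{"check": name, "passed": True}
                 for name in CROSSWALK if name != "mfa-enforced-all-admins"]
    return [make_artifact(f, now, source="ci-job-1234") for f in findings]


if __name__ == "__main__":
    arts = build_sample_artifacts()
    print(json.dumps(evidence_pack(arts, "SOC2"), indent=1))
    print(f"reuse SOX -> SOC2: {reuse_ratio(arts, 'SOX', 'SOC2'):.0%}")
```

The cycle-one cost in this model is the crosswalk and the digest, which a screenshot routine never pays. When the SOC 2 scope arrives, four of the six artifacts it needs already exist and verify, and the pipeline keeps collecting them on every run rather than at quarter-end.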
06 · Industry breakdown
What's different by vertical.
Financial services leads on PAM. Healthcare lags on zero-trust. Government leads on evidence.
Financial services
Highest PAM maturity in our cohort (median 3.8/5), driven by FFIEC IT Examination Handbook expectations and quarterly internal audit cycles. Lowest customer identity maturity — most banks treat retail platform identity as separate from workforce IAM.
Government
Highest evidence-as-code adoption (median 4.1/5), driven by FedRAMP ConMon obligations. Slowest cycle times — ATO timelines structurally multiply engineering effort.
Healthcare
Lowest zero-trust maturity in regulated industries (median 1.9/5). The HIPAA Security Rule does not explicitly require zero-trust patterns, and healthcare buying motions favor incremental MFA over architectural change.
07 · 2026-2027 outlook
What we expect to break next.
Three things to watch — each has at least one program in our cohort already navigating it.
- Passkeys as the workforce default. Phishing-resistant MFA becomes the audit-expected baseline by Q3 2026. Programs without a FIDO2 / passkey rollout plan will start drawing exam findings.
- AI agent identity. Service accounts for AI agents are the fastest-growing privileged surface we are seeing. Most IGA platforms do not yet handle them as a first-class concept; expect 2-3 vendors to ship distinct AI-identity controls in 2026-2027.
- Customer identity consolidation. The fragmentation between workforce and customer identity is becoming operationally expensive. Programs are starting to pick a single stack (typically Okta + Auth0, or Microsoft Entra workforce + Entra External ID) for both.
08 · Methodology
How the report was built.
Engagement data. 184 engagements delivered between January 2024 and April 2026 across financial services, government, healthcare, and technology verticals. Identifiers anonymized; scoring rubric mapped to the 5 IAM domains used in the askmeidentity maturity assessment.
Practitioner survey. 412 respondents from 18 industries. Survey ran February-March 2026. Respondents self-identified as IAM practitioners with at least 2 years of in-role experience. Median tenure 8 years.
Disclosure. askmeidentity is a vendor-neutral consulting firm. We hold partnerships with multiple IAM vendors. No vendor compensated inclusion or commentary in this report.
For the full data set or to request a private briefing, contact our practice.