Part 1 of 3

By Vidyaa Ganesh

Five independent sources, 2,000+ respondents, one conclusion: most organizations cannot measure their IAM maturity. And that is a problem.

Identity and access management has become one of the most consequential areas of enterprise security. The IDSA’s 2024 survey of 521 security professionals found that 90% of organizations experienced at least one identity-related security incident in the prior 12 months, with 84% reporting direct business impact. IBM’s 2025 Cost of a Data Breach report, based on 600 organizations and over 3,400 interviews, puts the global average breach cost at $4.88 million, with compromised credentials remaining the most common initial attack vector.

These numbers create obvious pressure for organizations to invest in IAM. And they are investing. But a harder question follows: how do you know whether your IAM program is actually working? How do you measure where you stand relative to your industry, track improvement over time, or communicate your posture to a board of directors in terms that hold up to scrutiny?

The honest answer, as of early 2026, is that most organizations cannot do any of these things reliably. There is no widely accepted, vendor-neutral framework for measuring IAM maturity. What exists instead is a patchwork of vendor-specific models, consultant-developed scorecards, and ad hoc approaches that vary from one engagement to the next. The measurements produced by these approaches cannot be compared across organizations, across time, or even across different consultants assessing the same organization.

This is the first installment in a three-part series examining this problem. In this piece, we look at what the published research actually says about where organizations stand. In Part 2, we survey the frameworks currently in use and analyze why no standard has emerged. In Part 3, we propose design principles that a credible, community-adopted standard would need to follow.

What Published Research Tells Us

Before discussing what a standard should look like, it is worth understanding what the data actually says about where organizations stand. Several independent research efforts have attempted to measure IAM maturity across large populations, and their findings tell a remarkably consistent story.

SailPoint Horizons of Identity Security (2025-2026)

SailPoint’s annual Horizons research surveyed 375 IAM decision-makers across North America, Europe, Asia, and Latin America. The study evaluates organizations across four enablement areas (strategy, technology and tools, operating model, and talent) covering 60 IAM capabilities, then assigns each organization to one of five maturity horizons using a clustering algorithm.

The headline finding is striking: over 40% of organizations remain at Horizon 1, the lowest maturity level. These are organizations where identity is not a strategic focus, capabilities are highly immature, and there is no centralized operating model for managing identities across the organization. When you include Horizon 2, the number climbs to roughly 63% of organizations stuck at the bottom two tiers.

Industry breakdowns reveal meaningful variation. In financial services, 34% are at Horizon 1, with 13% reaching Horizon 4 or above. In technology, the distribution is bimodal: 46% at Horizon 1, but 15% at Horizon 4 or higher, reflecting a split between early-stage companies with minimal IAM investment and mature enterprises with sophisticated programs.

Ponemon Institute and GuidePoint Security (2025)

The Ponemon Institute, in partnership with GuidePoint Security, surveyed 626 IT professionals on the state of IAM maturity in 2025. On a 10-point effectiveness scale, only 50% of respondents rated their IAM tools as effective (scoring 7 or higher). Just 23% qualified as high performers, rating their effectiveness at 9 or 10.

The study also found that 50% of organizations experienced an identity-related incident in the prior 12 months. Even among high performers, 39% still experienced incidents, compared to 58% for others. Manual processes remain dominant: 34% of organizations still use spreadsheets for access reviews, and only 17% use an identity governance platform for this purpose.

IDSA Trends in Identity Security (2024)

The Identity Defined Security Alliance surveyed 521 qualified security professionals at organizations with 1,000 or more employees. The findings reinforce the pattern: 90% experienced an identity-related incident, 84% reported direct business impact, and 91% invoked their incident response plans for identity-related events.

When asked to self-assess their maturity, only 8% of respondents placed their organization at the highest level. The majority clustered in the middle tiers, suggesting widespread acknowledgment that current capabilities are insufficient.

Other Sources

Bravura Security, in partnership with Gartner Peer Insights, conducted a smaller study of 100 IT leaders across North America and EMEA using a four-level maturity scale. Their finding: the average organization falls between levels 2 and 3 on a four-point scale, consistent with the other sources.

Simeio’s State of Identity research, covering 80 measures across industries, found a cross-industry average maturity of 2.4 on a five-point scale. Financial services scored highest at approximately 2.6, with healthcare and public sector trailing.

What the Data Tells Us

Five independent research efforts, using different scales, different sample sizes, and different methodologies, converge on the same conclusion: the majority of organizations, somewhere between 60% and 70%, remain at early-to-mid stages of IAM maturity. The consistency across sources is significant. This is not one vendor telling a convenient story. It is a pattern that holds up regardless of who is asking the question or how they frame it.

Table 1. Cross-source validation of IAM maturity findings

NEXT IN THIS SERIES

Part 2: A Landscape of Incompatible Approaches

Several maturity frameworks exist in the IAM space. Each offers something useful. None has achieved the status of a shared standard. We examine why.

Endnotes

1. Identity Defined Security Alliance, 2024 Trends in Securing Digital Identities (IDSA, 2024), 521 respondents.

2. IBM Security, Cost of a Data Breach Report 2025 (Ponemon Institute Research, 2025), 600 organizations, 3,470 interviews.

3. SailPoint Technologies, The Horizons of Identity Security 2025-2026 (SailPoint, July 2025), 375 IAM decision-makers.

4. SailPoint, Horizons 2025-2026, Exhibit 7, p. 15.

5. Ponemon Institute and GuidePoint Security, The State of Identity and Access Management (IAM) Maturity (May 2025), 626 IT professionals.

6. Identity Defined Security Alliance, 2024 Trends in Securing Digital Identities (IDSA, 2024).

7. Bravura Security and Gartner Peer Insights, IAM & PAM Maturity Survey (Bravura Security, 2024), 100 IT leaders.

8. Simeio, State of Identity 2024 (Simeio Solutions, 2024).

Disclaimer: The views expressed in the content are solely those of the author and do not necessarily reflect the views of the IDPro organization.

About the Author

Vidyaa Ganesh is a Senior IAM Engineer and a solutions architect with over six years of experience delivering identity governance programs for financial services, energy, telecommunications, and public sector clients. She holds a Master of Engineering from Concordia University, is a member of IDPro, and is the creator of AXIS (axis.identara.ca), an open IAM maturity assessment framework.

The post The Measurement Problem appeared first on IDPro.