
SailPoint Horizons of Identity Security Report 2023 SP2336


Report

The Horizons of Identity Security
How digital identity secures and fuels business value
State of identity report 2023-2024


In collaboration with

Executive summary
Identity is the most important security capability that every organization must
get right. The expansion of workloads into the cloud and widespread adoption
of SaaS solutions, coupled with the growing sophistication of cybersecurity
attacks utilizing advanced techniques and AI, has rendered traditional network
perimeter-based security ineffective. With 90% of organizations experiencing
an identity-related incident in the last year, identity security programs are the
critical line of defense against potentially existential threats to the
business.

But cybersecurity risk is not the only pressure businesses are facing – there are
also increasing expectations from employees, business partners, and customers
to have trusted and seamless digital identity experiences.

A trusted and seamless digital identity capability continues to be a big leap for
many companies. Our latest survey shows 44% of companies are still at the
beginning of their identity journeys, often lacking foundational governance
and holistic visibility into the identities in their environment.

However, those that have made the leap achieved significant business impact.
One large bank accelerated the speed at which it migrated applications to the
cloud by 20% through faster provisioning of developer and machine access to
cloud infrastructure. Another financial services firm managed to reduce the time
frontline managers spent completing user access certifications by 80% through
automation based on AI-driven risk assessment – freeing them up to focus on
revenue-generating activities. An oil & gas company shortened employee and
partner onboarding from >2 weeks to less than a few hours. And a major process
manufacturer reduced IT operations expense by $1M annually by automating
self-service access requests in their IGA solution.

The key for companies that successfully harnessed identity capabilities to
secure and enable their businesses was the ability to identify and communicate
their investment value. But most security professionals are failing to build
this business case – with 91% of our survey respondents citing a “constrained
budget” as a primary obstacle to investment, and 77% citing “limited executive
sponsorship or focus”. This report, along with highlighting trends in digital
identity and providing insight into the journey to identity maturity, outlines how
sponsors of identity security can build compelling business cases that articulate
how investments in identity security will not only reduce risk but also drive value
within the context of the business.

Building off last year’s “Horizons of Identity Security” report
Last year, SailPoint surveyed IAM decision-makers across the globe to define the
future of identity and capabilities across the different horizons of the identity
journey.

Four technology advancements were identified that would impact the future of
digital identity: AI-backed dynamic trust models, integrated identity programs,
universal ID, and frictionless access.

Organizations were then grouped into five horizons based on their strategy,
talent, operating model, and technology capabilities:
• At Horizon 1, the lowest maturity, companies lack the strategy and
technology to enable digital identities
• Those at Horizon 2 have adopted some identity technology but still
rely heavily on manual processes
• Organizations at Horizon 3 have adopted identity
capabilities at scale
• Those at Horizon 4 have automated capabilities at scale
and use AI to enhance digital identities
• Horizon 5 is closest to the future of identity, where boundaries are blurred
between enterprise identity controls and the external identity ecosystem and
identity supports the business in next-gen technology innovations

Identity security professionals and technology executives leveraged our analysis
and maturity assessment tool to spark conversations on identity security and
drive awareness and investment into identity within their organizations.

As companies started evaluating their horizon maturities, we also realized there
was more to this story, including:
• Timelines to scale and typical barriers: Organizations at the beginning of
their identity journeys are eager to learn more about (1) the barriers their
peers face and what those journeys have looked like and (2) how they can
accelerate their own maturity journey to deliver faster value at a lower cost.
• Comprehensiveness of capability coverage: Many of the mature
organizations we spoke to felt that they had strong identity security
programs due to the fact that they have invested in developing advanced
capabilities such as AI-driven provisioning. However, many didn’t realize just
how few of the identities, data, apps, and infrastructure in their environment
were actually governed by those capabilities – resulting in unexpected risk
exposure and missed value opportunity.

In this report, we took our analysis further by exploring the identity-related
capabilities companies are investing in, the coverage of those capabilities,
timelines to scale, and typical barriers faced (and how to overcome them).

What we found
Our August 2023 survey gathered insights from identity security decision-makers,
including CIOs, CISOs and Directors of Identity, at more than 375 companies across
the globe. This is what we found:
• Security professionals are failing to adequately communicate the business
value of identity, with survey respondents citing a “constrained budget” as
the primary obstacle to investment, closely followed by “limited executive
sponsorship or focus”. Identity security advocates need to build executive-
friendly business cases that are tailored to their audiences’ strategic priorities
and quantify value.
• Nearly half of all companies are still in the early stages of their identity-
security journey at Horizon 1. Although about 8% of organizations made the
jump from Horizon 2 to Horizon 3 over the last year, only about 1% broke out of
Horizon 1. These results reveal that the barriers at the start of the identity journey
are often the most difficult to overcome, and that those organizations in Horizon 2
that made strategic investments in foundational identity capabilities were able
to successfully advance to Horizon 3.
• Low-maturity companies should not be afraid to adopt advanced capabilities.
Although adoption rates (i.e., % of companies that have adopted a given
capability) vary widely (from 15-90%) depending on capability complexity and
company maturity, capability coverage (i.e., the % of relevant identities, apps,
data, and infrastructure covered by a given capability) remains consistent
(at 50-70%). In other words, immature companies achieve similar success as
mature companies when scaling advanced capabilities.
• Developing a robust operating model, managing technical debt (e.g., on-
prem deployed legacy applications), and building a strong business case are
critical to breaking through Horizon 1.
• Across maturity horizons, companies need to improve the coverage of their
identity capabilities or face significant risk exposure. Even mature companies
cover less than 70% of the identities in their organization through foundational
governance capabilities (with particular gaps around 3rd party identities,
machine identities, and data). As identities grow by 6-10% in the next 3 years,
those that don’t scale rapidly will fall further behind.
• Limited access to talent is a universal challenge facing identity security
programs, particularly small and medium-sized companies. Identity security
skills are niche and hard to build; not only must identity security professionals
become experts in the tools and processes to secure an organization, they
need to have expertise in all the systems, data, and processes that they protect
– all of which vary by industry.
• Companies leveraging SaaS, AI, and automation scale 10-30% faster and get
more value from their investment through increased capability utilization.

Concluding statement
Companies that clearly communicate the business case for identity with an
execution roadmap can win executive buy-in. But compelling business cases
and roadmaps cannot be generic – they must be tailored to the business
and the maturity of the identity program. They should also undergo periodic
updates to incorporate new insights and adapt to changes in the business and
technology landscape. As companies start their journey, their program choices
will depend on their maturity. Immature companies should aim to “leapfrog” to
advanced capabilities that leverage SaaS, AI, and automation, which will help
them scale faster. Mature companies should prioritize scaling the coverage of
their capabilities to build holistic identity security programs that encompass
on-premises, cloud, SaaS, data, third parties, machines, and APIs.

Companies that can build these holistic programs will gain competitive
advantages as they become more nimble and more resilient in an increasingly
interconnected and diverse identity landscape.


Chapter 1: Advances in technology will shape the future of identity

Last year, we showed how the future of identity will be defined by integrated identity programs, dynamic
trust models, universal identities, and frictionless access – with privacy, transparency, and user
experience acting as threads in a common fabric across all four.

• Integration across technology environments including cloud, SaaS, application programming
interfaces, and data
• Dynamic trust models that evolve based on behavior and interactions
• Universal identities that can merge with federated access across domains and geographies
• Frictionless access that is dynamic, automated and code-driven

Over the past year, three things have become clear:

• “Federated identities” will be the practical means of achieving verifiable credentials and “Universal
ID”: We see a trend towards identity coalescence and desire for a unified identity experience.
Verifiable credentials, such as government-issued or trusted third-party identities, will play a critical
role in simplifying and linking identity experiences across different contexts. However, we also see an
acceptance that no single credential will replace all of a user’s identities. Instead, groups of identities
will be linked across identity management systems (such as through identity wallets) to provide
seamless user experiences.
• Mature enterprises are externalizing their Authentication and Authorization: Leading companies
are externalizing AuthNZ across their applications to their enterprise directories (e.g., Azure AD), with
exceptions for some legacy applications. This simplifies establishing a strong IAM control within the
enterprise as well as applying analytics and informing risk-based decisions.
• AI is a central enabler across all elements: Supporting any of these technology trends through hard-
coded logic and manual effort will be intractable, given the explosion of identities and information.
Organizations will need AI to understand and manage these complex relationships and datasets.

For companies that adopt future-looking identity strategies leveraging these advancements, identity
will blur boundaries between enterprise identity controls and external identity ecosystems, act as a pillar
of an organization’s broader innovation strategy, and be a foundation on which organizational risk &
resilience depends.

Exhibit 1: The future of identity will be defined by four key elements

Central theme: Empowering business through identity

1. Integrated identity program
• Identity as the common link across environments (hybrid, cloud, SaaS), apps, devices, machines, APIs, and data
• Identity program is integrated with data, cloud, and DevSecOps and enables business transformation and tech innovation
• Easy to scale cloud solutions are becoming mainstream and shortening timelines to adopt & scale

2. Dynamic trust models [AI]
• Access trust evolves dynamically based on identity’s behavior and interactions
• AI models that understand interactions across identities and environment and adjust access accordingly
• Zero trust architecture getting top priority and increasing investments in security programs

3. Federated identities
• Identities (employee, digital personas, machines, legal entities, business network, and end customers) to coalesce with federated access, creating identity groups across domains and geographies
• Development of decentralized identity protocols will take time; however, governments and trusted 3rd parties have accelerated movement towards becoming verified federated digital identity providers

4. Frictionless access [AI]
• Access will be automated, policy driven, and seamless
• Password-less authentication becomes the norm with seamless user experience - Ubiquity of mobile device, biometrics, and the ease of adoption are driving seamless passkey creation, custodianship, and authentication
• Automated privileged access management via just in time access

[AI] = Highly impacted by Artificial Intelligence

Privacy, customer experience, trust, and AI are the common fabric spanning these four elements
• Artificial Intelligence: Accelerated adoption of AI in identity security, including the use of AI ‘copilots’ and decision-support models, will enhance security and user experience. Additionally, there’s an increased focus on improving developer efficiency for building and maintaining scalable identity security platforms. However, this increased AI adoption also introduces risks, such as the potential for AI-driven identity compromise or social engineering attacks, emphasizing the need for better visibility, monitoring, and transparency in AI models and data security.
• Privacy, transparency, and user experience: Identity technologies will adapt to evolving regulations and user demands for privacy, incorporating new technologies like zero knowledge proofs, with an emphasis on enhancing the user experience.

Exhibit 2: The last 12 months have witnessed significant technological progress across the four key elements shaping the future of identity

Integrated identity program
• National cyber strategy was published by the White House in March 2023, outlining how to build and enhance collaboration around five key pillars (i.e., defending critical infrastructure, investing in resilient future, etc.) [1]
• Fortune 500 financial institutions could generate $60 to $80 billion in run-rate EBITDA by migrating to cloud by 2030 driving the need to secure access in cloud [2]
• The U.S. SEC adopted rules requiring companies to disclose material cyber incidents within 4 days of determining materiality and to periodically disclose their cybersecurity risk management strategy and governance [3]

Frictionless access
• In a 2023 FIDO report 44% of surveyed customers reported they used biometrics to log into accounts. In response to this rapid adoption, the FTC issued guidelines on how to avoid exposing users to associated risks from biometrics (e.g., stalking, reputational harm) [4, 5]
• Consumer readiness for passkeys is up nearly 20% from last year with 57% of respondents indicating they were interested in using passkeys as major companies such as Google, Apple, and PayPal begin to enable functionality [4]

Dynamic trust models
• Google announced security enhancing controls through new zero-trust and digital sovereignty controls [6]
• In 2022, the US mandated the implementation of a federal zero trust strategy, requiring agencies to implement role based access control and centralized access management by the end of 2024 [7]
• The Department of Defense (DoD) released a Zero Trust strategy guide outlining guidelines for the advancement of Zero Trust capabilities and technology [8]

Federated identities
• A growing number of national and state government entities in the US, Australia, South Korea and various other countries have begun piloting mobile drivers licenses
• Several initiatives and projects have been launched to promote the use of verifiable credentials, including the OpenID Connect authentication protocol, the Verifiable Credentials pilot initiated by the World Wide Web Consortium, and the European Commission’s pan-European digital identity initiative [9, 10]

Privacy, transparency, and user experience
• California Privacy Rights Act (CPRA) became effective for California in January 2023, enforcing new GDPR-inspired statutes [11]
• The Health and Human Services Department proposed Health Data, Technology and Interoperability act which was partially focused on algorithm transparency and information sharing in April of 2023 [12]

Artificial intelligence
• US Government announced new investment to power responsible American AI and development on topics such as education and cybersecurity [13]
• 42% of digital forensics and incident response professionals are concerned that evolving cyberattack techniques pose a major problem to their investigations [14]
• CrowdStrike launched Charlotte AI, a new generative AI tool to help users understand potential security issues, hunt for threats, automate mundane tasks, etc. [15]

1. https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf
2. https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/three-big-moves-that-can-decide-a-financial-institutions-future-in-the-cloud
3. https://www.sec.gov/news/press-release/2023-139
4. https://www.biometricupdate.com/202305/consumers-ready-for-passwordless-technology-and-prefer-biometrics-fido-alliance-report
5. https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-warns-about-misuses-biometric-information-harm-consumers
6. https://workspace.google.com/blog/identity-and-security/accelerating-zero-trust-and-digital-sovereignty-ai
7. https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf
8. https://dodcio.defense.gov/Portals/0/Documents/Library/DoD-ZTStrategy.pdf
9. https://openid.net/developers/how-connect-works/
10. https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/european-digital-identity_en
11. https://thecpra.org/
12. https://www.federalregister.gov/documents/2023/04/18/2023-07229/health-data-technology-and-interoperability-certification-program-updates-algorithm-transparency-and
13. https://new.nsf.gov/news/nsf-announces-7-new-national-artificial#:~:text=The%20U.S.%20National%20Science%20Foundation,National%20Artificial%20Intelligence%20Research%20Institutes
14. https://www.techrepublic.com/article/digital-forensics-incident-response-most-common-dfir-incidents/
15. https://www.crowdstrike.com/blog/crowdstrike-introduces-charlotte-ai-to-deliver-generative-ai-powered-cybersecurity/

Chapter 2: Communicating the business value of identity is essential

There is a steep cost to not investing in identity security. Inaction could mean falling short on strategic
priorities such as digital transformations, cloud migrations, mergers, divestitures, and product
innovation. One negative identity experience can result in the permanent loss of a customer, resulting in
revenue losses and potential damage to a company’s reputation.

Even though identity is a C-suite imperative, 91% of the identity security decision-makers we surveyed
said budgetary constraints were the primary obstacle to investment; 77% cited “limited executive
sponsorship or focus”. In short – security professionals are failing to communicate the value of identity
security to executive decision-makers within their organization.

Exhibit 3: Constrained budget, limited access to technical talent, and lack of exec sponsorship are the top barriers to crossing horizons

Top barriers overall (% of respondents who selected barrier as top three for any enabler, e.g., tech, talent):
• Constrained budget: 91%
• Limited access to technical talent: 85%
• Limited executive sponsorship / focus: 77%
• Inherited technical debt (e.g., on-prem deployed legacy apps): 72%
• Lack of consideration of impact of org changes on access models: 72%
• Underdeveloped asset & data management capabilities: 66%

Top solution identified by respondents: Build business case with positive ROI

• IAM decision-makers are using business cases to overcome budget constraints and limited executive sponsorship
• Companies will need to build IAM capabilities with legacy integration in mind (e.g., through use of connectors) to properly overcome hurdles introduced by technology debt

Source: Customer survey (IAM/IGA decision maker survey conducted in August ‘23), total N=376

Note: Survey bias adjustment accounting for the share of the vended market not reached by the survey and accounts for respondents that were terminated for not having a
formal IAM program or deploying IAM tools

C-level executives need to understand the advantages of a robust identity security program. Our
research and experience highlight four areas where identity security can drive business value:

• A. Business agility and innovation: A strong identity security program can enable streamlined
customer and partner experiences through simplified onboarding and sign-on. It can also
accelerate organizational change, such as mergers or divestitures, by as much as 30% through
quicker integration of identities, applications, data, and infrastructure. [1] Furthermore, it can
democratize and enable quick experimentation with data, accelerating development of analytics
& AI use-cases and enabling decentralized, agile decision-making – increasing the precision and
speed at which organizations can innovate.
• B. Advancement of tech and organizational initiatives: Identity security capabilities can speed up
and de-risk major technology transformations and modernization efforts such as cloud migrations
by standardizing and accelerating infrastructure provisioning, contractor onboarding, workload
migration, security testing, and product integration. By implementing a centralized identity
governance solution, for instance, a large Fortune 50 technology company was able to streamline
their cloud migration process and securely onboard 120 applications within just 12 months. By
establishing security controls and governance early in the process, the company reduced post-
migration delays and costs, which typically arise from re-establishing identity and access control
policies, while ultimately leading to a faster return on investment.
• C. Efficiency gains: Streamlined and automated identity governance processes, such as access
provisioning, reviews, and certification, can reduce opportunities for human error and relieve
burdens on IT. They can also decrease the amount of time frontline managers spend on compliance
(reducing time spent on access certifications by 80% in some cases [2]). These efficiency gains will
continue to grow with adoption of advanced capabilities such as AI-enabled, self-service portals
that can utilize peer group analysis and identity attributes to automatically fulfill user access
requests or flag them for further review.
• D. Risk reduction and compliance enablement: 90% of organizations experienced an identity-related
incident in the past year. [3] Stopping just a single significant breach can be worth hundreds of millions
of dollars in lost revenue and regulatory fines. The cost is more than just money spent: consumer
and partner trust can be severely impacted by a single breach. IP theft and loss of competitive advantage
are further impacts seen with nation-state actors. Foundational identity security capabilities
accelerate incident response, prevent bad actors from authenticating into internal systems, and
limit excessive access rights for employees – which our survey respondents selected as the most
common security deficiency enabling breaches. More advanced, AI-driven capabilities continuously
monitor user activity, detect unusual behavior, alert security teams to potential attacks, and enforce
response measures in real-time. They can also reduce the burden of compliance by decreasing the
number and severity of compliance issues through automated logging and report generation.

1. Based on case-study of merger between two US-based healthcare companies
2. Based on SailPoint analysis of customer business value assurance data
3. Based on Identity Defined Security Alliance (IDSA) report: https://www.idsalliance.org/white-paper/2023-trends-in-securing-digital-identities/

Communicating value is just as important as identifying it, which is why most companies indicated that
“building a business case” was the most effective means of overcoming constrained budgets and lack
of executive sponsorship. However, many security professionals tell us they are not sure how best to
design a business case to garner executive support. In most cases, we recommend a five-step process:

1. Identify an executive-level advocate to support the business case and help align it to strategic
objectives. Successful identity programs have a business champion with conviction and support to
drive the program.
2. Assess the current state and needs. The identity team should make a clear-eyed evaluation of
identity security maturity, associated and industry-specific risks, and potential business impacts.
They should also assess compliance, IT, end-user and security concerns, such as failed audit
controls and over-privileged users, to identify areas needing improvement.
3. Evaluate opportunities. A clear business case should include all costs including human resources,
software, and external support, and the value that can be captured. This value can be framed
around improved business agility, advancement of technology or organizational initiatives, reduced
risk, and/or increased efficiency.
4. Draft an actionable implementation plan. The team should develop a phased plan with a clear
timeline and milestones for tracking progress, identifying the necessary resources including
personnel, funding, and technology.
5. Deliver the business case to senior leadership. The team should deliver the case in non-technical
language to help business leaders gain a clear understanding of return on investment (ROI).

While most senior executives are aware that identity security is important, they often think of identity
security as a technology issue without understanding how it can impact their own agendas. We have
seen identity advocates build executive engagement by tailoring their messaging to the agendas of the
decision-makers they are trying to move. A CEO, for instance, might be engaged by highlighting how
investing in identity can accelerate product innovation by speeding time to market for new products.
The CFO, on the other hand, might want to see how investing in identity security can ensure the proper
segregation of duties to prevent fraud. And the Chief Data Officer & Chief Privacy Officer might benefit
from understanding how digital identity technologies support data-driven marketing, enhance data
visibility, and boost compliance with privacy regulations. In light of the increasing prevalence of AI
adoption, organizations are also poised to designate AI champions who will seek to understand the
transformative capabilities of AI-enabled identity security while safeguarding against potential risks—an
intricate balancing act that presents both substantial challenges and opportunities. This personalized
approach significantly increases the likelihood of executive buy-in and support for identity security
initiatives.

Exhibit 4: Engaging the C-Suite by aligning investments with business strategy

Identify a champion and engage with executives

Columns: Value drivers (identify stakeholders against value drivers and organization priorities); Key decision makers [1] (engage in topline business impact conversations); Data points to start a conversation on identity business values (to be highlighted during conversations with executive and stakeholders)

A. Business agility and innovation
• Time to market. Key decision makers: CEO, CFO/CAO, CTO, Business Leaders. Data point: 3-6 month faster time to market by reducing inefficiencies in the product development process through streamlining identity security [2]
• M&A. Key decision makers: CEO, CFO/CAO, CIO. Data point: ~20-30% faster IT integration / separation during mergers and divestitures when a company has foundational identity security capabilities, which enables them to more quickly integrate or carve out identities and related system access [3]

B. Advancement of tech and organizational initiatives
• Digital transformation. Key decision makers: CIO, CTO. Data point: ~10-15% greater efficiency in project timelines and budget during digital transformations and cloud migrations by reducing friction in identity management [2]
• AI adoption. Key decision makers: CIO, CTO, CPO/CDO (Privacy & Data), AI Champ. Data point: ~54% of organizations have adopted AI in at least one business function with 53% indicating cybersecurity concerns as the top risk to mitigate [4]

C. Risk reduction and compliance enablement
• Security incident. Key decision makers: CISO, CRO (Risk), CPO/CDO (Privacy & Data), Business Leaders. Data point: 90% of organizations reported an identity-related breach in 2022 (7% YoY increase) [5]
• Breach costs. Key decision makers: CFO/CAO, CTO, CISO. Data point: 15% increase in the average cost of a data breach over the last 3 years, with the global average now standing at $4.45 million [6]

D. Efficiency gains
• IT cost savings (via automation). Key decision makers: CFO/CAO, CIO, CISO. Data point: 55% of companies rely on manual processes for user access. Automating self-service access requests saved a process manufacturer $1M in one year on IT operations [7]
• Productivity. Key decision makers: CISO, CRO (Risk), Head of HR, Business Leaders. Data point: ~80% reduction in average completion time for user access certification campaigns, decreasing from 3 months to 3 weeks (~45 mins per user per year to ~9 mins per user per year), enabling frontline managers to spend more time on revenue generating activities rather than compliance [8]

Notes:
1. Personas include Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Information Officer (CIO), Chief Technology Officer (CTO), Chief Privacy Officer (CPO), Chief Risk Officer (CRO), Chief Data Officer (CDO), Chief Accounting Officer (CAO); AI champion (AI champ.); Business Leaders; Head of HR
2. Case study of a large US-based financial institution (2022)
3. Case study of US-based merger in the healthcare insurance sector
4. McKinsey Global Survey: The State of AI in 2023
5. Verizon Data Breach Investigations Report; 2023
6. IBM Cost of a Data Breach 2023
7. SailPoint: Identity is the Zero Trust Keystone, 2021
8. SailPoint BVA Data

The benefits of a well-conceived identity program can be substantial. For example, we found that
companies can experience 3-6 months faster time to market for new products when they streamline
their identity security, [4] and that a robust IGA solution can help companies reduce completion time for
certification campaigns from ~45 minutes per user per year to ~9 minutes per user per year. [5]

Although external metrics such as these are useful to initially engage a champion and spur executive
interest, a strong business case needs to contextualize and quantify value more thoroughly. Common
identity security ROI metrics to consider include return on security spending, cost savings, improvement
in control performance, increase in business partner retention, acceleration of time to market, and
reduction in manual help-desk support.
4. Based on case study of large US bank
5. Based on SailPoint analysis of customer business value assurance data

Examples of value quantification

~$1M+ in annual cost savings can be achieved through automation of governance processes
An international retail company with 10,000 employees was struggling with an inefficient provisioning process, specifically around access requests. On average, each access request required ~30-60 minutes of manual labor to address. The process was not only time consuming but also error prone, leading to inconsistent access and potential security risks. Through the implementation of an advanced identity solution to automate the process, the company achieved more than $1M in reduced operational costs and even more in reduced security risk.
Value is quantified based on an average of 30,000 user access updates per year, with each request taking around 30-60 minutes to complete manually. Automating these access requests therefore results in an average of 20,000 hours saved per year (equivalent of ~2,500 working days) for IT operations staff, which we tie to a dollar amount by assuming an average IT operations FTE salary of $100,000 per year. Note: FTE calculations assume an average of 250 days worked per year.

~$2M+ additional annual revenue unlocked through improved TTM and developer productivity
A technology company encountered difficulties in effectively managing user access and identities throughout the software development lifecycle, which resulted in operational inefficiencies, increased security vulnerabilities, and reduced developer productivity. By implementing an advanced identity management solution, they managed to streamline access control, mitigate the need for post-development security retrofits, and significantly improve overall operational efficiency.
Value is quantified based on assuming 20 developers earning $150k each annually and developer productivity increasing by 15% through integrating the identity management solution, saving $450,000 yearly in productive hours. Additionally, accelerating time to market by 15% (enabled through increased developer productivity) results in an additional $1.5M in annual revenue (assuming average time to market of 12 months before streamlining identity security, and one new product release per year on average with average annual revenue of $10M). Note: FTE calculations assume an average of 250 days worked per year.

~$500K cost savings can be achieved from reduction in P4 identity related incidents
A financial services firm faced a substantial number of low-priority identity-related incidents, such as unauthorized access attempts or failed login attempts, which were consuming IT resources to address. However, following the successful implementation of an identity solution, they achieved a 50% reduction in Priority 4 incidents, resulting in $500,000 in annual savings.
Value is quantified based on the reduction in P4 identity-related incidents, from an initial 10,000 incidents to around 5,000 incidents annually, with each incident incurring an average cost of $100 for resolution.

$3.6M+ in annual productivity gains through automated certification campaigns and accelerated access provisioning
Before implementing an advanced identity solution, a utilities company with 15,000 employees spent a significant amount of time on IAM. On average, a manager dedicated one day every quarter to conducting certification reviews, and new employees had to wait up to one week to be provisioned access. With the implementation of an identity solution, provisioning time was reduced to a single day, and certification processes were automated. This enabled managers to allocate their time more strategically and enabled employee productivity from day one. Additionally, the automation of access reviews mitigated the risk of human error, improving overall security.
Value is quantified based on approximately 1,500 managers, each with an average annual compensation of $150,000 saving 4 working days per year. Additionally, the productivity gain takes into account a 10% standard employee turnover rate, where the average annual salary is $50,000 and a 4-day productivity improvement from accelerated onboarding. Note: FTE calculations assume an average of 250 days worked per year.

15% faster cloud migration, unlocking ~1.5M+ annually in productivity gains
A regional bank, in the process of migrating 75% of their workloads to the cloud, was experiencing friction when provisioning access to cloud resources. Several factors contributed to this including a complex access request process, manual ticket-based systems, and inadequate visibility into user access across the cloud environment. By implementing an advanced identity solution and cloud FinOps practices, they managed to streamline access provisioning from 10+ days to <24 hours per workload while enhancing both cloud governance and cloud operational efficiency during the migration, achieving over $1.5M in annual cost savings.
Value is quantified based on reducing access provisioning for approximately 400 workloads from 10 days to less than 24 hours, saving ~3,600 days of lost productivity. Assuming an annual engineer salary of $100k per FTE, this equates to $1.5M in annual savings (for the duration of the migration). Note: FTE calculations assume an average of 250 days worked per year.

>$3M+ saved by preventing ransomware payment through robust identity security
By deploying a robust identity security solution, a transportation company detected and prevented a threat actor’s attempt to exploit Active Directory misconfigurations for a privilege escalation attack - a technique often used by ransomware threat actors. As a result, the organization saved themselves from incurring substantial expenses, including those related to ransom payments, digital forensics, incident response, business interruptions, restoration/recovery efforts, legal expenditures, and potential privacy-related costs associated with data exfiltration.
Note: Ransomware costs vary significantly depending on the nature of the attack and the organization’s specific circumstances. The reported figure of over $3 million assumes an average ransomware payment of $1.45 million and a recovery cost of $1.82 million (as reported in Sophos: The State of Ransomware 2023 report). These costs do not encompass expenses related to lost business or revenue, legal expenditures, or potentially privacy-related costs associated with data exfiltration - which are often significantly greater.

15% increase in partner-generated revenue through improved user experience
An insurance company struggled with the challenges posed by their legacy and homegrown IAM systems, which led to a cumbersome identity management experience for their business partners including brokers and agents. By modernizing their identity system, the company was able to not only improve their security posture but also drive front line experience and productivity for business partners, improving business partner experience and top-line revenue.
Value is quantified by evaluating the success rates of brokers and agents before and after the implementation of advanced identity management solutions. Companies looking to build a similar business case can leverage metrics on partner usage and conversion rates as well as interviews with partners to make assumptions about the impact of a streamlined identity experience on partner success (and, by extension, on top-line revenue).

25% faster integration of systems during M&A
A healthcare company focused on inorganic growth was facing challenges when it came to onboarding new identities, applications, and data from acquired companies. Prolonged onboarding and disparate identity systems caused inefficiencies, operational disruptions, and data consolidation difficulties. The implementation of an identity management solution expedited the integration process by creating a single source of truth for all identities & applications, centralizing access provisioning, simplifying management of AD groups, and improving data visibility & governance.
Note: Integration timelines and complexities can vary based on the specific circumstances of each merger and acquisition, including the size of the organizations involved, the complexity and maturity of their existing IT environments, and their readiness for integration. This value is quantified by evaluating the time to integrate new identities, data, and applications before and after implementing an identity management solution (30+ days vs <20 days on average). Note that a strong identity solution also simplifies the tech/cyber diligence process and increases the chance of a successful merger (70% of M&A are unsuccessful according to a recent Harvard Business Review report).

Exhibit 5:
Demonstrating ROI to the C-Suite

Value drivers: Determine types of value that the opportunity will unlock
Inputs & assumptions: Gather data points needed to quantify value
Value quantification: Quantify time / cost saved and revenue enabled - will ultimately feed ROI calculation

A. Business agility and innovation

Time to market (TTM)
Inputs & assumptions:
• Average wait time / delays by engineering on access related issues during software development process
• Average per day cost of delay on product launch
Value quantification:
Value from faster TTM = Average cost savings due to faster product development cycles + cost savings on software developer productivity + opportunity cost savings as products have a faster time to market
Quick win: implement identity security capabilities within heavy product development and engineering functions to achieve 20-30% improved TTM in 3-6 months

M&A / divestiture
Inputs & assumptions:
• # of identities and applications to be integrated/separated
• Average time to onboard user post M&A (and associated cost)
• Average cost to service access related TSA requirements in M&A
Value quantification:
Value from improved integration = Gain in productivity due to reduction in avg. time to integrate employees in merged entity + cost savings in system integration by resolving identity related requirements + cost savings in reducing redundant access related service delivery cost

Customer / business partner and user experience
Inputs & assumptions:
• Average time to onboard new customer or partner
• Lead time to get full system access for business partner productivity
• Login success rate
• # of user support requests
• Customer feedback scores
Value quantification:
Note: This approach will vary by context. Post-investment analysis will provide more granular details into customer retention. Example below
Improvement in business partner retention: decrease in partner onboarding time & improvement in customer or partner feedback scores
Quick win: Develop and implement phased rollout plan starting with high-value business partners

B. Advancement of tech and organizational initiatives

Technology transfers (e.g., cloud migration)
Inputs & assumptions:
• # of cloud workloads / applications to be migrated
• Average time to provision infrastructure access for cloud environment vs. expected time to provision after investment
• Cost of labor
Value quantification:
Cloud gov. cost savings = (average manual vs. automated provisioning time) × # workloads (or apps) × labor cost
Quick win: Integrate identity sec. into top cloud patterns to immediately accelerate deployment by 10-15%

C. Risk reduction and compliance enablement

Breach costs
Inputs & assumptions:
• Probability of a breach (likelihood determined based on industry, historical analysis, company maturity)
• Average cost of a breach (including direct and indirect costs)
Value quantification:
Annual savings on breach costs = (probability of a breach) × (average cost of a breach)
Cost of a breach includes direct costs + indirect costs + legal and regulatory costs

Compliance cost
Inputs & assumptions:
• Existing # of identity-related compliance issues
• Average cost to address compliance issue (e.g. manpower × time × cost of labor)
• Expected annual # of identity-related compliance issues post investment
Value quantification:
Annual savings on compliance costs = (annual # of identity-related compliance issues × average cost to address) - (expected annual # of identity-related compliance issues post investment × average cost to address)
Productivity gain = average time value saved by front line managers by optimizing time spent on compliance related tasks
Quick win: Conduct rapid assessment of historical compliance issues to determine prioritization of deficiencies to address (e.g. improper SoD configuration, access overprovisioning)

Security operations (monitoring & response) cost
Inputs & assumptions:
• Existing # of identity-related incident tickets (by severity) and avg. cost to address
• Expected # of identity-related incident tickets (by severity) post investment and avg. cost to address
• # of false positives
Value quantification:
Annual savings on incident response = (annual # of identity-related security incidents × avg. cost to address) - (expected annual # of identity-related security incidents post investment × avg. cost to address post investment)
Quick win: implement automated policy rules to detect and respond to top P4 incidents resulting in immediate 25-50% reduction of incidents

D. Efficiency gains

IT cost savings (via automation)
Inputs & assumptions:
• Average # of access requests per month / Average time spent on each request / Average wait time for FTEs to get full access
• Cost of labor
• Expected time spent on each request post investment
Value quantification:
Operations efficiency gain = (average time spent pre vs. post automation) × average # of AR’s × labor costs
Employee productivity gain: Average gain in worker productivity by reducing system onboarding and access time
Quick win: consolidate IAM requests into a single interface to evaluate AR requirements, identifying opportunities for simplification and automation across applications with highest ticket volume resulting in immediate 30-50% reduction on time spent

These types of calculations can make the benefits of an identity security investment tangible. Ultimately,
the assumptions the team makes and the methods it uses to communicate the business case must be
tailored to the company’s context.

Contact SailPoint and Accenture to help craft a tailored business case for your
identity security program.

Chapter 3:
Where companies are in their journeys

The SailPoint Horizons maturity framework
As mentioned earlier, SailPoint has defined a framework for categorizing identity security programs into five maturity horizons. An organization’s horizon is determined by its maturity in each of the four enablement areas: its strategy, technology & tools, operating model, and talent.

Exhibit 6:
Companies going through a journey to achieve the future vision of identity generally fall across 5 horizons

Horizon 1: Fragmented identity experience across organization
• Identity is not a focus
• Lack of organization-wide identity strategy
• Identity capabilities are highly immature
• May have some legacy IT tools to support user access management but missing any identity technologies
• Missing any operating model to organize teams and manage all forms of identities across the organization

Horizon 2: Started on identity management but mostly manual
• Identity program gets some attention but low adoption and mostly tactical response to some external stress; e.g. compliance, security breach, or business transformation
• Started purchasing some identity tools but low adoption
• Capabilities are highly manual and basic
• Centralized IAM function, but primarily focused on fulfillment of service tickets
• Identity team mainly composed of helpdesk, with dedicated IT team maintaining tools

Horizon 3: Digitalized at-scale identity management
• Identity program gets digitalized, scaled, and gains wider adoption across the organization
• Identity strategy is paired with metrics to measure business value impact
• Identity capabilities gain wider organizational adoption with some level of automation and identity extending to cloud and data governance
• Centralized operating model organized around capabilities tied to specific tools (e.g. access management, IGA, etc.)
• Tool centric identity team driving implementation and maintenance (e.g. SP engineers)

Horizon 4: Advanced digital tools and predictive use cases
• Identity program becomes a strategic enabler for business transformation, innovation, security resilience
• Highly automated capabilities with AI driving decisions based on risk estimations
• Capabilities span across most identities (workforce, business network) and environments (data, cloud, APIs)
• Product driven operating model (i.e. centered around capabilities but tool agnostic), agile teams with clear product ownership
• Identity team dedicated to identity innovation (i.e. Data scientist/ML specialist/identity researchers) doing primary research and analysis, recognized as identity thought leaders

Horizon 5: Extended and unified identity
• Blurring boundaries between enterprise identity controls and external identity ecosystem
• IAM strategy is a pillar of broader innovation strategy for the organization
• Technical capabilities support universal ID framework, dynamic trust model, identity integrated with security, frictionless access
• Operating model enables collaboration with ecosystems of other companies, developer communities and institutions
• Leverage support of developer community outside the boundaries of the organization

Maturity scale across the horizons: INSUFFICIENT, FOUNDATIONAL, ADVANCED

To be in one horizon, customer capabilities need to cover most environments and identities

Our research this year evaluated the extent to which companies are actually using their capabilities.
We also asked respondents about the barriers they face when scaling capabilities and the time they
need to do so. Our aim was to obtain a more comprehensive and detailed understanding of where
companies stand today, identify what’s holding them back, and offer insights into how they can
accelerate their journeys to the next maturity horizon.

Many organizations are still at the start of their identity journeys
Comparing the identity landscape between now and 12 months ago, we found that nearly half of the companies we surveyed still have immature identity programs and are struggling to move beyond Horizon 1. However, many Horizon 2 companies have matured to Horizon 3. Although the barriers at the beginning of the identity journey appear to be hardest to overcome, the movement from Horizon 2 to 3 indicates that many companies with manual but centralized identity functions have achieved success in digitizing their identity capabilities.
Exhibit 7:
Many Horizon 2 and Horizon 3 organizations made progress in the last year, but Horizon 1 organizations are stuck

Share of companies in each horizon, 2022 Survey vs. 2023 Survey:
Horizon 1 (Fragmented identity experience across organization): 45% in 2022, 44% in 2023
Horizon 2 (Started on identity management but mostly manual): 29% in 2022, 20% in 2023
Horizon 3 (Digitalized at-scale identity management): 20% in 2022, 29% in 2023
Horizon 4 (Advanced digital tools and predictive use cases): 6% in 2022, 7% in 2023
Horizon 5 (Extended and unified identity): <1% in 2022, <1% in 2023

Most Horizon 2 companies have matured to Horizon 3 (8% jump)
Most companies are stuck in Horizon 1 (44%), indicating that barriers at the beginning of the identity journey are hardest to overcome

Note: Horizon 1 is updated to include the unpenetrated IAM market (who are screened out of later sections of the survey)
Horizon 2 is updated to include those respondents who have Workforce access management, but do not have IGA, PAM, and machine identity capabilities (who are screened out of later sections of the survey)

Source: Customer survey (IAM/IGA decision maker survey conducted in August ‘23), total N=376
Note: Survey bias adjustment accounting for the share of the vended market not reached by the survey and accounts for respondents that were terminated for not having a formal IAM program or deploying IAM tools

In line with overall maturity, individual capability adoption rates vary widely (from 15-90%) depending
on capability complexity and company maturity (e.g., fewer companies have adopted complex
capabilities such as AI-based access recommendations compared to more table stakes capabilities
such as manual access provisioning/de-provisioning). However, coverage of individual capability
across the environment (i.e., identity, data, applications) remains consistent (at 50-70%) regardless of
capability complexity. In other words, if an immature company can break through the initial adoption
barrier to implement an advanced capability, they can achieve similar success in scaling it across
their environment as their more mature counterparts.

Exhibit 8:
Rate of adoption depends on capability complexity, but usage is relatively consistent even for advanced capabilities

Percentage of adopted capabilities vs. average percentage of coverage across applicable identities

It’s all about adoption - capability adoption varies from 15-90% (depending on capability maturity), but capability usage is fairly consistent (50-70%) even for mature capabilities
Immature organizations should prioritize “leapfrogging” to advanced capabilities, while mature orgs can prioritize scaling usage

[Scatter plot. Vertical axis: Coverage of applicable elements (identities, applications, data, and infrastructure), %. Horizontal axis: Adoption rate, %. Series: Horizon 1 Capabilities, Horizon 2 Capabilities, Horizon 3 Capabilities, Horizon 4 Capabilities, Horizon 5 Capabilities.]
Usage remains consistent between 50-70% regardless of capability complexity
Adoption maturity ranges from 15-90% and is directly correlated with capability complexity

Lowest adopted & utilized capabilities include:
C30 ID verification through device biometrics
C28 Behavior based authentication & authorization
C26 Password-less login

Other than budget, talent, and executive sponsorship, the barriers companies face differ depending
on where they stand in their identity journeys. Managing technical debt (e.g., on-prem deployed legacy
apps) and developing product ownership are critical to break the initial Horizon 1 barrier; companies
further along in their journeys typically need to foster cyber cultures and bolster asset and data
management capabilities.

Exhibit 9:
Managing technical debt and developing product ownership are critical to break the initial Horizon 1 barrier

List of barriers whose importance differs significantly by horizon (>10% difference), shown as the % of companies in each horizon that selected the barrier among top 3 to any enabler (e.g. tech, talent):

A
Inherited technical debt (e.g., outdated hardware tools): Horizon 1 81%, Horizon 2 60%, Horizon 3 69%, Horizon 4 75%
Missing product ownership: Horizon 1 73%, Horizon 2 60%, Horizon 3 55%, Horizon 4 61%

B
Underdeveloped asset & data management capabilities: Horizon 1 64%, Horizon 2 80%, Horizon 3 64%, Horizon 4 68%
Underdeveloped cyberculture: Horizon 1 64%, Horizon 2 84%, Horizon 3 58%, Horizon 4 50%

C
Rigid compliance requirements: Horizon 1 46%, Horizon 2 60%, Horizon 3 51%, Horizon 4 68%
Vendor lock-in: Horizon 1 47%, Horizon 2 52%, Horizon 3 45%, Horizon 4 61%

A: Managing technical debt and developing product ownership are critical to breaking through Horizon 1
B: Developing IT asset management capabilities and a cyber culture are critical to maturing to Horizon 3
C: Rigid compliance requirements and vendor lock-in only become top concerns at Horizon 4+

Note: Since “constrained budget” is top barrier across horizons, it does not appear in this figure (which only highlights barriers whose importance differs by horizon)
Source: Customer survey (IAM/IGA decision maker survey conducted in August ‘23), total N=376
Note: Survey bias adjustment accounting for the share of the vended market not reached by the survey and accounts for respondents that were terminated for not having a formal IAM program or deploying IAM tools

After the technology sector, banking & securities and utilities companies tend to have the most
mature identity security programs, driven in part by the need to navigate stringent regulatory
environments.

Manufacturing companies follow closely behind. They, along with utilities companies, have needed to
leverage advanced IAM capabilities to manage the growing complexity of their identity ecosystems
and large attack surfaces spanning IT and OT environments. Many also rely heavily on contractors and
others in the third-party supply chain, and they tend to have a global scale, which requires them to
maintain an extended network of identities and infrastructures.

Exhibit 10:
Technology, banking, and utilities companies have the most advanced identity security programs

Distribution across horizons by industry (Survey, n=239)
Technology: 27% in H1, H2; 73% in H3, H4, H5
Banking & Securities: 29% in H1, H2; 71% in H3, H4, H5
Utilities: 33% in H1, H2; 67% in H3, H4, H5
Healthcare Provider: 44% in H1, H2; 56% in H3, H4, H5
Manufacturing: 45% in H1, H2; 55% in H3, H4, H5
Government: 47% in H1, H2; 53% in H3, H4, H5
Other 1: 60% in H1, H2; 40% in H3, H4, H5
Insurance: 71% in H1, H2; 29% in H3, H4, H5
Legend: H1, H2; H3, H4, H5; Maturity level increased >5% from last year

Chart callouts, in the order they appear beside the bars:
• 87% have access models enabled and 48% use AI driven security 2
• 73% have access models enabled and 47% use AI-driven security 2
• 89% have access models enabled 2; however, industry maturity is driven down by smaller providers with little identity investment

Banking & securities companies have mature identity security programs, likely due to their intense regulatory environments
Utilities, healthcare, and manufacturing have made the largest strides in maturing their identity programs over the last year
Manufacturing & utilities have needed to adopt advanced IAM capabilities given the increasing complexity of their identity ecosystems and large attack surfaces (e.g., high number of contractors, use of IoT, global scale, reliance on third parties)

1 Other industries include Education, Transportation, Telecommunication, Media & Entertainment, Retail & Wholesale
2 Companies using SailPoint identity security solutions. Access models enablement: Companies that have SoD enabled or more than one role per identity. AI-driven security contains AI enablement, Access Insights and advanced authentication

Source: Customer survey (IAM/IGA decision maker survey conducted in August ‘23), total N=376
Note: Survey bias adjustment accounting for the share of the vended market not reached by the survey and accounts for respondents that were terminated for not having a formal IAM program or deploying IAM tools

Among geographies, companies headquartered in North America and Europe lead in identity maturity
overall. Europe, in particular, has had to keep pace with extensive data regulations, explaining the need
to upscale identity security programs. Interestingly, there is a significant variance in maturity across the
APAC region, indicating a polarized focus on identity security in the region. This divergence can likely be
attributed to the diverse regulatory landscape. While countries like Australia, Japan, and Singapore have
well-established and relatively mature regulatory frameworks relating to identity and data security,
several countries in the region are either just beginning to adopt or are in the process of enacting
related regulations for the first time.

Exhibit 11:
Large enterprises lead in identity journeys; North America and Europe are more advanced, while progress in APAC varies

Breakdown of firm sizes by horizon (n=376 1)
Small: H1 55%, H2 16%, H3 25%, H4 4%
Medium: H1 51%, H2 22%, H3 22%, H4 5%
Large: H1 35%, H2 22%, H3 32%, H4 10%
Larger companies tend to be more mature than smaller companies

Breakdown of each region by horizon (n=376 1)
North America: H1 40%, H2 24%, H3 28%, H4 8%, H5 0.4%
EMEA: H1 44%, H2 16%, H3 34%, H4 7%
APAC: H1 60%, H2 10%, H3 21%, H4 8%
EMEA has higher Horizons 3+ representation than NA & APAC
• Stringent data protection requirements (e.g., GDPR) could be a key driver in motivating European orgs to mature their identity security programs

Source: Customer survey (IAM/IGA decision maker survey conducted in August ‘23), total N=376
Note: Survey bias adjustment accounting for the share of the vended market not reached by the survey and accounts for respondents that were terminated for not having a formal IAM program or deploying IAM tools

Adopting best-in-class tools isn’t enough to develop an effective identity program – how and to what extent those tools are deployed is just as important

IAM capabilities typically cover less than 73% of workforce identities – the human identities of
employees and partners – indicating that many companies still have significant value to realize out
of their existing capabilities and that companies need to broaden coverage of IAM capabilities to
mitigate identity risk exposure. A cautious approach of implementing tech capabilities within specific
groups or departments, rather than implementing them holistically across the entire organization,
could contribute to this observed stagnation in usage. If organizations do not enhance their coverage of
identities to match the growing numbers of identities in their environments (expected to grow by 6-10%
over the next three years), this gap will persistently widen, and companies will fall even further behind.

Exhibit 12:
IAM capabilities typically cover less than 73% of workforce identities

[Pictogram of workforce identities 1, one unit = 1%. Legend: Covered by IAM capabilities 2; Not covered by IAM capabilities 2]

27% of workforce identities are currently not governed
5% less coverage at large companies (>5K FTE) compared to medium and small companies (<5K FTE)
Incomplete IAM coverage heightens risk, and this risk is only set to intensify as identities multiply and diversify. Over the next three years, identities are expected to grow by 6%, making it imperative for companies to accelerate the coverage of IAM capabilities to mitigate identity exposure

1 Employees and internal contractors
2 We do not consider capabilities unrelated to workforce identities (e.g., PKI management)

Source: Customer survey (IAM/IGA decision maker survey conducted in August ‘23), total N=376
Note: Survey bias adjustment accounting for the share of the vended market not reached by the survey and accounts for respondents that were terminated for not having a formal IAM program or deploying IAM tools

Coverage only decreases for elements beyond workforce identities, particularly for data, third party
identities, and machine identities. This lack of coverage makes it difficult to address the full breadth
of potential vulnerabilities. Companies should see this as an opportunity to accelerate an integrated
identity program that incorporates other elements beyond workforce identities.

Exhibit 13:
Identity coverage only decreases for elements beyond workforce identities, such as data and applications

Average coverage across identity types, %
Identities - Workforce (employees, contractors): 73% (Overall, identities will grow by 6-10% over next 3 years)
Privileged infrastructure (servers, cloud, endpoints): 69%
Applications: 64%
Data (structured & unstructured): 62%
Identities - Machine (e.g., service accounts): 61% (9% predicted growth over next 3 years)
Identities - 3rd party: 60%

Organizations need to expand their integrated identity programs to encompass a broader spectrum of usage elements
Incremental progress isn’t enough - with AI adoption anticipated to fuel a 9% growth in machine identities and expand the use of structured and unstructured data over the next three years, organizations that don’t improve their coverage by >8% will fall further behind
We see some variation in usage by company maturity (H3+ companies have 8% better overall usage), but limited variation by industry & size

Source: Customer survey (IAM/IGA decision maker survey conducted in August ‘23), total N=376
Note: Survey bias adjustment accounting for the share of the vended market not reached by the survey and accounts for respondents that were terminated for not having a formal IAM program or deploying IAM tools

Companies can scale up and increase capability utilization by leveraging SaaS, AI, and automation
Leveraging SaaS accelerates time to implement and scale IGA capabilities. H4+ companies that use
SaaS save 2.2 months on average when scaling newly adopted capabilities.

Exhibit 14: Companies with SaaS-based IGA solutions scale IGA capabilities 20% faster

Average time to scale an IGA capability, in months (H4+ company)

On-prem: 11.9 months
SaaS: 9.7 months
19%: ~2.2 months faster using SaaS

Companies can scale IGA capabilities ~20% faster if they adopt SaaS tooling.

Source: Customer survey (IAM/IGA decision maker survey conducted in August ‘23), total N=376
Note: Survey bias adjustment accounting for the share of the vended market not reached by the survey and accounts for respondents that were terminated for not having a formal IAM program or deploying IAM tools

An even stronger effect can be observed for companies that have enabled AI. Investing in an identity
platform leveraging automation and AI enables companies to scale 19% faster through time saved on
resource intensive and manual processes. These benefits only increase with maturity – H4+ companies
that have enabled AI in their identity security platforms save more than five months per capability and
scale 37% faster on average.

Exhibit 15: Investing in an identity platform leveraging automation and AI enables companies to scale
identity-related capabilities up to 37% faster

Time to scale an IGA capability by a company in the respective horizon, in months

Horizon 3 company: 12.7 without AI enablement for identity security; 10.3 with some AI enablement for identity security (1); 19% faster
Horizon 4+ company: 15.2 without AI enablement for identity security; 9.5 with some AI enablement for identity security (1); 37% faster

H3+ companies that adopted AI enabled identity security platform were able to scale 2+ months faster
through time saved on resource intensive manual operational processes.

These benefits only increase with maturity, with H4+ companies saving 5+ months (37%) on average.

(1) AI enablement includes 1) automated AI based access models for separation of duties and access
controls and 2) automated AI based access reviews, recertification & provisioning

Source: Customer survey (IAM/IGA decision maker survey conducted in August ‘23), total N=376
Note: Survey bias adjustment accounting for the share of the vended market not reached by the survey and accounts for respondents that were terminated for not having a formal IAM program or deploying IAM tools


Chapter 4: How leading companies have built mature identity programs

Accenture delivered on its cloud-first mandate by modernizing its legacy on-premises IAM
infrastructure and is in the process of leveraging AI to further enhance operational efficiencies and
reduce security risks. Spanning across 120 countries with a workforce of over 700,000 employees,
Accenture faced challenges with a sprawling, multi-cloud system that had rendered its legacy on-
prem IAM tools obsolete and made it difficult to manage identities consistently across the IT landscape.
To address this, Accenture is replacing on-prem directories with a consolidated Azure AD solution
and integrated SailPoint with access request platforms throughout the organization. This strategic
transformation has not only improved user experience and operational efficiency but significantly
reduced costs and freed helpdesk staff to focus on other strategic areas relating to identity security.

30% reduction in help desk requests
Global standardization across 120 countries and 70,000 employees
Obsolete on-prem IAM tools replaced, improving operational efficiency, user experience, and security

Trane Technologies unlocked efficiency in a complex identity landscape: With 48,000 employees and
a diverse user base comprising employees, partners, and customers, Trane Technologies faced the
challenge of providing secure access while rapidly deploying new applications and features across its
business. To address this, Trane deployed SailPoint Identity Security Cloud and SailPoint SaaS Workflows,
delivering a cloud-based identity governance and administration solution to securely scale to serve
over 100,000 users. This transformative solution reduced manual support tickets from 100,000 to 60,000
per year, enabled cloud-based provisioning, and automated workflows, which allowed the company to
innovate faster with fewer scripting requirements. With AI-driven identity security, Trane hopes to further
automate identity management and access control requests and even predict them in advance.

100K+ identities managed (including employees, customers, and partners)
2K+ identity-related workflows automated
40% reduction in manually provisioned support tickets


Chapter 5: SailPoint and Accenture recommendations: Your path to the next horizon

Nearly every company should aspire to reach Horizon 4 to earn the greatest returns on its investments.
But investing in advanced tools isn’t enough – companies need holistic identity management programs
that encompass on-premises, cloud, SaaS, data, third parties, machines, and API.

The first step in this journey should be developing a strong business case that addresses budget
constraints and generates executive buy-in. This can be accomplished through five steps:

1. Identify an executive-level advocate to support the business case and align it to strategic objectives
2. Assess the current state and program needs
3. Evaluate the opportunity, and quantify the value to be gained from improved business agility,
advancement of technology initiatives, reduction in risk, and efficiency improvement
4. Draft an implementation plan with a clear timeline, milestones, measurable outcomes, and
resourcing proposal
5. Deliver the business case to senior leadership

For organizations at the start of their identity journeys looking to evaluate the cost savings they
could receive from implementing an identity governance program, please use SailPoint’s online tool at
www.sailpoint.com/identity-library/identity-value-calculator/

To see where you are in your identity security maturity journey, how your usage compares to peers,
recommendations based on barriers your organization is facing, and an overview of the business value
investing in identity can provide, please use SailPoint’s online adoption assessment tool at
www.sailpoint.com/identity-security-adoption/


Chapter 6: Bringing it all together to capture the value of identity

Companies need to invest in their identity programs to keep up with rapidly changing technology
ecosystems and threat landscapes. However, many identity security programs are blocked by
constrained budgets and struggle to earn buy-in from executive decision-makers. Identity sponsors
can overcome constrained budgets and limited executive sponsorship through clear business
cases highlighting how identity can improve business agility, enable technical and organizational
transformations, reduce risk, and increase efficiency of IT operations.

To help develop a tailored business case, craft a transformation roadmap, or augment technical and
organizational deficiencies as you kickstart your journey, reach out to us.

www.sailpoint.com

www.accenture.com

This report was published as part of a strategic partnership between SailPoint and Accenture –
read more about this partnership.


Appendix

Approach and methodology
The insights in this report are based on an August 2023 survey of over 375 cybersecurity executives
across North America, Latin America, Asia, and Europe, supplemented with interviews of experts with IAM
experience.

Exhibit 16: Recap: We surveyed 376 IAM decision makers from across the globe

Geo headquarter breakdown (n=376), map values: 26%, 12%, 61%, 1%

Firm size breakdown (n=376)
Small (<2.5K FTE): 34%
Medium (2.5K-5K FTE): 11%
Large (>5K FTE): 55%

Decision makers include (n=376)
CIO: 20%
CISO: 20%
IT Executive -1 manager: 14%
Director/Head/VP of Information Technology: 14%
CTO: 12%
Other Director/Head/VP: 12%
Director/Head/VP of Information Security / Engineering: 5%
Director of Identity and Access Mgmt. (IAM): 3%

Respondents came from these industries…
Technology: 18%
Banking & Securities: 17%
Healthcare: 13%
Manufacturing: 13%
Retail & Wholesale: 9%
Insurance: 7%
Government: 6%
Education: 5%
Transportation: 3%
Telecom: 3%

Comparisons made to the 2022 report throughout are based on similar sample size and related
demographic split. This survey asked several questions that stayed the same as in last year’s survey in
order to classify companies into horizons using the same methodology as last year.

Along with these questions, the 2023 survey tested 37 capabilities on their adoption and usage across
identity types, data, applications, and infrastructure. We further asked about barriers companies faced
as well as time to scale adopted capabilities.

In addition, Accenture provided expert perspectives and data insights based on their broad client
experience to inform this report.

Sources leveraged
White House National Cyber Strategy: https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf

European Digital Identity Wallet: https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/european-digital-identity_en

Google AI Tool: https://workspace.google.com/blog/identity-and-security/accelerating-zero-trust-and-digital-sovereignty-ai

FIDO Alliance: https://fidoalliance.org/tech-target-why-2023-is-the-year-of-passwordless-authentication/

Cloud-related EBITDA: https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/three-big-moves-that-can-decide-a-financial-institutions-future-in-the-cloud

SEC Mandatory Breach Reporting: https://www.sec.gov/news/press-release/2023-139

Biometrics Risks: https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-warns-about-misuses-biometric-information-harm-consumers

Zero Trust Strategy: https://dodcio.defense.gov/Portals/0/Documents/Library/DoD-ZTStrategy.pdf

AI and IR / Digital Forensics: https://www.techrepublic.com/article/digital-forensics-incident-response-most-common-dfir-incidents/

90% of organizations experienced an identity-related incident: https://www.idsalliance.org/white-paper/2023-trends-in-securing-digital-identities/

Select Case Studies: https://www.sailpoint.com/identity-library/building-a-business-case-for-identity-security/

About SailPoint
SailPoint is the leading provider of identity security for the modern enterprise. Enterprise security
starts and ends with identities and their access, yet the ability to manage and secure identities today
has moved well beyond human capacity. Using a foundation of artificial intelligence and machine
learning, the SailPoint Identity Security Platform delivers the right level of access to the right identities
and resources at the right time—matching the scale, velocity, and environmental needs of today’s
cloud-oriented enterprise. Our intelligent, autonomous, and integrated solutions put identity security
at the core of digital business operations, enabling even the most complex organizations across the
globe to build a security foundation capable of defending against today’s most pressing threats.

©2023 SailPoint Technologies, Inc. All rights reserved. SailPoint, the SailPoint logo and all techniques are trademarks
or registered trademarks of SailPoint Technologies, Inc. in the U.S. and/or other countries. All other products or
services are trademarks of their respective companies.
sailpoint.com
SP2336-2310
