Over 95 per cent of identity and security leaders now say identity security is core to their strategy. A decade ago, this wasn’t even part of the conversation. The awareness is there, but awareness alone isn’t enough. Many organisations feel secure, yet the metrics they track often tell a different story. 

In this episode of Security Strategist, EM360Tech’s Trisha Pillay sits down with Craig Ramsay, Senior Field Strategist, and Rod Simmons, VP of Product Strategy at Omada, to unpack the State of Identity Governance 2026 report. Together, they explore why confidence in identity security doesn’t always equal true protection and how AI, non-human identities, and fragmented systems are changing the rules.

Bridging the Gap Between Perception and Reality

Many organisations focus on operational metrics that are easy to measure: provisioning speed, audit readiness, and compliance. These give a sense of efficiency but not necessarily security. Simmons explains: “We can provision identities faster, but that doesn’t tell us about inherent risks. Orphaned accounts, dormant privileges, unmanaged access—these risks often go unseen.”

Ramsay adds, “It’s like home security. You might feel confident, but when was the last time you checked your back door?”

The survey revealed a clear disconnect: strategic awareness exists, but organisations are not always measuring the right things. Security leaders should not only track completed tasks, but they must also understand where risk accumulates and how quickly they can respond to incidents. Risk-based metrics, rather than activity-based metrics, are the key to true governance.

Zero Trust and the Challenge of Integration

Almost every organisation reports adopting Zero Trust principles. The execution often falls short. Policies may exist in pockets, but full implementation requires connected systems that can share signals in real time. Without this integration, Zero Trust becomes a concept rather than a functioning model.

Rod highlights the issue: “It’s one thing to want continuous evaluation, but another to have systems that actually support it. Shared signal frameworks are essential for consistent enforcement across the enterprise.” Until Zero Trust principles are fully integrated across all platforms, access control and identity governance will remain reactive rather than proactive.

Non-Human Identities, AI, and the New Frontline

Identity is no longer just about people. Non-human identities, but API keys, service accounts, and AI agents, are multiplying at unprecedented rates. Some organisations see 150 non-human identities for every human. These identities act autonomously, persistently, and at scale. Simmons explains the challenge: “With human identities, we ask what access they have. With non-human identities, we ask what they can do, and what they’ve done.”

Ramsay adds a crucial reminder: “Artificial intelligence still needs an accountable individual. Human oversight is essential, even as AI agents scale and operate independently.”

These agents create both risk and opportunity. They can automate governance, improve provisioning, and flag anomalies—but without proper visibility and ownership, they become a blind spot. Over 40 per cent of surveyed organisations admitted their AI agents still use static credentials, a simple but serious vulnerability.

One thing is for sure: you cannot govern what you cannot see. Visibility is the foundation. Only once organisations know what exists, who owns it, and how it behaves can they secure identities, human and non-human alike, effectively.

Identity security is no longer a back-office concern—it’s strategic. Organisations must move from confidence to proof, from operational reporting to risk measurement, and from fragmented controls to integrated governance. AI and non-human identities are not just a challenge; they are an opportunity to rethink how identity security can truly enable business, not just protect it.

For more insights on effective identity governance strategies, check out Omada's State of Identity Governance 2026 Report.

Takeaways

  • Over 95 per cent of security leaders now see identity as a core strategy. Identity isn’t optional anymore.
  • Feeling secure doesn’t equal being secure. Many organisations track efficiency, not actual risk.
  • Non-human identities are multiplying fast. 
  • Zero Trust adoption is growing, but integration gaps remain. 
  • AI in identity governance works, but always keep a human in the loop.