Enterprise security teams have invested billions in identity security infrastructure over the past decade, building sophisticated systems to manage access and monitor risk. But when it comes to executing identity processes and decisions, our latest research reveals that 96% of organizations still rely on manual workflows.
Our 2025 Identity Automation Gap research report—based on input from close to 600 IT and security leaders—exposes and quantifies this automation gap. The findings are clear. Automation, where it exists, is the exception rather than the standard.
From a dashboard perspective, identity security and governance appear mature and well-controlled. Many organizations have rolled out single sign-on (SSO) and multi-factor authentication (MFA) across core systems, deployed comprehensive password management solutions, and begun implementing zero trust policy.
Despite these foundational technology investments, the last mile of identity security—the handoff from policy to practice—still runs on human error.
Our study found that fewer than 4% of organizations have fully automated their core identity workflows. The remaining 96% are dependent on human-centric processes that are difficult to scale, prone to error, and inherently risky.
Critical access decisions still happen through email threads and spreadsheet updates. Our research reveals the scope of manual processes that persist across the enterprise:
Advanced tools manage only a subset of the environment. Manual processes handle the rest. The result is fragmented visibility, inconsistent enforcement, and security controls that work where applied—but leave blind spots elsewhere. At the root of the issue is a technical mismatch: most IAM tools are built for standards-compliant apps, but enterprise environments are filled with disconnected apps – those that don’t support protocols like SAML, SCIM, or OAuth. As a result, even the most sophisticated identity programs end up relying on brittle, ad hoc workarounds for a growing portion of their app ecosystem.
A fundamental mismatch between how identity platforms were built and how enterprise environments operate is responsible for this gap in automation. Traditional identity tools were built for a homogeneous world, where all applications could be expected to support standard protocols such as SAML, SCIM, or OIDC.
In reality, enterprise application environments span SaaS, mobile, cloud-native, and legacy on-premises systems that don’t integrate with standard identity protocols. These disconnected apps dominate the enterprise landscape and often contain the most sensitive data.
What started as a manageable collection of edge cases has evolved into a parallel identity ecosystem that operates largely outside centralized control.
According to Ponemon, 52% of enterprises have experienced a security breach caused by manual identity work in disconnected applications. Attempting to solve this issue with custom integrations fails at scale. It is for this very reason that organizations default to manual security processes that ultimately undermine their security investments.
Manual identity workflows lead to real security, compliance, and operational incidents across enterprises. Four out of five organizations have experienced an incident due to manual execution, or know they’re vulnerable.
One of the most persistent and dangerous areas where the automation gap exists is in user deprovisioning. Our research found that 58% of teams say former employees have retained access to systems after leaving the organization. Another 23% aren’t sure because they lack the visibility to confirm.
This uncertainty creates an impossible security position. Organizations can’t effectively manage risk when they don’t know who has access to their systems. Every retained access credential represents a potential pathway for unauthorized access.
The current approach—building sophisticated tools for standards-compliant applications while accepting manual processes for everything else—has reached its limits. As applications modernize, the automation gap won’t resolve itself through traditional methods.
Instead of waiting for all applications to support SAML or SCIM, forward-thinking organizations are exploring identity automation models that can extend automated control to any application—regardless of its integration capabilities.
This shift requires moving beyond a fragmented set of point solutions and toward platforms that bridge the gap between centralized identity policy and distributed execution. The goal: bring consistency, automation, and visibility into the parts of your stack where manual processes are still the default—and where the risk is greatest.
Most organizations underestimate the scale of their application sprawl and shadow IT—especially when it comes to disconnected apps. While IT teams tend to focus on integrating core systems, business units often adopt tools that fall outside centralized identity governance. In fact, our research shows that 21% of apps are managed without any IT involvement. Gaining clear, documented visibility into what’s actually in use is the first step toward closing identity gaps.
Next, map where manual identity processes introduce the greatest risk—this is where the automation gap becomes most visible. Prioritize workflows that create compliance exposure, operational drag, or security vulnerabilities. These are the areas where automation will drive the biggest return and reduce the most friction.
Look for solutions that don’t require a rip-and-replace approach, but instead integrate seamlessly with your current identity stack. The goal is to extend your policies and controls to apps that aren’t standards-compliant—without introducing more complexity. Modern platforms can help bridge this gap by automating identity actions across disconnected applications, unlocking full coverage without sacrificing simplicity.
AI agents represent one solution that organizations are exploring to accelerate and automate identity workflows, though 78% of security professionals don't trust fully autonomous execution. Still, 45% express openness to a collaborative, human-in-the-loop approach that matches an organization’s architecture rather than forcing structural change.
Our research makes clear that identity automation remains missing exactly where it matters most. Manual execution continues as the default, yet automation has become a foundational requirement for securing the identity layer at scale.
Nearly half of our respondents identified extending automation across more applications and workflows as the single most important step they could take to reduce identity risk.
Ready to measure where your organization stands? Download the full 2025 Identity Automation Gap research report to discover how your organization compares to industry benchmarks, identify specific areas of risk exposure, and access a roadmap for extending automation across your entire application ecosystem.