Plus, a Q&A with Chris Gossett, Chief Growth Officer at SailPoint
As threats such as phishing, social engineering, and malware grow in complexity, cyber professionals should evolve identity security practices to better protect user data. Deloitte and SailPoint conducted a survey of more than 400 executives across a diverse range of industries to understand how they’ll respond to increasing risk in the coming year.
The takeaway? Cyber executives are ready to grow their identity programs, but they’re facing bottlenecks. The report looks at some of the key challenges and how leaders can overcome them with AI-driven solutions.
Identity security survey highlights
- Phishing is the No. 1 threat, according to respondents
- 75% of respondents plan to adopt an AI-driven solution
- 50% rate their identity management as mature
Currently speaking
Q&A with Chris Gossett, Chief Growth Officer at SailPoint
With identity-based threats on the rise, how do you see the role of identity security evolving in modern cybersecurity strategies?
Identity security has gone from being just one piece of cybersecurity to being the foundation. Attackers aren’t breaking in anymore—they’re logging in and using stolen credentials, over-permissioned accounts, or AI-driven phishing attacks that are scarily convincing.
The future of cybersecurity is about identity-first security. That means enforcing least privilege access, so access isn’t accumulating over time, and managing every identity—whether it’s human, bot, or AI. Organizations also need full visibility into who has access to what across all applications. If you don’t know that, you’re flying blind. In 2025, protecting identity is protecting the business.
Many organizations are shifting to an ‘identity-first’ security approach. What challenges do organizations face in implementing this model, and how can they address them?
One big challenge? Cultural resistance. Businesses and people don’t love having their access restricted, even if it’s for security. A fix? Strong identity governance: automated least privilege enforcement and clear communication. Show teams that tighter identity controls aren’t about slowing them down—they’re about keeping organizations safe.
The survey indicates that AI is playing a growing role in identity governance. How can organizations leverage AI for identity threat detection and risk mitigation?
AI in identity governance is like having a security guard who never sleeps, never takes coffee breaks, and understands your environment better than you do. One of the biggest challenges in identity security is knowing exactly what access an identity should have—and enforcing that across every application in the enterprise. Manually managing this at scale is impossible, which is why AI-powered solutions are becoming essential. AI can analyze patterns, detect excessive permissions, and automate least privilege enforcement, reducing the attack surface. Without AI, organizations sometimes guessed—and in cybersecurity, guessing can result in something being missed.
With the increasing sophistication of insider threats, what measures should organizations take to balance security with user experience while managing internal access controls?
Insider threats are tough—because these users already have access. Lock things down too much, and productivity grinds to a halt. Leave things too open, and you’re inviting risk. The key is making sure the business understands why users have the access they do. That starts with clear entitlement and role descriptions—so there’s no guesswork about who needs what. Organizations also need to prevent access creep—employees shouldn’t accumulate permissions as they change roles. And with privileged accounts, bots, and AI agents expanding the attack surface, it’s critical to map out effective access across identities, not just humans.
What are the key metrics or indicators you recommend for measuring the effectiveness of an identity security program?
Measuring identity security isn’t just about counting how many accounts you’ve locked down—it’s about understanding who has access to what and whether that access makes sense. Some key metrics to track:
- Percentage of users with least privileged access: Are employees only getting the access they actually need?
- Access creep rate: How often do users retain old permissions when they change roles?
- Time to revoke access: How quickly are accounts deprovisioned when someone leaves or changes jobs?
- Privileged access visibility: Do you know the owner, purpose, and access for every privileged account, including bots and AI agents?
- Orphaned accounts: How many unused accounts are floating around, waiting to be exploited?
- Percentage of applications under identity management: How many apps are actually covered by identity security controls? If you’re only managing a fraction, the rest are blind spots.
If you’re not tracking these, you’re not measuring identity security—you’re just hoping for the best.
About the Author
Anthony Berg is a principal in Deloitte’s Cyber practice, serving as the Solution Offering Leader for Identity & Access Management (IAM). He focuses on helping clients secure their enterprises by enabling trusted identities in a connected and open world. With more than 15 years at Deloitte, Anthony oversees IAM strategy, revenue growth, talent development, technology innovation, and key client relationships.
US Identity & Access Management (IAM) Solution Offering Leader
Principal
Deloitte & Touche LLP