Summary: When the SEC ruled that cybersecurity incidents carry the same materiality obligations as a factory fire, it drew a direct line between identity governance and board accountability. The Thales Digital Trust Index 2026 shows that most organizations have not followed that line to its conclusion. Identity risks are undermining partner ecosystems, eroding consumer trust, and leaving known security gaps unaddressed — not because leaders lack awareness, but because ownership has never been clearly assigned above the IT level. That needs to change.
Compromised Identities are no longer a tactical security issue.
Instead, it has become a governance issue with significant commercial, regulatory, and reputational consequences. Despite all this, IAM ownership remains fragmented. And the ones that should take ownership still push it off as an IT priority.
Meanwhile, identity-centric security issues are undermining business objectives: according to the Thales Digital Trust Index 2026, 69% of IT decision-makers report discovering fraudulent accounts using fake consumer identities.
Threat actors don’t need to hack in if they can just sign up. This undermines every technology investment in detection tools, allowing adversaries to launch low-and-slow attacks under legitimate accounts.
The result is that these identity attacks become virtually uncatchable without AI or threat hunting (both of which most orgs still struggle to implement at scale). Ensuing attacks impact revenue, damage compliance, harm ecosystem relationships, and impact customer trust.
With all that on the line, the fact that the onus for identity programs still sits below the board level is one of the major flaws in corporate hierarchy today.
IAM Governance Isn’t Meeting Business Demands in 2026
Most security leaders understand that there’s a lot going on on the identity front that they can’t see. In other words, current IAM policies aren’t working.
The Thales report reveals that 53% of ITDMs believe that someone may have accessed partner systems in the past year pretending to be them. More than half think that. Are partner IAM systems keeping up?
The risks persist. According to the report, most respondents (87%) believe passkeys are important for security, but fewer than half of organizations currently offer them. Security leaders understand there’s a risk, and most still operate in a space where that risk gap goes unaddressed.
That may be because IAM ownership is distributed and often unclear: only 44% are certain that their partner users have visibility over their own permissions, and only 22% of partner users receive the access they need immediately upon starting with a new external partner.
What Unaddressed Identity Risks Mean in 2026
Because IAM ownership is fragmented (roughly half of partners say it’s managed by the host; the rest is partner-managed or shared), finding and addressing identity-related issues can be an exercise in bureaucracy and pass-the-buck.
If people can’t access the things they need when they need them, it slows the pace of business. If companies are investing heavily in detection tools but weak IAM is letting threat actors through the front door, that’s bad for business. And if the right identity and access management security tools are out there, but ITDMs for some reason can’t get them in the door, that’s bad for business.
When 60% of companies engage an average of 1,000 third-party partners, sloppy IAM management issues can compound, resulting in real losses in productivity and dips in profit. They can lead to breaches: as the Verizon 2025 DBIR notes, access issues (namely, stolen credentials) remain the primary initial access vector for the second year in a row.
It’s been said before, and it’s true: identity is not a security problem in 2026 so much as it is an operations/revenue problem. Identity holes are where businesses are hemorrhaging profits, and faulty IAM governance is to blame.
If companies are struggling to align IAM practices with business imperatives now, the gap will only widen as they continue to adopt more automation, digitalization, and AI.
Identity Underpins AI and Digital Transformation
“Business is no longer going to be human-centric. So IAM is now at the core of autonomous business,” stated David Furlonger, VP and Gartner fellow at Gartner’s IAM Summit 2025.
At the Summit, it was argued that identity underpins four key pillars of modern business: security, compliance, agility, and digital transformation.
Smart IAM strategies were tied to an organization’s ability to:
- Meet the mandates of compliance frameworks (GDPR, HIPAA, PCI DSS)
- Deliver safe and diversified user and partner platforms
- Enter new markets and adopt new tech
- Secure businesses on the whole
This elevates identity far beyond the mid-level reach of most IT managers. While it’s one more bullet point on the meeting agenda and, foreseeably, a considerable addition to the workload, the fact that identity now underpins a company’s longevity, innovation, and security in a big way cannot be ignored.
Identity governance cannot be pushed solely onto IT or security teams. And it cannot be left to languish in the “we know it needs improvement, but we’re currently not working on it” gap. Making secure authentication battle-ready and stress-tested for modern environments needs to be a top priority of senior leaders until it’s done:
If for no other reason than because it’s those same senior leaders who will be called to account if identity issues escalate into breaches and lost business.
Why Identity Is Squarely a C-Suite Issue
The Securities and Exchange Commission (SEC) makes clear that what happens in cybersecurity doesn’t stay in cybersecurity: “Whether a company loses a factory in a fire – or millions of files in a cybersecurity incident – it may be material to investors,” notes SEC Chair Gary Gensler.
This quote from the SEC’s press release on its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies is a precursor to what those Rules would mean: shifting responsibility to the board level for security oversight and disclosure.
They would also be instrumental in tying these failures back to liabilities for investors and turning what was once an IT problem into a governance issue and (therefore) an executive responsibility.
When Security Gaps Become Business Liabilities
Identity underpins cybersecurity, productivity, ecosystem partner output, and customer trust.
Companies can no longer afford to let IAM gaps go unnoticed or unresolved. When more than half of ITDMs believe they’ve been hacked in partner systems and more than half of organizations have yet to deploy passkeys that everyone agrees are important, identity issues are open doors to breaches hiding in plain sight. To say nothing of the partners that can’t provide value because they can’t obtain access.
These are no longer security gaps; they’re business liabilities. This makes identity a governance issue at the highest level.

