
The Intent–Execution Gap: Why Identity Strategy Is Outpacing Delivery

Summary: Most IT and security leaders already know what good identity management looks like. The Thales Digital Trust Index 2026 shows that 87% recognize passkeys as important, yet fewer than half have deployed them. This is not primarily a knowledge problem. It is an execution problem, driven by siloed identity solutions, disjointed processes, and a persistent tendency to treat access management as a security discipline rather than a business one. Until that changes, the gap between what organizations intend and what users experience will keep widening.

Are organizations modernizing their identity strategy faster than they are modernizing their identity experience?

It’s a good question, and one I frequently encounter as a CIAM professional. Modern frameworks require strong authentication, encryption, and granular data access controls; organizations have weak passwords, patchy MFA, and difficulty enforcing IAM policies across the board. 

Case in point: the Thales Digital Trust Index 2026 report reveals that 87% of IT decision-makers say passkeys are important. But less than half (49%) have actually deployed them.

In the widening gap between identity goals and operational reality, users are the ones most affected. Second are the companies that lose clients and trust because these problems go unaddressed or misunderstood.

This is beyond bad security; it’s bad business. 

Misunderstanding Why Customers Leave

Bad business comes from bad information. Without understanding the problem, you can’t implement the right solution. For instance, IT decision-makers (ITDMs) underestimate the scale of the problem posed by excessive data requests.

In the recent Thales report, only 11% of IT and security leaders blamed clunky initial data collection for clients walking out on a business. In reality, over a quarter (28%) of customers reported leaving an online brand because it asked for too much of their personal data. 

People want to do business online, and they understand that data is the cost, but companies need to understand the line and where it falls for consumers. 

Even business partners get bugged when information is requested without explanation: the study reports that 70% of partner users say they are asked for information that doesn’t feel necessary in the line of business. 

For customers, the explanation may not even matter: too much is too much. If businesses fail to align their data-request policies with actual consumer trends, they will continue to lose paying customers (while grasping at data straws).

Misunderstanding Consumer Trust

There is another comprehension gap that causes companies to lag on IAM delivery. It’s between what IT decision-makers think they understand about consumer trust and the facts.

According to the report, 44% believe consumers completely trust their digital interactions with the company, and half believe trust is moderate. This might be true, but that trust could be unfounded: 62% of organizations have uncovered fake consumer accounts (most likely bots) using spoofed identities to impersonate customers. 

But the misunderstandings don’t start or end with customers. Poor data on how IAM practices impact the business extends the pain to the partner ecosystem as well. 

Misunderstanding Why Partners Share Credentials

When partners share login details, leaders are quick to assume sloppiness, laziness, or even malicious intent. Per the report, 39% of security leadership believes it happens for operational expediency.

Only 22% of partner users report being given the necessary login/access details immediately upon starting. Nearly all (92%) experienced access issues with their external partner within the last twelve months (and 89% delayed or abandoned work altogether due to an issue with the website or app). 

With partners anxious to start delivering value, it is no wonder that 66% admitted to using someone else’s credentials to log in. The real reason partners share credentials? Slow official processes (53%).

We’ve gotten beyond the point where IAM “just” enhances trust or prevents breaches. It also facilitates business, and the biggest gap in perception could be treating access management as a security-only discipline. 

But even when the business value of strong authentication is realized, it’s not always enforced.

Which brings us to our last gap. 

The Gap Between IAM Knowing and Doing

Most IT decision-makers know the “right answers.” And so do users.

As the Thales report states, 68% of consumers would increase their trust in a company if it offered passkeys. Nearly nine out of ten (87%) IT and security leaders agree: providing passkeys is important. 

But when a real-world inventory is taken, only 49% of organizations actually offer passkeys as an option. Something is going wrong: while chronic misunderstandings play a part in IAM strength lagging behind, this last example highlights that they are not the only problem.

Even when security teams see the picture right, there’s still an obstacle bigger than their ability to fix it. In traditional IAM setups, that’s typically disjointed processes and the lag they introduce. 

What It Takes to Bring IAM Execution Up to Speed

Even when ITDMs understand the importance of passkeys, streamlined data request forms, and timely access provisioning, their organizations might not have the technology to enforce those practices at scale. 

Stacking point solutions like SSO, MFA, identity governance, and CIAM is not the same as running them from a single place. There’s no orchestration layer, so policies can be duplicated, disconnected, or enforced differently in different scenarios. 

This is where platforms come into play, and a lot of security buzzwords get thrown around: automation, unification, streamlined workflows. But the truth is that adversaries are using these same tools (to incredible effect) and creating identity-centric attack campaigns that are overwhelming non-orchestrated IAM processes.

As noted in PwC’s recent report, AI is being used to “automate reconnaissance, generate convincing phishing lures…and scale social engineering across languages and platforms.” Consequently, “autonomous AI agents capable of executing entire attack sequences without human intervention are a prime concern.”

This is the kind of coordinated action that led multi-step fraud attacks to rise by 180% YoY in 2025.

Against this level of orchestration, IAM processes that aren’t centralized, automated, and driven by AI will fall behind. Digitization without orchestration creates inconsistency. IAM practices are no exception.

Make IAM align with business realities

Out-of-date IAM perceptions and disjointed IAM aren’t good enough against AI-powered attackers who can target identities on autopilot.

Registration workflows can be automated to streamline the onboarding process. Access-related incidents can be connected across environments to assess overall risk (not risk in silos). Modern IAM platforms can give teams visibility into complex identity interactions across B2C, B2B, and gig markets.

In 2026, the tools exist to make IAM align with business realities: ITDMs just need to catch up. 

Copyright © 2026 TechBullion. All Rights Reserved.
