The Automation Challenges in Identity Security: A Complex Issue Requiring Immediate Attention

For numerous organizations, identity security may seem adequately managed. On surface inspection, all indicators appear satisfactory. However, recent research by Cerby, derived from insights from over 500 IT and security professionals, uncovers a disconcerting reality: considerable reliance persists on human intervention rather than system automation. Alarmingly, fewer than 4% of security teams have achieved complete automation of their core identity workflows.

Crucial workflows, such as Multi-Factor Authentication (MFA) enrollment, secure credential maintenance, and prompt access revocation once an individual departs, are typically executed manually, leading to inconsistencies and susceptibility to errors. When security operations hinge on human memory or follow-ups, vulnerabilities arise rapidly.

Human error continues to be one of the predominant threats to enterprise security. According to Verizon’s 2025 Data Breach report, the human factor played a role in 60% of breaches. The same manual oversights that precipitated breaches a decade ago still jeopardize identity systems today. Cerby’s 2025 Identity Automation Gap research report underscores the extensive nature of this issue and the significant journey ahead for automation.

The Dependence on Human Action

The data reveals a troubling dependency on human intervention for functions that should be automated throughout the identity security lifecycle.

  • 41% of end users still share or update passwords manually, utilizing insecure channels such as spreadsheets, emails, or chat platforms. Such practices rarely get monitored or updated, heightening the risk of credential misuse or compromise.
  • Nearly 89% of organizations depend on users to manually enable MFA in applications, despite MFA being recognized as one of the most effective security measures. In the absence of enforcement, the application of protective measures becomes optional, thereby allowing attackers to exploit these inconsistencies.
  • 59% of IT teams manage user provisioning and deprovisioning manually, relying on ticketing systems or informal follow-ups to grant and rescind access. These workflows are sluggish, inconsistent, and prone to oversight, leaving organizations vulnerable to unauthorized access and compliance-related failures.

Timeliness is Critical

The repercussions of these issues are no longer speculative.

As reported by the Ponemon Institute, 52% of enterprises have encountered a security breach instigated by manual identity processes within disparate applications, with most organizations reporting four or more incidents. The repercussions were significant: 43% experienced customer attrition, and 36% lost partnerships.

Such failures are foreseeable and preventable, but only if organizations stop depending on human effort for processes that should be automated. Identity has evolved from a subordinate system into a pivotal control framework within enterprise security. As attack surfaces broaden and threat actors grow increasingly sophisticated, closing the automation gap becomes more pressing, and leaving it open more perilous.

Understanding the Automation Gap

Why do these manual gaps persist despite the imperative for automation in identity security? They have arisen as unintended effects of rapid expansion, application proliferation, and fragmented infrastructures.

  1. Disconnected applications are pervasive and often do not adhere to common identity standards required for seamless integration with existing solutions. A majority of enterprise applications fall into this category, and this trend is on the rise, encompassing every business function while containing sensitive data.
  2. IT and security teams frequently mistake tools for comprehensive coverage. Modern environments spread across SaaS, mobile, cloud, and on-premises systems are increasingly difficult to manage. Shadow IT continues to proliferate rapidly, as individual business units introduce their own technology stacks, making complete control across all applications a challenging goal.
  3. Temporary solutions lack scalability. Tools such as password managers, manual scripts, and other vaulting systems are often cumbersome to maintain and can contribute to fragmented infrastructures. Where integrations are lacking, these workarounds may be hastily assembled, but such fixes can be costly and fragile to maintain. What starts as a temporary measure can quickly evolve into an ongoing operational burden.

Steps Toward Closing the Automation Gap

The positive aspect is that addressing the automation gap does not necessitate overhauling or replacing the existing identity framework; it simply requires enhancing it.

Progressive organizations are implementing automation throughout their application ecosystems, rather than waiting for native integrations. Some are also exploring the use of AI agents to bridge this gap. Nevertheless, trust in these technologies is still developing: 78% of security leaders express mistrust in AI’s ability to fully automate core identity tasks, while 45% endorse a collaborative human-in-the-loop model.

Cerby enables organizations to support both methodologies—aligning with teams wherever they are while ensuring that automation is deployed where it is most critical.

Cerby’s research report, The 2025 Identity Automation Gap, presents findings from over 500 IT and security leaders alongside actionable strategies to mitigate one of the most underestimated risks in enterprise security.