Full Report
For many organizations, identity security appears to be under control. On paper, everything checks out. But new research from Cerby, based on insights from over 500 IT and security leaders, reveals a different reality: too much still depends on people—not systems—to function. In fact, fewer than 4% of security teams have fully automated their core identity workflows. Core workflows, like
Analysis Summary
# Best Practices: Identity Security Automation Gap Closure
## Overview
These practices address the critical vulnerability arising from over-reliance on manual processes—rather than automated systems—to secure the identity lifecycle. Failures in core identity workflows, such as MFA enrollment, credential management, and access revocation, are common, leading to significant breaches and business losses due to human error. The goal is to automate these processes across the entire application ecosystem.
## Key Recommendations
### Immediate Actions
1. **Audit Manual Processes:** Immediately inventory all core identity workflows (MFA enrollment, credential updates, access provisioning/de-provisioning) to identify where human action, manual review, or ticketing is currently the primary control mechanism. Focus on the top 5 critical applications involved in these manual processes.
2. **Mandate In-Application MFA Enrollment:** Cease relying on users to manually enable MFA. Enforce MFA enrollment immediately via policy or configuration within all centrally managed applications.
3. **Stop Insecure Credential Sharing Practices:** Issue an immediate, high-priority directive to all staff explicitly forbidding the sharing or updating of passwords via spreadsheets, email, or chat tools.
### Short-term Improvements (1-3 months)
1. **Automate Access Revocation:** Prioritize automating the de-provisioning of access. Establish a strict Service Level Agreement (SLA) for de-provisioning access (e.g., immediate or within one business hour of employee termination/role change) and integrate HR records directly with access control systems where possible.
2. **Secure Credential Management for Legacy Systems:** Implement a scalable, centrally managed vaulting solution (separate from fragmented manual efforts) for accessing applications that lack modern identity standards integration, reducing reliance on individual user knowledge.
3. **Deploy Unified MFA Enforcement:** Implement a solution capable of enforcing MFA across applications lacking native support, ensuring MFA is not optional across the enterprise surface.
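The HR-driven de-provisioning check from item 1, as an added example that is not from the report or any vendor product: a constructed HR feed and per-application account exports are reconciled against a one-hour SLA, and every "terminated but still enabled" account becomes a disable-plus-session-termination action. Field names, timestamps and the `finance-erp`/`hris` app names are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed HR feed: user id, employment status, and when it took effect (UTC).
HR_RECORDS = [
    {"user": "alice", "status": "active",     "effective": "2025-03-01T09:00:00+00:00"},
    {"user": "bob",   "status": "terminated", "effective": "2025-03-10T17:00:00+00:00"},
    {"user": "carol", "status": "terminated", "effective": "2025-03-11T08:30:00+00:00"},
]

# Constructed account exports: what each application still believes about its users.
APP_ACCOUNTS = {
    "finance-erp": {"alice": "enabled", "bob": "enabled", "dave": "enabled"},
    "hris":        {"alice": "enabled", "bob": "disabled", "carol": "enabled"},
}

SLA = timedelta(hours=1)          # de-provision within one hour of termination
NOW = datetime.fromisoformat("2025-03-11T09:00:00+00:00")   # constructed "current time"

@dataclass(frozen=True)
class Finding:
    app: str
    user: str
    kind: str            # "revoke_overdue", "revoke_due" or "orphan"
    overdue_hours: float  # how far past the SLA deadline (0 if not yet overdue)

def reconcile(hr_records, app_accounts, now):
    """Compare HR truth with each app's account list.
    terminated in HR + enabled in app  -> revoke (overdue once past the SLA)
    enabled in app + unknown to HR     -> orphan (no owner; needs review)"""
    hr = {r["user"]: r for r in hr_records}
    findings = []
    for app, accounts in app_accounts.items():
        for user, state in accounts.items():
            if state != "enabled":
                continue
            rec = hr.get(user)
            if rec is None:
                findings.append(Finding(app, user, "orphan", 0.0))
            elif rec["status"] == "terminated":
                deadline = datetime.fromisoformat(rec["effective"]) + SLA
                late = (now - deadline).total_seconds() / 3600
                kind = "revoke_overdue" if late > 0 else "revoke_due"
                findings.append(Finding(app, user, kind, max(late, 0.0)))
    return findings

def revocation_actions(findings):
    """Ordered steps for the automation layer: disable the account, then end live
    sessions so revocation takes effect immediately. Orphans are not auto-revoked."""
    actions = []
    for f in findings:
        if f.kind.startswith("revoke"):
            actions.append(("disable_account", f.app, f.user))
            actions.append(("terminate_sessions", f.app, f.user))
    return actions
```

Orphan accounts are deliberately routed to review rather than disabled automatically, because an account HR does not know about may be a service account rather than a departed user.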
### Long-term Strategy (3+ months)
1. **Achieve Workflow Automation:** Strategically invest in identity governance and management (IGA) and access management solutions capable of integrating with legacy and unmanaged applications to achieve automation across the majority of core identity workflows (aiming for well above the current 4% baseline).
2. **Establish Comprehensive Application Mapping:** Develop and maintain a real-time inventory of all enterprise applications (including Shadow IT instances identified via discovery tools) to ensure identity controls cover the entire attack surface.
3. **Pilot Human-in-the-Loop AI Agents:** Explore and pilot AI agent solutions to bridge integration gaps in highly fragmented systems, focusing initially on collaborative, human-verified workflows rather than full autonomy, given current trust levels.
## Implementation Guidance
### For Small Organizations
- **Prioritize MFA Enforcement First:** Focus budget and time on enforcing strong MFA across all primary SaaS applications (Email, HRIS, CRM) as this yields the highest risk reduction with moderate effort.
- **Standardize Password Handling:** Adopt a single, centrally managed password manager for all shared/legacy credentials, replacing disparate spreadsheets or local storage.
- **Use Ticketing System SLAs:** If full automation is infeasible, strictly define and enforce maximum SLAs for access changes within existing ticketing systems, reviewing compliance monthly.
### For Medium Organizations
- **Automate Core Deprovisioning:** Deploy a defined Identity Governance and Administration (IGA) process focused strictly on automating off-boarding workflows impacting critical systems first (e.g., Finance, HR data).
- **Integrate Standardized Apps:** Focus integration efforts on applications supporting modern authentication protocols (SAML, OIDC) to quickly transition MFA and provisioning to the central Identity Provider (IdP).
- **Application Sprawl Review:** Conduct quarterly reviews of newly adopted application stacks to ensure any deployment of new software includes identity integration requirements upfront.
### For Large Enterprises
- **Mandate Identity Fabric:** Require that all new application onboarding must adhere to pre-approved integration standards, or budget for integration via a dedicated automation layer that bridges disconnected systems.
- **Measure Automation Coverage:** Establish key performance indicators (KPIs) tracking the percentage of identity workflows executed without human intervention across the entire application portfolio.
- **Invest in Integration Strategies:** Focus on robust API-driven integration or robotic process automation (RPA) overlays specifically designed to interact with legacy applications that cannot support modern identity standards.
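The automation-coverage KPI from the second bullet, as an added example rather than anything from the report: constructed audit events (one row per step of a workflow execution, with a `system` or `human` actor) are rolled up so that an execution counts as automated only when no step needed a person. Event field names and the `legacy-erp`/`crm` app names are assumptions.

```python
from collections import defaultdict

# Constructed identity-workflow audit events. actor_type is "system" (IdP, IGA or
# automation-layer connector) or "human" (admin, help desk, ticket approver, end user).
EVENTS = [
    {"exec": "e1", "workflow": "mfa_enrollment",      "app": "crm",        "actor_type": "system"},
    {"exec": "e2", "workflow": "mfa_enrollment",      "app": "legacy-erp", "actor_type": "human"},
    {"exec": "e3", "workflow": "deprovisioning",      "app": "crm",        "actor_type": "system"},
    {"exec": "e3", "workflow": "deprovisioning",      "app": "crm",        "actor_type": "system"},
    {"exec": "e4", "workflow": "deprovisioning",      "app": "legacy-erp", "actor_type": "system"},
    {"exec": "e4", "workflow": "deprovisioning",      "app": "legacy-erp", "actor_type": "human"},
    {"exec": "e5", "workflow": "credential_rotation", "app": "legacy-erp", "actor_type": "human"},
]

def automation_coverage(events):
    """Return {workflow: (automated_executions, total_executions, pct)}.
    A single human step anywhere in an execution (a ticket approval, a manual
    MFA toggle) makes that whole execution count as manual."""
    touched_by_human = defaultdict(bool)
    workflow_of = {}
    for ev in events:
        workflow_of[ev["exec"]] = ev["workflow"]
        touched_by_human[ev["exec"]] |= ev["actor_type"] == "human"
    per_wf = defaultdict(lambda: [0, 0])       # workflow -> [automated, total]
    for ex, wf in workflow_of.items():
        per_wf[wf][1] += 1
        if not touched_by_human[ex]:
            per_wf[wf][0] += 1
    return {wf: (a, t, round(100.0 * a / t, 1)) for wf, (a, t) in per_wf.items()}

def below_target(coverage, target_pct):
    """Workflows under the KPI target, worst first, for prioritising integration work."""
    return sorted((wf for wf, (_, _, pct) in coverage.items() if pct < target_pct),
                  key=lambda wf: coverage[wf][2])

def portfolio_pct(coverage):
    """Single portfolio-wide number: automated executions over all executions."""
    automated = sum(a for a, _, _ in coverage.values())
    total = sum(t for _, t, _ in coverage.values())
    return round(100.0 * automated / total, 1) if total else 0.0
```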
## Configuration Examples
*Note: Specific tool configurations are absent, but the principle below addresses the need for non-standard application integration.*
**Principle for Connecting Disconnected Applications:**
Utilize an **Identity Automation Layer** configured to interface with applications that do not natively support the corporate Identity Provider (IdP). This layer must be programmed to:
1. **Mimic User Action:** Programmatically log in using service accounts (securely vaulted) to execute required identity changes (e.g., enabling MFA, updating user attributes).
2. **Ensure Session Control:** Implement mechanisms to forcibly terminate sessions or log out users immediately upon access revocation events triggered from the IdP/HR system.
## Compliance Alignment
- **NIST Cybersecurity Framework (CSF):** Improvement aligns heavily with the **Identify** (Asset Management) and **Protect** (Identity Management and Access Control PR.AC family) functions by reducing human variability in applying security policies.
- **ISO/IEC 27002:2022:** Directly supports controls related to **5.18 Access Rights** and **8.3 Management of Privileged Access Rights**, reducing manual entitlement management.
- **CIS Critical Security Controls (Top 4):** Automating these workflows is essential for maintaining **Control 4 (Secure Configuration of Enterprise Assets and Software)** and **Control 5 (Account Management)** effectively over time.
## Common Pitfalls to Avoid
- **Assuming Modern Apps Cover Everything:** Do not assume SaaS and cloud tools handle all identity security; legacy and departmental applications are primary sources of manual gaps.
- **Over-relying on Vault Managers Alone:** Simple password vaulting tools are insufficient if workflow logic (like MFA enrollment) still requires manual confirmation or execution outside the vault system.
- **Ignoring Trust Gaps in AI:** While exploring AI, strictly avoid granting autonomous control over high-risk identity functions (e.g., master password reset) until thorough security validation and human-in-the-loop confirmation processes are established.
- **Treating De-provisioning as Secondary:** Failing to prioritize automated off-boarding results in permanent standing access for departed users, a critical and preventable breach vector.
## Resources
- **Identity Governance and Administration (IGA) Solutions:** Evaluate platforms specializing in identity lifecycle management and governance.
- **Application Discovery Tools:** Use tools to map and inventory the full scope of applications in use to identify gaps in identity control coverage.
- **Cerby's 2025 Identity Automation Gap Report:** Provides the detailed research context supporting the need for automation.