
The identity question every financial organization should ask themselves 


Even with modern controls in place—single sign-on (SSO), multi-factor authentication (MFA), conditional access—many financial institutions are still finding gaps they didn’t expect. According to CyberArk’s 2025 Identity Security Landscape report, 88% of breaches now stem from identity-based attacks, many involving machine identities. The exposure often lives in the details:  

  • dormant vendor accounts no one owns
  • access that outlives job changes
  • “temporary” exceptions that never got cleaned up

An identity-driven security approach helps close those gaps. When identity is treated as shared infrastructure across security, audit, risk, and operations, teams gain a clear, common language for explaining access and the expectations around it.  

How the Identity Conversation Has Evolved

Not long ago, identity was mostly a security and IT topic. Today, we’re seeing it come up in conversations across risk, audit, procurement, and vendor management — and the questions have gotten more specific. Leaders are asking things like, “Who has access to our most sensitive systems, and how do we know it’s them?” or “What access do our vendors still have, and who approved it?” 

Across the industry, we’re seeing identity-driven security become part of how organizations demonstrate accountability, beyond regulators and auditors. Teams that can clearly explain who has access, why they have it, and how it’s being monitored are in a much stronger position when questions come up. And in financial services, that ability to explain access builds confidence across the business. 




It’s Not Just Employees 

When people think about identity, they often picture employees logging into systems. But in most financial organizations, that’s just one piece of the puzzle. Today, identity includes contractors, vendors, bots, service accounts, APIs—the list keeps growing. 

In 2025, Entro Labs’ The NHI & Secrets Risk Report cited a 44% year-over-year increase in non-human identities. These machine accounts now outnumber humans by a staggering 144 to 1. Many of them have access to sensitive systems, but no clear owner or lifecycle process, creating potential exposure hiding in plain sight. 

Third-party access is another area where gaps tend to form. A vendor might need temporary access for a project, but months later, their credentials are still active. According to a Thales survey, third-party identities in financial services are expected to grow by 37% in a single year. With more access to track, there is also more room for things to slip through the cracks.

Beyond managing employees, identity-first security builds a clear, consistent approach for every kind of identity that touches your systems. 

How “Identity Debt” Slows Progress 

Most identity programs stall under the weight of accumulated exceptions—access that was granted quickly and never cleaned up.  

Security leaders are starting to name this for what it is: identity debt. It’s the backlog of orphaned accounts, legacy entitlements, and one-off permissions that no one ever circled back to fix. In fact, according to ConductorOne’s 2024 Identity Security Outlook Report, 77% of organizations experienced a breach tied to overprivileged or poorly managed access. 

The good news is that more organizations are treating identity debt as something worth solving. While it’s not perfect yet, cleaning up legacy access, defining ownership, and building a more consistent review process creates real breathing room, whether a team is rolling out new controls, preparing for an audit, or just trying to get a cleaner picture of who has what. 

What Maturity Looks Like in Financial Services

MFA is table stakes at this point. Most financial institutions have MFA in place, and many are working toward more advanced controls. When thinking about identity maturity, questions to consider as a leader are: 

  • Who has access to this system?  
  • Why do they have it?  
  • When was it last reviewed?  
  • What changed? 

That’s where governance comes in. Mature programs focus less on check-the-box reviews and more on building the muscle to explain access decisions in real time. According to a 2025 survey by StrongDM, 88% of financial institutions feel confident they could pass a surprise audit, but nearly half still spend 10 or more hours each month preparing evidence. In other words, there is still a gap to close and room to grow.

An identity-driven security program helps do exactly that. The teams that are furthest along aren’t just enforcing access controls — they can explain them, on demand, in plain language. That’s what readiness actually looks like. 

What to Pay Attention to Next 

Across financial services, identity conversations are getting more specific. The focus has shifted from broad policy questions to the operational details that actually carry risk — things like third-party account lifecycle, service account ownership, and whether privileged access can be explained clearly to an auditor. 

The previously cited CyberArk report shows that 87% of organizations experienced at least two identity-related breaches in the past year. This is a reflection of how central identity has become to the way modern threats operate — and why more teams are turning attention to areas that used to fly under the radar: non-human identities, scattered admin rights, and reporting that’s too technical to be useful outside of security.

The organizations making the most progress share a common thread: they’ve stopped treating identity as a point-in-time checkpoint and started building it into how they operate day to day. The specifics look different for every organization, but all share the underlying goal of clearer visibility into who has access and why.

Insight Global’s security practice works with financial services teams to untangle access complexity, strengthen governance, and build programs that hold up under scrutiny. If you’re not sure where your biggest gaps are, connect with our experts today.