
There is a recurring theme in every “Top Cybersecurity Trends for 2026” list: Back to the Basics. In theory, if security leaders master identity hygiene, enforce MFA, rotate privileged credentials, and conduct regular access reviews, they eliminate the vast majority of the identity attack surface. But for identity leaders of a global enterprise with 20,000 employees and a fifty-year trail of M&A and technical debt, “getting back to basics” is not trivial to pull off in practice.
The reality for large or regulated enterprises is that “the basics” don’t scale linearly. Getting to a target maturity state is rarely a straightforward, up-and-to-the-right exercise.
The Delta Between Policy and Infrastructure
Every large-scale organization built before 2000 has a written security policy that aligns with security frameworks. These policies are fantastic on paper. They typically mandate least-privilege access and 100% visibility into admin accounts. But beneath that policy lie multiple layers of infrastructure that predate REST APIs and other modern standards.
When we talk to IAM leaders who are stuck, their challenges typically boil down to the widening gap between their IGA and PAM tools and the technical reality of their legacy environment. Many of the leading IGA and PAM platforms have been optimized for the modern infrastructure era. They can manage SaaS applications, cloud infrastructure, and anything with a clean REST API. But if you’ve been in business for 25 years, your most critical systems probably weren’t built with LDAP or SCIM in mind.
Where the Basics Break
To understand why enterprise identity security stalls, you have to look at the specific technical blockers that modern connectors simply can’t solve:
- The Mainframe Problem: We recently worked with a firm where their system of record for financial transactions is AS/400. This is the dominant platform for large swaths of the global financial services industry. While their SailPoint implementation was managing O365 and Salesforce perfectly, it had zero visibility into the local user profiles on the AS/400. There was no connector that could accurately find and map those profiles to actual human identities.
- Proprietary SQL Governance: Many enterprises rely on custom-built ERP or HR systems developed twenty years ago. These systems often store permissions in convoluted, undocumented SQL tables. Without a way to extract and normalize that data, access reviews for these systems remain manual and spreadsheet-driven, resulting in governance that is prone to massive human error.
- Non-Human Identity (NHI) Sprawl (aka Service Accounts): This is the basic we have most often seen fail at scale. In a 20,000-person company, there are often 10x more service accounts than human accounts. Many of these are hard-coded into legacy scripts or are orphaned accounts left over from retired projects. They hold Admin or DBA rights, their passwords never rotate, and they are invisible to the PAM tool because often no one knows they exist to onboard them.
Spending More to Fix the Basics
This is where your sunk cost frustration may be setting in. You’ve spent millions on a top-tier identity platform, but your audit report still shows 40% of your critical infrastructure as out of scope.
Modern IGA and PAM platforms are essential engines of identity security governance and access control. But an engine cannot run without a fuel line. In the enterprise, that fuel line is identity data. If you cannot extract, clean, and feed data from your legacy and non-standard systems into your governance engine, the engine will sit idle.
This is where we have seen our most significant enterprise wins over the past several months. We’ve acted as that AI-enabled extraction layer feeding the mission-critical engines of enterprise cyber defense. Instead of requiring a team of developers to spend six months writing a custom Java connector for a legacy app, we’ve used AI to hunt through the unstructured data, map the permissions, and normalize the output.
Moving From Point-in-Time to Continuous Program
Most IAM projects have been viewed through the lens of a “done date” or “completion date.” Identity is not something that is ever “done.” Enterprise infrastructure is dynamic, with new users, applications, systems, and patterns of access changing as the business evolves. Unfortunately, most IAM programs have been built in heavy silos, with ad-hoc coordination and insufficient cohesion. IAM programs must therefore mature from point-in-time projects into a continuous program of observation.
If you are only conducting access reviews once a quarter based on manual data pulls, you might be compliant on paper. But you are also living in “identity drift,” the period of time between when an unauthorized change happens in a system and when you eventually catch it in an audit fire-drill.
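As an added example (not the article's or any vendor's code), the snippet below normalizes a constructed legacy permissions extract into a common entitlement schema, then runs the two checks the article argues for: flagging privileged service accounts that are orphaned or have stale credentials (the NHI sprawl problem above), and diffing two review snapshots to surface identity drift between quarterly reviews. The role codes, the `svc_` naming convention, the 90-day rotation threshold and all sample rows are assumptions made for the example.

```python
from datetime import date

# Constructed sample extract shaped like an undocumented legacy SQL
# permissions table: (account, role_code, last_pw_change, owner_employee_id).
# Role codes and the svc_ prefix convention are assumptions for this example.
ROLE_CODES = {"DBA": "database-admin", "ADM": "system-admin", "RO": "read-only"}
PRIVILEGED = {"database-admin", "system-admin"}

Q1_ROWS = [
    ("jsmith", "RO", "2025-11-02", "E1001"),
    ("svc_batch_ledger", "DBA", "2019-03-15", None),   # orphaned, never rotated
    ("svc_report_etl", "ADM", "2025-10-20", "E1002"),  # owned, recently rotated
    ("mlee", "ADM", "2025-09-30", "E1003"),
]
Q2_ROWS = Q1_ROWS + [
    ("svc_retired_migr", "DBA", "2018-07-01", None),   # surfaced after Q1 review
    ("jsmith", "ADM", "2026-01-10", "E1001"),          # new privilege mid-quarter
]


def normalize(rows):
    """Map raw legacy rows into the schema an IGA/PAM engine can consume."""
    return [{
        "account": account,
        "entitlement": ROLE_CODES.get(code, f"unknown:{code}"),
        "is_service": account.startswith("svc_"),
        "owner": owner,
        "last_pw_change": date.fromisoformat(pw_change),
    } for account, code, pw_change, owner in rows]


def risky_service_accounts(entitlements, today, max_pw_age_days=90):
    """Privileged service accounts that are orphaned or past the rotation window."""
    flagged = set()
    for e in entitlements:
        if not e["is_service"] or e["entitlement"] not in PRIVILEGED:
            continue
        stale = (today - e["last_pw_change"]).days > max_pw_age_days
        if stale or e["owner"] is None:
            flagged.add(e["account"])
    return sorted(flagged)


def detect_drift(baseline, current):
    """(account, entitlement) pairs present now that were absent at the last review."""
    def key(e):
        return (e["account"], e["entitlement"])
    return sorted(set(map(key, current)) - set(map(key, baseline)))
```

Run against the two snapshots, the first check flags only the orphaned DBA account in Q1 and both orphaned accounts in Q2, while the drift check surfaces the new DBA account and the human user's mid-quarter admin grant without waiting for the next review.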
Success in 2026 requires honesty about the messy realities of enterprise infrastructure. Off-the-shelf enterprise IAM products have been built for customers to adapt to the vendor’s tool constraints, not the other way around. Our customers have succeeded in breaking through technical logjams by focusing on the data. Knowing where it lives and maintaining a persistent bridge to those applications allows you to get more ROI out of the IGA and PAM tools you’ve already paid for.
The basics at scale are hard, but they aren’t impossible. You just have to stop looking at the tool and start looking at the data.


