For many organizations, identity security appears to be under control. On paper, everything checks out. But new research from Cerby, based on insights from over 500 IT and security leaders, reveals a different reality: too much still depends on people—not systems—to function. In fact, fewer than 4% of security teams have fully automated their core identity workflows.
Core workflows, like enrolling in Multi Factor Authentication (MFA), keeping credentials secure and up to date, and revoking access the moment someone leaves—are often manual, inconsistent, and vulnerable to error. And when security execution relies on memory or follow-up, gaps appear fast.
Human error remains one of the biggest threats to enterprise security. Verizon’s 2025 Data Breach report found that the human element was involved in 60% of breaches. The same manual missteps that led to breaches a decade ago still expose identity systems today. Cerby’s 2025 Identity Automation Gap research report shows just how widespread the issue is—and how far automation still has to go.
The last mile still runs on human error
The data reveals a persistent reliance on human action for tasks that should be automated across the identity security lifecycle.
41% of end users still share or update passwords manually, using insecure methods like spreadsheets, emails, or chat tools. They are rarely updated or monitored, increasing the likelihood of credential misuse or compromise.
Nearly 89% of organizations rely on users to manually enable MFA in applications, despite MFA being one of the most effective security controls. Without enforcement, protection becomes optional, and attackers know how to exploit that inconsistency.
59% of IT teams handle user provisioning and deprovisioning manually, relying on ticketing systems or informal follow-ups to grant and remove access. These workflows are slow, inconsistent, and easy to overlook—leaving organizations exposed to unauthorized access and compliance failures.
Organizations can’t afford to wait
The consequences are no longer hypothetical.
According to the Ponemon Institute, 52% of enterprises have experienced a security breach caused by manual identity work in disconnected applications. Most of them had four or more. The downstream impact was tangible: 43% reported customer loss, and 36% lost partners.
These failures are predictable and preventable, but only if organizations stop relying on humans to carry out what should be automated. Identity is no longer a background system. It’s one of the primary control planes in enterprise security. As attack surfaces expand and threat actors become more sophisticated, the automation gap becomes harder—and riskier—to ignore.
Why the automation gap persists
Why do these manual gaps still exist if automation is so critical to identity security? They’ve emerged as a byproduct of rapid growth, application sprawl, and fragmented infrastructure.
Disconnected applications are everywhere, and they don’t support the common identity standards required for integration into existing providers. A majority of enterprise applications fall into this category, and that number continues to grow. They span every business function and are packed with sensitive data.
IT & security teams assume tools = coverage. Environments today stretch across SaaS, mobile, cloud, and on-prem systems. Shadow IT continues to grow faster than anyone can track, as each business unit brings its own stack. Achieving full control across all applications remains highly elusive.
Stopgap solutions don’t scale. Password managers, manual scripts, and other vaulting tools are difficult to maintain and often create fragmented infrastructure. When integrations don’t exist, they’re frequently patched together—but these fixes are costly to build and fragile to sustain. What starts as a workaround quickly becomes an ongoing operational burden.
Closing the automation gap
The good news: closing the automation gap doesn’t require rebuilding or replacing your identity stack. It means completing it.
Forward-thinking organizations are bringing automation to every corner of their application ecosystem without waiting for native integrations. Some teams are also exploring AI agents to help close this gap. But trust is still evolving: 78% of security leaders say they don’t trust AI to fully automate core identity tasks—yet 45% support a collaborative human-in-the-loop model.
Cerby provides organizations with the flexibility to support both approaches—meeting teams where they are and delivering automation where it’s needed most.
Cerby’s research report, The 2025 Identity Automation Gap, includes findings from 500+ IT and security leaders and practical steps for closing one of the most overlooked risks in enterprise security.
Download the full report or schedule a 15-minute demo to see how Cerby brings automation across your entire identity surface.
