On the surface, identity security at most organizations appears well-managed. MFA is available. Credentials are documented. Access control policies are in place. But beneath the dashboards and checklists, a deeper issue persists: security workflows still rely heavily on people, not systems. According to new research from Cerby, fewer than 4% of security teams have fully automated their core identity processes.
Manual tasks like setting up MFA, updating passwords, or revoking access when someone leaves are still routine. These should be system-driven—but often aren’t. Instead, they rely on memory, reminders, or ticket follow-ups. And when execution depends on humans, mistakes are inevitable.
In fact, Verizon’s 2025 Data Breach Investigations Report found that 60% of breaches involved human error. Cerby’s latest Identity Automation Gap report, based on insights from over 500 IT and security leaders, reveals just how far behind most organizations remain.
The Final Stretch Is Still Manual—and Dangerous
Cerby’s data outlines three persistent identity security risks, all rooted in manual execution:
- Passwords shared insecurely: 41% of users still update or share credentials using spreadsheets, emails, or chat apps. These methods are rarely tracked or secured—making breaches more likely.
- MFA remains optional: 89% of organizations depend on users to manually enable MFA. Without enforcement, protection is inconsistent, and attackers are quick to exploit these gaps.
- Access management is still ticket-based: 59% of IT teams manually provision and deprovision users, often relying on ad-hoc reminders. These delays can lead to unauthorized access and compliance risks.
The consequences are real. According to the Ponemon Institute, over half of enterprises experienced a breach due to manual identity management. Many faced repeat incidents. As a result, 43% lost customers and 36% lost key partners.
Closing the Automation Gap Starts With Completion—Not Replacement
So why haven’t organizations automated what’s clearly critical? Cerby’s report points to three main causes:
- Application sprawl: Most apps don’t support standard identity protocols. Legacy systems and shadow IT tools are everywhere—and often beyond the reach of traditional IAM platforms.
- False sense of security: Security leaders assume that using tools equals having coverage. But most environments span SaaS, cloud, mobile, and on-prem. Without integration, security is uneven at best.
- Short-term fixes, long-term problems: Manual scripts and password vaults may fill gaps temporarily, but they’re hard to scale and prone to error. What starts as a patch becomes a permanent weak spot.
Fortunately, automation doesn’t require rebuilding from scratch. Modern solutions extend automation to disconnected applications, allowing teams to enforce identity policies across all tools—regardless of native integration support.
While some teams are exploring AI agents for identity automation, most still want human oversight. Cerby’s research shows that 78% of security leaders don’t yet trust AI to take over, but 45% are open to human-in-the-loop automation—a hybrid approach that blends system efficiency with human judgment.
Cerby’s platform enables both models, helping organizations close the automation gap without overhauling their identity stack. The company’s 2025 Identity Automation Gap report includes actionable guidance for teams looking to automate identity workflows, reduce risk, and eliminate hidden vulnerabilities before they become front-page breaches.