Illustration by iStock; Security Management

Complex, Siloed Physical–Digital Identity Management Creates Fragile Security Posture

Perception and reality often conflict, and security is no exception. Nearly 95 percent of IT and cybersecurity decision-makers surveyed by HID and the FIDO Alliance said they can revoke all physical and logical access within 24 hours of an employee leaving, but 35 percent said they experienced delays or failures doing so in the past two years.

The survey findings, published in the report The State of Physical and Digital Identity in the Enterprise, examine the gaps between physical and digital identity management in organizations, as well as the fragile security posture those siloed functions create.

More than 70 percent of organizations issue physical access credentials to most or all employees, and 95 percent have also at least started incorporating physical-digital convergence into their identity strategy, merging access on a single, standards-based credential, such as passkeys.

Access systems are only getting more complex, though, and 59 percent of enterprises are currently managing three or more distinct credential and authentication systems. To keep these systems running, organizations continue to fall back on manual processes. More than 10 percent of respondents reported that onboarding, credential recovery, and credential revocation are still mostly or fully manual.

Respondents attributed the growing complexity of digital identity management systems to compliance and regulation (cited by 57 percent), evolving cyber threats (56 percent), and hybrid workforces (47 percent).

Only 50 percent of the 500 security professionals surveyed have unified reporting ownership for physical and digital identity, and 48 percent have consolidated budget control. In addition, procurement varies widely by identity type: physical security is predominantly purchased as a capital expenditure, while logical security relies on SaaS or mixed financing models.

“Different teams, different budgets, and different procurement models have created a structural divide that is proving hard to close,” the report said.

In the past 24 months, 70 percent of survey respondents had at least one identity-related security event, including delays or failures revoking employee access (35 percent), a phishing or social engineering attack that bypassed existing multifactor authentication (32 percent), a credential-based breach or account takeover (23 percent), unauthorized access through orphaned or unrevoked credentials (22 percent), or an insider threat involving physical or logical access abuse (21 percent).

The gap between users’ confidence in their systems’ abilities and the rate of incidents “is the predictable consequence of fragmented systems,” the report said. “When physical and logical access are managed separately, no single team holds a complete picture—and the credentials never revoked because no one knew they existed become the attack surface.”
