The Trust Gap: Where Identity Actually Fails

By Malcolm Broad - Apr 21, 2026

Why Most Identity Investments Don’t Address the Real Risk


Introduction: Identity Doesn’t Fail Where You Think

Most organisations believe their identity systems are secure.

And in many cases, they are — at least at login.

But identity failures rarely occur during authentication.

They occur in the moments where systems need to decide whether someone should be trusted, and lack the evidence to do so. This is the Trust Gap.


Defining the Trust Gap

The Trust Gap is the difference between what a system assumes about a user and what it can actually verify.

In most enterprises, this gap is wider than expected, because identity decisions still rely on:

  • HR system entries
  • Email ownership
  • Knowledge-based verification
  • Manual helpdesk processes

These are not proofs; they are proxies for trust.


Where the Trust Gap Shows Up

Across industries, the same failure points repeat:

1. Onboarding

  • Users are provisioned based on submitted information
  • Identity proofing is often minimal or inconsistent
  • Contractors and third parties introduce additional risk

2. Recovery

  • Password resets rely on knowledge-based questions
  • Email or SMS become fallback identity mechanisms
  • Attackers increasingly target recovery paths

According to Microsoft, account recovery flows are one of the most exploited entry points in identity attacks.

3. Helpdesk Verification

  • Agents are required to “verify” identity under time pressure
  • Decisions are made using incomplete or unreliable signals
  • Social engineering becomes highly effective

The Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly highlighted helpdesk impersonation as a growing attack vector.

4. Access Changes and Exceptions

  • Privileged access is often granted based on request and approval
  • Verification of the requester is assumed
  • Temporary access paths become permanent risk


Why Existing Investments Don’t Close the Gap

Organisations have invested heavily in:

  • Identity providers (IdPs)
  • Multi-factor authentication (MFA)
  • Privileged access management (PAM)
  • Passwordless authentication

These are necessary, but they are not sufficient.

They focus on authentication strength, not on trust verification.


The Structural Problem

Authentication answers: Can you log in?

The Trust Gap exists because organisations also need to answer: Should you be trusted right now?

Without verifiable proof, systems fall back to:

  • Assumption
  • Process
  • Human judgement

Which introduces:

  • Inconsistency
  • Cost
  • Risk


The Financial Impact of the Trust Gap

This is where the conversation changes for executives. The Trust Gap is not just a security issue; it directly drives:

1. Cost

  • Helpdesk overhead
  • Manual verification processes
  • Identity-related incident response

2. Risk

  • Social engineering attacks
  • Credential compromise
  • Insider misuse

3. Revenue Friction

  • Delayed onboarding
  • Slower partner integration
  • Reduced user conversion

According to IBM, identity-related breaches remain among the most expensive due to their lateral movement potential.


Why the Gap Is Growing

Several trends are widening the Trust Gap:

  • Increased use of contractors and external identities
  • Remote and distributed workforces
  • AI-enabled social engineering
  • Complex, multi-system identity environments

Traditional identity models were not designed for this level of complexity.


Closing the Trust Gap

Closing the Trust Gap requires a shift:

From: Trust based on system records

To: Trust based on verifiable proof

This is where Proof-Based Identity becomes critical.


The First Step: Visibility

Most organisations cannot close the Trust Gap because they have not mapped it.

They don’t know:

  • Where trust decisions are made
  • What evidence is used
  • Where assumptions exist

This is why the first step is not technology.

It is: Mapping trust across the identity lifecycle
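As an added illustration of that mapping step (example code written for this page, not tooling from the author or any product), the script below builds a small inventory of the trust decision points the article names: onboarding, recovery, helpdesk verification and access changes. Each decision point records the evidence it relies on and the assumption it makes, and the evidence is classified as a proxy (the article's own list: HR records, email ownership, knowledge-based questions, manual helpdesk checks) or a proof. The two proof evidence types and the sample inventory are constructed assumptions, not taken from the article. A decision point that rests on proxies alone, or on evidence nobody has classified, is reported as sitting in the Trust Gap.

```python
from dataclasses import dataclass
from enum import Enum


class Strength(Enum):
    PROXY = "proxy"   # an indicator of identity, not a verification of it
    PROOF = "proof"   # evidence the system can verify for itself


# Evidence catalogue. The proxy entries are the article's own list of what
# identity decisions "still rely on"; the two proof entries are assumed
# examples of verifiable evidence and are not taken from the article.
EVIDENCE = {
    "hr_record": Strength.PROXY,
    "email_ownership": Strength.PROXY,
    "sms_code": Strength.PROXY,
    "knowledge_based_questions": Strength.PROXY,
    "helpdesk_manual_check": Strength.PROXY,
    "manager_approval": Strength.PROXY,
    "verified_document_check": Strength.PROOF,              # assumed
    "bound_phishing_resistant_credential": Strength.PROOF,  # assumed
}


@dataclass(frozen=True)
class DecisionPoint:
    """One place in the identity lifecycle where trust is decided."""
    name: str
    stage: str            # onboarding | recovery | helpdesk | access_change
    evidence: tuple       # evidence names, ideally drawn from EVIDENCE
    assumption: str = ""  # what is taken for granted rather than verified


def unknown_evidence(point):
    """Evidence the inventory cannot classify: itself a visibility gap."""
    return [e for e in point.evidence if e not in EVIDENCE]


def in_trust_gap(point):
    """True when the decision rests on proxies, unclassified evidence, or nothing."""
    return not any(EVIDENCE.get(e) is Strength.PROOF for e in point.evidence)


def map_trust_gap(points):
    """Per decision point: what it relies on, what it assumes, and whether it is in the gap."""
    rows = []
    for p in points:
        rows.append({
            "name": p.name,
            "stage": p.stage,
            "proxies": [e for e in p.evidence if EVIDENCE.get(e) is Strength.PROXY],
            "proofs": [e for e in p.evidence if EVIDENCE.get(e) is Strength.PROOF],
            "unclassified": unknown_evidence(p),
            "assumption": p.assumption,
            "in_gap": in_trust_gap(p),
        })
    return rows


def gap_by_stage(points):
    """Map lifecycle stage -> (decision points, decision points in the gap)."""
    summary = {}
    for p in points:
        total, gap = summary.get(p.stage, (0, 0))
        summary[p.stage] = (total + 1, gap + int(in_trust_gap(p)))
    return summary


# Constructed sample inventory mirroring the article's four failure points.
SAMPLE_INVENTORY = (
    DecisionPoint("new-hire provisioning", "onboarding",
                  ("hr_record",), "the HR entry describes a real, present person"),
    DecisionPoint("contractor provisioning", "onboarding",
                  ("email_ownership", "manager_approval"), "the sponsor checked who they are"),
    DecisionPoint("self-service password reset", "recovery",
                  ("knowledge_based_questions", "sms_code"), "only the user knows the answers"),
    DecisionPoint("helpdesk MFA reset", "helpdesk",
                  ("helpdesk_manual_check",), "the caller is who they say they are"),
    DecisionPoint("privileged role grant", "access_change",
                  ("manager_approval",), "the requester was verified upstream"),
    DecisionPoint("high-assurance recovery", "recovery",
                  ("verified_document_check", "bound_phishing_resistant_credential"), ""),
)


if __name__ == "__main__":
    for row in map_trust_gap(SAMPLE_INVENTORY):
        flag = "GAP" if row["in_gap"] else "ok "
        print(f"{flag} {row['stage']:<13} {row['name']:<28} "
              f"proxies={row['proxies']} assumes: {row['assumption']}")
    print(gap_by_stage(SAMPLE_INVENTORY))
```

Running the script prints one line per decision point and a per-stage count; in the constructed inventory every path except the high-assurance recovery sits in the gap, which is the shape the article describes. The useful output in practice is the `assumption` column: each entry is a sentence a process owner has to defend, and the `unclassified` list surfaces evidence nobody has yet decided is proof or proxy.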


The Trust Gap is the defining challenge of modern identity.

It is where:

  • Risk accumulates
  • Costs increase
  • Decisions break down

And it cannot be solved with stronger authentication alone; it requires a new model.

The next article explores what that model looks like and how identity moves from authentication to verifiable proof.


REFERENCES

Cybersecurity and Infrastructure Security Agency. (2023). Identity and access management best practices.

IBM Security. (2024). Cost of a data breach report.

Microsoft. (2023). Digital defense report.

Malcolm Broad

Chief Growth Officer