When Friction Becomes a Liability
Why doing nothing about identity re-establishment is now a leadership risk.
Let’s be honest
If you’re responsible for identity, security, or technology at scale, you already know this is an issue.
You might not describe it this way, but you recognise the signs:
- identity incidents that look “legitimate” in hindsight
- more controls in place, yet less confidence when something goes wrong
- recovery and support workflows carrying disproportionate risk
- an increasing reliance on human judgement to re-establish trust under pressure
What has changed is not intent or awareness; it is scale.
And at scale, friction doesn’t reduce risk; it moves and magnifies it.
The industry signal is unambiguous
Across every major threat, breach, and executive risk report, one message is consistent:
Attackers don’t defeat the strongest controls. They exploit the moments where trust is re-granted without proof.
The data backs this up:
- Verizon’s Data Breach Investigations Report continues to show credential abuse and social engineering as dominant contributors to breaches, even in environments with mature IAM and MFA deployments [1].
- Microsoft reports identity attacks at massive daily scale, noting that attackers adapt faster than organisations can add friction or controls [2].
- Mandiant’s incident response data consistently identifies stolen credentials and abuse of legitimate workflows as leading initial access vectors [3].
This is not an indictment of IAM platforms or Zero Trust strategies.
It is a warning that identity re-establishment has become the weakest link.
Why friction feels right and why it fails in practice
When an identity incident occurs, the instinctive response is almost universal:
- add more checks
- add more approvals
- tighten recovery
- slow things down
On paper, this looks like maturity. In reality, friction introduces three predictable and dangerous outcomes.
1. Workarounds become the system
Operational teams are measured on resolution, continuity, and experience — not identity purity.
As friction increases:
- controls are bypassed to meet SLAs
- approvals shift to informal channels
- “temporary” exceptions become permanent
- identity decisions drift off-system
The more friction you add without adding verifiable proof, the more identity assurance depends on human judgement — precisely where attackers succeed.
This is not a training issue; it is a structural one.
2. Risk concentrates instead of dispersing
Friction does not reduce the number of identity decisions; it concentrates them.
As IAM environments become more complex:
- fewer people are authorised to override controls
- recovery and exception handling funnels through smaller teams
- those roles become high-value targets
Gartner has warned that IAM complexity itself is now a contributor to security risk, particularly in hybrid and large enterprises where recovery and exception workflows rely heavily on manual judgement [4].
This is why service desks, contact centres, and operational support functions increasingly appear in post-incident narratives, not because they failed, but because risk was forced there.
3. Confidence erodes, even when controls “work”
This is the most uncomfortable outcome.
Post-incident reviews increasingly show:
- procedures followed
- approvals granted correctly
- logs clean
- no obvious policy violations
And yet the wrong identity was confidently re-granted access. At that point, the question is no longer “did our controls work?” It becomes “can we stand behind the identity decision that was made?”
Gartner has observed that security leaders are now evaluated less on control maturity and more on their ability to demonstrate confidence in outcomes, particularly where identity and access are involved [5].
That shift turns identity failure into a leadership issue, not just a security one.
The real cost of doing nothing
Choosing not to address identity re-establishment is still a decision.
And its consequences are increasingly measurable.
IBM’s Cost of a Data Breach Report continues to show that breaches involving compromised credentials are among the most expensive, with longer detection times and higher overall impact [6].
But the most durable cost is not financial.
As Forbes Technology Council contributors have repeatedly noted, identity failures increasingly result in:
- erosion of executive credibility
- loss of board confidence
- stalled transformation programs
- sustained regulatory scrutiny
- and, in some cases, leadership change [7]
Systems recover. Brands take longer. Careers sometimes don’t. That is the magnitude of inaction.
Why training and “better process” won’t fix this
It’s tempting to frame this as a people problem.
- Train staff more.
- Refine scripts.
- Update procedures.
But even highly trained teams fail when systems ask them to decide without sufficient proof, under time pressure, at volume.
Humans operate sequentially; attackers operate at scale. No amount of awareness training changes that asymmetry.
NIST’s Zero Trust guidance makes this explicit: implicit trust, even when well intentioned, undermines assurance when it substitutes for verifiable identity proof [8].
The shift that actually works: proof over friction
The organisations getting ahead of this problem are not adding more steps.
They are changing what sits underneath identity decisions:
- moving away from knowledge-based recovery
- minimising repeated data collection under pressure
- embedding verifiable identity proof into operational workflows
- enabling identity to be re-proven, not re-assumed
The goal is not to slow people down; it is to increase confidence at speed.
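To make the difference between “re-assumed” and “re-proven” concrete, here is an added example (not code from the article or any vendor it cites). It contrasts knowledge-based recovery, where anyone who has learned the answers passes, with a possession proof bound to a fresh, single-use, time-limited challenge that only an enrolled authenticator can answer. Every decision records the basis it relied on, which is the question the closing section asks. The names (`alice`, `phone-1`), the recovery answers and the two-minute challenge lifetime are constructed for the example, and an HMAC over a per-device secret stands in for the signing key a real authenticator would hold.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CHALLENGE_TTL_SECONDS = 120  # assumption: a recovery challenge must be answered within two minutes


def knowledge_based_check(submitted: dict, on_file: dict) -> dict:
    """Knowledge-based recovery: grants access if the answers match what is on file.
    Anyone who has learned the answers (breach data, social media, an earlier call)
    passes, and the decision record cannot say *who* actually answered."""
    matched = all(
        submitted.get(q, "").strip().lower() == a.strip().lower() for q, a in on_file.items()
    )
    return {"granted": matched, "basis": "knowledge",
            "reason": "answers matched" if matched else "answers did not match"}


@dataclass
class Enrolment:
    user_id: str
    device_id: str
    device_key: bytes  # assumption: a secret held only by the user's enrolled authenticator


def device_sign(device_key: bytes, user_id: str, device_id: str, nonce: str) -> str:
    """What the enrolled authenticator computes. The message binds user, device and the
    server-issued nonce, so a captured proof is useless for another challenge or account."""
    msg = f"recovery-v1|{user_id}|{device_id}|{nonce}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


@dataclass
class RecoveryService:
    enrolments: dict                                  # (user_id, device_id) -> Enrolment
    pending: dict = field(default_factory=dict)       # nonce -> (user_id, device_id, issued_at)
    decisions: list = field(default_factory=list)     # audit trail of what each decision relied on

    def issue_challenge(self, user_id: str, device_id: str, now: float) -> str:
        if (user_id, device_id) not in self.enrolments:
            raise KeyError("no enrolled authenticator for this identity")
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (user_id, device_id, now)
        return nonce

    def verify_proof(self, user_id: str, device_id: str, nonce: str, proof: str, now: float) -> dict:
        record = self.pending.pop(nonce, None)  # single use: a replayed nonce is already gone
        if record is None:
            return self._decide(user_id, False, "unknown or already used challenge")
        bound_user, bound_device, issued_at = record
        if (bound_user, bound_device) != (user_id, device_id):
            return self._decide(user_id, False, "challenge was issued to a different identity")
        if now - issued_at > CHALLENGE_TTL_SECONDS:
            return self._decide(user_id, False, "challenge expired")
        key = self.enrolments[(user_id, device_id)].device_key
        expected = device_sign(key, user_id, device_id, nonce)
        if not hmac.compare_digest(expected, proof):
            return self._decide(user_id, False, "proof did not verify against enrolled authenticator")
        return self._decide(user_id, True, f"possession of enrolled device {device_id} proven")

    def _decide(self, user_id: str, granted: bool, reason: str) -> dict:
        decision = {"user_id": user_id, "granted": granted, "basis": "possession", "reason": reason}
        self.decisions.append(decision)
        return decision


def demo() -> dict:
    """Constructed scenario: an attacker has harvested the user's recovery answers and
    has also observed one earlier challenge/response exchange."""
    on_file = {"dob": "1984-03-09", "first_pet": "Biscuit"}
    harvested = dict(on_file)                       # learned from breach data, not from being alice
    kb_attacker = knowledge_based_check(harvested, on_file)

    key = secrets.token_bytes(32)
    svc = RecoveryService({("alice", "phone-1"): Enrolment("alice", "phone-1", key)})
    t0 = 1_700_000_000.0
    nonce = svc.issue_challenge("alice", "phone-1", t0)
    proof = device_sign(key, "alice", "phone-1", nonce)
    legit = svc.verify_proof("alice", "phone-1", nonce, proof, t0 + 5)
    replay = svc.verify_proof("alice", "phone-1", nonce, proof, t0 + 30)      # attacker replays it
    nonce2 = svc.issue_challenge("alice", "phone-1", t0 + 60)
    late_proof = device_sign(key, "alice", "phone-1", nonce2)
    stale = svc.verify_proof("alice", "phone-1", nonce2, late_proof, t0 + 60 + CHALLENGE_TTL_SECONDS + 1)
    nonce3 = svc.issue_challenge("alice", "phone-1", t0 + 90)
    forged = svc.verify_proof("alice", "phone-1", nonce3,
                              device_sign(b"guessed-key", "alice", "phone-1", nonce3), t0 + 95)
    return {"knowledge_attacker": kb_attacker, "possession_legit": legit,
            "possession_replay": replay, "possession_stale": stale, "possession_forged": forged}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: granted={outcome['granted']} ({outcome['basis']}: {outcome['reason']})")
```

The point of the contrast is in the decision records: the knowledge-based path grants the attacker access and can only say “answers matched”, while the possession path refuses the replayed, stale and forged proofs for stated reasons and, when it does grant, names the enrolled device it relied on. A support agent working from that record is not being asked to judge; they are reading a verifiable outcome.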
The question this leaves you with
If friction has become a liability in your identity environment, the question is no longer whether you need another control.
It is this: when identity must be re-established quickly, what proof do we actually rely on, and how confident are we in that decision?
If that question is uncomfortable, isn’t that the point?
References (APA)
[1] Verizon. (2025). 2025 Data Breach Investigations Report (DBIR). Verizon Business.
[2] Microsoft. (2024). Microsoft Digital Defense Report 2024. Microsoft Security.
[3] Mandiant. (2025). M-Trends 2025: Executive Edition. Google Cloud.
[4] Gartner. (2023). How IAM Complexity Increases Security Risk. Gartner Research.
[5] Gartner. (2024). Predicts 2024: Cybersecurity Leadership and Risk Management. Gartner Research.
[6] IBM Security. (2024). Cost of a Data Breach Report 2024. IBM.
[7] Forbes Technology Council. (2023–2025). Articles on identity failures, trust erosion, and executive accountability. Forbes.
[8] Rose, S., Borchert, O., Mitchell, S., & Connelly, S. (2020). Zero Trust Architecture (NIST SP 800-207). NIST.