The Identity Maturity Model: Where Does Your Organization Actually Stand 2026
Every enterprise identity program sits at one of five maturity stages — from manual and reactive at Stage 1 to autonomous and AI-augmented at Stage 5. The 2026 enterprise reference on the five-stage model, the self-assessment criteria that locate where you stand, and the operational moves that get you to the next stage.

- Five stages define the identity maturity ladder in 2026: Stage 1 Manual/Reactive (no IGA tooling, ticket-driven access, no recertification), Stage 2 Tooled but Inconsistent (some IGA in production but operations still reactive), Stage 3 Workflow-Driven (joiner-mover-leaver automated, periodic recertification), Stage 4 Risk-Driven (continuous evaluation, event-triggered certification, ISPM in play), Stage 5 Autonomous (AI-augmented certification, agentic identity supported, continuous posture).
- The most common location for mid-market and enterprise organizations in 2026 is Stage 2 — IGA tooling exists, but workflows are inconsistent, certifications are partial, and most lifecycle automation hasn't been built yet.
- The highest-value transition for most organizations is Stage 2 → Stage 3 — the operational gap from 'we have tools' to 'workflows are actually automated' produces dramatic ROI (90% help desk reduction on routine requests, 60-80% lifecycle automation, audit readiness without scramble).
- Stage 5 is currently aspirational for nearly all organizations — agentic identity and autonomous certification are emerging 2026 patterns, not deployed operational reality at scale. The strategic question is which Stage 4 patterns to adopt now and which to wait on.
- Ten self-assessment questions locate any organization on the ladder. The answers map to a current stage and to the specific operational moves that advance the program — not the vague advice consultants tend toward but the concrete next steps the program owner can prioritize.
Every enterprise identity program sits somewhere on a maturity ladder. The location matters more than most strategic plans acknowledge — the right next move depends entirely on where you actually are, not where you want to be. A Stage 2 organization investing in Stage 5 capabilities (AI-augmented certification, agentic identity, autonomous posture) before building the Stage 3 foundations (workflow automation, lifecycle discipline, recertification cadence) tends to produce expensive deployments that don't operationally deliver. A Stage 4 organization that continues to operate as if it were at Stage 2 tends to under-utilize tools it has already paid for. The location question is strategic; the answer drives the operational roadmap.
This piece is the 2026 enterprise reference on the identity maturity model — the five stages defined operationally, the self-assessment criteria that locate any organization on the ladder, the most common transition (Stage 2 to Stage 3, where most of the business value lives), and the specific moves that advance each stage. The companion pieces cover the architectural layers each stage composes. The Best IGA Solutions buyer guide covers the IGA platforms that anchor Stages 2 through 5. The HRIS-Driven Lifecycle piece covers the lifecycle automation that defines Stage 3. The ISPM piece and ITDR piece cover the risk-driven layers of Stage 4. The AI Access Certification piece covers the Stage 5 automation frontier. The Avatier posts on 8 Factors Successful Identity Management RFPs Always Have and Common Mistakes When Hiring an Identity Management Vendor cover the procurement-side framing that pairs with this model.
Five stages, one ladder. The strategic question isn't which stage to aspire to — it's which stage you're actually at right now. The right next move depends on the honest answer.
The five stages, defined operationally
Each stage has concrete operational markers — not aspirational descriptions but observable facts about how the program currently runs. The stage definition is what the program does today, not what the slide deck says it does.
| Marker | Stage 1: Manual/Reactive | Stage 2: Tooled but Inconsistent | Stage 3: Workflow-Driven | Stage 4: Risk-Driven | Stage 5: Autonomous |
|---|---|---|---|---|---|
| Joiner provisioning | Manual tickets | Some automation; mostly tickets | Automated from HRIS | Automated + risk-evaluated | AI-recommended + agentic |
| Mover handling | Manual; entitlements accumulate | Inconsistent; partial cleanup | Automated entitlement diff | Risk-weighted approval | Autonomous with audit |
| Leaver deprovisioning | Manual; days/weeks delay | Hours/days delay | Same-day automated | Real-time triggered | Pre-emptive on signal |
| Certification cadence | None or annual rubber-stamp | Quarterly partial campaigns | Quarterly full campaigns | Event-triggered + cyclical | Continuous + AI-augmented |
| Catalog completeness | Partial / unmaintained | 50-70% coverage | 80-95% coverage | Near-complete + dynamic | Self-maintaining |
| Audit readiness | Scramble per audit cycle | Partial readiness | Routine | Continuous | Auditor-self-service |
| Posture management | None | Ad-hoc | Periodic audits | ISPM continuous | ISPM + autonomous remediation |
| Threat detection at identity layer | None | Alerts only | Behavioral baselines | ITDR + adaptive auth | ITDR + agentic response |
| Help desk volume for routine access | High | Moderate-high | Low (60-90% reduction) | Very low | Near-zero |
| MFA coverage | Partial | Most users | Universal phishing-resistant | + adaptive policy | + continuous + agentic |
Stage 1 — Manual/Reactive. No IGA tooling beyond basic directory services. Access requests are tickets. Provisioning is manual. Recertification, if it exists, is an annual rubber-stamp. The IAM team operates in firefighting mode. Audit cycles are scrambles. Help desk volume on routine access work is high. Stage 1 organizations exist in the 2026 enterprise landscape but are increasingly rare at scale — regulatory pressure and the operational cost of the manual baseline have pushed most organizations off Stage 1.
Stage 2 — Tooled but Inconsistent. IGA tooling is deployed (Microsoft Entra ID Governance, SailPoint, Saviynt, Omada, Avatier Identity Anywhere Lifecycle Management, others). The tooling exists in production. But the operational reality lags. Workflows are inconsistent — some target systems have automated lifecycle, most don't. Certification campaigns happen but cover only the easy entitlements. The catalog has gaps. Most access changes still happen through ticket-driven manual provisioning despite the tool's capabilities. This is the most common location for mid-market and enterprise organizations in 2026 — the place where the gap between "we have the platform" and "the platform is operationally mature" lives.
Stage 3 — Workflow-Driven. The IGA platform actually runs the workflows it was deployed for. Joiner-mover-leaver is automated end-to-end across the major target systems. Certification campaigns complete on schedule and produce actionable findings. The catalog is largely complete and stays current. Help desk volume on routine access requests has dropped substantially — 60-90% reduction is the typical pattern. Audit cycles are routine rather than scrambles. The IAM team's time is shifting from operational firefighting toward architectural improvement.
Stage 4 — Risk-Driven. Beyond workflow automation, the program now evaluates risk continuously. Entitlement evaluation isn't just periodic — it's triggered by HRIS events, behavioral signals, ITDR alerts. ISPM (Identity Security Posture Management) is running continuously between certification cycles, surfacing findings the campaign cycle would miss. Adaptive authentication is composing with continuous authentication for high-risk segments. Help desk volume is very low. The audit position is continuous rather than periodic. The IAM team is focused on policy refinement and emerging-pattern integration.
Stage 5 — Autonomous. AI-augmented certification (the AI Access Certification piece covers this) is deployed and producing 3-week-to-3-day campaign compression. Agentic identity is supported with full delegation chain integrity (the Agentic Authentication piece on ICC covers this). Continuous posture management produces self-remediating findings for routine drift. The IAM program operates with minimal manual intervention on routine work; human attention is reserved for high-stakes architectural decisions and emerging-pattern adoption. Stage 5 is currently aspirational for nearly all organizations — full Stage 5 maturity is emerging 2026 territory rather than deployed operational reality.
The ten self-assessment questions
The strategic question isn't which stage to aspire to. It's which stage you're actually at. These ten questions locate any organization on the ladder honestly — not by what the strategic plan says but by what the program does today.
1. When a new employee joins, how long does it take from their start date until they have all required access? Stage 1: days to weeks. Stage 2: 1-3 days. Stage 3: same-day or pre-start. Stage 4: pre-start with risk evaluation. Stage 5: AI-recommended pre-start with full audit trail.
2. When an employee changes role, are their prior-role entitlements removed? Stage 1: rarely. Stage 2: partially, manually. Stage 3: automatically via mover workflow. Stage 4: automatically with risk-weighted approval. Stage 5: autonomously with auditable decision trail.
3. When an employee leaves, how long until their access is fully removed? Stage 1: days to weeks (sometimes months for partial-system access). Stage 2: hours to days. Stage 3: same-day across all systems. Stage 4: real-time triggered on HRIS event. Stage 5: pre-emptive on resignation signal where available.
4. How often do certification campaigns run, and what percentage of entitlements do they cover? Stage 1: annually or never; partial coverage. Stage 2: quarterly; partial coverage of easy entitlements. Stage 3: quarterly; full coverage. Stage 4: event-triggered + cyclical. Stage 5: continuous + AI-augmented.
5. When an auditor asks "who has access to system X right now," how quickly can you answer? Stage 1: days. Stage 2: hours. Stage 3: minutes. Stage 4: real-time. Stage 5: auditor self-service.
6. What percentage of your help desk tickets are routine access requests (password reset, group membership, application access)? Stage 1: 40-60%. Stage 2: 25-40%. Stage 3: 5-15%. Stage 4: under 5%. Stage 5: near zero.
7. Do you have an authoritative catalog of every service account and non-human identity in your environment? Stage 1: no. Stage 2: partial. Stage 3: yes for service accounts. Stage 4: yes for service accounts + machine identities. Stage 5: yes including AI agents.
8. When a privileged account is no longer needed, what process removes it? Stage 1: someone notices eventually. Stage 2: periodic cleanup attempts. Stage 3: lifecycle automation. Stage 4: lifecycle + ISPM posture audit. Stage 5: autonomous remediation.
9. If an attacker compromised a user's session right now, how would you detect it? Stage 1: no detection. Stage 2: log review after the fact. Stage 3: alerting on known patterns. Stage 4: behavioral analytics + ITDR. Stage 5: ITDR + agentic response.
10. How is your MFA deployed? Stage 1: partial, weak factor. Stage 2: most users, mixed factors. Stage 3: universal phishing-resistant. Stage 4: phishing-resistant + adaptive policy. Stage 5: phishing-resistant + adaptive + continuous + agentic.
The answers don't have to be uniform — most organizations show a mix across the ten questions, with some areas more mature than others. The overall stage is roughly the median of the answers, with the lowest answers identifying the operational gaps that should drive the next moves.
Self-assessment maps to operational roadmap. The shape of the gap between current state and target state is the program's next-year work plan.
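The scoring rule above (overall stage is roughly the median answer; the lowest answers are the gaps) is simple enough to encode. The following is an added example, not code from the article or from any IGA vendor: the question labels, the sample answer set and the choice to round a half-stage median down (so a program is never credited with a stage it has only half reached) are this example's own assumptions.

```python
"""Locate an identity program on the five-stage ladder from its ten
self-assessment answers.  Added example, not part of the original article:
question labels, sample answers and the floor-the-median rule are assumptions."""
from statistics import median
from typing import Dict, List, Tuple

# Short labels for the ten self-assessment questions, in the article's order.
QUESTIONS: Dict[int, str] = {
    1: "joiner time-to-access",
    2: "mover entitlement removal",
    3: "leaver time-to-removal",
    4: "certification cadence and coverage",
    5: "who-has-access answer time",
    6: "routine-access share of help desk tickets",
    7: "non-human identity catalog",
    8: "privileged account removal process",
    9: "session compromise detection",
    10: "MFA deployment",
}

STAGE_NAMES: Dict[int, str] = {
    1: "Manual/Reactive",
    2: "Tooled but Inconsistent",
    3: "Workflow-Driven",
    4: "Risk-Driven",
    5: "Autonomous",
}


def locate_stage(answers: Dict[int, int]) -> int:
    """Overall stage = median of the per-question answers, rounded down
    (assumption: a half-stage median counts as the lower stage)."""
    if set(answers) != set(QUESTIONS):
        missing = sorted(set(QUESTIONS) - set(answers))
        raise ValueError(f"answers missing for questions {missing}")
    for q, s in answers.items():
        if s not in STAGE_NAMES:
            raise ValueError(f"question {q}: stage must be 1-5, got {s}")
    return int(median(answers.values()))


def operational_gaps(answers: Dict[int, int], overall: int) -> List[Tuple[int, str, int]]:
    """Questions answered below the overall stage, lowest first.
    These are the areas that should drive the next moves."""
    gaps = [(q, QUESTIONS[q], s) for q, s in answers.items() if s < overall]
    return sorted(gaps, key=lambda g: (g[2], g[0]))


def assess(answers: Dict[int, int]) -> dict:
    """Return the located stage, its name, the next target and the gap list."""
    overall = locate_stage(answers)
    return {
        "stage": overall,
        "name": STAGE_NAMES[overall],
        "next_stage": min(overall + 1, 5),
        "gaps": operational_gaps(answers, overall),
    }


# Constructed sample answers for a typical "tooling exists, workflows don't" program.
SAMPLE_ANSWERS: Dict[int, int] = {1: 2, 2: 2, 3: 2, 4: 2, 5: 3, 6: 2, 7: 1, 8: 1, 9: 2, 10: 3}

if __name__ == "__main__":
    result = assess(SAMPLE_ANSWERS)
    print(f"Stage {result['stage']} ({result['name']}); next target: Stage {result['next_stage']}")
    for q, label, s in result["gaps"]:
        print(f"  gap: Q{q} ({label}) is at Stage {s}")
```

With the sample answers the program lands at Stage 2 and the two Stage 1 answers (the non-human identity catalog and privileged-account removal) surface as the gaps to address before, or alongside, the Stage 2 → 3 workflow work.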
The Stage 2 → Stage 3 transition: where the business value concentrates
The highest-leverage move for most organizations in 2026 is Stage 2 → Stage 3. The transition is the difference between "we have an IGA platform" and "the IGA platform actually runs the workflows it was deployed for." The business value is concrete and measurable.
Help desk reduction. When lifecycle automation is genuinely operational across major target systems, the help desk stops fielding routine access requests. The 60-90% reduction range cited above is the typical pattern in deployments that fully execute the transition. The arithmetic is straightforward — if 30% of help desk tickets are routine access work, and 80% of those can be automated, the help desk's queue drops by 24% overall.
Audit position improvement. Stage 2 organizations scramble in the weeks before each audit cycle, assembling evidence that the entitlement state matches the policy. Stage 3 organizations have the evidence continuously available because the workflow automation produces it as a byproduct. Auditor questions get answered in minutes rather than days. Audit findings drop because the underlying state is more disciplined.
Onboarding compression. Stage 2 organizations onboard new hires with manual lag — accounts created over days, access requested as needs surface, productivity ramp delayed by access friction. Stage 3 organizations provision new hires from the HRIS event automatically (the HRIS-Driven Lifecycle piece covers the integration pattern), often pre-start. The new hire is productive from day one rather than waiting on the IAM backlog.
IAM team capacity recovery. Stage 2 IAM teams spend most of their time on operational firefighting — manual provisioning, ticket triage, ad-hoc requests. Stage 3 IAM teams have the operational baseline running and can focus on architectural improvement, policy refinement, and emerging-pattern integration. The capacity shift is what enables progression to Stage 4 — without it, Stage 4 deployments stall because the team is still consumed by Stage 2 work.
The investment required to make the transition is meaningful — schema mapping discipline (the HRIS-Driven Lifecycle piece covers this layer in detail), HRIS integration, target-system connector deployment, workflow definition, certification process design, change management for the new operational pattern. But the operational baseline that emerges is what makes Stages 4 and 5 even reachable. Skipping the Stage 2 → 3 transition and trying to leapfrog to Stage 4 capabilities almost always produces deployments that look advanced on paper but don't deliver operationally.
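The operational core of the Stage 2 → 3 transition is that an HRIS event, not a ticket, drives the entitlement change: a joiner gets the role's entitlements, a mover gets the diff between old and new role (so prior-role access stops accumulating), and a leaver is revoked everywhere the same day, with the evidence for question 5 ("who has access to system X right now") produced as a byproduct. The following is an added example, not code from the article or from any IGA platform; the role-to-entitlement model, the `system:group` entitlement naming, the event shape and the sample events are constructed for illustration.

```python
"""Joiner-mover-leaver reconciliation driven by HRIS events.  Added example,
not the article's or any vendor's code: role model, entitlement naming,
event format and sample events are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed role model: entitlements are "system:group" strings.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "finance-analyst": {"erp:gl-read", "erp:ap-read", "bi:finance-dash"},
    "finance-manager": {"erp:gl-read", "erp:ap-approve", "erp:gl-post", "bi:finance-dash"},
    "sales-rep": {"crm:accounts-rw", "bi:sales-dash"},
}


@dataclass
class HrisEvent:
    kind: str                   # "joiner" | "mover" | "leaver"
    user: str
    role: Optional[str] = None  # target role for joiner/mover; None for leaver


@dataclass
class IdentityStore:
    grants: Dict[str, Set[str]] = field(default_factory=dict)        # user -> current entitlements
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)  # (event, user, action, entitlement)

    def apply(self, ev: HrisEvent) -> Tuple[Set[str], Set[str]]:
        """Compute the entitlement diff for one event, apply it, and
        record every grant/revoke.  Returns (granted, revoked)."""
        current = self.grants.get(ev.user, set())
        if ev.kind == "leaver":
            target: Set[str] = set()                 # everything goes, same day
        elif ev.kind in ("joiner", "mover"):
            if ev.role not in ROLE_ENTITLEMENTS:
                raise ValueError(f"unknown role {ev.role!r} for {ev.user}")
            target = ROLE_ENTITLEMENTS[ev.role]
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")

        to_grant = target - current
        to_revoke = current - target                  # prior-role access does not accumulate
        for ent in sorted(to_grant):
            self.audit.append((ev.kind, ev.user, "grant", ent))
        for ent in sorted(to_revoke):
            self.audit.append((ev.kind, ev.user, "revoke", ent))
        self.grants[ev.user] = set(target)
        return to_grant, to_revoke

    def who_has_access(self, system: str) -> Set[str]:
        """Answer the auditor's question from current state, not from a scramble."""
        return {
            user for user, ents in self.grants.items()
            if any(ent.split(":", 1)[0] == system for ent in ents)
        }


def run_sample() -> Tuple[IdentityStore, List[Tuple[Set[str], Set[str]]]]:
    """Constructed event sequence: alice joins, is promoted, then leaves."""
    store = IdentityStore()
    events = [
        HrisEvent("joiner", "alice", "finance-analyst"),
        HrisEvent("mover", "alice", "finance-manager"),
        HrisEvent("leaver", "alice"),
    ]
    return store, [store.apply(ev) for ev in events]


if __name__ == "__main__":
    store, diffs = run_sample()
    for (granted, revoked) in diffs:
        print(f"+{sorted(granted)}  -{sorted(revoked)}")
    print("erp access now:", store.who_has_access("erp"))
```

The mover step is the one Stage 2 programs most often get wrong: it revokes `erp:ap-read`, which the new role does not carry, while leaving the shared entitlements untouched, and the audit list shows exactly which event caused each change.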
Stage 3 → Stage 4: composing risk into the workflow
The Stage 3 → 4 transition adds continuous risk evaluation to the workflow foundation. The IGA platform that runs joiner-mover-leaver automatically now composes with the ISPM layer that continuously evaluates posture, the ITDR layer that watches for active threats, and the adaptive + continuous authentication layers that compose risk into the authentication flow.
The architectural test for Stage 4 readiness is whether the operational baseline from Stage 3 is genuinely stable. Stage 4 capabilities deployed on an unstable Stage 3 baseline produce false positives, alert fatigue, and architectural complexity the team can't sustainably operate. The mature Stage 3 baseline — where lifecycle is automated, certifications run cleanly, the catalog is current — is the foundation Stage 4 layers on.
The most common Stage 3 → 4 entry points are ISPM (the ISPM piece covers this layer) and ITDR (the ITDR piece covers this layer). Both compose naturally with existing IGA platforms and produce visible operational improvement without requiring fundamental architectural change. Adaptive authentication and continuous authentication for high-risk segments (covered in the corresponding pieces on ICC) typically follow.
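What the ISPM layer adds to a stable Stage 3 baseline is a posture check that runs between campaigns and feeds event-triggered certification rather than waiting for the quarterly cycle. The following is an added example, not code from the article or from any ISPM product; the inventory schema, the three policy rules (unowned service accounts, dormant privileged accounts, non-phishing-resistant MFA on user accounts), the 45-day dormancy threshold and the sample accounts are all constructed assumptions. It goes slightly beyond the text by showing how high-severity findings become the target list for a micro-certification.

```python
"""Continuous posture evaluation between certification cycles (the Stage 4
ISPM layer).  Added example, not the article's or any product's code:
schema, policy rules, thresholds and sample accounts are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

@dataclass
class Account:
    name: str
    kind: str                   # "user" | "service"
    privileged: bool
    owner: Optional[str]        # accountable owner; None = unowned
    mfa: Optional[str]          # None, "otp", "fido2"
    last_login: Optional[date]  # None = never seen

# Constructed policy: what "configured the way policy says" means here.
DORMANT_AFTER = timedelta(days=45)
PHISHING_RESISTANT: Set[str] = {"fido2"}


def _finding(acct: Account, rule: str, severity: str) -> Dict[str, str]:
    return {"account": acct.name, "rule": rule, "severity": severity}


def evaluate_posture(accounts: List[Account], today: date) -> List[Dict[str, str]]:
    """Apply each posture rule to the inventory and return the drift findings."""
    findings: List[Dict[str, str]] = []
    for a in accounts:
        # Rule 1: every service account needs an accountable owner (question 7).
        if a.kind == "service" and a.owner is None:
            findings.append(_finding(a, "unowned-service-account", "high" if a.privileged else "medium"))
        # Rule 2: privileged access that is not being used should not exist (question 8).
        dormant = a.last_login is None or (today - a.last_login) > DORMANT_AFTER
        if a.privileged and dormant:
            findings.append(_finding(a, "dormant-privileged-account", "high"))
        # Rule 3: user accounts must be on phishing-resistant MFA (question 10).
        if a.kind == "user" and a.mfa not in PHISHING_RESISTANT:
            findings.append(_finding(a, "non-phishing-resistant-mfa", "high" if a.privileged else "medium"))
    return findings


def certification_targets(findings: List[Dict[str, str]]) -> Set[str]:
    """High-severity drift triggers an event-driven micro-certification for
    that account instead of waiting for the next cyclical campaign."""
    return {f["account"] for f in findings if f["severity"] == "high"}


# Constructed sample inventory.
TODAY = date(2026, 3, 1)
SAMPLE_ACCOUNTS: List[Account] = [
    Account("alice", "user", True, "alice", "fido2", TODAY - timedelta(days=2)),
    Account("bob", "user", False, "bob", "otp", TODAY - timedelta(days=10)),
    Account("svc-backup", "service", True, None, None, TODAY - timedelta(days=90)),
    Account("svc-etl", "service", False, "data-team", None, TODAY - timedelta(days=1)),
    Account("carol", "user", True, "carol", None, None),
]

if __name__ == "__main__":
    found = evaluate_posture(SAMPLE_ACCOUNTS, TODAY)
    for f in found:
        print(f"{f['severity']:6} {f['account']:12} {f['rule']}")
    print("micro-certification targets:", sorted(certification_targets(found)))
```

On the sample inventory `alice` is clean, `bob` gets a medium finding for OTP-only MFA, `svc-backup` is both unowned and dormant, and `carol` is a privileged user who has never signed in and has no MFA; only the last two become certification targets, which keeps the event-triggered stream focused on what matters.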
Stage 4 → Stage 5: the emerging frontier
Stage 5 — Autonomous — is currently aspirational for nearly all organizations. Full Stage 5 maturity requires four capabilities that are individually deployable but not yet composable into full autonomous operation: AI-augmented certification (deployable per the AI Access Certification piece), continuous autonomous posture remediation (emerging — most ISPM platforms surface findings but don't yet autonomously remediate at scale), agentic identity support with full delegation integrity (emerging — the Agentic Authentication piece on ICC covers this territory), and continuous AI-monitored behavioral threat detection (deployable but still operationally early).
The pragmatic 2026 path is to evaluate Stage 5 capabilities individually. AI-augmented certification produces immediate ROI for any organization at Stage 3 or higher — the operational pattern is mature and the time-savings are real. ISPM with autonomous remediation for routine drift is becoming operationally viable in 2026. Agentic identity support is operationally early for most enterprise environments but warrants architectural readiness work even where deployment is premature. The strategic question is which Stage 5 capabilities are ready for deployment now versus which to wait on.
The realistic 2026 target for most enterprise programs is Stage 4 with select Stage 5 capabilities — operationally mature continuous risk evaluation, AI-augmented certification deployed, agentic identity readiness in place but not yet load-bearing. Full Stage 5 maturity will be 2027-2028 territory for early adopters and 2029+ for the broader market.
The 2026 reference path
Locate yourself honestly using the ten self-assessment questions. The median answer is roughly your current stage; the lowest answers identify your operational gaps.
Plan the next-stage transition deliberately. For most 2026 organizations, that's Stage 2 → Stage 3 — the highest-leverage move available. The investment required is meaningful but the business value is concrete: help desk reduction, audit position improvement, onboarding compression, IAM team capacity recovery.
Don't leapfrog. Stage 4 and Stage 5 capabilities deployed on an unstable Stage 3 baseline produce deployments that look advanced but don't deliver operationally. The baseline matters more than the frontier.
Compose deliberately when reaching Stage 4. The ISPM piece and ITDR piece cover the highest-leverage Stage 4 entry points. Adaptive authentication and continuous authentication for high-risk workforces follow. Each composes with existing IGA without requiring fundamental architectural change.
Evaluate Stage 5 capabilities individually. AI-augmented certification is the highest-value Stage 5 capability ready for deployment in 2026 for organizations at Stage 3 or higher. The AI Access Certification piece covers the operational pattern. Agentic identity support warrants architectural readiness work even where deployment is premature.
Pair the maturity model with procurement-side discipline. The Avatier posts on 8 Factors Successful Identity Management RFPs Always Have and Common Mistakes When Hiring an Identity Management Vendor cover the vendor-evaluation framing that complements the maturity-model framing in this piece.
The identity maturity model isn't about aspiration. It's about honest location and deliberate progression. The right next move is always knowable once you've answered the location question honestly — and the location answer drives the program for the next 12 to 18 months.