For years, identity governance has been treated as a necessary interruption. Something teams pause to do. Quarterly reviews. Annual audits. Periodic cleanup.
That model no longer fits how modern systems operate.
New cross-customer data from ConductorOne shows a clear shift. Identity governance is becoming continuous, automated, and policy-driven by default. Humans are no longer the primary execution layer. Software is.
This post breaks down what identity governance looks like when automation does the work, and why this shift matters as organizations scale into the agentic era.
The old model cannot keep up
Modern environments move too fast for episodic governance. Applications are added continuously. Access changes daily. Non-human identities grow faster than headcount. AI agents and automation act across systems without waiting for tickets or approvals.
In this environment, identity governance that relies on periodic human effort breaks down quickly. The data shows organizations are responding by redesigning governance around automation, with humans focused on oversight rather than execution.
What the data shows when automation leads
Across anonymized, aggregated ConductorOne customer data from across 12 months, the same pattern appears across industries and company sizes.
At the median:
- ~98% of access requests were automated
- ~20 applications were integrated into identity governance workflows
- ~21,000 identities were actively governed per organization
- 90% of access review tasks were completed in under five days
These are not pilot programs or edge cases. These are production environments operating at scale. Automation is handling the overwhelming majority of routine access decisions. Humans define policy, review exceptions, and maintain control as systems act continuously.
Automation changes the role of humans
When automation does the work, the human role in identity governance shifts fundamentally.
Instead of approving every request or manually certifying access, teams focus on:
- Defining and refining access policy
- Reviewing exceptions and high-risk changes
- Maintaining oversight and audit confidence
This shift shows up clearly in the data. Organizations with deeper automation adoption complete access reviews faster, process higher access volumes, and maintain continuous audit readiness without increasing human workload.
Governance does not disappear. It becomes embedded.
Identity becomes the control plane
As automation increases, identity governance stops being a periodic compliance activity and becomes the control plane for how work happens. Three forces drive this shift.
More identities than ever before
Organizations now govern far more than employees.
Across the dataset, hundreds to thousands of service accounts were common. In AI-native environments, non-human identities sometimes made up 30 to 80 percent of total identities.
Identity growth is increasingly driven by software, not people.
Continuous access decisions
Access is no longer a one-time decision.
In 2025:
- Median organizations processed hundreds of access grants per year
- High-growth environments handled thousands to tens of thousands
- Some organizations completed over one million access review decisions in a single year
These volumes make manual, periodic governance impossible. Automation is not optional at this scale.
Lower tolerance for friction
As systems operate at machine speed, organizations are intentionally minimizing human bottlenecks. Teams that push decisions into policy and automation:
- Fulfill most access requests without human involvement
- Complete review campaigns in days, not weeks
- Keep governance out of the critical path for the business
Where additional human review is required for regulatory or risk reasons, automation still dramatically reduces effort through integrated provisioning, reminders, and enforcement.
What modern identity governance looks like in practice
When automation does the work, identity governance has a few defining characteristics.
It is:
- Always on, not episodic
- Policy-driven, not ticket-driven
- Integrated across SaaS, cloud, and infrastructure
- Scalable without proportional increases in headcount
Across industries and company sizes, organizations are already operating this way.
Small teams automate early to avoid bottlenecks. Mid-market organizations handle enterprise-level complexity with minimal overhead. Large enterprises automate the majority of workflows despite regulatory and legacy constraints.
Scale changes the shape of governance, not the outcome.
Why this matters now
The organizations represented in this data are already building for the agentic era. As AI agents and non-human identities act continuously, identity governance must operate at the same speed. Routine enforcement moves into automation. Humans provide judgment, oversight, and control.
This is what identity governance looks like when automation does the work. And it is quickly becoming the baseline, not the exception.
Read the full report
This blog captures the narrative shift. The full report goes deeper into the data.
In Identity Governance at the Inflection Point, you will find:
- Detailed cross-customer metrics and charts
- Industry and company-size breakdowns
- Trends across access grants, revocations, and reviews
- A clearer picture of what “normal” looks like for modern identity governance
Read the full report to learn more.
