A new report uncovered a significant disconnect between enterprise confidence in identity security and operational reality, according to identity technology providers FIDO Alliance and HID.

Of the 500 IT and cybersecurity decision-makers surveyed across the US, Canada, UK, France, and Germany, 94% said they could revoke employee access within 24 hours, yet 35% reportedly experienced delays or failures in the past two years.

The report, “The State of Physical and Digital Identity in the Enterprise,” also found that 70% experienced at least one identity-related security incident overall.

The results showed that governance is fragmented, with only 50% of enterprises having unified reporting ownership for physical and digital identity, and just 48% having consolidated budget control.

Finance is the most governance-fragmented sector, with 34% maintaining fully separate reporting structures despite stringent regulatory access-control obligations.

The report also found that complexity is growing, with 59% of enterprises reportedly managing three or more distinct credential and authentication systems, and 58% reporting that managing digital identity has become more complex over the past two years.

The public sector carries the highest incident rate of any industry, with 43% experiencing access revocation failures. It has a 20% manual credential revocation rate, more than double that of the IT/Technology sector.

Passkey adoption is a must to protect businesses, the report found, as 93% of organizations are at some stage of passkey adoption, and 65% report high or expert technical familiarity. Just 13% have deployed passkeys at scale, which may explain why organizations experience such high levels of security incidents.

“Identity security is no longer just an authentication challenge; it is an enterprise governance challenge. As organizations adopt passkeys, a unified approach to managing physical and digital identity becomes critical. This research shows that fragmented governance, disconnected systems, and limited visibility create real business risk,” said Sean Dyon, vice president of the Authentication Business Unit at HID.

The report found that the leading driver for moving to passwordless authentication is reducing phishing and credential-based breach risk (45%), followed by reducing IT costs from password resets and help desk load (44%).

“The story in this data isn’t about awareness, it’s about execution. Ninety-three percent of organizations are on the passkey journey. Still, only 13% have deployed at scale, and the security incident rates reflect that gap directly,” said Andrew Shikiar, executive director and CEO of the FIDO Alliance. “Phishing-resistant authentication only delivers its full protective value when deployment is comprehensive rather than selective – because threat actors don’t limit themselves to the parts of the organization that are already protected.”