An enterprise secures a budget for a major identity program. The board signs off, a respected platform gets selected, and a systems integrator gets hired. Eighteen months later, the program is behind schedule, over budget, and delivering a fraction of what was promised. I’ve seen this pattern repeat across dozens of organizations over twenty years, and the cause is almost never what the post-mortem says it was.
What failed was the relationship between the people doing the work and the people accountable for the outcome. Identity programs stall because the firms delivering them rotate off, hand off, or lose interest once the implementation contract closes. What’s left is an enterprise holding the bag on a half-finished program and a team rebuilding trust with consultants who don’t know the environment.
The Gap Nobody Talks About Honestly
Most IAM programs are sold with outsized commitments: risk reduction, productivity gains, stress-free audits. These promises get made to boards and steering committees, and they’re the reason the program gets funded.
Fewer than 20% of those stated objectives get realized. Executives change. Expectations get reset every year, almost always downward, to pass an audit or close gaps flagged by regulators. The larger business-value deliverables that justified the original investment quietly get rebaselined. By that point, the political capital is spent, the budget is consumed, and the results are thin.
The firm that sold the vision and selected the technology typically isn’t the firm operating it twelve months later. The consultants who understood the environment, the stakeholder map, and the integration decisions have moved to other engagements. A new team arrives and context is lost. Decisions get relitigated. The program stalls because continuity was never part of the delivery model.
We see this constantly at Simeio. We’ve been called in to salvage programs left behind by other suppliers, from business outages causing revenue loss, to audit failures that could have resulted in fines, to post-breach recovery where the previous provider was already gone. These situations are far more common than the industry admits.
What “Staying in the Engagement” Actually Means
Simeio was running identity programs before SailPoint and CyberArk existed as companies.
That history shaped how we work: if you advise on strategy, help select technology, implement it, and operate it in production, you’re accountable for whether the program delivers, not whether the deliverable shipped on time.
Most firms excel at one stage of the identity lifecycle. The handoff between stages is where programs die. Requirements get misinterpreted. Architecture decisions get second-guessed. Institutional knowledge evaporates. Each new firm restarts a learning curve the enterprise has already paid for.
When one team works with a client over multiple years toward stated outcomes, the program matures across three dimensions.
- Capability: Are we building what the enterprise needs on an ongoing basis, or did the project stop at first deployment?
- Adoption: Is the access certification workflow built for finance running across HR, legal, and procurement, or sitting idle because nobody drove it past the first use case?
- Effectiveness: Are the controls functioning as intended, and what needs to change as the business evolves?
Skip any one of those and the program stalls, regardless of how much was spent getting it live.
What’s Happening to the CISO Role Right Now
The CISO role has expanded dramatically while budgets haven’t kept pace. CISOs are being asked to own AI governance before the infrastructure exists. They’re accountable for identity, cloud security, data protection, and compliance across regulatory frameworks that keep multiplying.
What’s changed most recently is personal. According to Fastly, 93% of organizations have introduced policy changes in the past year to address rising CISO personal liability. The IANS CISO Compensation Benchmark Report found that more than half of CISOs in North America now receive D&O insurance as part of their compensation package, up from 40% the prior year. The Uber CISO conviction, the SEC’s action against SolarWinds, and the EU’s NIS2 directive changed the calculus. I know at least three CISOs in my immediate network who have recently stepped back from the role entirely. The personal risk has become overwhelming for some of the most experienced practitioners in the market.
When a CISO’s personal exposure is tied to whether the identity program delivers, who manages that program stops being a procurement question and becomes a personal one. You can’t hand the program to a firm that will rotate its team in nine months and leave you explaining the gap to your board.
What the NPS Score Actually Reflects
In 2023, Simeio’s Net Promoter Score was 25. In 2024, it was 39. In 2025, it reached 51. That’s a 26-point gain over two years, and in this market, client sentiment doesn’t move like that without something in the delivery genuinely changing.
We reorganized to put the client at the center of how we operate. We assigned dedicated resources so that continuity was built into the engagement, not left to chance. We moved toward having IAM specialists at every stage of the client relationship, from program management through implementation, so that the people working with clients were practitioners who understand identity deeply enough to act on what they’re hearing. We restructured contracts to tie compensation to business outcomes. If the objectives aren’t met, we don’t get paid. That eliminates the cost of failure clients have come to expect, where millions get spent and everyone gets paid regardless of whether the program delivers.
Clients had been telling us clearly: keeping the lights on isn’t enough. You have to constantly innovate and bring value. The numbers confirm the changes are landing. Programs are completing. Clients are renewing. Engagements aren’t stalling because the team that started the work is the same team running it. The score didn’t move because of a single initiative. It moved because every change we made reinforced the one before it.
Where This Lands
Identity is where the actual exposure lives. CISOs are carrying more personal risk around it than at any point in the discipline’s history. The partners that matter are the ones still there when the program gets complicated. Simeio has made that bet since before most of the market existed. The NPS movement suggests clients have noticed.

