The FIDO Alliance and HID, a global enabler of trusted identity solutions, released The State of Physical and Digital Identity in the Enterprise, a new research report examining how organizations manage physical and logical access across their workforces.

Surveying 500 IT and cybersecurity decision makers across the US, Canada, UK, France and Germany, the new study uncovered a significant disconnect between enterprise confidence in identity security and operational reality. While most organizations believe they can revoke all physical and digital access within 24 hours when an employee leaves, more than one-third report experiencing actual failures doing so, contributing to identity-related security incidents across the enterprise.

Key findings from the report include:

While confidence is high, so are security incidents

• 94% of organizations claim confidence that all physical and logical access can be revoked within 24 hours of an employee leaving.
• Yet 35% experienced delays or failures doing exactly that in the past two years — and 70% experienced at least one identity-related security incident overall.

Governance is fragmented

• Only 50% of enterprises have unified reporting ownership for physical and digital identity, and just 48% have consolidated budget control.
• Finance is the most governance-fragmented sector, with 34% operating fully separate reporting structures despite operating under stringent regulatory access-control obligations.

Complexity is growing, and enterprises manage three separate systems on average

• 59% of enterprises manage three or more distinct credential and authentication systems.
• 58% say managing digital identity has become more complex over the past two years.

The Public Sector carries the highest incident rate of any industry

• The sector has the highest identity security incident rate of any industry, with 43% experiencing access revocation failures.
• It has a 20% manual credential revocation rate, which is more than double the IT/Technology sector. 

The passkey adoption must scale to protect businesses

• 93% of organizations are at some stage of passkey adoption and 65% report high or expert technical familiarity.
• However, only 13% have deployed passkeys at scale, explaining why organizations experience such high levels of security incidents.

Phishing-resistant authentication is a top business priority

• The leading driver for moving to passwordless authentication is reducing phishing and credential-based breach risk (45%), followed by reducing IT costs from password resets and help desk load (44%).

“The story in this data isn’t about awareness, it’s about execution. Ninety-three percent of organizations are on the passkey journey, but only 13% have deployed at scale, and the security incident rates reflect that gap directly,” said Andrew Shikiar, executive director and CEO, FIDO Alliance. “Phishing-resistant authentication only delivers its full protective value when deployment is comprehensive rather than selective because threat actors don’t limit themselves to the parts of the organization that are already protected.”

Sean Dyon, vice president of the authentication business unit, HID, added, “Identity security is no longer just an authentication challenge; it is an enterprise governance challenge. As organizations adopt passkeys, a unified approach to managing physical and digital identity becomes critical. This research shows that fragmented governance, disconnected systems and limited visibility create real business risk. HID is closing that gap by bringing credentials, access rights and lifecycle management together to enable faster, more confident access decisions.”