The Identity Crisis CISOs Can No Longer Ignore
Posted: Wednesday, Nov 05

From Nam Lam

As 2026 budgeting ramps up, CISOs are under renewed pressure to cut costs without compromising security. Boards are demanding measurable ROI, while digital transformation efforts, increasingly driven by AI, continue to accelerate. Yet one critical area remains overlooked. Identity security is too often seen as a technical layer, rather than what it truly is: the foundation of modern cybersecurity and a strategic business asset.

In the current enterprise environment, where risk, compliance and productivity are tightly linked, weak identity governance poses a serious threat. High-profile breaches, such as the attack linked to the ‘Scattered LAPSUS$ Hunters’ group, have shown how quickly unmanaged access can spiral into reputational and financial damage. Despite this, investment in identity controls still lags behind, often unlocked only in the wake of a breach.

This reactive model is not sustainable. As threats and expectations rise, the costs of inaction are high. Identity gaps slow down cloud projects, complicate mergers, stall innovation and leave doors open to attackers. One misstep is enough to lose a customer or the board’s confidence.

For forward-looking CISOs, identity represents a critical opportunity, not only to strengthen security but to streamline operations, boost workforce productivity and demonstrate clear business value.

A Widening Gap Between Access and Accountability

Fueling this urgency is the national push towards AI adoption. In August, the Australian Government outlined plans to lift productivity by accelerating the use of AI and data-led innovation. While the ambition is commendable, it also introduces fresh layers of risk. As organisations integrate more systems, onboard more users and expand their use of AI, the challenge of managing access grows exponentially — and so too does the potential for exposure.

This complexity is already playing out in real time. Organisations are facing a surge in non-human identities, from bots to service accounts and AI agents. In many environments, machine identities now outnumber human ones. Further, our recent agentic AI research found that 72% of security professionals believe AI agents are riskier than machine identities. These agents have already triggered real-world incidents: 80% of organisations report that AI agents have taken unintended actions, including unauthorised access to systems (39%) and sharing of sensitive data (33%). Alarmingly, nearly one in four say AI agents have been tricked into revealing access credentials. But the tools to manage them have not kept pace, with only 44% of organisations having governance policies in place to manage these agents. To mitigate risks and threats from agentic AI, identity governance must be designed for real-time autonomy. Organisations need to shift from periodic, human-centric controls to identity-centric security and governance strategies that are continuous, dynamic, and context-aware.

The Business Case for Identity Security Is Stronger Than Ever

Identity remains one of the few security domains that can deliver measurable business benefits. Automating identity processes can dramatically reduce the time it takes to onboard employees, especially in high-turnover industries like healthcare, education and financial services. When users are productive from day one, the organisation gains a competitive edge.

Centralising identity governance also supports audit readiness and compliance. In highly regulated sectors such as banking and government, this can be the difference between passing or failing an external review. At a time when regulators are sharpening their focus on data protection and access control, this visibility is non-negotiable.

Consolidation is another key benefit. Many organisations are managing access through a patchwork of legacy tools and siloed teams. By consolidating identity functions and tools, CISOs can reduce licensing costs, simplify operations and enhance their negotiating power with vendors. This aligns with broader enterprise goals around efficiency, cost control and risk reduction.

What CISOs Should Do Next

To close the identity gap, CISOs must act now. The first step is to reframe identity security in the language of the business. Our 2025 Horizons of Identity Security report found only 25 percent of organisations position identity and access-based controls as a strategic business enabler. That needs to change. Identity should be viewed as a driver of resilience, productivity and compliance, not simply a backend IT task.

When reframed, the data is there to back it up. Our report also found that identity security delivers the highest ROI of any security investment, consistently outpacing endpoint, network and compliance tools. Enterprises that treat identity as a strategic enabler report ROI multiples of up to 10x, reducing risk, driving revenue and enabling safe AI adoption.

Next, simplify and consolidate. Fewer tools, clearer ownership and streamlined processes make identity governance not only more efficient but more effective. Consolidation can also help demonstrate cost savings, a critical factor in budget discussions.

Finally, CISOs must prepare for the rise of machines and AI-driven access. This means treating non-human identities with the same level of scrutiny and control as human users. Without this, enterprises risk losing visibility and control as their attack surface expands.

The Bottom Line

In a world where every system, application and user is digitally connected, identity security is not a secondary concern — it is central to effective cybersecurity. For CISOs making their case in 2026 and beyond, the takeaway is simple: treating identity security as an expense misses the point. It’s a long-term investment in keeping the business stable, resilient, and trusted.

Nam Lam
Nam Lam, Country Manager, Australia and New Zealand, SailPoint. Nam Lam is the regional leader for Australia & New Zealand, responsible for go-to-market activities and ensuring successful outcomes with customers. Since joining SailPoint in 2017, Nam has had firsthand experience working with customers across Financial Services, Telecommunications, Education, Government, Retail and Utilities as an Account Executive before being promoted to management. With over 18 years of IT & IT security industry experience, Nam is passionate about bringing positive change through providing a superior customer experience at all interactions. Nam earned a scholarship at Swinburne University with a bachelor of IT in 2003. He currently lives in Melbourne with his wife and two children and enjoys staying fit, while keeping a keen eye on real estate.