Twenty-five years ago, when this company first started writing identity governance software, the problem was small. A few thousand employees. A handful of applications. A directory or two. Permission was something you granted; revocation was something you sometimes forgot. The category we now call IAM was an afterthought of HR systems and helpdesk tickets.
The 2026 numbers are from another planet. Flexera’s State of the Cloud Report shows 87% of enterprises on multi-cloud and 73% on hybrid architectures. Seventy-six percent of large enterprises spend more than $5 million a month on public cloud alone. [https://www.techtarget.com/searchcloudcomputing/feature/State-of-the-Cloud-report-shows-shift-from-cost-cutting-to-value]
What’s interesting isn’t just the scale. It’s that wasted cloud spend has risen to 29%, reversing years of FinOps progress. The reason? The underlying attack surface has shifted faster than governance practices.
Three quiet forces are colliding. First, identity has become the perimeter – not just for security teams, but for finance leaders tracking opaque bills. Google’s H1 2026 Cloud Threat Horizons Report attributes 83% of cloud breaches to identity issues. Second, non-human identities now outnumber humans by 50:1 in most enterprises (Orca Security, 2025), with 52% holding critical excessive permissions (Tenable, 2026). Third, AI agents are acting with their own credentials, on their own schedules.
For boards and executive teams, the implication is clear: governance built for human users – quarterly reviews, RACI matrices, IAM tickets – won’t scale to a world where most “users” are software, most spend is untracked, and most risk is structural.
The cloud era is no longer about migration. It’s about governance – of identity, access, cost, and consequence. Organizations that grasp these colliding forces won’t spend this decade explaining breach disclosures or 29% budget overruns to their boards.
