The Signal

Five member companies in five different industries posted access-management decisions to the DoGood network in the last 30 days. None of them led with "IGA" or "PAM." They led with a deliverable: "I need to run an access review."

The environments differ. Five separate ERP instances at an automotive-service company. On-prem systems an M365 access review can't see at a public utility. A SoC2 type 2 audit at a law firm. On/off-boarding consolidation at a security firm. Lifecycle automation with RBAC at an IT services shop. The ask is the same.

That breadth is the actual signal. The category names IGA, PAM, IAM, access governance sound distinct on a vendor slide. On a member submission they collapse into one outcome: did the review cover everything it was supposed to.

The reframe for buyers: stop comparing IGA vendors against each other. Compare them against your environment map. Cloud, on-prem, every ERP instance, every AI agent in production. The vendor covering the smallest number of those is the wrong tool, no matter how long the feature list runs.

From the Network

"I'm looking to consolidate access of multiple apps in our company. Especially for off/on boarding employees."

— Director, IT and Network Systems, Business Services

"We are evaluating vendors for lifecycle management automation, rbac, access management etc."

— Director of IT, IT Services

"We are exploring a PAM solution. Would like to learn more about how they differ from their competitors."

— Director, Information Technology Audit, Education

Three different categories on a vendor slide. One operational ask underneath.

Top Open Priorities This Week

Two raw asks pulled directly from member submissions in the last 14 days, unedited:

"We are looking for a vendor to assist us in setting up a identity management solution that will help us achieve a SoC2 type 2 audit."

— Manager of Information Security, Law Firms & Legal Services

"Looking to see how I can modernize my customer-facing sign-in access and exploring passwordless technologies. Want to understand different security measures and deployment options with you."

— Director, Information Technology, Hospitals & Physicians Clinics

Workforce on one. Customer-facing on the other. Two perimeters, one operational shape: identity governance that has to clear an outside check. The SoC2 audit is the check on the workforce side. The user is the check on the customer side. The cloud-primary tool doesn't get either of them all the way there alone.

Powered by the DoGood network

The data in this issue came from priority submissions by 5,000+ enterprise IT leaders. If you run IT or security at a $100M+ company and want to see what your peers are funding — and earn rewards for participating in vetted meetings with the vendors worth your time — apply to join DoGood.

The Context

The headlines are catching up to what the network already knew.

Sophos published its inaugural State of Identity Security 2026 report on May 12. The headline number: 71% of 5,000 surveyed IT and cybersecurity leaders had at least one identity-related breach in the past 12 months. Three on average. Root causes split 43% human credential error and 41% weak non-human identity management. API keys in code, static credentials, orphaned service accounts. Two-thirds of the ransomware victims in the same survey said their ransomware incident started with an identity compromise. Average cleanup cost: $1.64 million per breach.

The Sophos sample size is the same order of magnitude as the DoGood network. The breach root causes Sophos identified map almost row-for-row onto the submissions in this week's Signal: humans hitting credential pitfalls in environments their primary access tool doesn't cover, and non-human identities (service accounts, AI agents, API keys) that nobody is reviewing.

Bottom Line: Sophos's root-cause split (43% human credential error, 41% weak non-human identity) lines up almost cleanly with the access-review gaps in this week's network priorities (workforce IGA across multi-ERP, on-prem and AI agent coverage). Same failure, opposite ends of the funnel. The breach reports show where the gap closes. The priority list shows where the gap opens. The category language in between is what is keeping them from connecting.

What to Do About It

Open a three-column sheet this week. Cloud (M365, Workspace, every SaaS in your inventory). On-prem (file shares, AD, hypervisor consoles, legacy ERPs). Non-human (service accounts, AI agents in production, API keys). One row per access-review cycle you ran in the last twelve months. The cells your current tooling cannot fill are your next audit finding's address.

Most of the access-review submissions in the DoGood network this month came from leaders who never typed "IGA" into a search bar. Check the keyword you would type, and where it would land you.

The CXO Brief is powered by the DoGood network, 5,000+ IT leaders sharing what they are actually working on.

Know a CIO who needs this? Forward it and they can subscribe here.

Enterprise IT leader at a $100M+ company? Apply to join DoGood.

Keep Reading

© 2026 The CXO Brief.
Report abusePrivacy policyTerms of use
beehiivPowered by beehiiv