The FIDO Alliance and HID have released new research showing a widening gap between enterprise confidence in identity security and day‑to‑day operational performance. The State of Physical and Digital Identity in the Enterprise report surveyed 500 IT and cybersecurity decision makers across the U.S., Canada, the UK, France and Germany.
Most organizations believe they can revoke all physical and digital access within 24 hours when an employee leaves. In fact, 94 percent expressed confidence in that ability. But more than 170 respondents said they had experienced delays or failures doing so in the past two years. At least one identity‑related security incident overall was reported by 70 percent of respondents.
The study found that governance remains split between physical and digital identity teams. Only half of enterprises have unified reporting lines, while 48 percent have consolidated budget ownership. Finance is the most fragmented sector, with 34 percent operating fully separate reporting structures despite strict regulatory requirements.
Identity complexity is also rising, as 59 percent of organizations now manage three or more credential or authentication systems. More than half, 58 percent, said digital identity management has become more complex over the past two years.
The public sector reported the highest incident rate as 43 percent experienced failures revoking access. One in five still rely on manual credential revocation, which is more than double the rate in the IT and technology sector.
Passkey adoption is widespread but not yet mature: 93 percent of organizations are somewhere on the passkey adoption path. However, 65 percent report high or expert technical familiarity. But only 13 percent have deployed passkeys at scale. The report links this directly to the high rate of identity‑related incidents.
Phishing‑resistant authentication remains a top priority. Nearly half, 45 percent, said reducing phishing and credential‑based breaches is the main driver for moving to passwordless authentication. And 44 percent cited the need to cut IT costs from password resets and help‑desk load.
Andrew Shikiar, executive director and chief executive of the FIDO Alliance, said the findings show a clear execution gap. He said passkeys only deliver full protection when deployed comprehensively across the organization.
Sean Dyon, VP of HID’s Authentication Business Unit, said identity security has become a governance challenge as much as a technical one. “As organizations adopt passkeys, a unified approach to managing physical and digital identity becomes critical,” he says. “This research shows that fragmented governance, disconnected systems and limited visibility create real business risk.”
The full report is being launched this week at Identiverse 2026, where the FIDO Alliance and HID are exhibiting.
