Handwashing for IT: What cybersecurity can learn from hospital hygiene

June 1, 2026

By Thomas Müller-Martin, Field Strategist DACH at Omada Identity

When Ignaz Semmelweis, a doctor working in Vienna, suggested in 1847 that doctors should wash their hands before every procedure, the mortality rate on his ward fell from over ten per cent to under two per cent.

The medical community reacted with scepticism, as it seemed simply too simple that such a straightforward solution could have such drastic effects. Today, hygiene is non-negotiable: it is the infrastructure upon which every medical innovation depends.

Identity security is at a similar juncture today. It controls who accesses which systems, closes orphaned accounts and ensures that audits are passed. When a ransomware attack fails because compromised login credentials lead nowhere, the reason is often well-configured identity management. The problem is: no one in the company knows about it, and certainly not senior management. And what no one sees has to justify itself anew every quarter, or is simply dismissed as a cost centre – or, at worst, as a stumbling block hindering change processes.

The problem is not a lack of performance, but a lack of communication. Identity teams measure their success in terms that nobody outside the IT department understands: connected systems, completed recertifications, streamlined authorisation structures. For board members, this is, at worst, technical jargon. What they need are key performance indicators: instead of “20 systems have been on-boarded”, the statement should read: “20 potential entry points for attackers closed” and “our IAM enables the company to develop in a controlled manner”. IT is no longer the bottleneck of digital transformation. Instead of “recertification campaign completed”, it must also read “We have revoked 400 permissions that were no longer legitimate, and because we are staying on top of it, attackers have a (for example) 30 per cent lower chance of accessing critical information in the event of a successful attack.” These are figures that every board member understands. But only if someone puts them on the table.

Without this visibility, a vicious circle emerges. No budget, no capacity. No capacity, no strategic work. This situation can be described with another image: many identity teams work like firefighters. They rush out when there’s a fire, put out the current problem and wait for the next alarm: the next support ticket, the next system integration, the next clean-up of messy HR data. What is missing is the fire safety officer: someone who thinks systemically, plans preventatively and ensures that fires do not break out in the first place. In every industrial plant, every bridge, every airport, this role is a matter of course. In identity management, however, the firefighter principle still dominates: putting out fires when they break out, rather than preventing them.

This situation is becoming untenable because requirements are currently intensifying. Non-human identities already outnumber human users many times over. AI agents bring with them governance requirements that traditional models cannot accommodate. NIS2 and DORA are increasing the pressure to provide evidence. And just like hygiene in a hospital, none of these requirements can be met if the core function is treated as a project that will eventually be ‘completed’.

Identity security is a cross-functional role that follows the same principle as hygiene in a hospital. It only works if everyone is continuously involved – business, IT, security, HR and operations – and if everyone sees it as a shared responsibility rather than the problem of another department. As in the case of Semmelweis, a simple solution can certainly be an effective one.

However, IT managers must be able to communicate this fundamental security principle to management using unambiguous indicators – in other words, hard figures. For it is this shift in perspective that transforms an IT project into a business function. And it is only as a business function that identity security receives the resources it needs to solve current problems and prevent future ones. Only those who make this foundation visible can maintain it and cement identity security as a catalyst for business transformation.
