SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Nexis urges mid-year identity governance budget review


Thu, 25th Jun 2026
Sean Mitchell, Publisher

Nexis has urged organisations to review identity governance spending at the mid-year point, warning that manual identity and access management processes can create avoidable costs.

Heiko Klarl, Chief Executive Officer at Nexis, said annual IAM budgets are often based on assumptions that become outdated as compliance demands and operational pressures shift during the year. He said the halfway point offers a practical opportunity to reassess whether spending still matches the reality of audit activity, access reviews and governance gaps.

Klarl said the first half of the year often exposes weaknesses that are not visible during budget planning. Recertification exercises have taken place, audit requests have arrived, and compliance issues that seemed theoretical at the start of the year have become specific operational problems.

He also pointed to the cumulative burden of manual access governance work, including email approval chains, spreadsheet-based tracking and time spent following up on overdue reviews. While these tasks may sit outside a formal IAM budget line, they still add to staffing costs, consultancy spending and project delays.

Hidden costs

One clear example, he said, is manual access certification. In a mid-sized organisation carrying out quarterly recertifications without automation, Nexis estimates each cycle can absorb three to six weeks of internal effort across IT, compliance teams and business units.

That workload can be hard for finance teams to identify as a distinct cost because it is spread across departments rather than assigned to one programme. Even so, the effect can be significant when organisations are also juggling competing technology projects, regulatory work and staffing constraints.

Klarl said segregation of duties conflicts are another source of unnecessary expense. These issues often remain undetected until an external audit because organisations lack a single view across multiple identity and access management systems.

When conflicts are discovered late, businesses can face a remediation process on top of the audit finding itself. That work can involve reviewing permissions, redefining roles and documenting corrective action for auditors, adding time and cost after the fact.

Boardroom issue

Nexis said identity governance has moved beyond a narrow IT issue and become a matter for senior management and boards. Klarl said rising regulatory pressure has increased personal accountability for leaders, who must be able to show that access controls and security measures are in place and documented.

That shift changes how spending decisions are presented internally. Rather than treating identity governance purely as an operational technology issue, organisations are being pushed to frame it in terms of audit preparation, risk visibility and regulatory exposure.

Automated documentation of access rights can reduce the time spent preparing for external audits, according to Nexis. Better visibility over identities and permissions can also help management quantify risk and decide where to focus remediation efforts.

The company also argued that demonstrable access controls can reduce the likelihood of adverse audit findings. For companies in heavily regulated sectors, that can affect not only compliance costs but also reputation and management attention.

Review point

Klarl said the mid-year review should not be seen simply as a chance to adjust a budget line. In his view, it is the point at which an organisation can measure the current state of role models, segregation of duties conflicts and identity data quality, then compare those findings with peers in the same sector.

Such a review gives decision-makers figures they can use to weigh whether to maintain current processes or invest in changes, he said. His comments focused on identifying where money is already being lost through fragmented oversight and manual administration, rather than presenting IAM spending as an entirely new cost.

Nexis sells software for Identity Governance and Administration and Governance, Risk and Compliance. It says it serves more than 130 customers worldwide across sectors including financial services, insurance, manufacturing and automotive.

Its platform is designed to help organisations review identity data, manage roles and policies, and automate parts of access governance. Nexis also said its products are used to support compliance work linked to rules and frameworks including GDPR, NIS2 and DORA.

"The mid-year mark is the natural correction point. And in 2026, that moment carries particular weight: regulatory pressure on identity governance is intensifying across the board, and more and more organisations are realising that well-intentioned annual planning and compliance reality can diverge significantly," Klarl said.

He said the practical lesson from the first half of the year is often that costs have already built up in places businesses do not immediately track. "The first half of the year surfaces what planning rounds cannot anticipate. Recertification campaigns have run, audit requests have come in, and compliance gaps and audit findings that seemed abstract in Q1 have developed into concrete issues. Add to this the operational burden of manual processes, which, once again, has accumulated over six months into a tangible cost factor, even if it rarely appears as such in the budget line: hours spent on email chains, weeks chasing approvals, resources flowing into spreadsheets instead of projects, and results that still fall short," Klarl said.

On the case for a formal review, he added: "The mid-year mark is therefore not just a natural budget correction point. It is the moment at which organisations can honestly take stock of where identity governance and visibility stand today - and what it costs if they don't. A structured review of the role model, SoD conflicts, and identity data quality, ideally benchmarked against comparable organisations in the same sector, provides exactly the figures decision-makers need to make an informed budget decision."