Identity management a misnomer
Here, what you're talking about is "access management", "privilege management", or whatever you call it. You don't really care about the employee's name, that's just a convenience, but you do care that his responsibilities map with the access he's granted. This is a "positive" mechanism because you pay him to do that stuff, and a "negative" because it should keep people out who should be kept out. In all but the most draconian secret services' systems the "make it work" bit is the most important, because the more repressive the system the more cumbersome it gets and the more it will get subverted, circumvented, ignored, breached, and so on and so forth.
Before talking technology ("biometrics", "tokens", "id cards", and so on), and even before considering privacy (which is usually and wrongly discarded in a corporate context), it would behoove us to consider just what we're trying to achieve.
Who do we trust, and why? What are the consequences if that trust proves misplaced because someone overstepped, or got impersonated and they overstepped? What is the damage, and how do we contain and repair it? Sometimes it's easier to just repair or replace, sometimes that's quite impossible. I'm saying this because it's a hard problem and the assumptions that underlie it might well turn out to be poor ones, so revisiting how we got here isn't a bad idea.