Read more

This fragmentation is no longer just inefficient—it is a fundamental busi…

Read more

Yet despite these advances, many organisations still suffer from weak identity assurance. The reason is not a lack of technology, but a failure in how identity is experienced across the user journey, that merges the physical and digital realms.

The Problem: Fragmented Access & Authentication

Most organisations treat identity as a series of disconnected events:

• Enrolment (initial setup of credentials)

• Authentication (logging in)

• Recovery (password resets, account unlocks)

In practice, these stages are often handled by different systems, policies, and processes. This leads to:

• inconsistent user experiences

• duplicated credentials

• gaps in assurance between steps

If we then multiple this fragmentation across different systems and different scenarios across the physical and digital realms, we have a cascade of issues.

Why This Matters: Assurance Breaks at the Weakest Point

Identity assurance is only as strong as its weakest link. Even if authentication is robust, weaknesses in enrolment or recovery can undermine the entire system.

For example:

• Weak identity proofing during enrolment allows false identities

• Poor recovery processes enable account takeover

• Inconsistent policies create exploitable gaps

In a recent analyst comment article written for HID I emphasise that recovery and reset processes are often the least secure parts of the journey. If this in turn is amplified by isolated physical and digital integration this problem becomes one of high risk and poor user experience.

What Can Be Done: Shift From Authentication to Journeys

The key insight from the article is that identity should not be treated as isolated controls, but as a continuous, end-to-end journey.

This requires a move toward:

1. Converged identity

• A unified system across digital and physical access

• Single identity spanning enrolment, authentication, and recovery

2. Continuous assurance

• Identity confidence maintained over time, not just at login

• Contextual signals (device, behaviour, location) informing access

3. Seamless user experience

• Reduced friction through passwordless or adaptive authentication

• Consistent processes across all identity interactions

Read More

About The Author

Simon Moffatt has over 25 years experience in IAM, cyber and identity security. He is founder of The Cyber Hut — a specialist research and advisory firm based out of the UK. He is author of Consumer Identity & Access Management: Design Fundamentals and “IAM at 2035: A Future Guide to Identity Security”. He is a Fellow of the Chartered Institute of Information Security, a regular keynote speaker and a strategic advisor to entities in the public and private sectors.

The Fragmentation Problem

In many organisation, authentication is fragmented across multiple systems, tools, and environments. Employees move between physical access (badges, PINs) and digital systems (passwords, MFA, SSO), each with different processes for enrollment, login, and credential reset.

The result? A disjointed and inconsistent experience that creates what can only be described as credential chaos.

More Friction, Less Security

This fragmentation doesn’t just frustrate users—it actively undermines security.

Users are forced to manage multiple credentials and workflows, leading to frequent resets, workarounds, and mistakes. At the same time, IT teams struggle with rising support costs and operational complexity.

Critically, organisations lose end-to-end visibility of identity. There’s no reliable way to ensure that the person who entered a building is the same one accessing sensitive systems later.

Identity Assurance Breaks Down

Identity assurance—the confidence that someone is truly who they claim to be—depends on consistency across the entire access journey. But when authentication is siloed and inconsistent, that assurance collapses.

Security controls become difficult to enforce, measure, and scale. Integration between systems becomes fragile. Costs increase while trust decreases.

The Case for Unified Authentication

By unifying authentication across physical and digital environments, organizations can create a single, consistent identity journey. This results in:

• One cohesive authentication experience

• Centralized visibility and control

• Stronger, measurable identity assurance

A unified approach not only improves security but also reduces friction and enables future scalability—especially as non-human identities continue to grow.

This is a topic I wrote about in more detail in a recent analyst comment made for HID.

Read More

About The Author

Simon Moffatt has over 25 years experience in IAM, cyber and identity security. He is founder of The Cyber Hut — a specialist research and advisory firm based out of the UK. He is author of Consumer Identity & Access Management: Design Fundamentals and “IAM at 2035: A Future Guide to Identity Security”. He is a Fellow of the Chartered Institute of Information Security, a regular keynote speaker and a strategic advisor to entities in the public and private sectors.

Curated Industry Announcements

• Aembit: SPIFFE vs. OAuth: Access Control for Nonhuman Identities

• Apono: Apono Launches Agent Privilege Guard, Bringing Runtime Privilege Guardrails to Enterprise AI Agents

• AWS: Deploy AWS applications and access AWS accounts across multiple Regions with IAM Identity Center

• Bravura Security: What Your Insurer Actually Wants to See in Your Identity Controls

• Cisco: Cisco Access Manager: Identity-Based Access Control That Lean IT Teams Can Actually Deploy

• ConductorOne: 2026 Future of Identity Report

• Entro Security: How smart should your secrets rotation technology be?

• Omada: Omada Appoints Jakob H. Kraglund as CEO to Accelerate Global Growth

• Google Cloud: Simplify your Cloud Run security with Identity Aware Proxy (IAP)

• LoginRadius: Model Context Protocol (MCP): Security Risks Explained

• Sailpoint: Launches Shadow AI Remediation

• SpyCloud: SpyCloud’s 2026 Identity Exposure Report Reveals Explosion of Non-Human Identity Theft

• Strata Identity: Secure Identity for TAK/ATAK at the Tactical Edge

Identity Threat Intelligence Updates

• CO-PILOT, DISENGAGE AUTOPHISH: The New Phishing Surface Hiding Inside AI Email Summaries

• The MCP AuthN/Z Nightmare

• Under the hood: Security architecture of GitHub Agentic Workflows

• Recorded Future: 2025 Identity Threat Landscape Report

Book Inquiry Consultation

Latest On Demand Industry Webinar

Closing the AD Privileged Access Gap

Register to Attend

Up Coming Event Attendance

RSAC 2026 - San Francisco - March 23-26

IDSA - Identity Management Day 2026 - April 14

IAM Tech Day - Sao Paolo - April 22-23

Identiverse - Las Vegas - June 15-18

Downloadable Cheat Sheets

Cheat Sheet: Agentic-AI Security Architecture Example

Cheat Sheet: Application Governance

Cheat Sheet: Top 30 IAM Metrics for B2C

Cheat Sheet: Top Metrics for B2E IAM

Cheat Sheet: MCP Security

Latest Identity Security Vendor Reports

Silverfort

CyberArk

HYPR

Axiad

FusionAuth

Apono

WSO2

A Demo Discussion on JiT for SSH

A demo walk through by P0 Security taking a look at just in time access for SSH services

Latest Podcast Episode

E70 The Analyst Brief: The Rise of AI Browsers. A Game changer for B2C IAM?

Submit Podcast Question

Latest Research Report

A Market Guide to Securing the Production Stack

A Fireside Chat with Identity at the Center Podcast

Latest Analyst Insight by The Cyber Hut

The Unified Identity Imperative: Breaking the Cycle of Fragmentation

Enroll. Forget. Reset. Repeat: How Broken Identity Journeys Undermine Identity Assurance

Pre-Emptive Identity Security: Getting Started

“From Operations to Strategic Enabler: Why IAM Must Adapt”

Architecting Identity for a Real-time World

Defining and Securing The Enterprise Production Stack

Read More Insight & Whitepapers

Latest Recent Industry Webinars by The Cyber Hut

Always On, Always Aware: Building a Continuous Identity Strategy

Identity-First Security for AI Agents with Token Security

Addressing the IAM Data Problem: A fireside chat with Radiant Logic

An Identity Security Playbook: The What and The Why with Silverfort

Putting the AI in IAM a fireside chat with Apono

Too Many IDPs: Why Now, How to Rationalize?

Watch More Webinars

Latest Training Academy Episodes by The Cyber Hut

39: What is Just in Time access and Zero Standing Privileges?

38: How does Identity and Access Management relate to Zero Trust?

37: What is Identity Risk Management?

36: What is Identity Data Management?

35: What are Initial Access Brokers?

See Training Archive

Enrol in B2C Design Bootcamp

Enrol Authentication Bootcamp

Latest Vendor Assessment Report

As assessment of Radiant Logic - analysing their identity-data view of ISPM

Download Here

Our Recent Vendor Introduction Interviews

Interviews with Stackbob, Reva.ai and Scalekit

Book Vendor Interview

What is Teleport’s Agentic Security Framework?

Order IAM and Identity Security Books on Amazon

IAM at 2035: A Future Guide to Identity Security - Paperback, Audio, Kindle and Hardback

CIAM Design Fundamentals - Paperback, Audio and Kindle

Download IAM Vendor Directory

This mismatch is becoming a serious security and governance problem.

The Identity Gap

Today, many AI agents authenticate using hardcoded API keys or long-lived credentials. These approaches are fragile: secrets get leaked, permissions sprawl out of control, and there’s often no clear way to trace actions back to a specific agent—or its owner. As the number of agents scales, so does the risk.

Traditional identity systems assume relatively static users and predictable access patterns. AI agents break both assumptions. They operate continuously, move across environments, and can generate thousands of interactions in minutes. In some cases, they may even expose their own credentials through logs or outputs.

A Better Model: Identity-First AI

To secure this new class of actors, AI agents need something fundamentally different: a verifiable, dynamic digital identity.

Instead of relying on shared secrets, agents should authenticate using cryptographic methods—proving who they are without exposing sensitive credentials. Access should be granted through short-lived, just-in-time tokens that expire quickly, reducing the blast radius of any compromise.

This approach aligns with zero-trust principles: never assume trust, always verify identity.

Centralizing Trust

A key part of this model is a centralized identity provider (IdP) that manages authentication and authorization for all agents. This creates a single control plane where policies can be enforced consistently, regardless of where the agent operates.

With this structure in place, organizations gain something they’ve long lacked: true visibility and accountability. Every action taken by an agent can be tied back to a unique identity—and, ultimately, to the human or system that deployed it.

Why It Matters Now

As AI adoption accelerates, the number of non-human identities is set to explode. Without a robust identity framework, organizations risk building powerful systems on top of weak security foundations.

These topics are covered in more detail in an analyst comment written for AKeyless.

Read More

About the Author

Simon Moffatt has over 25 years experience in IAM, cyber and identity security. He is founder of The Cyber Hut – a specialist research and advisory firm based out of the UK. He is author of CIAM Design Fundamentals and IAM at 2035: A Future Guide to Identity Security. He is a Fellow of the Chartered Institute of Information Security, a regular keynote speaker and a strategic advisor to entities in the public and private sectors.

Privileged access management (PAM) has undergone a tremendous evolution in the past 5 years. No longer are we focused solely on a subset of systems - that only reside within an on-premises environment. Organisations have to contend with a broader array of identities, high risk systems and deployment models that span on-prem, private cloud, infrastructure, containers and SaaS environments.

The breadth and depth of identity types has increased too - from server root accounts, to workloads, service accounts and more latterly specific instances of non-human identities (NHI) along with agentic-AI too.

That initial PAM deployment model - using credential rotation and checkout services alongside basic vaulting - only really supported a subset of the critical high risk systems under management. As the number of variety of systems and services under management increased, the approach to privilege evolved too.

Is AD the PAM Weak Link?

If we pick on Active Directory (AD) for a second, has it become the weak link in the privileged access battle? AD was not built for security. In 2000 the basic security design pattern was built upon private/public network boundaries - coarse grained trust areas that focused on location and IP address. Fast forward to 2026 and organisations design via a zero trust approach - often with the assumption that “controlled” network components and applications are really open to internet access and likely be “breached” already by unauthorised users.

Whilst AD is not solely a PAM platform, it does contain high risk identities, along with being a jump off point for service accounts, administration functions and a broad array of infrastructure support and configuration functions.

Remote access approaches such as VPNs, RDP, MS Terminal Services and RADIUS may well leverage AD as a repository, before vectoring off into an array of on-prem and cloud-integrated relying parties, applications and federated services. But has AD kept up with the variety and complexity of identity related attacks that target both standard and high risk accounts?

Being at the centre of enterprise identity, it can become a fulcrum for cross-identity, privilege-abuse related flows for both internal and external adversarial activity.

What Does Modern PAM Look Like?

PAM is a journey - an evolution - that many organisations are embarking on. We are starting to see PAM require a broader set of integrated identities and systems, but also from an AD point of view, identify a more flexible and just in time approach that covers service accounts and high risk events.

A consistent approach to high-risk access across AD and related systems is needed - that allows organisations to “scale-up” their security strategy to include NHI, agentic-AI and hybrid deployment model.

The Cyber Hut’s next industry webinar will be tackling this topic in more detail. The Cyber Hut founder Simon Moffatt will be in conversation with EMEA Chief Identity Security Advisor Rob Ainscough from Silverfort on March 16th.

They’ll explore:

1. Why traditional PAM models break down in modern, identity-driven environments

2. How runtime, identity-aware enforcement changes the privileged access security model

3. How organizations can expand privileged access coverage to meet protection goals - without slowing the business down

4. How to mitigate the risk of static human and non-human credentials, and move to Zero Standing Privilege

5. How to mature from protecting accounts, to blast radius controls & containing risk

Reserve Your Seat

Modern production infrastructure has outpaced traditional Privileged Access Management (PAM), leading to an increase in the identity attack surface along with significant operational drag.

Traditional, on-premises, vault-centric PAM systems, which were designed for a small, static set of accounts, can no longer manage the breadth of modern systems, protocols, and identity types, including human, non-human, and agentic identities.

This complexity results in over-provisioned, standing privileges and slow, manual access workflows that frustrate developers and increase risk. This guide outlines a strategic shift from legacy, isolated PAM to an Identity-Native, API-first model that supports a decoupled, “zero-touch” production access environment.

Capabilities in this modern approach leverage:

• Just-in-Time (JIT) access and Zero Standing Privilege (ZSP): JIT allows identities to request access only when needed, and only for as long as needed, which is critical for minimizing the identity attack surface and enforcing a least-privilege policy. (See our Academy episode for an explainer on JiT and ZSP)

• Broad, consistent coverage: A modern privileged access platform must cover the full spectrum of high-risk assets, including cloud consoles, databases, Kubernetes and code repositories, and all identity types, particularly non-human identities (NHIs) which often hold unchecked privileged access.

Read more

Curated Industry Announcements

• Cerbos: Overcoming IAM blind spots and fragmentation for continuous governance

• CrowdStrike (CRWD) Q4 2026 Earnings Transcript

• Okta (OKTA) Q4 2026 Earnings Call Transcript

• Ping Identity: Privileged Access Is Broken…

• SecureAuth: Why Your Identity Vendor Is Your Biggest Security Risk

• Veza + ServiceNow: The Enterprise Agent Identity Control Plane

Identity Threat Intelligence Updates

• The Silent SaaS Threat

• AWS Incident Response: IAM Containment That Survives Eventual Consistency

• Google API Keys Weren’t Secrets. But then Gemini Changed the Rules

• Disruption targets Tycoon 2FA, popular AiTM PhaaS

• Breaking down a supply chain attack via a malicious Google Workspace OAuth app

• Identity Cyber Scores: The New Metric Shaping Cyber Insurance in 2026

Book Inquiry Consultation

Up Coming Industry Webinar

Closing the AD Privileged Access Gap

Register to Attend

Up Coming Event Attendance

Orchid Security Community Event - London - March 12

RSAC 2026 - San Francisco - March 23-26

IDSA - Identity Management Day 2026 - April 14

IAM Tech Day - Sao Paolo - April 22-23

Identiverse - Las Vegas - June 15-18

Downloadable Cheat Sheets

Cheat Sheet: Agentic-AI Security Architecture Example

Cheat Sheet: Application Governance

Cheat Sheet: Top 30 IAM Metrics for B2C

Cheat Sheet: Top Metrics for B2E IAM

Cheat Sheet: MCP Security

Latest Identity Security Vendor Reports

Silverfort

CyberArk

HYPR

Axiad

FusionAuth

Apono

WSO2

A Demo Discussion on JiT for CSP

A demo walk through by P0 Security taking a look at just in time access for cloud service provider components such as S3 storage buckets

Latest Podcast Episode

E69 The Analyst Brief: The Rise of IAM Resilience and Why Semperis is buying MightyID

Submit Podcast Question

Latest Research Report

A Market Guide to Securing the Production Stack

A Fireside Chat with Identity at the Center Podcast

Latest Analyst Insight

Pre-Emptive Identity Security: Getting Started

“From Operations to Strategic Enabler: Why IAM Must Adapt”

Architecting Identity for a Real-time World

Defining and Securing The Enterprise Production Stack

Analysing Application Activity

Read More Insight & Whitepapers

Latest Recent Industry Webinars

Always On, Always Aware: Building a Continuous Identity Strategy

Identity-First Security for AI Agents with Token Security

Addressing the IAM Data Problem: A fireside chat with Radiant Logic

An Identity Security Playbook: The What and The Why with Silverfort

Putting the AI in IAM a fireside chat with Apono

Too Many IDPs: Why Now, How to Rationalize?

Watch More Webinars

Latest Training Academy Episodes

39: What is Just in Time access and Zero Standing Privileges?

38: How does Identity and Access Management relate to Zero Trust?

37: What is Identity Risk Management?

36: What is Identity Data Management?

35: What are Initial Access Brokers?

See Training Archive

Enrol in B2C Design Bootcamp

Enrol Authentication Bootcamp

Latest Vendor Assessment Report

As assessment of Radiant Logic - analysing their identity-data view of ISPM

Download Here

Our Recent Vendor Introduction Interviews

Interviews with Reva.ai and Scalekit

Book Vendor Interview

Latest Video Shorts: Podcast and Interview Highlights

Order IAM and Identity Security Books on Amazon

IAM at 2035: A Future Guide to Identity Security - Paperback, Audio, Kindle and Hardback

CIAM Design Fundamentals - Paperback, Audio and Kindle

Download IAM Vendor Directory

• Broad variety of ticket types

• Lack of fulfilment efficiency

Service desk ticketing systems today are routinely overworked and ineffective when it comes to identity and access management (IAM) - and for several core reasons. The volume and variety of identity types and systems has increased - but so have the volume and variety of tickets being raised.

Broad and disjointed multi-factor authentication (MFA) strategies typically correlate with an increase in enrolment issues, as well as the avoidable troubles associated with credential and password reset work flows.

New user on-boarding inevitably generates interactions with respect to device configuration and a lack of familiarity with technology or systems registration. But ultimately it is in the access management and misalignment domain that are generating the most interactions - many of which are becoming complex to complete and fulfil.

Many of these requests are repeatable, routine and avoidable - yet are still being completed by human operators. Requests often lack the appropriate level of context and detail - missing basic details such as the user’s current role or access, a system owner or a more risk-aligned description of what is needed and why.

Fulfilment times are increasing too as a result. The breadth and depth of request coverage likely means that many downstream systems are disconnected from the core automated provisioning apparatus - resulting in error prone and customised fulfilment of access additions or removals. A lack of context can also impair risk based decision making as it comes to changing access that is in alignment with both business requirements and security controls.

Risk Increasing & Productivity Decreasing

• Lack of consistency

• Human error and complex operating procedures

The impact of this is not just overworked employees and inefficient service desk fulfilment. As the strategic role of IAM has increased to enable productivity, security and revenue generation opportunities, the ineffectiveness of ticket management creates systemic failures in many parts of the modern business.

Delays in access fulfilment have a material impact on risk management. A slowdown in access removal - be it for a terminated employee, insider threat scenario or task completion - introduces significant issues with respect to privilege escalation opportunities or privilege abuse. In addition to delay, a lack of context, disconnected systems and human-centric process results in inconsistent completion and a lack of repeatable execution. This has a cascading effect on both productivity and risk.

Productivity also needs to be considered from both a fulfilment and end user point of view. A lack of context, repeatability and manual completion results in reduced effort to closure rates, but delays and inconsistencies in closure impact the end user too. Ticket bounce backs - often due to incorrectly assigned permissions or the removal of the wrong permissions - prevent task completion or result in timely escalations with no clear incident resolution pathway.

Rise of The AI Digital Employee: Automation, Consistency, Repeatability

• Specialised learning based on company and context

• Human augmentation

So what can be done? Vendors like Twine Security are certain that the rise of the AI digital employee is showing significant inroads in solving some of these key issues. An ability to train an agent with the specific nuances of an organisation, system and their joiner-mover-leaver processes is now quite possible. AI thrives on data - and the data relating to how an organisation manages their identity and access management processes is often readily available. This form of specialist learning is critical.

Twine Security describe themselves as: “Reduce manual cybersecurity work by 70% with Twine's AI Digital Employees. Automate identity management, cut costs, and improve team efficiency.”

Not all organisations are the same. Not all on-boarding and off-boarding processes are the same. Access request approvals will vary, the connected systems will vary and how they are connected will also vary. And as technology never lives in a vacuum, all of these components are constantly in a state of flux - which many traditional IAM systems fail to handle - often designed from a very static point of view. Each of these components and workflows will also see execution variability based on a combination of end user involved in the request, the approver and the context too. AI of course is designed to consume both vast amounts of data but also the nuances within it - allowing optimisation to take place.

A key part of deploying not just digital employees but agentic-AI in general, is building trust. Trust from an interaction point of view but also from an operational perspective. Evidence of hallucination and negative optimisation are now common, so it becomes critical to leverage a digital employee function that knows its own limitations. Knows when risk is present, a lack of information is present and knows when an optimal outcome can not be achieved without human guidance. It is important the agentic-approach not only knows when to escalate, but how to escalate.

Full Accountability, With Strategic Automation

• Smarter decision making

• Operational improvement

• Security and audit traceability

There are touch-points where guardrails are critical. Initial on-boarding with respect to agent credential configuration, permissioning and credential issuance should be deterministic and transparent. This on-boarding process is critical to understand the existing nuance of both manual and automated processes - why have they been created, what might go wrong and who from an approval and escalation process is needed to complete both the happy and unhappy paths.

That learning process should also contribute to the identification of data concerns, or inefficiencies with respect to process or execution. By analysing existing processes and the ticket instances that have previously been completed, digital employees should be able to understand patterns and capture the subtle context needed (or lacking) to accelerate completion.

The immediate metric of success is operational improvement. Tickets can be fulfilled faster, with more automation and more consistency, but can also be optimised. Redundant stages, poorly completed or missing form entries can all be removed.

The key to both adoption and continual improvement is the ability to have full traceability of all of the AI digital employee events and ticket fulfilment stages. Audit and monitoring of all individual events and tasks is a given, but also the linkage back to a carbon life-form. This essentially is supporting the “on-behalf” of authorization flow for agentic-AI where it is critical to understand why and how an employee was triggered and is it authorised.

IAM is complex. Organisations have to deal with a range of asymmetric information problems, disconnected systems, missing workflows and an increasing rise in the volume and variety of identities and systems under management. The rise of Agentic AI adoption across all parts of the technology landscape is delivering huge productivity gains and competitive opportunities. The specific focus on the often stagnant IAM fulfilment flows will reduce considerable effort and security risk that many organisations are now facing.

An interview with Twine Security for The Cyber Hut’s vendor introduction series:

About The Author

Simon Moffatt has over 25 years experience in IAM, cyber and identity security. He is founder of The Cyber Hut - a specialist research and advisory firm based out of the UK. He is author of CIAM Design Fundamentals and IAM at 2035: A Future Guide to Identity Security. He is a Fellow of the Chartered Institute of Information Security, a regular keynote speaker and a strategic advisor to entities in the public and private sectors.

Book Inquiry Consultation

The primary goal of a modern identity governance and administration (IGA) solution is to enforce concepts like the Principle of Least Privilege and actively reduce the identity attack surface, as emphasized in the transition to Zero Standing Privilege (ZSP) and the focus on Identity Security Posture Management (ISPM).

• Access Risk Reduction: Target a reduction in users with unneeded or excessive access (Orphaned Accounts, Stale Access).

• Segregation of Duties (SoD) Violations: Decrease in total SoD policy violations by a measurable percentage within a finite timeframe (e.g. within 6 months).

• Time-to-Remediation: Decrease the time required to revoke access for high-risk or compromised identities.

Read more

Curated Industry Announcements

• Apono: New Apono Report Reveals 98% of Cybersecurity Leaders Are Slowing Agentic AI Adoption Due to Insufficient Security Controls

• Auth0: The Revenue Potential of Shared Accounts With Fine-Grained Authorization (FGA)

• CrowdStrike: Exposing Insider Threats through Data Protection, Identity, and HR Context

• Gathid: The Silent Breach: How Organizational Drift Becomes An Identity Threat

• LoginRadius: MCP Authorization: The Key to Safe and Simple AI Integrations

• P0 Security: P0 Security extends its Authz Control Plane to service accounts, workloads and AI agents

• Ping Identity: Ping Identity’s Secure Containers in Iron Bank Strengthen DOW Data Security

• Saviynt: Saviynt bolsters Its AI-powered Identity Security through integrations with Amazon Quick

• SentinelOne: SentinelOne Unveils New Identity Portfolio and Strategy for Securing Human and Non-Human Identities

• Segura: Announces $25M Growth Round from Riverwood Capital to Strengthen Identity Security Platform

• Teleport: From Zero Trust to SPIFFE: How to Secure Microservices with Istio and Teleport

• Veza: The Enterprise Agent Identity Control Plane

Identity Threat Intelligence Updates

• OpenClaw Security Engineer’s Cheat Sheet

• Would You Click ‘Accept’? Automatically detecting malicious Azure OAuth applications using LLMs

• OpenClaw Threat Model: MAESTRO Framework Analysis

• How to Make a Digital Asset Inventory?

Book Inquiry Consultation

Up Coming Event Attendance:

• RSAC 2026 - San Francisco - March 23-26

• IDSA - Identity Management Day 2026 - April 14

• IAM Tech Day - Sao Paolo - April 22-23

• Identiverse - Las Vegas - June 15-18

Let's Meet at RSAC 2026

Free Identity Security Cheat Sheets

• Cheat Sheet: Agentic-AI Security Architecture Example

• Cheat Sheet: Application Governance

• Cheat Sheet: Top 30 IAM Metrics for B2C

• Cheat Sheet: Top Metrics for B2E IAM

• Cheat Sheet: MCP Security

Recent Identity Security Vendor Reports

Recently Added:

• Silverfort

• CyberArk

• HYPR

• Axiad

• FusionAuth

• Apono

• WSO2

Recent Content Updates

A Demo Discussion on JiT for CSP

• A demo walk through by P0 Security taking a look at just in time access for cloud service provider components such as S3 storage buckets

Our Recent Podcast Episodes

• E69 The Analyst Brief: The Rise of IAM Resilience and Why Semperis is buying MightyID…

Submit Podcast Question

Our Recent Research Reports:

• A Market Guide to Securing the Production Stack

Our Recent Comments and Analyst Insight

• A fireside chat with the Identity at the Center podcast on Identity Security:

• The Identity Underground 2026 Pulse: “From Operations to Strategic Enabler: Why IAM Must Adapt”

• Review of CrowdStrike acquiring SGNL

• Architecting Identity for a Real-time World

• Defining and Securing The Enterprise Production Stack

• Analysing Application Activity

• Building App Policies with Continuous Identity

Read More Insight & Whitepapers

Our Recent Industry Webinars

• Always On, Always Aware: Building a Continuous Identity Strategy

• Identity-First Security for AI Agents with Token Security

• Addressing the IAM Data Problem: A fireside chat with Radiant Logic

• An Identity Security Playbook: The What and The Why with Silverfort

• Putting the AI in IAM a fireside chat with Apono

• Too Many IDPs: Why Now, How to Rationalize?

Watch More Webinars

Our Recent Training Academy Episodes

• 38: How does Identity and Access Management relate to Zero Trust?

• 37: What is Identity Risk Management?

• 36: What is Identity Data Management?

• 35: What are Initial Access Brokers?

• 34: What is SPIFFE?

See Training Archive

Enrol in B2C Design Bootcamp

Enrol Authentication Bootcamp

Our Recent Deep Dive Vendor Assessment Reports

As assessment of Radiant Logic - analysing their identity-data view of ISPM

Download Here

Our Recent Vendor Introduction Interviews

What is the new auth-stack? We sat down with Scalekit to find out more…

Book Vendor Interview

Our Recent Video Shorts

Order IAM and Identity Security Books on Amazon

• IAM at 2035: A Future Guide to Identity Security - Paperback, Audio, Kindle and Hardback

• CIAM Design Fundamentals - Paperback, Audio and Kindle

Download Latest 120 Vendor Directory

Agent Identity and Access Management

We need to verify the agent's identity via attestation, before issuing bound credentials and unique attributes. We need to be dynamically granting access to data, apps, and other agents. All wrapped in ephemeral and just-in-time concepts.

Considerations:

• Secret-zero issue - how to attest processes or requesting party before credentials are minted, issued and bound

• How to identify what permissions an agent needs?

• How to verify a human has access to an agent?

• Should the agent “claim” permissions from the requesting party?

• How to handle agent to agent combined permissions risk and union of access?

• How to handle MFA requirements? Is a possession factor enough?

• Should credentials be auto-rotated, or rotated only during high risk?

Data and Knowledge Protection

Policies are needed to prevent unauthorized use of critical data by AI agents, ensuring access permissions are based on the type of data or resource being accessed - so this is a combination of PEP and also data confidentiality protection measures.

Considerations:

• Can existing DLP and DSPM products support the necessary discovery, classification and risk tagging of data resources?

• Can data objects be protected at rest, in transit and in use?

• Are concepts like homomorphic encryption and multi-party computing, understood, applicable?

• Are integrity protection mechanisms necessary?

• Are content authenticity measures in place? Are they scaleable? Can they be verified offline and at scale?

• How is the data returned back from an agent protected?

Agent Operational Integrity and Resilience

We need to ensure the agent's behavioral integrity is upheld by detecting and preventing tampering, drifting off-task, or malicious manipulation. This is tricky as some behaviour changes are expected for optimization and learning.

Considerations:

• What does success look like for an agent?

• Can that success be articulated during creation?

• Can agents be compared to each other?

• Can and should agent behaviour be compared and tied to a human-requestor’s behaviour?

• Are historical behaviour patterns for agents useful?

• Agents are likely to be targets - how can they be protected?

• Can they be stolen, replicated, impersonated?

Agentic Governance, Risk and Compliance (GRC)

We need to establish guidelines for agent behavior, risk changes, and ensuring that the agent's actions are auditable and traceable. Everything needs to be in sync for regulatory adherence.

Considerations:

• End to end traceability is important - that links agent tasks to human tasks

• Can agent actions be reversed?

• At what point do agent events need approval?

• What is the process for agent creation?

• What level of explainability is available?

• What level of agent action transparency is available?

Policy Engine with Runtime Enforcement

A system that provides granular, adaptive access control that changes dynamically based on real-time context and assessed risk levels. It enforces policies for access to corporate systems, inter-agent sharing, access periods (JIT), and memory retention. Can today’s human-centric PBAC systems do this?

Considerations:

• How are policies created?

• How are policies stored and made available to enforcing systems?

• Are policies part of the governance model?

• How are policies changed and analysed for effectiveness?

• How should policy be changed post-incident?

• Can enforcement points scale and be effective away from a central hub?

Human Oversight, Accountability, and Attribution

We need to ensure that all actions by autonomous agents can be traced back to an originating human user or organizational policy, often utilizing "human-in-the-loop" mechanisms for critical or sensitive actions.

Considerations:

• These are extension points that anchor both policy design and enforcement and how the GRC components are executed

Book Inquiry Consultation

Curated Industry Announcements

• Auth0: A Guide to Securing Amazon Bedrock AgentCore with Auth0 for AI Agents

• AuthSignal: Account recovery is the identity industry’s most overlooked challenge

• Axiomatics: 2026: A reflection on what’s ahead for Axiomatics, authorization, agentic AI, and more

• Cisco: Redefining Security for the Agentic Era

• CyberArk (Palo Alto): Identity Security Is the Foundation of the AI Era

• CyberArk: Palo Alto Networks Completes Acquisition of CyberArk to Secure the AI Era

• GitGuardian: $50 Million Series C Raised For Secrets And Non-Human Identity Security Platform

• Hydden: Why Nobody Owns Your Most Privileged Accounts

• Omada: Read The State of Identity Governance 2026

• Teleport: How to Prevent Prompt Injection in AI Agents

• Yubico: Yubico previews passkey-enabled digital signatures in upcoming YubiKey 5.8 firmware

Identity Threat Intelligence Updates

• Astrix Openclaw Scanner

• The 5 Most Valuable Credential Types Hidden in Stealer Logs

• In Bypassing MFA, ZeroDayRAT Is 'Textbook Stalkerware'

• Keys to JWT Assessments - From a Cheat Sheet to a Deep Dive

• How recruitment fraud turned cloud IAM into a $2 billion attack surface

Book Inquiry Consultation

Up Coming Event Attendance:

• RSAC 2026 - San Francisco - March 23-26

• IDSA - Identity Management Day 2026 - April 14

• IAM Tech Day - Sao Paolo - April 22-23

• Identiverse - Las Vegas - June 15-18

Let's Meet at RSAC 2026

Free Identity Security Cheat Sheets

• Cheat Sheet: Application Governance

• Cheat Sheet: Top 30 IAM Metrics for B2C

• Cheat Sheet: Top Metrics for B2E IAM

• Cheat Sheet: MCP Security

• Cheat Sheet: Agentic-AI Identity Security

Identity Security Vendor Summary Reports

Recently Added:

• Silverfort

• CyberArk

• HYPR

• Axiad

• FusionAuth

• Apono

• WSO2

Recent Content Updates

Improving the MTTA

• A deep dive into the concept of improving the mean time to access for a range of different stakeholders to a broad array of high risk systems

Our Most Recent Industry Webinar

• 3 December - Modernizing AD Protection Against Lateral Movement and Privileged Access Abuse with Silverfort

Reserve Your Seat

Our Recent Podcast Episodes

• E69 The Analyst Brief: The Rise of IAM Resilience and Why Semperis is buying MightyID…

Submit Podcast Question

Our Recent Research Reports:

• A Market Guide to Securing the Production Stack

Our Recent Comments and Analyst Insight

• OpenClaw: A Productivity & Cyber Security Clash

• The Identity Underground 2026 Pulse: “From Operations to Strategic Enabler: Why IAM Must Adapt”

• Review of CrowdStrike acquiring SGNL

• Architecting Identity for a Real-time World

• Defining and Securing The Enterprise Production Stack

• Analysing Application Activity

• Building App Policies with Continuous Identity

• Why PAM Needs to Evolve

• Shifting Left of Boom in Identity

Read More Insight & Whitepapers

Our Recent Industry Webinars

• Always On, Always Aware: Building a Continuous Identity Strategy

• Identity-First Security for AI Agents with Token Security

• Addressing the IAM Data Problem: A fireside chat with Radiant Logic

• An Identity Security Playbook: The What and The Why with Silverfort

• Putting the AI in IAM a fireside chat with Apono

• Too Many IDPs: Why Now, How to Rationalize?

Watch More Webinars

Our Recent Training Academy Episodes

• 38: How does Identity and Access Management relate to Zero Trust?

• 37: What is Identity Risk Management?

• 36: What is Identity Data Management?

• 35: What are Initial Access Brokers?

• 34: What is SPIFFE?

See Training Archive

Enrol in B2C Design Bootcamp

Enrol Authentication Bootcamp

Our Recent Deep Dive Vendor Assessment Reports

Our Recent Vendor Introduction Interviews

What are digital employees? How can they help with the identity and access management ticket workload? An interview with Twine Security to find out more…

Book Vendor Interview

Our Recent Video Shorts

Order IAM and Identity Security Books on Amazon

• IAM at 2035: A Future Guide to Identity Security - Paperback, Audio, Kindle and Hardback

• CIAM Design Fundamentals - Paperback, Audio and Kindle

Download Latest 120 Vendor Directory

Capability Matrix Entry

Web URL: https://www.silverfort.com/

Identity Type: B2E, NHI

Stakeholder Engagement: CIO, CISO, IAM, SoC

Tags: authentication, privileged access, identity data, runtime, detection, response, itdr, hygiene, behaviour, intent, attribution, risk, on-premises

Description: “Discover and protect every dimension of identity, everywhere. Human, machine or AI, cloud or on-prem—including systems that couldn’t be protected before.”

NB - Download the full market capability matrix here.

Silverfort provides a Unified Identity Security Platform that acts as an agentless overlay on your existing Identity and Access Management (IAM) infrastructure.

Its primary function is to secure all user and service account access across your entire environment—both on-premises (legacy) and cloud—by enforcing modern security controls.

Read more

Application governance (and administration) (AGA), is a specialized - yet rising - domain within Identity Governance and Administration (IGA) focused on managing the full lifecycle of access, permissions, and compliance for applications. These apps are typically those involving high-risk factors like privileged access, non-human identities, or shadow IT.

The key end goal design principles include:

• Zero Standing Privilege (ZSP): A strategic migration where no identity or account has pre-provisioned permissions or credentials when not in use, thereby reducing the identity attack surface.

• Just-in-Time (JiT) Access: Permissions and credentials are associated only when a verified, validated, and approved event or task is being processed.

• Automation: Essential for integrating more identities, systems, and locations, which includes automating discovery, provisioning, de-provisioning, and credential rotation.

The Why

Two sub-problems have emerged with respect to successfully deploying concepts like ZSP, JiT and least-privilege as part of a broader identity security fabric and zero trust initiative.

Firstly the existing identity and access management (IAM) pillars being used to handle the B2E workforce life cycle management use cases are often silo’d. This results in visibility blind spots, overlapping capabilities and ineffective security controls assurance.

The second aspect, is that specifically within the IGA world, the coverage of the core IGA platforms is low. They typically focus upon the most high risk applications - or applications that fall under regulatory scrutiny. This could be less than 10% of the overall application landscape. The remaining applications are either managed manually using ticketing systems or are entirely un-managed. The un-managed list will also include shadow-apps - that organisations don’t even know are un-managed.

To that end several issues develop:

1. Organisations want to improve basic IGA coverage to more (if not all apps)

2. Un-managed and shadow-app risk management is not complete

3. Visibility and usage within applications is not known

4. Access request and review processes are incomplete, ineffective and costly

Considerations

1. Is the existing IGA components (software or manual) being measured?

2. Is the current IGA model working effectively?

3. What is hindering expansion of the core IGA capabilities to more systems?

4. Do you have IGA capabilities for all identity types including NHI, agentic and workloads?

Example Capabilities

1. Discovery of shadow applications

2. Analysis of un-managed applications

3. Accelerated on-boarding of applications into the core IGA function

4. Visibility of account usage within applications

5. Support for human and non-human accounts

6. Composite risk analysis of application configuration

7. Composite risk analysis of application account usage

8. Template and semi-autonomous connectivity

9. Access path analytics

10. Permission usage analytics

11. Access request contextual analysis - E.g SoD, compliance validation

Vendor Solutions

Nexis

Offering a solution for “Enterprise Authorization Governance”.

Core Capabilities:

• Authorization Governance: Helps organizations manage and structure authorizations, ensuring they undergo lifecycle processes and comply with regulations (like SoD, least privilege).

• Overlay for Existing IGA: It acts as an overlay to enhance existing IGA systems (e.g., SailPoint, One Identity, IBM, Oracle, MS Entra ID) for improved functionality and efficiency.

• Role Management: It features role mining, fine-grained analysis, risk-based RBAC, and streamlined role lifecycle management (creating, changing, deleting Business Roles).

• Workflow Automation: It uses an easy-to-use, no-code workflow engine for seamless implementation of IGA use cases and automating Joiner-Mover-Leaver (JML) processes.

• Authorization Concept Management: Its module provides an integrated, automated solution for creating, maintaining, and versioning audit-proof authorization concepts, overcoming the limitations of static documents (like Word/Excel).

• AI Integration: Includes an Intelligent Assistant (NICO) to guide users through recertification, and AI-driven features for role model discovery, optimization, and anomaly detection.

• User Experience: It’s designed for end-users, providing tailor-made, web-based interfaces and self-service portals.

Solution Scenarios:

• Compliance: Simplifying challenges around regulatory compliance, Segregation of Duties (SoD), and recertifications.

• Modernize Legacy IGA: Enhancing functionality and efficiency of deeply integrated legacy IGA systems, particularly around user experience and self-service.

• IGA Light: Offering smart Identity Governance for Small to Midsize Businesses (SMBs) without existing IGA solutions.

• Authorization Governance for Microsoft Entra ID: Enhancing compliance and governance for organizations using Microsoft Entra ID.

Orchid Security

Core Capabilities:

• Application Discovery and Inventory Management: Their initial customer landing point is application inventory, focused on finding and identifying un-managed, self-hosted, or previously unknown applications.

• Application Governance: Helping organizations govern their applications, especially after they are discovered.

• Identity and Access Analysis: They provide insights into:

  • Authentication flows and access paths.

  • Routes, authentication methods, and access happening within the applications.

  • The difference between Identity Governance and Administration (IGA) and activity via traceability.

• Risk Analysis and Compliance:

  • Applications are presented via a risk analysis dashboard.

  • They provide out-of-the-box templates, scans, and recommendations for compliance frameworks such as ISO 27001, NIST 800-53, PCI DSS, SOC 2 Type 2, GDPR, HIPAA, and SOX.

• Augmentation and Remediation: They can “augment and raise the security level” if an issue is found, particularly for legacy applications that cannot be changed, supporting inline remediation.

Solution Scenarios:

• Mergers & Acquisitions (M&A): Providing due diligence, risk analysis, and counter measures during app integration.

• Audit Failings and GRC Concerns: Addressing audit findings and Governance, Risk, and Compliance issues.

• IGA Expansion and Onboarding Acceleration: Speeding up the integration of disconnected applications.

• Understanding Out-of-Band Authentication Flows.

Readibots

Core Capabilities:

Readibots provides a platform focused on Identity Data Automation to streamline and accelerate Identity Governance and Administration (IGA) processes. They position their product as an IAM Hub built to remove manual effort and complexity from identity flows.

• Focus on Automation: Core offering is the READI platform, which focuses on automating identity data flows. This is presented as an alternative to traditional connectivity or workflow engines, aiming to solve the complexity and workflow issues commonly associated with IGA.

• IAM Hub: The platform acts as an “IAM Hub” that connects to existing systems to improve the flow and transformation of identity data.

• Data Management: They offer inline data analysis and transformation capabilities, including a feature called “Atlas,” which serves as a meta-directory or virtual directory.

Solution Scenarios:

• Addressing IGA Pain Points: They specifically target “IGA projects in distress” and enterprises that lack the ability to create complex connectors or workflows.

• Productivity and Efficiency: Aiming to remove the human element in identity flows and serving as a productive driver.

• Speed and Agility: Offering faster deployments and an adaptive platform that does not require changing existing processes.

StackBob

Core Capabilities:

Stackbob's primary focus is on IAM-infrastructure optimization and Identity Governance and Administration (IGA). Their solution implements alongside and augments existing IGA/IdP systems (like Sailpoint, MS Entra, and Ping), rather than replacing them.

• Extending Governance to Any App: They specialize in bringing applications that lack standard connectors (SCIM or APIs) into the identity workflow, offering a “No API required” and “No-Code setup” approach.

• Automating Identity Lifecycle: They help IT Admins and Department Managers streamline the joiner, mover, and leaver process (on/offboarding) and manage Role-Based Access Control (RBAC) for employees and contractors.

• Cutting License Waste: The platform helps Finance teams detect and remove unused licenses and orphaned accounts to reduce software costs.

• Streamlining Security Compliance: They help businesses achieve audit-ready compliance evidence quickly for audits like SOC 2 and ISO 27001.

• Agentic Approach: The company is moving to an “agentic and ultimately autonomous approach” to enhance workflows and manual fulfillment processes, as noted in your meeting files.

Solution Scenarios:

• Automating Provisioning for Non-Integrated Apps (Joiner/Mover/Leaver)

  • Stackbob’s agentic technology can interact with the app’s user interface or other less-conventional interfaces to automate the provisioning and de-provisioning process.

• Reducing Unused/Orphaned Software Licenses

  • The platform aggregates usage data and cost information across all managed apps to identify licenses that have low or no recent activity. It can then automate the process of either downgrading or deactivating these unused licenses, allowing teams to quickly realize savings and reduce license waste.

• Achieving Audit-Ready Compliance for All Apps

  • Stackbob centralizes the access data for all applications, even those without APIs, providing a single source of truth for all users and their permissions. This makes it possible to quickly generate the comprehensive reports and evidence needed to pass audits, proving that Identity Governance and Administration (IGA) principles are applied

Pathlock

Core Capabilities:

Pathlock's core capabilities are centered around a comprehensive Identity and Application Access Governance (AAG) suite, specifically designed for fine-grained security and compliance in business-critical applications, particularly ERP systems. The solution is built on the vision of Continuous Access Governance for the Connected Enterprise.

• Access Risk Analysis (ARA): Analyzes access risk for Segregation of Duties (SoD), Sensitive Access, and Critical Access in a single view.

• Compliant Provisioning: Automates access provisioning with risk scoring and policy-based workflows.

• Certifications: Facilitates the review of user access, roles, risks, and controls across all business applications.

• Role Management: Helps build compliant technical and business roles with risk simulation analysis.

• Elevated Access Management (EAM): Monitors privileged users, enforces controls, collects logs, and automates the review of high-risk activity.

• Continuous Controls Monitoring: Provides real-time visibility into access, risk, and control events, moving from transaction-based to risk-based audit.

• Cybersecurity Application Controls: Includes vulnerability management, threat detection and response, dynamic access controls, code scanning, and transport control.

• Fine-Grained Entitlement Granularity: The platform provides a unique competency to perform fine-grained access risk management for multiple applications (e.g., SAP, Oracle EBS), going deeper than the coarse-grained entitlements of traditional IGA tools.

Solution Scenarios:

• Replacing and Augmenting Legacy IGA and GRC Tools

  • Augment Existing IGA: Integrate with solutions like SailPoint and Microsoft Entra ID to provide the fine-grained Access Risk Analysis (ARA) for critical systems, enhancing their provisioning and certification workflows.

  • Replace Legacy Systems: Directly replace older systems by offering full Pathlock Cloud, more Out-of-the-Box (OOTB) rules, and superior multi-app capabilities (e.g., better Firefighter for emergency access).

• Continuous Compliance and Audit Automation

  • Automate Controls Testing & Ensure Audit Readiness: Provide continuous, real-time evidence and centralized, standardized monitoring of all Segregation of Duties (SoD) risks across environments (SAP, JD Edwards, Ariba).

  • AI-Driven Audit: Future capabilities include “AI-generated documentation and audit evidence” and a “Chat with Your Auditor” explainable AI interface to streamline audit responses.

• Fine-Grained Access Risk Management for Business-Critical ERPs

  • Visibility into Transaction-Level Activity: Captures granular, security-relevant user activity (page, field, transaction level) inside applications like PeopleSoft to see what a user is actually doing versus what they are provisioned to do.

  • Detailed Entitlement Granularity: For systems like Oracle EBS, Pathlock goes beyond simple roles to manage access across “App Specific Responsibilities,” “Functions Only with Prompt,” and “Consider ReadOnly Functions” to deliver precise risk reporting.

  • Non-Human Identity (NHI) Governance: Provides end-to-end governance for service accounts and agentic AI agents within ERPs, including request, provisioning, monitoring, and certification.

Zluri

Core Capabilities:

The Zluri platform is centered around its Next-Gen Identity Governance and Administration (IGA) approach, often described using the Visibility, Intelligence, Action (VIA) Model.

Visibility (SaaS Management & Discovery)

• Comprehensive Application Visibility: Discovers and tracks all applications in use, including federated, unfederated, and Shadow IT apps.

• Real-Time Usage Data: Moves beyond static identity attributes by integrating dynamic application activity data, crucial for optimization and risk analysis.

• Gen AI Discovery: Identifies and auto-classifies Generative AI (GenAI) apps like ChatGPT and Claude in use across the organization.

Intelligence (Analytics & Reporting)

• Zluri IRIS (Identity Risk Intelligence System): Provides interactive dashboards, pre-built widgets, and scheduled reports to track identity governance metrics, risk posture, and license utilization.

• App Access & Activity Intelligence: Highlights insights such as unauthorized apps in use, over-provisioned access (e.g., users with admin access who don’t use it), and unused licenses.

• License Optimization: Performs usage analysis to identify unused licenses and redundant applications, leading to significant cost savings.

Action (Automation & Governance)

• Identity Lifecycle Management: Provides Instant Onboarding and Offboarding by bridging the HR-IT gap, using centralized playbooks to automate provisioning and deprovisioning actions across various systems (e.g., Okta, GitHub, Microsoft 365).

• Access Reviews/Certifications: Simplifies audits (SOC 2, ISO 27001) with automated, evidence-based certification, where reviewer decisions are supported by actual usage data.

• Entitlement Management & Least Privilege: Offers a centralized view of roles and permissions to support accurate review decisions and continuously rightsize permissions to reduce access sprawl.

• Security & Compliance: Enables automated actions and alerts on policy violations and provides audit-ready reports.

Solution Scenarios:

Automated Onboarding and Offboarding (Identity Lifecycle Management)

• Zluri automatically triggers a pre-configured workflow/playbook based on the HR system update (e.g., Workday or HiBob). It instantly provisions or deprovisions access across all required applications (like Okta, GitHub, Microsoft 365, Slack, etc.)

Evidence-Based Access Reviews and Compliance

• Automates the process by initiating a certification campaign (e.g., “SOX ITGC Q2”). It provides reviewers with real-time usage and activity data for each user and entitlement. This “evidence-based certification” helps reviewers make accurate decisions.

SaaS Cost Optimization and Shadow IT Remediation

• Patented Discovery Engine provides complete visibility into all 1400+ applications in use (Shadow IT included). It identifies “dormant” or “inactive licensed users” who are still paying for a license but haven’t used the app in a set time (e.g., 90 days).

Book Inquiry Consultation

Curated Industry Announcements

• 1Kosmos: 1Kosmos Announces Integration Partnership with Fischer Identity

• AuthSignal: How to deploy passkeys that drive real adoption: Insights from Yubico and Authsignal

• Google: Cloud CISO Perspectives: 5 top CISO priorities in 2026

• Semperis: Acquires MightyID: Expands True Cyber Resilience Across Multi-IdP Environments

• Strata Identity: New Survey from Cloud Security Alliance, Strata Identity Finds That Enterprises Are in a “Time-to-Trust” Phase, As They Build Foundations for AI Autonomy

• Teleport: AI Infrastructure Needs an Agentic Identity Framework — We’re Building It

Identity Threat Intelligence Updates

• Stealing Salesforce OAuth Tokens using the WA

• Inside the OpenClaw Ecosystem: What Happens When AI Agents Get Credentials to Everything

• Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft

• Analyzing Workload Identity Activity Through Token-Based Hunting

• Moltbot: When your identity keeps working after you do

Book Inquiry Consultation

Up Coming Event Attendance:

• RSAC 2026 - San Francisco - March 23-26

• IDSA - Identity Management Day 2026 - April 14

• IAM Tech Day - Sao Paolo - April 22-23

• Identiverse - Las Vegas - June 15-18

Let's Meet at RSAC 2026

Free Identity Security Cheat Sheets

• Cheat Sheet: Top 30 IAM Metrics for B2C

• Cheat Sheet: Top Metrics for B2E IAM

• Cheat Sheet: MCP Security

• Cheat Sheet: Agentic-AI Identity Security

Identity Security Vendor Summary Reports

Recently Added:

• CyberArk

• HYPR

• Axiad

• FusionAuth

• Apono

• WSO2

• Hydden

Recent Content Updates

Improving the MTTA

• A deep dive into the concept of improving the mean time to access for a range of different stakeholders to a broad array of high risk systems

Our Most Recent Industry Webinar

• 3 December - Modernizing AD Protection Against Lateral Movement and Privileged Access Abuse with Silverfort

Reserve Your Seat

Our Recent Podcast Episodes

• E68 The Analyst Brief: Delinea and StrongDM, PAM and AI…

Submit Podcast Question

Our Recent Research Reports:

• The Cyber Hut: A Market Guide to Identity Security Posture Management (ISPM): The Role of Data-Centric Identity Observability

Our Recent Comments and Analyst Insight

• The Identity Underground 2026 Pulse: “From Operations to Strategic Enabler: Why IAM Must Adapt”

• Review of CrowdStrike acquiring SGNL

• Architecting Identity for a Real-time World

• Defining and Securing The Enterprise Production Stack

• Analysing Application Activity

• Building App Policies with Continuous Identity

• Why PAM Needs to Evolve

• Shifting Left of Boom in Identity

Read More Insight & Whitepapers

Our Recent Industry Webinars

• Always On, Always Aware: Building a Continuous Identity Strategy

• Identity-First Security for AI Agents with Token Security

• Addressing the IAM Data Problem: A fireside chat with Radiant Logic

• An Identity Security Playbook: The What and The Why with Silverfort

• Putting the AI in IAM a fireside chat with Apono

• Too Many IDPs: Why Now, How to Rationalize?

Watch More Webinars

Our Recent Training Academy Episodes

• 38: How does Identity and Access Management relate to Zero Trust?

• 37: What is Identity Risk Management?

• 36: What is Identity Data Management?

• 35: What are Initial Access Brokers?

• 34: What is SPIFFE?

See Training Archive

Enrol in B2C Design Bootcamp

Enrol Authentication Bootcamp

Our Recent Deep Dive Vendor Assessment Reports

Our Recent Vendor Introduction Interviews

What are digital employees? How can they help with the identity and access management ticket workload? An interview with Twine Security to find out more…

Book Vendor Interview

Our Recent Video Shorts

Order IAM and Identity Security Books on Amazon

• IAM at 2035: A Future Guide to Identity Security - Paperback, Audio, Kindle and Hardback

• CIAM Design Fundamentals - Paperback, Audio and Kindle

Download Latest 120 Vendor Directory

Curated Industry Announcements

• AWS: Exploring common centralized and decentralized approaches to secrets management

• Beyond Identity: Opens Early Access for the AI Security Suite

• Cisco: Privacy and Data Governance — Keys to Innovation and Trust in the AI Era

• Descope: Unveils Agentic Identity Hub 2.0, the Most Comprehensive Identity Platform for AI Agents and MCP Servers

• Natoma: Announce partnership with CrowdStrike

• Ory: Partners with HID to Deliver First Enterprise FIDO2 Identity Platform of the Converged Physical and Digital Era

• RSA Security: Announces New $135 Million Capital Infusion and Debt Refinancing to Accelerate AI Product Innovation and Organic Growth

• Transmit Security: The 2025 Mosaic Rewind: How AI, Standards and Smarter Defenses Shaped Identity Security

Identity Threat Intelligence Updates

• Linking Privileged Accounts to Identities in Microsoft Defender: Benefits & Use Cases

• As Strong As Your Weakest Parameter: An AI Authorization Bypass

• Understanding DocuSign Credential Harvesting Campaigns: A Case Study

Book Inquiry Consultation

Up Coming Event Attendance:

• RSAC 2026 - San Francisco - March 23-26

• IDSA - Identity Management Day 2026 - April 14

• IAM Tech Day - Sao Paolo - April 22-23

• Identiverse - Las Vegas - June 15-18

Let's Meet at RSAC 2026

Free Identity Security Cheat Sheets

• Cheat Sheet: Top 30 IAM Metrics for B2C

• Cheat Sheet: Top Metrics for B2E IAM

• Cheat Sheet: MCP Security

• Cheat Sheet: Agentic-AI Identity Security

Identity Security Vendor Summary Reports

Recently Added:

• CyberArk

• HYPR

• Axiad

• FusionAuth

• Apono

• WSO2

• Hydden

Recent Content Updates

Improving the MTTA

• A deep dive into the concept of improving the mean time to access for a range of different stakeholders to a broad array of high risk systems

Our Most Recent Industry Webinar

• 3 December - Modernizing AD Protection Against Lateral Movement and Privileged Access Abuse with Silverfort

Reserve Your Seat

Our Recent Podcast Episodes

• E67 The Analyst Brief: End of 2026 Acquisitions and Technology Consolidation

Submit Podcast Question

Our Recent Research Reports:

• The Cyber Hut: A Market Guide to Identity Security Posture Management (ISPM): The Role of Data-Centric Identity Observability

Our Recent Comments and Analyst Insight

• The Identity Underground 2026 Pulse: “From Operations to Strategic Enabler: Why IAM Must Adapt”

• Review of CrowdStrike acquiring SGNL

• Architecting Identity for a Real-time World

• Defining and Securing The Enterprise Production Stack

• Analysing Application Activity

• Building App Policies with Continuous Identity

• Why PAM Needs to Evolve

• Shifting Left of Boom in Identity

Read More Insight & Whitepapers

Our Recent Industry Webinars

• Always On, Always Aware: Building a Continuous Identity Strategy

• Identity-First Security for AI Agents with Token Security

• Addressing the IAM Data Problem: A fireside chat with Radiant Logic

• An Identity Security Playbook: The What and The Why with Silverfort

• Putting the AI in IAM a fireside chat with Apono

• Too Many IDPs: Why Now, How to Rationalize?

Watch More Webinars

Our Recent Training Academy Episodes

• 38: How does Identity and Access Management relate to Zero Trust?

• 37: What is Identity Risk Management?

• 36: What is Identity Data Management?

• 35: What are Initial Access Brokers?

• 34: What is SPIFFE?

See Training Archive

Enrol in B2C Design Bootcamp

Enrol Authentication Bootcamp

Our Recent Deep Dive Vendor Assessment Reports

Our Recent Vendor Introduction Interviews

Book Vendor Interview

Our Recent Video Shorts

Order IAM and Identity Security Books on Amazon

• IAM at 2035: A Future Guide to Identity Security - Paperback, Audio, Kindle and Hardback

• CIAM Design Fundamentals - Paperback, Audio and Kindle

Download Latest 120 Vendor Directory

Capability Matrix Entry

Web URL: https://www.cyberark.com/

Identity Type: B2E, NHI

Stakeholder Engagement: CISO, CIO, Developer

Tags: infrastructure, application, JiT, on-premises, policy, privileged access, secrets, browser, ZSP, iga

Description: “Seamlessly secure identities throughout the cycle of accessing any resource across any infrastructure, including hybrid, SaaS and multi-cloud. The CyberArk identity security platform is the first line of defense against malicious actors and unauthorized access to protect what matters most.”

CyberArk is the leading Identity Security provider that helps organizations secure all forms of digital access to critical business data and infrastructure.

Their core mission, built on a foundation of intelligent privilege controls, is to protect against the leading causes of breaches: compromised human and machine identities and credentials.

CyberArk achieves this through a unified Identity Security Platform that covers several key areas:

Read more

Delinea to acquire StrongDM

Hot on the back of CrowdStrike announcing they are to acquire SGNL, privileged access provider and more latterly AI-driven platform provider Delinea announced they are to acquire StrongDM.

Delinea (who rebranded from Thycotic after they acquired Centrify) has traditionally been focused on the privileged space, competing with the likes of CyberArk and BeyondTrust. With over 1200 employees (according to LinkedIn) and several other recent IAM related acquisitions, they are building out a strategic platform capable of delivering a range of human, non-human, privileged and now it seems authorization related use cases.

Delinea describe themselves today as:

“Delinea made Privileged Access Management (PAM) seamless. But today’s enterprises need more than just PAM. They need identity controls that are intelligent, adaptive, and measurable. Powered by Delinea Iris AI, our platform delivers centralized, risk-based authorization to discover, monitor, govern, and secure all identities.

Their other recent related acquisitions include:

• Jan 2024 ITDR Provider Authomize

• April 2024 IGA Provider Fastpath

So how does StrongDM fit in here? They describe themselves as:

“Control what happens after login. Authorization at runtime. Productivity in real time. StrongDM gives you the control PAM promised but never delivered. Enforce policy in real time, eliminate passwords, and meet developers where they are.”

Their platform delivers an access-analyse-govern set of capabilities, with the emphasis on a workstation client, gateway enforcer and central control plane. Protected resources seem typically to be in the infrastructure asset space, with a consistent zero-trust narrative for continuous and seamless access.

So what will this mean for Delinea prospects and customers and the wider identity security sector?

The Delinea press release gives a few insights. The initial paragraph sets the scene by instantly distancing Delinea from their PAM roots and places StrongDM in the just-in-time (JiT) authorization space:

“Delinea, a pioneering provider of solutions for securing human and machine identities through centralized authorization, today announced it has signed a definitive agreement to acquire StrongDM, the universal access management company purpose-built for modern engineering, DevOps, and AI-driven environments. Delinea’s leadership in enterprise privileged access management (PAM), combined with StrongDM’s just-in-time (JIT) runtime authorization capabilities and developer-first access model, will form a new class of identity security platform designed for continuous, always-on environments.”

So here we start to see a more unified platform story - Delinea catering for both people and non-humans (including agents) with StrongDM playing the card of being a “universal access management” player - which supports a broader set of stakeholders including the ever-under-pressure DevOps.

This positions Delinea to be a more protect “anything, anywhere” platform - be that humans, non-humans or agents (all of whom by design will need the use of privileged permissions) wanting to gain access to a much broader array of resources - from code to infrastructure.

The rise of AI adoption has increased the need for improved automation and JiT in ways in which both credentials and in turn permissions are assigned and removed.

So what does the combined machine let organisations achieve?

“The combination of Delinea and StrongDM reflects the evolution of traditional session-based PAM into a scalable, modern identity security control plane that governs privileged access across all human and NHIs through JIT runtime authorization. This approach enables continuous evaluation and response, which is particularly valuable for organizations delivering seamless access to cloud infrastructure, production databases, and automated CI/CD pipelines that developers demand while providing the compliance and control that security requires.”

This brings them more in line from a narrative point of view with vendors like P0 and Teleport who have capable platforms aimed to delivering JiT and cloud-centric privileged management for a broader array of stakeholders.

The acquisition is subject to customary closing conditions, including regulatory review, and is expected to close in Q1 2026. Financial terms of the transaction were not disclosed.

Curated Industry Announcements

• AuthSignal: World’s first palm crypto payment at NRF 2026

• CrowdStrike: The Architecture of Agentic Defense: Inside the Falcon Platform

• Gathid: How To Rethink Access In The Age Of Human-Machine Fusion

• One Identity: Introducing One Identity Manager 10.0

• Strata: Why Agentic AI Forces a Rethink of Least Privilege

• Teleport: Is JIT the Secret to Engineer Happiness?

Identity Threat Intelligence Updates

• Analyzing 15 Days of Telnet Honeypot Data

• Detailed Analysis of LockBit 5.0

• Insider Threats: Turning 2025 Intelligence into a 2026 Defense Strategy

Book Inquiry Consultation

Up Coming Event Attendance:

• RSAC 2026 - San Francisco - March 23-26

• IDSA - Identity Management Day 2026 - April 14

• IAM Tech Day - Sao Paolo - April 22-23

• Identiverse - Las Vegas - June 15-18

Let's Meet at RSAC 2026

Free Identity Security Cheat Sheets

• Cheat Sheet: Top 30 IAM Metrics for B2C

• Cheat Sheet: Top Metrics for B2E IAM

• Cheat Sheet: MCP Security

• Cheat Sheet: Agentic-AI Identity Security

Identity Security Vendor Summary Reports

Recently Added:

• HYPR

• Axiad

• FusionAuth

• Apono

• WSO2

• Hydden

• AuthSignal

• Entro Security

Recent Content Updates

Improving the MTTA

• A deep dive into the concept of improving the mean time to access for a range of different stakeholders to a broad array of high risk systems

Recent Webinar:

• 3 December - Modernizing AD Protection Against Lateral Movement and Privileged Access Abuse with Silverfort

Reserve Your Seat

Recent Podcasts

• E67 The Analyst Brief: End of 2026 Acquisitions and Technology Consolidation

Submit Podcast Question

Recent Research Reports:

• The Cyber Hut: A Market Guide to Identity Security Posture Management (ISPM): The Role of Data-Centric Identity Observability

Recent Insight

• Review of CrowdStrike acquiring SGNL

• Architecting Identity for a Real-time World

• Defining and Securing The Enterprise Production Stack

• Analysing Application Activity

• Building App Policies with Continuous Identity

• Why PAM Needs to Evolve

• Shifting Left of Boom in Identity

Read More Insight & Whitepapers

Recent Industry Webinars

• Always On, Always Aware: Building a Continuous Identity Strategy

• Identity-First Security for AI Agents with Token Security

• Addressing the IAM Data Problem: A fireside chat with Radiant Logic

• An Identity Security Playbook: The What and The Why with Silverfort

• Putting the AI in IAM a fireside chat with Apono

• Too Many IDPs: Why Now, How to Rationalize?

Watch More Webinars

Recent Academy Episodes:

• 38: How does Identity and Access Management relate to Zero Trust?

• 37: What is Identity Risk Management?

• 36: What is Identity Data Management?

• 35: What are Initial Access Brokers?

• 34: What is SPIFFE?

See Training Archive

Enrol in B2C Design Bootcamp

Enrol Authentication Bootcamp

Recent Vendor Assessment Reports:

Recent Vendor Introduction Interviews:

Book Vendor Interview

Recent Video Shorts:

Order IAM and Identity Security Books on Amazon:

• IAM at 2035: A Future Guide to Identity Security - Paperback, Audio, Kindle and Hardback

• CIAM Design Fundamentals - Paperback, Audio and Kindle

Download Latest 120 Vendor Directory