Applying AI in IAM? “Proceed with caution” prompt with context


At a recent Gartner IAM Summit, the keynote speaker likened enterprise identity and access management (IAM) to the structure of an apple, with identity at the core.

Despite this, the analyst firm assesses that 65 percent of organisations’ IAM maturity remains low.

A key element of cyber resilience involves creating a unified, flexible architecture for managing digital identities and access across an entire organisation. This needs to encompass employees, customers, partners, apps, APIs, devices, and AI agents. Gartner, and most analysts and IAM experts, refer to this architecture as the Identity Fabric.

In Gartner’s view, just seven percent of organisations have achieved this highest level of IAM maturity.

Quite simply, identity and access management enables enterprise supply chains to function. IAM provides the control layer for mitigating the risks posed by third parties.

The exponential increase in machine identities and agentic AI demands new strategies, including adopting identity fabrics to support pre-emptive security approaches.

Instead of identity being handled by many disconnected tools, an identity fabric weaves identity services together, so they work consistently everywhere. The benefits of this approach are that it improves the user experience, reduces the risk of privilege escalation attacks, and allows organisations to manage access to legacy technologies that may not be compatible with modern IAM.

A surprising takeaway from the Gartner IAM Summit was the message to “proceed with caution” when it came to implementing AI-driven identity tools.

When used as an abstraction layer, AI provides a powerful tool for building a converged identity platform. AI is able to rapidly analyse data contained in each of the components of an enterprise’s identity fabric.

Within an identity fabric, AI and machine learning dynamically adjust security measures to new threats, augmenting the enforcement of risk-based authentication.

Rather than replacing identity tools, this approach extends an enterprise’s investment in existing IAM, IGA, PAM, AD management, and other identity tools.

So why the warning?

To understand Gartner’s caveat, we need to appreciate the extent to which agentic AI prompts depend on context.

I tend to use the analogy of releasing a genie from a bottle. You’re granted three wishes. But you need to be exceptionally careful about how you ask for what you wish for.

Phrasing your requests in the wrong way, without the necessary context, can result in completely unintended and undesirable outcomes.

The example often cited is the prompt which asks an LLM, ‘How do I make the cheese stick to my pizza?’ The AI, not understanding that pizza and cheese are intended to be edible, responds by suggesting using Elmer’s School Glue.

When integrating identity tools, it is vital to use industry-specific prompts with the necessary context. Organisations need to create an AI abstraction layer, not an incomprehensible, inflexible mass that reduces visibility, risks non-compliance, and introduces security gaps over time.

There are enormous pre-emptive security benefits to be gained from applying machine learning and agentic AI to identity security. However, the rules governing an AI-powered identity fabric must be very well-defined and restrictions set up correctly.

What does this mean for CIOs?

Regardless of the industry they work in, all CIOs are tasked with improving cyber resilience.

The first priority is to harden the enterprise attack surface. This involves reviewing the risks posed by SaaS apps, cloud services, machine identities, agentic AI, remote workers, suppliers, partner organisations, and customers.

The next step is to communicate to the board that, in spite of a hardened attack surface, a breach is still likely to occur. Instil a risk-aware culture at all levels of the organisation and use this awareness to improve rapid response and recovery capabilities.

Work with colleagues in all departments to ensure that identity security aids compliance with tightening global regulations.

The fourth element of cyber resilience is to fortify the entire ecosystem against more sophisticated and automated attacks. Defensive measures need to be more automated, integrated and faster. With the rise of AI-based attacks, traditional detection and response methods have become too slow. Gartner predicts that this will result in more than half of IT security spending being allocated to pre-emptive security technologies by 2030.

IT administrators may defer to superiors when implementing privileged access management rules. This human trait has been regularly exploited in spear phishing attacks. As Think Digital Partners reported, the risk has increased with the emergence of AI-powered audio and visual deepfakes used in vishing and whaling attacks targeting senior executives’ login credentials.

However, an agentic AI tool handling the access removal and rehydration process cannot be bullied into bending the rules, even for the most senior colleagues.
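The two points above, that the rules governing an AI-powered identity fabric must be well-defined with restrictions set up correctly, and that an agent handling access changes should not be able to be talked into bending them, come down to one design decision: the hard policy is deterministic code, and the model's output is advisory and can only tighten an outcome. The example below is added here to illustrate that design and is not code from the article or from any vendor it mentions. The policy data (role names, separation-of-duties pairs, the approval rule) and the shape of the `ai_recommendation` dict are constructed assumptions.

```python
"""Deterministic guardrails around an AI-assisted access-change workflow.

Added example (not from the article). The AI component may only add a
denial reason; every grant passes the same fixed checks regardless of who
asks, how senior they are, or what the model recommends.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    GRANT = "grant"
    REVOKE = "revoke"


@dataclass(frozen=True)
class AccessRequest:
    subject: str                 # identity whose entitlement changes
    role: str                    # entitlement name
    action: Action
    requester: str
    requester_title: str         # recorded for audit, never consulted in the decision
    justification: str = ""
    ticket: str = ""             # change/approval reference
    approvals: frozenset = frozenset()


@dataclass
class Decision:
    allowed: bool
    reasons: list


# Constructed policy data for illustration; a real deployment would load this
# from the organisation's IGA/PAM configuration.
PRIVILEGED_ROLES = {"domain-admin", "prod-db-owner", "payments-approver"}
SOD_CONFLICTS = {("payments-requester", "payments-approver")}
REQUIRED_CONTEXT = ("justification", "ticket")
AI_RISK_DENY_THRESHOLD = 0.8


def evaluate(request: AccessRequest,
             directory: dict,
             ai_recommendation: Optional[dict] = None) -> Decision:
    """Apply fixed policy to a request; `ai_recommendation` is advisory only.

    `directory` maps identity -> set of roles currently held.
    `ai_recommendation` is an assumed shape such as
    {"approve": bool, "risk_score": float, "rationale": str}.
    """
    reasons = []

    # Removing access never needs approval: failing closed is the safe default.
    if request.action is Action.REVOKE:
        return Decision(True, ["revocation permitted without approval"])

    # 1. A grant must carry the context an approver needs to understand it.
    for field_name in REQUIRED_CONTEXT:
        if not getattr(request, field_name).strip():
            reasons.append(f"missing required context: {field_name}")

    # 2. Separation of duties against roles the subject already holds.
    held = directory.get(request.subject, set())
    for a, b in SOD_CONFLICTS:
        if (request.role == a and b in held) or (request.role == b and a in held):
            reasons.append(f"separation of duties: {a} conflicts with {b}")

    # 3. Privileged roles need two approvers who are neither requester nor subject.
    if request.role in PRIVILEGED_ROLES:
        independent = {p for p in request.approvals
                       if p not in (request.requester, request.subject)}
        if len(independent) < 2:
            reasons.append("privileged role requires two independent approvals")

    # 4. The model's output can add a denial reason but never removes one.
    #    requester_title is deliberately ignored: seniority buys nothing here.
    if ai_recommendation is not None:
        score = ai_recommendation.get("risk_score", 0.0)
        if score >= AI_RISK_DENY_THRESHOLD:
            reasons.append(f"ai: risk score {score:.2f} above threshold")

    return Decision(allowed=not reasons, reasons=reasons or ["all policy checks passed"])


def demo() -> dict:
    """Constructed scenarios; returns decisions keyed by scenario name."""
    directory = {"alice": {"payments-requester"}, "ceo": {"employee"}}
    model_says_yes = {"approve": True, "risk_score": 0.1, "rationale": "senior exec"}
    model_high_risk = {"approve": False, "risk_score": 0.92, "rationale": "new device"}

    exec_self_grant = AccessRequest(
        subject="ceo", role="domain-admin", action=Action.GRANT,
        requester="ceo", requester_title="Chief Executive Officer",
        justification="urgent, board meeting in 10 minutes")
    sod_grant = AccessRequest(
        subject="alice", role="payments-approver", action=Action.GRANT,
        requester="bob", requester_title="Finance Manager",
        justification="cover for leave", ticket="CHG-0001",
        approvals=frozenset({"carol", "dave"}))
    clean_grant = AccessRequest(
        subject="erin", role="prod-db-owner", action=Action.GRANT,
        requester="bob", requester_title="Platform Lead",
        justification="on-call rotation", ticket="CHG-0002",
        approvals=frozenset({"carol", "dave"}))
    revoke = AccessRequest(
        subject="erin", role="prod-db-owner", action=Action.REVOKE,
        requester="bob", requester_title="Platform Lead")

    return {
        "exec_without_approvals": evaluate(exec_self_grant, directory, model_says_yes),
        "sod_conflict": evaluate(sod_grant, directory, model_says_yes),
        "clean_grant": evaluate(clean_grant, directory, model_says_yes),
        "clean_grant_ai_high_risk": evaluate(clean_grant, directory, model_high_risk),
        "revoke": evaluate(revoke, directory),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'ALLOW' if decision.allowed else 'DENY'} - {decision.reasons}")
```

The point of the structure is that the senior-executive request is refused for the same reasons as any other: it lacks a ticket and two independent approvals, and a model recommendation of "approve" has no path to override that. Conversely, a request that passes every fixed check can still be refused when the model's risk score is high, which is the "tighten only" direction the article describes for risk-based enforcement.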

Applying agentic AI and machine learning aids the full adoption of zero-trust policies, which can, in turn, yield greater ROI on passwordless technologies.

Automated, cyclical improvement processes could result from analysing an entire enterprise ecosystem to understand who uses what, when, and where, and then using machine learning and AI to modify and adapt policies and governance.

In response to the exponential growth of machine identities, AI models may be integrated into identity fabrics to provide additional visibility and oversight of the identity estate.

Cyber resilience protects revenue by minimising outages and preventing catastrophic business disruption, thereby improving customer trust and company reputation.

The CIO role is shifting from focusing solely on technologies that operate the business more efficiently and profitably to becoming a business risk leader, protecting the organisation from operational disruption.

AI offers powerful tools to increase cyber resilience and defence against increasingly sophisticated and automated attacks. However, as Gartner warned at the IAM Summit, “AI cannot make decisions on the fly for your security posture.” CIOs and IAM leaders are required for that crucial governance and oversight process.

By Christine Horton
