At the recent Gartner IAM Summit, keynote speakers compared enterprise identity and access management (IAM) to the structure of an apple, with identity at its core.
Despite this, analyst firms still rate 65% of organizations’ IAM maturity as low.
Cyber resilience is built on identity security
A key element of cyber resilience includes creating an integrated and flexible architecture for managing digital identity and access across the organization. This should include employees, customers, partners, apps, APIs, devices, and AI agents. Gartner and most analysts and IAM experts refer to this architecture as the identity fabric.
According to Gartner, only 7% of organizations achieve this highest level of IAM maturity.
Why is IAM maturity important?
Simply put, identity and access management enables a company’s supply chain to function. IAM provides a layer of control to reduce the risks posed by third parties.
The exponential growth of machine identity and agent AI requires new strategies, including the adoption of identity fabrics that support pre-emptive security approaches.
Rather than identity being handled by many disconnected tools, the identity fabric weaves identity services together so that they work consistently everywhere. The benefits of this approach are that it provides a better user experience, reduces the risk of privilege escalation attacks, and allows organizations to manage access to legacy technologies that may not be compatible with modern IAM.
Please proceed with caution
A surprising takeaway from the Gartner IAM Summit was the message to “proceed with caution” when it comes to implementing AI-driven identity tools.
Using AI as an abstraction layer provides a powerful tool for building a unified identity platform. AI can quickly analyze the data contained in each component of a company’s identity fabric.
Within Identity Fabric, AI and machine learning dynamically adjust security measures to new threats and strengthen risk-based authentication enforcement.
This approach extends a company’s investments in existing IAM, IGA, PAM, AD management, and other identity tools rather than replacing them.
So why the warning?
Prompt with context
To understand Gartner’s warning, you need to understand how context-dependent Agent AI prompts are.
I often use the analogy of releasing a genie from a bottle. I can make three wishes come true. However, you need to be especially careful about how you ask for what you want.
Improperly phrasing a request without taking into account the necessary context can have completely unintended and undesirable consequences.
A commonly cited example is a prompt that asks LLMs, “How do I get cheese to stick to pizza?” The AI does not understand that pizza and cheese are edible and responds by suggesting the use of Elmer’s School Glue.
If you like this content…
When integrating ID tools, it’s important to use industry-specific prompts with the necessary context. Organizations need to create an AI abstraction layer. AI abstraction layers are not incomprehensible, inflexible blobs that reduce visibility, pose a risk of non-compliance, and create security gaps over time.
Applying machine learning and agent AI to identity security offers significant pre-emptive security benefits. However, the rules governing an AI-powered identity fabric must be clearly defined and the limits properly set.
What does this mean for CIOs?
Regardless of the industry in which you work, all CIOs are tasked with improving cyber resiliency.
The first priority is to harden the enterprise’s attack surface. This includes reviewing risks posed by SaaS apps, cloud services, machine identities, agent AI, remote workers, suppliers, partner organizations, and customers.
The next step is to communicate to the board that despite the hardening of the attack surface, a breach can still occur. Instill a culture of risk awareness at every level of your organization and use this awareness to improve your ability to respond quickly and recover.
Collaborate with colleagues across all departments to ensure identity security supports compliance with increasingly stringent regulations worldwide.
The fourth element of cyber resilience is hardening the entire ecosystem against more sophisticated and automated attacks. Defense measures need to become more automated, integrated, and agile. With the rise of AI-based attacks, traditional detection and response methods are taking too long. Gartner predicts that by 2030, more than half of IT security spending will be allocated to preemptive security technologies.
How AI-powered identity security supports cyber resilience
IT administrators may defer to their superiors’ judgment when implementing privileged access management rules. This human characteristic has been regularly exploited in spear phishing attacks. As reported by Think Digital Partners, the risk is increasing with the advent of AI-powered audio and video deepfakes that perform vishing and whaling attacks against senior executives’ login credentials.
However, the agent AI tools that handle the access removal and rehydration process cannot be bullied into bending the rules, even by the most senior colleagues.
Applying agent AI and machine learning can facilitate full adoption of zero trust policies and generate greater ROI with passwordless technology.
Automated, circular improvement processes can be achieved by analyzing the entire enterprise ecosystem to understand who is using what, when and where, and using machine learning and AI to change and adapt policies and governance.
In response to the exponential growth in machine identities, AI models can be integrated into the identity fabric to increase visibility and monitoring of identity assets.
Speak the language of the boardroom
Cyber resilience protects your bottom line by minimizing outages and preventing catastrophic business interruptions, thereby increasing customer trust and your company’s reputation.
The role of the CIO is shifting from a sole focus on technology to run the business more efficiently and profitably to a business risk leader who protects the organization from disruption.
AI provides powerful tools to strengthen cyber resilience and strengthen defenses against increasingly sophisticated and automated attacks. However, as Gartner warned at the IAM Summit, “AI cannot make decisions about your security posture on the fly.” CIOs and IAM leaders are needed for that critical governance and oversight process.
