Trusted news and views on cybersecurity

With identity-based threats on the rise, how do you see the role of identity security evolving in modern cybersecurity strategies?

Identity security has gone from being just one piece of cybersecurity to being the foundation. Attackers aren’t breaking in anymore—they’re logging in and using stolen credentials, over-permissioned accounts, or AI-driven phishing attacks that are scarily convincing.

The future of cybersecurity is about identity-first security. That means enforcing least privilege access, so access isn’t accumulating over time, and managing every identity—whether it’s human, bot, or AI. Organizations also need full visibility into who has access to what across all applications. If you don’t know that, you’re flying blind. In 2025, protecting identity is protecting the business.

Many organizations are shifting to an ‘identity-first’ security approach. What challenges do organizations face in implementing this model, and how can they address them?

One big challenge? Cultural resistance. Businesses and people don’t love having their access restricted, even if it’s for security. A fix? Strong identity governance-automated least privilege enforcement and clear communication. Show teams that tighter identity controls aren’t about slowing them down—they’re about keeping organizations safe.

The survey indicates that AI is playing a growing role in identity governance. How can organizations leverage AI for identity threat detection and risk mitigation?

AI in identity governance is like having a security guard who never sleeps, never takes coffee breaks, and understands your environment better than you do. One of the biggest challenges in identity security is knowing exactly what access an identity should have—and enforcing that across every application in the enterprise. Manually managing this at scale is impossible, which is why AI-powered solutions are becoming essential. AI can analyze patterns, detect excessive permissions, and automate least privilege enforcement, reducing the attack surface. Without AI, organizations sometimes guessed—and in cybersecurity, guessing can result in something being missed.

With the increasing sophistication of insider threats, what measures should organizations take to balance security with user experience while managing internal access controls?

Insider threats are tough—because these users already have access. Lock things down too much, and productivity grinds to a halt. Leave things too open, and you're inviting risk. The key is making sure the business understands why users have the access they do. That starts with clear entitlement and role descriptions—so there’s no guesswork about who needs what. Organizations also need to prevent access creep—employees shouldn’t accumulate permissions as they change roles. And with privileged accounts, bots, and AI agents expanding the attack surface, it’s critical to map out effective access across identities, not just humans.

What are the key metrics or indicators you recommend measuring the effectiveness of an identity security program?

Measuring identity security isn’t just about counting how many accounts you’ve locked down—it’s about understanding who has access to what and whether that access makes sense. Some key metrics to track:

• Percentage of users with least privilege access: Are employees only getting the access they actually need?
• Access creep rate: How often do users retain old permissions when they change roles?
• Time to revoke access: How quickly are accounts deprovisioned when someone leaves or changes jobs?
• Privileged access visibility: Do you know who owns, the purpose and access for every privileged account, including bots and AI agents?
• Orphaned accounts: How many unused accounts are floating around, waiting to be exploited?
• Percentage of applications under identity management: How many apps are actually covered by identity security controls? If you’re only managing a fraction, the rest are blind spots.

If you’re not tracking these, you’re not measuring identity security—you’re just hoping for the best.