Paul Zolfaghari is President of Saviynt, a leader in cloud identity security and management solutions.
If change is the only constant, it’s never been more true than in the arena of identity governance and access management. In just a handful of years, identity access management (IAM) has grown into what is now known as “identity security,” demonstrating that it is now a central tenant of modern cybersecurity strategies.
In navigating this complex new world of identity security, we’ll explore some of the key factors that need attention to protect and enable your organization.
The Expanding Landscape Of Identity Regulations
Regulations governing identity and access management have greatly multiplied. In the U.S., companies navigate a web of long-standing mandates such as the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).
Adding to this complexity, recent federal directives, including President Biden’s Executive Order on Improving the Nation’s Cybersecurity (which has gone untouched by the Trump Administration), have elevated standards for identity governance and access controls across federal agencies and their partners.
Globally, the regulatory footprint is equally demanding. The EU’s General Data Protection Regulation (GDPR) remains one of the world’s most comprehensive data protection laws, imposing steep penalties for noncompliance. Simultaneously, countries across Asia-Pacific and Latin America have introduced or expanded privacy, cybersecurity and digital identity laws, each with its own compliance obligations.
For enterprises operating across regions and sectors, the cumulative effect is clear: The regulatory environment surrounding identity security is more layered and complex than ever, giving rise to new approaches enabled by artificial intelligence to help enterprises navigate this intricate landscape.
The Identity Explosion And Threat Growth
In past years, the majority of identity management challenges revolved around managing human identities. Today, the challenge is infinitely more complicated. A person can have dozens of digital identities across personal and professional accounts, cloud services and applications. More startling is the proliferation of machine or non-human identities (NHIs). These are service accounts, bots, APIs and agentic AI. NHIs reportedly outnumber human identities by a factor of 45 to 1 and are growing. This explosion of identities creates a sprawling attack surface for malicious actors.
The 2025 Verizon Wireless Data Breach Investigations Report underscores the need for modern, forward-thinking identity security in enterprises. Key points include:
• Sixty percent of breaches involved a human element. Of these, 32% involved credential abuse, the top initial access vector.
• Thirty percent of human-related breaches involved third-party identities, nearly double from last year.
• Eighty-eight percent of web application attacks used stolen credentials.
• Eighty-nine percent of GenAI use on company devices was done outside of corporate purview.
Statistics like these serve as a call for organizations to elevate their manual and disconnected IAM efforts into a comprehensive, modern identity security system.
The Stakes: Beyond Financial Penalties
In addition to significant financial penalties, there are other potential consequences of noncompliance that can lead to more damaging and longer lasting impacts.
Failure to follow IAM regulations and protocols can now affect business integrity; organizations risk operational disruptions, reputational damage and, most importantly, the erosion of customer trust. In an era where data is the new currency, safeguarding customer data is essential to long-term viability and future growth.
Every organization can benefit from an objective audit of its existing cybersecurity and identity management solutions and processes. There is so much changing so quickly that companies cannot assume that decisions made several years ago can necessarily prepare them for the future, let alone the present. Having an expert look at how your organization is addressing these issues can provide companies with actionable insights to evaluate. This assessment could include questions like:
• How reliable is our identity data quality?
• Do we have complete ownership info for every app and system?
• Are role definitions, entitlement descriptions and access classifications accurate and current?
• Are all apps and identities covered?
• As new technologies are adopted (including external users or non-human identities like bots and AI agents), are they being onboarded into our identity security system—or are they left unmanaged?
• Is our compliance process continuous?
• Are we audit-ready year-round or scrambling to prepare when regulations tighten?
Once you’ve answered these questions, here are three key strategies to implement:
1. Reframing Identity
The first step is acknowledging the multifaceted nature of identities today. A person now holds numerous digital identities across platforms, and non-human machine identities operate at a scale previously unimaginable.
In sectors like healthcare and education, individuals often assume multiple roles, each with distinct access requirements. This further complicates management. In this new reality, organizations need a unified identity security platform to manage the complexities of all identities effectively, streamlining and simplifying access controls and enhancing security.
2. Embracing Zero Trust
The traditional perimeter-based security model is gone. Today, identity is the new perimeter, and identities aren’t contained within a building or even a region. A zero-trust approach to identity security is anchored in the principles of “never trust, always verify,” enforcing least privilege access and continuous monitoring and adaptive controls that assume a breach. This paradigm shift ensures that every access request is scrutinized, mitigating potential threats before they materialize.
3. Harnessing AI For Compliance And Security
Artificial intelligence has emerged as a formidable ally for identity security. AI-driven systems facilitate automated compliance audits, ensuring adherence to evolving regulations without the burden of manual oversight.
AI enables dynamic policy enforcement, with just-in-time access controls that adjust in real time based on contextual factors. AI’s predictive analytics can identify potential compliance risks and detect anomalies, offering a preemptive strike against emerging threats.
AI is increasingly used in modern identity security posture management (ISPM). ISPM is a framework that focuses on continuously monitoring, assessing and improving the security of an organization’s identity infrastructure to ensure that user identities, permissions and access align with the organization’s security policies. AI can analyze vast amounts of data to identify suspicious activities and potential vulnerabilities before they can be exploited.
In short, AI strengthens the human gatekeeper—amplifying the impact of security teams and helping them outpace increasingly sophisticated, AI-powered threats.
Final Thoughts
By reframing our understanding of identity, adopting a zero-trust approach and leveraging the power of AI’s capabilities, organizations can master the complexities of identity security compliance. Beyond this, they can lay the foundations for future innovation and growth.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
