COMMENTARY: Companies still clinging to legacy identity and access management (IAM) are one breach away from disaster. Conventional IAM platforms are thoroughly outmatched in today’s hyperconnected, cloud-centric world.What’s worse, the explosion of non-human identities (NHIs), such as API keys, service accounts, bots and AI agents, has turned identity governance into a ticking timebomb for every enterprise.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]The next IAM frontier requires intelligence-based systems that make evidence-based decisions, not just enforce predefined rules and rule sets. AI-native IAM, with real-time continuous reasoning capabilities, has emerged to combat today’s identity risks. AI-native IAM might prompt the question: Do we need to hire staff with extensive AI knowledge to run it?No. Today’s advanced AI-native IAM tools lower the barrier-to-entry, turning junior analysts into near-expert defenders by surfacing context, automating grunt work, and allowing humans to focus on true risk, not repetitive drudgery.Integrating AI-native IAM isn’t about tossing away current cybersecurity investments overnight: it’s about augmenting them.Teams can overlay AI-native tools on existing legacy stacks, starting with the biggest painpoints: access reviews, access requests, and lifecycle management. Let AI identify and fix issues and escalate “gray area” decisions to human review. Over time, as results roll in and trust grows, operators can give AI more autonomy because it will have earned it.There's no longer time for incrementalism. Attackers move fast, wielding automation to exploit every overlooked identity, both human and non-human. If defenders don’t match their speed and adaptability, breaches will only become more frequent and more damaging. It’s time to admit that traditional IAM is obsolete. AI-native IAM will likely become the new standard: the sooner enterprises act, the sooner they’ll stop playing catch-up.Every CISO and security leader must face reality: they can’t manage digital identity sprawl without AI, and attackers know it. The age of AI-native identity security has arrived, and it won’t wait for companies to catch up. The future belongs to those who take control now.Ofir Yakovian, co-founder and CTO, Fabrix SecuritySC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Identity: The new battleground
Today, identity has become a primary attack surface. Every API credential represents a potential open door for attackers. In fact, for every single human employee, there may be 92 or more NHIs with possible unauthorized access to mission-critical systems. Unlike people, NHIs have no human managers, no one to request or review their access, leading to gaps of oversight.Yet, NHIs are not the only risk. Forgotten accounts, over-permissioned access, inconsistent or poor identity security lifecycle monitoring and management create attack opportunities for motivated adversaries. Many organizations lack the necessary visibility needed to address all these security gaps.Legacy IAM doesn’t cut it anymore
Traditional IAM tools were architected for static, predictable environments, not today’s hybrid environments and decentralized teams. Human-driven access reviews and validation of privileges, already error-prone and labor-intensive, become outright irresponsible when multiplied across thousands of ephemeral identities, including ephemeral machine identities.These legacy IAM tools are event driven and, as a result, they are reactive. By the time an over-permissioned account gets flagged, compliance is blown, or an organization’s data could be on the dark web. This isn’t just inefficient: it’s an unacceptable risk.AI-native security: The path forward
AI-native IAM was designed from the ground up for IAM, using AI, that offers continuous reasoning, which means always-on agents that can evaluate context, policy and behavior to make proactive decisions in near real time.This isn’t hype: it’s an imperative for any organization that wants to secure modern infrastructure. AI-native IAM fundamentally redefines governance. Instead of relying on brittle, rule-based workflows, AI-native IAM tools perform continuous risk assessment, detect toxic combinations of permissions in real time, and dynamically adjust access as business needs and threats evolve, while protecting business velocity and adhering to company policies. AI-native IAM tools don't just automate tasks, they understand, reason and adapt based on the evolving identity data, which is always changing.Unlike traditional IAM tools, AI-native IAM tools offer:- Scalable, real-time governance: Forget chasing spreadsheets and open tickets. AI-native IAM handles identity sprawl, from disconnected legacy applications to multi-cloud stacks, with unmatched speed and accuracy.
- Continuous, proactive protection: AI never tires. It promises to monitor identity behavior, flags anomalies, and remediates excessive privileges before an attacker can exploit them.
- Adaptive policy enforcement: Permissions are no longer static. Access rights evolve as users’ roles or behaviors change, without costly human intervention.
