Access under attack: Rethinking identity as the new cyber battleground

In a recent SC Media webcast, host Adrian Sanabria spoke with Rich Dandliker, Chief Strategy Officer at Veza Technologies, Inc., about the realities of identity security going into 2026 -- from the chaos of excessive access and shadow permissions to the mounting attacks exploiting identity systems themselves. 

The conversation traced the evolution of identity management, which once focused on IT operations and account provisioning, to its critical new role at the heart of cybersecurity.

Dandliker highlighted the shift driven by cloud adoption and zero trust principles, where identity is no longer just an IT concern but a strategic security imperative. He observed ongoing transitions in organizations, with some still managing identity under IT departments, while others now prioritize it under security teams.

One of the central challenges discussed was the journey toward enforcing least privilege—limiting access to just what users or workloads need. Richard emphasized that achieving least privilege is complex, requiring visibility into both human and non-human identities, like service accounts, enterprise applications, and emerging agentic AI. Traditional tools often struggle to provide comprehensive visibility, especially as AI begins to inherit human permissions and scopes.

The webcast also addressed the need for frameworks and maturity models, encouraging organizations to assess their standing in identity security.

Dandliker introduced a model based on NIST CSF, featuring three pillars: true permissions (“who can”), actual usage (“who has”), and policy guidance (“who should”). Automation, continuous monitoring, and adaptability were identified as necessary to manage risk amid growing complexity.

The session concluded with practical recommendations: regularly assess identity security maturity, prioritize automation, and prepare for the rapidly increasing influence of agentic AI. By embracing dynamic models and robust frameworks, organizations can better safeguard against evolving identity-related threats in the digital era.