Understanding Identity and Access Management Risks in a Modern Threat Landscape
Digital security is shifting. As organisations move to cloud, automation, and AI, the traditional perimeter is fading – and identity is taking its place as the new frontline. Every user, system, and now AI agent represents a potential access point, making identity the critical control layer for modern security.
Yet many organisations still treat identity as a secondary concern rather than a strategic priority. This is where identity and access management challenges begin to surface, often quietly, but with significant consequences. This article explores why identity has become the new security perimeter, where organisations are falling short, and what it takes to regain control in an increasingly complex, identity-driven world shaped by growing identity and access management risks.
Identity as the New Security Perimeter
In today’s digital landscape, identity has quietly become the most critical layer of security – yet it remains one of the least understood. This lack of understanding is at the core of many identity management challenges organisations face today. The definition of identity has evolved far beyond employees and logins. It now includes applications, services, and increasingly, AI-driven agents, and these agents introduce a new level of complexity. They can act, make decisions, and in some cases communicate on behalf of humans. Unlike traditional systems, they are continuously learning and adapting – making them both powerful and unpredictable.
“Identities today are not only humans, but also machines. In fact, there are now more machine identities than people in most environments,” explains Mikael Järpenge, Cybersecurity CTO at NetNordic.
This shift also changes the role of humans. Instead of executing tasks directly, people are increasingly responsible for overseeing and guiding these digital actors. This requires an updated mindset, where AI agents are no longer seen merely as tools, but as identities that must be properly governed.
The Overlooked Risks: Identity and Misplaced Priorities
Despite growing awareness of cyber threats, many organisations still misunderstand where risk truly begins. “The majority of breaches start with stolen identities,” states Björn Björkman, Cybersecurity Solution Advisor at NetNordic. Once attackers gain access to an identity, they don’t need to break in – they simply log in, allowing them to move across systems, access sensitive data, and operate as trusted users. These scenarios highlight some of the most critical identity and access management risks organisations face today.
Yet many organisations continue to prioritise infrastructure security – firewalls, endpoints, and networks – while overlooking identity behaviour. They monitor systems, but not who is accessing them or how, creating a dangerous blind spot where activity is happening, but no one is really watching it.
At the same time, there is a persistent belief that security can be solved by adding more tools. In reality, most organisations already have what they need; the issue lies in how those tools are configured and managed. Misconfigurations, unclear ownership, and limited understanding of how attacks unfold create gaps that can be easily exploited.
This often results in organisations investing in new solutions rather than improving existing ones – adding complexity without meaningfully reducing risk. Even widely adopted measures like multifactor authentication are frequently misunderstood: while essential, they represent only a starting point, not a guarantee of security.
The Challenge of Managing Access
As organisations grow, so does the complexity of their identity landscape. Accounts are not always removed when employees leave. Access accumulates over time. Machine identities lack clear ownership. And increasingly, AI agents are introduced without proper governance. Over time, this creates an environment where access is widespread, poorly controlled, and difficult to oversee.
This growing complexity is compounded by a lack of meaningful visibility. While logs and monitoring tools may be in place, they are often not focused on identity-driven activity. Organisations may collect vast amounts of data, but lack the context needed to interpret whether behaviour is expected, risky, or anomalous. Without a clear view of how identities interact with systems over time, it becomes difficult to detect subtle signs of misuse or compromise.
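The visibility gap described above is concrete: the raw data (an HR roster, an account inventory and access logs) usually exists, but nobody joins it by identity. The following Python script is an added illustration, not code from the article or from NetNordic, of what an identity-centric review looks like. All data in it is constructed for the example; the three checks it runs are the ones the paragraph above alludes to: accounts whose owner has left or was never assigned (including a machine identity with no owner), entitlements that were granted but never exercised in the review window, and activity by an account whose owner has been terminated.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): an HR roster, an account
# inventory with granted entitlements, and identity-centric access log lines.
HR_ROSTER = {
    "alice": {"status": "active", "role": "finance"},
    "bob": {"status": "terminated", "role": "engineering"},
}

ACCOUNTS = [
    {"account": "alice", "type": "human", "owner": "alice",
     "entitlements": {"erp-read", "erp-approve", "vpn"}},
    {"account": "bob", "type": "human", "owner": "bob",
     "entitlements": {"git-push", "vpn"}},
    # Machine identity with no assigned owner: nobody is accountable for it.
    {"account": "svc-backup", "type": "machine", "owner": None,
     "entitlements": {"storage-admin"}},
    # AI agent owned by a human; it is treated as an identity like any other.
    {"account": "agent-invoice-bot", "type": "ai-agent", "owner": "alice",
     "entitlements": {"erp-read", "erp-approve"}},
]

# Constructed log lines: timestamp, account, entitlement used, resource.
ACCESS_LOG = """\
2024-05-01T09:00:00 alice erp-read erp-prod
2024-05-02T09:15:00 alice vpn vpn-gw
2024-05-03T22:10:00 bob vpn vpn-gw
2024-05-20T03:00:00 svc-backup storage-admin storage-prod
2024-05-21T10:00:00 agent-invoice-bot erp-read erp-prod
2024-05-28T10:05:00 agent-invoice-bot erp-approve erp-prod
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, account, entitlement, resource = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "entitlement": entitlement, "resource": resource})
    return events


def orphaned_accounts(accounts, roster):
    """Accounts with no owner, or whose owner is no longer an active employee."""
    found = []
    for acct in accounts:
        owner = acct["owner"]
        if owner is None or roster.get(owner, {}).get("status") != "active":
            found.append(acct["account"])
    return found


def stale_entitlements(accounts, events, now, max_idle_days=30):
    """Entitlements that were granted but not exercised within the review window.

    Access that is never used is access that can be removed (least privilege).
    """
    last_used = {}
    for ev in events:
        key = (ev["account"], ev["entitlement"])
        last_used[key] = max(last_used.get(key, ev["ts"]), ev["ts"])
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for acct in accounts:
        for ent in sorted(acct["entitlements"]):
            used = last_used.get((acct["account"], ent))
            if used is None or used < cutoff:
                stale.append((acct["account"], ent))
    return stale


def activity_after_termination(events, roster, accounts):
    """Access events by accounts whose human owner has been terminated."""
    owner_of = {acct["account"]: acct["owner"] for acct in accounts}
    hits = []
    for ev in events:
        owner = owner_of.get(ev["account"])
        if owner and roster.get(owner, {}).get("status") == "terminated":
            hits.append((ev["account"], ev["ts"].isoformat()))
    return hits


def identity_review(now, max_idle_days=30):
    """Join roster, inventory and logs by identity into one review report."""
    events = parse_log(ACCESS_LOG)
    return {
        "orphaned": orphaned_accounts(ACCOUNTS, HR_ROSTER),
        "stale": stale_entitlements(ACCOUNTS, events, now, max_idle_days),
        "post_termination": activity_after_termination(events, HR_ROSTER, ACCOUNTS),
    }


if __name__ == "__main__":
    for finding, items in identity_review(datetime(2024, 6, 1)).items():
        print(finding, items)
```

None of the three checks needs a new product; they need the existing log source, the account inventory and the HR system to be joined on the identity rather than on the host, which is exactly the context the paragraph says is usually missing.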
AI Agents: A New Identity Challenge
The rapid introduction of AI agents is accelerating the need for better identity management as well. “One emerging mistake is that organisations introduce AI agents into their environments without treating them as identities. If an AI agent can read data or trigger actions in systems, it effectively becomes a new type of digital actor that also requires control and governance as any other identity,” says Björkman.
Without proper controls, these agents can access sensitive information and perform actions at scale – making them both valuable and potentially risky. Treating them as identities is the first step. Defining their access, limiting their permissions, and monitoring their behaviour must follow.
Next Steps: Rethinking Identity Management
Identity management is still too often treated as a purely technical responsibility, when in reality it is a business-critical discipline that directly impacts risk, compliance, and operational resilience. Without a clear and strategic approach, even organisations with advanced tooling can remain exposed. Moving forward therefore requires more than technical adjustments – it requires organisational alignment.
A practical step is to bring together stakeholders across IT, security, application ownership, cloud and development, governance, and the business itself to define a unified identity strategy. The objective is not simply to manage tools more effectively, but to establish clear ownership, governance, and accountability for how identities are controlled across the organisation.
Five Principles to Strengthen Identity Security
While the challenges are evolving, the solutions are not new. In fact, they are grounded in a few well-established principles, often overlooked in practice. Addressing identity and access management challenges starts with rethinking how access is granted, reviewed, and controlled. That includes aligning access with roles, limiting privileges by default, and ensuring that no single identity has too much power.
A strong foundation for addressing IAM challenges typically includes:
- Role-based access control, where access follows roles – not individuals
- Least privilege access, ensuring users only get the access rights they need to get the job done
- Separation of duties, so critical actions require multiple people
- Segregation of identities to avoid the use of privileged accounts for everyday tasks
- Tiered access models, separating critical systems from normal user environments
Role-based access control ensures that access is tied to a person’s role rather than the individual, making it easier to manage permissions consistently as people – as well as machines and AI agents – move within the organisation. Closely related is least privilege access, which means users are only given the minimum level of access required to perform their tasks – reducing the potential impact if an account is compromised.
To further limit risk, separation of duties ensures that critical actions cannot be performed by a single individual alone, requiring multiple approvals or participants and thereby reducing the likelihood of misuse or fraud. In the AI world, separation of duties could actually be a combination of agents and humans, as AI is limited in judging ethical limits and consequences. In addition, segregation of identities introduces the practice of using different accounts for different purposes, ensuring that privileged accounts are not used for everyday activities like email or web browsing, where they are more exposed to threats.
Finally, tiered access models create clear boundaries between different levels of systems and access, separating highly sensitive environments from standard user environments so that a breach in one area does not automatically grant access to the most critical assets. Together, these principles provide a structured and effective way to reduce risk while still maintaining operational efficiency.
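To show how the five principles fit together in an actual authorisation decision, here is an added example in Python; it is not code from the article or from NetNordic, and the role names, resource tiers and identities in it are constructed for illustration. Access is denied unless a role grants it (role-based access control and least privilege by default); an account cannot reach a more sensitive tier than it was issued for, and a tier-0 privileged account is refused everyday tasks such as web browsing (tiered access and segregation of identities); and a critical action needs a second, human party distinct from the one who initiated it, which is what allows an AI agent and a human to form the separation-of-duties pair the text describes.

```python
from dataclasses import dataclass

# Constructed role model: each role grants (resource, action) pairs and nothing else.
ROLE_PERMISSIONS = {
    "finance-clerk": {("invoice", "create"), ("invoice", "read")},
    "finance-manager": {("invoice", "read"), ("invoice", "approve")},
    "domain-admin": {("domain-controller", "admin")},
    "standard-user": {("email", "read"), ("web", "browse")},
    "invoice-agent": {("invoice", "read"), ("invoice", "create")},
}

# Constructed tiers: 0 is the most sensitive (identity infrastructure),
# 2 is the everyday user environment (email, web).
RESOURCE_TIER = {"domain-controller": 0, "invoice": 1, "email": 2, "web": 2}


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str            # "human", "machine" or "ai-agent"
    roles: frozenset     # role names from ROLE_PERMISSIONS
    tier: int            # most sensitive tier this account is issued for


def permissions(identity):
    """Union of everything the identity's roles grant (RBAC)."""
    perms = set()
    for role in identity.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(identity, resource, action):
    """Deny-by-default decision combining tiering, segregation and RBAC."""
    tier = RESOURCE_TIER.get(resource)
    if tier is None:
        return False, "unknown resource: denied by default"
    if tier < identity.tier:
        # Tiered access: a lower-tier account never reaches a more sensitive tier.
        return False, f"tier {identity.tier} account cannot reach tier {tier} resource"
    if identity.tier == 0 and tier == 2:
        # Segregation of identities: privileged accounts stay off email and web.
        return False, "privileged account must not be used for everyday tasks"
    if (resource, action) not in permissions(identity):
        # Least privilege: nothing is allowed unless a role grants it.
        return False, "no role grants this permission"
    return True, "allowed"


def separation_of_duties(creator, approver):
    """A critical action needs a second party, and a human makes the final call."""
    if creator.name == approver.name:
        return False, "creator cannot approve their own invoice"
    if approver.kind != "human":
        return False, "final approval of a critical action requires a human"
    return authorize(approver, "invoice", "approve")


# Constructed identities. Carol has a separate tier-0 admin account (adm-carol)
# so her everyday account is never the privileged one.
ALICE = Identity("alice", "human", frozenset({"finance-clerk", "standard-user"}), 1)
CAROL = Identity("carol", "human", frozenset({"finance-manager", "standard-user"}), 1)
ADM_CAROL = Identity("adm-carol", "human", frozenset({"domain-admin"}), 0)
BOT = Identity("invoice-bot", "ai-agent", frozenset({"invoice-agent"}), 1)


if __name__ == "__main__":
    print(authorize(ALICE, "invoice", "approve"))          # denied: not her role
    print(authorize(ALICE, "domain-controller", "admin"))  # denied: wrong tier
    print(authorize(ADM_CAROL, "web", "browse"))           # denied: segregation
    print(separation_of_duties(BOT, CAROL))                # allowed: agent + human
```

The point of the ordering in `authorize` is that the structural controls (tier and segregation) are evaluated before the role lookup, so a mistake in role assignment alone cannot expose the most critical systems to an everyday account.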
The New Reality of Security
As identities continue to expand – from humans to machines to AI agents – the stakes are only increasing. What was once a technical concern has become a central pillar of organisational resilience, requiring both strategic attention and operational discipline. The organisations that succeed will not be those that invest in the most tools, but those that truly understand how identities function within their environment – and take responsibility for managing them accordingly.
This is where experienced partners like NetNordic play a key role, helping organisations translate strategy into practice by strengthening identity governance, visibility, and control. In today’s landscape, attackers are no longer breaking in; they are logging in. And that is why security no longer begins at the firewall. It begins with identity.
Mikael Järpenge
Cybersecurity Solution Advisor
Mikael Järpenge is a cybersecurity specialist and Solution Advisor at NetNordic, with extensive experience in designing and implementing advanced security solutions. His background spans leading security vendors, where he has worked with areas including threat detection, identity-based security, and advanced threat protection. He brings deep expertise in people-centric security, email security, and modern cyber defense strategies, helping organizations strengthen their resilience against evolving cyber threats.
Björn Björkman
Cybersecurity Solution Advisor
Björn Björkman is a cybersecurity specialist and Solution Advisor at NetNordic, with strong expertise in penetration testing and security assessment. He has extensive experience evaluating organizations’ security posture from both a technical and strategic perspective, helping customers identify vulnerabilities and improve their resilience against advanced cyber threats. His work spans multiple industries and focuses on turning security testing into a continuous, value-driven part of modern cyber defense strategies.