Protect your GitHub from identity threats

The Wake-Up Call You Didn't Know You Needed

Attackers aren't hacking in - they're logging in

Right now, a threat actor could be browsing your company's private GitHub repositories — not because they found a zero-day exploit or launched a sophisticated attack, but because they're logged in with stolen credentials. In 2023 alone, over 12 million authentication secrets were leaked on GitHub. Major brands including Uber, Okta, Samsung, and LastPass learned this the hard way.

If you're thinking, "We have MFA enabled, we're safe," think again. This guide was created because we've seen too many organizations discover critical identity security gaps only after a breach. By then, their code, credentials, and API keys were already exposed.

This guide is for you if:

  • You worry if your team's GitHub access is actually secure
  • You need to make changes to your repository permissions but don't know where to start
  • Your developers keep asking for admin access "just for this one project"
  • You suspect former employees or contractors might still have access
  • Your audit team is asking questions you can't confidently answer
  • You can’t easily answer key questions about GitHub access: Who has access to what? What are they doing with that access? And do they actually need that access?

12M+
In 2023 alone, authentication and sensitive secrets were leaked on GitHub
1.2 billion
attacks recorded where the root cause was compromised credentials

The common blind spot in code hygiene & supply chain security

The shift-left movement has transformed how organizations approach security, bringing unprecedented focus to code hygiene and supply chain security. Development teams are writing more secure code than ever before, integrating security scans into their pipelines, and catching vulnerabilities before they reach production.

While organizations have fortified their code, many have one dangerous blind spot: identity security within their development environments.

Critical exposure points:

  • Compromised credentials (now the #1 attack vector)
  • Privilege abuse from insider threats
  • Unauthorized access through legitimate logins
  • Complex permission structures that hide security gaps

Whether it’s a malicious external actor using stolen credentials or a disgruntled insider who has been planning a sabotage for months, if you can’t see who has access to what across your GitHub environment, you’re bound to be reacting too late to these incidents.

86%
of security breaches involving web-based apps and platforms involve stolen credentials
118 days
Average detection time for unauthorized access

The GitHub configurability paradox

GitHub's greatest strength — its incredible flexibility — has become security teams' biggest challenge. The platform's extensive configurability means that even small changes to deployment settings can have massive, often unexpected impacts on who can access what and how. This complexity creates a perfect storm where security teams struggle to:

  • Track permission inheritance patterns
  • Audit access effectively
  • Maintain least-privilege principles
  • Respond quickly to security incidents

Security and IT teams also feel pressure to enable development teams and support their Agile development workflows. Developers want rapid access to repositories, fast onboarding of new users, speedy rollout of new tools — and minimal friction through it all.

Over-provisioning becomes the default, leaving risky open doors

This leads to a common but dangerous pattern: over-provisioning access "just to be safe" or "just for now" — temporary solutions that become permanent security risks. In short, misconfigurations around access permissions, repository settings, and workflows can lead to unintended access. Identities have more access than necessary, and security teams often lack the visibility and capabilities to clean up those excessive permissions proactively.

The hidden access crisis: alarming findings

When we audit GitHub and other environments, we consistently find the same dangerous patterns hiding in plain sight that organizations have suspected but lacked the tools to identify. We are able to discover tens or even hundreds of excess permissions, dormant accounts still holding sensitive access, and authentication tokens that never expire.

The scope of this crisis is staggering:

95%
of permissions are unused
80%
of breaches use compromised identities
71%
year-over-year increase in attacks targeting identities

But these aren't just statistics – they're ticking time bombs. Every unused permission, every dormant account, and every excessive access right represents an attack vector waiting to be exploited.

The MFA misconception

Do you mandate MFA for external users?

External collaborators and third parties present significant risk when MFA is not enabled, because any SSO requirement (and resulting MFA management) does not apply. Third parties that don’t use MFA or use a weak MFA factor could create potential attack vectors.

Many security leaders look at stats on unauthorized access and think, “We have MFA enabled, we're safe." This dangerous assumption overlooks two unfortunate realities: Many organizations do not have clear visibility to ensure MFA is enabled for all accounts; and not all MFA factors are created equal. While basic MFA provides a layer of protection, modern attackers have evolved their tactics to bypass traditional second factors.

Understanding the MFA hierarchy:

  • SMS Authentication: Vulnerable to interception and social engineering
  • Time-based OTP: Better, but still phishable
  • FIDO2/WebAuthn: The current gold standard in MFA

Critical gaps in traditional MFA:

  • No protection against authenticated session hijacking
  • Limited visibility into access patterns post-authentication
  • Bypass potential through personal access tokens
  • Inconsistent enforcement across integration points

Building your GitHub defense strategy

Securing identity and access across your GitHub environment requires a multi-layered approach that balances security priorities with developer productivity demands.

Layer 1: Foundation

Implement these critical controls immediately:

  • Enforce FIDO2/WebAuthn MFA organization-wide
  • Audit and revoke all permanent access tokens
  • Set default repository permissions to none

Layer 2: Access Structure

Build a sustainable permission model:

  • Implement GitHub Teams for all access management
  • Define clear role templates
  • Create automated onboarding/offboarding workflows
  • Establish regular access reviews

Layer 3: Monitoring & Detection

Deploy continuous oversight:

  • Monitor authentication patterns
  • Track repository access
  • Alert on suspicious activities
  • Review admin actions
  • Track access utilization across GitHub
  • Maintain a single intuitive visualization of all of your GitHub identities and permissions

Layer 1: Foundation

The foundation of GitHub security requires attention to some critical control areas that form your first line of defense. Here is a set of foundational best practices for helping your organization address identity and access risks within your GitHub environment:

Enforce MFA

Mandate MFA for all users, including third-party collaborators, even if users are managed externally through single sign-on (SSO). The higher the security level of your MFA (e.g., phishing-resistant FIDO2 or WebAuthn), the better. But don't stop at basic implementation. Create a robust compliance monitoring system that tracks MFA adoption and usage patterns across your entire GitHub environment.

Audit and revoke all unlimited lifetime access tokens

Personal Access Tokens (PATs) represent one of the most overlooked security risks in GitHub environments. Begin by conducting a comprehensive audit of existing tokens using GitHub's API. Many organizations are shocked to discover hundreds of tokens with unlimited lifespans and broad permission scopes. Implement a mandatory 90-day expiration policy for all new tokens, and systematically review and revoke existing permanent tokens.
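The audit described above, as an added example that is not the page's or Oleria's code: it classifies token records against the 90-day policy and also flags tokens that are dormant or carry an administration write permission. The records are constructed here and loosely modelled on GitHub's organization listing of fine-grained tokens (`GET /orgs/{org}/personal-access-tokens`); the field names (`token_expires_at`, `token_last_used_at`, `permissions`) and the 60-day dormancy threshold are assumptions, so map them to whatever your export actually contains.

```python
"""Audit GitHub PAT records for unlimited lifetime, over-long expiry, dormancy
and admin scope.

Added example, not code from the page or from Oleria. SAMPLE_TOKENS is a
constructed input; field names are assumptions modelled on GitHub's
org-level token listing and contain no real token values.
"""
from datetime import datetime, timedelta, timezone

MAX_LIFETIME_DAYS = 90   # the page's mandatory 90-day expiration policy
DORMANT_DAYS = 60        # assumption: unused for this long counts as dormant

# Constructed sample records (no secrets are present in these objects).
SAMPLE_TOKENS = [
    {"token_id": 101, "owner": "alice", "token_expires_at": None,
     "token_last_used_at": "2024-05-01T10:00:00Z",
     "permissions": {"contents": "write", "administration": "write"}},
    {"token_id": 102, "owner": "bob", "token_expires_at": "2025-06-01T00:00:00Z",
     "token_last_used_at": None,
     "permissions": {"contents": "read"}},
    {"token_id": 103, "owner": "carol", "token_expires_at": "2024-08-01T00:00:00Z",
     "token_last_used_at": "2024-06-10T09:00:00Z",
     "permissions": {"contents": "read"}},
    {"token_id": 104, "owner": "dave", "token_expires_at": "2024-07-30T00:00:00Z",
     "token_last_used_at": "2024-01-05T12:00:00Z",
     "permissions": {"contents": "write"}},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp ending in 'Z'; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_token(tok, now):
    """Return the list of policy findings for one token record."""
    findings = []
    expires = parse_ts(tok.get("token_expires_at"))
    last_used = parse_ts(tok.get("token_last_used_at"))

    # Unlimited lifetime is the page's headline risk; a far-future expiry
    # violates the 90-day policy just as surely.
    if expires is None:
        findings.append("no-expiry")
    elif expires - now > timedelta(days=MAX_LIFETIME_DAYS):
        findings.append("expiry-exceeds-policy")

    # A token that has never been used, or not recently, is a candidate
    # for revocation regardless of its expiry.
    if last_used is None or now - last_used > timedelta(days=DORMANT_DAYS):
        findings.append("dormant")

    # Administration write permission lets a token change repository
    # settings; it deserves explicit review.
    if tok.get("permissions", {}).get("administration") == "write":
        findings.append("admin-scope")
    return findings


def audit_tokens(tokens, now):
    """Map token_id -> findings for every token with at least one finding."""
    report = {}
    for tok in tokens:
        findings = classify_token(tok, now)
        if findings:
            report[tok["token_id"]] = findings
    return report


if __name__ == "__main__":
    now = datetime(2024, 6, 15, tzinfo=timezone.utc)
    for token_id, findings in audit_tokens(SAMPLE_TOKENS, now).items():
        print(f"token {token_id}: {', '.join(findings)}")
```

Feed it the token list from your own API export (or any JSON with the same fields) and every flagged `token_id` becomes a revocation or owner-review item; the clean token 103 is deliberately omitted from the report so the output is only the work list.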

Set default repository permissions to none

Default repository permissions form the backbone of your access control strategy. Configure your organization's default permission level to "none" for new repositories, forcing explicit permission grants for each team or user. This zero-trust approach prevents accidental exposure of sensitive code. Implement repository templates that come pre-configured with appropriate permission structures and branch protection rules.

Layer 2: Access Structure

A well-designed access structure is essential for maintaining security at scale and can help simplify management. This layer focuses on creating sustainable, manageable permission systems that grow with your organization while maintaining security integrity.

GitHub Teams architecture

Your Teams architecture should mirror your organization's structure while accommodating project-based collaboration.

  • Implement nested teams to create logical permission inheritance paths that reflect real-world reporting and responsibility structures. For example, a product development group might have child teams for frontend, backend, and DevOps, each with their own permission sets.
  • Create clear, documented naming conventions that encode team purpose and scope (e.g., 'product-payment-dev' or 'infra-security-admin').
  • Each team should have a detailed description documenting its purpose, required approvals for membership, and standard permission levels. This documentation becomes crucial during access reviews and audit processes.

Role templates & automation

Standard role templates form the foundation of consistent access management.

  • Create comprehensive role definitions that align with job functions while following least-privilege principles. Each role template should define not just permissions but also the approval chain, review requirements, and automatic expiration policies where applicable.
  • Build automated workflows for access provisioning that integrate with your identity provider. These workflows should handle both onboarding and offboarding, automatically adjusting permissions based on HR status changes.
  • Implement self-service access requests with appropriate approval chains, and create automated expiration for temporary access grants.

Layer 3: Monitoring & Detection

Effective monitoring requires sophisticated tools and well-defined processes to maintain security posture while enabling rapid response to potential threats.

Comprehensive activity monitoring

  • Implement deep and continuous monitoring of authentication patterns, repository access, and administrative actions.
  • Your monitoring system should establish baseline activity patterns for different user types and alert on significant deviations.
  • Track not just successful operations but also failed attempts, unusual access patterns, and suspicious behavior sequences.
  • Create detailed audit trails of all sensitive operations, including repository clones, fork creation, and branch operations.
  • Pay special attention to mass download operations and unusual access patterns that might indicate data exfiltration attempts.
  • Implement geographic access monitoring to detect and alert on suspicious login locations or impossible travel scenarios.
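The impossible-travel check from the last bullet, as an added example that is not part of the original page or of Oleria's product: consecutive logins for the same user are compared by great-circle distance and elapsed time, and any pair implying a speed above a plausible airline ceiling is raised as an alert. The login events are constructed and the 900 km/h ceiling is an assumption; in practice the coordinates would come from your IdP's or GitHub's audit log enriched with geolocation.

```python
"""Impossible-travel detection over constructed login events.

Added example, not code from the page or from Oleria. SAMPLE_EVENTS is a
constructed input; MAX_PLAUSIBLE_KMH is an assumed threshold.
"""
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly the speed of a commercial flight

# Constructed sample events: each is one successful login with a resolved location.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2024-06-15T08:00:00+00:00", "lat": 47.61, "lon": -122.33, "city": "Seattle"},
    {"user": "alice", "ts": "2024-06-15T09:30:00+00:00", "lat": 52.52, "lon": 13.40, "city": "Berlin"},
    {"user": "bob", "ts": "2024-06-15T08:00:00+00:00", "lat": 51.51, "lon": -0.13, "city": "London"},
    {"user": "bob", "ts": "2024-06-15T20:00:00+00:00", "lat": 40.71, "lon": -74.01, "city": "New York"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def detect_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per consecutive login pair whose implied speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
        for prev, cur in zip(evs, evs[1:]):
            hours = (datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Same-second logins from two distant places are the extreme case;
            # treat them as infinitely fast rather than dividing by zero.
            if hours <= 0:
                speed = math.inf if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_kmh:
                alerts.append({
                    "user": user,
                    "from": prev["city"], "to": cur["city"],
                    "distance_km": round(dist, 1),
                    "hours": round(hours, 2),
                    "speed_kmh": speed,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(SAMPLE_EVENTS):
        print(f"{alert['user']}: {alert['from']} -> {alert['to']} in {alert['hours']} h "
              f"({alert['distance_km']} km, {alert['speed_kmh']:.0f} km/h)")
```

Alice's Seattle-to-Berlin pair fires (about 8,100 km in 90 minutes); Bob's London-to-New York pair over twelve hours does not, which is the point of using a speed ceiling rather than a simple "different country" rule. Tune the ceiling per organization, and feed alerts into the escalation paths the next section describes.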
Advanced threat detection

  • Deploy behavioral analytics to identify potential security threats before they become breaches.
  • Monitor for patterns that might indicate compromise, such as unusual commit patterns, suspicious file modifications, or abnormal API usage.
  • Create sophisticated alert rules that consider multiple factors including time of access, location, repository sensitivity, and user role.
  • Implement automated response workflows for common security scenarios, such as unusual admin actions or suspicious after-hours access.
  • Create escalation paths for different types of alerts, ensuring that critical security events receive immediate attention while managing alert fatigue.

How Oleria simplifies effective GitHub identity security

On the surface, this long list of best practices can look daunting — particularly given how GitHub’s extensive configurability makes it difficult to stay on top of all of these access and identity hygiene principles. More to the point, implementing this framework — and doing it continuously — likely requires a new set of tools and capabilities built for the future that many organizations do not have today.

Oleria transforms GitHub security from a manual, time-consuming process into an automated, intelligence-driven system that proactively identifies and mitigates risks. With Oleria you get a single intuitive visualization of all of your GitHub identities and permissions that is plug and play – no long and expensive installation and onboarding.

Intelligent access management

Oleria's platform provides unprecedented visibility into your GitHub environment through sophisticated permission mapping and relationship analysis. The system automatically identifies risky permission combinations, unused access rights, and potential security gaps. Rather than manually tracking permissions, security teams get real-time insights into who has access to what, how that access is being used, and where potential risks exist.

Risk response

The platform goes beyond simple monitoring by providing rapid incident investigation with fine-grained detail. When risky patterns are detected — whether it's unused permissions, excessive access rights, or suspicious behavior — Oleria can help you implement corrections or initiate review workflows. This proactive approach helps maintain your GitHub security without creating additional work for security teams.

Track group & user activity

Oleria offers a powerful solution to enhance security and streamline access management on GitHub. By automatically tracking user activity and identifying unused or dormant permissions, you can proactively eliminate security risks and optimize your organization's security posture. With Oleria, you can easily identify and remove "ghost accounts," enforce least-privilege principles, and gain valuable insights into user behavior. By analyzing group utilization, you can optimize role-based access policies and ensure that permissions are granted only to those who truly need them.

A secure GitHub environment

Protect your GitHub environment with Oleria’s comprehensive security solutions, empowering you to understand, identify, detect, and accelerate responses to risks.

Understand

Visualize access and permissions for all users (internal and external) in a single pane of glass.

Identify

Quickly identify risks like over-provisioned or inactive accounts and prioritize them for remediation.

Detect

Accelerate incident investigation and remediation with immediate visibility to the “who, what and when” of actions performed on all GitHub resources.

Accelerate

Detect anomalous login activities with alerts and advanced analytics.

Oleria reimagines identity security, providing organizations with the clarity and control needed to protect their most critical assets.

Executive Brief

Solving the non-human identity crisis: Securing your organization's invisible workforce

By the numbers

80:1
NHIs outnumber human identities by as much as 80 to 1
80%
Percentage of breaches that involve compromised identities
46%
Organizations that have experienced a security breach related to NHIs
2.7
Average number of NHI-related security incidents per enterprise in the past year
40%
Repositories with Copilot enabled were found to have a 40% higher incidence rate of secret leaks compared to those without AI assistance
15%
Organizations that feel highly confident they can prevent NHI attacks

Understanding the NHI risk

In today's enterprise environments, the majority of identities accessing systems and resources are no longer human — they're machines. These non-human identities (NHIs) — service accounts, applications, API keys, bots, agentic AI, scripts, and more — form the backbone of modern business operations. They enable automation, integration, and cloud operations that drive digital transformation.

Yet they remain largely unmanaged, invisible, and over-permissioned. In fact, a recent study showed 85% of organizations are not highly confident in their ability to prevent NHI attacks.

Why? Because while organizations have spent decades refining their approach to human identity management, NHIs have proliferated in the background with minimal governance. Traditional IAM tools, created primarily to support human identities, were never designed to handle the unique challenges posed by machine identities operating across hybrid environments.

The sprawling, ungoverned web of NHIs represents cybersecurity's fastest-growing blind spot — and an increasingly popular entry point for attackers. With the rise of AI (and agentic AI in particular), this problem is growing exponentially. Tools like GitHub Copilot and other AI assistants are dramatically increasing the creation of NHIs — often without any of the identity governance or lifecycle management that covers human identities.

Strategic snapshot

The challenge:

Non-human identities (NHIs) now outnumber human users by 80:1 in enterprise environments, creating a massive, largely invisible attack surface.

Why it happens:

Traditional identity management tools weren’t designed for NHIs operating across hybrid ecosystems. The lack of visibility and stewardship allows NHIs to accumulate excessive permissions and use persistent credentials buried in code or configurations.

The solution:

Unified identity security that provides comprehensive visibility, intelligent governance, and rapid remediation for both human and non-human identities.

How NHIs fall through the gaps

Why it matters: Business-critical impacts

Unmanaged and often overprovisioned NHIs create significant business exposure that goes beyond typical security concerns:

  • Overprovisioning and credentials in code. NHIs are frequently granted far more access than required. This rampant overprovisioning is compounded by poor credential hygiene management — like credentials buried in code or configurations — creating persistent and unmonitored backdoors.
  • Toxic combinations & undetected lateral movement. The interplay between human identities and NHIs can create “toxic combinations” where individual vulnerabilities escalate into critical exposures. Whether a compromised NHI gains control or a breached human identity exploits an NHI, the combination allows bad actors to potentially gain access to critical resources — often beyond the detection of traditional IAM solutions.
  • Compliance & governance failures. NHIs often operate outside established governance frameworks. They lack clear ownership, structured lifecycle management, and regular access reviews.
  • Operational disruption. As organizations become increasingly dependent on automation and AI, unmanaged NHIs introduce operational and security risks that can disrupt critical business functions. In fact, security incidents involving NHIs are particularly challenging to investigate and remediate due to limited visibility and unclear ownership.
  • Innovation barriers. Security concerns around NHIs can slow digital transformation initiatives. Without a robust framework for managing machine identities, organizations must choose between business agility and security assurance — a false choice that constrains business potential.

VISIBILITY GAPS

Limited inventory capability:
Most organizations cannot answer the fundamental question: Which NHIs exist, and who owns them? This visibility gap in complex on-prem, cloud, and hybrid enterprise environments hinders IAM and security teams from establishing the desired security posture and enforcing transparent governance.
Unique complexities:
NHIs span diverse technical implementations — machine accounts, service accounts, applications, API keys, tokens, AI models — each with distinct behaviors.
Rapid proliferation:
NHIs outnumber human identities by orders of magnitude, creating significant blind spots.
Complex lateral attack paths:
Compromised human identities often lead to NHI compromise (and vice-versa), enabling lateral movements that are difficult to identify and trace with traditional tools.

Agentic AI amplifies — and transforms — the NHI problem

The rapid emergence of agentic AI amplifies existing NHI risks. But agentic AI also transforms the NHI challenge in a critical way: unlike traditional NHIs that operate in a deterministic manner — executing predefined actions with predictable outcomes — AI-powered identities function non-deterministically, making autonomous decisions based on learning and context that can vary with each execution.

This fundamental shift from predictable to unpredictable behavior creates an entirely new security paradigm. When a traditional service account accesses a database, security teams can model the exact actions it will take. With AI-driven NHIs, that predictability disappears, introducing novel risks that conventional security controls weren't designed to address. This is a growing reality that, if not addressed proactively and effectively now, will soon become a crisis for every enterprise.

Advancing autonomy increases economic value — and business risk

As agentic AI progresses — from simple query-based assistants to more sophisticated GenAI copilots and ultimately toward truly autonomous agents operating without a human in the loop — their economic and business value grows. But this increasing autonomy also escalates the complexity of the identity and access challenges:

The path forward: Essential capabilities to secure NHIs

Organizations can close a critical identity security gap by bringing both non-human and human identities under a single intelligent framework. NHI access can be continuously monitored, right-sized, and enforced with least-privilege principles, enabling businesses to move faster, innovate boldly, and stay secure.

To effectively secure NHIs, organizations need:

Comprehensive discovery of NHIs across environments with fine-grained visibility down to the permission and resource level.

Lifecycle management including access review, proper onboarding, credential rotation and timely offboarding.

Rapid remediation capabilities to neutralize suspicious activity in seconds, not days or weeks.

GOVERNANCE CHALLENGES

Lack of stewardship:
NHIs frequently lack clear human ownership, making it difficult to assign accountability and drive corrective action.
Over-privileging by default:
NHIs are granted excessive permissions due to coarse-grained legacy systems, reuse across multiple resources, or just developer convenience.
Delegation without audit:
NHIs perform tasks on behalf of humans without transparent chains of responsibility.
Highly privileged by design:
Many NHIs operate with broad, highly privileged access to multiple resources by necessity.
Persistent credentials:
NHIs often rely on hard-coded or long-lived credentials buried in code or configurations, creating hidden and persistent risks that are hard to detect, rotate, or manage.

The Oleria Approach

Oleria's Trustfusion platform addresses these challenges through a graph-native architecture that connects to identity providers and applications across on-premises, SaaS, cloud, and hybrid environments. It unifies accounts, groups, resources, and permissions into a single access graph enriched with fine-grained usage insights.

Oleria enables organizations to:

  • Discover NHIs with unparalleled visibility in minutes across the entire identity ecosystem.
  • Govern NHIs intelligently to find and fix over-permissioned, dormant, or ownerless identities.
  • Remediate in seconds to reduce NHI risks with recommended actions.

From blind spot to strategic advantage

Securing NHIs isn't just about closing a security loophole — it's about re-architecting identity security for a future where machines act with autonomy and impact at scale. Organizations addressing this challenge now will gain security and competitive advantages in an increasingly automated world.

The rise of agentic AI and automation means NHIs will continue to grow in importance and risk. Enterprises that wait to address this will be left vulnerable, while those who act now can get ahead of the curve.

A practitioner’s guide to the future of identity

Managing Identity in the age of AI

LED BY JIM ALKOVE, CEO, OLERIA
Guide v2.0, with how Oleria supports you across the maturity journey.

Executive summary

Provided by
Jim Alkove, Chair, SINET Identity Working Group 
CEO, Oleria 
Former Chief Trust Officer, Salesforce

Secure business enablement hinges on identity

Identity is now the primary battleground in cybersecurity. A full 80% of breaches start with compromised identities, and identity-based attacks are increasing 77% year-over-year.

But solving identity is more than a vital defensive play — it’s the non-negotiable key to secure business enablement. As we advance automation and move toward the AI-fueled future of business, every organization needs foundational confidence in the ability to see, manage, and protect all identities (human, non-human, AI).

Existing architectures won’t get us there

As we have navigated wave after wave of technological transformation over the past two decades, security and IT teams have incrementally made practical adaptations to current tooling and practices. But as we now face the challenges of a perimeterless enterprise, the explosion of non-human identities, and the oncoming wave of agentic AI, these adaptations are reaching a breaking point. The human processes holding conventional approaches together cannot keep pace with AI scale and speed. And the accumulated technical debt from previous adaptations only adds to the untenable level of identity fragmentation.

The crux of the problem:

Conventional approaches to identity management were never designed to handle the speed, scale, and complexity of today’s digital environments and operations. We need to radically rethink — not merely adapt — our identity architecture.

Defining the path forward

To address these critical limitations, several leading CISOs, security architects, and identity experts from diverse industries formed an Identity Working Group. This group began with three practitioner-validated principles regarding what is urgently needed to collectively move the business world forward:

  • Unified architecture is essential: We need a unified identity and access system that provides continuous, comprehensive visibility, enables consistent governance and posture enforcement, and facilitates automated threat response across all identity environments — from on-premise to cloud, SaaS, and emerging AI.
  • Maturity-based implementation: Organizations must progress systematically through well-defined maturity model levels across critical capability areas. Each stage must deliver measurable risk reduction and tangible operational improvement, avoiding the "boil the ocean" approach.
  • AI readiness is critical: The explosive, non-deterministic growth of agentic AI requires immediate action to establish robust identity lifecycle management, secure delegation frameworks, and scalable autonomous oversight capabilities.

What this guide delivers:

A practical approach to unified enterprise identity

The Identity Working Group developed a comprehensive, highly actionable framework to transform identity from today's fractured, reactive landscape to tomorrow's autonomous, AI-enabled future. This guide presents both the strategic vision and tactical implementation guidance needed to achieve this transformation:

  • A definitive vision for unified identity and access: A practitioner-led description of the key capabilities every organization must achieve for secure business enablement in the age of AI.
  • A future-ready reference architecture: A prescriptive, “ideal state” reference architecture designed for the complexities of agentic AI and autonomous systems.
  • A practical model for advancing identity maturity: Detailed assessments to help you understand where your organization stands, and actionable guidance on how to strategically and measurably progress.

Current landscape: The fractured identity crisis

Identity has reached a critical breaking point in the enterprise world. Security and IT teams struggle to maintain even basic visibility and control over their sprawling identity ecosystems. Organizations are perpetually grappling with tech bloat, juggling disparate identity systems and point tools for human and non-human identities across SaaS applications, cloud infrastructure, and traditional on-premise environments. The problem is compounded because virtually every application and service today comes with its own embedded identity system.

This rapid expansion happened for good reasons — with businesses prioritizing speed, agility, and innovation. But it now presents a chaotic, sprawling mess, where exploding fragmentation leads directly to massive security blind spots and critical control gaps around identity and access.

80%
Statistical Reality: 80% of breaches involve compromised identities
80:1
The NHI Challenge: Non-human identities outnumber humans 80:1
2.7
Enterprise Impact: Average 2.7 NHI incidents per year
15%
Confidence Gap: Only 15% of organizations feel highly confident preventing NHI attacks

Case studies in identity failure

New York Times GitHub Breach:
270GB of internal data exposed across 5,000 repositories
Microsoft Midnight Blizzard Attack:
Legacy test account without MFA compromised 50 executive accounts
Hugging Face Data Leak:
Compromised tokens exposed 10,000 organizations and 1.2 million users

The Oleria advantage:

Comprehensive, automated asset discovery — in minutes

Oleria provides a complete inventory of all identities — human, non-human, and AI — across your entire digital estate. Our deep and rapid integration gives you complete and continuous visibility and control in minutes, so you can eliminate blind spots and mitigate risks.

Why current solutions fall short

Existing identity architectures weren’t built to manage identities across SaaS, cloud, and on-premise applications and infrastructure. They weren’t built to handle rapidly proliferating NHIs operating in the shadows. And they certainly weren’t built for the oncoming wave of non-deterministic AI agents operating autonomously with full write and approval access.

In a race to patch gaps in visibility and control, security and IT teams are bolting point solutions onto existing identity architectures — a practical adaptation approach that helped organizations bridge previous technological transformations.

But these bolt-on solutions for Identity Governance and Administration (IGA), Privileged Access Management (PAM), and Just-in-Time (JIT) access are, at best, temporary band-aids on a much larger, systemic problem of fragmentation. Moreover, this fragmentation is plagued by a lack of automation: inefficient, risk-laden human processes bridge the gap between various HR and Identity systems.

This fragmentation continually expands as businesses evolve their identity systems to meet new operational demands. The tech debt grows, the fragmentation worsens, and the blind spots widen.

The pervasive result is that identity, which should be an enabler, has become a frustrating business blocker. CISOs constantly hear, "I can’t get access to the data I need," from business units. Worse, it has solidified identity’s position as the number one attack vector for breaches, because we are collectively failing to manage it properly.

We’ve been here before — and we’ve pulled ourselves forward through a difficult-but-necessary transformation. For example, not long ago, we reached a similar breaking point with conventional endpoint AV. As the demands of digital business and the nature of threats evolved, it became painfully clear that we could no longer adapt endpoint AV to keep pace. EDR was born to fundamentally shift the balance toward business enablement — and the industry rapidly rallied under this new paradigm.

Today's common state: Multi-cloud fragmentation

  • Multiple identity environments: Separate and disconnected identity stores across on-premise systems, various cloud providers, and numerous SaaS applications.
  • Heterogeneous systems: Per-cloud identity stores and application-specific access controls, creating deep data silos and preventing a holistic view of access.
  • Management layer complexity: Limited and partial automation, often achieved through disparate lifecycle management, access governance, and PAM systems that don't speak to each other.
  • Human process dependencies: Reliance on fragile, ineffective manual processes that attempt to bridge gaps between systems, leading to delays, errors, and security weaknesses.
  • Inconsistent controls: A profound lack of comprehensive visibility and unified policy enforcement, making it impossible to apply consistent security postures across the entire digital estate.

Key Problems

Identity sprawl:
Organizations contend with multiple, disconnected identity systems and stores across on-premise infrastructure, various cloud providers, and countless SaaS applications.
Lack of central visibility:
There is no single source of truth for identity and access, forcing security teams to toggle between numerous consoles and dashboards to piece together a partial, often outdated, picture.
Inconsistent policy enforcement:
Fragmented approaches inevitably lead to inconsistent security controls and significant gaps, making it impossible to enforce uniform policies across the entire enterprise.
Manual orchestration burden:
Security teams are overwhelmed by the sheer complexity and volume of managing identities and access manually, leading to burnout, errors, and an inability to scale.
Corresponding Risks
Security gaps:
Unmanaged non-human identities, inconsistent access policies, and dormant accounts become persistent, high-value targets for attackers.
Operational inefficiency:
Manual processes, "swivel chair" administration, and endless troubleshooting consume critical security team resources, preventing focus on strategic initiatives.
Compliance challenges:
Extreme difficulty in demonstrating and maintaining consistent controls across disparate environments, leading to audit failures and regulatory penalties.
Business risk:
Identity becoming a severe bottleneck rather than a strategic enabler, hindering innovation, slowing down new initiatives, and directly contributing to breaches.
Agentic AI shifts the identity paradigm
The rapid emergence of agentic AI amplifies existing identity risks around non-human identities (NHIs) — but it also fundamentally transforms the identity and access challenge. 
Unlike traditional NHIs, which operate in a deterministic manner — executing predefined actions with predictable outcomes — AI-powered identities function non-deterministically, making autonomous decisions based on continuous learning and evolving context. When a traditional service account accesses a database, security teams can model its exact actions. With AI-driven NHIs, that predictability vanishes, introducing novel risks that conventional security controls were never designed to address. 
This dynamic, non-deterministic behavior introduces an entirely new security paradigm. If not proactively and effectively addressed now, these risks will rapidly become an existential crisis for every enterprise.
Understanding the progression of AI agents
The truly transformational economic and business value of AI lies in its rapid evolution from simple query assistants to highly autonomous workflow executors. Yet this increasing autonomy significantly escalates the complexity of managing AI identities and access rights. Agentic AI creates new categories of risk that existing tools were never designed to address — and amplifies the existing flaws in conventional identity tools.
Query Agents (Read Access)
Capabilities: Limited to read-only access — responding to prompts by accessing and retrieving information.
Risks: Latent over-privileged access exposed through AI search (the agent is granted more access than necessary), and unattended access, where an agent might reach sensitive data without direct human oversight or when a user’s session is left unsecured.
Task & Workflow Agents (Read, Write, Execute Access)
Capabilities: These AI copilots can complete specific tasks or entire workflows, including writing, modifying, moving, or deleting data on behalf of human users, where the human is in the loop.
Risks: Introduce new dimensions of challenges around access delegation and auditing, centered on verifiable assurance of actions performed by AI agents (e.g., ensuring the AI working on HR onboarding is executing tasks legitimately).
Autonomous Agents (Approval Access)
Capabilities: Fully realized agentic AI can complete entire workflows or significant job elements without human (in the loop) oversight or approval.
Risks: To ensure the AI agent’s decisions align with critical business policies and relevant regulatory obligations, organizations urgently need to build mechanisms for automated approval and robust oversight of decision-making without inhibiting the speed advantages of autonomy. Our existing identity frameworks were not built for this.
Securing (and enabling) our autonomous future
Industry analysts predict that billions of AI agents will soon manage critical infrastructure — from energy grids and transportation systems to financial markets and healthcare networks. Our current identity frameworks offer no viable path for secure, scalable management at machine speed and machine scale. Without a fundamental shift, the transformative potential of AI will be overshadowed by catastrophic, systemic security risks.
Beyond adaptation: Reimagining identity for tomorrow
The path from fragmented to unified and intelligent control requires a fundamental architectural shift — a revolution rather than evolution. Instead of continuing to layer point solutions onto existing complexity, organizations urgently need a meta identity and access system — a powerful, overarching framework that provides comprehensive visibility, consistent policy enforcement, and automated threat response across all identity environments (human, non-human, and AI).

Reference architecture: The Unified Identity and Access System

The Identity Working Group’s unified reference architecture provides a blueprint for overcoming today’s fragmentation and building a future-ready identity posture — built by veteran security practitioners, for security practitioners. This architecture is designed as a unified identity and access system that integrates seamlessly with existing investments, providing a powerful overlay without requiring disruptive "rip-and-replace" strategies.
Core architectural principles:
Unified data foundation (centralized system of record + common data model)
By establishing a single source of truth for identity lifecycle, entitlements, and policy decisions, and by normalizing identity information across heterogeneous systems (on-prem, cloud, SaaS, custom apps) into a unified schema, this architecture eliminates conflicting information. It ensures perpetual, consistent enforcement across all integrated systems, enabling consistent operations, accurate reporting, and granular analytics that traditional tools miss.
How do you make it work?
To achieve this unified data foundation, the system requires the ability to pull in data at the right level of granularity from all underlying identity systems and applications. This involves deep integration to collect fine-grained data, which is then transformed and transmitted into the common, unified data model. 
Single control plane
This architecture provides a centralized point for policy definition and consistent enforcement across all identity systems, acting as an intelligent overlay that orchestrates and works with — rather than against — current investments.
How do you make it work?
This system needs the ability to coordinate and orchestrate actions across all individual systems. It must be able to “poke back” and write back to these applications in their native language to ensure consistent policy enforcement and effective risk remediation.
System of intelligence
It creates a comprehensive understanding of identity and access patterns across the entire digital estate, providing the deep, usage-level visibility and context needed for informed security decisions and proactive risk management.
How do you make it work?
This system requires a continuous monitor to look at integrated applications and evaluate if anything deviates from established policies or patterns. This continuous monitoring enables proactive identification and reduction of risk.
The Oleria advantage:
An identity-centric system of intelligence — to drive smarter action
Oleria acts as your comprehensive "system of intelligence" on identity — a comprehensive store of all your identity data and access patterns in one place to drive better analysis and decision-making. Operators can ensure that all their identity policies and least-privileged access are working everywhere, every day — for example, validating that all human identities use strong, phish-resistant multi-factor authentication, and that all non-human identities and AI agents use strong credentials that have been recently rotated.
The Unified Identity and Access System in action
Putting together the three core architectural principles — and the essential capabilities needed to make each work — creates a unified identity and access system that operates across three primary functions:
Understands:
Provides comprehensive visibility and fine-grained analysis across all identity environments. This includes discovering all identities (human, non-human, AI), their permissions, and their actual usage patterns, even detecting dormant or over-privileged accounts.
Establishes consistency:
Enforces unified policies and standards consistently across a diverse array of heterogeneous systems. This means applying "least privilege" principles uniformly, removing unused groups and dormant accounts, and ensuring continuous compliance.
Manages risk & threats:
Integrates proactive threat detection, rapid response, and automated remediation capabilities. It surfaces critical risks and offers recommended actions, with the ability to eliminate time-consuming manual processes to strengthen security and improve operational efficiency.
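The checks these three functions describe, written out as an added example that is not Oleria's code or part of the guide: two constructed source-specific record shapes are normalized into one Identity schema (the common data model), then each record is evaluated for phishing-resistant MFA on humans, credential age on NHIs and AI agents, and dormant or over-privileged access. Field names, policy thresholds and sample records are all assumptions made for illustration.

```python
"""Policy evaluation over a unified identity inventory (added example).

Records from different systems are mapped onto one Identity schema, then
checked against the posture policies named in the guide. Every record
shape, field name and threshold below is a constructed assumption.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

PHISHING_RESISTANT = {"fido2", "passkey", "smartcard"}  # assumed method names
MAX_SECRET_AGE_DAYS = 90   # assumed rotation policy for NHI / agent credentials
DORMANT_AFTER_DAYS = 90    # assumed inactivity window


@dataclass
class Identity:
    """One row of the common data model: every source is mapped onto this shape."""
    id: str
    kind: str                         # "human", "nhi" or "ai_agent"
    source: str                       # system of origin, e.g. "idp", "cloud"
    mfa_methods: set[str] = field(default_factory=set)
    credential_rotated: date | None = None
    last_used: date | None = None
    granted: set[str] = field(default_factory=set)   # permissions held
    used: set[str] = field(default_factory=set)      # permissions exercised in window


def _d(value):
    """Parse an optional ISO date string."""
    return date.fromisoformat(value) if value else None


def from_idp_user(rec: dict) -> Identity:
    """Normalize a constructed IdP user export (field names are assumptions)."""
    return Identity(
        id=rec["login"], kind="human", source="idp",
        mfa_methods={f["type"] for f in rec.get("factors", [])},
        last_used=_d(rec.get("lastLogin")),
        granted=set(rec.get("entitlements", [])),
        used=set(rec.get("entitlementsUsed90d", [])),
    )


def from_cloud_principal(rec: dict) -> Identity:
    """Normalize a constructed cloud IAM principal record (field names are assumptions)."""
    return Identity(
        id=rec["arn"], kind=rec["principalType"], source="cloud",
        credential_rotated=_d(rec.get("keyCreated")),
        last_used=_d(rec.get("keyLastUsed")),
        granted=set(rec.get("allowedActions", [])),
        used=set(rec.get("actionsSeen90d", [])),
    )


def evaluate(identity: Identity, today: date) -> list[str]:
    """Return policy deviations for one identity (empty list means compliant)."""
    findings: list[str] = []
    if identity.kind == "human":
        if not identity.mfa_methods:
            findings.append("no-mfa")
        elif not identity.mfa_methods & PHISHING_RESISTANT:
            findings.append("weak-mfa")           # e.g. SMS or TOTP only
    else:  # NHI or AI agent: the control is credential age, not MFA
        if identity.credential_rotated is None:
            findings.append("rotation-unknown")
        elif (today - identity.credential_rotated).days > MAX_SECRET_AGE_DAYS:
            findings.append("stale-credential")
    if identity.last_used is None or (today - identity.last_used).days > DORMANT_AFTER_DAYS:
        findings.append("dormant")
    if identity.granted - identity.used:          # granted but never exercised
        findings.append("over-privileged")
    return findings


def posture_report(identities, today: date) -> dict[str, list[str]]:
    """Map each non-compliant identity id to its findings."""
    return {i.id: f for i in identities if (f := evaluate(i, today))}


# Constructed sample records in the two source shapes
IDP_USERS = [
    {"login": "alice", "factors": [{"type": "fido2"}, {"type": "totp"}], "lastLogin": "2025-05-30",
     "entitlements": ["repo:read", "repo:admin"], "entitlementsUsed90d": ["repo:read", "repo:admin"]},
    {"login": "bob", "factors": [{"type": "sms"}], "lastLogin": "2025-01-10",
     "entitlements": ["repo:admin"], "entitlementsUsed90d": []},
    {"login": "carol", "factors": [], "lastLogin": "2025-05-28",
     "entitlements": ["repo:read"], "entitlementsUsed90d": ["repo:read"]},
]
CLOUD_PRINCIPALS = [
    {"arn": "role/ci-deploy", "principalType": "nhi", "keyCreated": "2025-01-01",
     "keyLastUsed": "2025-05-31", "allowedActions": ["s3:PutObject"], "actionsSeen90d": ["s3:PutObject"]},
    {"arn": "user/legacy-svc", "principalType": "nhi", "keyCreated": None,
     "keyLastUsed": None, "allowedActions": ["s3:*"], "actionsSeen90d": []},
    {"arn": "role/summarizer-agent", "principalType": "ai_agent", "keyCreated": "2025-05-15",
     "keyLastUsed": "2025-05-31", "allowedActions": ["mail:read", "mail:send"], "actionsSeen90d": ["mail:read"]},
]


def sample_report(today: date = date(2025, 6, 1)) -> dict[str, list[str]]:
    """Normalize both sample sources and evaluate them as one inventory."""
    identities = [from_idp_user(r) for r in IDP_USERS] + [from_cloud_principal(r) for r in CLOUD_PRINCIPALS]
    return posture_report(identities, today)


if __name__ == "__main__":
    for ident, findings in sample_report().items():
        print(f"{ident}: {', '.join(findings)}")
```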
Critical components: Integrating AI, HR & vendor systems
A critical component of this reference architecture specifically addresses the unique and complex integration requirements of emerging AI, alongside traditional HR and vendor systems:
AI agent identity management
Dedicated identity lifecycle for artificial intelligence agents
Integration with existing cloud environments and SaaS applications
Specialized provisioning for autonomous and semi-autonomous systems
Enhanced entity types
Users, Devices, and traditional Non-Human Identities (NHI)
AI Agents as a distinct entity class with unique characteristics
Specialized authentication, authorization, and audit requirements
Unified human capital management 
Combined, normalized view of HR & Vendors
Establish identity assurance at onboarding time
Provision identity using ILM (identity lifecycle management)
Validated against external signals for multiple identity proof points

How we get there: 
The Identity Maturity Model

Organizations cannot merely aim for the end state of the unified architecture. Getting there requires a strategic, phased approach that maintains operational continuity while systematically addressing capability gaps.
The Identity Working Group developed a maturity model for identity that provides organizations with a prescriptive, structured pathway from their current fragmented state to the unified architecture vision.
Unlike theoretical frameworks developed by standards bodies, this model has been piloted and refined with practitioners within the Identity Working Group, ensuring practical applicability and realistic expectations for achieving measurable risk reduction and operational improvement at each stage.
1. Identity Asset Management & Inventory
Initial: Partial inventory; ad hoc inventory processes
Developing: Critical assets inventoried; repeatable process
Defined: Most assets inventoried; partially automated process
Managed: Complete inventory (users + NHIs); fully automated process
Optimized: Continuous, automated discovery and classification; stale or risky assets autonomously removed
2. Identity Proofing
Initial: Any form of identity proof acceptable; identity assertions validated through self-assertion (NIST IAL 1); identity verification performed once during onboarding; manual, ad hoc verification processes; no documented process; no proof linking to the individual
Developing: One acceptable form of identity proof; identity assertions validated with a trusted entity (NIST IAL 2); identity verification performed once during onboarding; manual, consistent processes per documentation; no proof linking to the individual
Defined: Two acceptable forms of identity proof; identity assertions validated with trusted entities (NIST IAL 2); identity re-verification performed during significant employment-level changes; efficient process with some automation and process documentation; at least one form of proof linking to the individual
Managed: Three acceptable forms of identity proof; identity assertions validated with trusted entities (NIST IAL 3); identity re-verification performed during significant employment-level changes; mostly automated process with ML models for verification; at least two forms of proof linking to the individual
Optimized: Three or more acceptable forms of identity proof; identity assertions validated with trusted entities (exceeding NIST IAL 3); identity re-verification performed during significant role changes; integrated with a federated, trusted consortium of identity-proofing entities; countermeasures deployed against AI-generated identity proofs; at least three forms of proof linking to the individual
3. Identity Lifecycle Management
Initial: None, or manual and inconsistent lifecycle; fractured onboarding and offboarding; poor tracking and reporting
Developing: Basic lifecycle processes (joiner/leaver); no automation; disjoint HR and vendor systems; ad hoc tracking and reporting
Defined: Clear lifecycle processes for provisioning and deprovisioning; basic automation, tracking and reporting
Managed: Integrated HR and vendor systems; comprehensive automated lifecycle management; detailed tracking and reporting
Optimized: Business policies drive autonomous lifecycle management; modeled least-privilege provisioning and deprovisioning; detailed tracking and reporting
4. Robust Authentication - Users
Initial: Single weak-factor authentication; mostly local accounts; poor credential hygiene; no comprehensive visibility into authentication strength across IdPs and applications
Developing: MFA partially enabled, with weak methods; SSO partially enabled; credential hygiene for users
Defined: Strong MFA for critical identities; SSO mostly enabled; credential hygiene for critical identities; consistent token and session management
Managed: Strong MFA for all applicable users; SSO fully enabled for applicable accounts; user credentials fully managed and rotated; consistent, comprehensive, continuous visibility into adoption of robust authentication methods
Optimized: Risk-based authentication; behavioral analytics; adaptive authentication based on context; passwordless authentication; adoption of SaaS vendors with stronger, more secure token implementations
5. Identity Access Governance & Compliance
Initial: No formal governance structure; no compliance checks; no audit trails; no access reviews
Developing: Basic governance roles defined; periodic audits with a manual audit process; limited tracking of findings; ad hoc access reviews for critical systems
Defined: Established governance team; regular scoped audits; documented audit process; findings tracked and addressed; regular access reviews for critical systems
Managed: Comprehensive governance framework; continuous auditing; automated alerts for violations; detailed audit trails and a high fix rate; comprehensive access reviews
Optimized: AI-driven governance recommendations; predictive analysis for compliance; automated compliance reporting; continuous control validation; regular, automated access reviews
6. Authorization, Access Management & Entitlements
Initial: Excessive resource access; excessive privileges common; no access control policies
Developing: Some resources and privileges managed; basic RBAC; limited enforcement
Defined: Critical resource access managed; external accounts and their resource access tightly controlled; access control policies in place
Managed: Continuous access monitoring; driving toward least privilege
Optimized: Self-review and certification; continuous access monitoring; just-in-time and just-enough access; fine-grained entitlement management
7. Privileged Access Management
Initial: No dedicated PAM solution; shared privileged accounts; no audit trails for privileged accounts
Developing: Basic PAM solution for various admin roles; password vaulting; session tracking and limited control
Defined: Comprehensive PAM solution for all privileged and high-value-target accounts; access control and auditing for privileged accounts
Managed: Just-in-time privileged access; strict control of privileged account sessions; separation of duties and access reviews
Optimized: Continuous monitoring of privileged activities; model-based pruning of privileged access; AI-driven risk scoring of privileged access; access adjusted in response to privileged-access breaches
8. Zero Trust Implementation
Initial: No zero trust strategy; implicit trust throughout the environment
Developing: Basic zero trust concepts introduced; limited implementation in key areas
Defined: Defined zero trust architecture; full implementation in key areas; “always verify” principle for key assets
Managed: Comprehensive zero trust framework; continuous verification of identity; context-aware access controls
Optimized: Full zero trust implementation; micro-segmentation; continuous validation; dynamic trust using behavioral analytics
9. Identity Threat Detection & Analytics
Initial: Limited logging; limited detection capabilities
Developing: Basic logging and monitoring; some alerts on critical events; manual incident detection
Defined: Comprehensive logging; event correlation insights; real-time monitoring and alerting
Managed: Advanced analytics and ML-based detection; automated alerts and workflows
Optimized: Threat intelligence integrations; UEBA; threat ontology sharing; adaptive, predictive detection
10. Identity Incident Response
Initial: No formal incident response plan; ad hoc reaction to incidents
Developing: Basic incident response plan, partially tested
Defined: Comprehensive response plan, regularly tested
Managed: Automated incident response integrated with IAM systems; post-incident posture and access improvements
Optimized: Real-time response; self-healing systems; proactive simulations
11. NHI Hygiene
Initial: Partial inventory; ad hoc inventory processes; NHI resource access is ad hoc
Developing: Highest-value NHIs inventoried; defined inventory process; credentials manually managed; NHI resource access manually provisioned
Defined: Most NHIs inventoried; partially automated inventory process; credential rotation monitored and automated; NHI access automated
Managed: Complete NHI inventory with ownership; credential and account hygiene automated; detailed tracking and reporting; NHI security posture continuously managed; NHI access automated and governed
Optimized: Toxic combinations understood and guarded against
12. AI Agents
Initial: No inventory of AI agents; no lifecycle management of AI agents; shadow AI may be prevalent; AI data access is broad and ungoverned; user identities are impersonated by AI agents
Developing: Manual, partial inventory of AI agents; lifecycle management for critical AI agents; shadow AI may be prevalent; data-classification-based access control for AI
Defined: Automated, infrequent inventory of AI agents; most AI agent onboarding and user assignments centrally managed; shadow AI monitored and disabled through inventory automation; resource access control in place for users with AI agents
Managed: Automated, frequent AI agent inventory; most AI agent onboarding and user assignments centrally managed; shadow AI controlled; least-privilege access control for AI agents; AI agent delegation practices in development
Optimized: Continuously monitored AI agent inventory; AI agent use continuously monitored; no shadow AI; least privilege, JIT and JEA for AI agents; delegation practices rolled out
Maturity levels 
Each of the 12 capability areas progresses through five distinct maturity levels. 
Initial: Characterized by poor visibility, ad-hoc processes, a reactive approach to identity issues, and a highly vulnerable posture to identity-based attacks.
Developing: Basic visibility into key identity elements established, along with foundational management processes. While the response to identity issues remains largely reactive, some early automation reduces immediate vulnerabilities. But significant gaps remain for comprehensive control and strong posture. 
Defined: Improved visibility and understanding achieved through documented processes and a degree of integration between identity systems. Consistent management processes are in place with moderate automation. This allows for more coordinated response to identity issues, moving toward proactive measures — and improves posture.
Managed: Offers near real-time visibility and comprehensive understanding across the identity ecosystem through unified systems and data collection. Highly automated and mature management processes enable proactive identity risk identification, significantly strengthening posture against identity-based threats.
Optimized: Achieves continuous, intelligent visibility and predictive understanding powered by advanced analytics and AI. Autonomous and self-healing management processes drive continuous improvement, leading to a highly adaptive and proactive threat response model and an exceptionally resilient posture.
Compliance Benefits
Organizations achieving higher maturity levels demonstrate measurably better compliance outcomes, reduced audit findings, and lower regulatory risk across frameworks including SOX, GDPR, HIPAA, and PCI-DSS.
Core assessment categories
The model evaluates organizations across 11 critical identity capabilities:
1. Identity Asset Management & Inventory
• Objective: Complete visibility and control of all identity assets across the enterprise.
• Why critical: You cannot secure what you cannot see. Comprehensive identity inventory is the foundation of all other security controls.
How Oleria accelerates identity maturity:
Create a single source of identity truth across your hybrid environment.
Oleria consolidates identity silos into a single source of truth, giving you comprehensive and fine-grained visibility, down to the individual permission and resource level, of all access rights and permissions across your organization's systems and applications — including SaaS, cloud, on-prem and custom applications.
2. Identity Proofing
• Objective: Establish trusted digital identities through rigorous verification processes aligned with NIST Identity Assurance Levels.
• Why critical: Strong identity proofing prevents identity fraud and ensures accountability for all actions taken within the enterprise.
3. Identity Lifecycle Management
• Objective: Automated, secure management of identity creation, modification, and termination.
• Why critical: Manual lifecycle processes create security gaps, operational delays, and compliance risks.
4. Robust Authentication
• Objective: Strong, phish-resistant authentication and account hygiene across all systems and use cases.
• Why critical: Weak authentication is the primary enabler of credential-based attacks that comprise 80% of breaches.
How Oleria accelerates identity maturity:
Gain wide and deep visibility into your authentication posture to remediate MFA & SSO gaps and manage password & account hygiene across your digital estate.
Oleria gives you wide and deep visibility into overall posture, including MFA coverage for both SSO and local accounts across your digital estate. Our continuous monitoring automatically detects accounts without MFA, including admin accounts and helps enforce strong MFA for every app and every account. With continuous visibility into authentication gaps, Oleria identifies weak or outdated authentication methods and enables your transition toward strong, phishing-resistant MFA.
5. Identity Governance & Compliance
• Objective: Comprehensive oversight and regulatory compliance for all identity operations.
• Why critical: Governance failures lead to compliance violations, regulatory penalties, and loss of stakeholder trust.
How Oleria accelerates identity maturity:
Automate governance and compliance with intelligent workflows.
Oleria simplifies identity governance by moving beyond manual access reviews to automated campaigns that drive real action. Our platform provides intelligent recommendations to right-size access, enforces policy with automated workflows, and delivers alerts for rapid remediation of violations. This ensures organizations can maintain continuous compliance, reduce audit findings, and strengthen stakeholder trust while freeing teams from time-consuming, error-prone processes.
6. Authorization, Access Management & Entitlements
• Objective: Fine-grained access control implementing least privilege principles.
• Why critical: Excessive privileges enable lateral movement and data exfiltration once initial access is gained.
How Oleria accelerates identity maturity:
Streamline and automate access reviews.
In addition to deep insights into group and account analytics and external access management, Oleria enables you to move from manual, rubber-stamp access reviews to an intelligent process with automated campaigns that achieve high fix rates. AI-powered recommendations based on actual usage patterns significantly reduce manual review time while driving towards least privilege through usage-based intelligence.
7. Privileged Access Management
• Objective: Specialized controls for high-risk administrative, specialized and service accounts. 
• Why critical: Privileged accounts provide the highest-value targets for attackers and require enhanced security controls.
8. Zero Trust Implementation
• Objective: "Never trust, always verify" security model across all access decisions.
• Why critical: Traditional perimeter-based security fails in cloud and mobile environments.
9. Identity Threat Detection & Analytics
• Objective: Proactive identification and analysis of identity-related threats.
• Why critical: Traditional reactive security approaches cannot keep pace with modern attack techniques and velocities.
10. Identity Incident Response
• Objective: Rapid, effective response to identity-related security incidents. 
• Why critical: Quick containment and remediation of identity incidents prevents lateral movement and data exfiltration.
How Oleria accelerates identity maturity:
Get immediate answers to investigation questions and remediate vulnerabilities rapidly.
Immediately answer essential questions around who has access to breached data, how they got it, and what they did with it — in minutes instead of weeks — so you can respond faster to remediate threats. Oleria makes it easy to locate sensitive files and understand access paths through a visually intuitive Access Graph, or to get automatically generated case summaries with Oleria’s Copilot.
11. Non-human Identities (NHI)
• Objective: Secure management of non-human identities.
• Why critical: Non-human Identities have remained the un-monitored, un-managed and un-governed parts of organizational identity systems, representing significant risk.
How Oleria accelerates identity maturity:
See and secure all NHIs — and investigate faster with Copilot.
Oleria gives you complete visibility into every non-human identity across cloud, SaaS, on-prem, and hybrid environments — in minutes, not months. Our unified access graph consolidates accounts, groups, resources, and permissions into one view, with fine-grained insights down to individual entitlements. When issues arise, Oleria Copilot streamlines investigations by generating case summaries that show who had access, how it was used, and direct links to detailed logs and reports — making it easy to trace access paths, validate impact, and remediate risks quickly.
AI Agents (Special Category)
• Objective: Secure management of artificial intelligence agents and autonomous systems.
• Why critical: AI agents represent the fastest-growing category of identity risk with unique management challenges.

How to use the Identity Security Maturity Model: Key actions to advance your maturity

Having understood the core assessment categories and the progression of identity maturity, the next step is to strategize your organization's journey. This section provides practical guidance for progressing through each level of the Identity Maturity Model. These transitions aren’t theoretical — they’re grounded in field-tested tactics from practitioners who’ve made the climb.
1. Initial → Developing
From ad hoc to foundational visibility
Top 4 actions:
Inventory critical assets (users, NHIs, applications and resources) across directories, identity providers, HR and vendor systems, and commercial and custom applications. Establish a unifying foundational platform for visibility, creating a repeatable process.
Establish ownership of identity policy: who governs, who approves, how approvals work, and who enforces.
Establish basic identity lifecycle processes (joiners, leavers), moving to a defined process, even if manual, for onboarding and offboarding.
Build identity compromise analysis into your incident response plan. Perform failure mode analysis of your enterprise identity data estate against well-known identity breaches, and establish an identity-centric response in your incident response plan that covers investigation, remediation, and retrospective/posture enhancement plans that emphasize identity compromise.
Quick wins:
Enforce MFA on all critical (admin) accounts and on high-value NHI and agentic accounts.
Standardize one acceptable form of identity proof validated by a trusted entity, and apply it to all new user accounts.
Centralize and retain identity-related audit logs.
Avoid these pitfalls:
Over-reliance on human processes and spreadsheets; actively seek opportunities for automation, even if partial.
Using SMS as a long-term MFA option.
Ignoring machine and service identities.
How Oleria accelerates identity maturity:
Inventory critical assets in minutes. Organizations can spend weeks or even months manually inventorying critical assets, but with automated discovery and continuous classification, Oleria delivers a complete inventory of all identities, application accounts, and resource instances across human and non-human identities, internal and external accounts — in minutes, not months. 
This foundation of visibility is paired with the basic building blocks of posture and governance needed to advance from the Initial to Developing stage: Oleria shows where MFA and SSO coverage is missing, surfaces weak or risky accounts (including admin accounts), and provides clear insights to patch gaps, while also helping define ownership, enforce baseline policies, and create repeatable processes for onboarding, offboarding, and access decisions — ensuring your identity program is built on a strong, sustainable framework.
2. Developing → Defined
From visibility to repeatable processes
Top 4 actions:
Automate most inventory: Transition from manual (even if repeatable) to automated process for inventorying most assets. 
Implement a consistent lifecycle management process: a fully vetted, consistent process for provisioning and deprovisioning joiners and leavers ensures no persistent access for leavers and necessary and sufficient access for joiners.
Conduct regular (quarterly) access reviews for privileged and sensitive accounts with usage insights. 
Manage Critical Resource access and External Accounts: Re-evaluate, redefine and deploy access to top critical systems and resources. Inventory external accounts and disable critical resource access to un-recognized external accounts. 
Quick wins:
Deploy strong phish-resistant authentication for executive and IT staff.
Establish Identity security KPIs. Track “time to deprovision” as a KPI. Monitor for residual access. 
Avoid these pitfalls:
Deploying point identity security solutions for expediency and cost reasons, creating additional identity security fragmentation and debt.  
Assuming initial integration solves end-to-end identity. 
How Oleria accelerates identity maturity:
Establish repeatable processes with automation and governance.
Moving from Developing to Defined maturity is about creating consistency — turning one-off fixes into standardized, repeatable processes. Oleria helps by automating core elements of inventory and lifecycle management, providing the framework to enforce posture and governance policies, and embedding identity into your incident response plan. With centralized visibility and automated workflows, organizations can begin to replace manual, ad-hoc administration with structured processes that ensure access is consistently provisioned, governed, and monitored across the enterprise.
3. Defined → Managed
From process to automation and assurance
Top 4 actions:
Automate provisioning & deprovisioning: Integrate HR/vendor systems with IdPs for automated provisioning and deprovisioning according to the policies established in the Defined stage.
MFA everywhere, SSO everywhere: Achieve strong, phishing resistant MFA for all applicable users and fully enable SSO for all non-break glass local accounts. Continuously monitor for violations. 
Comprehensive access reviews: Perform comprehensive access reviews through automated scheduled campaigns for all applications. 
Enable continuous activity analysis, with identity behavior anomaly detections.
Quick wins:
Revise and standardize on multiple forms of required identity proof. 
Alert on deviations from MFA everywhere & SSO everywhere identity security posture. 
Disable dormant accounts over 90 days inactive.
Avoid these pitfalls:
Running access reviews without entitlement context.
Lack of automation with comprehensive, continuous verification of identity security posture & governance, resulting in falling back to previous stages. 
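The "time to deprovision" KPI, the residual-access check for leavers, and the 90-day dormant-account rule from the quick wins above can be measured from the centralized identity audit log. The following is an added example, not Oleria's code or any product API; the HR leaver dates, the IdP account inventory and the audit events are constructed sample data, and the 24-hour deprovisioning SLA is an assumed policy value.

```python
"""Added example: identity lifecycle KPIs over constructed HR and IdP audit data."""
from datetime import datetime, timedelta

# Constructed sample data (not from any real system).
HR_LEAVERS = {  # user -> termination date recorded by the HR system
    "alice": datetime(2024, 3, 1),
    "bob": datetime(2024, 3, 5),
    "carol": datetime(2024, 3, 10),
}
ACCOUNT_INVENTORY = {  # user -> account creation date from the IdP inventory
    "alice": datetime(2022, 1, 10),
    "bob": datetime(2022, 6, 2),
    "carol": datetime(2023, 2, 14),
    "dave": datetime(2023, 5, 1),
    "erin": datetime(2023, 9, 9),
    "frank": datetime(2023, 10, 1),  # provisioned but never used
}
IDP_EVENTS = [  # (timestamp, user, event) from the centralized identity audit log
    (datetime(2024, 3, 1, 9, 0), "alice", "account_disabled"),
    (datetime(2024, 3, 6, 8, 30), "bob", "signin_success"),    # after termination
    (datetime(2024, 3, 7, 16, 0), "bob", "account_disabled"),
    (datetime(2024, 3, 12, 11, 0), "carol", "signin_success"),  # never disabled
    (datetime(2023, 11, 20, 10, 0), "dave", "signin_success"),
    (datetime(2024, 3, 14, 9, 0), "erin", "signin_success"),
]
AS_OF = datetime(2024, 3, 15)              # report date for the constructed data
DEPROVISION_SLA = timedelta(hours=24)      # assumed policy: disable within 24 h
DORMANT_AFTER = timedelta(days=90)         # quick win: dormant after 90 days


def time_to_deprovision(leavers, events):
    """KPI: delay from HR termination to the first IdP disable; None if never disabled."""
    result = {}
    for user, terminated in leavers.items():
        disables = [ts for ts, u, ev in events
                    if u == user and ev == "account_disabled" and ts >= terminated]
        result[user] = (min(disables) - terminated) if disables else None
    return result


def sla_breaches(ttd, sla=DEPROVISION_SLA):
    """Leavers whose account was disabled late, or not at all."""
    return sorted(u for u, delay in ttd.items() if delay is None or delay > sla)


def residual_access(leavers, events):
    """Successful sign-ins after the HR termination date: persistent access for leavers."""
    hits = {}
    for ts, user, ev in events:
        terminated = leavers.get(user)
        if terminated is not None and ev == "signin_success" and ts > terminated:
            hits.setdefault(user, []).append(ts)
    return hits


def dormant_accounts(inventory, events, as_of, threshold=DORMANT_AFTER):
    """Enabled accounts with no sign-in (or, if never used, no creation) within the threshold."""
    disabled = {u for _, u, ev in events if ev == "account_disabled"}
    dormant = []
    for user, created in inventory.items():
        if user in disabled:          # already deprovisioned, nothing to clean up
            continue
        signins = [ts for ts, u, ev in events if u == user and ev == "signin_success"]
        last_activity = max(signins) if signins else created
        if as_of - last_activity > threshold:
            dormant.append(user)
    return sorted(dormant)


def lifecycle_report(as_of=AS_OF):
    """Bundle the three checks into one report suitable for KPI tracking or alerting."""
    ttd = time_to_deprovision(HR_LEAVERS, IDP_EVENTS)
    return {
        "time_to_deprovision_hours": {u: None if d is None else d.total_seconds() / 3600
                                      for u, d in ttd.items()},
        "sla_breaches": sla_breaches(ttd),
        "residual_access": residual_access(HR_LEAVERS, IDP_EVENTS),
        "dormant_accounts": dormant_accounts(ACCOUNT_INVENTORY, IDP_EVENTS, as_of),
    }


if __name__ == "__main__":
    for key, value in lifecycle_report().items():
        print(f"{key}: {value}")
```

On the constructed data the report flags bob (disabled 64 hours after termination, with a sign-in in between) and carol (never disabled) as SLA breaches with residual access, and dave and frank as dormant.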
How Oleria accelerates identity maturity:
Automate governance, posture enforcement, and remediation at scale.
Oleria helps organizations move from manual oversight to reliable automation by embedding identity security into daily operations. We enable continuous posture enforcement (MFA/SSO monitoring, dormant account cleanup), automated governance (policy-driven access reviews with intelligent recommendations), and faster incident response (immediate visibility into who had access, how it was used, and rapid remediation workflows). With these automated processes in place, security teams gain assurance that controls are consistently applied, violations are quickly addressed, and identity risk is actively contained — a critical step in progressing from Developing to Managed maturity.
4. Managed → Optimized
From automation to autonomous identity
Top 4 actions:
Implement continuous, automated discovery and classification of all identity assets - Automated systems help discover all identity assets, classify them, understand their security risk and autonomously improve cleanliness, remediating dormant, stale, or risky assets. 
Deploy autonomous access governance frameworks (with human-in-the-loop as appropriate) - Enable just in time, just enough access, removing excess access to resources, with real-time, continuous access certifications, based on activities on resources, and role / attribute based claims. 
Shift to automated conformance to identity security policy across all identity and access systems, instead of manual detection and remediation of identity security policy violations.
Deploy agents for adapting policies - that recommend and deploy policy changes based on business needs. 
Integrate threat intelligence and behavioral analysis in the drive towards zero trust and adaptive threat detection.
Quick wins:
Pilot passwordless authentication for key user groups. 
Begin adoption of AI agents to flag and remediate excessive entitlements, reclaiming licensing COGS.
Avoid these pitfalls:
Ignoring AI generated identity proofs. 
Treating deployed AI agents as generic service accounts. Insufficient focus on AI agent security beyond basic controls. 
Prioritizing your identity security transformation
The section above provides a guide to the top actions for advancing your identity security maturity. But this is not a one-size-fits-all prescription: organizations should not undertake all of the given top actions for their maturity stage all at once. Moreover, organizations should prioritize different top actions based on a careful consideration of how the outcomes align with key business-level objectives.
Essential considerations for strategic business alignment
Below is a set of critical factors you must evaluate to prioritize specific improvements, allocate resources effectively, and ensure your identity security initiatives directly support overarching business goals:
Latent security risk: Organizations often have personnel or departments focused on latent risk in their existing systems. These security risks may come from internal audits, security risk assurance evaluations from trusted vendors, etc., and consist of systemic vulnerabilities, known breaches or threats, unmet compliance needs, etc. These are typically recorded in a risk registry (something we recommend every organization have) with impact / probability ratings and associated prioritizations. A prioritized list of risks needs to be considered as part of the manifest of security actions that the organization should fund.
Business outcomes: Organizations may need to prioritize a particular domain based on their industry, their specific business outcomes, and strategic investments. For example, an organization may be looking to deploy AI copilots across the organization and needs to mature its authorization and access readiness before focusing on other domains. Another organization might be in the process of acquiring a company, and needs to bring heterogeneous identity systems together under one common identity security administration. Such a list of business outcomes needs to be considered as part of the identity security program.
Identity security maturity model: Assess your current identity security maturity and establish the most impactful domain(s) to enhance, creating a concrete list of security maturity model activities for your organization. 
Get your strategic Identity security roadmap
Pinpoint your current security and governance gaps with the only identity assessment that helps you assess, benchmark, and optimize your security strategy. Unlike generic security assessments, we deliver actionable insights tailored to your organization. 
Book now with Oleria. www.oleria.com/identity
Cost: Improving your identity security maturity comes with a cost. These costs include transition costs from a poorly deployed / developed system to a more mature system while preserving business continuity, and procurement costs for unified identity security platforms (though the expectation from such systems should be that over time they improve the efficacy and efficiency of overall identity security programs). Moreover, improving your identity security maturity in the right way should also improve the long-term operational cost of your identity security programs — through improved security, lowered operational costs, tool and license consolidation, and reduction in the business impact of breaches and outages due to identity security compromise.
Organizations must balance these considerations to create a robust prioritization framework and establish effective plans for improving identity security. Progress doesn’t have to be uniform across all 11 core capabilities. What matters most is consistent forward momentum — reducing risk, increasing operational efficiency, and safely improving business agility along the way. Use the maturity model and unified architecture as a north star, not a checklist.
A Net BRiCE Score: Your prioritization framework
Establish a prioritization framework for evaluating and ranking identity security program initiatives based on the factors above:
Business value: how aligned is this with strategic business initiatives & value
Risk Impact: what is the impact of an unaddressed risk or of delaying a maturity model initiative 
Cost: cost of implementing the initiative 
Effectiveness / efficiency: improvements that result from implementing the initiative 
Computing your BRiCE score: the BRiCE score can be computed as [(B * Ri) / C] * E. An initiative with a higher net BRiCE score should be considered a higher priority.
Embracing a continuous journey
Ultimately, advancing identity security maturity is not a static destination but a continuous journey of strategic transformation. By systematically applying the prescriptive actions within this model, and by thoughtfully prioritizing improvements based on your organization’s unique risks, business objectives, and resources, you can ensure consistent forward momentum. 
This disciplined approach not only reduces risk and enhances operational efficiency, but critically, it positions identity security as a proactive enabler for innovation, business agility, and the secure adoption of emerging technologies like AI. Leverage this model as your North Star, guiding a sustained evolution towards a truly unified and autonomous identity future.

The imperative for change

The urgency for transforming identity cannot be overstated — and is rooted as much in capturing competitive advantage as in avoiding risk. Organizations that defer action will face compounding risks and severe consequences:
The cost of inaction: Continued exposure to identity-based attacks, which represent the most common and damaging breach vector, leading to financial losses, reputational damage, and operational disruption.
Competitive disadvantage: Organizations with fragmented, immature identity programs will struggle to innovate at the pace of business, falling behind agile competitors who can securely leverage automation and AI.
Escalating regulatory pressure: Increasing compliance requirements and the certainty of rigorous audits will expose organizations with weak identity governance, leading to significant penalties and legal liabilities.
Impeded business enablement: Identity will remain a frustrating bottleneck, hindering productivity, blocking access to critical data, and preventing the secure adoption of transformative technologies.
Essential steps to get started
The journey toward a unified, autonomous identity future begins with practical, actionable steps. Leverage the Identity Working Group’s frameworks to begin your transformation:
1. Assess your current state: Utilize the provided maturity model for a baseline assessment. This will give you a comprehensive understanding of your existing identity landscape, revealing critical gaps and guiding your strategic investments.
2. Prioritize high-impact improvements: Identify "quick wins" – high-impact, low-effort improvements that can immediately reduce risk and demonstrate value within your organization. 
3. Develop a strategic roadmap: Create a phased implementation plan that systematically progresses through the maturity model, ensuring operational continuity while building toward the unified architecture. 
4. Secure executive sponsorship: Obtain critical executive sponsorship and allocate the necessary budget to ensure the sustained success of your identity transformation initiatives. 
5. Begin implementation: Start with foundational elements, focusing on achieving comprehensive visibility and control over all identities across your environment – human, non-human, and AI.
Jumpstart your identity maturity with Oleria
Our identity security solution provides complete clarity and control over all identities — human, non-human, and AI — across your entire hybrid environment. Our graph-native Trustfusion Platform integrates with all your systems in minutes, not months, delivering unparalleled, fine-grained visibility. 
Connect with our team to see how Oleria transforms identity security from bottleneck to business enabler.
Measuring success
Transforming identity delivers measurable results across multiple dimensions:
Security metrics:
Demonstrable reduction in identity-related incidents, compromised accounts, and the overall attack surface.
Operational metrics:
Tangible improvements in efficiency and automation, reducing manual orchestration burden and freeing up security teams for strategic work.
Business metrics:
Enhanced user experience, accelerated productivity, and the secure enablement of new business initiatives and AI adoption.
Compliance metrics:
Measurable reduction in audit findings and consistent adherence to regulatory compliance requirements across all frameworks.
Committing to continuous advancement
We also emphasize that maturity in identity is not a static destination but an ongoing journey. Organizations must commit to these principles to ensure continuous advancement:
Continuous evolution: Recognize identity as a dynamic, ongoing process that requires constant adaptation to emerging threats and technologies.
Community engagement: Actively participate in industry initiatives and the Identity Working Group to share insights, collaborate on solutions, and collectively advance the state of identity.
Innovation adoption: Stay current with emerging technologies that align to the unified architecture and maturity model, ensuring your solutions are future-ready.
Leadership development: Invest in building organizational capabilities and developing security leaders who can champion and execute this critical transformation.

Our shared mandate: 
Realizing a secure, AI-enabled future

The challenges we face are universal — shared across departments, industries, and geographies. The fragmented identity landscape, the explosion of non-human identities, and the emergence of agentic AI affect every single organization on the planet. Only through a proactive, unified approach — guided by real-world experience — can we keep up with these unprecedented risks without slowing down business agility and innovation.
The Identity Working Group represents a fundamental shift toward this kind of practitioner-led innovation in identity. Our collective commitment extends beyond this publication to ongoing collaboration, knowledge sharing, and continuous evolution of these frameworks.
Looking ahead, we envision a future where identity enables rather than inhibits business innovation. Where agentic AI operates securely within well-defined boundaries. Where security teams focus on strategic initiatives rather than manual identity administration. Where organizations achieve true Zero Trust through comprehensive, adaptive, and autonomous identity management.
This future is achievable. The architecture in this paper provides the prescriptive roadmap — and the maturity model offers a practical, structured progression.
The journey from fractured identity to unified autonomy begins with a single step. We invite you to take that step with us.

Appendix A: Glossary of Identity Terminology

Core identity concepts
Identity: The attributes and characteristics that define and uniquely identify an individual or entity in a domain. An identity can be for a person, device, application, service, etc. Key components include identifiers that distinguish one identity from another, attributes such as name and role, credentials used to assert identity, and profiles representing the identity in specific contexts.
Identity Management: A foundational element of an organization's security architecture, enabling organizations to protect their data and systems while supporting efficient and secure operations. Composed of capabilities ranging from lifecycle management and access governance to privileged access management.
User Lifecycle Management: Identity systems that manage the lifecycle of user identities within an organization, from creation through changes to deactivation. Includes processes for onboarding new employees, updating permissions as roles change, and removing access when employees leave.
Identity Proofing: The essential process of verifying and authenticating the identity of an individual to ensure they are who they claim to be. A critical step in establishing the binding between a person and their digital identity representation in an organization.
Non-Human Identity (NHI): Identities representing services, applications, bots, devices, and other automated systems. In SaaS environments with AI solutions, non-human identities often outnumber human identities significantly and frequently have broader permissions while running continuously.
Third Party Identities: Identities presented from external partners, vendors, consultants, and other third parties. With improved collaboration capabilities, third party identity and access control presents challenging security domains.
Account: A digital representation of an identity linked to a specific service or application. Typically consists of a username, password or other credentials, and may include profile data, preferences, and permissions.
Dormant Account: A user account that has not been accessed for a specified period as defined by organizational security policy. These accounts pose security risks as they can be targeted for unauthorized access.
Authentication
Authentication: The process of verifying the identity of a user, device, or system. Ensures that the entity trying to access a resource is who or what it claims to be. Common methods include passwords, biometric data, hardware/software tokens, and multi-factor authentication.
Credentials: Information provided by a user, device, or system to prove identity binding. For example, a username (identifier) and password constitute credentials for authentication purposes.
Passwordless Authentication: A method of verifying user identity without requiring password entry, using more secure and convenient alternatives such as biometric authentication, security tokens, or other phish-resistant methods.
Authentication Strength: The robustness and security of the authentication method used to verify identity. Strong authentication mechanisms reduce the risk of unauthorized access and protect sensitive information.
Multi-Factor Authentication (MFA): An authentication model requiring users to provide multiple forms of identity proof for verification. Typically incorporates something you know, something you have, and something you are. Different factors should be used to ensure that compromise of one factor doesn't defeat the entire authentication system.
Assurance Level: The degree of confidence in successful authentication of a user's claimed identity. Determined by factors including authentication mechanism strength, identity provider assurance, identity proofing rigor, and the number and types of authentication factors used.
Authorization
Authorization: The process of establishing what an authenticated user, device, or system is permitted to do within a system. Defines the level and type of access to resources, actions, or services based on the rights the identity has.
Entitlements & Permissions: Entitlements are predefined access rights assigned to users or roles within an organization, representing what users are entitled to access. Permissions are specific access rights defining what actions can be performed on particular resources.
Groups and Roles: Groups are collections of users sharing common attributes, entitlements, and permissions, simplifying access management. Roles define specific permissions associated with certain functions, dictating what actions can be performed on resources.
Delegation and Impersonation: Delegation refers to temporarily granting a subset of access rights to another entity to perform actions on behalf of the original user. Impersonation is acting as another entity with all their permissions, representing a significant security threat.
Claims: Assertions made about a user or entity, used to grant access to resources and define permitted actions. Claims provide flexible representation of identity attributes, entitlements, roles, and permissions.
Access management
Access Management: The process of regulating how entities gain access to applications and digital resources, ensuring only authorized users have access to specific information or systems while preventing unauthorized access.
Least Privilege Principle: An approach limiting access to the minimum required level to perform tasks, reducing the risk of accidental or malicious misuse through just-in-time and just-enough access implementations.
Access Governance: Establishing policies, frameworks, and processes ensuring access rights are properly assigned, monitored, and maintained across the organization, focusing on oversight and accountability.
Access Modeling: The process of designing, implementing, maintaining, and controlling access to resources within an organization, facilitating least privilege principles and integrating with identity lifecycle management.
Privileged Access Management (PAM): Framework of policies, technologies, and practices designed to protect systems and sensitive data by managing and controlling access for users with elevated privileges.
Security tokens
Security Token: A digital artifact containing credentials, assertions, and claims needed to authenticate and authorize users or systems. Examples include username tokens, X.509 certificates, SAML tokens, JSON web tokens, and Kerberos tickets.
Security Token Service (STS): A web service that issues security tokens, making assertions based on trusted evidence presented by recipients. Forms the basis of modern web service authentication and authorization systems.
Proof Tokens vs Bearer Tokens: Proof tokens require cryptographic demonstration of ownership through key possession. Bearer tokens do not require ownership proof—anyone presenting the token is considered the owner.
Token Binding, Signing, and Encryption: Practices for cryptographically linking tokens to specific messages, ensuring authenticity and integrity through digital signatures, and protecting confidentiality through encryption.
Single Sign-On (SSO): An authentication process allowing users to access multiple applications with one set of credentials. Once authenticated, users can seamlessly access permitted applications without re-authentication.
Identity federation
Identity Federation: A system allowing users to access multiple applications across different domains using a single set of login credentials, simplifying user management while maintaining security across platforms.
Trusted Authority: An entity trusted by all parties to authenticate and verify user identities, responsible for issuing and managing security tokens or credentials that other entities can rely on.
Identity Provider (IdP): A trusted entity that authenticates users and issues identity credentials or tokens used by service providers to grant access to resources and services.
Relying Party/Service Provider: An entity offering services that relies on an Identity Provider for user authentication, granting access to requested services or resources once authentication is confirmed.
Threats and mitigations
Common Threat Categories: Including spoofing (unauthorized entity posing as authorized), tampering (unauthorized alteration), repudiation (denial of involvement), denial of service attacks, information disclosure, and elevation of privilege.
Attack Methods: Brute force attacks (trying all possible combinations), dictionary attacks (using common password lists), password spray attacks (common passwords across many accounts), man-in-the-middle attacks (intercepting communications), and DNS poisoning (fake DNS information).
Security Practices: Data privacy and security protections, cryptography for information transformation, integrity and confidentiality preservation, identity security posture management (ISPM), identity governance and administration (IGA), and identity threat detection and response (ITDR).
Advanced Security Technologies: Endpoint detection and response (EDR), security orchestration automation and response (SOAR), security information and event management (SIEM), and zero trust security models operating on "never trust, always verify" principles.
Foundational terms
Resources: Assets requiring access control in digital identity systems, including applications, data and files, infrastructure, platform instances, APIs, and AI agents and workflows.
• Trusted Authority: Entity trusted for identity verification
• Identity Provider (IdP): Authentication and credential issuing entity
• Relying Party/Service Provider: Entity depending on IdP authentication
Entities: Physical entity digital representations in identity systems, typically classified as users, machines, devices, services, applications, and resources requiring access control.
Threats and mitigations
Threat Categories
• Spoofing: Unauthorized entity posing as authorized
• Tampering: Unauthorized data/system alteration
• Repudiation & Non-repudiation: Denial of involvement vs. proof
• Denial of Service: Service disruption attacks
• Information Disclosure: Unauthorized sensitive data revelation
• Elevation of Privilege: Gaining unauthorized higher-level access
• Attack Methods: Brute force, dictionary, password spray attacks
• Man in the Middle: Intercepting communications
• DNS Poisoning: Fake DNS information injection
Foundational Terms
• Entities: Physical entity digital representations in identity systems
• Resources: Assets requiring access (applications, data, infrastructure, APIs, AI agents)
Mitigation Techniques
• Data Privacy: Personal data protection from unauthorized access
• Data Security: Digital information protection practices
• Cryptography: Mathematical information transformation
• Integrity: Preventing unauthorized information changes
• Confidentiality: Preventing unauthorized information disclosure
• Identity Security Posture Management (ISPM): Security posture framework
• Identity Governance and Administration (IGA): Digital identity management
• Identity Threat Detection and Response (ITDR): Threat monitoring strategy
• EDR: Endpoint detection and response systems
• Identity Lifecycle Management: Comprehensive identity management process
• SOAR: Security operations automation and orchestration
• SIEM: Security information and event management
• Principle of Least Privilege (PoLP): Minimum access security concept
• Just-in-Time/Just Enough Access: Temporary, need-based access
• Zero Trust Initiative: "Never trust, always verify" security model

Appendix B: Architecture Evolution Analysis

Progression from the Identity and Access Reference Architecture document

Appendix C: Identity Model Details

1. Identity Asset Management & Inventory
Initial Stage
Description: Organizations lack a comprehensive or accurate inventory of identity assets across the enterprise. Identities (human and machine), their associated attributes, and their corresponding access rights are often unknown, unclassified, and decentralized. There's poor visibility into who has access to what, where, and why.
Risk today: High risk of orphaned accounts, unauthorized access, and undetected shadow IT. Inaccurate identity data leads to insecure access provisioning, prolonged access for departed users, and a broad attack surface for identity-based exploits. Compliance audits are extremely challenging or impossible.
Future implication: The absence of a unified and accurate identity inventory will prevent any meaningful security improvements. It will be a significant impediment to implementing advanced security frameworks like Zero Trust and will make secure adoption of new technologies (e.g., AI agents) impossible due to unmanageable identity sprawl.
Developing Stage
Description: Basic efforts are underway to inventory some critical identity assets, often in silos (e.g., Active Directory, HR system). Some manual processes are used to track new identities and basic attributes. However, there's still no complete, centralized view, and many identities and their full access context remain unknown.
Risk today: While some critical areas might have better visibility, the overall lack of a comprehensive identity inventory means significant blind spots persist. This leads to inconsistent policy enforcement, difficulty in identifying dormant or privileged accounts, and continued exposure to risks from unmanaged identities and entitlements.
Future implication: This fragmented approach will create ongoing operational overhead and security gaps. It will hinder efforts to automate identity lifecycle processes and build robust authorization models. Scaling secure access for a growing digital footprint, including AI integration, will be slow and error-prone.
Defined Stage
Description: Documented processes are in place for identity asset management, with a degree of automation for collecting and centralizing identity information from key sources. A foundational identity catalog or repository might exist, providing better, though not complete, oversight of human identities and their core attributes. Non-human identities are still often managed separately.
Risk today: Improved visibility reduces some common risks, but the lack of true completeness and real-time updates means that identity data can become stale, leading to potential access drift and delayed detection of unauthorized access. Non-human identities often remain a significant blind spot.
Future implication: While supporting current needs, the absence of a truly unified and dynamic identity inventory will limit the organization's ability to adapt to rapid changes in the IT landscape, such as cloud expansion or increased use of APIs. It will also slow down comprehensive identity governance initiatives.
Managed Stage
Description: A comprehensive and largely automated system for identity asset management is implemented, providing near real-time visibility into all human and a significant portion of non-human identities. A unified identity catalog serves as a central source of truth, tracking identity attributes, lifecycle status, and key entitlements across most critical systems.
Risk today: Identity-related risks are significantly reduced due to high visibility and accurate, up-to-date identity information. Automated processes minimize the window for unauthorized access and facilitate quicker identification of policy violations. This strengthens the overall security posture against identity-centric attacks.
Future implication: A managed identity asset management system provides a robust foundation for implementing advanced security frameworks like Zero Trust and enables more confident and secure adoption of emerging technologies. It enhances compliance capabilities and supports agile business operations by ensuring accurate and timely access provisioning.
Optimized Stage
Description: Achieves continuous and intelligent identity asset management, driven by predictive analytics and AI-powered discovery. The system autonomously identifies, classifies, and tracks all identity types (human, machine, AI agents) and their relationships in real-time, anticipating changes and risks.
Risk today: Near-zero risk of undetected identity sprawl, orphaned accounts, or unauthorized access due to continuous monitoring and automated remediation based on deep contextual understanding. The attack surface related to unknown or mismanaged identities is significantly reduced.
Future implication: An optimized identity asset management system is a strategic enabler for complete digital transformation and highly autonomous security. It provides the foundational identity context for advanced AI-driven security operations, self-healing access, and seamless, secure integration of any new technology or business initiative, driving competitive advantage.
2. Identity Proofing
Initial Stage
Description: Identity proofing processes are inconsistent, manual, and rely on basic, easily spoofed methods (e.g., simple document checks without verification, self-attestation). There's no standardized process for verifying the authenticity of an individual or entity when an identity is first established or when a high-risk transaction occurs.
Risk today: High risk of identity fraud, account takeover, and unauthorized access due to weak verification at the point of initial registration or during critical interactions. Physical impersonation attacks are easy to execute, leading to data breaches and financial losses.
Future implication: The inability to confidently prove an identity at critical junctures will severely limit trust in digital interactions and impede the adoption of high-value online services. It will also create significant regulatory compliance challenges in sectors requiring strong customer identification.
Developing Stage
Description: Some basic identity proofing mechanisms are introduced, typically for higher-risk scenarios or specific applications. This might involve a mix of manual reviews and simple digital checks (e.g., email/SMS verification). However, processes are not fully standardized or integrated, leading to gaps and inconsistencies.
Risk today: While some improvements mitigate the easiest fraud attempts, sophisticated attackers can still bypass these fragmented proofing measures. The lack of a consistent, multi-layered approach means vulnerabilities persist, particularly for less scrutinized workforce identities.
Future implication: This piecemeal approach will create friction in user onboarding and critical transactions. It will struggle to meet evolving regulatory demands for stronger identity verification and will limit the organization's ability to securely scale digital services that require a high degree of identity assurance.
Defined Stage
Description: Documented and standardized identity proofing processes are in place for various levels of assurance, integrating a combination of verification methods (e.g., basic document verification, knowledge-based authentication, or stronger digital identity checks). Processes are largely consistent for human identities, though non-human identity proofing may lag.
Risk today: The risk of identity fraud and account takeover is significantly reduced due to more robust verification at enrollment and high-risk access attempts. However, the reliance on some static or less dynamic methods may still leave openings for advanced persistent threats or social engineering.
Future implication: While supporting current security and compliance needs for many use cases, the proofing methods may not be dynamic enough to adapt to rapidly evolving fraud techniques or provide the high level of assurance required for emerging high-trust digital services.
Managed Stage
Description: A comprehensive and largely automated identity proofing system is implemented, utilizing a layered approach of dynamic verification methods (e.g., biometric authentication, robust document verification with liveness detection, federated identity attributes). Identity proofing is integrated into critical lifecycle events for human and machine identities.
Risk today: Identity fraud and account takeover risks are very low due to robust, multi-factor, and often real-time identity verification. Automated processes ensure consistent and efficient proofing, significantly enhancing the trustworthiness of identities within the system.
Future implication: A managed identity proofing system provides a strong foundation for secure digital transformation, enabling the organization to confidently offer high-value services and interact securely with partners and customers. It meets stringent regulatory requirements and sets the stage for secure AI adoption.
Optimized Stage
Description: Achieves continuous, risk-adaptive identity proofing driven by AI-powered analytics and behavioral biometrics. The system autonomously assesses the trustworthiness of an identity proof, re-verifying based on context, behavior, and threat intelligence, and provides the level of trust needed in the person behind the identity.
Risk today: Near-zero risk of identity fraud or account takeover due to dynamic, intelligent proofing that proactively detects and mitigates sophisticated impersonation attempts. The system continuously learns and adapts to new fraud patterns, ensuring the highest level of identity assurance.
Future implication: An optimized identity proofing system is a strategic enabler for high-trust digital experiences and the secure deployment of truly autonomous AI agents. It ensures unparalleled trust in digital interactions, driving competitive advantage and allowing the organization to operate with the highest level of security and confidence in a fully digital ecosystem.
3. Identity Lifecycle Management
Initial Stage
Description: Identity lifecycle processes (onboarding, provisioning, changes, offboarding) are entirely manual, ad-hoc, and inconsistent. There's no centralized system to manage identity accounts and access rights from creation to termination, leading to delays, errors, and security gaps.
Risk today: High risk of "access sprawl" where users retain unnecessary privileges, orphaned accounts after departure, and prolonged access for terminated employees. This creates a significant attack surface for insider threats and external exploitation, leading to data breaches and non-compliance.
Future implication: The absence of automated and governed identity lifecycle management will severely impede business agility. It will be impossible to scale operations securely, introduce new applications quickly, or ensure rapid compliance with auditing requirements, especially with a growing number of identities.
Developing Stage
Description: Some basic, often siloed, automated processes are introduced for identity provisioning and de-provisioning in a few key systems (e.g., HR system to Active Directory). However, full end-to-end automation is lacking, and many access changes and de-provisioning events still require manual intervention.
Risk today: While speeding up some processes, significant gaps remain. Access drift is common as changes are not consistently propagated across all systems. The potential for orphaned accounts and "toxic combinations" of access still exists, increasing the risk of insider threats and audit failures.
Future implication: This partial automation will create ongoing operational bottlenecks and security inconsistencies. It will hinder efforts to achieve true least privilege and make it challenging to adapt to rapid organizational changes (e.g., mergers/acquisitions, departmental shifts) securely.
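The Developing stage above names three concrete failure modes: orphaned accounts, access drift, and toxic combinations of access. The reconciliation below is an added example, not code from the guide or its authors, that detects all three by comparing an HR roster (the system of record) against a directory snapshot. The roster, directory groups, role baselines, separation-of-duties pairs, and review dates are all constructed sample data; a real deployment would pull them from the HR system, the directory, and the entitlement catalog.

```python
"""Reconcile an HR roster against a directory snapshot.

Added example, not the guide's own code: it detects orphaned accounts,
access drift beyond a role baseline, and toxic entitlement combinations.
The roster, directory, role baselines and separation-of-duties pairs
below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed HR roster: the system of record for who should exist.
HR_ROSTER = {
    "alice": {"role": "developer", "status": "active", "term_date": None},
    "bob":   {"role": "ap_clerk", "status": "active", "term_date": None},
    "carol": {"role": "developer", "status": "terminated", "term_date": date(2024, 3, 1)},
    # "dave" has no HR record at all (e.g. a contractor created straight in AD).
}

# Constructed directory snapshot: enabled flag and group memberships per account.
DIRECTORY = {
    "alice": {"enabled": True, "groups": {"git-developers", "vpn-users", "prod-db-admins"}},
    "bob":   {"enabled": True, "groups": {"ap-create-vendor", "ap-approve-payment"}},
    "carol": {"enabled": True, "groups": {"git-developers", "vpn-users"}},
    "dave":  {"enabled": True, "groups": {"vpn-users"}},
}

# Constructed role baselines: entitlements each HR role is allowed by policy.
ROLE_BASELINE = {
    "developer": {"git-developers", "vpn-users"},
    "ap_clerk": {"ap-create-vendor", "vpn-users"},
}

# Constructed separation-of-duties pairs no single identity may hold together.
TOXIC_PAIRS = [("ap-create-vendor", "ap-approve-payment")]


@dataclass
class Findings:
    orphaned: list = field(default_factory=list)   # accounts that should not be enabled
    drift: dict = field(default_factory=dict)      # user -> entitlements beyond baseline
    toxic: dict = field(default_factory=dict)      # user -> SoD pairs held together


def reconcile(hr, directory, baseline, toxic_pairs, today, grace_days=0):
    f = Findings()
    for user, acct in directory.items():
        record = hr.get(user)
        if record is None:
            # No HR record: nobody owns this account.
            f.orphaned.append(user)
            continue
        if record["status"] == "terminated":
            # Terminated in HR but still enabled once the grace period has passed.
            if acct["enabled"] and record["term_date"] + timedelta(days=grace_days) <= today:
                f.orphaned.append(user)
            continue
        # Drift: anything the account holds beyond what its HR role allows.
        extra = acct["groups"] - baseline.get(record["role"], set())
        if extra:
            f.drift[user] = sorted(extra)
        # Toxic combinations: both halves of a separation-of-duties pair on one identity.
        hits = [p for p in toxic_pairs if p[0] in acct["groups"] and p[1] in acct["groups"]]
        if hits:
            f.toxic[user] = hits
    return f


def sample_findings(today_iso="2024-06-01", grace_days=0):
    """Run the reconciliation over the constructed data for a given review date."""
    return reconcile(HR_ROSTER, DIRECTORY, ROLE_BASELINE, TOXIC_PAIRS,
                     date.fromisoformat(today_iso), grace_days)


if __name__ == "__main__":
    r = sample_findings()
    print("orphaned:", r.orphaned)
    print("drift:", r.drift)
    print("toxic:", r.toxic)
```

Run on the constructed data, the review flags carol (terminated three months ago, account still enabled) and dave (no HR record) as orphans, alice's `prod-db-admins` membership as drift beyond the developer baseline, and bob's ability to both create a vendor and approve a payment as a toxic combination. The `grace_days` parameter is what separates a Defined-stage periodic review from Managed-stage reconciliation: the shorter the window, the smaller the exposure after termination.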
Defined Stage
Description: Documented and semi-automated identity lifecycle processes are in place, managing human identities from onboarding through offboarding across major enterprise applications. Role-based access control (RBAC) might be used for provisioning, and access reviews are conducted periodically, though perhaps manually. 
Risk today: Risk is reduced through more consistent provisioning and de-provisioning, limiting the window for unauthorized access. However, manual elements in the process can still introduce errors or delays, and the scope might not cover all applications, leaving some residual exposure.
Future implication: While supporting current security and compliance needs, the system may struggle to keep pace with dynamic business environments. The lack of full automation and real-time reconciliation will make it difficult to scale securely to cloud-native applications and the rapid onboarding/offboarding of partners or AI agents.
Managed Stage
Description: A comprehensive and largely automated identity lifecycle management system is implemented, providing end-to-end provisioning, de-provisioning, and access modification for most human identities. This includes automated role management, and real-time reconciliation of access rights.
Risk today: The risk of unauthorized access, access sprawl, and orphaned accounts is significantly minimized due to highly efficient and consistent lifecycle processes. This greatly reduces the attack surface and improves compliance posture by ensuring identities and their access are always aligned with policy.
Future implication: A managed identity lifecycle system provides a robust and agile foundation for secure business operations. It enables rapid onboarding and offboarding, supports dynamic access adjustments, and seamlessly integrates with new applications and services, including securely managing the lifecycle of AI agents.
Optimized Stage
Description: Achieves continuous, autonomous identity lifecycle management driven by AI and machine learning. The system predicts access needs, automatically provisions/de-provisions, and conducts risk-based, continuous access reviews based on behavioral analytics and contextual data for all identity types, including AI agents.
Risk today: Near-zero risk of access-related vulnerabilities due to the highly intelligent and adaptive system that ensures least privilege is maintained in real-time. Access drift is prevented proactively, and the system autonomously responds to changes in identity status or risk.
Future implication: An optimized identity lifecycle management system is a strategic enabler for extreme business agility and a highly autonomous security posture. It allows for instant, secure access adjustments in hyper-dynamic environments, facilitates secure collaboration with a vast ecosystem of partners, and is essential for the secure and scalable deployment of AI agents and other cutting-edge technologies.
4. Robust Authentication
Initial Stage
Description: In the initial stage, organizations lack a consistent approach to applying robust authentication. This translates to common problems like relying mostly on local application authentication instead of a central identity provider, using single weak-factor authentication, and lacking adequate password and credential hygiene protocols. Visibility into authentication methods is poor, and processes are ad-hoc.
Risk today: High exposure to common attack patterns and breaches associated with weak authentication methods, such as credential stuffing, phishing, and brute-force attacks. Incident response is reactive and often slow.
Future implication: Weak authentication will present both regulatory concerns and significant security risks that will impede or prevent effective deployment of advanced technologies like agentic AI, as the foundational trust in user identity is absent. It will also severely limit business agility and productivity improvements tied to secure access.
Developing Stage
Description: Some basic processes are established for robust authentication, with some recognition of the need for stronger methods. This might include partial MFA adoption for some critical administrative accounts or key applications, but deployment remains inconsistent across the enterprise. There's limited visibility into the full scope of authentication practices.
Risk today: While basic improvements reduce some immediate vulnerabilities, significant gaps remain in comprehensive control. The organization is still susceptible to sophisticated identity-based attacks targeting areas where robust authentication is not uniformly applied.
Future implication: Inconsistent MFA coverage leaves attackers a path through the accounts and applications that still rely on a single factor. This piecemeal approach will struggle to meet evolving regulatory demands for strong authentication and will limit the organization's ability to securely scale digital services that require a high degree of identity assurance.
Defined Stage
Description: Consistent, strong MFA is deployed for critical identities. SSO is mostly enabled, reducing the risk from local application accounts. Account hygiene is improved, reducing abandoned and dormant accounts and poor password management. Posture is centrally established and consistently managed across the organization. As the organization matures, token session lifetimes and token security practices are consistently enforced, reducing the runtime risk of token compromise.
Risk today: The risk of account takeover is significantly reduced due to more robust authentication for critical accounts. However, non-critical user identities still present openings for advanced persistent threats or social engineering.
Future implication: While supporting current security and compliance needs for many use cases, the lack of robust authentication methods across users presents significant risk, limiting ability to evolve with advancing AI applications.
Managed Stage
Description: Consistent, strong MFA is deployed for all identities, SSO is enabled for all applicable identities, password policies are consistently enforced, and account hygiene is applied across identities. Centralized governance ensures compliance with the robust authentication posture, reducing risk and improving trust in the identity systems.
Risk today: Account takeover, impersonation and unauthorized access risks are very low due to strong, phishing-resistant multi-factor authentication and consistent enforcement of the required level of authentication strength.
Future implication: A robust identity authentication system provides a strong foundation for secure digital transformation, enabling the organization to securely utilize its digital assets. It meets stringent regulatory requirements and sets the stage for secure AI adoption.
Optimized Stage
Description: Achieves passwordless authentication, implements step-up authentication for sensitive resource access, and uses behavioral analytics and identity risk signals to require additional forms of proof. The system autonomously assesses the level of trustworthiness needed in an identity at the time of resource access, adapting authentication strength to context, behavior, and threat intelligence while providing a seamless and highly secure experience. Organizations require application and platform vendors to enforce strong token and protocol security and to adopt robust identity security practices across their software supply chain.
Risk today: Reduces risk of phishing attacks, identity fraud or account takeover and mitigates most forms of known credential and account compromise. The system continuously learns and adapts to new fraud patterns, ensuring the highest level of identity assurance.
Future implication: An optimized authentication system is a strategic enabler for hyper-personalized digital experiences and the secure deployment of truly autonomous AI agents. It ensures unparalleled trust in digital interactions, driving competitive advantage and allowing the organization to operate with the highest level of security and confidence in a fully digital ecosystem.
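Two controls in this section are concrete enough to show as a decision function: the Defined-stage enforcement of token and session lifetimes, and the Optimized-stage step-up to a stronger factor when context or risk demands it. The following is an added example, not the guide's own code or any vendor's policy engine. The factor-strength ordering, per-tier policy, session records, and risk scores are constructed; in a real deployment they come from the identity provider, device management, and a risk engine.

```python
"""Risk-adaptive authentication decision with bounded session lifetime.

Added example, not the guide's own code: enforces a per-tier session
lifetime and steps up to a phishing-resistant factor when the device is
unknown or risk is elevated. Factor strengths, tier policy, sessions and
risk scores are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed ordering of authenticator strength; FIDO2 is the phishing-resistant one.
FACTOR_STRENGTH = {"password": 1, "sms_otp": 2, "totp": 3, "fido2": 4}

# Constructed per-tier policy: minimum factor strength and maximum session age.
TIER_POLICY = {
    "standard": {"min_strength": 2, "max_age": timedelta(hours=12)},
    "sensitive": {"min_strength": 3, "max_age": timedelta(hours=1)},
    "admin": {"min_strength": 4, "max_age": timedelta(minutes=15)},
}

# Fixed evaluation time so the example is reproducible.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class Session:
    user: str
    factor: str            # strongest factor satisfied when the session was issued
    issued_at: datetime
    device_known: bool     # device is enrolled/managed per the directory
    risk_score: int        # 0-100 from the constructed risk engine


def weakest_factor_meeting(strength):
    """Name of the least-demanding factor that satisfies `strength`."""
    return min((f for f, s in FACTOR_STRENGTH.items() if s >= strength),
               key=FACTOR_STRENGTH.get)


def decide(session, tier, now=NOW):
    """Return 'allow', 'step_up:<factor>' or 'deny' for access to a resource tier."""
    policy = TIER_POLICY[tier]
    required = policy["min_strength"]
    # Very high risk: refuse outright; no factor presented now should unlock it.
    if session.risk_score >= 80:
        return "deny"
    # Unknown device or elevated risk raises the bar to phishing-resistant auth.
    if not session.device_known or session.risk_score >= 50:
        required = max(required, FACTOR_STRENGTH["fido2"])
    # Session older than the tier allows: fresh authentication at the required strength.
    if now - session.issued_at > policy["max_age"]:
        return f"step_up:{weakest_factor_meeting(required)}"
    # Session is fresh but was issued with too weak a factor for this tier/context.
    if FACTOR_STRENGTH[session.factor] < required:
        return f"step_up:{weakest_factor_meeting(required)}"
    return "allow"


def sample_decisions():
    """Decisions for a handful of constructed sessions against each tier."""
    fresh_totp = Session("alice", "totp", NOW - timedelta(minutes=10), True, 10)
    stale_totp = Session("alice", "totp", NOW - timedelta(hours=2), True, 10)
    new_device_fido = Session("bob", "fido2", NOW - timedelta(minutes=1), False, 10)
    new_device_pw = Session("bob", "password", NOW - timedelta(minutes=1), False, 10)
    high_risk = Session("carol", "fido2", NOW - timedelta(minutes=1), True, 85)
    return {
        "fresh_totp_standard": decide(fresh_totp, "standard"),
        "fresh_totp_admin": decide(fresh_totp, "admin"),
        "stale_totp_sensitive": decide(stale_totp, "sensitive"),
        "new_device_fido_standard": decide(new_device_fido, "standard"),
        "new_device_pw_standard": decide(new_device_pw, "standard"),
        "high_risk_standard": decide(high_risk, "standard"),
    }


if __name__ == "__main__":
    for case, outcome in sample_decisions().items():
        print(f"{case:28s} -> {outcome}")
```

The ordering of the checks is the point: a hard deny on high risk comes before any factor is considered, session age is checked before factor strength so that a stale session cannot be rescued by having once used a strong factor, and an unknown device raises the bar to FIDO2 even for a standard-tier resource. A TOTP session that is fine for standard access gets a step-up for admin access a few minutes later, which is what the step-up described in the Optimized stage looks like in practice.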
5. Identity Governance & Compliance
Initial Stage
Description: Identity governance is virtually non-existent, or highly manual and fragmented. There's no clear ownership for identity-related risks, policies are undefined or unenforced, and compliance efforts are reactive, relying on last-minute manual data collection for audits. Access reviews are rare or non-existent.
Risk today: High risk of non-compliance with industry regulations (e.g., SOX, HIPAA, GDPR), internal policies, and contractual obligations, leading to significant fines and reputational damage. Inability to prove who has access to what, increasing the likelihood of audit failures and data breaches.
Future implication: The lack of robust identity governance will become an insurmountable barrier to operating in regulated industries or expanding into new markets. It will prevent secure adoption of cloud services and AI, as compliance cannot be demonstrated, and trust with partners and customers will erode.
Developing Stage
Description: Some basic identity governance policies are being formulated, often in response to specific audit findings or critical incidents. Limited, manual access reviews might be performed for select sensitive systems. Compliance reporting is still largely manual and reactive, with significant effort required.
Risk today: While initial efforts address urgent compliance gaps, the lack of integrated governance means a high potential for policy drift and inconsistencies across the environment. This leads to continued audit findings, a reactive compliance posture, and a persistent risk of unauthorized access.
Future implication: This piecemeal approach will continue to consume significant manual effort and hinder proactive risk management. It will limit the organization's ability to adapt to new regulatory requirements quickly and efficiently, slowing down strategic initiatives that require strong governance.
Defined Stage
Description: Documented identity governance policies and processes are in place, covering key identity-related risks and compliance requirements. Periodic (though potentially still manual or semi-automated) access reviews are conducted across major applications. Compliance reporting is structured but may still involve significant manual data aggregation.
Risk today: Compliance risks are significantly reduced due to defined policies and regular access reviews, improving the ability to demonstrate adherence to regulations. However, the lack of full automation means that a certain degree of human error or oversight can still lead to policy violations or audit inefficiencies.
Future implication: While supporting current compliance needs, the system may struggle to scale to the complexity of multi-cloud environments or to provide the real-time granular audit trails required for increasingly stringent regulations. It will also limit the agility needed to incorporate governance for new identity types like AI agents.
Managed Stage
Description: A comprehensive and largely automated identity governance framework is implemented. This includes automated policy enforcement, continuous monitoring for compliance deviations, and systematic, often automated, access certifications. Real-time audit trails provide detailed visibility into access decisions and changes across the enterprise.
Risk today: Compliance risks are very low due to proactive governance and continuous monitoring. The organization can confidently demonstrate adherence to internal policies and external regulations, significantly reducing the likelihood of audit failures, fines, and reputational damage.
Future implication: A managed identity governance system provides a robust and agile foundation for compliance in dynamic environments. It enables the organization to adapt quickly to new regulatory landscapes, securely expand into new markets, and confidently leverage cloud services and emerging technologies by integrating governance from the outset.
Optimized Stage
Description: Achieves continuous, autonomous identity governance driven by AI-powered analytics and predictive compliance modeling. The system proactively identifies potential policy violations, recommends policy improvements, and autonomously adjusts access to maintain continuous compliance based on real-time risk assessment and evolving regulatory landscapes.
Risk today: Near-zero compliance risk due to the highly intelligent and adaptive governance system that ensures continuous adherence to policies and regulations. The system autonomously adapts to changes, preventing policy drift and enabling real-time audit readiness.
Future implication: An optimized identity governance system is a strategic enabler for global operations and highly secure digital ecosystems. It provides a competitive advantage by transforming compliance from a cost center into a driver of trust and efficiency, allowing for seamless integration of advanced technologies like AI with full regulatory confidence.
6. Authorization, Access Management & Entitlements
Initial Stage
Description: Authorization and access management are decentralized, inconsistent, and often application-specific. Access decisions are ad-hoc, based on broad groups or roles, and entitlements are rarely fine-grained or centrally managed. There's no unified approach to granting or revoking access across diverse systems.
Risk today: High risk of excessive privileges, "access sprawl," and unauthorized access due to lack of granular control and consistent policy enforcement. This creates a vast attack surface for lateral movement by attackers and increases the likelihood of data exfiltration and insider threats.
Future implication: The inability to manage granular entitlements centrally will prevent the drive towards least privileged access and secure collaboration with external entities. It will severely limit business agility by making it difficult to provision precise access quickly for new applications or AI agents, and will lead to compliance failures.
Developing Stage
Description: Some basic access management tools are in place, such as SSO for a subset of applications. Authorization decisions are still primarily application-specific or based on broad roles. Efforts to manage entitlements are siloed and mostly manual, lacking fine-grained control.
Risk today: While SSO improves user experience and basic security for some apps, the underlying authorization model remains coarse. This means that users often have more access than they strictly need, increasing the blast radius of a compromised account. Managing entitlement changes is cumbersome and prone to error.
Future implication: This fragmented approach will create ongoing security gaps and operational friction. It will hinder efforts to achieve true least privilege and make it challenging to implement risk-based access decisions. Scaling secure access to a diverse application portfolio, including cloud and AI, will be slow and complex.
Defined Stage
Description: Documented processes and some centralized components for authorization and access management are in place, often leveraging a central Identity Provider (IdP) for SSO and basic access control. Role-Based Access Control (RBAC) is applied consistently across major applications. Entitlement management is structured for critical systems, but may lack fine-grained or attribute-based capabilities.
Risk today: Access-related risks are reduced through more consistent, centralized group and role management, improving user experience and limiting broad unauthorized access. However, the lack of fine-grained or dynamic authorization can still lead to over-privileging, and managing entitlements across all applications can be cumbersome.
Future implication: While supporting current security needs, the system may struggle to adapt to the complexity of hybrid cloud environments or the need for highly dynamic, context-aware access decisions. It will limit the ability to implement advanced Zero Trust policies and securely manage access for highly granular AI agent permissions.
Managed Stage
Description: A comprehensive and largely automated system for authorization, access management, and entitlement governance is implemented. This includes a central policy engine for consistent enforcement of access rules, fine-grained entitlement management, and automated access provisioning/de-provisioning across identities.
Risk today: The risk of excessive privileges and unauthorized access is significantly minimized due to highly granular and consistently enforced access policies. This strengthens the security posture against insider threats and lateral movement, and greatly improves compliance capabilities.
Future implication: A managed access management system provides a robust and agile foundation for secure digital operations. It enables the organization to confidently implement least privilege, support dynamic work environments, and securely extend access to external partners and emerging technologies like AI agents with granular control.
Optimized Stage
Description: Achieves continuous, intelligent authorization and access management driven by AI-powered real-time risk assessment and behavioral analytics. Authorization decisions are context-aware, dynamic, and adaptive, automatically adjusting permissions based on identity, resource, environment, and threat intelligence, enabling just-in-time, just-enough access.
Risk today: Near-zero risk of unauthorized access or over-privileging due to the highly intelligent and adaptive system that ensures least privilege is maintained in real-time, even for highly dynamic interactions. The system proactively detects and prevents deviations from policy and anomalous access attempts.
Future implication: An optimized authorization and access management system is a strategic enabler for extreme business agility and fully autonomous security. It allows for seamless and secure access to any resource, by any identity (including AI agents), from anywhere, fostering innovation and competitive advantage while ensuring the highest level of data protection.
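The progression in this section, from coarse roles (Defined stage) to a central policy engine with fine-grained entitlements (Managed stage) to just-in-time, just-enough access (Optimized stage), can be made concrete by measuring the blast radius of one compromised account under each model. The example below is added here and is not the guide's code or any product's policy language. The repositories, subject attributes, JIT grants, and policy rules are constructed; only the comparison they illustrate is the point.

```python
"""Coarse role-based access beside a fine-grained, time-bounded policy.

Added example, not the guide's own code: a broad role makes one compromised
account an admin on every repository, while an attribute-based policy with
just-in-time grants bounds what the same account can reach at a given moment.
Repositories, subject attributes, grants and rules are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed resources: owning team and sensitivity tag per repository.
REPOS = {
    "web-frontend": {"team": "web", "sensitivity": "internal"},
    "web-api": {"team": "web", "sensitivity": "internal"},
    "payments": {"team": "fin", "sensitivity": "restricted"},
    "infra-iac": {"team": "ops", "sensitivity": "restricted"},
}
ACTIONS = ("read", "write", "admin")

# Constructed subject attributes as an identity catalog would hold them.
ALICE = {"id": "alice", "role": "developer", "team": "web", "device_compliant": True}

# Fixed evaluation times so the example is reproducible.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=2)

# Coarse RBAC: one role maps to one permission set on every resource.
COARSE_ROLE_PERMS = {"developer": {"read", "write", "admin"}}

# Constructed JIT grants: (subject, action, repo, expiry). Admin is never standing.
GRANTS = [
    ("alice", "admin", "web-api", NOW + timedelta(hours=1)),
    ("alice", "admin", "payments", NOW - timedelta(minutes=5)),  # already expired
]


def coarse_decide(subject, action, repo_name):
    return action in COARSE_ROLE_PERMS.get(subject["role"], set())


def fine_decide(subject, action, repo_name, now=NOW, grants=GRANTS):
    repo = REPOS[repo_name]
    # Rule 1: an unexpired JIT grant for exactly this action on exactly this repo.
    for sid, act, rname, expiry in grants:
        if (sid, act, rname) == (subject["id"], action, repo_name) and expiry > now:
            return True
    # Rule 2: elevated actions are only ever granted just-in-time.
    if action == "admin":
        return False
    # Rule 3: restricted repositories require a compliant device, even to read.
    if repo["sensitivity"] == "restricted" and not subject["device_compliant"]:
        return False
    # Rule 4: read is org-wide on internal repos and team-only on restricted ones;
    # write is always team-only.
    if action == "read":
        return repo["sensitivity"] == "internal" or repo["team"] == subject["team"]
    if action == "write":
        return repo["team"] == subject["team"]
    return False


def blast_radius(decide):
    """(repo, action) pairs a compromised session could exercise under `decide`."""
    return sorted((r, a) for r in REPOS for a in ACTIONS if decide(a, r))


def compare(subject=ALICE, now=NOW, grants=GRANTS):
    coarse = blast_radius(lambda a, r: coarse_decide(subject, a, r))
    fine = blast_radius(lambda a, r: fine_decide(subject, a, r, now, grants))
    return coarse, fine


if __name__ == "__main__":
    coarse, fine = compare()
    print(f"coarse role: {len(coarse)} reachable (repo, action) pairs")
    print(f"fine-grained + JIT: {len(fine)} pairs -> {fine}")
```

Under the coarse role, a stolen session for alice can read, write, and administer all four repositories (12 reachable pairs). Under the fine-grained policy it reaches five: read and write on her own team's two internal repositories, plus admin on `web-api` only while the one-hour JIT grant is live. Two hours later that grant has lapsed and the elevated right disappears without anyone revoking it, which is the "minimizing standing privileges" property the Managed and Optimized stages describe. The device-compliance rule is the hook where the Zero Trust posture signals from section 8 would plug in.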
7. Privileged Access Management (PAM)
Initial Stage
Description: Privileged access is managed ad-hoc or through manual processes, with no centralized control over administrative accounts. Shared credentials are common, strong password practices are not consistently enforced, and there's little to no session monitoring or auditing of privileged activities.
Risk today: Extremely high risk of privileged account compromise, which is a primary vector for major data breaches and ransomware attacks. Lack of visibility into privileged sessions makes detection of malicious activity difficult, leading to prolonged compromise and severe impact.
Future implication: The absence of a robust PAM solution will be a constant, critical vulnerability, preventing secure cloud adoption and hampering compliance with almost any security framework. It will make secure integration of automation and AI agents impossible, as their underlying privileges cannot be managed or audited.
Developing Stage
Description: Initial efforts are made to identify and secure some highly critical privileged accounts, often through manual segregation or basic password vaulting. Some multi-factor authentication (MFA) might be applied to a few admin accounts. However, many privileged accounts remain unmanaged, and session monitoring is limited or non-existent.
Risk today: While addressing the most egregious risks, significant gaps remain. The lack of comprehensive coverage and real-time session management means that attackers can still exploit unmanaged privileged accounts or operate undetected once a privileged session is established.
Future implication: This piecemeal approach will create ongoing security blind spots and compliance challenges. It will hinder efforts to implement Zero Trust and micro-segmentation, as the fundamental control over highly privileged access is not consistently applied across the enterprise.
Defined Stage
Description: Documented processes and a PAM solution are implemented for managing and securing critical privileged accounts (e.g., domain admins, root accounts). This includes password vaulting, session recording for some sensitive systems, and periodic (though possibly manual) privileged access reviews. Just-in-Time (JIT) access might be considered but not widely adopted.
Risk today: The risk of privileged account compromise is significantly reduced for key systems, improving the overall security posture. Session monitoring provides some auditability. However, the scope may not cover all privileged accounts (especially non-human), and the processes may not be fully automated or adapt to dynamic environments.
Future implication: While supporting current security needs, the system may struggle to scale to the complexity of multi-cloud environments, DevOps pipelines, or to securely manage the growing number of non-human privileged identities. It will limit the ability to achieve fine-grained, context-aware privileged access.
Managed Stage
Description: A comprehensive and largely automated PAM solution is implemented, providing centralized management, secure credential vaulting, and session management for most human and non-human privileged identities. Just-in-Time (JIT) access and Just-Enough-Access (JEA) principles are widely applied, minimizing standing privileges.
Risk today: The risk of privileged account compromise is very low due to proactive and automated management, monitoring, and auditing of all privileged activities. This significantly reduces the attack surface for advanced persistent threats and insider risks, and greatly enhances compliance.
Future implication: A managed PAM system provides a robust foundation for secure cloud adoption, DevOps automation, and advanced security architectures like Zero Trust. It enables the secure integration of highly automated processes and machine identities, preparing the organization for AI agent deployment with strong privilege controls.
Optimized Stage
Description: Achieves continuous, intelligent PAM driven by AI and machine learning. The system autonomously identifies, manages, and secures all privileged identities (human, machine, AI agents) and their access, using real-time behavioral analytics and risk assessment to dynamically grant/revoke privileges with JIT/JEA.
Risk today: Near-zero risk of privileged account compromise due to the highly intelligent and adaptive system that ensures least privilege is maintained in real-time, even for highly dynamic interactions. The system proactively detects and neutralizes privileged threats, often before they can cause harm.
Future implication: An optimized PAM system is a strategic enabler for complete digital transformation and highly autonomous security operations. It provides the highest level of control and trust for all critical access, allowing for the secure and scalable deployment of AI agents and other cutting-edge technologies with minimal human intervention.
8. Zero Trust Implementation
Initial Stage
Description: Zero Trust principles are not understood or are only conceptual. Access decisions are implicitly trusted based on network location (e.g., inside the perimeter). There's no granular verification of users, devices, or workloads before granting access, assuming internal networks are secure.
Risk today: High risk of lateral movement by attackers once the perimeter is breached, as internal systems offer little resistance. Insider threats can easily exploit implicit trust. Data exfiltration and unauthorized access are highly probable without continuous verification.
Future implication: The lack of Zero Trust will severely hinder secure cloud migration, remote work capabilities, and adoption of modern microservices architectures. It will prevent the organization from effectively protecting sensitive data in a borderless enterprise and will be a major compliance barrier.
Developing Stage
Description: Initial discussions or pilot projects for Zero Trust are underway, typically focusing on a single domain like remote access (e.g., MFA for VPN). Some basic policies might be defined for user and device verification, but these are not consistently applied across all access pathways or applications.
Risk today: While some access points are hardened, the majority of the environment still operates on implicit trust. Attackers can pivot from less secure areas, and the lack of continuous verification means compromised identities or devices can still gain unauthorized access within the "trusted" network.
Future implication: This siloed approach will create security inconsistencies and make it challenging to scale Zero Trust across diverse IT environments. It will limit the organization's ability to protect critical assets effectively in a hybrid cloud model and will slow down adoption of modern application architectures.
Defined Stage
Description: Documented Zero Trust policies are in place, with foundational elements implemented across key access pathways (e.g., all remote access, sensitive applications). This includes strong identity verification, device posture checks, and network micro-segmentation for critical assets. Policies are somewhat static and require manual updates.
Risk today: Security posture is significantly improved by reducing implicit trust. Lateral movement is harder for attackers, and the blast radius of a breach is contained. However, the static nature of some policies and incomplete coverage may still leave gaps for dynamic threats or complex attack scenarios.
Future implication: While meeting current security needs, the defined Zero Trust model may struggle to adapt to rapid changes in the threat landscape or the proliferation of diverse identities and resources (e.g., IoT, AI agents). It will limit the agility needed for dynamic policy adjustments and real-time risk-based access.
Managed Stage
Description: A comprehensive and largely automated Zero Trust architecture is implemented across most of the enterprise, covering users, devices, applications, and data. Access decisions are dynamic and continuous, based on identity, device posture, location, and resource attributes. Policy enforcement is consistent across hybrid environments.
Risk today: Risk of unauthorized access and lateral movement is very low. The organization operates on the principle of "never trust, always verify," significantly enhancing its resilience against both external and internal threats. Real-time monitoring and enforcement minimize the impact of potential compromises.
Future implication: A managed Zero Trust implementation provides a robust and agile security foundation for secure digital transformation. It enables the organization to confidently leverage multi-cloud environments, support hybrid workforces, and securely integrate new technologies like AI agents, knowing that access is always verified and least privileged.
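The Managed stage above describes access decisions that are evaluated on every request from identity, device posture, context and resource attributes. The following is an added illustration of such a per-request decision, not code from this guide or from any vendor product; the attribute names, risk weights and per-sensitivity limits are assumptions chosen for the example.

```python
"""Per-request access decision combining identity, device posture, context and
resource attributes, in the style described for the Managed Zero Trust stage.

Added example, not from the guide or any vendor product: attribute names, risk
weights and the per-sensitivity limits below are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    user: str
    mfa: str                  # "none", "otp" or "phishing_resistant"
    groups: frozenset


@dataclass(frozen=True)
class Device:
    managed: bool             # enrolled in device management
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class Context:
    known_network: bool       # request comes from a network the org has seen before
    recent_itdr_alert: bool   # identity threat detection flagged this user recently


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str          # "low", "medium" or "high"
    allowed_groups: frozenset


# Assumed risk weights. MFA is kept separate because stepping up MFA is the one
# weak signal the user can fix in the middle of a request.
MFA_WEIGHT = {"none": 40, "otp": 10, "phishing_resistant": 0}
RISK_LIMIT = {"low": 60, "medium": 40, "high": 20}


def risk_score(identity, device, ctx) -> int:
    """Sum of weights for every weak signal; higher means less trust."""
    score = MFA_WEIGHT[identity.mfa]
    score += 30 if not device.managed else 0
    score += 15 if not device.disk_encrypted else 0
    score += 10 if not device.os_patched else 0
    score += 10 if not ctx.known_network else 0
    return score


def decide(identity, device, ctx, resource) -> str:
    """Return 'allow', 'step_up' or 'deny'. Run on every request; never cache the result."""
    # Entitlement first: trust never grants access that was never assigned.
    if not (identity.groups & resource.allowed_groups):
        return "deny"
    # An active compromise signal overrides every other attribute.
    if ctx.recent_itdr_alert:
        return "deny"
    score = risk_score(identity, device, ctx)
    limit = RISK_LIMIT[resource.sensitivity]
    if score <= limit:
        return "allow"
    # High-sensitivity resources never accept an unmanaged device.
    if resource.sensitivity == "high" and not device.managed:
        return "deny"
    # Offer step-up only when stronger MFA would actually bring the score under the limit.
    if score - MFA_WEIGHT[identity.mfa] <= limit:
        return "step_up"
    return "deny"


# Constructed sample request (not real data)
ENGINEER = Identity("alice", "otp", frozenset({"eng"}))
CORP_LAPTOP = Device(managed=True, disk_encrypted=True, os_patched=True)
OFFICE = Context(known_network=True, recent_itdr_alert=False)
SOURCE_REPO = Resource("source-code", "high", frozenset({"eng"}))


def demo():
    """Evaluate a few constructed scenarios against the same high-sensitivity resource."""
    return {
        "corp_laptop_office": decide(ENGINEER, CORP_LAPTOP, OFFICE, SOURCE_REPO),
        "no_mfa_corp_laptop": decide(Identity("alice", "none", frozenset({"eng"})),
                                     CORP_LAPTOP, OFFICE, SOURCE_REPO),
        "unmanaged_device": decide(ENGINEER, Device(False, False, False),
                                   Context(False, False), SOURCE_REPO),
        "itdr_alert": decide(ENGINEER, CORP_LAPTOP, Context(True, True), SOURCE_REPO),
        "wrong_group": decide(Identity("dave", "phishing_resistant", frozenset({"sales"})),
                              CORP_LAPTOP, OFFICE, SOURCE_REPO),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The ordering inside decide() is the point: entitlement and an active threat signal are checked before any scoring, so a high-trust device can never compensate for a missing assignment or a live compromise indicator, and step-up is only offered when it can actually change the outcome.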
Optimized Stage
Description: Achieves continuous, adaptive Zero Trust driven by AI and machine learning. Access decisions are entirely autonomous and real-time, leveraging deep behavioral analytics and predictive threat intelligence. The system dynamically micro-segments and adjusts access policies based on the slightest change in context or risk.
Risk today: Near-zero risk of unauthorized access or lateral movement due to the highly intelligent and adaptive Zero Trust system that proactively anticipates and neutralizes threats. Access is granted only at the precise moment it's needed and revoked instantly when conditions change, even for highly dynamic workloads.
Future implication: An optimized Zero Trust implementation is a strategic enabler for extreme business agility and a fully autonomous, self-healing security posture. It allows for seamless and highly secure integration of any new technology, supports dynamic and unpredictable business models, and positions the organization at the forefront of cybersecurity innovation.
9. Identity Threat Detection & Analytics
Initial Stage
Description: Identity threat detection relies on fragmented, isolated security logs or manual review. There's no centralized collection or analysis of identity-related events across the enterprise. Anomalous behaviors or indicators of compromise are often missed or identified too late.
Risk today: High risk of undetected identity compromise, insider threats, and lateral movement by attackers. Lack of visibility into identity activity means that breaches can persist for extended periods, leading to significant data loss, financial impact, and reputational damage.
Future implication: The absence of comprehensive identity threat detection will make it impossible to respond effectively to modern, identity-centric attacks. It will prevent the organization from understanding its true risk posture and will undermine any investment in other security controls by failing to detect when they are bypassed.
Developing Stage
Description: Some basic log collection and analysis are initiated for critical identity systems (e.g., Active Directory, IdP logs). Simple alerts might be configured for known attack patterns. However, correlation across different identity sources is limited, and many advanced threats using identity remain undetected.
Risk today: While some obvious threats might be caught, the fragmented view means that sophisticated attacks, particularly those involving lateral movement or credential abuse across multiple systems, are likely to be missed. Alert fatigue can also lead to legitimate threats being overlooked.
Future implication: This siloed approach will create ongoing blind spots and make it challenging to respond effectively to multi-stage identity attacks. It will limit the organization's ability to automate threat response and learn from past incidents, keeping it in a reactive posture.
Defined Stage
Description: Structured collection and analysis of identity-related logs from major sources are implemented, often integrated into a SIEM. Defined use cases and rules are in place to detect known identity-based threats (e.g., brute force, impossible travel). Basic correlation across some identity systems provides better, though not complete, contextual awareness.
Risk today: Identity-based threats are more effectively detected than in earlier stages, reducing the time to detect compromise. However, the reliance on signature-based or rule-based detection means that novel attacks or subtle anomalous behaviors may still go unnoticed.
Future implication: While supporting current detection needs, the system may struggle to keep pace with the rapidly evolving threat landscape. It will limit the ability to move from reactive detection to proactive threat hunting and to effectively detect complex, low-and-slow identity attacks, especially involving non-human identities or AI agents.
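The Defined stage above names brute force and impossible travel as typical rule-based detections. The block below is an added example of those two rules run over constructed authentication events; it is not code from this guide or from any SIEM product. The event fields, thresholds (five failures in five minutes, 900 km/h) and the sample data are assumptions for illustration.

```python
"""Rule-based identity threat detection over constructed sample login events.

Added example, not from the guide: the brute-force and impossible-travel use
cases named in the Defined stage, written as two rules over a list of
authentication events. Field names, thresholds and sample data are assumed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime        # event time (UTC)
    user: str
    src_ip: str
    success: bool
    lat: float          # geolocation of src_ip (assumed to come from an IP-geo lookup)
    lon: float


# Rule thresholds (assumed values; tune per environment)
BRUTE_FORCE_FAILURES = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=5)
IMPOSSIBLE_TRAVEL_KMH = 900.0      # faster than a commercial flight
MIN_DISTANCE_KM = 1.0              # ignore geolocation jitter inside one city


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres between two WGS84 points."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def detect_brute_force(events):
    """Flag a (user, source IP) pair with >= N failures inside the window followed by
    a success. Returns ("brute_force", user, src_ip, ts_of_success) tuples."""
    alerts = []
    recent = defaultdict(deque)    # (user, ip) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[(ev.user, ev.src_ip)]
        while q and ev.ts - q[0] > BRUTE_FORCE_WINDOW:
            q.popleft()            # drop failures that fell out of the window
        if not ev.success:
            q.append(ev.ts)
        elif len(q) >= BRUTE_FORCE_FAILURES:
            alerts.append(("brute_force", ev.user, ev.src_ip, ev.ts))
            q.clear()
    return alerts


def detect_impossible_travel(events):
    """Flag consecutive successful logins for one user whose implied speed exceeds
    the limit. Returns ("impossible_travel", user, prev_ip, new_ip, ts) tuples."""
    alerts = []
    last = {}                      # user -> previous successful event
    for ev in sorted(events, key=lambda e: e.ts):
        if not ev.success:
            continue
        prev = last.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.ts - prev.ts).total_seconds() / 3600.0
            # Zero elapsed time with a real distance is also impossible travel.
            if km > MIN_DISTANCE_KM and (hours <= 0 or km / hours > IMPOSSIBLE_TRAVEL_KMH):
                alerts.append(("impossible_travel", ev.user, prev.src_ip, ev.src_ip, ev.ts))
        last[ev.user] = ev
    return alerts


# Constructed sample events (not real log data; documentation IP ranges)
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    # alice: six failures in two minutes, then a success, all from one IP
    *[AuthEvent(T0 + timedelta(seconds=20 * i), "alice", "203.0.113.5", False, 51.5, -0.1)
      for i in range(6)],
    AuthEvent(T0 + timedelta(seconds=130), "alice", "203.0.113.5", True, 51.5, -0.1),
    # bob: success from London, then 30 minutes later from New York
    AuthEvent(T0, "bob", "198.51.100.7", True, 51.5, -0.1),
    AuthEvent(T0 + timedelta(minutes=30), "bob", "192.0.2.9", True, 40.7, -74.0),
    # carol: a single ordinary login
    AuthEvent(T0, "carol", "198.51.100.8", True, 48.9, 2.4),
]


def run_rules(events=SAMPLE_EVENTS):
    """Run both rules and return the combined alert list."""
    return detect_brute_force(events) + detect_impossible_travel(events)


if __name__ == "__main__":
    for alert in run_rules():
        print(alert)
```

Both rules are signature-style, which is exactly the limitation the Risk today line above calls out: a low-and-slow attacker who spaces failures more than five minutes apart, or who logs in from a plausible location, passes both checks, which is why later stages add behavioural baselining on top.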
Managed Stage
Description: A comprehensive Identity Threat Detection and Response (ITDR) solution is implemented, providing unified collection and advanced analytics (e.g., UEBA, machine learning) on identity-related data across the entire digital estate. Real-time detection of anomalous behavior, insider threats, and identity-based attack campaigns is standard.
Risk today: The risk of undetected identity compromise is very low due to proactive and intelligent threat detection. The organization can identify and respond to complex identity-centric attacks rapidly, minimizing their impact and preventing lateral movement. This significantly strengthens the overall security posture.
Future implication: A managed ITDR system provides a robust foundation for advanced security operations and enables proactive threat hunting. It allows the organization to leverage threat intelligence effectively and sets the stage for integrating automated response actions, enhancing resilience against evolving identity threats.
Optimized Stage
Description: Achieves continuous, autonomous identity threat detection and analytics driven by advanced AI and predictive modeling. The system proactively identifies and neutralizes identity-based threats in real-time, leveraging contextual awareness, behavioral baselining, and automated threat hunting across all identities, including AI agents.
Risk today: Near-zero risk of undetected identity compromise or abuse due to dynamic, intelligent threat detection that anticipates and neutralizes even highly sophisticated attacks. The system continuously learns from new threat patterns, providing unparalleled visibility and control over the identity attack surface.
Future implication: An optimized ITDR system is a strategic enabler for autonomous security operations and a highly resilient digital enterprise. It ensures the highest level of protection against identity-based attacks, allowing the organization to operate with extreme confidence in highly dynamic and complex environments, including the secure deployment of AI.
10. Identity Incident Response
Initial Stage
Description: Identity-related incident response is ad-hoc, informal, and lacks documented procedures or dedicated teams. There's no clear process for identifying, containing, eradicating, or recovering from identity compromises. Communication is chaotic, and post-incident analysis is rarely performed.
Risk today: High risk of prolonged and widespread impact from identity compromises, leading to extensive data breaches, system downtime, and significant financial and reputational damage. The inability to respond effectively means attackers often retain access or can easily re-enter the environment.
Future implication: The absence of a structured identity incident response capability will make the organization a prime target for sophisticated attackers, as it signals a lack of resilience. It will prevent compliance with critical breach notification laws and severely undermine trust with customers and partners.
Developing Stage
Description: Basic incident response procedures are being developed for some common identity-related incidents (e.g., password reset for compromised accounts). Limited roles and responsibilities might be assigned, but full coordination across security, IT, and business units is lacking. Response is still largely manual and reactive.
Risk today: While some urgent incidents can be addressed, the lack of comprehensive procedures and automation means that complex identity compromises are handled slowly and inconsistently. The window for containment is often long, increasing the potential for data loss and business disruption.
Future implication: This piecemeal approach will create ongoing operational challenges and hinder efforts to reduce the "dwell time" of attackers. It will limit the organization's ability to learn from incidents and improve its overall security posture, leaving it vulnerable to recurring attacks.
Defined Stage
Description: Documented identity incident response plans and playbooks are in place for common identity-related incidents. Dedicated response teams (or clear roles within broader IR) exist, and some automation is used for containment or forensic collection. Post-incident analysis is performed regularly for key incidents.
Risk today: The organization can respond more effectively to identity compromises, reducing the impact and recovery time. Known identity-based attacks can be contained and remediated with greater consistency. However, responses to novel or highly sophisticated attacks might still be challenging due to limited automation and real-time intelligence.
Future implication: While supporting current incident response needs, the reliance on some manual processes and less integrated tools may struggle to keep pace with the volume and sophistication of attacks in dynamic environments. It will limit the ability to move towards proactive incident prevention and autonomous response.
Managed Stage
Description: A comprehensive and largely automated identity incident response program is implemented. This includes integrated ITDR (Identity Threat Detection & Response) capabilities, automated playbooks for common scenarios, forensic readiness, and well-defined communication plans. Regular drills and lessons learned improve response efficacy.
Risk today: The risk of prolonged identity compromises is very low due to rapid detection, containment, and eradication capabilities. The organization can effectively manage complex identity-based security incidents, minimizing business disruption and reputational damage.
Future implication: A managed identity incident response program provides a robust and agile capability to withstand and recover from sophisticated attacks. It enhances overall organizational resilience, improves regulatory compliance, and allows for confident adoption of advanced technologies by ensuring a strong response posture.
Optimized Stage
Description: Achieves continuous, autonomous identity incident response driven by AI and machine learning. The system proactively detects, analyzes, contains, and even remediates identity-based threats in real-time, leveraging predictive analytics and automated orchestration without human intervention. Post-incident learning is continuous and adaptive.
Risk today: Near-zero impact from identity compromises due to the highly intelligent and adaptive system that identifies and neutralizes threats almost instantaneously. The organization operates with unparalleled resilience, preventing breaches from escalating and often self-healing compromised identity elements.
Future implication: An optimized identity incident response program is a strategic enabler for extreme business continuity and a fully autonomous, self-healing security posture. It allows the organization to operate in highly dynamic and complex threat landscapes with maximum confidence, ensuring the integrity of identities as a core business asset.
11. Non-Human Identities (NHI)
Initial Stage
Description: Organizations lack a comprehensive or accurate inventory of NHI assets across the enterprise. NHI ownership, attributes, and their corresponding access rights are often unknown, unclassified, and decentralized. There's poor visibility into who has access to what, where, and why.
Risk today: NHIs often present high-value targets because they can act on behalf of a large number of users. As application identities they frequently go undetected, effectively becoming shadow IT. Inaccurate identity data leads to insecure access provisioning, prolonged access for departed users, and a broad attack surface for identity-based exploits. Compliance audits are extremely challenging or impossible.
Future implication: The absence of a unified and accurate identity inventory will prevent any meaningful security improvements. It will be a significant impediment to implementing advanced security frameworks like Zero Trust and will make secure adoption of new technologies (e.g., AI agents) impossible due to unmanageable identity sprawl.
Developing Stage
Description: Basic efforts are underway to inventory critical NHI assets, often in silos (e.g., Active Directory, HR system). Some manual processes are used to register and manage new identities and their basic attributes. However, there's still no complete, centralized view.
Risk today: While some critical areas might have better visibility, the overall lack of a comprehensive NHI inventory means significant blind spots persist. This leads to inconsistent policy enforcement, difficulty in identifying dormant NHIs (for example, applications created for testing and then left dormant, which have led to significant breaches), and continued exposure to risks.
Future implication: This fragmented approach will create ongoing operational overhead and security gaps. Scaling secure access for a growing digital footprint, including AI integration, will be slow and error-prone.
Defined Stage
Description: Documented processes are in place for NHI asset management, with a degree of automation for collecting and centralizing identity information from key sources. A foundational NHI catalog or repository might exist, providing better, though not complete, visibility into the NHI landscape. Credential hygiene and rotation are monitored and mostly automated.
Risk today: Improved visibility reduces some common risks, but the lack of true completeness and real-time updates means that NHI data becomes stale, leading to potential access drift and delayed detection of unauthorized access.
Future implication: While supporting current needs, the absence of a truly unified and dynamic NHI inventory will limit the organization's ability to adapt to rapid changes in the IT landscape, such as cloud expansion or increased use of APIs. It will also slow down comprehensive identity governance initiatives.
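The Developing stage above calls out dormant NHIs as a blind spot and the Defined stage describes monitoring of credential hygiene and rotation. The following is an added example of the checks an NHI catalog can run to surface those conditions; it is not code from this guide or from any product. The inventory records, field names and thresholds (90 days dormant, 180 days rotation) are constructed for illustration.

```python
"""NHI inventory hygiene checks over a constructed catalog.

Added example, not from the guide: each non-human identity (service account,
API token, deploy key) is checked for missing ownership, dormancy and overdue
credential rotation, and privileged dormant identities are singled out.
Field names and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class NHI:
    name: str
    kind: str                        # "service_account", "api_token" or "deploy_key"
    owner: Optional[str]             # None means no accountable human owner
    created: datetime
    last_used: Optional[datetime]    # None means never seen authenticating
    credential_rotated: datetime
    privileges: frozenset


# Assumed policy thresholds
DORMANT_AFTER = timedelta(days=90)
ROTATE_EVERY = timedelta(days=180)
NOW = datetime(2024, 6, 1)           # fixed clock so the example is deterministic


def findings_for(nhi: NHI, now: datetime = NOW):
    """Return the list of policy findings for one identity (empty when healthy)."""
    f = []
    if nhi.owner is None:
        f.append("no_owner")
    if nhi.last_used is None:
        # A credential that was issued long ago and never used is a leftover, not a new one.
        if now - nhi.created > DORMANT_AFTER:
            f.append("never_used")
    elif now - nhi.last_used > DORMANT_AFTER:
        f.append("dormant")
    if now - nhi.credential_rotated > ROTATE_EVERY:
        f.append("rotation_overdue")
    # Dormant plus privileged is the combination that turns a forgotten test
    # identity into a high-impact foothold, so it gets its own finding.
    if "admin" in nhi.privileges and ("dormant" in f or "never_used" in f):
        f.append("dormant_privileged")
    return f


def audit(inventory, now: datetime = NOW):
    """Map each identity with at least one finding to its findings."""
    result = {}
    for nhi in inventory:
        findings = findings_for(nhi, now)
        if findings:
            result[nhi.name] = findings
    return result


def ranked(inventory, now: datetime = NOW):
    """Names ordered for remediation: privileged dormant first, then by finding count."""
    report = audit(inventory, now)
    return sorted(report, key=lambda n: ("dormant_privileged" not in report[n], -len(report[n]), n))


# Constructed sample inventory (not real data)
SAMPLE_INVENTORY = [
    NHI("ci-deploy", "deploy_key", "platform", datetime(2023, 1, 1),
        datetime(2024, 5, 30), datetime(2024, 3, 1), frozenset({"repo:write"})),
    NHI("test-app-sp", "service_account", None, datetime(2023, 2, 1),
        datetime(2023, 11, 1), datetime(2023, 2, 1), frozenset({"admin"})),
    NHI("legacy-token", "api_token", "bob", datetime(2022, 6, 1),
        None, datetime(2022, 6, 1), frozenset({"repo:read"})),
    NHI("metrics-reader", "service_account", "sre", datetime(2024, 5, 1),
        None, datetime(2024, 5, 1), frozenset({"metrics:read"})),
]


if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    for name in ranked(SAMPLE_INVENTORY):
        print(name, report[name])
```

A recently created identity that has not authenticated yet is deliberately not flagged; the never_used finding only fires once the identity is older than the dormancy window, which keeps new onboarding from flooding the report.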
Managed Stage
Description: A comprehensive and largely automated system for NHI asset management is implemented, providing near real-time visibility into a significant portion of non-human identities. A unified identity catalog serves as a central source of truth, tracking identity attributes, lifecycle status, and key entitlements across most critical systems. Credential hygiene and identity hygiene are fully automated. NHI security posture programs are automated and comply with policy.
Risk today: NHI-related risks are significantly reduced due to high visibility and accurate, up-to-date identity information. Automated processes minimize the window for unauthorized access and facilitate quicker identification of policy violations. This strengthens the overall security posture against NHI-centric attacks.
Future implication: A managed identity asset management system provides a robust foundation for implementing advanced security frameworks like Zero Trust, and enables more confident and secure adoption of emerging technologies. This enhances compliance capabilities and supports agile business operations by ensuring accurate and timely access provisioning.
Optimized Stage
Description: Achieves continuous and intelligent NHI asset management, driven by predictive analytics and AI-powered discovery. The system autonomously identifies, classifies, and tracks all NHI assets and their relationships in real-time, anticipating changes and risks. Combined NHI and user identity threats are detected in near real time.
Risk today: Risk is reduced by a well-defined posture, continuous monitoring, and governed NHI rollout. Automated detection of multi-identity risks involving NHIs, paired with automated response and remediation, reduces the impact of breach attempts. The attack surface related to unknown or mismanaged identities is significantly reduced.
Future implication: An optimized NHI management system is a strategic enabler for complete digital transformation and highly autonomous security. It provides the foundational identity context for advanced AI-driven security operations, self-healing access, and seamless, secure integration of any new technology or business initiative, driving competitive advantage.
12. AI Agents
Initial Stage
Description: There is no specific strategy or framework for managing the identities, access, or security of AI agents. AI models and applications are deployed without formal identity lifecycle management, dedicated authentication, or granular authorization. Their activities are not monitored from an identity perspective.
Risk today: Extremely high risk of AI agent compromise, unauthorized data access by agents, and rogue agent behavior due to lack of identity and access controls. This creates a vast, unmanaged attack surface for intellectual property theft, data manipulation, and service disruption. Compliance with data privacy regulations for AI interactions is impossible.
Future implication: The inability to securely manage AI agents will completely prevent their safe and scalable deployment. It will lead to severe security incidents, undermine trust in AI applications, and expose the organization to significant legal and ethical liabilities related to AI governance.
Developing Stage
Description: Initial efforts are made to identify some AI agents and their basic associations, often manually. Some rudimentary access controls might be applied, treating them as generic machine accounts. Dedicated identity lifecycle or granular authorization for AI agents is not yet developed.
Risk today: While acknowledging the existence of AI agents, the lack of specific identity controls means they remain a significant blind spot. Attackers can exploit broad access grants or weak authentication methods (if any) to compromise agents, gaining access to sensitive data or manipulating AI outputs.
Future implication: This piecemeal approach will create growing security gaps as AI adoption expands. It will hinder the ability to audit AI agent activities, enforce least privilege for their access, and adapt to evolving regulatory landscapes for AI security and ethics.
Defined Stage
Description: Documented processes and some foundational controls are in place for managing a subset of AI agent identities. This might include registering agents in an inventory, applying basic authentication (e.g., API keys), and assigning them to broad roles for authorization. Session logging for AI agent activity might be initiated.
Risk today: The risk associated with known AI agents is somewhat reduced by applying basic identity controls. However, the lack of fine-grained, context-aware authorization and comprehensive lifecycle management means that agents might still have excessive privileges or their access could become stale, creating vulnerabilities.
Future implication: While supporting initial AI deployments, the system may struggle to scale securely to a large number of diverse AI agents with varying access needs. It will limit the ability to implement advanced AI governance and ensure compliance with emerging AI ethics and security standards.
Managed Stage
Description: A comprehensive and largely automated framework for managing AI agent identities and access is implemented. This includes automated lifecycle management for agents, robust authentication methods, and granular, policy-driven authorization based on their specific function and context. Dedicated monitoring of AI agent activity is standard.
Risk today: The risk of AI agent compromise or misuse is significantly minimized due to dedicated identity and access controls. The organization can confidently deploy AI agents with least privilege, monitor their actions, and ensure their activities align with security and compliance policies.
Future implication: A managed AI agent identity and access system provides a robust and agile foundation for responsible AI adoption at scale. It enables the organization to leverage AI for strategic advantage while mitigating security, compliance, and ethical risks associated with autonomous systems.
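The Defined stage above describes registering agents in an inventory, authenticating them with API keys, assigning broad roles and initiating session logging, and the Managed stage replaces the broad roles with granular, function-based authorization. The block below is an added example of those controls together; it is not code from this guide or from any agent framework. The registry API, the action names and the sample agent are constructed for illustration.

```python
"""Identity controls for AI agents: inventory registration, API-key
authentication, function-scoped authorization and a decision log.

Added example, not from the guide or any agent framework: the registry API,
action names and the sample agent below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta


def _hash(api_key: str) -> str:
    # Keys are 256-bit random tokens, so a plain SHA-256 digest keeps the plaintext
    # out of the inventory; a slow password hash is unnecessary for high-entropy secrets.
    return hashlib.sha256(api_key.encode()).hexdigest()


@dataclass(frozen=True)
class Agent:
    agent_id: str
    owner: str                   # accountable human owner, never empty
    purpose: str
    key_hash: str
    allowed_actions: frozenset   # explicit per-function grants rather than a broad role
    expires: datetime


class AgentRegistry:
    def __init__(self, now: datetime):
        self.now = now
        self._agents = {}
        self.audit_log = []      # (time, agent_id, stage, action, outcome) for every decision

    def register(self, agent_id, owner, purpose, allowed_actions, ttl_days=30) -> str:
        """Create the agent's identity and return its API key exactly once."""
        api_key = secrets.token_urlsafe(32)
        self._agents[agent_id] = Agent(
            agent_id, owner, purpose, _hash(api_key),
            frozenset(allowed_actions), self.now + timedelta(days=ttl_days),
        )
        return api_key

    def authenticate(self, agent_id: str, presented_key: str):
        """Return the Agent on success, None otherwise; every attempt is logged."""
        agent = self._agents.get(agent_id)
        # Compare against a dummy digest for unknown agents so both failure paths
        # do the same amount of work.
        expected = agent.key_hash if agent else _hash("")
        valid = hmac.compare_digest(expected, _hash(presented_key))
        if agent is None or not valid or self.now > agent.expires:
            self._log(agent_id, "auth", None, "deny")
            return None
        self._log(agent_id, "auth", None, "allow")
        return agent

    def authorize(self, agent: Agent, action: str) -> bool:
        """Allow only actions in the agent's own grant list."""
        allowed = action in agent.allowed_actions
        self._log(agent.agent_id, "authz", action, "allow" if allowed else "deny")
        return allowed

    def _log(self, agent_id, stage, action, outcome):
        self.audit_log.append((self.now, agent_id, stage, action, outcome))


def demo():
    """Walk one constructed agent through its lifecycle and return the decisions made."""
    reg = AgentRegistry(now=datetime(2024, 1, 1))
    key = reg.register("ticket-summarizer", "support-eng", "summarize support tickets",
                       ["tickets:read", "tickets:comment"])
    agent = reg.authenticate("ticket-summarizer", key)
    results = {
        "auth_ok": agent is not None,
        "read": reg.authorize(agent, "tickets:read"),
        "delete": reg.authorize(agent, "tickets:delete"),      # outside its function: denied
        "wrong_key": reg.authenticate("ticket-summarizer", "not-the-key") is None,
        "unknown_agent": reg.authenticate("ghost-agent", key) is None,
    }
    reg.now += timedelta(days=31)                               # credential past its TTL
    results["expired"] = reg.authenticate("ticket-summarizer", key) is None
    results["log_entries"] = len(reg.audit_log)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The expiry and the explicit grant list are what distinguish this from the "generic machine account" treatment of the Developing stage: the key cannot outlive its purpose, and an agent built to summarize tickets has no path to deleting them even if its key is stolen.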
Optimized Stage
Description: Achieves continuous, autonomous management and security of AI agents driven by AI itself and predictive analytics. The system intelligently provisions, authenticates, authorizes, and monitors AI agents in real-time, dynamically adjusting access based on behavioral analysis, risk assessment, and evolving task requirements.
Risk today: Near-zero risk of AI agent compromise or unintended behavior due to the highly intelligent and adaptive system that ensures continuous least privilege and detects anomalous agent activity proactively. The system autonomously responds to threats and self-heals compromised agent identities.
Future implication: An optimized AI agent identity and access system is a strategic enabler for cutting-edge AI innovation and fully autonomous operations. It provides unparalleled trust and control over the AI landscape, allowing the organization to fully harness the power of AI while ensuring superior security, ethical governance, and competitive differentiation.
Copyright and usage information for this guide
This guide and its contents are protected by copyright laws. The copyright holder expressly retains full and exclusive ownership of all intellectual property rights, including copyrights, in perpetuity, for this guide.
This guide is intended for informational purposes only; it is not a substitute for legal advice, and any actions taken based on its contents should be independently evaluated by your legal advisor. The author and Oleria Corporation bear no liability for any outcomes resulting from the application of these strategies.
Permitted uses by readers
Given the collaborative spirit of this work, we encourage you to use this guide to strengthen your cybersecurity posture. You are free to:
Copy and share: Reproduce and distribute this guide or a subset for your internal business purposes or in any non-commercial medium or format.
Attribution: When sharing outside your organization, you must provide prominent attribution to Oleria Corporation.
All other rights, including the creation of external-facing derivative works or other implementation for commercial purposes by your business, are reserved by the copyright holder.
For any queries regarding further licensing, distribution, or publishing rights beyond the scope described above, please contact: legal@oleria.com.