By NHI Mgmt Group Editorial Team | Published 2026-02-26 | Domain: Governance & Risk | Source: Cerbos

TL;DR: Identity and access management failures are increasingly tied to personal CISO exposure, with over half fearing they could be fired after a breach and 40% worrying about personal liability, according to Cerbos. The real issue is not tooling presence but fragmented governance, weak identity proofing, and controls that do not produce reliable accountability.


At a glance

What this is: Cerbos argues that IAM failures now carry personal consequences for security leaders, while weak governance, fragmented tools, and poor identity proofing still create avoidable exposure.

Why it matters: This matters because IAM programmes now shape breach resilience, audit readiness, and leadership accountability across human identity, NHI, and autonomous control surfaces.

By the numbers:

  • Over half of security leaders fear they could be fired after a breach, according to Cerbos.
  • 40% worry about personal liability for identity and access failures, according to Cerbos.

👉 Read Cerbos' analysis of why IAM failures are now a CISO liability issue


Context

IAM is no longer just an operational control layer. In many organisations it has become the place where governance gaps, audit failure, and executive accountability all meet, which is why identity governance now matters directly to the CISO's personal risk profile as well as the company's.

The article's main point is that fragmented identity data, weak onboarding checks, and poorly coordinated access governance make it hard to answer a basic question with confidence: who has access to what, why, and under whose accountability. That is a human IAM problem, but the same governance pattern also applies to NHI sprawl and machine access oversight.


Key questions

Q: How should security teams reduce IAM failures that create executive liability?

A: They should treat identity governance as a measurable control programme, not a collection of tools. That means cleaning identity data, proving onboarding assurance, and tracking whether access decisions are consistently enforced. When leaders can show reliable identity evidence and repeatable governance outcomes, they reduce both breach exposure and the chance that accountability becomes personal.

Q: Why do organisations with many IAM tools still struggle with governance?

A: Because tool count does not equal control quality. If identity data is fragmented across directories, HR, PAM, SSO, and application silos, teams cannot reliably answer who has access or why. Governance fails when the evidence layer is inconsistent, even if each product works as designed.

Q: What should organisations look for in a stronger onboarding process?

A: They should look for identity proofing that matches the risk of the role, especially for remote hires and contractors. That usually means stronger verification than a copied document, plus checks that the person is genuine before access is issued. The goal is to avoid building trusted access on an untrusted root identity.

Q: When does adaptive access become more useful than static permissions?

A: Adaptive access becomes more useful when user context changes enough that a fixed grant no longer reflects the real risk. If location, device posture, behaviour, or resource sensitivity can shift the decision, runtime policy is more defensible than a standing entitlement. That is especially important for privileged and high-impact access paths.


Technical breakdown

Identity governance under fragmented toolchains

Enterprises rarely run one clean identity stack. They accumulate directories, SSO, PAM, IGA, HR systems, and cloud consoles over time, which creates inconsistent records and broken lineage between identity source, entitlement, and actual usage. When the data model is fragmented, dashboards can look authoritative while still missing real access paths. That is why governance fails at the data layer before it fails at the control layer. This is a classic identity assurance problem, not just a tooling problem, and it affects human accounts, service accounts, and delegated access patterns alike.

Practical implication: centralise identity evidence and reconcile source-of-truth ownership before you rely on dashboards for decisions.

Identity proofing and onboarding as an attack surface

Remote hiring and contractor onboarding have turned identity proofing into an upstream security control. The risk is not simply account creation after a bad hire, but the creation of a valid identity that starts with weak assurance and then inherits trust, access, and internal legitimacy. Standards such as NIST 800-63 matter here because assurance levels are only meaningful if they are actually enforced at onboarding. Once that gate is weak, later access controls inherit an untrusted root identity and the rest of the programme is compensating for a bad start.

Practical implication: treat identity proofing as a security control, not an HR formality, and raise assurance for remote and contractor onboarding.

Adaptive authorisation and contextual access decisions

Static permissions do not reflect how modern work happens. Adaptive authorisation uses risk signals such as device posture, location, behaviour, and resource sensitivity to make runtime decisions about whether access should proceed, step up, or stop. This is the practical zero trust move in IAM: continuously verify the request, not just the login. The value is not only stronger security, but better control evidence, because decisions become inspectable and policy-driven rather than hidden across local application logic and manual exceptions.

Practical implication: move sensitive access decisions into policy evaluation so you can prove why access was granted or denied.
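As an added example (not Cerbos' engine, policy language or code, and not part of the original post), the following Python evaluator applies the signals named above, device posture, session strength, location and a behavioural risk score, to a request and returns an inspectable decision record. The rule names, thresholds and sample entitlements are hypothetical; the point is that the decision (ALLOW, STEP_UP or DENY) and the rules behind it are recorded, which is the control evidence the passage describes.

```python
"""Adaptive authorisation as an inspectable runtime policy decision.

Added example; not Cerbos' engine, policy language or code. Rule names,
signal fields, thresholds and the sample entitlements below are
hypothetical and exist only to show how context turns a static grant into
an ALLOW / STEP_UP / DENY decision with a recorded reason.
"""
from dataclasses import dataclass, asdict
from typing import Callable, Dict, List, Tuple

ALLOW, STEP_UP, DENY = "ALLOW", "STEP_UP", "DENY"
SEVERITY = {ALLOW: 0, STEP_UP: 1, DENY: 2}  # deny overrides step-up overrides allow


@dataclass
class Request:
    principal: str
    roles: List[str]
    action: str
    resource: str
    sensitivity: str  # "low" | "medium" | "high" (hypothetical labels)


@dataclass
class Context:
    device_managed: bool   # device posture signal
    mfa_verified: bool     # strength of the current session
    location_known: bool   # location signal
    risk_score: float      # behavioural anomaly score in [0.0, 1.0]


# Static entitlements (hypothetical sample): (role, action, resource kind).
ENTITLEMENTS = {
    ("finance-admin", "read", "ledger"),
    ("finance-admin", "export", "ledger"),
    ("analyst", "read", "ledger"),
}


def entitled(req: Request) -> bool:
    """Static check: does any of the principal's roles carry this grant?"""
    return any((role, req.action, req.resource) in ENTITLEMENTS for role in req.roles)


# Ordered policy rules: (name, predicate, outcome when the predicate holds).
RULES: List[Tuple[str, Callable[[Request, Context], bool], str]] = [
    ("no-static-entitlement",
     lambda r, c: not entitled(r), DENY),
    ("high-sensitivity-requires-managed-device",
     lambda r, c: r.sensitivity == "high" and not c.device_managed, DENY),
    ("risk-score-critical",
     lambda r, c: c.risk_score >= 0.8, DENY),
    ("high-sensitivity-requires-mfa",
     lambda r, c: r.sensitivity == "high" and not c.mfa_verified, STEP_UP),
    ("unfamiliar-location",
     lambda r, c: not c.location_known, STEP_UP),
    ("elevated-risk-score",
     lambda r, c: 0.5 <= c.risk_score < 0.8, STEP_UP),
]


def evaluate(req: Request, ctx: Context) -> Dict:
    """Evaluate every rule, combine outcomes with deny-overrides, and return a
    decision record that says which rules fired and which signals were used."""
    fired = [(name, outcome) for name, pred, outcome in RULES if pred(req, ctx)]
    decision = max((outcome for _, outcome in fired), key=SEVERITY.get, default=ALLOW)
    return {
        "principal": req.principal,
        "action": req.action,
        "resource": req.resource,
        "decision": decision,
        "rules_fired": [name for name, _ in fired],
        "context": asdict(ctx),
    }


if __name__ == "__main__":
    alice = Request("alice", ["finance-admin"], "export", "ledger", "high")
    print(evaluate(alice, Context(True, True, True, 0.1)))   # decision ALLOW, no rules fired
    print(evaluate(alice, Context(False, True, True, 0.1)))  # decision DENY: unmanaged device
```

Every rule is evaluated rather than short-circuited on the first match, so the record lists all the reasons a request was stepped up or denied; that is what makes the decision reviewable after the fact instead of having to be reconstructed from application logs.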


  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Personal CISO liability is a governance symptom, not just a leadership problem. The article shows that identity failure is now being judged through a personal accountability lens, which means weak IAM has become visible at the executive level. That shift does not change the technical problem, but it changes how quickly underinvestment, bad data, and poor ownership become board-level consequences. The practitioner conclusion is that IAM governance now needs explicit executive evidence, not just technical controls.

Identity data fragmentation is the hidden control gap behind many IAM failures. The average enterprise reality is not a single coherent identity fabric, but a patchwork of disconnected tools, stale attributes, and unclear ownership. That makes risk scoring, certification, and audit evidence unreliable even when teams believe they have coverage. The implication is that governance maturity starts with evidence quality, because controls cannot be trusted if the underlying identity graph is incomplete.

Identity proofing debt creates downstream access debt. A weak onboarding process does not merely create a bad user record, it creates a legitimate account anchored to an untrusted identity. That is why the front door matters as much as downstream access review: the programme inherits the assurance level of day zero. Practitioners should recognise this as a lifecycle failure, not a one-time exception.

Adaptive access is the real zero trust test for IAM. The article's practical examples show that static allowlists and one-time authentication are not enough when context changes constantly. Mature programmes must make access decisions based on runtime evidence, not assumptions frozen at provisioning. The practitioner conclusion is that zero trust is proved in access evaluation, not in policy statements.

Dynamic authorisation is becoming the control plane that unifies human and non-human access. The same governance logic that helps with risky human logins also applies to service accounts, API-driven actions, and delegated workflows. If the organisation cannot explain access in policy terms, it will struggle to govern privilege creep, exception handling, and audit traceability across all identity types. The practitioner conclusion is to treat authorisation as shared infrastructure, not an application afterthought.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which shows how weak assurance remains even before autonomous behaviour enters the picture.
  • The deeper signal is governance fragmentation, so readers should also review NHI Lifecycle Management Guide for lifecycle controls that turn access evidence into an operational discipline.

What this signals

Identity confidence is the new governance metric. If security leaders cannot demonstrate coherent identity evidence, they will continue to carry breach blame without the control visibility needed to prevent it. That is why the CISO liability story is really an IAM maturity story, not just an executive stress story. Readers should use NIST Cybersecurity Framework 2.0 to connect governance, protection, detection, and response into one accountability model.

Lifecycle governance has become the practical boundary between control and theatre. In programmes that still rely on manual reviews and scattered ownership, access decisions are often too slow, too vague, or too late to matter. The right response is not more reporting, but a clearer lifecycle model for accounts, entitlements, and exceptions. For that, the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs remains a useful reference point.


For practitioners

  • Rebuild identity source-of-truth ownership: Assign named owners for authoritative identity attributes, then reconcile HR, directory, IAM, and application records on a fixed cadence so access reviews use a single evidence set.
  • Raise identity proofing assurance at onboarding: Use stronger verification for remote employees and contractors, including document checks, live identity validation, and fraud screening where risk warrants it.
  • Move high-risk access to policy-driven decisions: Externalise sensitive authorisation decisions so device context, role, and request risk are evaluated at runtime rather than buried inside application code.
  • Brief executives with governance metrics, not tool counts: Report dormant accounts, deprovisioning latency, and access exceptions as business risk indicators so leadership sees whether the IAM programme is actually reducing exposure.

Key takeaways

  • IAM failures now land on the CISO personally, so governance quality has become a leadership risk as well as a technical one.
  • Fragmented identity data and weak onboarding assurance are the recurring failure points that make access evidence unreliable.
  • Adaptive, policy-driven authorisation is the practical path from static identity control to defensible zero trust decision-making.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework                    | Control / Reference | Relevance                                                                                      |
|------------------------------|---------------------|------------------------------------------------------------------------------------------------|
| NIST CSF 2.0                 | PR.AC-4             | Identity governance and access enforcement are central to the article's accountability theme. |
| NIST SP 800-63               |                     | Identity proofing at onboarding is discussed as a source of downstream trust risk.            |
| NIST Zero Trust (SP 800-207) | PR.AC-3             | Adaptive authorisation and continuous verification align with zero trust access decisions.    |

Map identity governance evidence to PR.AC-4 and prove access decisions are consistently enforced.


Key terms

  • Identity Proofing: Identity proofing is the process of establishing that a person is who they claim to be before access is granted. In practice, it is a security control that sets the assurance level for everything that follows, so weak proofing creates downstream trust debt.
  • Adaptive Authorisation: Adaptive authorisation is runtime access decision-making that changes based on context such as device state, location, behaviour, and resource sensitivity. It replaces one-time permission logic with continuous policy evaluation, which is essential when risk changes faster than static roles can keep up.
  • Identity Data Fragmentation: Identity data fragmentation is the condition where authoritative identity information is split across many systems that do not agree with one another. It weakens governance because reviews, dashboards, and audit evidence can no longer be trusted as a single source of truth.
  • Access Review Evidence: Access review evidence is the set of records used to prove who had access, why they had it, and whether it was still appropriate. Good evidence is complete, current, and tied to ownership, while poor evidence makes recertification a formality rather than a control.

Deepen your knowledge

Identity governance, onboarding assurance, and dynamic authorisation are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are formalising controls across human and non-human identities, this is a strong fit for your programme.

This post draws on content published by Cerbos: IAM failures, CISO accountability, and the hidden challenges of modern identity governance. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org