TL;DR: Identity security is still split between IAM teams and security teams, even though 91% of organisations rank it among their top five priorities, according to Silverfort. That gap matters because modern attacks move through identity, and governance only works when provisioning, lifecycle, and threat response are treated as one discipline.
At a glance
What this is: This is an editorial post about the persistent split between IAM and security operations, with the key finding that identity security remains a top-five priority for 91% of organisations while the operating model still lags behind the threat.
Why it matters: It matters because practitioners have to govern human identities, NHIs, and increasingly autonomous systems through one coordinated model, or attackers will keep exploiting the seams between teams and controls.
By the numbers:
- 91% of organisations classify identity security as a top-five initiative.
👉 Read Silverfort's analysis of identity security's gap between IAM and security
Context
Identity security is the discipline that connects provisioning, lifecycle governance, access control, and threat response across the enterprise. The problem this article identifies is not a missing control but an organisational split: IAM teams own the build, security teams own the defence, and attackers exploit the seam between them.
That split matters because identity is now the control plane for human users, service accounts, and AI-driven systems alike. When identity governance is treated as separate from security operations, teams lose the ability to see lateral movement, privilege drift, and escalation as one problem, which is where modern attacks do the most damage.
Key questions
Q: How should security teams coordinate IAM and threat response more effectively?
A: Security teams should align identity governance with detection and response around the same identity events, not as separate workflows. That means sharing telemetry, agreeing on escalation criteria, and treating privileged access changes as security signals as well as administrative tasks. The goal is to close the gap attackers exploit between valid access and malicious use.
Q: Why do identity security gaps persist even when organisations prioritise IAM?
A: Priority does not fix organisational separation. Many programmes still split provisioning, lifecycle governance, and access review from threat detection and incident response, so each team sees only part of the risk. Attackers exploit that seam by using legitimate identities to move laterally before either team connects the dots.
Q: What breaks when identity governance is treated as admin work instead of security work?
A: The main failure is visibility into how access is used after it is granted. IAM processes may issue the right account and entitlements, but without security correlation the organisation cannot tell whether that access is behaving normally, being abused, or enabling lateral movement. Governance becomes compliant on paper but weak in practice.
Q: Who is accountable when identity security controls fail across team boundaries?
A: Accountability has to sit with the function that owns the combined risk, not just the system owner. If IAM issues access and security monitors abuse, both sides need explicit decision rights for escalation, containment, and remediation. Otherwise the organisation creates a gap where each team assumes the other is responsible.
Technical breakdown
Why identity becomes the path of least resistance in enterprise attacks
Attackers often prefer identity because it gives them legitimate-looking access without immediately triggering classic perimeter alerts. Once a credential, token, or session is valid, movement can look operational rather than malicious. In large enterprises, that creates a gap between access administration and detection, especially when IAM and security tooling are not correlated. The result is not just compromise of an account, but misuse of trusted identity pathways across directories, applications, and cloud control planes.
Practical implication: correlate identity events with security telemetry so trust decisions can be evaluated in context, not in isolation.
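The correlation described above, as an added example that is not part of the original article or Silverfort's tooling: IAM lifecycle events (provisioned, privilege granted, deprovisioned) are joined to access telemetry on the shared identity name, and two detections fall out of the join that neither data set can produce on its own. Both event lists are constructed sample data; the rule names, the 24-hour window and the field layout are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample data, not real logs. Lifecycle events come from the IAM
# side; access events come from the security telemetry side. The only join
# key is the identity name, which is the point of the example.
LIFECYCLE_EVENTS: List[Tuple[str, str, str]] = [
    # identity, lifecycle event, ISO-8601 timestamp
    ("svc-build",  "provisioned",       "2026-05-01T09:00:00"),
    ("svc-build",  "privilege_granted", "2026-05-10T14:00:00"),
    ("alice",      "provisioned",       "2026-04-01T09:00:00"),
    ("alice",      "deprovisioned",     "2026-05-12T17:00:00"),
    ("svc-report", "provisioned",       "2026-03-15T09:00:00"),
]

ACCESS_EVENTS: List[Tuple[str, str, str, str]] = [
    # identity, resource, source address, ISO-8601 timestamp
    ("svc-build",  "ci-runner", "10.0.1.5",    "2026-05-09T10:00:00"),
    ("svc-build",  "ci-runner", "10.0.1.5",    "2026-05-10T14:20:00"),
    ("svc-build",  "prod-db",   "10.0.9.40",   "2026-05-10T14:35:00"),  # never-seen resource right after the grant
    ("alice",      "wiki",      "10.0.2.8",    "2026-05-11T08:00:00"),
    ("alice",      "vpn",       "203.0.113.7", "2026-05-13T02:10:00"),  # after alice was deprovisioned
    ("svc-report", "warehouse", "10.0.3.2",    "2026-05-14T03:00:00"),
]


@dataclass(frozen=True)
class Finding:
    rule: str       # which correlation rule fired (names are this example's own)
    identity: str   # the identity the two data sets were joined on
    detail: str     # human-readable context for the analyst


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def correlate(lifecycle, access, window: timedelta = timedelta(hours=24)) -> List[Finding]:
    """Join lifecycle events to access telemetry by identity and raise findings.

    Rule 1 (use_after_deprovision): any access by an identity after IAM
    recorded its deprovisioning. IAM alone cannot see the use; telemetry
    alone does not know the account should be dead.
    Rule 2 (new_resource_after_grant): within `window` of a privilege grant,
    the identity touches a resource it had never accessed before the grant.
    A grant is an administrative event in IAM; here it becomes a security
    signal that sharpens the baseline comparison.
    """
    deprovisioned: Dict[str, datetime] = {}
    grants: Dict[str, List[datetime]] = {}
    for ident, event, ts in lifecycle:
        if event == "deprovisioned":
            deprovisioned[ident] = _ts(ts)
        elif event == "privilege_granted":
            grants.setdefault(ident, []).append(_ts(ts))

    findings: List[Finding] = []
    # Resources each identity has been seen using so far, built in time order
    # so "never seen before" means "not seen before this event".
    baseline: Dict[str, Set[str]] = {}
    for ident, resource, source, ts in sorted(access, key=lambda e: e[3]):
        t = _ts(ts)
        if ident in deprovisioned and t > deprovisioned[ident]:
            findings.append(Finding("use_after_deprovision", ident,
                                    f"{resource} from {source} at {ts}"))
        seen = baseline.setdefault(ident, set())
        for granted_at in grants.get(ident, []):
            # Caveat: an identity with no history before the grant will flag
            # every resource it touches; that is the intended conservative behaviour.
            if granted_at <= t <= granted_at + window and resource not in seen:
                findings.append(Finding("new_resource_after_grant", ident,
                                        f"{resource} first seen {ts}, grant at {granted_at.isoformat()}"))
        seen.add(resource)
    return findings


if __name__ == "__main__":
    for f in correlate(LIFECYCLE_EVENTS, ACCESS_EVENTS):
        print(f"{f.rule:26} {f.identity:12} {f.detail}")
```

Run stand-alone it prints two findings: the build service account reaching `prod-db` 35 minutes after its privilege grant, and `alice` using the VPN after deprovisioning. Neither line in `ACCESS_EVENTS` looks abnormal on its own; the judgement comes entirely from the lifecycle context the IAM side holds.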
What the IAM and security divide hides in day-to-day operations
IAM programmes usually focus on provisioning, entitlements, and lifecycle tasks, while security programmes focus on threats, anomalies, and response. Those are complementary functions, but they break down when no one owns the full path from assignment to abuse. The article’s core tension is organisational, not technical: identity security fails when access governance is treated as admin work instead of a security control surface. That is why the same account can be properly issued and still be poorly defended.
Practical implication: align identity governance reviews with security risk reviews so access decisions reflect exposure, not just policy compliance.
Why AI-driven attacks raise the stakes for identity governance
The Mythos example in the article points to a broader problem: AI-powered attack paths can adapt quickly enough to outpace human review cycles. Whether the actor is a human identity, an NHI, or an autonomous system, the core issue is the same: access changes faster than governance can observe it. For autonomous behaviour, the deeper break is that the identity may initiate actions at runtime rather than simply responding to requests. That shifts identity security from static entitlement management to continuous control of execution paths.
Practical implication: design identity controls around runtime behaviour and not only around provisioning-time assumptions.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity security is no longer a specialism adjacent to IAM. It is the operating model that has to reconcile access governance with threat response. The article makes the right diagnosis even if it stays organisationally broad: attackers do not care which team owns the system, only whether the identity path is exploitable. That means identity security has to be treated as a control fabric spanning lifecycle, privilege, and detection, not as a handoff between teams. Practitioners should read this as a governance failure when the seams are visible to attackers but not to defenders.
91% prioritisation is not the same as operating maturity, and this article exposes that gap. Organisations can rank identity security highly while still leaving IAM and security in different decision loops, with different telemetry and different escalation paths. That is a familiar pattern across human identity, NHI governance, and emerging autonomous use cases. The lesson is straightforward: priority language without shared control ownership does not reduce exposure.
The drawbridge metaphor captures a real governance problem: identity controls are often designed to be raised after a decision, not during execution. That works only when access changes slowly enough for a human to intervene. In fast-moving identity environments, especially where machine identities and agentic systems are involved, the assumption that someone will always have time to decide is already under strain. Practitioners should recognise that runtime identity behaviour is now a security condition, not just an IAM administration concern.
Periodic access review assumes access persists long enough to be observed. That assumption was designed for human-paced access changes and periodic recertification. It fails when identity-driven actions move laterally before review cycles catch up, because the object being reviewed is no longer the object that was used. The implication is that governance models built around post-hoc validation must be reconsidered for actors that can execute and move before control loops complete.
Identity security will keep converging with security operations because attackers already treat identity as the shortest route to impact. The discipline that survives will be the one that can connect provisioning, threat detection, and response around the same identity events. That convergence matters across human users, NHIs, and autonomous systems because the governance question is becoming the same one in different forms: who or what is acting, under what authority, and with what observable boundary? Practitioners should plan for shared identity risk operations, not separate towers.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly identity exposure compounds once governance fails.
- For lifecycle-focused teams, the NHI Lifecycle Management Guide helps translate that risk into provisioning, rotation, and offboarding decisions.
What this signals
Identity operations are moving toward a shared risk model. As threat activity increasingly targets identity rather than infrastructure, teams will need to merge access governance signals with incident response workflows. With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security, the blind spot is already large enough to affect both IAM and security operations.
The practical signal is that board-level identity programmes will be judged on cross-functional execution, not policy volume. Organisations that can connect lifecycle, privilege, and detection into one operating rhythm will be better positioned to manage human, NHI, and future autonomous identity risk without waiting for a major incident to expose the gap.
For practitioners
- Unify identity and security ownership: Create a shared operating model for IAM, detection, and response so identity events are reviewed by both governance and security stakeholders.
- Map lateral movement through identity paths: Trace how an attacker could move from a valid identity into higher privilege, adjacent systems, or security tooling using trusted access.
- Review lifecycle decisions as security decisions: Treat provisioning, recertification, and offboarding as exposure controls, not back-office administration, especially where privileged accounts are involved.
- Define runtime decision points for fast-moving identities: Identify where identity actions can proceed before human review and decide which signals should trigger intervention, escalation, or containment.
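The second item above, mapping how trusted access chains from a valid identity to higher privilege, is a graph problem, and the defender's version of it is asking which identities can reach tier-0 assets and which single entitlement would cut every such path. The example below is added here and is not the article's or any vendor's code; the entitlement edges, the `user:`/`group:`/`svc:`/`host:` naming and the relation labels are constructed assumptions standing in for directory group membership, secret-store reads and host-level tokens.

```python
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Edge = Tuple[str, str, str]  # (source node, relation, target node)

# Constructed entitlement data, not from any real environment. Each edge means:
# an actor controlling `source` can reach `target` through `relation`.
EDGES: List[Edge] = [
    ("user:alice",        "member_of", "group:developers"),
    ("group:developers",  "can_read",  "vault:ci-secrets"),
    ("vault:ci-secrets",  "contains",  "svc:deploy-bot"),      # secret store holds the NHI's credential
    ("svc:deploy-bot",    "admin_of",  "host:prod-web-01"),
    ("host:prod-web-01",  "has_token", "svc:cloud-admin"),     # long-lived token left on the host
    ("svc:cloud-admin",   "admin_of",  "cloud:prod-account"),
    ("user:bob",          "member_of", "group:analysts"),
    ("group:analysts",    "can_read",  "db:reporting"),
    ("host:prod-web-01",  "can_read",  "vault:ci-secrets"),    # cycle, to show BFS copes with it
]

# Assets whose compromise is treated as total loss (assumption for the example).
TIER0: Set[str] = {"svc:cloud-admin", "cloud:prod-account"}


def build_graph(edges: List[Edge]) -> Dict[str, List[Tuple[str, str]]]:
    graph: Dict[str, List[Tuple[str, str]]] = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def path_to_tier0(graph, start: str, tier0: Set[str]) -> Optional[List[str]]:
    """Breadth-first search from `start`; returns the shortest node path that
    reaches any tier-0 asset, or None if the identity cannot get there."""
    prev: Dict[str, Optional[str]] = {start: None}  # doubles as the visited set
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in tier0:
            path = [node]
            while prev[node] is not None:
                node = prev[node]
                path.append(node)
            return path[::-1]
        for _rel, nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def exposed_principals(edges: List[Edge], tier0: Set[str],
                       prefixes=("user:", "svc:")) -> Dict[str, int]:
    """Map each human or service principal that can reach tier 0 to its hop count.
    Principals that are themselves tier 0 are excluded; unreachable ones are omitted."""
    graph = build_graph(edges)
    starts = sorted({s for s, _, _ in edges if s.startswith(prefixes)} - tier0)
    result: Dict[str, int] = {}
    for start in starts:
        path = path_to_tier0(graph, start, tier0)
        if path is not None:
            result[start] = len(path) - 1
    return result


def chokepoints(edges: List[Edge], tier0: Set[str]) -> List[Edge]:
    """Entitlements whose removal alone leaves no principal able to reach tier 0.
    These are where a single governance decision buys the most exposure reduction."""
    return [edge for edge in edges
            if not exposed_principals([e for e in edges if e != edge], tier0)]


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for principal, hops in exposed_principals(EDGES, TIER0).items():
        print(f"{principal} reaches tier 0 in {hops} hops: "
              + " -> ".join(path_to_tier0(graph, principal, TIER0)))
    print("chokepoints:", chokepoints(EDGES, TIER0))
```

The output shows that `user:alice`, an ordinary developer, is five hops from cloud admin, while `svc:deploy-bot` is two; neither hop is a misconfiguration in isolation, which is exactly the seam the article describes. The choke-point calculation then tells the governance side where one entitlement change (the host's standing token or the NHI's admin role) closes every path at once, a more useful recertification target than reviewing alice's group membership.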
Key takeaways
- Identity security fails when IAM and security teams operate as separate control planes rather than one risk model.
- Attackers exploit legitimate identity paths because they can move laterally before governance and detection are connected.
- Organisations need shared ownership of identity telemetry, lifecycle decisions, and escalation paths to reduce exposure.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Shared identity control and response ownership directly affect access governance. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle and privilege control gaps are central to the identity security split. |
| NIST Zero Trust (SP 800-207) | AC-2 | Zero Trust depends on continuous evaluation of identity trust and access use. |
Link identity events to PR.AC-1 so access decisions are visible to both IAM and security teams.
Key terms
- Identity Security: Identity security is the discipline of protecting how accounts, credentials, entitlements, and sessions are created, used, and revoked. It spans IAM and security operations because identity is both an access mechanism and a major attack path.
- Lateral Movement: Lateral movement is the process of moving from one trusted identity or system to another after initial access is obtained. In identity-led attacks, it often happens through legitimate permissions, reused credentials, or over-privileged accounts rather than obvious malware.
- Identity Telemetry: Identity telemetry is the collection of signals that show how identities are issued, authenticated, authorised, and used over time. It is essential for spotting abuse because valid access can look normal unless access behaviour is correlated with security context.
- Access Review: Access review is the periodic evaluation of whether a user, service account, or other identity still needs its assigned access. It works best when access persists long enough to be observed and certified, which is why fast-moving or runtime-driven behaviour creates governance strain.
Deepen your knowledge
Identity security convergence across IAM and security operations is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building governance across human identities, NHIs, and emerging autonomous actors, it is worth exploring.
This post draws on content published by Silverfort: Identity Decoded and the widening gap between IAM and security. Read the original.
Published by the NHIMG editorial team on 2026-05-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org