TL;DR: Identity security is shifting from an IT control to a business enabler because attackers now target identities, third-party access, and privileged pathways, while more than half of CEOs fear their current business model will not survive the next decade without transformation, according to PwC. That makes integrated identity governance, PAM, and access management a core resilience requirement, not a hygiene task.
At a glance
What this is: This SailPoint conversation argues that identity security has moved from a back-office function to a strategic control layer as attackers focus on identities and third-party access.
Why it matters: For IAM and NHI practitioners, the implication is that identity governance must extend beyond human users to partners, vendors, privileged accounts, and machine identities with continuous response.
By the numbers:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- Only 5.7% of organisations have full visibility into their service accounts.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
👉 Read SailPoint's conversation on identity security as a business enabler
Context
Identity security is the discipline of governing who and what can access systems, data, and privileges across the enterprise. In this conversation, SailPoint and PwC frame identity as the control point where modern cyber risk, business transformation, and third-party exposure now converge.
That framing matters for NHI governance because attackers increasingly abuse service accounts, API keys, and vendor access after the initial compromise. When the same governance model must cover people, partners, privileged users, and non-human identities, weak lifecycle control becomes a business risk rather than a narrow IAM problem.
Key questions
Q: How should organisations govern third-party identity access more tightly?
A: Treat third-party access as a lifecycle problem, not a procurement checkbox. Require business ownership, least-privilege entitlements, expiry dates, periodic review, and immediate revocation when the relationship ends. Apply the same standards to partner accounts, support users, and vendor automation tokens that you would expect for internal privileged access.
Q: When does identity security become a business risk rather than a technical issue?
A: Identity security becomes a business risk when a compromise can interrupt revenue, expose regulated data, or block transformation work. At that point, the issue is not simply login control. It is the organisation's ability to keep operating safely while changing quickly, which depends on governance, privilege limits, and fast revocation.
Q: What is the difference between IAM and PAM in identity governance?
A: IAM governs authentication and ordinary access across the estate, while PAM constrains elevated privileges and high-risk sessions. In practice, IAM answers who should get in, and PAM answers who can perform sensitive actions once inside. Strong programmes use both, with governance ensuring that access remains current and justified.
Q: Why do non-human identities make identity security harder to manage?
A: Non-human identities are harder to manage because they are numerous, often overprivileged, and frequently long-lived. They may be embedded in code, CI/CD pipelines, cloud services, or vendor integrations, which makes ownership and rotation unclear. Without dedicated governance, they become durable trust paths for attackers.
Technical breakdown
Why identity has become the primary attack surface
Modern intrusions often begin with identity compromise rather than network exploitation. Once credentials, tokens, or delegated access are obtained, the attacker can authenticate as a trusted actor and move through systems that otherwise look healthy. This is why multifactor authentication alone is not enough: MFA reduces some phishing risk, but it does not solve excessive privilege, stale entitlements, or weak third-party governance. In NHI environments, the same issue appears when service accounts and API keys persist longer than the workload that needs them.
Practical implication: treat identity compromise as the default breach path and prioritize privilege reduction, rotation, and access review.
How integrated IAM, PAM, and identity governance reduce blast radius
The article points to a layered control model. IAM establishes authentication and access policy, PAM constrains elevated access, and identity governance provides visibility, approvals, certification, and lifecycle control. Used together, they reduce the time a compromised identity can remain useful and limit what that identity can reach. For NHIs, this matters because machine identities are often overprivileged, long-lived, and poorly inventoried. Without integrated controls, an attacker who captures one secret can inherit broad, persistent access across environments.
Practical implication: connect governance, PAM, and access management so every identity type is subject to the same entitlement and lifecycle checks.
Third-party access is an identity governance problem
Supply chain risk is not only about software dependencies. It is also about the identities granted to vendors, partners, contractors, and service providers. Those external identities often bypass the same scrutiny applied to employees, yet they can carry broad access into production systems, SaaS platforms, and support workflows. In NHI terms, this includes external API integrations, automation accounts, and partner tokens that remain active long after the business need has changed. The failure mode is simple: access outlives trust.
Practical implication: apply the same onboarding, review, expiration, and offboarding discipline to external identities as to internal ones.
Threat narrative
Attacker objective: The objective is to turn trusted identity into durable access that bypasses perimeter defenses and enables broad system or data compromise.
- Entry occurs when attackers target identities directly, often through stolen credentials, phishing, exposed secrets, or abuse of vendor access rather than traditional network exploitation.
- Escalation follows when the compromised identity has excessive privilege, allowing the attacker to expand access through trusted systems and administrative workflows.
- Impact comes when the attacker roams laterally, reaches sensitive data or production systems, and turns one identity failure into a broader breach.
Breaches seen in the wild
- LiteLLM PyPI package breach — LiteLLM PyPI supply chain attack, credentials stolen from users.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity security is now a business continuity issue, not just a control function. The article is right to frame identity as the point where cyber risk and transformation risk meet. When authentication, authorization, and lifecycle management fail together, the business cannot safely scale digital change. Practitioners should treat identity resilience as an executive-level continuity requirement.
Identity blast radius is the real operating metric for modern security programmes. The important question is no longer whether an identity can log in, but how far it can move once compromised. Excess privilege, stale access, and weak offboarding turn a single account into an enterprise-wide exposure. Practitioners should measure and reduce the blast radius of every human and non-human identity.
Third-party identity governance is the overlooked control plane. Partners and vendors often receive access faster than internal users receive scrutiny, which creates a hidden trust gap. That gap becomes more dangerous when external identities are long-lived, poorly reviewed, or connected to privileged workflows. Practitioners should bring supplier identities into the same lifecycle and certification model as internal access.
Integrated identity control is replacing point solutions as the security baseline. MFA, PAM, and governance cannot operate as disconnected tools if the attack path is identity-centric. The market is moving toward connected control planes that can see, constrain, and revoke access across human and machine identities. Practitioners should evaluate whether their current stack can actually enforce end-to-end identity policy.
From our research:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which explains why identity sprawl so often outpaces governance.
- For lifecycle control, see Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs for the rotation and offboarding discipline that reduces residual access.
What this signals
Identity programmes now need a blast-radius lens. The next maturity step is not broader authentication coverage, but tighter control over how far any identity can move once it is trusted. That means linking access policy, privilege boundaries, and revocation speed to business-critical systems, while aligning with the NIST Cybersecurity Framework 2.0 and Top 10 NHI Issues.
With 97% of NHIs carrying excessive privileges, the governance problem is already structural, not exceptional. Teams should expect identity sprawl to keep expanding as automation and third-party integration increase, which makes inventory accuracy and entitlement pruning operational priorities.
Identity blast radius: organisations that cannot quickly revoke or narrow access will keep turning routine identity changes into enterprise risk. The most urgent work is to shorten the time between trust loss and access removal across both human and non-human identities.
For practitioners
- Map identity blast radius for every privileged account: Inventory which systems each privileged human and non-human identity can reach, then remove access that is not required for the current task or workload. Focus first on production, finance, and administrative paths where compromise creates the most downstream impact.
- Extend governance to partner and vendor identities: Put external users, API integrations, automation accounts, and support identities into the same joiner-mover-leaver and access certification process as employees. Require explicit expiry and re-approval for third-party access that touches production or sensitive data.
- Tie PAM to identity lifecycle controls: Do not let privileged access exist outside lifecycle oversight. Synchronize approvals, session monitoring, and revocation with role changes, contract end dates, and workload retirement so elevated access cannot linger after need has passed.
- Reduce trust in long-lived secrets: Replace persistent keys and tokens with shorter-lived credentials where possible, and track where secrets are stored, shared, and reused across tools. Long-lived secrets should be treated as exceptional, reviewed, and time-bounded.
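The four practitioner steps above can be turned into a single inventory review: compute each identity's blast radius as the transitive set of systems its entitlements reach, then flag the lifecycle gaps (missing owner, third-party access without expiry, expired access still active, NHI secrets past their rotation window). The script below is an added illustration, not code from the article or from SailPoint; the `REACH` trust edges, the sample inventory and the 90-day rotation window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
@dataclass
class Identity:
    name: str
    kind: str                              # "human", "third_party" or "nhi"
    entitlements: set                      # systems the identity reaches directly
    owner: Optional[str] = None            # accountable business owner
    expires: Optional[date] = None         # contract or access end date
    secret_rotated: Optional[date] = None  # last credential rotation (NHIs)
# Hypothetical trust edges: a CI token that can deploy also reaches prod and its database.
REACH = {"ci": {"prod-app"}, "prod-app": {"prod-db"}, "support-portal": {"customer-data"}}
def blast_radius(ident, reach):
    # Transitive set of systems reachable from the identity's direct entitlements.
    seen, stack = set(), list(ident.entitlements)
    while stack:
        system = stack.pop()
        if system not in seen:
            seen.add(system)
            stack.extend(reach.get(system, ()))
    return seen

def lifecycle_findings(ident, today, max_secret_age_days=90):
    # Lifecycle gaps from the practitioner list, reported in a fixed order.
    findings = []
    if ident.owner is None:
        findings.append("no business owner")
    if ident.kind == "third_party" and ident.expires is None:
        findings.append("third-party access without expiry")
    if ident.expires is not None and ident.expires < today:
        findings.append("access expired but still active")
    if (ident.kind == "nhi" and ident.secret_rotated is not None
            and (today - ident.secret_rotated).days > max_secret_age_days):
        findings.append("secret older than rotation window")
    return findings

def review(identities, reach, today, max_secret_age_days=90):
    # One row per identity: systems it can reach plus the lifecycle gaps to fix.
    return {i.name: {"blast_radius": sorted(blast_radius(i, reach)),
                     "findings": lifecycle_findings(i, today, max_secret_age_days)}
            for i in identities}
# Constructed sample inventory; values are illustrative, not from the article.
TODAY = date(2026, 4, 27)
INVENTORY = [
    Identity("alice", "human", {"finance-erp"}, owner="cfo"),
    Identity("vendor-support", "third_party", {"support-portal"}, owner="it-ops", expires=date(2026, 3, 31)),
    Identity("ci-deploy-token", "nhi", {"ci"}, secret_rotated=date(2025, 9, 1)),
]
```

Running `review(INVENTORY, REACH, TODAY)` ranks the unowned CI token as the widest exposure (three systems via the deploy path) and shows the vendor account still active a month after its contract end date.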
Key takeaways
- Identity security is now a business enabler only when it can constrain real-world access, not just authenticate users.
- The largest exposure sits in long-lived, overprivileged, and poorly governed identities, especially third-party and non-human accounts.
- Practitioners should measure blast radius, not just login success, and build lifecycle controls that revoke trust quickly.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Identity access must be limited and continuously reviewed across people and machines. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Persistent secrets and weak rotation are central risks for NHIs in this article. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Zero Trust requires continuous verification when identity is the primary attack surface. |
Map privileged and third-party access to PR.AC-4 and remove entitlements that exceed business need.
Key terms
- Identity Blast Radius: The amount of access an identity can exercise if it is compromised. In practice, it reflects how far an attacker can move from one account into systems, data, and administration paths. Smaller blast radius means shorter dwell time, less privilege, and faster containment.
- Third-Party Identity: An identity issued to a partner, vendor, contractor, or external service that can access internal systems. These identities often sit outside normal employee governance and can become persistent trust paths if they are not reviewed, expired, and revoked on schedule.
- Non-Human Identity: A machine identity used by software, workloads, automation, or AI agents to authenticate and access resources. Common forms include service accounts, API keys, tokens, and certificates. These identities often outnumber human users and require lifecycle controls just as strict as workforce identities.
What's in the full article
SailPoint's full blog covers the conversational detail this post intentionally leaves for the source:
- The partner discussion between SailPoint and PwC on why identity is increasingly treated as a business enabler.
- The specific CEO survey framing used to connect identity security with business-model transformation.
- The practical narrative around integrating privileged access management, access management, and identity governance.
- The original video and conversation context for teams that want the source framing, not just the analyst interpretation.
Deepen your knowledge
Identity blast-radius control, privileged access governance, and third-party lifecycle management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is moving from human-only IAM to broader identity governance, this is a useful place to start.
Published by the NHIMG editorial team on 2026-04-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org