By NHI Mgmt Group Editorial Team | Published 2026-05-13 | Domain: Governance & Risk | Source: ConductorOne

TL;DR: The CIA triad protects data, but modern breaches increasingly target actors, not artifacts. The post cites 74% of attacks starting with compromised identities, 79% of detections being malware-free, and 88% of web app breaches involving stolen credentials (figures from ConductorOne and the industry reports it references). The control plane has moved above the ground floor, and identity, trust, and governance now determine security outcomes.


At a glance

What this is: An analysis of why identity, trust, and governance now function as the security control plane above the CIA triad.

Why it matters: IAM, NHI, and human identity programmes now have to govern actors and delegation chains, not just protect data.

By the numbers:



Context

The CIA triad still matters, but it was designed to protect data, not to govern the actors that touch it. As infrastructure moved into virtual machines, containers, serverless systems, and AI agents, the central security question shifted from what the data is to who or what is acting on it.

That shift is why identity has become the control plane for modern security. In NHI terms, the question is no longer only whether a secret is protected, but whether the workload, service account, or agent using it is governed across its full lifecycle and delegation chain.


Key questions

Q: How should security teams govern identity as a control plane?

A: Security teams should treat identity as the layer that decides who can act, how far authority travels, and what context makes an action legitimate. That means combining IAM, PAM, and NHI lifecycle controls with continuous evaluation, machine-readable policy, and delegation tracking. If identity is only provisioned and not governed, the rest of the stack is protecting decisions that were never validated.

Q: Why do non-human identities change the way Zero Trust works?

A: Non-human identities change Zero Trust because workloads, service accounts, and agents do not behave like fixed human users. Their access can be ephemeral, delegated, or machine-speed, so trust has to be evaluated continuously rather than assumed after login. In practice, Zero Trust becomes a governance model for runtime authority, not just a network segmentation strategy.

Q: What breaks when identity is treated as an administrative task instead of a control plane?

A: When identity is treated as administration, organisations lose sight of how authority is created, inherited, and extended across systems. That leads to stale permissions, invisible delegation, and weak accountability when incidents happen. The programme may still issue accounts correctly, but it will not govern actor behaviour well enough to limit blast radius.

Q: How do you know if your identity governance model is keeping up with AI agents?

A: You know it is keeping up when it can explain each agent’s authority, delegation path, and review state in real time. If access is only checked at provisioning or quarterly review, the model is already behind. Strong governance for AI agents must account for runtime decisions, sub-agent creation, and fast revocation before the session closes.


Technical breakdown

Why the CIA triad becomes incomplete in identity-driven environments

The CIA triad is a data-plane model. Confidentiality, integrity, and availability describe what must hold for information once access decisions have already been made. In modern environments, that is only half the problem. Virtualisation, containers, and serverless all move enforcement upward, so the decisive question becomes who is requesting access, what authority they carry, and how that authority changes over time. That is why identity, not storage, is now the primary control surface. The model fails when actor identity is the attack path, because data protections do not decide legitimacy on their own.

Practical implication: treat identity governance as the control layer above data protections, not as a sub-feature of them.

Identity control plane, trust, and governance

Identity control plane describes the layer that determines who or what can act, how much confidence the system has in that actor, and what rules constrain the action. Trust is dynamic and contextual, which is why static authentication checks are not enough once actors can operate continuously or delegate to other actors. Governance adds accountability, policy, and auditability, turning identity decisions into managed controls rather than one-time approvals. In practice, this is the shift from perimeter thinking to continuous authorisation, machine-readable policy, and traceable delegation chains.

Practical implication: align IAM, PAM, and NHI policy enforcement around continuous evaluation rather than point-in-time access grants.

Second-floor security for AI agents and non-human identities

AI agents raise the stakes because they can select tools, call APIs, and spawn sub-agents faster than human review cycles can follow. That makes their identity behaviour structurally different from a service account or a human user. NHI governance has to account for delegated authority, ephemeral access, and the possibility that one actor can create another actor. The key lesson is not that all automation is autonomous, but that runtime decision-making changes what least privilege and oversight mean. The security model now has to govern execution, not just authentication.

Practical implication: classify agentic systems separately from static workloads and require lifecycle, delegation, and oversight controls before production use.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity is no longer a supporting control; it is the control plane. The article is right to frame the CIA triad as incomplete once infrastructure becomes abstract and actors become the primary attack surface. Confidentiality, integrity, and availability protect information, but they do not answer who is acting, under what authority, or whether that authority is still valid. Practitioners should treat identity governance as the layer that decides whether CIA protections apply at all.

Standing access assumptions break down as soon as delegation becomes dynamic. Traditional IAM programmes assume access can be granted, reviewed, and revoked on a human-paced cycle. That assumption fails when service accounts, workloads, or AI agents can inherit authority, change scope, or create downstream actors in real time. The implication is not simply more tooling. It is that governance models built around stable actors stop describing the system accurately.

Zero Trust has effectively become an identity and trust architecture, not just a network model. The article’s control-plane framing aligns with the way modern security programmes are converging on continuous verification, policy enforcement, and explicit trust evaluation. That matters for NHI governance because service accounts and agents operate without human friction, so their permissions must be judged by context and lifecycle, not by origin story. Practitioners should read Zero Trust as a governance discipline, not a slogan.

Second-floor security exposes the failure mode of treating identity as an administrative layer. When identity is handled as a provisioning task, organisations miss the fact that identity now determines reach, delegation, and blast radius across every cloud and automation domain. The named concept here is identity control plane: the governing layer above CIA that decides what actors can do. Security leaders should adopt that frame before they inherit more abstraction than their governance model can handle.

For autonomous systems, the broken assumption is stable intent. Least privilege was designed for actors whose purpose and scope are knowable at provisioning time. That assumption fails when an autonomous actor can choose tools, alter execution paths, and spawn follow-on actions mid-session. The implication is that many identity controls are built around a stable actor model that no longer holds once runtime behaviour becomes independent.

From our research:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Only 20% of organisations have formal processes for offboarding and revoking API keys, which helps explain why identity governance failures persist.
  • For the lifecycle angle, see the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, for the operational controls that close the gap.

What this signals

The governance shift is structural, not cosmetic. When actors can be workloads, tokens, or agents, the programme that only tracks human access reviews will miss the systems doing the actual work. With only 5.7% of organisations reporting full visibility into their service accounts, the visibility problem alone is enough to undermine control-plane claims.

Identity control plane: this is the operating model practitioners will need to use for the next wave of cloud and AI governance. It means deciding which actors exist, what they can do, and how quickly that authority can be changed or revoked. Identity and trust now need the same operational rigour that data once carried by default.


For practitioners

  • Rebuild identity governance as a control plane: Map IAM, PAM, and NHI controls to the decisions they actually make, then identify where those decisions are still hidden inside infrastructure or application teams. Use the Ultimate Guide to NHIs to anchor lifecycle, visibility, and offboarding requirements across all non-human actors.
  • Trace delegation chains end to end: Document how authority moves from human sponsor to service account, token, workload, or agent, then look for inherited permissions that outlive the original approval. Where the chain cannot be explained, the governance model is already incomplete.
  • Classify autonomous behaviour separately from automation: Do not treat every tool-using system as an agent. Require explicit evidence of runtime decision-making, independent tool choice, and approval-free execution before moving a system into an autonomous governance model.
  • Shift reviews from access lists to authority states: Review whether current access reviews examine only entitlements or also assess trust context, delegation, and operational purpose. For NHI estates, pair this with the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, so review cadence matches actor lifecycle.
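As an added illustration of tracing a delegation chain end to end and reviewing authority states rather than access lists (example code written for this page, not ConductorOne's or NHIMG's tooling; actor names, scopes and timestamps are constructed), the following models a chain from human sponsor to sub-agent, enforces that delegated scope can only narrow, and reports actors whose recorded permissions outlive the approval they inherited:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 5, 13, 12, 0, tzinfo=timezone.utc)  # constructed reference time

@dataclass
class Actor:
    """One link in a delegation chain: human sponsor, service account, token, workload or agent."""
    name: str
    kind: str
    scopes: frozenset
    expires_at: "datetime | None" = None
    parent: "Actor | None" = None
    revoked: bool = False

def delegate(parent, name, kind, scopes, now, ttl=None):
    """Create a child actor; authority may only narrow along the chain, never widen."""
    scopes = frozenset(scopes)
    if not scopes <= parent.scopes:
        raise ValueError(f"{name} asks for scopes outside {parent.name}'s authority")
    return Actor(name, kind, scopes, None if ttl is None else now + ttl, parent)

def delegation_chain(actor):
    """Root sponsor first, the given actor last."""
    return [] if actor is None else delegation_chain(actor.parent) + [actor]

def authority_state(actor, now):
    """Effective scopes now: the intersection along the chain; a revoked or expired link zeroes everything below it."""
    effective = None
    for link in delegation_chain(actor):
        if link.revoked:
            return frozenset(), f"revoked at {link.name}"
        if link.expires_at is not None and link.expires_at <= now:
            return frozenset(), f"expired at {link.name}"
        effective = link.scopes if effective is None else effective & link.scopes
    return effective, "valid"

def audit_orphans(actors, now):
    """Actors whose own record still lists scopes that the chain no longer grants."""
    states = [(a, authority_state(a, now)) for a in actors]
    return [(a.name, reason) for a, (eff, reason) in states if a.scopes and not eff]

def build_sample(now=NOW):
    """Constructed chain (assumed names): sponsor -> service account -> 1h token -> agent -> sub-agent."""
    alice = Actor("alice", "human", frozenset({"read:db", "write:db", "invoke:tools"}))
    svc = delegate(alice, "svc-reports", "service_account", {"read:db", "invoke:tools"}, now)
    tok = delegate(svc, "tok-1", "token", {"read:db", "invoke:tools"}, now, ttl=timedelta(hours=1))
    agent = delegate(tok, "agent-1", "agent", {"read:db"}, now)
    sub = delegate(agent, "sub-agent-1", "agent", {"read:db"}, now)
    return [alice, svc, tok, agent, sub]
```

Once the one-hour token expires, the agent and sub-agent below it still carry `read:db` in their own records, which is exactly the inherited permission that outlives its approval; revoking the service account collapses the whole chain beneath it in the same way.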

Key takeaways

  • The post argues that CIA protects data, but identity governance determines whether access should exist in the first place.
  • The evidence points to a control-plane shift, with identity and delegation now driving most modern security outcomes.
  • Practitioners need to govern actors, trust, and accountability together or the rest of the security model will remain incomplete.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | GV.OC-01 | The article reframes security around governance and operating context.
NIST Zero Trust (SP 800-207) | ID | Identity is the article's control plane and the basis for trust decisions.
OWASP Non-Human Identity Top 10 | NHI-01 | The post focuses on non-human actors, their lifecycle, and delegated access.

Map identity governance to GV.OC-01 so control decisions reflect actual actors and authority.


Key terms

  • Identity Control Plane: The identity control plane is the layer that decides who or what can act, how much trust to place in that actor, and which policies govern the action. It sits above data protections and determines whether access is legitimate, traceable, and revocable across human, NHI, and autonomous contexts.
  • Delegation Chain: A delegation chain is the sequence of authority transfers from one actor to another, such as a human sponsor, service account, token, workload, or agent. In modern environments, security failures often happen when the chain is invisible, unbounded, or not tied to a clear revocation path.
  • Second Floor Security: Second floor security is a framing for the controls that govern actors rather than data. It captures identity, trust, and governance as the decision layer above confidentiality, integrity, and availability, especially where abstraction has moved execution away from infrastructure owners.
  • Authority State: Authority state is the current condition of an actor's permissions, trust context, and operational scope. Unlike a static account record, it changes with time, purpose, delegation, and revocation events, which is why continuous governance is needed for service accounts and agents.

Deepen your knowledge

Identity control plane design is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are rebuilding governance for service accounts, workloads, or agents, it is worth exploring.

This post draws on content published by ConductorOne: Security Needs a Second Floor. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org