By NHI Mgmt Group Editorial Team
Published 2026-03-24
Domain: Best Practices
Source: JumpCloud

TL;DR: Legacy on-premises identity and device tools create visibility gaps, VPN friction, and siloed controls that slow hybrid work and complicate AI adoption, according to JumpCloud. A cloud-native, unified access model shifts the conversation from tool sprawl to identity governance and Zero Trust execution.


At a glance

What this is: This is a JumpCloud analysis of why legacy identity architecture becomes a barrier in AI-first workplaces, with the key finding that siloed, on-premises systems create friction, visibility gaps, and security risk.

Why it matters: It matters because IAM teams must govern humans, devices, and AI-enabled workflows through one control plane if they want to reduce sprawl without weakening access assurance.



Context

AI-first operating models expose the limits of identity stacks that were built around fixed locations, fixed devices, and fixed trust zones. When access still depends on VPNs, siloed directories, and separate admin planes, the result is not just user friction. It is a governance gap that makes it harder to see who or what is accessing resources, especially as more work shifts into SaaS and AI-assisted workflows.

In practical terms, the problem is not AI itself. The problem is trying to layer modern collaboration, automation, and identity controls onto legacy infrastructure that assumes the workforce will always sit behind the same network boundary. That assumption no longer holds for hybrid employees, cloud services, or AI-assisted operations, which is why identity and device governance now have to move together.


Key questions

Q: How should security teams modernise identity governance for hybrid work and AI adoption?

A: They should start by removing access paths that depend on fixed office networks or separate admin planes. The goal is one identity layer that can evaluate user, device, and policy together in real time. That approach reduces friction, improves visibility, and gives AI-enabled workflows a control framework that can scale.

Q: Why do legacy identity stacks create more risk in AI-first environments?

A: Legacy stacks fragment authentication, device management, and authorization, so teams cannot see the full context of an access decision. AI-first environments magnify that weakness because more systems, more logs, and more automation all depend on the same underlying trust model. Fragmentation becomes a governance failure, not just an IT inconvenience.

Q: What do teams get wrong when they lift and shift identity systems to the cloud?

A: They often preserve the same workflows, trust boundaries, and administrative silos in a new hosting model. That means the organisation inherits the old complexity without eliminating the access friction or visibility gaps. A true modernization effort changes the operating model, not just the deployment location.

Q: What is the difference between cloud migration and identity modernization?

A: Cloud migration moves infrastructure. Identity modernization changes how access, device posture, and collaboration are governed. If the old control assumptions remain in place, the organisation only relocates the problem. Modernization is successful when the control model becomes simpler, more observable, and easier to enforce across hybrid work.


Technical breakdown

Why legacy identity boundaries break in hybrid work

Legacy identity architecture assumes the user, device, and application all live inside a predictable perimeter. In hybrid environments, that assumption breaks because access decisions must follow the user across home networks, SaaS applications, and unmanaged endpoints. VPNs and central office dependencies add latency and blind spots, but the deeper issue is that old control planes fragment authentication, authorization, and device posture into separate systems. That makes it harder to answer a basic governance question: is this access request actually safe right now?

Practical implication: remove location-bound access paths and unify identity and device policy so access decisions are made from current context, not network geography.

Cloud-native directory and device management as a control layer

A cloud-native foundation treats identity, device management, and collaboration as one operating layer instead of disconnected admin silos. That does not mean fewer controls. It means fewer contradictory control planes. When directory state, device posture, and access policy are managed together, teams can enforce Zero Trust more consistently and reduce the risk that one system says a user is trusted while another says the device is not. This is especially relevant when AI tools are layered into daily work, because those tools often amplify the consequences of inconsistent access governance.

Practical implication: consolidate identity and device administration where possible so trust decisions and enforcement actions are synchronized across the full environment.

AI access governance depends on the identity layer

AI tools are now operating inside core business workflows, not outside them. That means the identity layer determines whether AI stays bounded or becomes another channel for uncontrolled access. If access controls are scattered across legacy servers, the organization cannot reliably authenticate users, govern devices, and authorize AI-enabled tasks from the same source of truth. In other words, AI adoption is now an IAM design problem as much as it is a productivity problem.

Practical implication: treat AI rollout as an identity program with explicit authentication, authorization, and device assurance requirements before scaling usage.
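The unified decision the breakdown above describes, as an added example that is not JumpCloud's or NHIMG's code: a single policy decision point that checks identity assurance, device posture and the requested action together (the SP 800-207 pattern) rather than network location, and that bounds an AI agent's access by the human it acts for, which is the gap the 70% figure later on this page points at. The principal and device fields, the role map, the AAL2 threshold and the "approve_payment stays human" rule are constructed assumptions for illustration.

```python
# Added example, not JumpCloud's or NHIMG's code. Names, roles, posture
# attributes and the AAL2 / approve_payment rules are constructed assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    kind: str            # "human" or "ai_agent"
    aal: int             # NIST SP 800-63 authenticator assurance level
    roles: frozenset
    acts_for: str = ""   # for an agent: the accountable human whose roles bound it

@dataclass(frozen=True)
class Device:
    managed: bool
    disk_encrypted: bool
    patched: bool

# One role-to-action map shared by humans and agents: the single source of truth.
ROLE_ACTIONS = {"finance": {"read_invoices", "approve_payment"},
                "support": {"read_tickets"}}

def actions_for(roles) -> set:
    return set().union(*(ROLE_ACTIONS.get(r, set()) for r in roles))

def perimeter_decision(on_corp_network: bool) -> bool:
    """Perimeter-era rule, shown for contrast: location stands in for trust."""
    return on_corp_network

def zero_trust_decision(p: Principal, d: Device, action: str, directory: dict):
    """Deny by default: every signal is re-checked on each request and the
    failing check is named, so the decision is observable as well as enforced."""
    if p.aal < 2:
        return False, "identity assurance below AAL2"
    if not (d.managed and d.disk_encrypted and d.patched):
        return False, "device posture not compliant"
    allowed = actions_for(p.roles)
    if p.kind == "ai_agent":
        owner = directory.get(p.acts_for)
        if owner is None:
            return False, "agent has no accountable human owner"
        if not allowed <= actions_for(owner.roles):   # agent may not exceed its owner
            return False, "agent roles exceed owner's roles"
        if action == "approve_payment":               # high-impact step stays human
            return False, "high-impact action requires a human"
    if action not in allowed:
        return False, f"role does not permit {action}"
    return True, "allowed"
```

The returned reason string is what a unified control plane makes possible: one answer to "is this access safe right now?" instead of three tools each reporting their own partial view.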


  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • Snowflake breach — compromised Ticketmaster, Santander and others via cloud credential abuse.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Legacy identity sprawl is now a governance problem, not just an infrastructure problem. The article shows that forced boundaries, VPN dependence, and siloed directories do more than create friction. They weaken the organization’s ability to answer basic access questions across human users, devices, and AI-assisted workflows. That is a structural issue for IAM and Zero Trust programmes, not merely an IT inconvenience. Practitioners should treat fragmented identity control as an operating risk.

Cloud-native identity control is becoming the minimum viable foundation for AI adoption. The central lesson is that AI cannot be governed cleanly when access and device state are managed in separate planes. A unified control model aligns authentication, device posture, and authorization so policy can follow the user and the workload instead of the old network perimeter. The implication is that identity modernization is now prerequisite work for AI rollout.

Identity and device management convergence is the named concept this shift exposes. Modern workplaces no longer separate collaboration, endpoint governance, and access assurance into clean lines, so the control model must converge as well. That convergence matters because AI-enabled workflows increase the blast radius of any inconsistent access decision. Practitioners should evaluate whether their current stack still forces them to manage one user, one device, and one application at a time.

Zero Trust fails when it is layered onto perimeter-era assumptions. The article’s deeper point is that Zero Trust cannot be implemented cleanly if users still need legacy network paths to reach essential apps. Trust must be evaluated continuously, but continuous evaluation is undermined when identity and device signals remain siloed. The implication for the field is that access governance and infrastructure modernization are now inseparable.

AI readiness is increasingly a test of whether the identity stack can support operational simplification. The article connects cost, usability, and security instead of treating them as separate outcomes. That matters because tool sprawl often survives on the false premise that more systems equal more control. Practitioners should read modernization as a control rationalization exercise, not a procurement swap.

From our research:

What this signals

Identity convergence is becoming a board-level operating issue, not an admin convenience. As AI systems absorb more daily work, the organisation needs fewer isolated control points and more coherent access governance. With 70% of organisations already granting AI systems more access than they would give a human employee performing the exact same job, the current gap is not theoretical. It is already embedded in how many environments are run, and that is why the identity stack now shapes AI risk as much as model selection does.

Legacy infrastructure creates an identity blast radius that modern AI tools can expose quickly. The more systems depend on VPNs, siloed directories, and manual exception handling, the harder it becomes to prove that access is current, bounded, and safe. Practitioners should prepare for modernization projects to be judged on control clarity, not just user experience or licence consolidation.

The next phase of IAM programmes will be measured by how well they integrate identity, device, and workflow governance across hybrid work. Teams that keep these functions separate will struggle to support AI adoption without adding manual review overhead and inconsistent access decisions.


For practitioners

  • Map every access path that still depends on perimeter assumptions: Inventory where users still need VPNs, internal servers, or location-specific routing to reach core applications. Replace those paths with identity-driven access flows that validate user, device, and policy in real time.
  • Unify identity and device policy enforcement: Bring directory state, endpoint posture, and authorization into one operational view so administrators can see whether access is safe without switching between disconnected tools.
  • Treat AI rollout as an access governance programme: Require explicit authentication, device assurance, and authorization rules for any AI tool that touches business systems, then review those controls as part of the rollout plan rather than after deployment.
  • Reduce tool sprawl before expanding AI usage: Consolidate overlapping identity and collaboration controls where possible so teams are not compensating for legacy fragmentation with manual oversight and duplicate admin work.

Key takeaways

  • Legacy identity stacks create a governance gap because they still depend on fixed network assumptions that hybrid work and AI no longer obey.
  • The evidence points to structural exposure: many organisations already grant AI broader access than humans, while still relying on static credentials and fragmented controls.
  • Practitioners should modernise the control plane first, then expand AI adoption on top of unified identity and device governance.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST Zero Trust (SP 800-207), NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST Zero Trust (SP 800-207) | | The article centers on replacing perimeter-based trust with continuous verification.
NIST CSF 2.0 | PR.AC-1 | Identity governance depends on managing identities and access across users and devices.
NIST SP 800-63 | AAL2 | The post's access assurance theme aligns with stronger digital identity assurance for users.

Map access paths to zero trust principles and remove dependency on network location for authorization.


Key terms

  • Cloud-native identity stack: A cloud-native identity stack manages authentication, authorization, directory state, and device policy from services designed for distributed environments. It reduces dependence on local servers and fixed network boundaries, which makes access governance easier to enforce across hybrid work and AI-enabled workflows.
  • Identity convergence: Identity convergence is the practical merging of identity, device, and access controls into one operational model. It matters because fragmented admin planes create inconsistent trust decisions, especially when users, endpoints, and AI tools all participate in the same business process.
  • Perimeter-era trust model: A perimeter-era trust model assumes security can be anchored to network location, office presence, or VPN entry. That model breaks down in hybrid environments because access must be governed by current identity, device posture, and context rather than by where the request originates.

Deepen your knowledge

Modernising identity and device governance for AI-first workplaces is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are aligning hybrid work controls with modern access governance, it is worth exploring.

This post draws on content published by JumpCloud: Moving Beyond Microsoft for a Modern Workplace. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org