TL;DR: RSA 2024 showed that AI hype, GRC growth, and identity sprawl are converging, while fragmented IAM stacks still prevent risk signals from moving across tools, according to Axiad. The practical lesson is that fabric-style integration, not platform accumulation, is becoming the governance model teams must evaluate.
At a glance
What this is: This is a conference analysis arguing that identity, GRC, and platform fragmentation are converging into a governance problem with identity at the center.
Why it matters: It matters because IAM teams now have to coordinate NHI, human identity, and emerging AI-linked controls across multiple platforms instead of assuming a single stack can absorb the whole problem.
👉 Read Axiad's RSA 2024 analysis of identity, GRC, and platform fragmentation
Context
Identity governance is becoming harder to manage because security teams are no longer dealing with one control plane, one identity stack, or one risk owner. RSA 2024 exposed that the industry is still trying to make fragmented identity tools behave like a coherent programme, even as identity becomes a first-order security concern.
The article also points to a broader shift in how cybersecurity programmes are organised. GRC and security are moving closer together, identity tooling is multiplying, and practitioners are being pushed toward integration models that preserve best-of-breed capabilities instead of forcing a single platform to do everything.
Key questions
Q: How should IAM teams respond when identity tools do not share risk context?
A: They should map where identity risk context is lost, then prioritise integration points that let one control’s findings affect another control’s decisions. In practice, that means linking authentication, threat detection, lifecycle, and governance data so a detected issue does not remain isolated inside one platform.
Q: Why do identity platforms create governance problems when they are not integrated?
A: Because each platform may see a different slice of identity risk, but none can reliably update the others. That leaves teams with duplicated controls, inconsistent decisions, and blind spots in the handoff between detection, enforcement, and compliance.
Q: When should organisations prefer a fabric model over a single identity platform?
A: They should prefer a fabric model when they need specialised tools to remain effective but still want shared policy and telemetry across them. A fabric is the better fit when control quality depends on interoperability rather than on replacing every component with one suite.
Q: How do identity governance and GRC need to work together now?
A: They need to share the same evidence for identity controls, because identity failures now create both security and compliance exposure. The practical test is whether a control issue can move from operational detection into audit reporting without manual reconstruction.
Technical breakdown
Identity fabric versus platform sprawl
An identity fabric is an integration layer that connects multiple identity and security systems so risk signals, access context, and policy decisions can move across them. The core problem is not lack of tools, but lack of interoperability between identity providers, identity threat detection, proofing, and access governance systems. When those systems do not exchange state, one control may detect risk while another continues to grant access as if nothing changed. That breaks the value of identity telemetry at the programme level and leaves teams with partial visibility rather than usable governance.
Practical implication: map where identity risk signals stop today, then prioritise integration points that let access and threat context propagate across platforms.
GRC and cybersecurity are collapsing into one operating problem
GRC has traditionally handled policy, controls, and compliance while security operations handled threats and response, but identity now sits in both worlds. Rising regulatory pressure means identity posture is no longer just an access issue; it is a compliance and financial exposure issue as well. This creates a need for governance structures that can treat identity findings as both security events and control deficiencies. The technical challenge is less about adding more policy and more about connecting evidence, control ownership, and enforcement across teams that used to operate separately.
Practical implication: define which identity controls are evidence-bearing for compliance and ensure they are visible to both GRC and security operations.
Why best-of-breed identity controls still matter
Best-of-breed identity tools often outperform all-in-one platforms because they are built for specific control problems such as authentication, threat detection, or lifecycle governance. The trade-off is that separate tools scatter identity data across systems if they do not share context. A fabric model tries to preserve specialisation while adding orchestration above it. That is different from platform consolidation, where capabilities are absorbed into one vendor stack and may lose depth. The key design issue is whether the architecture preserves control quality while still allowing governance decisions to travel across systems.
Practical implication: evaluate identity architecture by control depth plus interoperability, not by how many capabilities a single vendor claims to bundle.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- JetBrains GitHub plugin token exposure — CVE-2024-37051 in JetBrains IntelliJ GitHub plugin exposed GitHub access tokens.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity sprawl is now the central operating problem in enterprise security. RSA 2024 showed that identity is no longer a niche control layer, it is the place where authentication, threat detection, governance, and compliance all collide. The article’s point is not that more products are needed, but that fragmented identity estates already create governance blind spots. Practitioners should treat identity sprawl as an operating risk, not a tooling inconvenience.
GRC and cybersecurity are converging because identity has become a board-level risk surface. The article notes that rising regulation is pulling governance and security closer together, and that shift is not optional. When identity failures create financial and compliance exposure, the old separation between control ownership and threat ownership stops working. Practitioners should rework reporting lines and evidence flows so identity controls can satisfy both operational response and assurance requirements.
Platform consolidation is not the same as identity consolidation. The article makes clear that one-stop-shop security stacks often increase complexity when they fail to share state across identity functions. A platform can bundle features without solving the underlying integration problem, which means risk decisions still do not travel cleanly across tools. Practitioners should distinguish capability bundling from governance continuity.
Fabric is the right named concept for this moment because it describes coordinated control, not vendor consolidation. A fabric model preserves specialised identity tools while connecting them into a decision layer that can move risk and access context across the estate. That matters because identity programmes now need interoperability more than replacement. Practitioners should judge architecture by how well it preserves control quality while linking policy and telemetry.
The next identity maturity leap will come from control coherence, not feature accumulation. The article signals that the market is moving toward integration patterns that let identity, data, and GRC operate as one governance surface. That will favour programmes that can connect evidence, enforcement, and lifecycle decisions without forcing every function into a single stack. Practitioners should prepare for identity architecture to be assessed on orchestration maturity.
From our research:
- 52 NHI breach cases are analysed in the 52 NHI Breaches Analysis, showing how identity failures tend to repeat across environments.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- The broader lesson is documented in the Ultimate Guide to NHIs, Key Challenges and Risks, which frames the visibility and over-privilege problem that identity fabrics are trying to contain.
What this signals
Identity programmes should expect consolidation pressure, but not assume consolidation will solve control fragmentation. The architecture question is whether access, threat, and governance evidence can actually move between systems. With 6 distinct secrets manager instances on average in organisations, fragmentation is already a structural condition rather than an edge case.
Fabric thinking will matter more than suite thinking for the next phase of identity governance. The operational win comes from preserving specialised controls while connecting their state, not from replacing every function with a single platform. Teams that prepare now will be better positioned to link identity telemetry into both security operations and GRC workflows.
For practitioners
- Map identity signal handoffs across your stack: Document where risk signals from authentication, threat detection, proofing, and lifecycle systems stop propagating. The goal is to identify control dead zones where one platform detects risk but another still authorises access.
- Separate capability depth from integration depth: Review each identity platform for the specific control problem it solves well, then assess whether the stack shares context through common policy or telemetry. Avoid judging tools only by feature count or suite breadth.
- Align identity evidence with GRC reporting: Identify which identity controls generate audit evidence, which teams own that evidence, and how it is consumed during compliance reviews. If security and GRC cannot reference the same control record, governance will stay fragmented.
- Evaluate fabric patterns before platform replacement: Before replacing a specialised identity tool, test whether a fabric layer can connect it to surrounding systems without losing its control depth. This is especially important where lifecycle, authentication, and threat data need to stay distinct but correlated.
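The signal-handoff mapping and the evidence alignment above can be started with telemetry you already have. The following is an added example, not code from Axiad or the NHI Mgmt Group: it takes constructed log lines from three hypothetical tools (an ITDR product, an IdP authorisation log and a lifecycle system), normalises their different schemas onto one identity key, flags grants that a neighbouring control had already contradicted, and renders each finding as a control-deficiency record GRC can file without rebuilding the timeline by hand. All identities, applications, timestamps, field names and the control reference are invented for the example.

```python
"""Find identity control dead zones across fragmented IAM tools.

Added example, not code from Axiad or NHIMG. Assumes three constructed
telemetry feeds (ITDR, IdP authorisation log, lifecycle system), each with
its own field names; identities, apps and timestamps are invented.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Signal:
    source: str    # tool that emitted the record
    ts: datetime
    identity: str  # normalised principal, the join key across tools
    kind: str      # "risk", "grant" or "deprovision"
    detail: str    # rule name, application or lifecycle action


@dataclass(frozen=True)
class Finding:
    identity: str
    kind: str           # "risk_ignored" or "grant_after_deprovision"
    upstream: Signal    # the control that knew
    downstream: Signal  # the control that granted anyway


# Constructed sample feeds. Each tool has its own schema, which is the
# interoperability gap a fabric layer has to bridge.
ITDR_LINES = """
{"alert_time": "2024-05-07T09:15:00Z", "principal": "svc-build@corp.example", "severity": "high", "rule": "token_replay_from_new_asn"}
{"alert_time": "2024-05-07T10:02:00Z", "principal": "j.doe@corp.example", "severity": "medium", "rule": "impossible_travel"}
""".strip().splitlines()

IDP_LINES = """
{"time": "2024-05-07T09:40:00Z", "user": "SVC-BUILD@corp.example", "app": "artifact-registry", "result": "ALLOW"}
{"time": "2024-05-07T09:05:00Z", "user": "j.doe@corp.example", "app": "hr-portal", "result": "ALLOW"}
{"time": "2024-05-07T10:30:00Z", "user": "j.doe@corp.example", "app": "finance-ledger", "result": "ALLOW"}
{"time": "2024-05-07T11:00:00Z", "user": "old.contractor@corp.example", "app": "wiki", "result": "ALLOW"}
""".strip().splitlines()

LIFECYCLE_LINES = """
{"when": "2024-05-06T17:00:00Z", "subject": "old.contractor@corp.example", "action": "deprovisioned"}
""".strip().splitlines()


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalise(itdr, idp, lifecycle):
    """Map each tool's schema onto one Signal shape, case-folding the identity key."""
    out = []
    for line in itdr:
        r = json.loads(line)
        out.append(Signal("itdr", _ts(r["alert_time"]), r["principal"].lower(),
                          "risk", f'{r["severity"]}:{r["rule"]}'))
    for line in idp:
        r = json.loads(line)
        if r["result"] == "ALLOW":
            out.append(Signal("idp", _ts(r["time"]), r["user"].lower(), "grant", r["app"]))
    for line in lifecycle:
        r = json.loads(line)
        if r["action"] == "deprovisioned":
            out.append(Signal("lifecycle", _ts(r["when"]), r["subject"].lower(),
                              "deprovision", r["action"]))
    return sorted(out, key=lambda s: s.ts)


def find_dead_zones(signals, window=timedelta(hours=2)):
    """Return grants issued after another control already held a contrary decision.

    A risk signal is 'ignored' if the IdP allowed access within `window` after it;
    any grant after deprovisioning is flagged regardless of elapsed time.
    """
    findings = []
    open_risks = {}     # identity -> risk signals seen so far
    deprovisioned = {}  # identity -> deprovision signal
    for ev in signals:  # time-ordered, so only earlier signals are visible
        if ev.kind == "risk":
            open_risks.setdefault(ev.identity, []).append(ev)
        elif ev.kind == "deprovision":
            deprovisioned[ev.identity] = ev
        elif ev.kind == "grant":
            for risk in open_risks.get(ev.identity, []):
                if ev.ts - risk.ts <= window:
                    findings.append(Finding(ev.identity, "risk_ignored", risk, ev))
            if ev.identity in deprovisioned:
                findings.append(Finding(ev.identity, "grant_after_deprovision",
                                        deprovisioned[ev.identity], ev))
    return findings


def to_evidence(finding, control_ref="IAM-CTRL-01"):
    """Render a finding as a control-deficiency record GRC can consume directly.

    `control_ref` is a placeholder internal control identifier, not a framework ID.
    """
    return {
        "control": control_ref,
        "identity": finding.identity,
        "deficiency": finding.kind,
        "detected_by": finding.upstream.source,
        "detected_at": finding.upstream.ts.isoformat(),
        "granted_by": finding.downstream.source,
        "granted_at": finding.downstream.ts.isoformat(),
        "resource": finding.downstream.detail,
        "context": finding.upstream.detail,
    }


def analyse():
    return find_dead_zones(normalise(ITDR_LINES, IDP_LINES, LIFECYCLE_LINES))


if __name__ == "__main__":
    for finding in analyse():
        print(json.dumps(to_evidence(finding)))
```

On the constructed data this yields three findings: a service account granted registry access 25 minutes after an ITDR high-severity alert, a user granted ledger access after an impossible-travel alert (the earlier HR-portal grant is not flagged because it predates the alert), and a deprovisioned contractor still being allowed into the wiki. The `window` parameter encodes how long a detection may remain unacted on before the downstream grant counts as a dead zone; tune it to your ITDR-to-IdP integration latency rather than leaving it open-ended.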
Key takeaways
- RSA 2024 made identity fragmentation look like a governance failure, not just a tooling inconvenience.
- The strongest signal in the article is that control quality depends on interoperability, not on how many identity features sit inside one platform.
- IAM teams should plan for fabric-style integration so identity risk, compliance evidence, and enforcement can move together.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-207 (Zero Trust Architecture) and NIST SP 800-53 Rev. 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | Identity now affects organisational risk and governance outcomes. |
| NIST CSF 2.0 | PR.AA-05 | Fragmented identity platforms weaken the coordinated definition, enforcement and review of access permissions and entitlements across systems. |
| NIST SP 800-207 (Zero Trust Architecture) | Section 2.1 tenets; policy engine / policy enforcement point model | Zero trust depends on a consistent policy decision path across identity systems rather than per-tool decisions. |
| NIST SP 800-53 Rev. 5 | AC-1 | Access control policy and procedures must cover every identity platform, not only the primary IdP. |
Use shared policy and context exchange to keep identity decisions coherent across tools.
Key terms
- Identity Fabric: An identity fabric is an integration layer that connects separate identity controls so policy, telemetry, and risk context can move across them. It does not replace specialised tools. Instead, it preserves control depth while reducing the blind spots created when platforms operate in isolation.
- Identity Sprawl: Identity sprawl is the accumulation of overlapping identity tools, control points, and decision sources that no longer share a single view of risk. It creates inconsistent enforcement, duplicated work, and governance gaps because each system sees only part of the identity state.
- Governance Convergence: Governance convergence is the operational merging of security and compliance decision-making around the same control evidence. In identity programmes, it means the records used to prove control effectiveness must also help drive enforcement and response.
Deepen your knowledge
Identity fabric, identity sprawl, and governance convergence are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are trying to connect fragmented identity controls across security and GRC, it is worth exploring.
This post draws on content published by Axiad: Three Key Takeaways from the 2024 RSA Conference. Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org