By NHI Mgmt Group Editorial Team | Published 2025-07-22 | Domain: Breaches & Incidents | Source: RSA Security

TL;DR: RSA’s appointment of a new regional director for EMEA Central comes as the vendor points to demand for resilient identity controls, passwordless access, AI-powered threat defence, and identity security posture management, with DORA cited as a regional driver. The hiring signal matters less as a personnel note than as evidence that identity security buying conversations are increasingly tied to regulatory pressure and access resilience.


At a glance

What this is: RSA has appointed Sabine Davies as Regional Director for EMEA Central and tied the move to demand for resilient identity security across the region.

Why it matters: For IAM, NHI, and human identity programmes, the appointment is a signal that regional go-to-market strategies are increasingly shaped by compliance pressure, passwordless adoption, and posture management expectations.



Context

RSA’s EMEA Central leadership appointment is a commercial signal, but the identity security issue underneath it is broader: regional buyers are being asked to prove resilience, passwordless readiness, and governance discipline at the same time. In that sense, the primary keyword here is identity security, not staffing.

The mention of DORA matters because it shows how identity programmes are increasingly evaluated through operational resilience, not just authentication quality. For teams running IAM, NHI, and lifecycle governance together, the practical question is whether the programme can support auditability, access control, and continuous assurance across cloud, hybrid, and on-premises estates.


Key questions

Q: Should identity teams treat passwordless as a governance project or an authentication project?

A: Identity teams should treat passwordless as both, but govern it as a broader assurance change. Removing passwords changes the primary login factor, yet the programme still depends on recovery, device trust, identity proofing, and exception handling. If those controls are weak, passwordless can reduce friction without improving identity assurance.

Q: How should IAM teams respond when regulatory pressure starts shaping identity strategy?

A: They should align identity controls to the evidence regulators and auditors will ask for, not just the features a vendor advertises. That means linking authentication, access reviews, posture findings, and remediation ownership to measurable outcomes such as recoverability, traceability, and policy enforcement.

Q: What does identity security posture management actually change for practitioners?

A: It shifts identity governance from periodic review to continuous visibility. Instead of waiting for access recertification cycles to surface problems, teams can detect stale privileges, weak recovery paths, and policy drift earlier and connect those findings to operational remediation.

Q: How do security teams know whether identity controls are ready for regulated growth?

A: They know the controls are ready when they can prove who has access, how exceptions are handled, how quickly risky access is removed, and whether the evidence is complete enough for audit and incident response. If any of those are unclear, the programme is not ready for expansion.


Technical breakdown

Passwordless access and identity assurance across user populations

Passwordless access removes the password as the primary authenticator, but it does not remove the need for identity proofing, policy, device trust, and recovery controls. In mixed environments, the hard part is not the login method itself, but the assurance model behind it. Enterprises still need to know who or what is authenticating, under which conditions, and how exceptions are handled when access needs to be re-established. That makes passwordless a governance programme as much as an authentication upgrade.

Practical implication: treat passwordless as an identity assurance redesign, not a user-experience project.

Identity security posture management in regulated environments

Identity security posture management, or ISPM, is the discipline of continuously finding risky identity conditions such as excessive privilege, stale access, weak recovery paths, and configuration drift. In a regulated setting, its value is not just visibility but evidence. Teams need posture data that can support review, remediation, and accountability across identities that are human, machine, or delegated through service processes. That is why ISPM increasingly sits beside access governance rather than beside pure detection tooling.

Practical implication: connect posture findings to access review and remediation workflows, not just dashboards.

Why regional growth now tracks governance maturity

Regional growth in identity security now follows the same pattern seen in other compliance-driven markets. Buyers do not just want feature coverage, they want controls that map to operational resilience, certification, and ongoing oversight. When a vendor frames growth around DORA, passwordless, and AI-powered threats, the technical subtext is that identity is becoming the control plane for both human access and machine-mediated access decisions.

Practical implication: re-check whether your IAM roadmap is aligned to resilience and evidence requirements, not only deployment milestones.


NHI Mgmt Group analysis

Identity security buying decisions are shifting from product features to governance proof. The article links regional growth to DORA, passwordless, and identity security posture management, which is the right set of pressures to watch. Buyers increasingly need to show that identity controls produce evidence, not just access, and that they work across cloud, hybrid, and on-premises estates. The practical conclusion is that identity programmes are now judged by auditability and operational resilience as much as by authentication coverage.

Passwordless is being positioned as a resilience control, not only an authentication change. That framing matters because it moves the discussion away from login friction and toward how identity assurance is maintained when passwords are removed. The real work sits in recovery, exception handling, policy enforcement, and downstream governance. Practitioners should read passwordless roadmaps as part of broader identity lifecycle and access assurance design.

Identity security posture management: the market is converging on continuous identity risk visibility as a default expectation. ISPM is becoming the connective tissue between authentication, access governance, and compliance evidence. The consequence for practitioners is that point-in-time access decisions are no longer enough; identity risk needs to be observable and reviewable continuously.

The EMEA Central opportunity signals that identity security is now being sold through regulatory and operational language. That reflects where the market is going: less standalone IAM messaging, more emphasis on resilience, auditability, and AI-era access risk. Security teams should expect vendors to frame identity as part of business continuity and regulatory readiness, not just workforce administration.

From our research:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.
  • That confidence gap is why teams should compare their current identity roadmap with Ultimate Guide to NHIs before adding more identity surface area.

What this signals

Identity security programmes are being forced to prove resilience, not just access control. As regulatory pressure increases, teams need evidence that identity policy, recovery, and exception handling all work together across human and machine access paths. The next planning checkpoint is whether identity operations can satisfy auditors without creating manual bottlenecks.

Identity security posture management is becoming the control layer that connects authentication to governance. That matters because posture without remediation is only reporting. Teams should expect more demand for continuous identity evidence, tighter links to NIST Cybersecurity Framework 2.0, and clearer accountability across IAM, PAM, and lifecycle processes.

Governance teams should prepare for the convergence of user access and machine access oversight. Even when the current article is about regional leadership, the market signal is that buyers want one identity programme that can handle workforce access, service identities, and emerging agentic workloads without fragmenting policy.


For practitioners


Key takeaways

  • The article is a market signal about identity governance, not just a leadership appointment, because it ties regional growth to resilience and compliance needs.
  • Passwordless and identity security posture management only create value when they are linked to recovery, exception handling, and auditable remediation.
  • Practitioners should measure their readiness by evidence quality, not feature count, because regulated growth exposes weak identity governance quickly.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Identity access controls are central to the article's passwordless and governance framing.
NIST CSF 2.0 | ID.GV-1 | The article links growth to regulated resilience and identity governance maturity.
NIST Zero Trust (SP 800-207) | SP 800-207 | The article's access and resilience themes map to continuous verification principles.

Apply zero trust principles to identity flows that span cloud, hybrid, and on-premises environments.


Key terms

  • Passwordless Authentication: An authentication approach that removes the password as the primary login factor and instead uses stronger methods such as device-based or cryptographic credentials. In identity programmes, the key issue is not the login experience alone but the surrounding assurance, recovery, and exception controls.
  • Identity Security Posture Management: The continuous discovery and assessment of risky identity conditions such as stale access, excessive privilege, weak recovery paths, and policy drift. It turns identity risk into an operational signal that can be monitored, prioritised, and remediated across human and non-human identities.
  • Identity Assurance: The degree of confidence an organisation has that an identity is who or what it claims to be and can be trusted within policy. It includes proofing, authentication strength, recovery design, and control consistency, not just the method used to sign in.
  • Access Governance: The set of processes that decide who or what should have access, approve exceptions, review entitlements, and remove privileges when they are no longer needed. Good access governance links policy decisions to evidence, remediation, and lifecycle control rather than treating access as a one-time event.


This post draws on content published by RSA Security: RSA to power growth in EMEA Central with appointment of Sabine Davies. Read the original.
