TL;DR: Identity security must move from predefined access and periodic review to real-time decisioning and inline enforcement as AI agents, non-human identities, and millisecond-scale risk outgrow static IAM models, according to Fabrix Security. The acquisition underscores how access governance now hinges on runtime context, not admin-time policy alone.
At a glance
What this is: Fabrix Security argues that identity security must move from static policy and delayed review to real-time, runtime decisioning and enforcement for humans, machines, and AI agents.
Why it matters: IAM, PAM, and NHI programmes built around preapproved access and periodic certification will miss risk that emerges and disappears inside a single access session.
👉 Read Fabrix Security's explanation of autonomous identity security with Silverfort
Context
Identity security is breaking because the programme assumption has been that access can be defined in advance and reviewed later. That works only when roles are stable, permissions are predictable, and the identity behaves on a human time scale. This post is about the shift from preauthorized identity control to runtime identity governance, with implications for NHI, human IAM, and autonomous access decisions.
Fabrix Security is arguing that the old model cannot keep pace with environments where non-human identities outnumber people and AI agents can act independently. The key governance issue is not whether access exists, but whether the system can judge intent, context, and timing at the moment access is attempted. For readers looking to ground that problem in NHI practice, the Ultimate Guide to NHIs and the NHI Lifecycle Management Guide both map the underlying lifecycle and control model.
Key questions
Q: How should security teams handle access that changes faster than review cycles can see it?
A: They should move high-risk access decisions into the request path and treat periodic review as a secondary control. If access can be created, used, and discarded faster than certification runs, the review process can still support accountability, but it cannot be the primary containment mechanism. Runtime enforcement is the control that matches the speed of the risk.
Q: Why do AI agents and NHIs force IAM teams to rethink preapproved permissions?
A: Because their behaviour is not always stable enough for static role design to remain accurate. When an identity can change intent or execution pattern in real time, the original permission model may no longer describe the actual risk. Teams need a decision model that evaluates current context, not only assigned access.
Q: How can organisations tell whether runtime identity controls are actually working?
A: Look for evidence that unsafe access attempts are being blocked, stepped up, or constrained at the point of use. If the programme only produces reports, alerts, or post-event findings, then it is measuring risk rather than controlling it. The key signal is whether the access path changes in response to policy.
Q: Who is accountable when access is decided in real time across multiple identity types?
A: Accountability still sits with the organisation that defines the policy, enforces the control, and owns the identity lifecycle. The harder question is not who owns the log, but who can prove that the policy was applied inline for that specific request. Lifecycle governance and runtime enforcement have to be linked.
How it works in practice
Why static authorization breaks under runtime identity pressure
Traditional IAM treats authorization as a precomputed decision: define roles, attach permissions, and certify them on a schedule. That model fails when access intent changes faster than review cycles can observe it. In AI-native environments, context is not fixed at provisioning time. It is assembled at request time from identity history, permissions, asset sensitivity, policy, and behavioural signals. The architectural shift is from static allowlists to continuous evaluation. Practical enforcement depends on the decision being made at the moment of use, not after the fact.
Practical implication: move high-risk access paths out of periodic certification workflows and into request-time policy evaluation.
Why decisioning without inline enforcement leaves a control gap
Decisioning engines can calculate risk, but if they are not embedded in the authentication or access path, they only produce advice. That creates a split between analysis and control: the system knows access is unsafe, yet the transaction still completes. Runtime enforcement closes that gap by making the decision actionable where the identity is actually trying to enter the environment. For NHI, human, and agentic access alike, the control point has to sit at the execution boundary, not in a separate review console.
Practical implication: verify that policy output can actually block or step up access inline before treating it as a control.
How identity-centric AI decisioning uses context, not just roles
An identity-centric decisioning engine evaluates who the identity belongs to, what it has done before, what it is trying to do now, and under what business conditions the request occurs. That is materially different from role-only governance, which assumes permission can be inferred from classification alone. In dynamic environments, the meaningful question is not whether the identity has access in principle, but whether this specific action should be allowed in this specific instance. That is why context becomes the control plane.
Practical implication: enrich access decisions with activity, asset, and organisational context before extending runtime enforcement to privileged flows.
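The three points above (request-time evaluation, inline enforcement versus advisory decisioning, and context beyond roles) are easier to reason about in code. The following is an added example written for this page, not code from Fabrix Security, Silverfort, or any product: a minimal policy decision point and policy enforcement point in Python. The roles, identities, asset labels, and signal thresholds are constructed for illustration, and `control_is_inline` is the kind of probe a practitioner can run to confirm that a verdict actually stops a request rather than only reporting it.

```python
"""Added example: admin-time RBAC versus request-time, context-aware decisioning
with inline enforcement. All roles, identities, and signals are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"      # proceed only after additional verification
    CONSTRAIN = "constrain"  # proceed, but with the action narrowed


@dataclass
class Identity:
    name: str
    kind: str                       # "human" | "nhi" | "agent"
    roles: frozenset
    verified: bool = False          # strong re-authentication done this session
    recent_actions: list = field(default_factory=list)  # session history


@dataclass
class Request:
    identity: Identity
    action: str                     # e.g. "db:read", "db:delete"
    asset: str
    sensitivity: str                # "low" | "high"
    source: str                     # "corp" | "unknown"


@dataclass
class Outcome:
    verdict: Verdict
    executed: Optional[str]         # action actually performed, None if stopped
    reasons: list


# Admin-time model: the entitlements a periodic certification reviews (constructed).
ROLE_PERMISSIONS = {
    "db-admin": {"db:read", "db:write", "db:delete"},
    "report-bot": {"db:read"},
    "deploy-agent": {"db:read", "db:write", "db:delete"},
}


def static_rbac(req: Request) -> Verdict:
    """Admin-time check: does any assigned role grant this action?"""
    permitted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.identity.roles))
    return Verdict.ALLOW if req.action in permitted else Verdict.DENY


def runtime_decision(req: Request) -> tuple[Verdict, list[str]]:
    """Request-time decision: entitlement is necessary but not sufficient.
    Context used: identity kind, session history, asset sensitivity, source."""
    if static_rbac(req) is Verdict.DENY:
        return Verdict.DENY, ["no entitlement"]
    destructive = req.action in ("db:write", "db:delete")
    repeats = req.identity.recent_actions.count(req.action)
    if req.sensitivity == "high" and req.source == "unknown":
        return Verdict.DENY, ["high-sensitivity asset requested from unknown source"]
    if req.identity.kind == "agent" and destructive and repeats >= 3:
        return Verdict.CONSTRAIN, [f"agent repeated {req.action} {repeats}x this session"]
    if destructive and req.sensitivity == "high" and not req.identity.verified:
        return Verdict.STEP_UP, ["destructive action on high-sensitivity asset"]
    return Verdict.ALLOW, []


def _perform(req: Request, action: str) -> str:
    """Stand-in for the target system; records what was actually executed."""
    req.identity.recent_actions.append(action)
    return action


def enforce(req: Request, inline: bool = True) -> Outcome:
    """Policy enforcement point. inline=True acts on the verdict before the target
    system is reached; inline=False models an advisory deployment that records the
    verdict but lets the transaction complete (the runtime enforcement gap)."""
    verdict, reasons = runtime_decision(req)
    if not inline:
        return Outcome(verdict, _perform(req, req.action), reasons)
    if verdict is Verdict.DENY:
        return Outcome(verdict, None, reasons)
    if verdict is Verdict.STEP_UP:
        return Outcome(verdict, None, reasons + ["pending re-authentication"])
    if verdict is Verdict.CONSTRAIN:
        return Outcome(verdict, _perform(req, "db:read"), reasons)  # read-only fallback
    return Outcome(verdict, _perform(req, req.action), reasons)


def control_is_inline(pep: Callable[[Request], Outcome]) -> bool:
    """Practitioner check: send a request the policy must deny and confirm that
    nothing reached the target system. A PEP that only reports fails this."""
    probe = Request(Identity("probe-svc", "nhi", frozenset({"db-admin"})),
                    "db:delete", "customer-db", "high", "unknown")
    out = pep(probe)
    return out.verdict is Verdict.DENY and out.executed is None


def demo():
    """An entitled agent repeating a destructive action: static RBAC allows it,
    the inline PEP constrains it, the advisory PEP lets it through."""
    agent = Identity("deploy-agent-7", "agent", frozenset({"deploy-agent"}),
                     recent_actions=["db:delete"] * 3)
    req = Request(agent, "db:delete", "orders-db", "low", "corp")
    return static_rbac(req), enforce(req, inline=True), enforce(req, inline=False)
```

The design point is that `runtime_decision` never reaches a verdict the role model did not already permit; it only narrows. The difference between the two `enforce` modes is the whole argument of the section: identical verdicts, but only the inline mode changes what the target system receives.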
NHI Mgmt Group analysis
Predefined access policy is no longer a sufficient governance assumption. The article is right that static permissions and periodic reviews were designed for stable roles and predictable behaviour. That assumption fails when identities, especially AI agents and NHIs, can act and re-act at runtime with different context each time. The implication is not merely that governance becomes harder, but that the old certainty model has collapsed.
Runtime identity governance is becoming the real control boundary. Access review and certification are still useful, but only for residual state, not for fast-moving execution paths. Once decisions must be made in milliseconds, the control that matters is the one that sits in the transaction path and can act at the point of use. Practitioners should read this as a shift in where identity authority actually lives.
Identity blast radius is now set by enforcement latency, not just entitlement scope. When decisioning is advisory and enforcement is deferred, the exposure window expands even if the underlying permissions are narrow. That gives the problem a name, the runtime enforcement gap: the distance between knowing a request is risky and being able to stop it. The practitioner conclusion is that governance quality is increasingly measured by that gap.
AI-native identity platforms will increasingly converge NHI, human, and agentic controls. The article reflects a market direction in which the same control plane must evaluate service accounts, people, and autonomous actors in one model. That convergence will pressure teams to unify lifecycle, privilege, and enforcement logic across identity classes. Practitioners should expect fewer siloed controls and more shared runtime policy infrastructure.
From our research:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only about 15% of organisations are highly confident in their ability to secure NHIs, compared with nearly 25% for securing human identities.
- That confidence gap points to the next control question, which is why teams should pair lifecycle governance with the NHI Lifecycle Management Guide and the OWASP Non-Human Identity Top 10.
What this signals
The practical signal for identity teams is that governance is moving closer to the execution layer. Programmes that still rely on access review as the main control will struggle to demonstrate containment when AI-driven or machine-driven access changes inside the session.
The runtime enforcement gap, the distance between knowing a request is risky and the moment it can be stopped, is becoming the new measure of identity control quality. Teams should expect more pressure to align PAM, NHI lifecycle, and access policy evaluation around the live transaction rather than the review queue.
With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, hidden access paths remain a structural problem even before runtime enforcement enters the picture. That makes lifecycle visibility and policy enforcement a combined priority, not separate workstreams.
For practitioners
- Map where access decisions are still admin-time only: inventory the paths where policy is evaluated at provisioning or review time but not at request time. Prioritise privileged flows, third-party access, and agent-triggered actions that can change meaning after issuance.
- Test whether policy output can actually stop access inline: validate that a risk decision can block, step up, or constrain the transaction before the identity reaches the target system. If the platform only alerts or reports, the control remains advisory.
- Unify context signals across human, machine, and agent identities: correlate identity history, permissions, activity, and asset sensitivity in a single decision flow so that access is judged against current business context rather than role alone. Use the Ultimate Guide to NHIs as the lifecycle reference point.
- Redesign review cycles around residual risk, not live enforcement: keep certification and recertification for accountability, but do not rely on them to contain fast-changing access risk. Pair them with runtime controls so that review work is evidence, not the enforcement mechanism.
Key takeaways
- Static access models are no longer sufficient when identities can act at machine speed and change context mid-session.
- The real control question is whether unsafe access can be blocked inline, not whether it can be identified after the fact.
- Identity programmes should treat runtime enforcement, lifecycle governance, and contextual decisioning as one operating model across humans, NHIs, and AI agents.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust Architecture (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI3 Vulnerable Third-Party NHI; NHI5 Overprivileged NHI | Unseen third-party OAuth access and static, preapproved entitlements are the conditions runtime enforcement is meant to constrain. |
| NIST Zero Trust Architecture (SP 800-207) | Policy Decision Point / Policy Enforcement Point; dynamic per-request authorization | Continuous verification at the enforcement point fits the article's runtime access decision model. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions and authorizations managed and enforced under least privilege are the programme foundation behind runtime enforcement. |
Tie privileged access controls to live policy enforcement and validate them during access-path testing.
Key terms
- Runtime identity governance: Identity governance that evaluates and enforces access at the moment a request is made. It treats current context, not just assigned role, as the basis for control. This matters when human, non-human, and autonomous identities can change risk faster than a review cycle can react.
- Inline enforcement: A control pattern where the security decision can directly allow, deny, or constrain access inside the authentication or request flow. It is stronger than alerting or post-event review because the decision changes the transaction before the target system grants access.
- Identity-centric decisioning: A method of access evaluation that combines identity history, permissions, activity, and business context before making a live decision. It moves beyond role-based logic by asking what the identity is trying to do now and whether that specific action should proceed.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or identity governance in your organisation, it is worth exploring.
This post draws on content published by Fabrix Security: the company’s explanation of autonomous identity security with Silverfort. Read the original.
Published by the NHIMG editorial team on 2026-04-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org