TL;DR: Traditional IAM becomes increasingly inadequate as cloud adoption, remote work, SaaS sprawl, and credential-focused attacks expand the identity attack surface, according to One Identity. Fragmented identity tools create seams that attackers exploit, so unified governance and just-in-time privilege become operational necessities rather than architecture preferences.
At a glance
What this is: An analysis arguing that fragmented IAM no longer fits today’s identity attack surface, with cloud, remote work, and credential theft driving the gap.
Why it matters: IAM and NHI practitioners need to treat identity as the primary control plane and reduce seams between governance, privileged access, and access management.
By the numbers:
- 42% of attackers go after credentials, and there is a reason for that.
- Over 500 million guests were exposed in the Marriott breach after hackers accessed a Starwood reservation database with compromised employee credentials.
- Around 40 million customers had payment card information and personal data exposed in the Target breach after attackers used compromised third-party credentials.
👉 Read One Identity's analysis of why traditional IAM is no longer sufficient
Context
Traditional IAM breaks down when identity controls are split across separate tools, because attackers do not have to defeat the whole stack. They only need one weak point, one stale credential, or one ungoverned integration path. As cloud services, remote work, and SaaS sprawl expand the identity attack surface, the security problem shifts from access administration to coordinated identity governance across humans and NHIs.
For IAM and NHI practitioners, the central issue is not whether access exists, but whether access is unified, auditable, and continuously constrained. Fragmentation leaves privileged access, governance, and behaviour monitoring operating on different clocks, which is exactly where credential theft and lateral movement gain traction. That starting point is common across mature and immature environments alike, which is why the article’s warning resonates beyond any single vendor stack.
Key questions
Q: How should security teams reduce risk from fragmented IAM controls?
A: Security teams should unify governance, privilege, and monitoring around the same identity lifecycle so access decisions are consistent and revocation is fast. The goal is not to remove every tool, but to eliminate control seams where a valid credential can be over-permitted, unmanaged, or invisible to reviewers. Fragmentation is a risk multiplier because attackers only need one gap.
Q: When does just-in-time access matter most for IAM and NHI governance?
A: Just-in-time access matters most when a credential can unlock production systems, administrative consoles, or automation that can act quickly. In those cases, standing privilege creates unnecessary exposure time. JIT reduces the window for misuse by making access temporary, task-scoped, and easier to revoke after the work is complete.
Q: What is the difference between reducing access and reducing blast radius?
A: Reducing access means fewer entitlements are granted. Reducing blast radius means even a compromised identity can do less harm because its privileges are time-bound, scoped, and monitored. Blast-radius control is stronger because it addresses the impact of misuse, not just the number of permissions assigned.
Q: How can organisations govern non-human identities more effectively?
A: Organisations should treat every non-human identity as an owned asset with a purpose, expiration, and review cycle. That means tracking tokens, certificates, API keys, and service accounts under one governance model so they do not become invisible shortcuts into critical systems. Effective NHI governance is lifecycle management, not just secret storage.
Technical breakdown
Why fragmented IAM creates exploitable seams
Fragmented IAM separates privileged access management, governance, and access management into different systems, each with its own rules and visibility. That architecture can work for administrative convenience, but it weakens the security model because attackers look for seams between controls rather than trying to break every layer at once. In practice, a credential that is valid in one system may be over-permitted in another, and the gap is often hard to see until an incident occurs. For NHI environments, this is especially dangerous because service accounts, tokens, and APIs often inherit access without the same review rigor applied to human users.
Practical implication: Consolidate identity control points so governance, privilege, and monitoring operate from the same policy baseline.
How just-in-time privilege reduces identity blast radius
Just-in-time privilege means elevated access is granted only when a task requires it and removed immediately after use. That matters because the value of a stolen credential drops when it is short-lived, tightly scoped, and tied to a specific workflow. This is not the same as simply rotating secrets faster. JIT changes the operating model by making standing privilege the exception rather than the default, which directly reduces lateral movement opportunities. In NHI and agentic AI environments, the same principle limits what an automated actor can do if its identity or token is compromised.
Practical implication: Use ephemeral privilege for administrative and machine identities that do not need persistent elevation.
Why identity governance must extend beyond human accounts
The article’s logic applies to NHIs as much as to user accounts, because modern breaches often succeed through credentials that are technically valid but poorly governed. Service accounts, API keys, and delegated access paths can become invisible trust shortcuts when they are managed separately from human identity controls. Unified governance matters because it creates one place to review ownership, scope, rotation, and revocation. Without that, organizations may have functioning login flows but weak control over who or what can move through them. The result is operational identity sprawl with security consequences.
Practical implication: Map every non-human identity to an owner, purpose, and review cycle before expanding automation further.
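The ownership, purpose, expiry and review-cycle model described above (and in the NHI governance question earlier) can be checked mechanically against an inventory. The following is an added example written for this post, not code from One Identity or from NHI Mgmt Group; the identity names, scope strings, 90-day review cycle and one-day threshold for "standing" production privilege are constructed assumptions, not values from the article.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy knobs (assumed values for the example, not from the article).
REVIEW_CYCLE = timedelta(days=90)
STANDING_THRESHOLD = timedelta(days=1)          # longer-lived production access counts as standing
PRODUCTION_SCOPES = {"prod:db:write", "prod:admin", "prod:deploy"}

@dataclass
class NonHumanIdentity:
    name: str
    kind: str                                  # service_account, api_key, token, certificate, ai_agent
    owner: Optional[str]
    purpose: Optional[str]
    expires_at: Optional[datetime]
    last_reviewed_at: Optional[datetime]
    scopes: list = field(default_factory=list)

def governance_findings(nhi: NonHumanIdentity, now: datetime) -> list:
    """Return the governance gaps for one identity: each gap is a seam where
    a technically valid credential is unowned, unscoped, or unreviewed."""
    findings = []
    if not nhi.owner:
        findings.append("no-owner")
    if not nhi.purpose:
        findings.append("no-purpose")
    if nhi.expires_at is None:
        findings.append("no-expiry")
    elif nhi.expires_at <= now:
        findings.append("expired-still-present")     # revocation did not follow expiry
    if nhi.last_reviewed_at is None or now - nhi.last_reviewed_at > REVIEW_CYCLE:
        findings.append("review-overdue")
    # Production reach without a short expiry is standing privilege, not JIT.
    if PRODUCTION_SCOPES & set(nhi.scopes):
        if nhi.expires_at is None or nhi.expires_at - now > STANDING_THRESHOLD:
            findings.append("standing-production-privilege")
    return findings

def audit(inventory: list, now: datetime) -> dict:
    """Map every identity name to its list of findings (empty list = governed)."""
    return {n.name: governance_findings(n, now) for n in inventory}

def ungoverned(inventory: list, now: datetime) -> list:
    """Names of identities with at least one finding, for prioritisation."""
    return sorted(name for name, f in audit(inventory, now).items() if f)

# Constructed sample inventory; none of these identities are real.
NOW = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)

def sample_inventory() -> list:
    return [
        NonHumanIdentity("ci-deployer", "service_account", "platform-team", "deploy pipelines",
                         NOW + timedelta(hours=12), NOW - timedelta(days=10), ["prod:deploy"]),
        NonHumanIdentity("legacy-reporting-key", "api_key", None, "",
                         None, NOW - timedelta(days=400), ["prod:db:write"]),
        NonHumanIdentity("vendor-sync-token", "token", "integrations", "nightly CRM sync",
                         NOW - timedelta(days=5), NOW - timedelta(days=30), ["crm:read"]),
        NonHumanIdentity("support-agent", "ai_agent", "support-ops", "ticket triage",
                         NOW + timedelta(days=180), None, ["prod:admin"]),
    ]

if __name__ == "__main__":
    for name, findings in audit(sample_inventory(), NOW).items():
        print(f"{name:22} {findings or 'governed'}")
```

The short-lived `ci-deployer` account passes because its production scope expires within the threshold; the unowned, never-expiring reporting key collects every finding, which is the "invisible trust shortcut" the section describes. The same check can be run from a scheduled job against whatever secrets store or IGA export the organisation already has.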
Threat narrative
Attacker objective: The attacker wants fast, low-noise access to valuable systems and data by abusing trusted identity paths rather than exploiting infrastructure directly.
- Entry occurs through compromised credentials, often a password, phishing capture, or third-party access path that is already trusted by the environment.
- Escalation happens when the stolen identity has broader rights than the task requires, allowing the attacker to move into privileged systems or adjacent applications.
- Impact follows when the attacker uses that access to exfiltrate data, disrupt operations, or stage a ransomware event from inside a legitimate identity context.
Breaches seen in the wild
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Fragmented IAM is now a governance liability, not a tooling preference. When privileged access, governance, and access control are separated, practitioners inherit blind spots that attackers can exploit faster than manual review cycles can close them. The article correctly frames identity as the new perimeter, but the deeper point is that perimeters fail when identity decisions are distributed across disconnected products. Practitioners should treat fragmentation as an exposure class, not an integration inconvenience.
Identity blast radius is the right lens for modern access design. The article’s JIT discussion points in the right direction because ephemeral elevation reduces the time a stolen credential remains useful. But the real control objective is blast-radius reduction, not simply access reduction. That means scoping privileges to task, time, and environment, especially for NHIs and automation that can act at machine speed.
Cloud and SaaS sprawl have made identity governance a cross-domain control problem. Hundreds of apps, remote endpoints, and third-party integrations create a control surface that no single access layer can fully police on its own. A unified identity program must therefore span human users, service accounts, and machine workflows. The practical conclusion is clear: identity governance now sits at the centre of security architecture.
NHI governance cannot remain a sidecar to human IAM. The same weaknesses the article identifies for user credentials also apply to tokens, certificates, and service accounts, often with less visibility and faster abuse. A mature program does not bolt NHI controls onto legacy IAM. It normalises ownership, review, and privilege boundaries across both human and non-human identities.
Consolidation should be measured by control coherence, not platform count. Reducing the number of tools does not automatically improve security unless the resulting model creates consistent policy, shared telemetry, and fast revocation. Security teams should judge their IAM design by how quickly they can answer who has access, why they have it, and when it expires. That is the standard that matters.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- For a broader control baseline, see NHI Lifecycle Management Guide for lifecycle practices that help constrain privilege drift across machine identities.
What this signals
Identity governance programmes will be judged by how well they handle machine speed, not just human workflow. The control problem is shifting from static access review to continuous privilege scoping across users, service accounts, and AI agents. With 70% of organisations already granting AI systems more access than they would give a human employee performing the same job, according to the 2026 Infrastructure Identity Survey, the governance baseline is already behind operational reality.
Identity blast radius should become a board-level security metric. Teams need to know which identities can reach crown-jewel systems, which are still standing privileges, and which can be revoked automatically when behaviour changes. That is the practical bridge between access management and resilience, and it aligns closely with the NIST Cybersecurity Framework 2.0 emphasis on governance and protection.
Programs that continue to treat NHI controls as a separate niche will keep inheriting the same failure mode: access that is technically valid but structurally overpowered. The more cloud and automation spread, the more the programme needs lifecycle discipline, policy coherence, and a single view of who or what can act in production. For teams building that posture, the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs is the right next reference point.
For practitioners
- Map identity control seams across platforms: Inventory where PAM, IGA, and access management make separate decisions for the same identities. Focus first on systems where privileged access can be granted without a synchronized governance review, and where service accounts or API keys bypass normal approval paths.
- Replace standing privilege with task-scoped elevation: Use just-in-time access for administrative accounts, service workflows, and automation that only needs short-lived elevation. Set explicit expiry, require purpose binding, and verify that revocation is automatic rather than operator-dependent.
- Extend governance to non-human identities: Assign owners, purposes, and expiry rules to every token, certificate, API key, and service account. Tie each NHI to a review cycle so access cannot outlive the workload or automation job it supports.
- Measure identity risk by blast radius: Prioritise identities that can reach production data, administrative consoles, or third-party integrations. The goal is to shrink the number of identities that can move laterally once compromised, not just to count how many exist.
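The second and fourth items above (task-scoped elevation with automatic revocation, and blast radius as the risk metric) are shown together in the following added example. It is illustrative code written for this post, not part of the article or any vendor product; the broker class, the crown-jewel system names, the one-hour TTL ceiling and the ticket reference in the purpose string are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Systems whose reachability defines the blast-radius metric (assumed names).
CROWN_JEWELS = {"prod-db", "kms", "ci-admin"}

@dataclass(frozen=True)
class Grant:
    identity: str
    system: str
    purpose: str            # purpose binding: every elevation names the task it serves
    granted_at: datetime
    expires_at: datetime

class JitBroker:
    """Minimal just-in-time elevation broker: grants are time-bound and
    revoked by a sweep, never by an operator remembering to remove them."""

    def __init__(self, max_ttl: timedelta = timedelta(hours=1)):
        self.max_ttl = max_ttl
        self._grants: list = []
        self.log: list = []          # audit trail of grant/revoke events

    def request(self, identity: str, system: str, purpose: str,
                ttl: timedelta, now: datetime) -> Grant:
        if not purpose:
            raise ValueError("purpose binding is required")
        if ttl > self.max_ttl:
            raise ValueError("requested ttl exceeds policy maximum")
        grant = Grant(identity, system, purpose, now, now + ttl)
        self._grants.append(grant)
        self.log.append(("grant", identity, system, purpose, now.isoformat()))
        return grant

    def active_grants(self, now: datetime) -> list:
        return [g for g in self._grants if g.granted_at <= now < g.expires_at]

    def sweep(self, now: datetime) -> int:
        """Automatic revocation: drop every expired grant and record it."""
        expired = [g for g in self._grants if g.expires_at <= now]
        for g in expired:
            self.log.append(("revoke", g.identity, g.system, g.purpose, now.isoformat()))
        self._grants = [g for g in self._grants if g.expires_at > now]
        return len(expired)

def blast_radius(standing: dict, broker: JitBroker, identity: str, now: datetime) -> set:
    """Systems the identity can reach right now: standing entitlements plus live JIT grants."""
    reach = set(standing.get(identity, set()))
    reach |= {g.system for g in broker.active_grants(now) if g.identity == identity}
    return reach

def crown_jewel_exposure(standing: dict, broker: JitBroker, identities: list, now: datetime) -> dict:
    """Per-identity count of crown-jewel systems reachable at `now`."""
    return {i: len(blast_radius(standing, broker, i, now) & CROWN_JEWELS) for i in identities}

def run_scenario() -> dict:
    """Constructed scenario: one identity with standing prod-db access, one that
    only ever reaches a crown jewel through a 30-minute JIT grant."""
    now = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
    standing = {"alice": {"wiki", "prod-db"}, "ops-agent": {"wiki"}}
    broker = JitBroker(max_ttl=timedelta(hours=1))
    ids = ["alice", "ops-agent"]
    before = crown_jewel_exposure(standing, broker, ids, now)
    broker.request("ops-agent", "kms", "rotate signing key (ticket INC-1234, constructed)",
                   timedelta(minutes=30), now)
    during = crown_jewel_exposure(standing, broker, ids, now + timedelta(minutes=10))
    later = now + timedelta(minutes=45)
    revoked = broker.sweep(later)                     # grant expired at +30m, swept at +45m
    after = crown_jewel_exposure(standing, broker, ids, later)
    return {"before": before, "during": during, "after": after,
            "revoked": revoked, "log": broker.log}

def ttl_policy_rejects_long_request() -> bool:
    """True if the broker refuses an elevation longer than its policy ceiling."""
    broker = JitBroker(max_ttl=timedelta(minutes=15))
    try:
        broker.request("x", "kms", "test", timedelta(hours=2),
                       datetime(2025, 1, 1, tzinfo=timezone.utc))
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    for phase, exposure in run_scenario().items():
        print(phase, exposure)
```

The metric that matters is the `after` value: `alice` still reaches a crown jewel because her access is standing, while `ops-agent` is back to zero without anyone having to act. Counting entitlements alone would not distinguish the two, which is the difference between reducing access and reducing blast radius that the Key questions section draws.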
Key takeaways
- Traditional IAM breaks down when identity controls are split across separate tools, because attackers exploit seams rather than whole platforms.
- Just-in-time privilege and unified governance reduce identity blast radius by limiting how long and how far a compromised credential can travel.
- NHI governance now belongs inside the core identity model, not as a bolt-on to human access management.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The article centres on credential sprawl, privilege drift, and fragmented identity control. |
| NIST CSF 2.0 | PR.AC-4 | Unified identity control is a direct access-management concern under CSF 2.0. |
| NIST Zero Trust (SP 800-207) | | JIT privilege and continuous verification align with zero trust principles. |
Map all NHI credentials to lifecycle ownership and enforce rotation and revocation under NHI-03.
Key terms
- Identity blast radius: The amount of damage a compromised identity can cause before access is detected, contained, or revoked. In NHI environments, blast radius is shaped by privilege scope, credential lifetime, and the number of systems an identity can reach without additional checks.
- Just-in-time privilege: A privilege model that grants elevated access only when a specific task requires it and removes it as soon as the task ends. It reduces exposure time, limits lateral movement opportunities, and is especially useful for high-risk human and machine identities.
- Fragmented IAM: An identity architecture where governance, access, and privileged control are split across separate tools with inconsistent policy and visibility. Fragmentation often leaves seams that attackers can exploit and makes it harder to answer who has access, why they have it, and when it expires.
- Non-human identity: A digital identity used by software rather than a person, including service accounts, API keys, tokens, certificates, workloads, and AI agents. These identities often have persistent or delegated access, which makes ownership, scope, and lifecycle control essential.
Deepen your knowledge
Identity blast radius, just-in-time privilege, and NHI lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your environment is already dealing with cloud sprawl and machine identities, it is worth exploring.
This post draws on content published by One Identity: Breach by Breach: Why Traditional IAM Is Now Obsolete. Read the original.
Published by the NHIMG editorial team on 2024-11-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org