TL;DR: Fortune 500 cybersecurity posture is weak and identity compromise dominates breaches, with 84% of firms scoring D or worse and up to 71% of breaches tied to compromised credentials, according to Business Digital Index research cited by Clarity Security. The deeper issue is structural: access models built for periodic review cannot keep pace with human, NHI, and AI agent identities that change faster than governance cycles can see.
NHIMG editorial — based on content published by Clarity Security: Adaptive Trust and the evolution of identity security
By the numbers:
- Eighty-four percent of Fortune 500 companies score a D or worse for their cybersecurity efforts, according to Business Digital Index research analyzing companies across seven key security dimensions.
- With up to 71% of breaches now attributed to compromised credentials and identity-based attacks, the state of cybersecurity posture and the state of identity security are impossible to separate.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams move from periodic access reviews to continuous identity governance?
A: Start by treating reviews as assurance, not detection.
Q: Why do non-human identities break conditional trust models?
A: Non-human identities break conditional trust because they outnumber human accounts, rarely appear in HR workflows, and often keep access long after the original purpose ends.
Q: What do organisations get wrong about just-in-time access for NHIs?
A: They often apply just-in-time thinking only to privileged human sessions and leave service accounts, API keys, and bots with standing access.
Practitioner guidance
- Inventory every identity class in scope. Build a single inventory that includes human users, contractors, third parties, service accounts, API keys, bots, and AI agents.
- Collapse review findings into remediation workflows. Route risk findings into direct remediation actions instead of ticket queues.
- Define where standing access must disappear. Identify entitlements that should exist only for a task, then convert them to just-in-time access or removal by default.
What's in the full article
Clarity Security's full blog post covers the operational detail this post intentionally leaves for the source:
- The step-by-step Adaptive Trust workflow for moving from assessment to remediation.
- The three maturity stages of remediation automation and how human-in-the-loop decisioning changes over time.
- The specific limitations of campaign-based IGA tooling when it is extended to non-human identities.
- The article's full explanation of how just-in-time provisioning fits into the target operating model.
👉 Read Clarity Security's analysis of Adaptive Trust and conditional trust limits →
Adaptive trust and conditional trust: where IAM teams are hitting limits?
Adaptive Trust is the clearest response to the failure of review-based identity governance. Campaign-driven governance assumes risk can be captured, assigned, and resolved on a human schedule. That assumption no longer holds when non-human identities, third-party credentials, and AI agents change state faster than the review cycle can observe. Practitioners should read this as a structural shift in how identity control must operate.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: How do you know if continuous remediation is actually working?
A: Look for reduced dwell time between risk detection and entitlement change, fewer identities outside lifecycle ownership, and fewer stale permissions surviving the review cycle. If risks remain open until the next campaign, the programme is still operating as a periodic review process rather than a continuous control.
👉 Read our full editorial: Adaptive Trust exposes the limits of conditional identity governance
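The three indicators named in the answer above can be computed from an identity inventory and a findings log. The following is an added example, not code from Clarity Security or NHIMG; the record fields, the sample data, and the 90-day review cycle are assumptions made for illustration.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data; field names are assumptions for this example.
IDENTITIES = [
    {"id": "alice", "kind": "human", "owner": "hr-system"},
    {"id": "svc-backup", "kind": "service_account", "owner": None},
    {"id": "key-ci-deploy", "kind": "api_key", "owner": "platform-team"},
    {"id": "agent-triage", "kind": "ai_agent", "owner": None},
]
# detected = risk flagged; remediated = entitlement actually changed (None = still open)
FINDINGS = [
    {"identity": "alice", "detected": "2024-03-01T09:00", "remediated": "2024-03-01T13:00"},
    {"identity": "svc-backup", "detected": "2024-01-10T08:00", "remediated": None},
    {"identity": "key-ci-deploy", "detected": "2024-03-05T10:00", "remediated": "2024-03-06T10:00"},
    {"identity": "agent-triage", "detected": "2024-03-20T12:00", "remediated": None},
]
NOW = datetime(2024, 4, 15)  # constructed evaluation time


def remediation_metrics(identities, findings, now, review_cycle=timedelta(days=90)):
    """Return dwell time, unowned identities, and findings open past one review cycle."""
    dwell_hours = []
    open_past_cycle = []
    for f in findings:
        detected = datetime.fromisoformat(f["detected"])
        if f["remediated"]:
            fixed = datetime.fromisoformat(f["remediated"])
            dwell_hours.append((fixed - detected).total_seconds() / 3600)
        elif now - detected >= review_cycle:
            # Still open after a full cycle: the risk waited for the next campaign.
            open_past_cycle.append(f["identity"])
    return {
        "median_dwell_hours": median(dwell_hours) if dwell_hours else None,
        "unowned": sorted(i["id"] for i in identities if not i["owner"]),
        "open_past_cycle": sorted(open_past_cycle),
    }


if __name__ == "__main__":
    for name, value in remediation_metrics(IDENTITIES, FINDINGS, NOW).items():
        print(f"{name}: {value}")
```

Tracked over time, a falling median dwell and an empty `open_past_cycle` list are the signals the answer describes; a finding that stays in that list indicates periodic review rather than continuous control.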