TL;DR: DORA shifts financial resilience from checkbox compliance toward continuous identity risk management, with static policies, weak visibility, and manual response called out as gaps that undermine operational continuity in hybrid environments, according to RSA Security. For IAM teams, the message is that identity has become a resilience control, not just an access gate.
NHIMG editorial — based on content published by RSA Security: Beyond compliance, how identity risk management drives DORA readiness
Questions worth separating out
Q: How should financial institutions use identity controls to support DORA readiness?
A: They should treat identity as a resilience layer, not just an authentication layer.
Q: Why do static IAM policies fall short for DORA obligations?
A: Static policies cannot keep pace with changing context such as device trust, location, behavioural drift, or social-engineering pressure.
Q: How can organisations know whether identity risk management is working?
A: They should look for measurable reductions in risky access approvals, faster detection of suspicious identity behaviour, and better continuity during incident simulations.
Practitioner guidance
- Reclassify identity controls as resilience controls. Document which IAM capabilities are required to keep critical financial services running during an outage, not just to satisfy access policy.
- Replace static access decisions with context-based review. Identify where access is still granted by fixed policy alone and add behavioural and device-risk signals for higher-risk user journeys.
- Test identity failover in continuity exercises. Simulate IAM degradation and verify that authentication, escalation paths, and recovery workflows still operate without creating unsafe standing access.
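As an added illustration of the second and third points above (example code, not from RSA Security or the source post): a fixed role policy placed beside a context-scored decision that adds device, location, behaviour and social-engineering signals, plus a degraded mode that fails closed on high-risk journeys rather than widening access when the risk engine is unavailable. The signal names, roles and thresholds are constructed assumptions.

```python
"""Static entitlement check beside a context-based access decision.

Constructed example: signal names and thresholds are assumptions, not any vendor's API.
"""
from dataclasses import dataclass

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass
class Context:
    role: str
    journey: str              # e.g. "payments_approve" or "read_statements"
    device_trusted: bool      # managed, compliant device
    geo_velocity_kmh: float   # implied travel speed since the previous login
    behaviour_drift: float    # 0.0 = matches baseline, 1.0 = nothing matches
    helpdesk_pressure: bool   # reset/bypass requested outside the verified flow


# Constructed role-to-journey entitlements and the journeys treated as high risk.
STATIC_POLICY = {"treasury": {"payments_approve", "read_statements"},
                 "analyst": {"read_statements"}}
HIGH_RISK_JOURNEYS = {"payments_approve"}


def static_decision(ctx: Context) -> str:
    """Fixed policy: the role grants the journey regardless of context."""
    return ALLOW if ctx.journey in STATIC_POLICY.get(ctx.role, set()) else DENY


def risk_score(ctx: Context) -> int:
    """Additive score from the context signals; each signal alone is enough to step up."""
    score = 0
    if not ctx.device_trusted:
        score += 2
    if ctx.geo_velocity_kmh > 900:   # faster than a commercial flight: implausible travel
        score += 3
    if ctx.behaviour_drift > 0.6:
        score += 2
    if ctx.helpdesk_pressure:
        score += 3
    return score


def contextual_decision(ctx: Context, engine_available: bool = True) -> str:
    """Entitlement is necessary but not sufficient; context decides allow / step-up / deny."""
    if static_decision(ctx) == DENY:
        return DENY
    if not engine_available:
        # Degraded mode: high-risk journeys require step-up; never fall back to a blanket allow.
        return STEP_UP if ctx.journey in HIGH_RISK_JOURNEYS else ALLOW
    score = risk_score(ctx)
    if score >= 5:
        return DENY
    return STEP_UP if score >= 2 else ALLOW
```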
What's in the full article
RSA Security's full post covers the operational detail this post intentionally leaves for the source:
- Risk AI behavioural scoring and how it is positioned for access decisions
- Help Desk Live Verify workflow detail for preventing social engineering attacks
- Governance and lifecycle workflow coverage for policy enforcement and compliance reporting
- Hybrid failover design details for maintaining authentication during outages
👉 Read RSA Security’s analysis of how identity risk management supports DORA readiness →
DORA identity risk management: are your controls ready for resilience?