TL;DR: DORA shifts financial resilience from checkbox compliance toward continuous identity risk management, with static policies, weak visibility, and manual response called out as gaps that undermine operational continuity in hybrid environments, according to RSA Security. For IAM teams, the message is that identity has become a resilience control, not just an access gate.
NHIMG editorial — based on content published by RSA Security: Beyond compliance, how identity risk management drives DORA readiness
Questions worth separating out
Q: How should financial institutions use identity controls to support DORA readiness?
A: They should treat identity as a resilience layer, not just an authentication layer.
Q: Why do static IAM policies fall short for DORA obligations?
A: Static policies cannot keep pace with changing context such as device trust, location, behavioural drift, or social-engineering pressure.
Q: How can organisations know whether identity risk management is working?
A: They should look for measurable reductions in risky access approvals, faster detection of suspicious identity behaviour, and better continuity during incident simulations.
Practitioner guidance
- Reclassify identity controls as resilience controls. Document which IAM capabilities are required to keep critical financial services running during an outage, not just to satisfy access policy.
- Replace static access decisions with context-based review. Identify where access is still granted by fixed policy alone and add behavioural and device-risk signals for higher-risk user journeys.
- Test identity failover in continuity exercises. Simulate IAM degradation and verify that authentication, escalation paths, and recovery workflows still operate without creating unsafe standing access.
What's in the full article
RSA Security's full post covers the operational detail this post intentionally leaves for the source:
- Risk AI behavioural scoring and how it is positioned for access decisions
- Help Desk Live Verify workflow detail for preventing social engineering attacks
- Governance and lifecycle workflow coverage for policy enforcement and compliance reporting
- Hybrid failover design details for maintaining authentication during outages
👉 Read RSA Security’s analysis of how identity risk management supports DORA readiness →
DORA identity risk management: are your controls ready for resilience?
Explore further
Identity risk management is now a resilience requirement, not a compliance enhancement. DORA changes the job of IAM from proving access exists to proving access can be governed under stress. That shift matters because resilience collapses when identity controls cannot distinguish routine access from risky access in real time. Practitioners should treat identity governance as part of operational continuity design.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how hard it is to prove identity control during incident response, according to NHI Mgmt Group research.
A question worth separating out:
Q: Who is accountable when identity failures disrupt critical financial services?
A: Accountability sits with the teams that own identity governance, security operations, and resilience planning together, because DORA links access control to business continuity. If those functions are separated, no one can prove that identity risks were understood, monitored, and contained before services were affected.
👉 Read our full editorial: DORA readiness starts with identity risk, not compliance checkboxes