TL;DR: RSA 2024 showed three clear shifts: AI hype remained loud, identity drew roughly a third of vendor attention, and GRC moved closer to cybersecurity as regulation and risk pressures intensified, according to Axiad. Platform sprawl, not platform promises, is now the governance problem identity teams must solve.
NHIMG editorial — based on content published by Axiad: Three Key Takeaways from the 2024 RSA Conference
Questions worth separating out
Q: How should security teams handle identity tool sprawl across multiple platforms?
A: They should treat tool sprawl as a control-design problem, not a licensing problem.
Q: Why does platform consolidation often fail to simplify identity governance?
A: Because a larger platform does not automatically preserve the specialised controls that made the original tools useful.
Q: How do identity teams know whether their fabric model is working?
A: It is working only if a risk signal in one identity system changes decisions in another without manual intervention or delay.
Practitioner guidance
- Map identity decision handoffs across platforms. Document where identity risk signals stop at one product boundary and fail to influence the next system in the chain.
- Test whether consolidation preserves specialist controls. Before moving toward a broader platform, verify that core controls still work at the same depth after integration.
- Align identity governance with GRC reporting. Translate identity control failures into language that risk, audit, and compliance teams can use.
What's in the full article
Axiad's full blog post covers the conference observations this post intentionally leaves at a strategic level:
- Alex Au Yeung's field notes on the vendor themes that dominated RSA hall conversations
- The article's first-hand comparison of identity, GRC, and platform messaging seen across the North, South, and Innovation Halls
- Axiad's own commentary on why security platforms can add complexity in identity environments
- The original framing around identity fabric as a way to connect best-of-breed tools without collapsing their strengths
Identity convergence at RSA 2024: what teams are missing?
Explore further
Identity fabric is becoming the only credible answer to identity tool fragmentation. The article correctly identifies a market reality: organisations already run multiple identity platforms, and those products rarely exchange risk context well enough to behave like one control plane. That is not a feature gap alone; it is a governance problem that weakens visibility across human identity, NHI, and adjacent access workflows. Practitioners should treat integration quality as a first-class control requirement, not an architecture nicety.
A few things that frame the scale:
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
A question worth separating out:
Q: Who owns identity risk when GRC and cybersecurity converge?
A: Ownership should be shared, but accountability must be explicit. IAM teams own control design and evidence, security teams own detection and response integration, and GRC teams own risk translation and reporting. The failure mode is assuming that convergence creates ownership by itself. In practice, someone must be accountable for how identity risk is measured, escalated, and remediated.