
Identity, trust and governance: what IAM teams need to rebuild


(@nhi-mgmt-group)

TL;DR: The CIA triad protects data, but modern breaches increasingly target actors, not artifacts, with the post citing 74% of attacks starting with compromised identities, 79% of detections being malware-free, and 88% of web app breaches involving stolen credentials, according to ConductorOne and cited industry reports. The control plane has moved above the ground floor, and identity, trust, and governance now determine security outcomes.

NHIMG editorial — based on content published by ConductorOne: Security Needs a Second Floor

By the numbers:

Questions worth separating out

Q: How should security teams govern identity as a control plane?

A: Security teams should treat identity as the layer that decides who can act, how far authority travels, and what context makes an action legitimate.

Q: Why do non-human identities change the way Zero Trust works?

A: Non-human identities change Zero Trust because workloads, service accounts, and agents do not behave like fixed human users.

Q: What breaks when identity is treated as an administrative task instead of a control plane?

A: When identity is treated as administration, organisations lose sight of how authority is created, inherited, and extended across systems.

Practitioner guidance

  • Rebuild identity governance as a control plane: Map IAM, PAM, and NHI controls to the decisions they actually make, then identify where those decisions are still hidden inside infrastructure or application teams.
  • Trace delegation chains end to end: Document how authority moves from human sponsor to service account, token, workload, or agent, then look for inherited permissions that outlive the original approval.
  • Classify autonomous behaviour separately from automation: Do not treat every tool-using system as an agent.

What's in the full article

ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:

  • The full argument for why CIA maps to the data plane while identity, trust, and governance sit above it.
  • Examples of how virtualisation, containers, serverless, and agentic AI each shift responsibility upward.
  • The article's discussion of Gartner, CISA, WEF, and other references that support the second-floor framing.
  • The closing recommendations for leaders deciding how to staff and fund the control plane.
