TL;DR: Women remain underrepresented in IT even as demand surges, with Gartner citing 31% female representation in IT roles and the U.S. Bureau of Labor Statistics projecting 667,600 new computer and IT jobs through 2030. The opportunity is real, but access to it still depends on culture, support, and sustained skill-building.

NHIMG editorial — based on content published by StrongDM: How to Thrive as a Woman in IT: A Comprehensive Guide in 2026

By the numbers:

• According to Gartner, only 31% of IT employees are women.
• The U.S. Bureau of Labor Statistics says computer and information technology jobs are expected to grow by 13 percent from 2020 to 2030, adding 667,600 new jobs.

Questions worth separating out

Q: How can organisations improve representation of women in IT teams?

A: Organisations improve representation by fixing both entry and retention.

Q: Why does workplace culture matter so much in technical careers?

A: Workplace culture shapes whether people stay long enough to build depth.

Q: What is the best way to bring more women into cybersecurity?

A: The most effective approach is to treat cybersecurity as a broad career family rather than a single narrow path.

Practitioner guidance

• Audit hiring and promotion pathways for hidden exclusion Review job descriptions, interview loops, promotion criteria, and referral patterns for signals that narrow the candidate pool or advantage one profile repeatedly.
• Strengthen workplace reporting and response mechanisms Make harassment and discrimination reporting usable, confidential, and fast to act on so technical staff do not have to choose between safety and career progression.
• Create multiple entry routes into security work Offer internships, rotational roles, apprenticeships, and adjacent-role transitions so support, analysis, and operations staff can move into IAM and security careers.

What's in the full article

StrongDM's full blog covers the practical career guidance this post intentionally leaves at the strategy level:

• Role-by-role examples of IT careers women can pursue, from support to architecture and security
• Named training and education resources for building technical skills and confidence
• Advice from multiple contributors on handling workplace bias, growth, and career progression
• Examples of how to choose a role that fits different learning styles and work preferences

👉 Read StrongDM's guide to women thriving in IT careers →

Women in IT in 2026: where the talent gap and culture gap still collide?

Explore further

View Full Forum →  |  NHI Foundation Course →

TL;DR: The White House’s AI Action Plan pushes faster AI adoption, infrastructure build-out, and secure-by-design expectations, but the article argues that governance will increasingly fall to industry as federal guardrails loosen and questions about training data, bias, and sensitive-data use remain unresolved, according to Cyera. The practical issue is not ambition but whether organisations can prove their AI data, model, and agent controls are trustworthy enough to absorb the policy shift.

NHIMG editorial — based on content published by Cyera: It’s Up to Industry to Regulate AI: The White House’s AI Action Plan is long on ambition, but short on guardrails

By the numbers:

• The Plan cuts federal science funding by 34 percent, including math and physics at $289 million, engineering at $127 million, computer science at $85 million, and technology at $18 million.

Questions worth separating out

Q: How should organisations govern AI systems that can access sensitive training data?

A: Organisations should treat sensitive training data as a governed input, not a loose repository.

Q: Why do AI applications and agents create new access risks for IAM teams?

A: AI applications and agents can request data, call tools, and move information across systems faster than traditional review cycles were designed to track.

Q: What do security teams get wrong about secure-by-design AI governance?

A: They often treat secure-by-design as a policy label instead of an enforceable operating model.

Practitioner guidance

• Inventory AI-connected identities and data paths Map every AI application, agent, service account, and API key that can touch training, retrieval, or output workflows.
• Gate sensitive data before model ingestion Require classification and policy checks at the point where training data, fine-tuning data, or retrieval content enters the AI pipeline.
• Apply least privilege to AI tool use Limit every AI-connected identity to the smallest set of tools, prompts, datasets, and export paths needed for its task.

What's in the full article

Cyera's full analysis covers the operational detail this post intentionally leaves for the source:

• The article’s specific commentary on the White House AI Action Plan and the policy trade-offs it introduces for enterprises.
• Cyera's description of how its AI-native platform discovers and classifies sensitive data in AI training sets and AI applications.
• The article’s examples of bias, training-data curation, and the governance challenge of defining objective truth in practice.
• The source article’s closing guidance on how organisations should think about secure AI adoption at scale.

👉 Read Cyera’s analysis of the White House AI Action Plan and AI governance →

AI governance gaps are widening as policy outpaces controls?

Explore further

View Full Forum →  |  NHI Foundation Course →

TL;DR: Engineering leaders at Enterprise Ready Conference 2025 described AI as moving junior engineers, product managers, and interns into much more capable roles while exposing non-deterministic output, customer-facing risk, and human oversight gaps, according to WorkOS. The governance lesson is that identity, accountability, and guardrails now matter as much as speed when AI enters delivery paths.

NHIMG editorial — based on content published by WorkOS: CTO panel on how AI is transforming engineering teams

Questions worth separating out

Q: How should security teams govern AI tools that help write and review code?

A: Treat AI-assisted development as an identity and control problem, not only an engineering productivity issue.

Q: Why do AI-assisted engineering workflows complicate identity governance?

A: Because they extend access beyond a single human user into tools that can read context, draft changes, and shape operational decisions.

Q: What do teams get wrong about AI-generated documentation and code review?

A: They often assume documentation or review output is proof of oversight.

Practitioner guidance

• Classify every AI-enabled workflow by actor type Separate human-assisted tooling from non-human identity use cases and from systems that make independent runtime decisions.
• Preserve independent review for production-impacting changes Do not allow the same AI layer to generate and effectively validate the same change without independent human challenge.
• Map delegated data access for AI tools Identify which repositories, tickets, logs, and operational systems AI tools can read or influence.

What's in the full article

WorkOS's full recap covers the operational detail this post intentionally leaves for the source:

• Panel commentary on how enterprise customers are evaluating AI guardrails for customer-facing deployments
• Examples of how engineering leaders are using AI tools to accelerate coding, migrations, and documentation
• Details on the forward deployed engineering motion and why it is resurfacing in AI-native products
• The panel's full discussion of how teams are thinking about scale, quality, and customer value in AI-heavy environments

👉 Read WorkOS's recap of the Enterprise Ready Conference 2025 CTO panel on AI in engineering →

AI agent governance is lagging engineering teams’ rapid shift?

Explore further

View Full Forum →  |  NHI Foundation Course →

TL;DR: AI adoption is pulling enterprise buying cycles forward so quickly that startups are landing customers in months, not years, according to WorkOS’s conversation with the hosts of Acquired. That acceleration changes the identity baseline: enterprise readiness, access governance, and trust assumptions now have to exist earlier in the product lifecycle.

NHIMG editorial — based on content published by WorkOS: Ben Gilbert and David Rosenthal from Acquired on what makes companies last

By the numbers:

• This year they stopped by the WorkOS booth at re:Invent before interviewing the CEOs of AWS, JP Morgan Payments, Netflix, and Perplexity in a 2,000-person auditorium.

Questions worth separating out

Q: How should teams evaluate AI-era vendors before granting enterprise access?

A: Treat evaluation as an identity assurance exercise, not just a product review.

Q: Why do fast-growing AI companies create new IAM risk for enterprises?

A: Because growth usually outpaces governance.

Q: What breaks when access governance is added after AI adoption has already scaled?

A: Review cycles become reactive instead of preventative.

Practitioner guidance

• Add identity readiness to vendor intake Require an access model review for any AI-era vendor before production integration.
• Map delegated access before rollout Document every delegated permission, token exchange, and machine-to-machine trust path introduced by the new system.
• Shorten entitlement review cycles for fast-moving platforms Increase recertification frequency for platforms that are still changing features, integrations, or ownership structures.

What's in the full article

WorkOS's full article covers the conversational context and company journey details this post intentionally leaves for the source:

• How Ben Gilbert and David Rosenthal describe compounding growth and why that framing matters for enterprise adoption decisions.
• The specific examples they use from Nvidia, Costco, Google, and other durable companies to explain how category leaders behave.
• Why AI companies are reaching enterprise customers earlier than previous generations of startups, and what that means for go-to-market timing.
• The broader interview context from AWS re:Invent 2025, including why WorkOS was discussing enterprise readiness in this setting.

👉 Read WorkOS's conversation on AI-era compounding and enterprise readiness →

AI startup compounding and enterprise identity readiness: what changes?

Explore further

View Full Forum →  |  NHI Foundation Course →

TL;DR: Engineering leadership models where managers own product areas end to end, stay close to customers and code, and guide reliability, security, and architecture decisions as companies scale, according to WorkOS. That kind of operating model matters because identity and access programmes increasingly need engineering-led governance, not handoffs.

NHIMG editorial — based on content published by WorkOS: Engineering leadership at WorkOS: Product, people, and impact

Questions worth separating out

Q: How should security teams handle identity features built inside product engineering teams?

A: Treat the engineering team as part of the control environment, not as a separate delivery function.

Q: Why do developer experience and identity governance need to be designed together?

A: Because developers will choose the fastest workable path, not the most policy-compliant one.

Q: What breaks when access-related decisions are made without explicit review gates?

A: The organisation loses the ability to prove who approved what, why the tradeoff was accepted, and how the change will be supported after launch.

Practitioner guidance

• Map identity feature ownership to governance ownership Identify which engineering leaders own SSO, RBAC, directory sync, secrets handling, and related access surfaces.
• Add explicit architecture review gates for access-related changes For any change that affects authentication, authorisation, or lifecycle behaviour, require a documented review trail that covers threat assumptions, rollback paths, and operational support.
• Test whether developer experience encourages unsafe workarounds Review integration patterns for hardcoded secrets, bypassed approvals, duplicated access logic, or manual provisioning steps.

What's in the full article

WorkOS's full article covers the organisational detail this post intentionally leaves for the source:

• The specific responsibilities WorkOS assigns to engineering managers across product, architecture, and team health
• How the company structures weekly decision-making between managers and the CEO
• The cultural expectations WorkOS uses to evaluate engineering leaders in a product engineering organisation
• How the leadership model is expected to evolve as headcount and AI infrastructure work expand

👉 Read WorkOS's analysis of engineering leadership in a product engineering model →

Engineering leadership at WorkOS: what it means for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →

TL;DR: Cyber Security Tribe’s 2025 annual state of the industry report compares 350-plus cybersecurity professionals’ responses across people, process, and technology, giving practitioners a benchmark for priorities and maturity shifts from 2024 into 2026. The report is most useful as a programme calibration tool, not a vendor scorecard.

NHIMG editorial — based on content published by Cyera: Cyber Security Tribe's 2025 Annual State of the Industry Report

By the numbers:

• The survey gathered responses from over 350 cybersecurity professionals.
• The survey was conducted between December 2024 and January 2025.

Questions worth separating out

Q: How should teams use cybersecurity benchmark reports in identity governance planning?

A: Use them to compare your programme’s operating assumptions with peer priorities, then check whether the gaps are in people, process, or technology.

Q: What does a people, process, and technology model miss in NHI governance?

A: It misses whether the identity subject is actually the same across controls.

Q: How can security leaders tell if their identity programme is over-focused on tooling?

A: If reporting tracks product deployment more closely than access ownership, exception closure, and lifecycle review, the programme is likely over-focused on tooling.

Practitioner guidance

• Re-baseline identity governance against all three operating dimensions Map current controls to people, process, and technology and identify where human IAM coverage does not extend cleanly to service accounts, API keys, tokens, and AI-driven access paths.
• Separate human and non-human benchmarks in reporting Track visibility, ownership, lifecycle, and exception handling for NHIs separately from human access review metrics so that one group’s maturity does not hide the other’s gaps.
• Use the report as a roadmap checkpoint Compare your current 2025 and 2026 priorities against peer benchmarks to see whether remediation work is still centred on tooling when operating-model change is the real constraint.

What's in the full report

Cyera's full report covers the survey detail this post intentionally leaves for the source:

• The year-over-year survey comparisons across people, process, and technology that let you benchmark your own programme.
• The expert commentary sections that explain how practitioners are interpreting the 2025 priorities.
• The full response breakdown from more than 350 cybersecurity professionals for deeper peer comparison.
• The report framing for using the benchmarks as a planning tool through 2026.

👉 Read Cyera's state of the industry report for cybersecurity benchmarks and trends →

Cybersecurity state of the industry report: what teams should benchmark?

Explore further

View Full Forum →  |  NHI Foundation Course →

TL;DR: Identity now sits in the center of breach paths, with Saviynt citing EY’s view that 90% of breaches involve identity through lateral movement and privilege escalation while AI compresses time-to-exploit and non-human identities outnumber people. That makes identity governance a core control plane for security, not just a compliance function.

NHIMG editorial — based on content published by Saviynt: EY's Ayan Roy on why identity security is now the foundation of defense in depth

By the numbers:

• Identity is involved in 90% of breaches through lateral movement and privilege escalation, making it the most critical and most overlooked layer of cyber defense.
• If a certification campaign only eliminates 2–5% of entitlements, you're doing compliance.

Questions worth separating out

Q: How should security teams govern non-human identities alongside workforce access?

A: Security teams should govern non-human identities with the same ownership, lifecycle, and review discipline used for people, but with tighter rotation and revocation expectations.

Q: When does identity security become more important than perimeter controls?

A: Identity security becomes more important when attackers can reach critical systems through valid credentials, delegated access, or over-privileged accounts.

Q: What is the difference between compliance-driven access review and real identity security?

A: Compliance-driven review checks whether a process was completed, while real identity security checks whether access risk was actually reduced.

Practitioner guidance

• Map identity blast radius across human and non-human access Build an inventory that links each identity to its privileges, downstream systems, and automation paths.
• Reduce standing privilege in high-risk paths Prioritize just-in-time elevation for admin, pipeline, and integration accounts that currently hold persistent rights.
• Tie identity telemetry to detection engineering Feed identity events into SIEM and endpoint workflows so privilege escalation, token misuse, and anomalous delegation can trigger response actions.

Teams that cannot measure blast radius will struggle to prove control effectiveness?

👉 Read Saviynt's analysis of EY's view on identity security and defense in depth →

Explore further

View Full Forum →  |  NHI Foundation Course →  |  Our Services →

TL;DR: Teleport’s interview with its senior sales director frames a familiar enterprise gap: identity tools often stop short of securing infrastructure itself, where humans, machines, workloads, and AI agents still need cryptographic control and policy enforcement. The practical lesson is that infrastructure identity remains a governance problem, not just a sales story.

NHIMG editorial — based on content published by Teleport: Meet the Sales Leader Who Leads From the Front and Won't Let You Settle for Less

Questions worth separating out

Q: How should security teams govern infrastructure identities alongside user identities?

A: Treat infrastructure identities as part of the same governance programme, but manage them with tighter lifecycle controls.

Q: When does policy-based access control reduce risk for NHI environments?

A: It reduces risk when policy is enforced at runtime and paired with short-lived credentials.

Q: What is the difference between managing human access and managing machine access?

A: Human access is usually governed through joiner-mover-leaver processes and interactive authentication.

Practitioner guidance

• Inventory infrastructure identities by control plane Create a single register for service accounts, workload identities, certificates, API keys, and agent credentials.
• Convert standing access into task-scoped access Replace persistent entitlements with short-lived approvals for administrative and machine access.
• Define separate trust paths for humans and agents Do not allow autonomous agents to inherit human operator assumptions.

With 79% of organisations having experienced secrets leaks, the governance bar is already higher than many teams assume, and audit evidence will matter as much as control design?

👉 Read Teleport's interview on infrastructure identity leadership and the security gap →

Explore further

View Full Forum →  |  NHI Foundation Course →  |  Our Services →

Identity security gaps in on-premise systems remain a critical challenge for enterprises despite advancements in cloud visibility. Many organizations have robust identity management for SaaS and cloud applications but neglect their on-prem and self-hosted environments. This oversight heightens identity risk as permissions multiply and governance processes fail to encompass these systems. Addressing these gaps is complicated, as integrating cloud tools often necessitates opening private network access, creating further security vulnerabilities.

👉 Read the full article from Unosecur here for comprehensive insights.

Key Insights

The Challenge of On-Premise Identity Security

• Organizations excel in identity management for cloud environments but often ignore on-premise systems.
• Self-hosted applications like GitHub and Jira pose significant security risks due to unmanaged permissions.
• The lack of visibility leads to unreviewed access and unsupervised governance processes.

Why Gaps Persist

• While security teams acknowledge the risks, solutions remain elusive due to the complexities involved.
• Creating connectivity between on-premise and cloud tools may further exacerbate security vulnerabilities.
• Altering firewall rules and ports can inadvertently open up the network to threats.

Impact on Security Programs

• The inability to manage identities in on-premise systems undermines overall security posture.
• Legacy applications and systems predating cloud adoption often lack modern governance frameworks.
• Continuous permissions accumulation can lead to data breaches and compliance issues.

Revamping Governance Strategies

• Fostering governance processes that extend to on-premise systems is paramount.
• Organizations must prioritize visibility and identity management across all environments.
• Innovative strategies and tools are essential for managing identity risks effectively.

👉 Access the full expert analysis and actionable security insights from Unosecur here.

In April 2026, a significant security breach at Vercel, a leading web infrastructure platform, compromised production workloads for major companies like OpenAI and Pinterest. The incident revealed that attackers exploited a routine OAuth request approved by a Vercel employee, gaining access through an AI tool, Context.ai, rather than through malware or code vulnerabilities. This incident underscores the risks of integrating AI tools and highlights the importance of vigilant identity management and OAuth security.

👉 Read the full article from Unosecur here for comprehensive insights.

Main Highlights

The Attack Overview

• The Vercel security breach occurred without exploiting zero-day vulnerabilities or traditional malware.
• Access was obtained via a routine OAuth process already approved by an employee, highlighting a crucial oversight.
• This incident serves as a cautionary tale for reliance on automated processes within modern engineering environments.

The Role of Context.ai

• Context.ai, an AI assistant, was integral to the workflow, learning from internal documents and communications.
• It used Google Workspace OAuth grants to function, which ultimately led to its compromise.
• The simplicity of the approval process masked a significant security vulnerability.

Identity Management Shortcomings

• The breach underscored weaknesses in identity management, with four identities exploited without malicious intent.
• This incident illustrates the need for stricter controls over third-party integrations and OAuth permissions.
• Organizations must develop robust policies to oversee the use of AI tools in workplace environments.

Lessons Learned from the Incident

• Employers should prioritize education and awareness about security risks associated with OAuth requests.
• Implementing multi-factor authentication could mitigate risks from unauthorized access granted through routine approvals.
• Security protocols should evolve alongside technological advancements to protect sensitive data and infrastructure.

👉 Access the full expert analysis and actionable security insights from Unosecur here.