Technology Risk Briefing

Identity Security: Why It Has Become the Most Important Control in Modern Organisations

• David Horn • Season 1 • Episode 8

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 9:36

🔐 Identity Security: The Most Important Control You're Probably Not Managing Well Enough

Identity has become the new security perimeter.

In today's cloud-first, AI-enabled world, attackers increasingly don't need to break into organisations—they simply log in. As traditional network boundaries disappear, identity has become the foundation of security, operational resilience and trust.

In this episode of the Technology Risk Podcast, David Horn takes a deep dive into the growing challenges surrounding Identity Security and why it has become one of the most important technology risk topics facing organisations today.

Topics covered include:

✅ Why attackers are increasingly targeting identities rather than vulnerabilities

✅ The risks associated with privilege creep and excessive access

✅ Privileged Access Management and why administrator accounts remain prime targets

✅ Machine identities, service accounts and APIs – the hidden risks many organisations overlook

✅ Third-party access and supplier-related identity risks

✅ The emergence of AI agents and non-human identities

✅ Why identity resilience is becoming a board-level concern

✅ Practical warning signs organisations should look for and actions they can take to strengthen controls

Whether you're a technology leader, CISO, CIO, auditor, risk professional or board member, this episode provides practical insights into one of the most critical control areas in modern organisations.

Presented by David Horn
Sponsored by CauTix – Technology Risk and Control

🎧 Key risks. Real insights. Practical actions you can take.

#IdentitySecurity #CyberSecurity #TechnologyRisk #IAM #PAM #OperationalResilience #RiskManagement #TechnologyLeadership #AIGovernance #InformationSecurity #TechnologyControls #CauTix #TechnologyRiskPodcast

SPEAKER_00

Hello and welcome to the Technology Risk Podcast. I'm David Horn. Before we get started, I'd like to thank the sponsor of today's episode, Cortics, who help organisations strengthen technology governance, improve operational resilience, and build confidence in the controls that protect their most critical services. Now, when people think about cybersecurity, they tend to think about hackers, ransomware, phishing attacks, or perhaps the latest critical vulnerability that's making headlines. But if you ask many CISOs today what keeps them awake at night, increasingly the answer isn't malware or firewalls, it's identity. In fact, many security leaders now describe identity as the new perimeter. Reason's simple. Attackers don't necessarily need to break into organisations anymore. More often than not, they simply log in. And that's what we're going to explore today, why identity security has become one of the most important technology risk challenges facing organizations, where many businesses are getting it wrong, and what good looks like if you're trying to manage identity risk effectively. The world has changed. Twenty years ago, most organisations had fairly clear boundaries. Applications sat inside corporate data centres. Employees worked from offices. Access was largely restricted to internal networks. Security teams focused heavily on protecting the perimeter. But today, most organisations operate very differently. Applications live in the cloud. Employees work from almost anywhere in the world. Suppliers connect directly into your business systems. Customers access services online. And increasingly, artificial intelligence systems are interacting with applications on our behalf. In that world, the traditional perimeter has largely disappeared. The one thing that remains constant though is identity. Every action within an organization is ultimately performed by some form of identity, whether that be a person, a supplier, a service account, an application, or increasingly, an AI agent. And that's why identity has become such a critical focus area. So why do attackers target identities? One of the most interesting shifts we've seen over recent years is how attackers gain access to organisations. Historically, attackers needed sophisticated exploits. They had to find vulnerabilities, develop attack code, and work hard to break through technical defences. Today, many attacks start with something much simpler: a compromised account, a stolen password, a successful phishing attack, a supplier account that wasn't properly secured, or perhaps a privileged account with excessive access. Let's think about it from an attacker's perspective. Why spend weeks trying to break into a building when somebody has left the front door unlocked? That's essentially what compromised identities provide: legitimate access. And that's what makes identity attacks so dangerous. One issue I see repeatedly when reviewing organisations is something called privilege creep. Now that sounds quite technical, but the concept is actually very straightforward. Imagine somebody joins an organisation in a junior role. Over time they get promoted, they move departments, they take on additional responsibilities. Every new role requires new access, but often nobody removes the old one. Five or ten years later, that individual may have permissions accumulated from multiple previous roles. In many organisations, if you ask why somebody has access to a particular system, nobody can actually tell you. It's simply because they've always had it. And that's where risk starts to emerge, because excessive access doesn't just increase the impact of insider threats, it also increases the potential damage if an account is compromised. One of the easiest indicators of identity maturity is whether an organization can confidently explain why people have the access they currently have. Surprisingly many can't. Now let's take that challenge one step further. Not all accounts are created equal. Some users can reset passwords, some can create new accounts, some can change security settings, some can effectively control entire environments. These are privileged accounts. And if there's one category of identity that deserves attention from senior management, it's these. Because if a privileged account is compromised, attackers often gain the keys to the kingdom. I've seen organisations with hundreds of privileged accounts, I've seen administrators sharing credentials, I've seen service accounts with administrator rights that nobody realised still existed. One question I often ask is, how many people in this organisation have administrative access? The answer is usually much higher than the leadership expects. Mature organisations take a very different approach. They minimise privileged access, they monitor it closely, and increasingly they only grant elevated permissions when they're actually needed. What's particularly interesting is that many organisations focus heavily on human users. Employees receive training, levers are processed, access reviews take place. But often the biggest identity risks aren't people at all. They're machine identities, service accounts, application accounts, APIs, certificates, cloud workloads. These identities often outnumber employees many times over, yet they frequently receive far less scrutiny. The challenge is ownership. When you ask who owns a service account, the answer is often unclear. Maybe it belonged to a project team that no longer exists. Maybe the original owner left years ago. Maybe nobody really knows. And that's where risk accumulates, because unmanaged identities inevitably become poorly controlled identities. One of the strongest indicators of identity maturity is whether every identity has a clearly accountable owner. Not most identities, every identity. Another major challenge involves suppliers. Modern organisations rely heavily on third parties. Cloud providers, managed service providers, software vendors, consultants, support partners, all of these relationships often require access. The problem is that third-party access frequently falls into a grey area. Internal teams assume suppliers are managing security, suppliers assume the organization is monitoring access, and somewhere in the middle visibility is lost. When major incidents occur, organisations are often surprised by the extent of supplier access that exists. One useful exercise is to ask a simple question: if we terminated every supplier relationship tomorrow, could we identify every account that we would need to remove? If that answer isn't immediately available, there may be more risk than people realise. Perhaps the biggest identity story right now involves AI agents. Increasingly, organisations are deploying systems that can retrieve information, make decisions, trigger workflows, and interact with applications. In many ways, these agents are beginning to behave like digital employees. But unlike employees, organizations often haven't yet developed governance frameworks for them. Who owns the AI agent? What systems can it access? What actions can it perform? How is activity monitored? What happens if it behaves unexpectedly? These are rapidly becoming some of the most important identity questions organizations face. The key principle is actually very simple. If an AI agent can perform actions inside your organization, it should be governed just like any other user. Unfortunately, many organizations are only beginning that journey. One final point that I think is often overlooked. Identity security isn't just about preventing attacks, it's also about resilience. Think about how many critical services depend on identity platforms today. Employees logging into systems, customers accessing applications, administrators managing environments, cloud platforms authenticating users. Now imagine your identity platforms become unavailable. How long could your organisation continue to operate? For many businesses, the answer is surprisingly short. That's why leading organisations increasingly treat identity systems as critical infrastructure. They test recovery procedures, they validate backup mechanisms, and they ensure that they can recover identity services rapidly following disruption. Because ultimately, resilience is about assuming nothing will go wrong, it's about being prepared when it does. So, if there's one message I'd leave you with today, it's this identity security is no longer an IT administration activity. It's one of the most important technology risk disciplines in any modern organization. As organizations become more cloud-based, more interconnected, and increasingly dependent on AI, identity becomes the foundation upon which trust is built. The organizations that understand this are investing heavily in identity governance, privileged access management, machine identity management, and resilience. Those that don't may discover during an instant that they were far more exposed than they realized. I'm David Horn. Thank you for listening to the Technology Risk podcast sponsored by Cortex. Until next week, stay resilient, stay informed, and stay ahead of Technology Risk.