
December 4, 2025 8 min read

Building resilience with IAM: Unifying access, risk, and compliance

Many security breaches result from identity and access management (IAM) gaps—and they can go undetected for a long time.

According to IBM's Cost of a Data Breach Report 2025, it takes about 300 days to detect an identity attack. Cyber actors who use identity as a basis for attack have various motivations, such as reselling access to compromised systems on the dark web or siphoning information to monetize it further. Fortunately, organizations can fortify their resilience against these types of attacks by upgrading their IAM approach to account for more sophisticated threats.

The challenge of identity-based attacks

Threat actors love identity because it gives them unrestricted access to a range of systems. Armed with a phone number or device they've compromised, an attacker can look and behave just like the person whose digital identity they’ve stolen. With the advent of agentic AI, we now also have machines that can act just like humans—logging in to websites, paying bills, and transferring money. Attackers use these tools too, and over time they can shape an Internet user’s behavior so that malicious activity looks normal. Identity-based attacks continue to proliferate because threat actors prioritize:

  1. Volume: Faster to adopt new technologies, such as GenAI
  2. Velocity: Work better as a community
  3. Variety: Don’t worry about compliance/standards

Whether human or machine is at fault, as more businesses lean into digital, more critical services—such as paying electric bills and accessing bank accounts—could be disrupted by cyberattacks, accelerating compliance needs.

In the future, every compliance team must ensure they understand the type of threat actor they’re dealing with, build security measures around that threat, understand the risks, and move forward from there, an approach known as cyber-resilient identity. This means systems don’t just need to be secure; they also require uptime and the ability to determine whether a user is good or bad, or whether a user looks good but is actually engaging in anomalous transactions or behaviors. Identity must have an audit-friendly control plane to identify gaps and to plan and conduct proper risk assessments.

Why identity and access management is critical

Gartner says IAM “ensures the right people get access to the right resources at the right times for the right reasons.” It controls access to critical systems and sensitive data, reduces breach surfaces and insider threats, and responds to incidents by quickly isolating accounts and systems.

The original focus of IAM back in the 1990s was on quickly managing application sprawl, or providing access as soon as possible, depending on the following three employee designations:

  1. Joiner—someone joining the company
  2. Mover—someone moving departments in the company
  3. Leaver—someone leaving the company

In each of these scenarios, the individual’s access and entitlements should change. But this categorization was created at a time when the employer network sat at the epicenter, and employees literally walked into the building, used a physical access card, and logged in to their desktops. Today, employees bring their computers home, meaning everything is digital and therefore porous, because the network is no longer in a position of power.

This outdated categorization also leaves out another crucial entity: Adversary, whether it’s someone already within your organization or outside of it. The goal of modern IAM is to establish and maintain trust in all identities—whether they're human, machine, or AI agents. By incorporating the adversary persona into the IAM approach, organizations become more threat-aware and evolve from the original IAM conception.
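The joiner, mover and leaver changes described above, plus a check for directory accounts that HR does not know about (the kind of stale identity an adversary can reuse), as an added Python example that is not AuditBoard's code; the role model, HR records and granted entitlements are constructed for illustration:

```python
from dataclasses import dataclass

# Hypothetical role model: department -> entitlements everyone in it should hold.
ROLE_ENTITLEMENTS = {
    "finance": {"erp:read", "erp:post-journal"},
    "engineering": {"git:push", "ci:deploy"},
}

@dataclass
class HrRecord:
    department: str
    status: str  # "active" or "terminated"

def expected_entitlements(rec: HrRecord) -> set:
    """A leaver should hold nothing; an active person gets their department's set."""
    return set() if rec.status != "active" else set(ROLE_ENTITLEMENTS.get(rec.department, ()))

def reconcile(hr: dict, granted: dict) -> dict:
    """Compare HR truth with what the directory has granted; return required actions."""
    actions = {"grant": {}, "revoke": {}, "disable": [], "orphaned": []}
    for user, have in granted.items():
        rec = hr.get(user)
        if rec is None:
            actions["orphaned"].append(user)  # account nobody in HR owns
            continue
        want = expected_entitlements(rec)
        if rec.status != "active":
            actions["disable"].append(user)  # leaver: disable, not just trim
        if want - have:
            actions["grant"][user] = sorted(want - have)   # joiner/mover gains
        if have - want:
            actions["revoke"][user] = sorted(have - want)  # mover/leaver loses
    for user, rec in hr.items():  # joiners with no directory account yet
        if user not in granted and rec.status == "active":
            actions["grant"][user] = sorted(expected_entitlements(rec))
    return actions

# Constructed sample: alice moved finance -> engineering, bob left,
# carol just joined, and "svc-old" exists only in the directory.
HR = {
    "alice": HrRecord("engineering", "active"),
    "bob": HrRecord("finance", "terminated"),
    "carol": HrRecord("finance", "active"),
}
GRANTED = {
    "alice": {"erp:read", "erp:post-journal", "git:push"},
    "bob": {"erp:read"},
    "svc-old": {"ci:deploy"},
}
```

Running `reconcile(HR, GRANTED)` lists the grants and revocations for each person and flags `svc-old` as orphaned.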

The new IAM era

With an explosion of data and AI-driven processes flooding organizations, security, risk, and compliance professionals now need to ask who has access to what, when, and why. AI systems increase the complexity of data visibility and control, and sensitive data now travels farther and faster than ever. This necessitates a new approach to IAM that isn’t just focused on security but also on operational continuity. It positions IAM as controlling access to critical systems and sensitive data, reducing breach surfaces and insider threats, and responding to incidents by quickly isolating accounts and systems.

To bring your organization’s IAM approach into the modern era, think like both an attacker and an end user. This means using the identity lifecycle to visualize user journeys, mapping identity-based threats onto those journeys, and leveraging predictive AI, orchestration, and modernization to unify the lifecycle, aiming for a holistic view. Here are the five identity lifecycle phases, the goal of each, and recommendations to upgrade your IAM approach in each.

  1. Onboarding/registration: Convert a stranger into someone who's known. Account for technologies like deepfakes, use liveness detection and identity verification, and ensure the user is on a device you trust. Low-hanging fruit: check telemetry and the device itself for known bad IPs or devices.
  2. Digital identity account creation: Create a trusted digital identity using credentials based on Fast Identity Online (FIDO), which sets the standard for passwordless passkeys. To guard against account takeover attacks (ATOs), use detection technology, trigger authentication, and leverage contextual signals to flag account or address changes that look suspicious. Also conduct a secondary type of verification.
  3. Authentication and “ongoing access”: Facilitate day-to-day access. Balance user experience, security, and total cost of ownership. This means that every time a user logs in, they’re not proving who they are—they are just going through the authentication process. Here again, leverage FIDO and fraud-risk-based conditional access.
  4. Account recovery stage: Secure an account reset. Use an onboarding-lite approach—you know who this user is—mitigate deepfakes, look for alternative authenticators, enable telemetry and bot detection, and monitor activity after the reset.
  5. Trust layer: Establish and maintain digital trust, and balance user experience, security, and TCO (“zero trust”). Focus on predictive AI, authentication, behavior, fraud, device trust, telemetry, and continuous authentication.
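A fraud-risk-based conditional access decision of the kind phases 2, 3 and 5 describe (known bad IPs, device trust, bot telemetry, suspicious account changes), as an added Python example that is not AuditBoard's code; the signal weights, thresholds, reputation sets and sample events are all constructed:

```python
from dataclasses import dataclass

# Constructed reputation data; a real deployment pulls these from threat-intel
# feeds and the device-trust inventory. 198.51.100.0/24 is a documentation range.
KNOWN_BAD_IPS = {"198.51.100.7"}
TRUSTED_DEVICES = {"dev-alice-laptop"}

@dataclass
class AccessEvent:
    user: str
    device_id: str
    ip: str
    action: str                # "login", "change_address", "reset_password"
    bot_score: float = 0.0     # 0 = human-like, 1 = automation-like (from telemetry)
    new_geo: bool = False      # first time this user appears from this country
    recent_profile_changes: int = 0  # address/email/phone edits in the last 24h

def score(ev: AccessEvent) -> tuple:
    """Add up contextual-signal risk; return (total, list of (reason, weight))."""
    reasons = []
    if ev.ip in KNOWN_BAD_IPS:
        reasons.append(("known_bad_ip", 60))
    if ev.device_id not in TRUSTED_DEVICES:
        reasons.append(("untrusted_device", 25))
    if ev.new_geo:
        reasons.append(("new_geography", 15))
    if ev.bot_score >= 0.8:
        reasons.append(("automation_signature", 30))
    if ev.action in ("change_address", "reset_password"):
        # Profile changes are where an account takeover cashes out, so weight them.
        reasons.append(("sensitive_action", 20 + 10 * ev.recent_profile_changes))
    return sum(w for _, w in reasons), reasons

def decide(ev: AccessEvent) -> str:
    """Map risk to a conditional-access outcome: allow, step_up, or deny."""
    total, _ = score(ev)
    if total >= 70:
        return "deny"      # isolate the session and hand it to the responders
    if total >= 30 or ev.action != "login":
        return "step_up"   # trigger a FIDO/passkey prompt or secondary verification
    return "allow"

# Constructed events: routine login, address change from a new device and
# country, and an automation-like login from a known bad IP.
EVENTS = [
    AccessEvent("alice", "dev-alice-laptop", "203.0.113.5", "login"),
    AccessEvent("alice", "dev-unknown", "203.0.113.9", "change_address", new_geo=True),
    AccessEvent("alice", "dev-unknown", "198.51.100.7", "login", bot_score=0.95),
]
```

`[decide(e) for e in EVENTS]` yields allow, step_up and deny respectively, and `score(e)[1]` gives the audit-friendly list of reasons behind each outcome.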

Implementing these upgraded IAM recommendations enables continuous authentication and consistent device evaluation across these phases, helping you pinpoint and address gaps to stay ahead of today’s identity-based attacks and their future iterations.
