- What: CISO discusses modernizing identity control
- Impact: Highlights challenges in managing complex identity ecosystems
Privilege risk is in the lifecycle: A CISO discussion on modernizing identity control

April 20, 2026

By Paul Wagenseil

In a recent CRA webcast, host Adrian Sanabria and CyberArk Vice President of Identity and Access Management Khizar Sultan painted a picture of an identity-security landscape struggling to keep pace with modern enterprise complexity. Identity controls and governance are no longer just supporting functions, the two agreed, but are central to preventing breaches.

Organizations today operate with sprawling identity ecosystems built over decades, often consisting of fragmented tools and outdated automations. "Organizations will have plenty installed when it comes to what they're using to manage the identities inside the organization, but they certainly have not optimized in the last couple of years, and that's what we're seeing a lot of when we talk to customers now," said Sultan.

A major focus of the conversation was identity lifecycle management (LCM), particularly the risks associated with joiners, movers, and leavers. While onboarding new employees (joiners) is relatively straightforward, the real danger lies in employees who change roles (movers) or leave the organization (leavers). Orphaned accounts left behind by leavers, and the privilege creep of access accumulated by users who move around within an organization, create fertile ground for attackers.

"If you look at attacks, hacks that have happened in the last decade, it's that parallel hopping that attackers will do from permission to user to user to system to system, and oftentimes in that attack chain there is some sort of orphaned account or orphan permission or user that they're exploiting along the way," said Sultan.

Privilege creep is particularly insidious because it builds gradually and often goes unnoticed.
Employees who change roles may retain access they no longer need, creating excessive permissions that increase risk. Even worse, new employees may inherit these flawed access models, perpetuating the problem. The result is an environment where overprivileged users become prime targets.

"Had they not taken away permissions every time I changed roles, I'd end up having access to things way beyond what I need access to, or way beyond what I need to do my job," Sultan explained.

To address these challenges, Sultan and Sanabria pointed to automation, AI-driven insights, and just-in-time access as critical components of modern identity governance. Manual processes simply cannot scale in environments with thousands of users and applications.

AI can help by analyzing access patterns, recommending appropriate roles, and reducing the burden of user access reviews. Instead of reviewing every permission manually, organizations can focus on anomalies and high-risk access.

At the same time, the shift toward zero standing privileges, in which users receive elevated access only when needed, represents a major evolution in identity controls and reduces the attack surface by limiting persistent access to sensitive systems.

Looking ahead, the discussion turned to a new and even more complex challenge: AI agents as half-human, half-machine identities. "An AI agent is basically a human, but with the speed and intellect of a machine," said Sultan. These non-human actors will soon outnumber human users but require the same governance controls, if not stricter ones.

"If we don't clean up permissions privileges and the way that we give access to things like AI agents," Sultan said, "we'll be in pretty bad shape come a couple more years from now, when the average organization will have something like a 50-to-one ratio of AI agents to a human employee."

"It's important to get your human access sorted," he added, because every human employee is now a tech worker. "Even if you're driving a truck, you're using a variety of different applications to do your job," Sultan said. "Nothing is hands-off tech anymore. Everyone's a knowledge worker to some degree."

Ultimately, the conversation made clear that identity governance is no longer optional or static. It must be continuous, automated, and deeply integrated across the organization. Without that shift, identity will remain the weakest and most exploited link in enterprise security.

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.