
The State of Identity Security: Why Identity Is the #1 Cyber-Attack Vector  

April 2, 2026 | Blog: Carolynn van Arsdale | posted by Carolynn Van Arsdale

Consistently, researchers point to identity as the number one cyber-attack vector. It provides the path of least resistance that fuels ransomware attacks, data breaches, and other incidents that can be detrimental. However, this isn’t a new problem for Chief Information Security Officers (CISOs): In 2024, 90% of organizations experienced at least one identity-related incident.  

Cybersecurity teams are in a race with the bad guys to minimize the identity attack surface before it can be exploited. For security leaders to earn a spot on the podium, and ensure attackers finish dead-last, they need to first look back, rather than forward, to understand how the state of identity security came to be.  

In this blog post, we lean on the insights shared in Radiant Logic’s new podcast, Radio Logic. Episode 1: The State of Identity Security pieces together why identity has become the favored attack vector, as well as what security leaders can do to outsmart adversaries. 

Why Identity Wasn’t Built for Cybersecurity

As Simon Moffatt, founder and CEO of analyst firm The Cyber Hut made clear to Radiant Logic Sr. Vice President Anders Askasen in the first episode of Radio Logic: 

“Identity was about productivity and compliance… it wasn’t really built for security.” — Simon Moffatt 

To tackle identity security in 2026, leaders need to look back at the ways in which identity and access management (IAM) and identity governance and administration (IGA) grew separately, rather than with cybersecurity. Moffatt and Askasen agreed in their conversation that enterprise identity efforts were originally tied to operational business needs, rather than potential security risk. 

Identity is still integral to business efficiency in 2026 and should be treated as such, Moffatt stressed. But understanding how enterprise identity has historically been prioritized exposes a gap in cybersecurity strategy, and makes the identity attack surface of today easier to explain.

The Expanding Identity Attack Surface in Modern Enterprises

On top of this lack of security prioritization for identity, digital transformations, such as moving on-premises solutions to the cloud and adopting software-as-a-service (SaaS) products, have fragmented enterprise environments. This hybrid collection of different technology architectures makes it even more difficult for enterprises to understand their identity ecosystem.

“It’s been a gradual occurrence, but equally it’s a sort of perfect storm of legacy technology, isolated and siloed security components. Plus, we have more identities to manage.”  — Simon Moffatt

Because there is no cybersecurity technology today that doesn’t rely on identity, as Moffatt put it, security leaders need to find a unifying control that can account for this fragmentation. This control, also known as an identity layer, can help to bridge the gap between IAM/IGA and cybersecurity.  

“You need that identity layer under control… bringing all these different legacy silos and SaaS applications under one roof.” — Simon Moffatt

Once that unifying identity layer is in place, cybersecurity teams will have a starting point to begin reducing their organization’s identity attack surface. This identity visibility will provide defenders with a comprehensive picture of the multitude of identities that exist within enterprises – making it easier to strive for a Zero Trust ecosystem. As Askasen noted: “If you can’t see it, you can’t manage it.”

The Three Identity Problem   

Having visibility into the identity ecosystem does come with a key challenge: Enterprise identities are no longer solely human. Moffatt stressed that despite modern enterprises still not having a confident grip on the security of human identities, continued digital transformations have brought new identities that need managing to the CISO’s desk.  

For example, non-human identities (NHIs), which often outnumber humans 10-to-1 and come in the form of service accounts, APIs, workloads, and machines, are poorly governed because ownership is unclear and monitoring is minimal. Moffatt stressed that “we’ve not solved this NHI problem,” which only increases the identity attack surface.

There is also identity’s newest frontier: Agentic AI. These identities exist as autonomous agents that analyze, decide and act on key processes within the enterprise, creating a new threat landscape that attackers can exploit. Moffatt characterized the risks that stem from Agentic AI identities as adding children to a workforce: “it’s a bit like giving permissions and control to a toddler.” 

As a result of these digital transformations, the state of identity security is now defined by the Three Identity Problem: Enterprises must secure human, non-human and Agentic AI identities before attackers can exploit them.

Context Matters

Every CISO strives for their organization to maintain a Zero Trust architecture, so that it is protected from both internal and external threats. Identity security, which historically has been left outside cybersecurity conversations, now demands that Zero Trust be applied to human, non-human and Agentic AI identities. As Moffatt put it in this episode of Radio Logic, gaining context on these identities is where cybersecurity teams should start.

“Zero Trust is all about context, and the more information you have, the better decision‑making you can achieve.” — Simon Moffatt

For deeper insights into the consequences of legacy identity technologies, the threats plaguing identity security today, and how CISOs can best move forward to minimize the identity attack surface, watch or listen to Radio Logic Episode 1: The State of Identity Security. 


When AI Acts for You: Getting “On Behalf Of” Right  

April 1, 2026 | Blog: Lisa Grady | posted by Carolynn Van Arsdale

I just got back from the RSA Conference in San Francisco, where I binged more sessions on AI agents than is probably healthy. I came for architecture diagrams and real-world case studies; I left with a notebook full of ideas — and a healthy dose of fear about what happens when we wire autonomous software into everything and hope the identity and access management (IAM) team ‘has it covered.’

Much of this thinking was shaped by Aaron Turner and Rich Mogull’s “Multi-MCP and Multi-Agent Security Reference Architectures” session and Sriram Santhanam’s “Cloudy with a Chance of AI” session on identity-first AI architectures. Those talks drew a clear line from identity sprawl and non-human identity explosions to the way agents should use “on-behalf-of” tokens and delegated authority. 

There is a clear takeaway from these presentations: The most dangerous AI systems aren’t the ones that hallucinate — they are the ones that act. 

As enterprises wire AI agents into ticketing systems, code repositories, CRMs, and data lakes, a single design choice quietly determines whether those agents behave like trusted assistants or runaway insiders: how an agent uses identity and authorization. 

That’s where OAuth “on-behalf-of” (OBO) comes in. In this blog post, I define what OBO is, why it’s essential for enterprise use of agentic AI, and how it helps organizations achieve a Zero Trust AI architecture. 

The Moment AI Starts Using Your Permissions

In a classic web app, OAuth is straightforward: a user signs in, gets a token, and the app calls APIs using that token. The app is essentially a messenger. It doesn’t have its own long-term power; it just passes along the user’s authority. 

AI agents break that mental model. 

Agents don’t just pass requests along. They interpret goals, choose tools, and run multi-step workflows. That means they will call downstream APIs and tools without the user being directly involved. If all the agent has is a broad service account token, then it has effectively been given permanent admin rights — and the user can only hope for the best-case scenario.

OBO is how you avoid that. 

With OBO, the chain looks more like this: 

  • The user authenticates and gets a token that represents their identity and base permissions. 
  • The agent requests a new token, explicitly marked as acting on behalf of that user and scoped to the specific task or resource it needs. 
  • Downstream APIs see not just “an agent” but “this agent, acting for this user, with these narrow permissions, for this limited time.” 

Instead of hard-coding secrets into agents or giving them standing access, delegated, short-lived OBO tokens are issued for each hop. The agent never owns the keys; it temporarily borrows just enough authority to do a well-defined job. 

That’s the difference between “this agent can do anything in the CRM” versus “this agent can read opportunities for this salesperson for the next 10 minutes to draft follow-up emails.” OAuth OBO helps enforce Zero Trust by issuing short-lived, scoped tokens that let each backend verify and limit what an app or agent can do while still acting explicitly in the context of a specific user. 

Every Agent Needs a Human Shadow

Treating agents as first-class identities is now table stakes. They should be registered, authenticated, and governed like any other application. But they must never be allowed to exist and operate without being anchored to a specific, accountable human identity. 

An AI agent is not a person. It doesn’t own risk, sign contracts, or go to court. It is an execution proxy. Every meaningful action it takes should be traceable back to a human principal: Who was the AI acting for? 

Linking agents to humans through OBO tokens makes that connection concrete: 

  • Each agent has its own client identity, but every privileged call it makes carries the user’s identity in the delegation chain. 
  • Logs and audit trails show: “Agent X, acting on behalf of User Y, called API Z with scopes S at time T.” 
  • If something goes wrong, the lapse can be attributed to which user’s authority was used, which agent misbehaved, and which systems were touched. 

That linkage isn’t just for forensics. It’s how cybersecurity teams can attenuate risk in real time. If an agent is spotted doing something suspicious, OBO ensures that the admin or security architect can revoke the user’s access, which expires all related tokens. The security team can then disable that agent’s identity and tighten its policies — all without decommissioning other necessary agents or redesigning the agent itself. 

Without that clear relationship — the OBO parameter tying tokens back to real people — IAM and security teams are left with a fog of autonomous systems making changes no one can fully explain or stop.
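The token chain described under “The Moment AI Starts Using Your Permissions” and the audit and revocation behaviour described in this section, as an added example. This is not Radiant Logic’s code, nor any real authorization server’s OBO implementation; the `AuthServer`, `CrmApi`, scope names and sample data are assumptions made for illustration. It shows a user token being exchanged for a short-lived delegated token scoped to one task, a downstream API recording “Agent X acting on behalf of User Y with scopes S at time T”, and revocation of the human invalidating every token in the chain. The scope intersection also makes the point from the next section concrete: the agent can only inherit what the human actually holds, so an over-permissioned human produces an over-permissioned agent.

```python
# Toy model of OAuth "on-behalf-of" (OBO) delegation for an AI agent.
# Added example, not code from Radiant Logic or from any real authorization
# server; AuthServer, CrmApi and the scope names are illustrative assumptions.
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Token:
    subject: str             # the human principal the token is ultimately for
    actor: Optional[str]     # agent client id when delegated, None for a plain user token
    scopes: frozenset        # narrow permissions carried by this token
    expires_at: float        # absolute expiry (epoch seconds)
    jti: str                 # unique token id, used for audit and revocation


class AuthServer:
    """Issues user tokens and delegated (OBO) tokens, tracks revocation, keeps an audit log."""

    def __init__(self):
        self.users = {}             # user id -> base scopes the human actually holds
        self.agents = set()         # registered agent client ids (agents are first-class identities)
        self.revoked_users = set()  # revoking the human invalidates every token in their chain
        self.audit = []

    def register_user(self, user, scopes):
        self.users[user] = frozenset(scopes)

    def register_agent(self, client_id):
        self.agents.add(client_id)

    def login(self, user, now=None, ttl=3600):
        now = time.time() if now is None else now
        return Token(user, None, self.users[user], now + ttl, secrets.token_hex(8))

    def is_valid(self, token, now=None):
        now = time.time() if now is None else now
        return token.subject not in self.revoked_users and now < token.expires_at

    def exchange_obo(self, user_token, agent_id, requested_scopes, now=None, ttl=600):
        """Agent exchanges the user's token for a short-lived token scoped to one task.
        The delegated scopes are the intersection of what was requested and what the
        human holds: an agent can never borrow more authority than its principal has."""
        now = time.time() if now is None else now
        if agent_id not in self.agents:
            raise PermissionError("unregistered agent")
        if user_token.actor is not None:
            raise PermissionError("only a user token may be exchanged (no re-delegation)")
        if not self.is_valid(user_token, now):
            raise PermissionError("user token expired or revoked")
        granted = frozenset(requested_scopes) & user_token.scopes
        if not granted:
            raise PermissionError("no requested scope is held by the user")
        return Token(user_token.subject, agent_id, granted, now + ttl, secrets.token_hex(8))

    def revoke_user(self, user):
        self.revoked_users.add(user)


class CrmApi:
    """Downstream resource server: verifies the delegated token and records who acted for whom."""

    def __init__(self, auth, opportunities):
        self.auth = auth
        self.opportunities = opportunities  # owner -> opportunity names (constructed data)

    def read_opportunities(self, token, now=None):
        now = time.time() if now is None else now
        if not self.auth.is_valid(token, now):
            raise PermissionError("token invalid")
        if "crm.opportunities.read" not in token.scopes:
            raise PermissionError("scope missing")
        self.auth.audit.append(
            f"Agent {token.actor} acting on behalf of {token.subject} called "
            f"read_opportunities with scopes {sorted(token.scopes)} at {now:.0f} (jti={token.jti})"
        )
        return list(self.opportunities.get(token.subject, []))


def demo(now=1_700_000_000.0):
    """Walk the chain: user login -> agent OBO exchange -> downstream call -> revocation."""
    auth = AuthServer()
    auth.register_user("alice", {"crm.opportunities.read", "mail.draft"})  # least-privileged seller
    auth.register_agent("followup-agent")
    crm = CrmApi(auth, {"alice": ["Acme renewal", "Globex upsell"]})         # constructed sample data

    user_token = auth.login("alice", now)
    # The agent asks for more than it needs; it only receives what Alice actually holds.
    obo = auth.exchange_obo(user_token, "followup-agent",
                            {"crm.opportunities.read", "crm.opportunities.write"}, now)
    rows = crm.read_opportunities(obo, now)

    auth.revoke_user("alice")  # incident response: revoking the human kills the whole chain
    return {"scopes": set(obo.scopes), "ttl": obo.expires_at - now, "rows": rows,
            "audit": list(auth.audit), "valid_after_revoke": auth.is_valid(obo, now)}


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The delegated token is rejected if it is presented for a second exchange, so an agent cannot mint further tokens from a borrowed one; real deployments that need multi-hop delegation would carry the chain explicitly in the token rather than relying on this simplification.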

You Can’t Govern Agents on a Disorganized, Disconnected Identity Layer   

All of this assumes something uncomfortable: that your human identity layer is in good shape. In many organizations, it isn’t. 

Years of cloud adoption have left behind overlapping directories, stale accounts, over-permissioned roles, and long-lived secrets. The result is identity sprawl: multiple “versions” of the same person, shadow admin access, and service accounts no one really owns. 

If OBO-based agents are dropped into that environment, existing problems simply multiply: 

  • If humans are over-permissioned, their agents inherit that excess by design. 
  • If you have duplicate or shared accounts, logs that say “acting on behalf of user X” don’t actually tell you which human that is. 
  • If secrets and roles are messy, it’s hard to scope OBO tokens meaningfully — everything looks like “full access.” 

This is why, before an enterprise gets clever with agent design, IAM teams need to do the unglamorous groundwork: 

  • Consolidate human identities.  Aim for one canonical identity per person across major systems. Kill duplicate and shared accounts. 
  • Right-size human permissions.  Strip back roles to least privilege. If a salesperson doesn’t need edit access to every customer, their agent probably shouldn’t either. 
  • Enforce strong auth and ownership.  MFA, SSO, clear account owners, and regular reviews are now prerequisites — not nice-to-haves. 

Once your enterprise’s human identity fabric is clean and reasonably least-privileged, OBO becomes a precision tool instead of a blunt instrument. Agents can safely inherit just enough authority from humans, and you can actually trust that your logs and policies accurately reflect reality. When an action appears in the logs as “Agent X acting on behalf of User Y with Scope Z,” you can rely on that being true, so you can investigate incidents, enforce rules, and make decisions based on that data with confidence rather than guessing who really did what or what access they actually had.


From The Pitt to Mississippi: Why Ransomware Is Testing the Digital Foundation of Healthcare 

March 31, 2026 | Blog: Paul Dant | posted by Carolynn Van Arsdale

An episode of HBO’s The Pitt shows a hospital going offline to avoid a cyber-attack, a narrative designed to heighten tension. At the same time, in reality, the University of Mississippi Medical Center shut down systems statewide following a ransomware attack. Once again, fiction becomes a headline.

In both scenarios, clinicians reverted to manual processes: electronic boards disappeared, digital workflows stalled, and AI tools became inaccessible. Patient care continued, but under strain.

The lesson is not that healthcare should slow innovation. The lesson is that digital transformation without identity visibility creates systemic fragility. 

Healthcare’s Expanding Identity Surface: Human and Non-Human Identities Across Hospitals

Today’s hospital environment includes a complex mix of human and non-human identities, spanning human clinicians and staff, contractors and rotating residents, and telehealth providers, alongside a growing ecosystem of technology such as EHR platforms, AI documentation tools, diagnostic systems, medical devices, APIs and integration layers, and cloud analytics engines. 

Each element introduces identities. Not just usernames and passwords, but service accounts, machine credentials, tokens, and automation workflows. In many hospitals, these identities are siloed across directories, cloud environments, legacy systems, and SaaS platforms. Attackers do not see silos. They see pathways. 

Ransomware as an Exposure Multiplier: How Identity Weaknesses Are Exploited 

Ransomware actors exploit a range of identity and access weaknesses, including over-privileged service accounts, unmonitored non-human identities, dormant accounts, opportunities for lateral movement, and weak segmentation across environments. 

In highly connected hospital environments, a single compromised identity can cascade across systems. When UMMC shut down its network, it was acting to contain risk. But containment after compromise is expensive, disruptive, and operationally painful. The more sustainable strategy is preemptive visibility. AI adds capability, but it also adds identity complexity. 

Beneath this complexity lies a quieter risk: Every AI integration expands the identity attack surface. 

AI tools require broad data access, deep system integration, elevated permissions, and persistent connectivity to function effectively. Without unified observability across those identities, hospitals may lack visibility into which systems are interconnected, which machine accounts hold privileged access, where excessive permissions exist, and how far a compromise could spread.

Identity as the Foundation of Clinical Resilience  

Resilience in healthcare is not simply about backups or downtime procedures. It requires unified visibility across all human and non-human identities, continuous monitoring of access risk, a contextual understanding of identity relationships, and proactive remediation of toxic combinations and privilege sprawl. Hospitals cannot treat identity as an IAM checkbox; it is operational infrastructure. 

When ransomware hits, it is not just a cybersecurity event. It is a patient safety event.

The Real Question for Healthcare Leaders

The question is not whether to deploy AI; it is whether you understand the identity ecosystem that supports it.

Healthcare leaders should be asking: 

  • Do we have a single, accurate view of all identities across our environment? 
  • Can we map which machine accounts are connected to critical systems? 
  • Do we know our identity blast radius?
  • Can we isolate compromise without shutting down the entire network?

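The four questions above, and the earlier point that a single compromised identity can cascade through stored machine credentials, can be answered concretely with a small graph of who can reach what. The following is an added example, not Radiant Logic’s code; the hospital-style node names, the edges and the set of “critical systems” are constructed for illustration. It computes the blast radius of a compromised identity, lists the machine accounts connected to critical systems, and ranks which single stored credential to rotate or remove to shrink exposure without taking a system offline.

```python
# Identity blast-radius analysis over a constructed hospital-style access graph.
# Added example, not Radiant Logic's code; node names, edges and the critical
# system set are invented to illustrate the questions in the post.
from collections import deque

# Directed edges. "id:" nodes are identities (human or non-human); "sys:" nodes are systems.
#   identity -> system : the identity can log in to / call that system
#   system -> identity : the system holds a usable credential for that identity
#                        (cached password, token in a config file, service key)
EDGES = {
    "id:nurse-kim": {"sys:workstation-7", "sys:ehr"},
    "id:dr-lee": {"sys:ehr", "sys:telehealth"},
    "sys:workstation-7": {"id:svc-printspool"},      # cached spooler service password
    "id:svc-printspool": {"sys:print-server", "sys:file-share"},
    "sys:file-share": {"id:svc-integration"},        # integration token left in a config file
    "id:svc-integration": {"sys:ehr", "sys:ai-scribe", "sys:lab-system"},
    "sys:ai-scribe": {"id:svc-ai-scribe"},           # the scribe tool's own API key
    "id:svc-ai-scribe": {"sys:ehr", "sys:cloud-analytics"},
}
CRITICAL_SYSTEMS = {"sys:ehr", "sys:lab-system", "sys:cloud-analytics"}


def reachable(start, edges=EDGES, cut=None):
    """Breadth-first walk from a compromised node; `cut` is one (src, dst) edge to ignore."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in sorted(edges.get(node, ())):
            if cut == (node, nxt) or nxt in seen:
                continue
            seen.add(nxt)
            queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius(start, edges=EDGES, critical=CRITICAL_SYSTEMS):
    """Everything a compromise of `start` can spread to, split by kind."""
    r = reachable(start, edges)
    return {
        "identities": sorted(n for n in r if n.startswith("id:")),
        "systems": sorted(n for n in r if n.startswith("sys:")),
        "critical": sorted(r & critical),
    }


def machine_accounts_touching_critical(edges=EDGES, critical=CRITICAL_SYSTEMS):
    """Non-human identities (svc- prefix by convention here) directly connected to a critical system."""
    return sorted(n for n, outs in edges.items() if n.startswith("id:svc-") and outs & critical)


def containment_options(start, edges=EDGES, critical=CRITICAL_SYSTEMS):
    """Rank single stored-credential edges whose removal shrinks critical-system exposure.
    Only system -> identity edges are candidates: cutting one means rotating or removing a
    stored credential, which is far less disruptive than shutting a system down."""
    baseline = len(reachable(start, edges) & critical)
    options = []
    for src, outs in edges.items():
        if not src.startswith("sys:"):
            continue
        for dst in outs:
            after = len(reachable(start, edges, cut=(src, dst)) & critical)
            if after < baseline:
                options.append((baseline - after, src, dst))
    return sorted(options, reverse=True)


if __name__ == "__main__":
    print(blast_radius("id:nurse-kim"))
    print(machine_accounts_touching_critical())
    print(containment_options("id:nurse-kim"))
```

In the constructed graph a nurse’s workstation reaches all three critical systems through two stored service credentials, while the physician account reaches only the EHR it is entitled to; the ranking shows that rotating either of the two cached credentials cuts the exposed critical set from three systems to one.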
Innovation without identity intelligence is risk accumulation. The Pitt ends with a simple truth: when technology fails, human judgment remains. In cybersecurity, when visibility fails, uncertainty remains. Hospitals will continue to innovate, but as ransomware increasingly targets healthcare, resilience will depend less on the newest tool and more on the strength of the identity foundation beneath it. 

When the screen goes dark, architecture determines the outcome. 

To learn how your healthcare organization can achieve identity clarity for patient safety, Zero Trust and operational resilience, head to healthcareidentity.com.


ISPM vs Identity Intelligence: Why Modern Identity Security Requires Both 

March 25, 2026 | Blog: Paul Dant | posted by Carolynn Van Arsdale

Identity has become the backbone of modern security architecture. As organizations expand across cloud, SaaS, automation, and AI-driven systems, identity is no longer just about authentication and provisioning. It is the primary control layer governing access to data, applications, and infrastructure. 

Yet most identity environments were not designed to operate at today’s scale or complexity. Human users now coexist with service accounts, APIs, bots, and AI agents. Permissions sprawl across directories, clouds, and applications. And identity risk increasingly emerges not from a single misconfiguration, but from the interaction between identities, access, and behavior over time. 

This is why two complementary approaches are gaining traction: Identity Security Posture Management (ISPM) and Identity Visibility and Intelligence Platforms (IVIP). Together, they represent a shift from static identity governance toward continuous identity assurance.

Identity Security Posture Management: Establishing Identity Hygiene and Control 

Identity Security Posture Management focuses on the health of identity configurations. Its role is to continuously assess whether identity systems are aligned with internal policies, least-privilege principles, and regulatory requirements. 

ISPM monitors identity environments for excessive permissions, orphaned accounts, configuration drift, and shadow access. It pulls configuration and entitlement data from across IAM, IGA, and PAM systems to ensure that access is defined correctly and remains compliant over time. 

From a security perspective, ISPM reduces risk by shrinking the attack surface before it can be exploited. From an operational perspective, it replaces periodic audits with continuous posture validation and automated remediation workflows. 

In short, ISPM answers a foundational question: are identity configurations clean, compliant, and defensible?

Identity Visibility and Intelligence Platform: Moving from Configuration to Observability 

While ISPM focuses on how identity is configured, Identity Visibility and Intelligence Platforms focus on how identity actually behaves. 

IVIP reflects a fundamentally different way of thinking about identity. Rather than treating identity data as static records distributed across tools, IVIP unifies identity data into a single intelligence layer. This includes directories, applications, SaaS platforms, IAM, IGA, PAM, and increasingly, non-human identities. 

Radiant Logic refers to this as identity observability: the ability to see, understand, and explain how identities interact across systems in real time. 

By correlating identity data with usage and behavior, IVIP provides insight into how entitlements are actually used in practice. It surfaces access drift, anomalous behavior, risky patterns, and blind spots that configuration checks alone cannot reveal. 

IVIP answers a different but equally critical question: are identities using access in the way the organization expects and intends?

Where ISPM and IVIP Meet 

ISPM and IVIP address different layers of the same challenge. 

Both are identity-centric. Both emphasize continuous monitoring over point-in-time assessments. Both integrate data across the identity ecosystem. And both support governance, compliance, and risk reduction efforts. 

The difference lies in perspective. ISPM enforces structure and policy. IVIP provides context and intelligence. 

Without ISPM, identity environments accumulate configuration debt that increases risk. Without IVIP, organizations lack the visibility to understand how identity risk manifests in real-world activity.
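The two questions the post assigns to ISPM (are configurations clean and compliant?) and IVIP (is access used as intended?) can be run side by side over the same identity records. The following is an added example, not Radiant Logic’s code or any product’s detection logic; the HR feed, account list, access log, privileged-entitlement set and 90-day dormancy threshold are constructed assumptions. The posture check looks only at configuration (orphaned and unowned accounts, privileged grants); the usage check compares granted entitlements with what was actually exercised; the final ranking shows where both views agree.

```python
# Constructed identity posture (ISPM-style) and usage (IVIP-style) checks.
# Added example, not Radiant Logic's code; record shapes, names, the privileged
# entitlement set and the 90-day threshold are assumptions made for illustration.
from collections import Counter
from datetime import date, timedelta

# Constructed sample data: an HR feed, directory accounts with entitlements,
# and an access log of which entitlements were actually exercised.
HR_ACTIVE = {"alice", "bob"}  # people HR currently employs
ACCOUNTS = [
    {"account": "alice", "owner": "alice", "type": "human",
     "entitlements": {"crm.read", "crm.write", "finance.read"}},
    {"account": "bob", "owner": "bob", "type": "human",
     "entitlements": {"crm.read"}},
    {"account": "carol", "owner": "carol", "type": "human",      # left the company
     "entitlements": {"crm.read", "admin.all"}},
    {"account": "svc-etl", "owner": None, "type": "service",      # nobody owns it
     "entitlements": {"warehouse.write", "admin.all"}},
    {"account": "svc-backup", "owner": "bob", "type": "service",
     "entitlements": {"storage.read"}},
]
ACCESS_LOG = [  # (date, account, entitlement exercised)
    (date(2026, 3, 20), "alice", "crm.read"),
    (date(2026, 3, 21), "alice", "crm.read"),
    (date(2026, 3, 22), "bob", "crm.read"),
    (date(2026, 3, 1), "svc-etl", "warehouse.write"),
    (date(2026, 3, 23), "svc-etl", "admin.all"),       # service account using admin rights
    (date(2025, 11, 2), "svc-backup", "storage.read"),  # last seen months ago
]
PRIVILEGED = {"admin.all"}


def posture_findings(accounts=ACCOUNTS, hr_active=HR_ACTIVE, privileged=PRIVILEGED):
    """ISPM view: judge configurations against policy without looking at behaviour."""
    findings = []
    for a in accounts:
        if a["type"] == "human" and a["owner"] not in hr_active:
            findings.append((a["account"], "orphaned: owner no longer in HR feed"))
        if a["type"] == "service" and a["owner"] is None:
            findings.append((a["account"], "unowned service account"))
        if a["entitlements"] & privileged:
            findings.append((a["account"], "holds privileged entitlement"))
    return findings


def usage_findings(accounts=ACCOUNTS, log=ACCESS_LOG, today=date(2026, 3, 25),
                   stale_days=90, privileged=PRIVILEGED):
    """IVIP view: compare granted entitlements with what was actually exercised."""
    used, last_seen = {}, {}
    for d, acct, ent in log:
        used.setdefault(acct, set()).add(ent)
        last_seen[acct] = max(last_seen.get(acct, d), d)
    findings = []
    for a in accounts:
        acct = a["account"]
        unused = a["entitlements"] - used.get(acct, set())
        if unused:
            findings.append((acct, "unused entitlements: " + ", ".join(sorted(unused))))
        seen = last_seen.get(acct)
        if seen is None or (today - seen) > timedelta(days=stale_days):
            findings.append((acct, "dormant: no activity in %d days" % stale_days))
        if a["type"] == "service" and used.get(acct, set()) & privileged:
            findings.append((acct, "service account exercised privileged entitlement"))
    return findings


def risk_ranking(posture=None, usage=None):
    """Where the two views meet: accounts ordered by how many findings of either kind they carry."""
    posture = posture_findings() if posture is None else posture
    usage = usage_findings() if usage is None else usage
    counts = Counter(acct for acct, _ in posture) + Counter(acct for acct, _ in usage)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for acct, why in posture_findings() + usage_findings():
        print(f"{acct:12s} {why}")
    print(risk_ranking())
```

Note what each view misses on its own: the posture check flags carol only because HR says she left, while the usage check flags her because nothing she holds has been exercised; svc-etl looks merely unowned in configuration, but the log shows it actively exercising an admin entitlement, which is the behavioural signal the post attributes to IVIP.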

Radiant Logic’s Perspective: Identity Requires Unification Before Intelligence and Action

At the foundation of Radiant Logic’s approach is that neither posture nor intelligence is possible without first unifying identity data across human, non-human and agentic identities. 

Most identity environments are fragmented. Identity attributes, entitlements, and signals live across disconnected systems, each with partial context. This fragmentation limits the effectiveness of both ISPM and behavioral analytics. 

By unifying identity data into a single Identity Data Fabric, organizations establish a consistent, authoritative view of identity across human and non-human entities. This foundation enables both continuous posture assessment and advanced identity observability. 

From there, organizations can move through a clear progression: 

  • Unify identity data across sources to establish trust and consistency 
  • Observe identity behavior and access usage across environments 
  • Act through policy enforcement, remediation, and informed security decisions 

This is the difference between managing identity as a collection of tools and managing identity as a living system.

Why Identity Security Needs Both Hygiene and Intelligence

ISPM ensures access is defined correctly. IVIP ensures access is used correctly. 

Together, they enable stronger security outcomes, faster investigations, improved compliance, and greater confidence in identity-driven decisions. They also prepare organizations for the next phase of identity complexity, where automation and AI-driven identities operate at machine speed. 

As identity becomes the dominant attack surface, security teams can no longer afford partial visibility or static controls. Sustainable identity security requires both disciplined posture management and continuous identity intelligence, grounded in unified, observable identity data. 

That is the future Radiant Logic is helping organizations build.


Best Practices for AI Powered IVIP 

March 19, 2026 | Blog: Simon Moffatt | posted by Carolynn Van Arsdale

AI seems to be on track to take over the world in the coming years. Whether or not the hype is to be believed and we will all be replaced by AI-powered cyborgs in 10 years, it is fair to say that AI has created huge opportunities for both security and productivity improvements across a range of sectors, public and private, and for entities of all sizes.

Two key questions emerge: how will AI impact identity and access management and how can identity and access management adapt to protect what is in essence a brand new technology type?  

AI in IAM and IAM for AI

Let us tackle these questions through the lens of IVIP. But first, what is IVIP and what does it entail? “Identity Visibility and Intelligence Platforms” is a term coined by Gartner in 2025 to address some of the key challenges facing identity governance and administration programmes and some privileged access management deployments: a lack of real-time visibility, difficulty handling more dynamic environments and the “speed of cloud”, and a general lack of threat detection capability at both the data and the post-authentication activity level.

IVIP aims to provide this overlay component and support a range of end-to-end use cases that leverage existing technology investments but deliver a more security-focused approach. This security aspect is a real evolutionary step for IAM. The past two decades have seen a series of security evolutions for networks, data and endpoints, with network security and data security growing into multi-billion-dollar sectors. As our IAM infrastructure is now used to empower productivity, zero trust, security and user experience, it has by design become an attack vector. To that end, being able to support security-related constructs like discovery, visibility and anomaly detection has become critical. IVIP aims to support that.

Other terms that have become synonymous with security for IAM include identity security posture management (ISPM) and identity threat detection and response (ITDR). The former typically focuses on the identity data layer (profiles, permissions and policies), while ITDR aims to detect post-authentication anomalies, including malicious use of access controls and suspicious application activity.

It is becoming increasingly clear that the typical pillars of IAM capability (IGA, PAM, IDP and strong authentication) are no longer enough to improve security or productivity. Because of a lack of visibility and poor hygiene maturity, they cannot even prevent the most basic credential theft, privilege escalation and lateral movement attack chains.

So if we tackle the two overlay identity security capabilities, one focused on end-to-end data management and one on runtime activity, what can AI do to accelerate improvements?

It is important to identify where the pain points and risk “heat” may exist and where existing non-AI approaches to improving data hygiene and runtime detection are sub-optimal.

A secondary aspect to consider is how existing IAM concepts and components can be used to protect the emerging use of AI. Not all AI is the same, and there are many nuanced aspects that should rely heavily on strong, functional verification, attestation, authentication and authorization services. If we treat agentic AI like a digital employee and not just an abstract software component, we can start to realign our risk and threat models more accurately.

The agentic world generates multiple questions around delegation of permissions, impersonation use cases and just-in-time access, and how these should relate to the permissions and context of the associated carbon life form.

Figure 1: A line graph showing Progress over Time with two lines: Business Innovation with AI rising steeply, and IAM and Security Innovation for AI rising slowly, creating a red-dotted Security Gap between them.

For example, an AI agent via the model context protocol (MCP) will have access to a vast and sprawling underlying data set. 

Should the agent simply assume the permissions of the human “using” the agent? How is the cascading access and risk determined and analysed?

Will the access need to change, and if so, is that a legitimate expectation in order to complete an objective? Agents will be assigned objectives and not just specific, well-defined tasks, so it may well be a legitimate requirement for the access permissions to alter and grow as the agent learns, optimizes and understands the objective it has been set in more detail. This is just the same as a human who snowballs more responsibility within a project and needs access to more systems with more authority: their permissions grow too. How can an access request model, authorization policy and enforcement framework cater to this?

Today, there is a gap in the innovation maturity and adoption of AI and what the existing identity and security architectures and controls can support. Perhaps only by the addition of AI capabilities into the identity and security landscape can the gap be narrowed.

Identity Data Opportunities 

Identity and Account Discovery, Correlation and Management

If we look at the identity data layer – the typical profiles, permissions and policies focus – what can be identified as firstly being of high impact to security and productivity, but is also operating sub-optimally?

An immediate concern is that we can only protect what we know about. This clearly applies to many IAM projects, which have a limited view and management control of all the identities that exist within the organisation. It is quite common to deploy identity governance and administration (IGA) or privileged access management (PAM) tools to only a small number of applications: perhaps only those under the scope of regulation, but more likely because of connectivity and integration challenges. Even for the systems under management, it is not always possible to discover all identities and accounts within a system.

Secondly, accounts often cannot be linked to accounts in other systems and in turn to an anchor identity. That linkage is essential for context and analysis, but also to fulfil provisioning and de-provisioning change events.

Guidance: Correlation and recommended correlation can become a simple and highly automated process in the AI-led world. The result is instantly broader and more connected visibility of the identity assets in play.

Account and Permissions Ownership

Ownership of discovered assets is rarely optimized. Identifying who should own a service account or non-human identity is increasingly avoided because of the numbers involved and the highly dynamic nature of these types of identities. Being able to identify accountable and responsible owners, and integrating with chatops infrastructure (think Slack and Microsoft Teams) in order to notify, engage and assign accounts, improves access request and approval functions and also improves the ability to identify changes to a secure running state of identity data.

An extension to this use case is being able to manage permissions effectively. From directory groups and application-specific access control entries to roles and higher-level policies, a lack of ownership instantly results in a lack of accurate posture, reporting and accountability.

Guidance: The analysis of permission events and metadata (who created the permission, who requested changes, which departments the accounts associated with the permission reside in, and so on) is a clear machine learning and AI-led initiative that can quickly be used to recommend and contact owners.
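The two guidance points above (account-to-anchor correlation, and owner recommendation from creation metadata) can be illustrated with a small script. This is an added example, not code from the article or from any product; the HR feed, the three source systems, the field names and every record are constructed so that it runs offline.

```python
"""Identity discovery hygiene: correlate accounts from several systems to
an anchor identity, list orphans, and recommend owners for non-human
accounts from their creation metadata. Added example code, not from the
article or any product; every system, field name and record below is
constructed."""

# Constructed HR feed: the anchor identities, one row per person.
HR = [
    {"employee_id": "E100", "email": "a.lee@example.com", "dept": "finance"},
    {"employee_id": "E101", "email": "b.ng@example.com", "dept": "platform"},
]

# Constructed account inventories from three systems. Each system keys
# accounts differently, so correlation tries several keys per account.
ACCOUNTS = [
    {"system": "ad", "account": "a.lee", "employee_id": "E100", "type": "human"},
    {"system": "ad", "account": "contractor7", "employee_id": None, "type": "human"},
    {"system": "cloud_idp", "account": "b.ng@example.com", "employee_id": None, "type": "human"},
    {"system": "cloud_idp", "account": "svc-billing", "employee_id": None, "type": "service",
     "created_by": "a.lee@example.com", "owner": None},
    {"system": "db", "account": "svc-etl", "employee_id": None, "type": "service",
     "created_by": None, "owner": None},
]


def build_anchor_index(hr):
    """Map every key an account might carry (employee id, email, email
    local part), lower-cased, to its anchor identity record."""
    idx = {}
    for person in hr:
        email = person["email"].lower()
        idx[person["employee_id"].lower()] = person
        idx[email] = person
        idx[email.split("@")[0]] = person
    return idx


def correlate(accounts, hr):
    """Attach an anchor employee_id to each account that can be linked.
    Human accounts link by employee id or by account name / email; service
    accounts link through their recorded owner or, failing that, their
    creator. Returns (correlated, orphans)."""
    idx = build_anchor_index(hr)
    correlated, orphans = [], []
    for acct in accounts:
        keys = [acct.get("employee_id"), acct["account"]]
        if acct["type"] == "service":
            keys += [acct.get("owner"), acct.get("created_by")]
        anchor = next((idx[k.lower()] for k in keys if k and k.lower() in idx), None)
        if anchor is None:
            orphans.append(acct)
        else:
            correlated.append({**acct, "anchor": anchor["employee_id"]})
    return correlated, orphans


def recommend_owners(accounts, hr):
    """For each non-human account with no owner, recommend the anchor of
    whoever created it (one of the metadata signals the guidance names).
    Returns {account: employee_id or None}."""
    idx = build_anchor_index(hr)
    recs = {}
    for acct in accounts:
        if acct["type"] != "service" or acct.get("owner"):
            continue
        creator = (acct.get("created_by") or "").lower()
        anchor = idx.get(creator)
        recs[acct["account"]] = anchor["employee_id"] if anchor else None
    return recs


if __name__ == "__main__":
    linked, orphans = correlate(ACCOUNTS, HR)
    for a in linked:
        print(f"{a['system']}:{a['account']} -> {a['anchor']}")
    print("orphans:", [a["account"] for a in orphans])
    print("owner recommendations:", recommend_owners(ACCOUNTS, HR))
```

Orphans (here the contractor account with no HR anchor and the service account with no creator record) are exactly the accounts a review should see first; an owner recommendation with no candidate is the signal to escalate to the department that owns the system rather than leave the account ownerless.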

Access Request and Review Effectiveness

Whilst those two use cases are often overlooked, two use cases that are constantly in flight in many organisations are the access request and access review processes. Access requests occur daily and are part and parcel of all organisations, even those with no regulatory obligations. Working out which system, and in turn which permissions, to request access to can be difficult for non-technical users. The usual fix is to “copy” access from a colleague who acts as a model user. The result? Access proliferation and the constant “copy and pasting” of poor access control logic. An improvement is to use AI-generated context, likely in the form of co-pilot and assistance technology, based on natural language processing (NLP) and non-technical queries and answers about the business tasks and functions the end user wishes to complete.

Guidance: By analysing existing users, risk and zero standing privileges, assistance technologies such as chatbots can navigate access requests in a way that automatically approves and assigns access based on context such as work environment, ITSM tickets and risk.

Access reviews are constantly being optimized. As numerous compliance initiatives require this periodic process to be completed securely and effectively, it is not a use case that is going to become obsolete anytime soon, yet with continued optimization and automation perhaps many aspects of it can be removed from the human’s workload.

Guidance: A clear optimization opportunity is to identify, and then automatically remove, the difference between the permissions associated with a user (even after a successful access request and approval) and the permissions the user under review is actually using. This is a pragmatic approach to quickly reduce the identity attack surface, and also to streamline the birthright permissions associated with particular business roles and job functions.

Identity Security Opportunities 

Anomaly Discovery

We should also consider the identity landscape from a more security-orientated perspective. This often brings anomaly discovery into consideration. Whilst this could be behaviour and post-authentication based, we must also consider anomalies within the aforementioned data layer: misalignment in existing identity data patterns (account-to-permission associations, access request history and context, access usage) as well as changes to configuration.

Anomaly analysis will require an ability to discover, and in turn create baselines of, “standard” and expected change. This could be through observation of existing and historical data sets: who requested access to what, when, and how it was approved. Of correctly assigned permissions, which were being used? Under what circumstances were they used: time of day, origin device and location, and what happened before and after the permissions were used? This level of “observability” can often take time to create, but provides higher-fidelity decision making with respect to identifying something suspicious, when to respond and how to respond.

Guidance: Machine learning against existing access request and usage patterns can provide a solid foundation for baselining standard patterns of usage and ways to identify suspicious changes to the secure running state of the identity data plane.
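The access-review guidance above (remove the gap between granted and used permissions) and this baselining guidance both start from the same access-usage data, so one added example serves both. It is not code from the article or any product: the log line format, users, permissions, devices and entitlements are constructed, and the "baseline" is a plain set of observed hours, devices and permissions per user rather than a trained model, which is enough to show how the diff and the anomaly check work.

```python
"""Assigned-versus-used permission diff and a usage baseline with anomaly
flags, run over constructed access-usage log lines. Added example, not
the article's or any product's code; the log format, users, permissions
and devices are all constructed."""
import re
from collections import defaultdict

# Constructed history: one line per permission use (ISO time, user, permission, device).
HISTORY = """\
2026-02-02T09:12:00Z user=alee perm=finance_read device=lt-alee
2026-02-02T10:40:00Z user=alee perm=finance_write device=lt-alee
2026-02-03T09:05:00Z user=alee perm=finance_read device=lt-alee
2026-02-03T14:30:00Z user=bng perm=deploy device=lt-bng
"""

# Constructed new events to evaluate against the baseline built from HISTORY.
NEW_EVENTS = """\
2026-02-04T09:30:00Z user=alee perm=finance_read device=lt-alee
2026-02-04T03:15:00Z user=alee perm=hr_read device=build-runner-3
2026-02-04T11:00:00Z user=ghost perm=deploy device=lt-bng
"""

# Constructed entitlements as granted (including approved requests).
ASSIGNED = {
    "alee": {"finance_read", "finance_write", "hr_read"},
    "bng": {"deploy", "prod_db_admin"},
}

LINE = re.compile(r"^(\d{4}-\d\d-\d\d)T(\d\d):\d\d:\d\dZ user=(\S+) perm=(\S+) device=(\S+)$")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            date, hour, user, perm, device = m.groups()
            events.append({"date": date, "hour": int(hour), "user": user,
                           "perm": perm, "device": device})
    return events


def unused_permissions(assigned, events):
    """Permissions granted but never seen in use: the removal candidates."""
    used = defaultdict(set)
    for e in events:
        used[e["user"]].add(e["perm"])
    return {user: perms - used[user]
            for user, perms in assigned.items() if perms - used[user]}


def baseline(events):
    """Per-user 'standard' usage: hours of day, devices and permissions observed."""
    base = defaultdict(lambda: {"hours": set(), "devices": set(), "perms": set()})
    for e in events:
        base[e["user"]]["hours"].add(e["hour"])
        base[e["user"]]["devices"].add(e["device"])
        base[e["user"]]["perms"].add(e["perm"])
    return dict(base)


def flag_anomalies(base, events):
    """Compare each new event to the user's baseline; return flagged events with reasons."""
    flagged = []
    for e in events:
        b = base.get(e["user"])
        if b is None:  # a user with no history at all is itself worth a look
            flagged.append({**e, "reasons": ["no_baseline"]})
            continue
        reasons = []
        if e["hour"] not in b["hours"]:
            reasons.append("unusual_hour")
        if e["device"] not in b["devices"]:
            reasons.append("new_device")
        if e["perm"] not in b["perms"]:
            reasons.append("new_permission")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    history = parse_log(HISTORY)
    print("unused:", unused_permissions(ASSIGNED, history))
    for f in flag_anomalies(baseline(history), parse_log(NEW_EVENTS)):
        print(f"{f['date']} {f['user']} {f['perm']} from {f['device']}: {', '.join(f['reasons'])}")
```

Two days of history is deliberately thin: with a real baseline window, an hour-of-day check would use a tolerance band and the permission check would distinguish a never-used permission from one used rarely, but the shape of the decision (granted-but-unused drives removal, used-outside-baseline drives response) is the one the guidance describes.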

Misconfiguration Identification

The IAM landscape is complex. Multiple systems, identity types and access control logic points are needed to drive productivity and security success. All of which are growing in both volume and breadth of deployment. Cloud service provider (CSP) IAM components for example require specialist personnel and tools to administer features like federation, credentials, roles and permissions for humans and workloads. 

Mistakes and misalignment to controls and compliance requirements are common. The “scanning” of IAM configuration is not a new concept but can become increasingly difficult to automate due to the constant change in the surrounding business and cyber threat landscape. Changes to IAM policy and configuration can also have significant user impact if the wrong choices are made – so the simulation and A/B testing of identity configuration changes is often asked for – but that too can be difficult to sustain.

Guidance: The existing secure running state of IAM configuration needs to be compared not only to “best practice” and regulatory requirements, but also to changes in business needs and to external cyber threat intelligence. Identification of remediation actions is only one aspect; the ability to perform updates to multiple types of identity configuration seems a likely candidate for agentic AI with some level of human-in-the-loop approval.

Risk Response

All of the previously mentioned options are grounded in an ability to identify risk, assess it appropriately and apply the appropriate response. The modern enterprise is not short of data, and using that data to alter the IAM landscape more dynamically is key both to driving value from the underlying IAM components and to improving their security posture.

IAM risk response should no longer just focus upon changes to permissions, which historically could take days to complete via poor provisioning and connector frameworks. Today risk can be identified at any part of the identity lifecycle, especially post-authentication and during session usage. An ability to identify risk (which requires more security signals) and an ability to do something actively once that risk is deemed above a certain threshold are critical to modern identity security. Concepts like the Shared Signals Framework (SSF) and the Continuous Access Evaluation Profile (CAEP) are strong indicators of the industry both acknowledging this and moving forward with agnostic solutions.

Guidance: Leveraging a more connected identity security fabric that includes a broader array of security signals is a foundational requirement. An ability to respond via a coordinated and broad approval and remediation model will result in a more fine-grained and rapid approach to threat recovery.
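The threshold-then-respond loop described above can be shown end to end with a CAEP event. The following is an added example, not code from the article or from any vendor: a transmitter scores a set of risk signals, and once the score crosses a threshold it issues a CAEP session-revoked Security Event Token (SET) for the subject, which a receiver verifies. The signal names, weights, threshold, issuer, audience and shared key are all constructed; the SET claim layout (a `secevent+jwt`, `sub_id` subject identifier, `events` keyed by the CAEP event-type URI) follows the public SET and CAEP specifications as the author understands them, and HS256 with a shared secret is used here only to keep the example dependency-free, where a real transmitter would sign with its published key.

```python
"""Risk-threshold response via a CAEP session-revoked SET. Added example;
issuer, audience, key, signal names and weights are constructed."""
import base64
import hashlib
import hmac
import json
import time
import uuid

CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
RISK_THRESHOLD = 70  # constructed threshold for the example


def score_risk(signals):
    """Sum weighted risk signals. Weights are constructed for illustration."""
    weights = {"new_device": 30, "impossible_travel": 50,
               "credential_in_breach_dump": 40, "mfa_fatigue_prompts": 25}
    return sum(weights.get(s, 0) for s in signals)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_session_revoked_set(subject_email, issuer, audience, reason, now=None):
    """Build the SET claims for a CAEP session-revoked event."""
    now = int(now if now is not None else time.time())
    return {
        "iss": issuer, "jti": uuid.uuid4().hex, "iat": now, "aud": audience,
        "sub_id": {"format": "email", "email": subject_email},
        "events": {CAEP_SESSION_REVOKED: {"event_timestamp": now,
                                          "reason_admin": {"en": reason}}},
    }


def sign_set(payload, key: bytes) -> str:
    """Sign the SET as a compact JWS with HS256 (shared-secret variant for the example)."""
    header = {"typ": "secevent+jwt", "alg": "HS256"}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_set(token, key: bytes):
    """Receiver side: check the signature and return the claims, or None if invalid."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), s):
        return None
    return json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))


def evaluate(subject_email, signals, issuer, audience, key: bytes):
    """Transmitter decision: returns (score, signed SET or None when below threshold)."""
    score = score_risk(signals)
    if score < RISK_THRESHOLD:
        return score, None
    reason = "risk score %d from signals: %s" % (score, ", ".join(sorted(signals)))
    return score, sign_set(build_session_revoked_set(subject_email, issuer, audience, reason), key)


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    score, token = evaluate("a.lee@example.com", ["new_device", "impossible_travel"],
                            "https://idp.example", "https://app.example", key)
    print("score:", score)
    print("receiver sees:", json.dumps(verify_set(token, key), indent=1))
```

The receiver's only job is to validate the token and act on the event type it finds; the reason text travels along so the session revocation is explainable when the owner asks why they were signed out.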

About The Author 

Simon Moffatt has nearly 25 years’ experience in IAM, cyber and identity security. He is founder of The Cyber Hut, a specialist research and advisory firm based in the UK. He is author of CIAM Design Fundamentals and IAM at 2035: A Future Guide to Identity Security. He is a Fellow of the Chartered Institute of Information Security, a regular keynote speaker and a strategic advisor to entities in the public and private sectors.

Identity Fabric Explained: Solving the Human, Non-Human, and AI Identity Problem 

March 10, 2026 / in Blog / Sebastien Faivre / by Sam Erdheim

Identity management has always been a journey. For me personally, it’s been a journey since the early 2000s—from access management products to founding Brainwave, an identity analytics company, and now leading product strategy at Radiant Logic. But more importantly, identity management as a discipline has evolved dramatically, and if your organization hasn’t kept pace, you’re operating with serious blind spots that adversaries are already exploiting. 

Let me explain where we are today, why it matters, and how an Identity Fabric approach can help you move from reactive firefighting to proactive security posture management.  

The Evolution of Identity-First Security 

Identity management started with a simple goal: operational efficiency. Get employees access on Day 1 so they can do their jobs. It was human-centered, workflow-driven, and focused on lifecycle operations—onboarding, role changes, offboarding. 

Then digital transformation, DevOps, and the COVID-era shift to remote work changed everything. Identity became the new perimeter. Today, 90% of breaches involve a compromised identity at some point in the attack chain. Identity management is no longer just about productivity—it’s about risk mitigation. 

But here’s the problem: even as we’ve made progress on human identity management, the landscape has expanded. We’re not just managing people anymore. We’re now facing what I call ”The Three Identity Problem.” 

The Three Identity Problem 

Organizations today must solve three identity challenges simultaneously: 

  1. Human Identity: Employees, contractors, and partners across on-prem, cloud, and hybrid environments. Even here, most organizations struggle with identity sprawl, orphaned accounts, and excessive permissions. 
  2. Non-Human Identity: Service accounts, APIs, workloads, and machines often outnumber humans 10-to-1. Yet they’re poorly governed, with standing privileges, unclear ownership, and minimal monitoring. 
  3. Agentic AI Identity: The newest frontier: autonomous AI agents that analyze, decide, and act. These digital workers spin up on demand, execute tasks across your infrastructure, and disappear—sometimes in milliseconds. An orchestration agent might say, “I need a SOC2-certified agent for financial reconciliation,” credential it, let it execute a wire transfer, and deprovision it—all in real time. This is already happening. And if managing service accounts was hard, governing tens of thousands of ephemeral agentic identities will be exponentially harder. 

From Alert Fatigue to Intelligent Action 

As identity shifted from operations to security, we created dashboard sprawl—security teams drowning in alerts from IGA, PAM, SIEM, and cloud platforms. You get a million tickets. But which two actually matter? 

This is where AI-driven remediation becomes essential. At Radiant Logic, we’ve embedded AIDA (Artificial Intelligence Data Assistant) into our platform to help security teams cut through the noise. 

With guided remediation, AIDA doesn’t just alert—it automatically investigates. It reaches out to line managers and resource owners, determines if an issue is real or a false positive, and recommends or executes remediation. Your security team stops chasing spreadsheets and starts doing high-value threat analysis. 

The Identity Fabric Solution 

An Identity Fabric is a unified identity data layer that sits at the foundation of your security stack. It enables you to: 

  • Unify – Aggregate identity data from every source: AD, Entra, cloud IdPs, legacy systems, EHRs, CRMs. Create a single source of truth for who (or what) exists and what they can access. 
  • Observe – Monitor identity activity in real time. Surface anomalies, risky configurations, orphaned accounts, and policy drift with 360° visibility across human, non-human, and agentic identities. 
  • Act – Use AI-driven insights to proactively remediate risks. Automate hygiene, enforce least privilege, enable just-in-time access, and support dynamic authorization. 

How an Identity Fabric Enables Zero Trust 

Without a foundational identity data layer, you’re reactive—constantly investigating breaches and chasing access issues. 

With an Identity Fabric: 

  • You move toward Zero Trust with real-time, contextualized identity data 
  • You apply least privilege and no standing privilege consistently 
  • You reduce your attack surface to the bare minimum 
  • Your security team focuses on strategic work, not manual reviews 

The Technical Debt Reality 

Most enterprise organizations still run the majority of critical systems on-premises—often on legacy platforms no one dares touch. You can’t ignore them, but you can’t let them block modernization either. 

An Identity Fabric virtualizes and normalizes identity data from legacy systems, providing modern APIs without requiring you to touch decades-old code. You get clean data, real-time visibility, and dynamic authorization—with measurable ROI and without the risk. 

  • Faster M&A integration: Unify acquired identities on Day 1 
  • Legacy modernization: Decommission old infrastructure safely 
  • Security productivity: Stop wasting talent on spreadsheets 
  • Reduced attack surface: Remediate risks before attackers find them 

The Bottom Line 

Identity is no longer just plumbing—it’s the center of your security strategy. You’re managing humans, machines, and autonomous AI agents at scale across hybrid environments. 

The organizations that win treat identity as critical infrastructure. They unify their identity data, observe it in real time, and act on it intelligently with an Identity Fabric that integrates with existing investments. 

At Radiant Logic, we help you build exactly that: the visibility, control, and automation you need to shift from reactive chaos to proactive confidence. 

Because the question isn’t whether identity is central to security. The question is: do you have the data foundation to manage it? For more information on this topic, listen to my interview with eChannelNews.


Gartner's 2026 IAM Predictions: Identity Visibility Is No Longer Optional 

March 3, 2026 / in Blog / Anders Askasen / by Sam Erdheim

The identity security landscape is shifting fast, and Gartner’s newly published 2026 Predicts: Identity and Access Management report makes one thing unmistakably clear: identity has become the primary attack surface. Organizations that lack unified visibility across their identity ecosystems are running out of time to catch up. 

At Radiant Logic, this isn’t a surprise. It’s a validation of the platform and approach we’ve been investing in for years. Let’s break down Gartner’s four key predictions and what they mean for security leaders, and how RadiantOne is already helping organizations get ahead of each one. 

Gartner Prediction 1: By 2028, 70% of CISOs Will Adopt Identity Visibility and Intelligence 

Gartner’s lead prediction centers on the rise of Identity Visibility and Intelligence Platforms (IVIPs), solutions designed to eliminate the blind spots left by siloed IAM tools. The report is direct: fragmented identity environments across hybrid cloud, on-premises, and SaaS create misconfigurations and unauthorized access that attackers exploit at scale. The recommended response is equally direct. Unify visibility, leverage AI for anomaly detection, and enable real-time remediation. 

How RadiantOne Aligns 

This prediction reads like a product brief for RadiantOne. Our platform was purpose-built to aggregate, correlate, and unify identity data from every source across an organization’s environment, including Active Directory, cloud directories, HRIS systems, SaaS applications, and infrastructure components. RadiantOne provides continuous, real-time visibility and observability into the entire identity and access landscape, covering both human and non-human identities. Our AI Data Assistant (AIDA) analyzes complex relationships across entitlements, permissions, and group memberships to uncover hidden risks and deliver actionable remediation plans. 

Where Gartner recommends conducting gap assessments and engaging vendors with integration capabilities across heterogeneous IT environments, RadiantOne is already deployed at one-third of the Fortune 100 doing exactly that. 

Gartner Prediction 2: By 2028, 30% of Organizations Will Eliminate Service Desk Account Recovery 

Social engineering attacks targeting service desks have surged since the high-profile MGM casino breach in 2023. Gartner notes that the shift toward stronger authentication methods hasn’t been matched by equivalent improvements in how authenticators are managed and recovered. This leaves a dangerous gap that attackers are actively exploiting. The recommendation is to harden or eliminate service desk-driven recovery processes altogether. 

How RadiantOne Aligns 

While RadiantOne doesn’t replace the service desk directly, our platform plays a critical role in reducing the attack surface that makes these attacks possible. By providing unified identity visibility across all systems, RadiantOne enables security teams to detect anomalous account activity, identify orphaned or stale accounts that create recovery vulnerabilities, and enforce consistent identity hygiene. When organizations can see every identity, every account relationship, and every access path in real time, they have the foundation to implement more secure, self-service recovery workflows and to detect when social engineering attempts are underway. 

Gartner Prediction 3: By 2029, Machines Will Proxy All Human Access, Reducing Account Takeover by 80% 

This is Gartner’s most forward-looking prediction, and arguably the most consequential. The report envisions a future where humans no longer hold accounts or entitlements directly. Instead, personal AI agents authenticate on behalf of humans and broker access through purpose-built machine identities. In this model, traditional IGA implementations become artifacts of the past, and the ability to discover, catalog, and govern machine identities becomes paramount. 

How RadiantOne Aligns 

RadiantOne is already ahead of the curve on non-human identity (NHI) management. Our platform discovers and correlates all identities, both human and non-human, across every IAM layer. This includes service accounts, API keys, workloads, and agent identities. As the delegation model Gartner describes takes shape, organizations will need a foundational identity data layer that can handle the ephemeral, high-volume nature of machine identities while maintaining granular visibility into access paths. 

RadiantOne provides exactly that foundation. Our identity data management capabilities, combined with real-time observability and dynamic risk scoring, position organizations to govern machine identities with the same rigor they apply to human ones today, and to scale that governance as machine-proxied access becomes the norm. 

Gartner Prediction 4: By 2029, Phishing-Resistant MFA Will Reduce Breaches by 80% 

Gartner reaffirms that legacy authentication remains a critical vulnerability and calls for broad adoption of phishing-resistant MFA based on FIDO2 and device-bound passkeys. Organizations that can’t yet deploy phishing-resistant methods everywhere should implement compensating controls including risk signals, proximity detection, and number matching. 

How RadiantOne Aligns 

RadiantOne enables organizations to extend MFA capabilities, including phishing-resistant methods, to legacy applications that would otherwise be left unprotected. Our identity data platform serves as the connective layer that ensures modern authentication policies can reach across the full application landscape, not just the subset of apps that natively support modern protocols. By unifying the identity data that access management tools depend on, RadiantOne ensures that phishing-resistant MFA deployments have the complete, accurate identity context they need to function effectively. 

The Common Thread: You Can’t Protect What You Can’t See 

Across all four predictions, Gartner returns to a consistent theme: identity visibility is the prerequisite for everything else. You can’t shrink your attack surface without seeing it. You can’t govern machine identities you haven’t discovered. You can’t enforce least privilege without understanding every access path. And you can’t assess authentication risk without a unified view of who’s accessing what, from where, and how. 

This is the problem Radiant Logic was founded to solve. RadiantOne transforms fragmented identity data from a major risk into a strategic asset, unifying, analyzing, and securing an organization’s entire identity ecosystem in real time. As the IAM market evolves toward the future Gartner describes, the organizations that have invested in a strong identity data foundation won’t just be more secure. They’ll be ready. 

To learn how RadiantOne can help your organization align with Gartner’s IAM predictions, contact us for a demo or assessment. 


What Master OccupyTheWeb Taught Us About Identity as Target #1

February 26, 2026 / in Blog / Anders Askasen / by Sam Erdheim

What does your environment look like to someone whose job it is to break into it? 

That was the question we set out to answer in the first episode of our new webinar series, Through the Eyes of the Adversary, where we sit down with offensive security practitioners and walk through how real attacks actually work — not the sanitized, assume-the-breach PowerPoint version, but the actual steps. 

Our guest for the premiere was Master OccupyTheWeb — a well-known figure in the offensive security community, educator, author of Linux Basics for Hackers, and someone who has spent his career training U.S. military and intelligence personnel on attacking and defending systems. He has also played a significant role in cyber operations during the Russia-Ukraine conflict, targeting Russian industrial infrastructure in support of Western defense. 

Here’s what we learned… 

Identity Is the Front Door — and It’s Usually Unlocked 

Before we even got into tradecraft, we set the stage with numbers that should make every security leader uncomfortable. Ninety percent of organizations experienced an identity-related breach in the past year. Non-human identities — service accounts, API keys, workload credentials — outnumber human identities by ratios ranging from 50-to-1 to 144-to-1. Forty percent of those non-human identities have no identifiable owner, and 42 percent carry sensitive privileges. They’re growing three to five times faster than human identities, year over year. 

That is not an access management problem. That is an attack surface problem. And attackers know it. 

We wanted to see how our own audience stacked up against those industry numbers, so we asked them directly: do you have a complete inventory of non-human identities across your environment? Out of 136 respondents, 62.5 percent said no. Nearly two-thirds of the security professionals in the room cannot account for the service accounts, API keys, and workload credentials that represent the fastest-growing — and least-governed — segment of the modern identity landscape. That number alone should reframe any conversation about identity security maturity. 

62.5% (85 of 136 respondents) don’t have a complete inventory of non-human identities across their environment

Reconnaissance: You Can’t Attack What You Don’t Understand

OccupyTheWeb walked through how offensive operations begin: reconnaissance. Using OSINT (open-source intelligence) tools, social media platforms like LinkedIn and Facebook, and scanning services like Shodan and Censys, attackers build a detailed picture of an organization’s infrastructure, its people, and its vulnerabilities — often before a single packet is sent. 

The takeaway for defenders is sobering. The amount of information people voluntarily publish about themselves and their organizations is a treasure trove for adversaries. Job titles, reporting structures, technology stacks, personal interests — all of it feeds the attacker’s playbook, from crafting spear-phishing emails to guessing password variations. 

The Easiest Way In? Just Log In.

The most striking theme of the conversation was how consistently identity — not sophisticated exploits — provides the path of least resistance. OccupyTheWeb was blunt: the first thing he looks for is a username and password he can use to simply walk in through the front door. 

The top one million passwords from the dark web get him into roughly 30 percent of all systems. If he can identify the person behind a target account, he checks the dark web for previously breached credentials — a pool of roughly three billion passwords. If the exact password doesn’t work, minor variations usually do, since people tend to make predictable, incremental changes when forced to rotate credentials. 

He shared a story about compromising a major industrial system where the admin account still used “admin” as the username and the administrator’s birthdate — found on social media — as the password. No zero-day required. No advanced tooling. Just a login. 

And from the defender’s perspective, that login looks like a perfectly normal authentication event. 

Once Inside: Scan, Escalate, Move 

After gaining initial access — even with a low-privilege account — the next step is network reconnaissance. Attackers scan the internal environment to map the topology, identify systems, and locate high-value targets like databases. 

Then comes privilege escalation. OccupyTheWeb noted that the lateral movement potential from a single compromised low-level account is effectively unlimited, depending on the environment — especially once an attacker escalates to root or system admin privileges. 

Particularly valuable targets include abandoned contractor accounts that were never deprovisioned, service accounts with excessive privileges and no identifiable owner, and database servers running on default ports. 

His advice to defenders on that last point was practical and surprisingly simple: move your database to a non-standard port. It won’t stop a determined, targeted attacker, but it will frustrate 80 to 90 percent of opportunistic ones who are scanning for default ports. 

Our second poll question cut to the heart of why lateral movement succeeds: can you correlate human, workload, and AI agent identities in a single system of record? Of 121 respondents, 64.5 percent said no — the weakest result across all three polls. Without a unified view that connects human operators to their automated workloads and emerging AI agents, defenders simply cannot see the relationships and trust chains that attackers traverse as they move laterally through an environment. It’s the identity equivalent of fighting in the dark. 

64.5% (78 of 121 respondents) said they cannot correlate human, workload, and AI agent identities into a single system of record

The Emerging Threat: Agentic AI 

The conversation turned to agentic AI, and OccupyTheWeb offered a sharp warning. As organizations adopt AI tools and agents, they are creating entirely new attack surfaces. AI applications often collect and have access to vast amounts of data on the systems they run on, and if those AI systems are compromised, that data is exposed. 

The message wasn’t anti-AI — he emphasized that he loves the technology. But he urged caution around implementation, particularly around what data AI agents are allowed to access and what guardrails govern their behavior. 

From the attacker’s side, AI is already supercharging social engineering. LLMs can generate highly personalized spear-phishing emails by aggregating publicly available information about a target, creating messages that are almost indistinguishable from legitimate communication. 

The Best Hack Is When Nobody Knows They’ve Been Hacked 

One of the most memorable lines from the session came when we discussed how attackers approach persistence and stealth. OccupyTheWeb was clear: the best hack is when nobody knows they’ve been hacked, because then the target takes no action to recover or improve their defenses. 

This is the philosophy behind advanced persistent threats and state-sponsored operations — making intrusions look like system failures rather than attacks, maintaining access for as long as possible, and covering tracks meticulously. 

Our third poll brought this full circle: have you experienced identity-based lateral movement in the last 12 months? Out of 128 respondents, 39.1 percent said yes. Nearly four in ten confirmed it — and those are only the ones who know it happened. Given OccupyTheWeb’s point about the best hacks being invisible, the real number is almost certainly higher. 

39.1% (50 of 128 respondents) said they have experienced identity-based lateral movement in the last 12 months

Connect the three poll results and a clear pattern emerges. Organizations that can’t see their non-human identities (62.5%) can’t correlate them with human and agentic identities in a unified view (64.5%), and when they can’t correlate, they can’t stop attackers from moving through their environment (39.1% confirmed lateral movement). It’s the same attack chain OccupyTheWeb walked us through — reconnaissance, initial access, escalation, lateral movement — reflected back as capability gaps on the defender’s side. 

What Should CISOs Do First? 

When asked for his single most important recommendation for CISOs, OccupyTheWeb’s answer mapped directly to identity: make credentials complex and obscure, and implement multi-factor authentication. MFA can be bypassed — through session hijacking, MFA fatigue attacks, or compromising the email used for second-factor delivery — but it significantly raises the cost for attackers. And attackers are often opportunistic. If your system is hard enough to break into, many will simply move on to easier targets. 

Beyond those basics, the deeper lesson from the entire conversation was this: defenders need to think like attackers. Too many security teams implement controls without understanding why they exist or how adversaries will attempt to circumvent them. Compliance should never be a checkbox exercise — the controls exist for a reason, and understanding that reason is what separates effective defense from security theater. 

Three Questions You Should Be Able to Answer 

We closed the session by returning to the three questions we opened with — questions that, based on our live audience polls, most organizations still cannot answer: 

Can you enumerate all identities in your environment — human, non-human, and agentic — and tell me who owns each one? Our poll says 62.5% of you can’t. 

Can you map the real privilege landscape — not what your IGA says exists, but what actually exists across Active Directory, Entra ID, cloud IAM, SaaS applications, and PAM vaults? With 64.5% lacking unified identity correlation, most organizations don’t have the foundation to even begin. 

If someone created a new service account outside your governance workflow right now, how long would it take before you discovered it? With 39.1% already confirming lateral movement incidents, the cost of not knowing is no longer theoretical. 
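The third question is answerable only if observed accounts are reconciled against what the governance workflow actually knows. The following is an added illustration of that reconciliation, not Radiant Logic's code: it matches accounts seen in several sources (constructed sample data; the source names, account names and fields are hypothetical) against a governance system of record and reports what is ungoverned, what is governed but ownerless, and how long the oldest ungoverned account has gone unnoticed.

```python
"""Reconcile observed identities against the governance system of record.

Added illustration (not Radiant Logic's code). Observed accounts from
several sources (constructed sample data) are matched against the records
the governance workflow knows about. Anything observed but ungoverned, or
governed but ownerless, is reported with its source, kind and privilege so
a team can answer "how long until we notice?" with a number. Source names,
account names and fields are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Observed:
    source: str          # where the account was seen, e.g. "ad", "aws-iam"
    name: str
    kind: str            # "human", "workload" or "agent"
    privileged: bool
    first_seen: datetime


@dataclass(frozen=True)
class Governed:
    name: str
    owner: Optional[str]  # None when the record has no accountable owner


def reconcile(observed, governed, now):
    """Return findings keyed by category; each finding is a plain dict."""
    by_name = {g.name: g for g in governed}
    findings = {"ungoverned": [], "ownerless": [], "privileged_ungoverned": []}
    for acct in observed:
        record = by_name.get(acct.name)
        age_days = (now - acct.first_seen).days
        entry = {"name": acct.name, "source": acct.source, "kind": acct.kind,
                 "privileged": acct.privileged, "age_days": age_days}
        if record is None:
            # Seen in the environment, unknown to governance.
            findings["ungoverned"].append(entry)
            if acct.privileged:
                findings["privileged_ungoverned"].append(entry)
        elif record.owner is None:
            # Known to governance, but nobody is accountable for it.
            findings["ownerless"].append(entry)
    return findings


def worst_detection_gap_days(findings):
    """Largest age of an ungoverned account: how long it has gone unnoticed."""
    ages = [f["age_days"] for f in findings["ungoverned"]]
    return max(ages, default=0)


# Constructed sample inventory (hypothetical names and dates).
UTC = timezone.utc
NOW = datetime(2026, 2, 17, tzinfo=UTC)
OBSERVED = [
    Observed("ad", "jdoe", "human", False, datetime(2024, 1, 5, tzinfo=UTC)),
    Observed("ad", "svc-backup", "workload", True, datetime(2025, 11, 1, tzinfo=UTC)),
    Observed("aws-iam", "ci-deployer", "workload", True, datetime(2026, 2, 10, tzinfo=UTC)),
    Observed("saas-crm", "agent-summarizer", "agent", False, datetime(2026, 2, 16, tzinfo=UTC)),
]
GOVERNED = [
    Governed("jdoe", owner="hr:jdoe"),
    Governed("svc-backup", owner=None),
]

if __name__ == "__main__":
    result = reconcile(OBSERVED, GOVERNED, NOW)
    for category, items in result.items():
        print(category, [i["name"] for i in items])
    print("worst detection gap (days):", worst_detection_gap_days(result))
```

Running it on the sample data reports two ungoverned accounts (a privileged CI deployer and an AI agent), one ownerless service account, and a worst detection gap of seven days. In practice the `OBSERVED` list would be fed from directory, cloud IAM and SaaS exports, and the gap metric is the number a CISO can track over time.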

If those numbers made you uncomfortable, good — that’s exactly what this series is designed to do. Identity visibility isn’t a nice-to-have. It’s the foundation that every other security control depends on. 

Coming Up Next 

Episode 2 of Through the Eyes of the Adversary features Marcus Hutchins — the security researcher who stopped the WannaCry ransomware attack and then found himself arrested by the FBI. You won’t want to miss it. 

Through the Eyes of the Adversary is a webinar series produced by Radiant Logic, exploring how real-world attackers exploit identity to compromise enterprise environments. The series is designed for security leaders, IAM practitioners, and anyone responsible for protecting organizational infrastructure. 

You can watch the full webinar on-demand here: https://www.radiantlogic.com/resource/ttea-why-identity-is-the-first-battlefield/


A Calendar Invite Just Compromised Your Endpoint, Now What? 

February 17, 2026/in Blog Anders Askasen/by Sam Erdheim

Securing Agentic AI Starts with Identity Intelligence 

Agentic AI is moving from experimentation to execution faster than most organizations are prepared for. Autonomous agents now read files, invoke tools, execute workflows, and make decisions across enterprise environments with little or no human intervention. That shift is redefining productivity, but it is also quietly redefining the security perimeter. 

The recent zero-click remote code execution vulnerability disclosed by LayerX in Claude Desktop Extensions is an early warning, not an edge case. A single calendar invite was enough to trigger a chain of autonomous decisions that resulted in full system compromise. No exploit kits. No phishing clicks. No user error in the traditional sense. 

What failed was not just a tool or a protocol. What failed was the assumption that agentic systems can be deployed safely without a foundational layer of identity intelligence. 

The Real Lesson from the Claude Desktop Incident 

The vulnerability itself was rooted in how Claude Desktop Extensions operate. MCP servers distributed through the extension marketplace ran with broad system privileges, effectively acting as execution bridges between the language model and the operating system. A low-trust input source such as a calendar entry was autonomously routed into a high-trust execution context without any enforced trust boundary, approval step, or visibility. 

Anthropic responded by stating the issue fell outside its current threat model, framing desktop extensions as local development tools. But the enterprise security community quickly recognized the broader implications. When AI agents are given autonomy, intent is no longer explicit, and authorization can no longer rely on static assumptions about user behavior. 

This was not a traditional software flaw. It was a workflow failure driven by autonomous decision-making in an identity-blind system. 

Why Agentic AI Breaks Traditional Security Models 

Security architectures have historically assumed three things: 

  • Identities are relatively static. 
  • Privilege changes are infrequent and auditable.
  • Actions are directly attributable to a human user. 

Agentic AI violates all three assumptions. 

AI agents are ephemeral by design. They spin up dynamically, act on behalf of users or systems, chain tools together, and disappear. They may operate across multiple environments in seconds, carrying delegated authority without persistent identity records or clear ownership. In many cases, security teams cannot even enumerate how many agents exist, let alone what privileges they hold. 

This creates a new class of compound risk in which human identity permissions are delegated implicitly, non-human execution contexts operate with standing privileges, and agentic decision-making determines how tools are chained together. 

Without identity intelligence, these layers blur into a single opaque workflow that security teams cannot see, govern, or audit in real time. 

MCP and A2A Are Not the Problem, but They Are Not Enough 

Protocols such as the Model Context Protocol (MCP) and Google’s Agent-to-Agent (A2A) protocol solve real integration challenges. MCP provides a standardized way for agents to access tools and data sources. A2A enables structured communication between agents across platforms and organizations. 

Both are necessary. Neither is sufficient on its own. 

MCP does not natively enforce trust tiering between connectors. A calendar integration and a terminal executor are treated as peers unless additional controls are layered on top. A2A improves authentication and task traceability between agents, but it does not govern what happens once an agent invokes a local tool with excessive privileges. 

The missing layer in both cases is identity intelligence. Protocols move data and tasks. Identity determines whether those actions should be allowed in the first place, under what conditions, and with what level of scrutiny. 

Identity Intelligence as the Control Plane for Agentic AI 

Identity intelligence goes beyond knowing that an identity exists. It provides continuous understanding of how identities are configured, how they behave, and how they interact with other identities and resources over time. 

For agentic AI, this means treating every agent, connector, and execution context as a non-human identity with defined ownership and lifecycle management, scoped privileges aligned to least-privilege principles, continuous posture assessment, and real-time behavioral observation. 

This is not theoretical. It is the same evolution security teams went through during the rise of cloud computing. Early cloud breaches were not caused by the cloud itself, but by applying perimeter-based assumptions to identity-driven environments. Agentic AI represents a similar inflection point. 

The Three Identity Problem 

Modern enterprises are now managing three concurrent identity classes: 

  1. Human identities such as employees, contractors, and partners. 33% of security incidents involve compromised privileged identities. Organizations still struggle with dormant accounts, over-privileged access, and weak authentication.
  2. Non-human identities including service accounts, APIs, and workloads. Machine identities outnumber humans by 50:1 or more. 42% have privileged access. 40% have no identifiable owner. 25% of organizations have experienced NHI-related security incidents. 
  3. Agentic AI identities that act autonomously and transiently. AI agents are expected to drive the greatest number of new privileged identities in 2026. Their non-deterministic and dynamic nature makes them harder to control than any identity type before them. 

The Claude Desktop incident exploited all three at once. A human user installed an extension. A non-human MCP server executed privileged actions. An AI agent autonomously interpreted intent and chained tools together. No single control failure explains the outcome. The risk emerged from the interaction between identity layers. 

This is why siloed identity tools are no longer sufficient. Governance, access management, and posture management must be anchored in a unified identity data foundation that spans all three identity types. 

What Securing Agentic AI Requires Moving Forward 

The industry must progress on several fronts simultaneously. 

First, trust tiering must become mandatory. Low-trust data sources should never be autonomously bridged into high-privilege execution contexts without explicit human confirmation or compensating controls. 

Second, AI agents must be governed as identities. Discovery, ownership, privilege scoping, and lifecycle controls cannot stop at service accounts. They must extend to agents that exist for milliseconds and operate across systems. 

Third, standardized sandboxing and least-privilege enforcement must be non-negotiable. The argument that agents require full system access is a false binary. Granular permission models already exist across operating systems and platforms. 

Finally, runtime observability must be treated as a security requirement, not an enhancement. Tool invocations, context flows, and cross-connector data transfers must be visible, logged, and analyzable within existing security operations workflows. 
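The trust-tiering requirement above (and the earlier observation that MCP treats a calendar connector and a terminal executor as peers unless controls are layered on top) can be made concrete with a small policy gate. This is an added illustration, not Radiant Logic, Anthropic or MCP code: each connector tags its output with a provenance tier, each tool carries a privilege tier and a minimum source tier, and the gate refuses to route lower-trust data into a higher-privilege tool unless a human approval is attached, logging every decision. Connector names, tool names and tiers are hypothetical.

```python
"""Trust-tier gate for agent tool invocations.

Added illustration (not Radiant Logic, Anthropic or MCP code). Every
connector assigns a provenance tier to the data it produces; every tool
carries a privilege tier and the minimum source tier allowed to drive it.
The gate blocks a low-trust input from driving a high-privilege tool unless
a human approval for that tool is attached, and appends each decision to an
audit log so the chain is visible afterwards. Names are hypothetical.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Set


class Tier(IntEnum):
    # Ordered so that ">=" reads as "at least this trusted".
    UNTRUSTED = 0    # external input: calendar invites, inbound mail, web pages
    INTERNAL = 1     # data from systems the organization controls
    OPERATOR = 2     # content typed by the authenticated human operator


class Privilege(IntEnum):
    READ = 0         # read-only lookups
    WRITE = 1        # modifies application data
    EXECUTE = 2      # runs commands or code on the host


@dataclass
class Message:
    connector: str                    # hypothetical connector id, e.g. "calendar"
    tier: Tier                        # provenance tier assigned by the connector
    content: str
    approvals: Set[str] = field(default_factory=set)  # tools a human approved


@dataclass
class Decision:
    allowed: bool
    reason: str


# Hypothetical tool registry: name -> (privilege, minimum source tier).
TOOLS = {
    "calendar.read": (Privilege.READ, Tier.UNTRUSTED),
    "crm.update":    (Privilege.WRITE, Tier.INTERNAL),
    "shell.exec":    (Privilege.EXECUTE, Tier.OPERATOR),
}

AUDIT_LOG: List[dict] = []


def gate(msg: Message, tool: str) -> Decision:
    """Decide whether data carried by `msg` may drive `tool`."""
    if tool not in TOOLS:
        decision = Decision(False, f"unknown tool {tool!r}")
    else:
        priv, min_tier = TOOLS[tool]
        if msg.tier >= min_tier:
            decision = Decision(True, "source tier satisfies tool requirement")
        elif tool in msg.approvals:
            decision = Decision(True, "tier crossing explicitly approved by a human")
        else:
            decision = Decision(
                False,
                f"{msg.tier.name} input cannot drive {priv.name} tool without approval",
            )
    # Every decision, allowed or not, is recorded for runtime observability.
    AUDIT_LOG.append({"connector": msg.connector, "tier": msg.tier.name,
                      "tool": tool, "allowed": decision.allowed,
                      "reason": decision.reason})
    return decision


def run_chain(msg: Message, tools: List[str]) -> List[str]:
    """Execute a planned tool chain, stopping at the first refused step."""
    executed = []
    for tool in tools:
        if not gate(msg, tool).allowed:
            break
        executed.append(tool)
    return executed


if __name__ == "__main__":
    # Constructed input: an inbound invite whose text suggests running a script.
    invite = Message("calendar", Tier.UNTRUSTED, "Reminder: run cleanup tonight")
    print(run_chain(invite, ["calendar.read", "shell.exec"]))
    print(AUDIT_LOG[-1]["reason"])
```

The design choice worth noting is that the gate keys on provenance, not on content: it does not try to detect malicious text in the invite, it simply refuses to let anything of UNTRUSTED origin reach an EXECUTE-tier tool without a recorded human approval. That is the "explicit human confirmation or compensating control" the passage calls for, and the audit log is the runtime observability requirement in its smallest form.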

The Radiant Logic Perspective 

At Radiant Logic, we have long maintained that identity is not a feature of security. It is the foundation. The agentic AI security challenge reinforces that belief. 

Our approach is built on a simple but powerful framework: 

  • Unify: Aggregate and correlate all identity data — human, non-human, and agentic — across every IAM layer into a single, enriched data model. You cannot govern what you cannot see, and you cannot see what you have not unified. 
  • Observe: Continuously monitor identity posture, access paths, and behavioral patterns in real time. Detect privilege creep, configuration drift, rogue identities, and anomalous tool-chaining behavior before attackers can exploit them. 
  • Act: Enable automated and guided remediation workflows that fix identity risks before they are exploited. Revoke excessive privileges, disable rogue accounts, and enforce least-privilege policies across the entire identity estate — including the agents that are now part of it. 

This applies equally to human, non-human, and agentic identities. Without unification, visibility is fragmented. Without observability, autonomy becomes risk. Without action, intelligence is theoretical. 

Agentic AI will continue to evolve rapidly. Protocols will mature. Vendors will add controls. But without identity intelligence as the control plane, organizations will remain one autonomous decision away from the next zero-click incident. 

Identity Intelligence Is the Prerequisite 

A calendar invite should never be able to compromise an endpoint. The fact that it can today is not an indictment of AI innovation. It is a reminder that innovation without governance creates exposure. 

Securing agentic AI does not require slowing adoption. It requires building the identity foundation that allows autonomy to operate safely. Identity intelligence is not optional in this future. It is the prerequisite. 

Radiant Logic is building that foundation so organizations can adopt agentic AI with confidence, visibility, and control. 


Identity-First Security Is Here: The Market Shift that Gartner Confirmed

January 27, 2026/in Blog Anders Askasen/by Sam Erdheim

For years, identity has been treated like plumbing: necessary, complex, and mostly ignored until something breaks. 

That era is over. 

A recent Gartner report on identity-driven cybersecurity acquisitions, titled Redefining Cybersecurity: IAM Acquisitions Cement Identity-First Security as Industry Imperative, makes something very clear: identity is no longer a supporting control. It is the foundation of a modern security strategy. No longer relied on just for authentication and access reviews, identity itself is now center stage across humans, machines, services and, increasingly, AI agents. 

What is interesting is why the market is now finally being forced to accept it. 

The Security Industry Is Buying Its Way Toward Identity 

CrowdStrike. Palo Alto Networks. ServiceNow. Delinea. Leonardo. 

The report walks through a wave of acquisitions where traditional security vendors are scrambling to add authorization, just-in-time access, policy decisioning, browser telemetry, and machine identity controls to platforms that were never designed for identity at their core.   

This isn’t random M&A. It’s a signal. 

Security vendors are discovering, sometimes painfully, that effective detection, protection and response are not possible if it is unclear who or what has access. That means not just who has access at login, but continuously, and not just for users, but for services, workloads, and autonomous agents. 

The industry is converging on identity-first security because the old perimeter models simply do not survive modern attack paths.  

The Real Problem Isn’t Missing Controls, It’s Missing Context 

One of the most important points in the Gartner research is not about acquisitions at all. It is about visibility gaps: 

  • Disconnected identity systems 
  • Siloed IAM tools 
  • Fragmented sources of truth 
  • Incomplete views of access and privilege   

This is where security teams lose. 

Attackers don’t exploit tools. They exploit relationships: 

  • Over-privileged access 
  • Stale entitlements 
  • Blind trust between systems 
  • Identities no one remembers owning 

Least-privilege enforcement depends on visibility into privilege. Attack-surface reduction depends on understanding identity sprawl. Securing AI agents depends on knowing where they exist and how they operate. 

This is not an IAM failure. It’s an identity data management problem. 

Why Identity Data Comes Before Identity Controls 

Gartner is explicit that no single converged platform solves everything. Identity-first security requires an identity fabric that connects systems, standards, and signals in real time.   

This is exactly where Radiant Logic operates. 

Radiant Logic does not replace IAM, PAM, IGA, or access platforms. We make them work better together as a system. 

By unifying identity data across directories, cloud platforms, applications, HR systems, partners, and non-human identities, Radiant Logic gives organizations something that most security stacks still lack: a single, authoritative, continuously updated view of identity and access. 

That unified identity data becomes the foundation for real visibility, meaningful observability, and coordinated remediation across tools. Without it, security platforms are forced to guess. 

Machine Identities and AI Agents Change Everything 

The report calls out a critical reality: IAM tools are not yet mature enough when it comes to AI agents, ephemeral workloads, and machine identities. Inventory, governance, access modeling, and abuse prevention continue to be problematic. 

This matters because AI does not fail slowly. 

An over-privileged autonomous agent doesn’t wait for quarterly access reviews: it moves at machine speed. 

If identity is the new perimeter, then identity data is the cyber terrain map. Organizations cannot secure what they cannot continuously observe. 

Radiant Logic’s ability to correlate human and non-human identities, model relationships, and surface risk in real-time becomes even more critical as organizations move toward agentic architectures. 

Identity-First Security Needs a Nervous System 

Gartner frames identity-first security around three principles: consistent, contextual, and continuous controls.   

Translated into practical terms, that requires: 

  • Consistent identity data across systems 
  • Contextual insight into access, behavior, and relationships 
  • Continuous observation, not point-in-time checks 

This is why Radiant Logic focuses on unifying, observing, and acting on identity data as an operational reality, not a theoretical model. 

The Takeaway: Identity-First Security Starts With Identity Data

This Gartner research doesn’t introduce a new idea. It confirms one. 

The security market is moving quickly toward identity-first architectures because the old ones are failing under real-world pressure, and the vendors making acquisitions are trying to close gaps. 

Security teams are trying to reduce risk. 

Attackers are already exploiting identity blind spots. 

Radiant Logic sits at the center of this shift, not because we followed the trend, but because the market is now catching up to the problem that identity data has been solving all along. 

Identity-first security starts with identity data. Everything else depends on it. 

© 2026 Radiant Logic, Inc. All Rights Reserved. | Privacy Policy