TL;DR: With traditional security perimeters gone, identity-first security has become the mode of governing access across people, devices, and AI agents. Strong orchestration combines least privilege, continuous monitoring, and fast recovery, while keeping humans in the loop to set guardrails and steer high-stakes decisions. As AI and automation accelerate and quantum threats loom on the horizon, resilience depends on how well organizations protect and recover identity.
The rules of security have changed. AI has strengthened our defenses, but its breakneck pace of adoption has fundamentally reshaped how we manage security. Especially identity security. The firewalls and physical infrastructure that organizations once built their defenses around no longer exist. In their place is identity, something far more dynamic and far harder to protect.
On a recent episode of the Beyond the Breach podcast, I explored what identity-first security looks like when the boundaries are gone and everything is connected and automated. How organizations govern identity, and how quickly they can restore it when something goes wrong, is becoming the defining measure of resilience.
Intelligent orchestration
For many organizations, security is a cycle of reactive firefighting driven by outages and breaches. Mature orchestration requires protecting the system of operations so the organization can absorb shocks and keep delivering outcomes. Identity sits right in the middle of that.
Identity governs who can access what, from where, under what conditions, and with what level of privilege across on-premises environments, cloud platforms, and SaaS solutions. It limits blast radius when something goes wrong and enables fast recovery when incidents inevitably occur.
Identity-first security ties together three distinct roles:
- Prevention – Implementing least privilege, enforcing strong authentication, and reducing standing administrative access
- Detection – Spotting abnormal identity behavior early, given that most major incidents involve credential misuse somewhere in the chain
- Recovery – Restoring directory and identity services quickly and confidently, because when identity is down or corrupted, everything else is affected
Organizations that can orchestrate identity well can orchestrate resilience.
An identity-first security strategy
Regardless of the technology in question, everything comes back to identity and the access it provides. Identity governance spans people, applications, devices, and now AI agents. When that foundation is strong, organizations can move quickly inside clearly defined guardrails. When that foundation is weak, the organization is exposed, and damage can easily spread.
The biggest vulnerability in AI development is excessive or misconfigured permissions. AI systems and assistants amplify whatever access they are given. Depending on what they are allowed to do, entitlements can become difficult to manage without the correct guardrails, creating risks of accidental exposure, toxic combinations of access, or AI agents taking actions they shouldn’t. The same applies to digital transformation more broadly. With hybrid clouds, SaaS sprawl, and automated applications, identity becomes the new perimeter.
Rather than defaulting to “no,” a mature identity-first security strategy says “yes, and here are the guardrails.” That requires having the means, mechanisms, and skills in place to verify things are working, and the resilience to recover quickly when they are not.
Business continuity plans need to be in place, tested regularly, and built around solutions capable of fast, secure recovery, even in scenarios where backups themselves may be compromised. AI doesn’t just read data; it can act on whatever permissions it’s been granted. Bad permissions become high-speed risks or mistakes. But when permissions are well-managed and continuously verified, identity security becomes an enabler of innovation.
The human role in autoGoverning human and machine identities togethermation
Intelligent orchestration shortens the time from signal to action. But automation does not eliminate the need for humans. If anything, the more automation is implemented, the more human judgment is needed.
Human involvement shows up in a few ways:
- Setting intent and guardrails – Automated systems can execute based on policies, but they cannot define risk appetite. People decide what blast radius is acceptable, when to automatically disable an account, and when to require human approval.
- Validating output where context matters – Correlation engines and large language models are effective at pattern detection, but they don’t understand business context. They cannot determine whether an anomalous login belongs to a CFO traveling abroad, a known maintenance window, or an administrative account being used for a sanctioned emergency.
- Handling the novel and adversarial – Attackers adapt to playbooks. They develop new tactics, techniques, and procedures in response to patched vulnerabilities. Hypothesis-driven investigation and shaping what the playbook becomes next are uniquely human capabilities.
A significant risk in any automated environment is automation drift. When an automated process becomes routine, complacency can follow. Approvals get clicked through without review, and privileges assigned to automated accounts go unchecked. Accounts and services built for automation must be treated like any other identity in the environment, subject to continual monitoring and lifecycle management.
Human oversight enables speed, and direct human intervention is reserved for high-risk actions. Automation expands what is possible. But in an identity-first security approach, human involvement ensures automated decisions are safe and correct.
Governing human and machine identities together
An AI agent must be treated like any other accountable identity in an identity-first security model. The person responsible for that agent is accountable for its actions, which means the risk register must reflect the financial and regulatory consequences of automated decision-making.
Roles and permissions for AI agents should be defined around intent and risk, not convenience. If an agent is deployed to accomplish a specific outcome, its permissions should be tightly scoped to that outcome and time-bound. For organizations building new infrastructure, least privilege and zero trust frameworks should be built in from the ground up. For those with existing systems in place, these principles can be retrofitted incrementally, starting with the highest-risk agents and extending those controls across the environment over time. The agent should be able to do that specific job, for that specific time, and nothing more.
Guardrails are one part of the equation; observability is the other part. Organizations need mechanisms to verify that guardrails have been implemented, that AI agents are accessing the right applications, modifying only what they are authorized to modify, and that a complete log of those changes exists. These agents act on behalf of a human host, operating with their own credentials, and entering corporate applications and databases as part of an automated process. To build trust, organizations need to know what identities these agents are using and how they interact with system processes.
Preparing for the quantum threat
Quantum machines are slowly emerging as long-term threats to cryptographic security, with large organizations like IBM and Google investing heavily in their development. One of their core capabilities is parallelization – performing operations simultaneously that current machines cannot.
Breaking today’s encryption with the most powerful supercomputer would take hundreds of years, rendering stolen data useless to attackers. But as quantum computing becomes viable in the next decade, encryption could be cracked at machine speed. Software supply chains would be weaponized, and entire cryptographic foundations that the world depends on would be at risk.
Threat actors are already acting in anticipation of this shift, exfiltrating large volumes of encrypted data today with the intent to decrypt it once quantum capability arrives. For organizations committed to identity-first security, this means the credentials and access policies governing data today must be treated as long-term liabilities.
The UK’s National Cyber Security Centre (NCSC) has mapped out a clear migration path to quantum safety:
- By 2028: Identify services that need upgrades and build a migration plan
- By 2031: Complete high-priority upgrades
- By 2035: Finish the full migration
By 2035, data harvested today could become actionable for attackers.
Building resilience through identity
No organization, regardless of size, can do everything alone. Just as the adversaries that organizations face rely on specialists, so too should organizations partner with specialized expertise. Finding a legacy system that needs securing, or navigating a complex migration is not a problem to solve in isolation. There are experts who can help, and engaging them is sound strategy.
If identity goes down or is compromised, transformation stops. The organizations that will be most resilient are those that treat identity as a core strategic asset, govern it intelligently, build in observability at every layer, and keep humans in the loop where it matters most.
The future belongs to organizations that master identity-first security.
