Shantanu Kulkarny

Addressing the Elephant in the Cybersecurity Room

Tags: IAM CyberSecurity

The Promise

The current generation of IGA products was built in an era when IT environments were fairly static and the workforce worked primarily from controlled network locations and on-premises facilities. IGA as a concept evolved to provide centralised control over human identity lifecycles, including automated provisioning, access certification, rudimentary RBAC, request management, and privileged access management. It also feeds other security platforms such as on-premises directories and SSO solutions. The primary focus has always been governing the access rights of employees (internal and external) and meeting regulatory compliance requirements. These products evolved adequately alongside other technologies to cater to cloud-native models and DevOps methodologies.

Largely, they still adhere to the vision of centralised identity governance, which puts all user identities across the enterprise on a single pane of glass and unifies the view of “who has access to what”. Additionally, enterprises have matured over the years to break down the legacy barriers of fragmented access provisioning and local credentials. They have also achieved ROI by reducing helpdesk costs through automation of lifecycle management and password resets, and through single sign-on. Implemented properly, IGA reduces the cost of a data breach by $180,000 on average, and according to this One Identity survey, 80% of respondents say that better identity management tools could have prevented the impact of cybersecurity breaches.

So clearly, IGA works and is an essential tool in the defense of enterprise security. True to the name, these tools continue to deliver on their promise of identity governance and administration.

But is it enough? Are these tools, primarily catering to the governance of human identities, and along with a host of adjacent security tools and technologies, sufficient to handle the threats posed by the influx of innovations in the technological landscape?

```mermaid
---
title: "A Typical IGA stack"
---
flowchart TB
    subgraph Sources["Source Systems"]
        HR[HR Systems<br/>Workday, SAP SF]
        AD[Active Directory<br/>Azure AD]
        Apps[Business Apps<br/>SAP, Oracle]
        SaaS[SaaS Apps<br/>M365, Salesforce]
    end

    subgraph IGA["Core IGA Platform"]
        Lifecycle[Identity Lifecycle<br/>Management]
        Governance[Access<br/>Governance]
        Compliance[Compliance &<br/>Reporting]
    end

    subgraph Adjacent["Adjacent Security Tools"]
        SSO[SSO/IdP<br/>Okta, Azure AD]
        PAM[PAM<br/>CyberArk]
        Cloud[Cloud IAM<br/>AWS, Azure, GCP]
    end

    subgraph Support["Supporting Tools"]
        SIEM[SIEM<br/>Splunk]
        ITSM[ITSM<br/>ServiceNow]
        GRC[GRC Platforms]
    end

    HR -->|Employee Events| Lifecycle
    Lifecycle <-->|Sync Accounts| AD
    Governance -->|Provision Access| Apps
    Governance -->|Provision Access| SaaS
    Lifecycle -->|Provision Accounts| SSO
    Governance -->|Govern Privileged| PAM
    Governance -->|Provision Roles| Cloud
    Compliance -->|Audit Logs| SIEM
    Governance <-->|Tickets & Approvals| ITSM
    Compliance -->|Compliance Data| GRC
    SSO -->|Auth Events| Governance

    style IGA fill:#9333ea,stroke:#7e22ce,color:#fff
    style Sources fill:#3b82f6,stroke:#2563eb,color:#fff
    style Adjacent fill:#10b981,stroke:#059669,color:#fff
    style Support fill:#f59e0b,stroke:#d97706,color:#fff
```

The Reality

The reality is that, even though identity-based CVEs might represent only 10-20% of all CVEs, 80% or more of actual cyberattacks still use identity-based attack methods. Many of these breaches happen because of misconfiguration (weak passwords, poor IAM hygiene, excessive permissions, etc.) rather than badly coded software. Attackers prefer identity compromise because it is easier than exploiting code vulnerabilities and, importantly, it provides legitimate-looking access, thereby reducing the chance of immediate detection.

There is a fundamental shift in the enterprise identity landscape. The numbers around the growth of Non Human Identities (NHIs) are staggering:

  • The volume of NHIs and agentic identities is estimated to cross 45 billion by the end of 2025. That is a ratio of 46 NHIs to one human identity. (Source: World Economic Forum)
  • Organisations predict an additional 20% increase in the number of NHIs they manage over the next year.

In terms of breaches, authentication and authorization vulnerabilities have consistently remained among OWASP’s top categories for over a decade. Now, due to the exponential growth of NHIs, the attack surface has exploded. For example, in 2024 alone, GitGuardian found more than 23 million API secrets uploaded to public GitHub repositories. In 2023, Okta suffered a breach that allowed attackers to gain access to the data of 134 of Okta’s customers. The issue was pinpointed to a compromised service account.

Identity-driven threats have skyrocketed since 2023, now accounting for 59% of all confirmed cases in early 2025, a 156% surge in identity-based attacks between 2023 and 2025.

The Gap

Although Saviynt, SailPoint, etc. have introduced Non-Human Identity Management (NHIM) in their IGA offerings, it has yet to be proven in the real world. Since the general industry view is that IGA ≠ NHIM, we now see an influx of products that specifically tackle the governance of NHIs. Some prominent examples include Astrix Security, Oasis Security and Entro Security. Decentralization is the need of the hour, yet what we seem to be getting is fragmentation. Add to this the fact that many enterprises spend big money on shiny new security tools only for them to go unutilised or underutilised.

CISOs identified blind spots as a key issue, with 70% of CISOs stating their existing security tools are not as effective as they could be at detecting breaches due to limited visibility.

130: that is the number of products the average enterprise has assembled to protect its infrastructure, applications and data.

The Way Forward

We can understand the need for specialized tools to address specialized issues; however, we cannot expect CISOs to keep investing time, money, and resources in implementing a new tool for every new threat. Yes, decentralization may be needed, but not at the expense of visibility or the timely surfacing of critical information to the right people. In this post, I have tried to highlight one specific aspect, NHIM, as an emerging trend that traditional IGA tools are trying to catch up with. But many more trends are emerging that need to be addressed. With their rigid entity models built around HR-driven lifecycles, inflexible account and entitlement relationships, and a lack of dynamic modeling of access, these tools seem to fall short of surfacing up-to-date, dynamic, real-world information about “who” has access to “what”.

So what is the way forward? Enterprises need to carefully evaluate tools that complement their existing IGA investment rather than fragment it, and that decentralize capabilities while preserving unified visibility across the entire identity ecosystem.
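To make the visibility gap concrete, here is an added example (not code from the post or from any IGA vendor) that runs a minimal unified inventory check over human and non-human identities. It assumes a constructed export where each record carries a kind, an accountable owner, a privileged flag, a last-used date and a credential age; it reports the NHI-to-human ratio discussed above and flags the NHI conditions a governance review would want surfaced.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Identity:
    name: str
    kind: str                 # "human" or "nhi" (service account, API key, workload identity)
    owner: Optional[str]      # accountable human; None when nobody claims the identity
    privileged: bool
    last_used: date
    credential_age_days: int  # days since the secret/key was last rotated

# Constructed sample inventory (hypothetical names, not real accounts).
INVENTORY = [
    Identity("alice", "human", "alice", False, date(2025, 6, 1), 30),
    Identity("svc-ci-deploy", "nhi", "alice", True, date(2025, 6, 1), 400),
    Identity("svc-legacy-report", "nhi", None, True, date(2024, 1, 15), 900),
    Identity("apikey-crm-sync", "nhi", "bob", False, date(2025, 5, 20), 45),
    Identity("bot-slack-notify", "nhi", None, False, date(2025, 5, 30), 60),
]
REVIEW_DATE = date(2025, 6, 15)  # constructed "today" for the review run

def nhi_ratio(inventory):
    """NHIs per human identity (the post cites roughly 46:1 industry-wide)."""
    humans = sum(1 for i in inventory if i.kind == "human")
    nhis = sum(1 for i in inventory if i.kind == "nhi")
    return nhis / humans if humans else float("inf")

def findings(inventory, today, stale_days=90, max_cred_age=365):
    """Return (identity name, reason) pairs for NHIs needing governance action."""
    out = []
    for i in inventory:
        if i.kind != "nhi":
            continue
        if i.owner is None:
            out.append((i.name, "no accountable owner"))
        idle = (today - i.last_used).days
        if i.privileged and idle > stale_days:
            out.append((i.name, f"privileged and unused for {idle} days"))
        if i.credential_age_days > max_cred_age:
            out.append((i.name, f"credential older than {max_cred_age} days"))
    return out

if __name__ == "__main__":
    print(f"NHI:human ratio = {nhi_ratio(INVENTORY):.0f}:1")
    for name, reason in findings(INVENTORY, REVIEW_DATE):
        print(f"{name}: {reason}")
```

The thresholds (90 idle days, 365-day credential age) are assumptions chosen for the example; a real review would take them from the organisation's own policy.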
