The Critical Role of CISOs in Managing IAM, Including NHIs

Who Should Own IAM in the Enterprise?

Identity and access management (IAM) started as an IT function, focused entirely on giving human users the right access to the right systems. But today, identity has become the primary attack surface, with at least 80% of all modern breaches involving compromised or stolen identities from adversaries who exploit poor identity. This reality has moved the responsibility for risk onto the shoulders of the team tasked with protecting the organization from attacks, namely security, which ultimately means the CISO.

However, there’s a major blind spot in this conversation: non-human identities (NHIs). This is a critical oversight. NHIs now outnumber humans by a factor of at least 45 to 1 in the enterprise, with some estimates as high as 100 to 1. As organizations accelerate to deliver more code and products faster than ever, the number of these machine identities, such as service accounts, APIs, and automated workloads, will keep growing and widen this imbalance. LLMs and the rapid adoption of new coding assistants and AI productivity tools will only accelerate this trend.

This article has been indexed from DZone Security Zone
