When Security Teams Inherit Identity Management

Summary
– Organizations often treat identity as a reactive IT problem, with the conversation shifting to a strategic risk only after a security incident occurs, though remote work has increased awareness.
– Identity platforms are complex and prioritize usability over security by default, making them difficult for small and medium businesses without dedicated identity staff to secure properly.
– The industry wrongly assumes phishing-resistant authentication is too difficult for users, but people are more adaptable than expected, and securing 90% of users is better than waiting for a perfect solution.
– Controlling agentic AI is an identity challenge, but current systems lack guardrails for non-human identities, so short-term fixes rely on endpoint controls and limiting user permissions.
– The identity architect role requires understanding both SOC and IT systems, and professionals must now learn about AI to address non-human identities and agentic systems, even if it was not required before.
At the Span Cyber Security Arena conference, I spoke with Eric Woodruff, Chief Identity Architect at Semperis, about how organizations misjudge identity management and the security risks that follow. He offered insights on common identity pitfalls, why platforms often fail, the real-world resistance to phishing-resistant authentication, and the emerging challenges of non-human identities and AI.
Many boards still view identity as an IT housekeeping task, not a strategic security risk. What shifts that mindset? Woodruff notes that too often, the change comes only after a breach. “Instead of something proactive, it becomes reactive,” he says. However, he sees a cultural shift underway, with some security teams now absorbing Active Directory or Entra responsibilities. This integration helps reframe identity as a security priority. While progress is slower than he’d like, the pandemic-driven shift to remote work has accelerated awareness over the last five to six years.
Identity platforms often overpromise and underdeliver due to sheer complexity. Woodruff explains that in many organizations, the identity role is just one of many hats worn by a generalist IT or security staffer. “The platforms themselves are not easy. The standards aren’t easy to understand,” he says. Setup wizards lean toward usability over security by default, leaving environments vulnerable unless organizations invest heavily in expertise. A further complication: security teams accustomed to working behind the scenes must now interact with end users frequently, and missteps can occur when they adjust identity settings without understanding the domain’s nuances.
One widely accepted practice Woodruff challenges is the belief that moving to phishing-resistant authentication, like passkeys or Windows Hello for Business, is too hard. Enterprises often resist, fearing user confusion or demanding a 100% solution. “If we can go phishing-resistant for 90% of our users, then that’s 90% of our users who aren’t going to be phished,” he argues. He believes organizations underestimate users’ willingness to adapt, pointing to consumer apps like Amazon that enforce MFA without backlash. The real problem, he says, is a failure to recognize that people are more flexible than assumed.
Will this attitude improve? Woodruff isn’t sure. He recalls similar resistance to traditional MFA six or seven years ago, where fears of user backlash proved unfounded. “It’s almost like nobody learned,” he says. He advises security teams to communicate the why behind changes in clear, non-technical terms. “End users don’t need to understand everything threat actors are doing. They just need to understand the danger and what the worst-case outcome could be.” Sharing real-world examples of phishing incidents can make the risk feel personal, countering the “it won’t happen to me” mentality.
On agentic AI, Woodruff points out that most systems are still designed to act on behalf of the user, with few guardrails enforcing non-human identities (NHIs). Even if NHIs are issued, users can often override them. “People will try to create guardrails, but ultimately, if you tell the AI you want something done differently, it will often follow that instruction,” he warns. Until better standards emerge, the short-term fix is endpoint controls and limiting user permissions. He cites real-world examples of AI accidentally deleting databases or causing other damage.
Regarding AI’s broader cybersecurity impact, Woodruff falls into the “not a big deal” camp for now. While some models can be manipulated to emulate threat actors, he believes much of the fear is marketing. He also notes that consumption-based pricing could raise costs for malicious actors, potentially limiting their AI usage. “It’s still too early to tell,” he says, adding that it’s easy to market fear around these technologies.
Looking five years ahead, Woodruff sees the Chief Identity Architect role as a bridge between IT and security, akin to a Chief Identity Officer. The ideal candidate must understand SOC operations, IT infrastructure, and even device management, as signals from various systems feed into identity security. While many identity professionals once came from system administration, newer graduates with cybersecurity degrees often lack deep identity training. “Organizations need to take identity more seriously,” he stresses. Not every company needs a Chief Identity Architect, but most should have an identity architect or engineer with hands-on experience in Active Directory, Entra, or Okta. The required skill set will remain broad, but AI literacy is now non-negotiable. “Whether you like it or not, you need to understand it,” Woodruff concludes, advocating for direct, hands-on learning as the fastest path to competence.
(Source: Help Net Security)