Identity at the Core of Cyber Resilience

Written by Kirey | Aug 8, 2025 7:17:26 AM

By Roberto Marzocca, Head of Cybersecurity, Kirey

Identity is no longer just one of many domains to be monitored by cybersecurity: it has become the new digital perimeter, a foundation of trust and, at the same time, a prime target for cybercriminals. 

In a world where the boundaries between users and machines are becoming increasingly blurred, where AI agents interact with enterprise systems and human trust is challenged by deepfakes and impersonations, the ability to verify who—or what—is behind an access request has become critical. 

Identity is the key to accessing, navigating, and leveraging enterprise resources over the long term. In this sense, the data speaks for itself: according to CyberArk, 90% of organizations have suffered at least two identity-related breaches in the past year, and 83% have paid a ransom to recover data. 

At the same time, users are weary of managing passwords and constant verifications, while companies struggle to keep pace with digital transformation, grappling with fragmented identity infrastructures. 

It’s time to adopt an Identity-First approach — one that places the management and protection of access to data, applications, and increasingly, GenAI models, at the center. But how can this be put into practice? In today’s evolving landscape, four key steps stand out. 

The End of Passwords

The first transformation on the horizon is the demise of passwords. Their decline is inevitable: credential abuse is on the rise, fueled by AI, which, while supporting defense, also enables more sophisticated attacks. The shift toward technologies like passkeys is already accelerating in sectors such as telecommunications, fintech, and big tech. Authentication must become adaptive, passwordless, capable of recognizing behavioral anomalies in real time, and extend verification not only to people but also to devices, applications, and autonomous agents.

We Must Not Underestimate the Role of Machines

Today, for every human identity, there are at least 80 machine identities, and soon that number will reach 100. If these identities are not systematically protected, the risk of exploitation increases exponentially. Compromising a service account can mean gaining privileged access to sensitive resources and moving undetected across cloud infrastructures. Yet only 37% of companies consider machine identities “privileged”, a costly oversight. Too often, we forget that an application can access vast amounts of data and systems, expanding the attack surface and enabling lateral movement by attackers.

Access Must Be Redefined in Light of AI

Artificial intelligence is revolutionizing access management: it introduces advanced monitoring, intelligent anomaly detection, and adaptive governance. It’s no longer just about defense, but about anticipating and adapting to threats. However, the security of AI systems and their machine identities becomes equally critical. If manipulated, AI can be induced to run queries, make API calls, or access network systems, with jailbreak success rates on some models approaching 100%. The stakes are incredibly high, and understanding the “friend-or-foe” dynamic of these tools is essential.

Going Beyond IAM

Many organizations believe that implementing an IAM system means they’ve solved the identity problem. That’s not the case. Traditional IAM only determines who can access what; true identity protection involves understanding how exposed, monitored, exploitable, or compromised that identity is. A user may be authorized, but if their credentials are stolen, access is technically legitimate but malicious. Operational identity protection must integrate behavioral security, dynamic privilege control, and anomaly detection. Only in this way can we reduce the attack surface, eliminate unnecessary privileges, manage just-in-time access, monitor in real time, and strengthen audit and compliance.

Security and Business Continuity: A Goal to Achieve

At its most basic, identity security can be seen as a set of technologies and practices that detect, prevent, and respond to identity-based attacks. But the truth is, it’s much more than that: it must be a continuous process, a proactive and intelligent approach designed to anticipate and prevent issues before they become full-blown incidents. 

Ensuring secure access in a way that allows organizations to maintain productivity and collaboration without compromise is perhaps the most challenging aspect of today’s landscape. Yet by embracing the principles of passwordless verification, machine identity governance, the evolutionary use of AI, and a shift from identity management to identity protection, organizations can significantly strengthen their security posture, reduce the impact of identity-related threats, and build a more resilient digital future. 

Identity is at the heart of digital transformation, but also its most vulnerable point. Understanding this complex paradigm is the first step toward achieving greater business continuity.