Identity security future — what comes after traditional IAM

For a decade, the security community has used the phrase "identity is the new perimeter" as shorthand for a simple observation: as enterprise environments moved to the cloud and the traditional network boundary dissolved, controlling what identities could access what resources became the primary security control that mattered. The incumbents of identity and access management — Okta, Microsoft, CyberArk, SailPoint — built large businesses on this shift. But a new disruption is underway, and the companies that will define the next era of identity security are still being built.

The disruption has two drivers that are tightly interconnected. The first is the explosive growth of non-human identities — machine accounts, service principals, API keys, AI agents, IoT devices, and automated pipelines — that now substantially outnumber human identities in most enterprise environments. The second is the increasing sophistication of identity-targeting attacks, driven by AI-powered tools that can phish, clone, and manipulate human identities at scale while simultaneously exploiting the governance gaps in non-human identity management.

Traditional IAM platforms were designed for human users, and their governance models reflect that design. They are remarkably well-evolved for their original purpose and still essential. What they are not designed for is the new reality where identity management must cover millions of non-human identities with wildly heterogeneous characteristics, lifecycles, and risk profiles.

The Non-Human Identity Explosion

The scale of the non-human identity problem is difficult to overstate. A typical mid-size enterprise with a few thousand human employees may have tens or hundreds of thousands of non-human identities in its environment: service accounts in Active Directory, OAuth tokens issued to SaaS integrations, API keys for third-party services, AWS IAM roles, Kubernetes service accounts, CI/CD pipeline credentials, and increasingly, identity credentials issued to AI agents and orchestration systems.

These non-human identities are poorly governed by most organizations. A 2024 survey by the Identity Defined Security Alliance found that the average enterprise has no visibility into 40% of the non-human identities in its environment. Of the identities that are known, a substantial fraction have excessive privileges, credentials past their intended expiry that are still accepted, or no rotation policy. Many were created for specific projects and never cleaned up.

The security implications are severe. Adversaries who compromise a single non-human identity — through credential theft from a developer's workstation, exploitation of a dependency chain, or discovery of a hardcoded secret in a public code repository — can often pivot to significant access within the enterprise environment. Unlike human identity compromises, non-human identity compromises are extremely difficult to detect because the behavior of a service account after compromise may look largely similar to its behavior before compromise.

The AI dimension makes this problem substantially more acute. As enterprises deploy AI agents with broad tool access, each agent represents a non-human identity with potentially significant access to enterprise systems. An AI agent that can read internal documents, send emails, access databases, and execute code represents an enormously high-value target. The governance frameworks that enterprises have built for traditional service accounts were not designed with AI agent characteristics in mind.

AI-Powered Identity Attacks

While non-human identity governance represents a structural gap that enterprises have not yet closed, the threat to human identities is also evolving in ways that challenge the defenses built around traditional IAM. The driver is the application of AI to the attack techniques that have always targeted human identity — phishing, social engineering, credential theft — at a scale and level of personalization that was not previously achievable.

AI-powered spear phishing represents a qualitative improvement over previous phishing techniques. Where traditional phishing relied on volume and generic templates, AI-powered phishing can generate personalized messages that reference the target's recent activities, professional relationships, and interests — information scraped from public sources and synthesized by language models into highly convincing communications. The barriers to personalized social engineering attacks have collapsed.

Deepfake-assisted fraud represents a related threat that is already being used in real attacks. In several documented cases, attackers have used AI-generated audio and video of executives to instruct employees to take actions — transferring funds, disclosing credentials, modifying access controls — that they would not have taken on the basis of text communication alone. Voice cloning from public audio samples has become a commodity capability.

Session token theft remains a workhorse attack technique that traditional MFA does not fully address. Adversary-in-the-middle frameworks that capture authentication cookies after MFA completion have been used in attacks against organizations with robust MFA policies. AI-powered tooling has made these attacks faster to configure and harder to detect. The security community's response — phishing-resistant MFA based on hardware security keys or passkeys — is effective but adoption has been slow.

What Comes After Traditional IAM

The successor to traditional IAM is not a single product category but a convergence of several emerging capabilities. We think about the next generation of identity security across three dimensions: non-human identity management, continuous identity risk assessment, and identity threat detection and response.

Non-human identity management is the most immediate need. Enterprises need platforms that can discover, inventory, classify, and govern non-human identities with the rigor currently applied to human identities — including lifecycle management (creation, rotation, and deprovisioning), privilege management (right-sizing permissions based on actual usage), and anomaly detection (identifying non-human identities whose behavior deviates from their expected operational pattern). The AI agent dimension adds urgency: as enterprises deploy more AI systems with real-world action capabilities, the governance infrastructure for AI agent identities needs to exist before the deployment, not after.

Continuous identity risk assessment moves beyond the point-in-time access reviews that traditional IAM supports. In a continuously assessed model, every identity in the enterprise has a dynamic risk score that reflects its current behavior, recent access patterns, privilege level relative to normal, and contextual factors like time of day, location, and device posture. Access decisions are made in real time based on this risk score rather than on static permissions that were last reviewed months or years ago. This model is more resource-intensive to implement but substantially more effective at catching the identity-based attacks that evade static controls.

Identity threat detection and response represents the convergence of identity management with security operations. Traditional security operations centers monitor network, endpoint, and log data for indicators of compromise. Identity threat detection and response systems monitor the identity fabric itself — detecting credential theft, privilege escalation, lateral movement using stolen credentials, and anomalous access patterns that indicate a compromised identity. The most sophisticated systems correlate identity events across human and non-human identities to detect coordinated attack chains that span multiple identity types.

The Vendor Landscape and the Startup Opportunity

The incumbent IAM platforms are responding to these challenges with product extensions, acquisitions, and partnerships. Microsoft's identity platform, Okta's workforce and customer identity products, CyberArk's privileged access management platform, and SailPoint's identity governance tools all have significant customer bases and are investing in capabilities to address the non-human identity and AI agent challenges.

But incumbent platforms optimizing their existing architectures to cover new use cases move more slowly than purpose-built solutions designed for the new reality from the ground up. We have seen compelling early-stage companies building specifically for non-human identity management in cloud-native environments, AI agent identity governance, continuous identity risk scoring, and identity threat detection and response. These startups have the advantage of architectural clarity — they are not constrained by the design decisions their incumbent competitors made when the world looked very different.

The market opportunity is substantial. Identity and access management is already a multi-billion dollar market, and the expansion to non-human identities, AI agents, and continuous risk assessment represents a significant expansion of the addressable market. Enterprises that have spent years and significant resources building their identity programs are motivated buyers for solutions that extend those programs to cover the new attack surface.

Guidance for Enterprise Security Leaders

For CISOs and security architects who are assessing their identity security posture, we offer several recommendations. First, conduct a comprehensive non-human identity audit. Most organizations have significant gaps in their visibility into service accounts, API keys, and automation credentials. Understanding what non-human identities exist, what access they hold, and whether that access is still justified is the prerequisite for meaningful improvement.

Second, prioritize AI agent identity governance as an immediate concern rather than a future one. If your organization is deploying AI tools that take actions in enterprise systems, those AI systems need well-governed identities with least-privilege access, rotation policies, and behavioral monitoring. This is not a future best practice — it is a current security requirement.
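A concrete shape for the non-human identity audit above (and for the lifecycle, right-sizing and agent-governance points in the earlier section), as an added illustration that is not part of the original post: each identity is checked for an accountable owner, staleness, granted-but-unused permissions and credential rotation, and an AI agent with action capability is weighted higher in the resulting cleanup ranking. The inventory, permission names, weights and thresholds are constructed for the example, not taken from any real environment or product.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Optional
NOW = datetime(2025, 1, 15)  # fixed "now" so the constructed sample data stays stable
@dataclass
class NonHumanIdentity:
    name: str
    kind: str                     # "aws_iam_role", "k8s_sa", "api_key", "ai_agent", ...
    owner: Optional[str]          # None = nobody accountable for it
    granted: FrozenSet[str]       # permissions the identity holds
    used_90d: FrozenSet[str]      # permissions actually exercised in the last 90 days
    last_used: datetime
    credential_created: datetime
    rotation_days: Optional[int]  # None = no rotation policy at all
WEIGHTS = {"no_owner": 2, "stale": 3, "over_privileged": 3, "no_rotation_policy": 2, "rotation_overdue": 4}
KIND_MULTIPLIER = {"ai_agent": 2.0}  # agents that take real-world actions are weighted up (assumed weights)
def audit(nhi, now=NOW, stale_days=90, unused_ratio=0.5):
    """Governance findings for one identity: ownership, lifecycle, privilege right-sizing."""
    findings = []
    if nhi.owner is None:
        findings.append("no_owner")
    if (now - nhi.last_used).days > stale_days:
        findings.append("stale")
    unused = nhi.granted - nhi.used_90d  # granted but never exercised -> candidates for removal
    if nhi.granted and len(unused) / len(nhi.granted) >= unused_ratio:
        findings.append("over_privileged")
    if nhi.rotation_days is None:
        findings.append("no_rotation_policy")
    elif (now - nhi.credential_created).days > nhi.rotation_days:
        findings.append("rotation_overdue")
    return findings
def risk_score(nhi, now=NOW):
    """Weighted sum of findings, scaled by identity kind; higher means review first."""
    return sum(WEIGHTS[f] for f in audit(nhi, now)) * KIND_MULTIPLIER.get(nhi.kind, 1.0)
def prioritize(inventory, now=NOW):
    """Rank an inventory for a cleanup pass, highest risk first: (name, score, findings)."""
    return sorted(((n.name, risk_score(n, now), audit(n, now)) for n in inventory), key=lambda r: -r[1])

INVENTORY = [  # constructed sample: a healthy CI role, an orphaned legacy key, an over-privileged AI agent
    NonHumanIdentity("ci-deploy", "aws_iam_role", "platform-team",
                     frozenset({"s3:PutObject", "ecs:UpdateService"}), frozenset({"s3:PutObject", "ecs:UpdateService"}),
                     datetime(2025, 1, 14), datetime(2024, 12, 20), 90),
    NonHumanIdentity("legacy-report-key", "api_key", None,
                     frozenset({"db:read", "db:write", "db:admin", "mail:send"}), frozenset({"db:read"}),
                     datetime(2024, 6, 1), datetime(2022, 3, 1), None),
    NonHumanIdentity("support-agent", "ai_agent", "ai-platform",
                     frozenset({"tickets:read", "tickets:write", "mail:send", "code:exec"}), frozenset({"tickets:read", "tickets:write"}),
                     datetime(2025, 1, 15), datetime(2024, 9, 1), 30),
]
```

Running `prioritize(INVENTORY)` puts the AI agent first: its credential is well past its 30-day rotation window and half of its grants (including code execution) were never used, which is exactly the combination the text says agent governance must catch before deployment, not after.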

Third, evaluate phishing-resistant MFA deployment for your highest-risk user populations. Security keys or passkey-based authentication for privileged users, executives, and employees with access to sensitive systems significantly reduces exposure to credential phishing attacks, even sophisticated AI-powered ones. The deployment friction is real but manageable, and the risk reduction is significant.

Fourth, engage with the emerging category of identity threat detection and response tools. Your SIEM and EDR systems provide important visibility, but they were not designed to detect the identity-specific attack patterns that are increasingly how enterprise breaches begin. A dedicated identity threat detection capability fills a meaningful gap in most security architectures. Learn more about our portfolio companies working on these challenges.

Key Takeaways

  • Non-human identities — service accounts, API keys, AI agents — now outnumber human identities in most enterprises and are significantly under-governed
  • AI-powered phishing, deepfake fraud, and session token theft are advancing identity attacks against human users beyond what traditional MFA defends
  • The next generation of identity security spans three dimensions: non-human identity management, continuous identity risk assessment, and identity threat detection and response
  • AI agent identity governance is an immediate security requirement as enterprises deploy AI systems with real-world action capabilities
  • Purpose-built startups have architectural advantages over incumbent IAM platforms in addressing non-human identity and AI agent use cases
  • Phishing-resistant MFA (hardware security keys or passkeys) is the highest-priority control for protecting high-risk human identities