Enterprises still aren’t getting IAM right


Despite all the warnings, and constant news of devastating cyberattacks, enterprise users are still cutting corners when it comes to identity and access management (IAM).

Nearly two-thirds (63%) of cybersecurity leaders admit their employees continue to bypass security controls so they can work faster, according to new research by security company CyberArk. Furthermore, enterprises are struggling to establish access policies for emerging AI agents and other agentic tools.

This seems to strongly implicate identity and privilege control as central to operational risk.

“The data points to a cultural pattern where immediate productivity wins often outweigh long‑term security posture,” said Charles Chu, GM of IT and developer solutions at CyberArk. “It is clear that security is still perceived as something that slows people down.”

Privileged access management inadequate

CyberArk surveyed 500 leaders involved in privileged access management (PAM) in identity and infrastructure roles, including DevOps engineers, security managers, cloud security architects, database managers, site reliability and software engineers, and IT support specialists.

They report that in their organizations:

Just 1% have fully implemented a modern just-in-time (JIT) privileged access model;

91% say at least half of their privileged access is always-on (standard privilege), providing unrestricted, persistent access to sensitive systems;

45% apply the same privileged access controls to human and AI identities;

33% lack clear AI access policies.

The research also revealed a growing issue with “shadow privilege,” accounts and secrets that are unmanaged, unnecessary, and unknown to cybersecurity leaders. CyberArk found that 54% of organizations uncover these types of accounts and secrets every week.

This suggests that access ownership is “diffuse,” Chu noted. “If no one feels responsible for continuously pruning and governing privileged access, it naturally accumulates.” Added to that is the fact that the majority of organizations (88%) manage multiple identity tools, which “creates confusion about who has authority and which system is the source of truth.”

The riskiest human behaviors

CyberArk identified several of the riskiest human behaviors in access management, including:

Copying credentials into personal password managers, chat apps, or email, because the “official” process is slower.

Spinning up cloud resources or test environments with privileged access outside central controls.

Using shared admin accounts or recycling similar passwords/tokens across systems and environments.

Leaving always-on access in place “just in case,” even when those elevated privileges are only required occasionally.

“Employees bypass controls for very human reasons,” Chu acknowledged. “They’re under pressure to move fast, and the security tools that they are required to use are often not user-friendly and conflict with how they actually get work done.”

This leads to ad‑hoc local admin creation, and long‑lived IAM roles and API keys that “no one revisits.”

AI is only exacerbating the problems. Users paste keys, logs, or configuration files into AI tools, unintentionally exposing secrets, Chu noted. AI can also deploy apps and alter systems faster than existing controls can keep up, so engineers tend to work around the controls. Further, AI systems and agents are increasingly acting on behalf of users in ways not yet fully visible to security teams. This makes risky shortcuts even more difficult to detect.

“The net effect is that the gap between what the policy says and what actually happens in production is widening,” said Chu.

Give AI agents unique identities

The bottom line: AI agents operate quite differently than human users. As well as being speedier, they work continuously and touch multiple systems and data sets in a single workflow. They present a unique risk because they can very quickly execute large numbers of privileged actions.

With this in mind, security teams should treat AI agents as distinct identities with their own access controls, Chu advised. Every individual agent should be assigned a dedicated identity and credentials, with tightly-scoped permissions for specific systems and data sets. Short-lived tokens should take the place of long-lived keys, and elevated rights should only be granted just in time, and for specific tasks. Further, all actions taken by AI agents should be logged and attributable.

Just as with humans, reduced standing access, better visibility, and strong governance must be “applied explicitly and consistently” to AI, Chu noted.

JIT is hard to implement

JIT is a technique that grants select permissions only when required, for a specific purpose, and for a limited period of time. When users or systems request access, they receive a “time-bound and scope-limited” set of privileges, allowing them to perform the required task, then automatically “return to a lower baseline,” Chu explained.

“Every step is logged so that organizations can see who or what has powerful access and why,” he said.
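The JIT model Chu describes (time-bound, scope-limited elevation over a low baseline, with every step logged) and the per-agent identity with short-lived credentials recommended in the previous section, as an added illustration that is not from the article or from CyberArk; the broker class, identity names and permission strings are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Grant:                 # one time-bound, scope-limited elevation
    identity: str            # a human user or an AI agent, each with its own identity
    scope: frozenset         # only the permissions the task needs
    purpose: str
    expires_at: datetime

class JitBroker:             # hypothetical broker, not a real product's API
    def __init__(self, baseline, max_ttl_minutes=30):
        self.baseline = baseline   # standing permissions per identity, kept minimal
        self.max_ttl = timedelta(minutes=max_ttl_minutes)
        self.grants, self.audit_log = [], []   # every step is logged: who, what, why
    def _log(self, event, identity, **details):
        self.audit_log.append({"event": event, "identity": identity, **details})
    def request(self, identity, scope, purpose, ttl_minutes, now):
        ttl = timedelta(minutes=ttl_minutes)   # elevation for a bounded time only
        if ttl > self.max_ttl:
            self._log("denied", identity, reason="ttl exceeds policy maximum")
            return None
        grant = Grant(identity, frozenset(scope), purpose, now + ttl)
        self.grants.append(grant)
        self._log("granted", identity, scope=sorted(scope), purpose=purpose,
                  until=grant.expires_at.isoformat())
        return grant
    def effective_permissions(self, identity, now):
        perms = set(self.baseline.get(identity, ()))   # automatic return to baseline
        for g in [g for g in self.grants if g.identity == identity]:
            if now >= g.expires_at:
                self.grants.remove(g)
                self._log("expired", identity, scope=sorted(g.scope))
            else:
                perms |= g.scope
        return perms
    def authorize(self, identity, action, now):   # attributable allow/deny per action
        allowed = action in self.effective_permissions(identity, now)
        self._log("allow" if allowed else "deny", identity, action=action)
        return allowed

def demo_scenario():   # constructed walkthrough: an agent gets 15 min of scoped write access
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker({"deploy-agent-01": {"read:config"}}, max_ttl_minutes=30)
    too_long = broker.request("deploy-agent-01", {"write:prod-db"}, "migration", 120, t0)
    grant = broker.request("deploy-agent-01", {"write:prod-db"}, "migration", 15, t0)
    during = broker.authorize("deploy-agent-01", "write:prod-db", t0 + timedelta(minutes=10))
    after = broker.authorize("deploy-agent-01", "write:prod-db", t0 + timedelta(minutes=16))
    return too_long, grant, during, after, [e["event"] for e in broker.audit_log]
```

The audit log from `demo_scenario()` shows the full lifecycle: an over-long request denied, a scoped grant issued, an allowed action while it is live, the grant expiring, and the same action denied once the agent has returned to its baseline.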

But JIT remains difficult to realize in practice, Chu noted, resulting in a heavy reliance on standing privileges, even as enterprises are fully aware of how risky that practice is.

A number of factors are to blame, he said: IT teams can be hesitant to make changes to legacy systems for fear of disruption, and complex IT environments comprising on-premises infrastructure, multiple clouds, and SaaS applications can complicate implementation. Some teams also worry that JIT can slow down incident response or other routine practices.

Adding to the challenges, existing cybersecurity tools haven’t been designed for highly complex enterprise environments, Chu said. “That combination points to fragmentation: There is plenty of tooling, but not enough unified visibility and control.”

How enterprises can protect themselves

Today’s enterprises need security that is built around centralized identity, least privilege, and automation, Chu emphasized. This means strong single sign‑on (SSO) with multi‑factor authentication (MFA) and contextual policies; modern secret management for passwords, keys, and tokens for both humans and machines; privileged access capabilities that can issue short‑lived access on demand with full logging; and analytics that stitch together activity across human accounts, service accounts, and AI agents.

From a cultural perspective, organizations should establish clearer ownership of identity and privilege management, shared goals, and top-down messaging around cybersecurity practices, he said.

Also, critically, organizations must adopt tools that easily integrate into existing processes and workflows, thus reducing friction and reducing user workarounds. “The key to effective implementation is to make security as invisible as possible to the user as they do their daily work,” Chu asserted.