{"id":15438,"date":"2026-01-09T04:26:50","date_gmt":"2026-01-09T04:26:50","guid":{"rendered":"https:\/\/newestek.com\/?p=15438"},"modified":"2026-01-09T04:26:50","modified_gmt":"2026-01-09T04:26:50","slug":"enterprises-still-arent-getting-iam-right","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15438","title":{"rendered":"Enterprises still aren\u2019t getting IAM right"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Despite all the warnings, and constant news of <a href=\"https:\/\/www.csoonline.com\/article\/4110008\/top-cyber-threats-to-your-ai-systems-and-infrastructure.html\" target=\"_blank\">devastating cyberattacks<\/a>, enterprise users are still cutting corners when it comes to identity and access management (IAM).<\/p>\n<p>Nearly two-thirds (63%) of cybersecurity leaders admit their employees continue to bypass security controls so they can work faster, according to <a href=\"https:\/\/www.cyberark.com\/press\/new-study-only-1-of-organizations-have-fully-adopted-just-in-time-privileged-access-as-ai-driven-identities-rapidly-increase\/\" target=\"_blank\" rel=\"noreferrer noopener\">new research<\/a> by security company CyberArk. 
Furthermore, enterprises are struggling to establish access policies for emerging AI agents and other agentic tools.<\/p>\n<p>This seems to strongly implicate identity and privilege control as central to operational risk.<\/p>\n<p>\u201cThe data points to a cultural pattern where immediate productivity wins often outweigh long\u2011term security posture,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/charleshchu\" target=\"_blank\" rel=\"noreferrer noopener\">Charles Chu<\/a>, GM of IT and developer solutions at CyberArk. \u201cIt is clear that security is still perceived as something that slows people down.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"privileged-access-management-inadequate\">Privileged access management inadequate<\/h2>\n<p>CyberArk surveyed 500 leaders involved in privileged access management (PAM) in identity and infrastructure roles, including DevOps engineers, <a href=\"https:\/\/www.csoonline.com\/article\/4110151\/cybersecurity-leaders-resolutions-for-2026.html\" target=\"_blank\">security managers<\/a>, cloud security architects, database managers, site reliability and software engineers, and IT support specialists.<\/p>\n<p>They report that in their organizations:<\/p>\n<ul class=\"wp-block-list\">\n<li>Just 1% have fully implemented a modern just-in-time (JIT) privileged access model;<\/li>\n<li>91% say at least half of their privileged access is always-on (standard privilege), providing unrestricted, persistent access to sensitive systems;<\/li>\n<li>45% apply the same privileged access controls to human and AI identities;<\/li>\n<li>33% lack clear AI access policies.<\/li>\n<\/ul>\n<p>The research also revealed a growing issue with \u201cshadow privilege,\u201d accounts and secrets that are unmanaged, unnecessary, and unknown to cybersecurity leaders. 
CyberArk found that 54% of organizations uncover these types of accounts and secrets every week.<\/p>\n<p>This suggests that access ownership is \u201cdiffuse,\u201d Chu noted. \u201cIf no one feels responsible for continuously pruning and governing privileged access, it naturally accumulates.\u201d Added to that is the fact that the majority of organizations (88%) manage multiple identity tools, which \u201ccreates confusion about who has authority and which system is the source of truth.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-riskiest-human-behaviors\">The riskiest human behaviors<\/h2>\n<p>CyberArk identified several of the riskiest human behaviors in access management, including:<\/p>\n<ul class=\"wp-block-list\">\n<li>Copying credentials into personal password managers, chat apps, or email, because the \u201cofficial\u201d process is slower.<\/li>\n<li>Spinning up cloud resources or test environments with privileged access outside central controls.<\/li>\n<li>Using shared admin accounts or recycling similar passwords\/tokens across systems and environments.<\/li>\n<li>Leaving always-on access in place \u201cjust in case,\u201d even when those elevated privileges are only required occasionally.<\/li>\n<\/ul>\n<p>\u201cEmployees bypass controls for very human reasons,\u201d Chu acknowledged. \u201cThey\u2019re under pressure to move fast, and the security tools that they are required to use are often not user-friendly and conflict with how they actually get work done.\u201d<\/p>\n<p>This leads to ad\u2011hoc local admin creation, and long\u2011lived IAM roles and API keys that \u201cno one revisits.\u201d<\/p>\n<p>AI is only exacerbating the problems. Users paste keys, logs, or configuration files into AI tools, unintentionally exposing secrets, Chu noted. AI can also deploy apps and alter systems faster than existing controls can keep up, so engineers tend to work around the controls. 
Further, AI systems and agents are increasingly acting on behalf of users in ways not yet fully visible to security teams. This makes risky shortcuts even more difficult to detect.<\/p>\n<p>\u201cThe net effect is that the gap between what the policy says and what actually happens in production is widening,\u201d said Chu.<\/p>\n<h2 class=\"wp-block-heading\" id=\"give-ai-agents-unique-identities\">Give AI agents unique identities<\/h2>\n<p>The bottom line: AI agents operate quite differently than human users. As well as being speedier, they work continuously and touch multiple systems and data sets in a single workflow. They present a unique risk because they can very quickly execute large numbers of privileged actions.<\/p>\n<p>With this in mind, security teams should treat AI agents as distinct identities with their own access controls, Chu advised. Every individual agent should be assigned a dedicated identity and credentials, with tightly-scoped permissions for specific systems and data sets. Short-lived tokens should take the place of long-lived keys, and elevated rights should only be granted just in time, and for specific tasks. Further, all actions taken by AI agents should be logged and attributable.<\/p>\n<p>Just as with humans, reduced standing access, better visibility, and strong governance must be \u201capplied explicitly and consistently\u201d to AI, Chu noted.<\/p>\n<h2 class=\"wp-block-heading\" id=\"jit-is-hard-to-implement\">JIT is hard to implement<\/h2>\n<p>JIT is a technique that grants select permissions only when required, for a specific purpose, and for a limited period of time. 
When users or systems request access, they receive a \u201ctime-bound and scope-limited\u201d set of privileges, allowing them to perform the required task, then automatically \u201creturn to a lower baseline,\u201d Chu explained.<\/p>\n<p>\u201cEvery step is logged so that organizations can see who or what has powerful access and why,\u201d he said.<\/p>\n<p>But JIT remains difficult to realize in practice, Chu noted, resulting in a heavy reliance on standing privileges, even as enterprises are fully aware of how risky that practice is.<\/p>\n<p>A number of factors are to blame, he said: IT teams can be hesitant to make changes to legacy systems for fear of disruption, and complex IT environments comprising on-premises infrastructure, multiple clouds, and SaaS applications can complicate implementation. Some teams also worry that JIT can slow down incident response or other routine practices.<\/p>\n<p>Adding to the challenges, existing cybersecurity tools haven\u2019t been designed for highly complex enterprise environments, Chu said. \u201cThat combination points to fragmentation: There is plenty of tooling, but not enough unified visibility and control.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"how-enterprises-can-protect-themselves\">How enterprises can protect themselves<\/h2>\n<p>Today\u2019s enterprises need security that is built around centralized identity, least privilege, and automation, Chu emphasized. 
This means strong single sign\u2011on (SSO) with multi\u2011factor authentication (MFA) and contextual policies; modern secret management for passwords, keys, and tokens for both humans and machines; privileged access capabilities that can issue short\u2011lived access on demand with full logging; and analytics that stitch together activity across human accounts, service accounts, and AI agents.<\/p>\n<p>From a cultural perspective, organizations should establish clearer ownership of identity and privilege management, shared goals, and top-down messaging around <a href=\"https:\/\/www.csoonline.com\/article\/4110699\/8-things-cisos-cant-afford-to-get-wrong-in-2026.html\" target=\"_blank\">cybersecurity practices<\/a>, he said.<\/p>\n<p>Also, critically, organizations must adopt tools that easily integrate into existing processes and workflows, thus reducing friction and reducing user workarounds. \u201cThe key to effective implementation is to make security as invisible as possible to the user as they do their daily work,\u201d Chu asserted.<\/p>\n<p><em>This article originally appeared on <a href=\"https:\/\/www.computerworld.com\/article\/4114749\/enterprises-still-arent-getting-iam-right.html\" target=\"_blank\">Computerworld<\/a>.<\/em><\/p>\n<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Despite all the warnings, and constant news of devastating cyberattacks, enterprise users are still cutting corners when it comes to identity and access management (IAM). Nearly two-thirds (63%) of cybersecurity leaders admit their employees continue to bypass security controls so they can work faster, according to new research by security company CyberArk. 
Furthermore, enterprises are struggling to establish access policies for emerging AI agents and&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15438\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15438","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15438","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15438"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15438\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15438"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15438"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15438"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}