
Innovator Spotlight featuring Puneet Bhatnagar in Cyber Defense Magazine

AI Agents, Denominator Problems, and the New Authority Control Plane: The Urgent Need for Evolving Identity Governance

In today’s rapidly changing cybersecurity landscape, identity governance remains a critical concern, especially as automation and artificial intelligence (AI) become more prevalent. Puneet Bhatnagar, an authority in identity security and cyber risk management, is shedding light on why current identity governance practices must accelerate their evolution. With nearly two decades of experience, Bhatnagar expresses both fatigue and excitement regarding the industry’s slow response to the complexities introduced by modern technology, particularly AI.

Bhatnagar observes that many enterprises still regard identity management as a mere compliance obligation. He voices weariness at how often businesses neglect essential identity governance practices, paired with growing enthusiasm for the necessary changes AI can precipitate. He emphasizes a crucial point: many breaches trace back to inadequately managed identity governance, a reality often overlooked by boards more focused on high-profile threat intelligence.

Bhatnagar likens the current cybersecurity landscape to a cluttered garage filled with mismatched components, where organizations continue to invest in cutting-edge solutions while their identity governance remains fragmented and underdeveloped. He warns that this complacency, coupled with the rise of autonomous AI agents, could lead to catastrophic breaches, describing it as a "perfect storm" for Chief Information Security Officers (CISOs) if they fail to adapt their identity management strategies.

Two Perspectives: AI for Security vs. Security for AI

In addressing the conversations surrounding AI, Bhatnagar differentiates between two crucial perspectives: security for AI and AI for security. The former addresses the urgent need to protect AI systems themselves, a topic that has dominated recent discussions. However, Bhatnagar insists that the latter perspective—leveraging AI to improve cybersecurity—has been grossly neglected. He poses a striking analogy, suggesting that organizations cannot effectively engage in modern cybersecurity challenges unarmed; they must harness the potential of AI to construct sophisticated identity governance architectures that can address the explosion of identities and access points across organizational systems.

Identity as the New Security Perimeter: An Ideal Yet Unmet

For over a decade, the security industry has emphasized that identity represents the new security perimeter. Bhatnagar recalls 2012 as the year this paradigm shift gained traction, yet he claims that many practitioners still do not feel adequately shielded by effective identity governance. Despite buzzwords like "zero trust" and "continuous access evaluation," he argues that many enterprises can only offer partial coverage of their identity attack surface.

He points out that identity governance has often been relegated to an auditor’s responsibility, creating a significant disconnect between compliance and security. Instead of broadening their scope to include all systems and applications, organizations have been content with a narrow focus, effectively operating under a "denominator problem." This issue exposes a glaring gap between what governance practices were designed to manage and the realities of exploitative attacks that focus on weaknesses in identity management.

Addressing the Denominator Problem

Bhatnagar coins the term "denominator problem," encapsulating the core challenge of identity governance. Organizations have historically focused on a small fraction of their environments for compliance, leading to incomplete threat coverage and a false sense of security driven by passing audits. This limited oversight means that attackers can navigate around inadequate governance structures without detection.

He explains that while technologies such as SAML and OAuth have made strides, they only touch on identity verification rather than the more complex landscape of access governance. The reality is that each application has its own access model, creating a tangled web of permissions that current identity governance frameworks struggle to navigate.

Evolving from Access to Decisions

Bhatnagar advocates for a seismic shift in governance focus—from managing access to governing decisions. Traditionally, organizations have monitored what users are permitted to do, neglecting the critical need to assess what decisions are actually made within systems. This oversight is even more pronounced now that AI agents are intermingling with human processes, making instant decisions across various platforms and workflows.

The role of AI in decision-making adds a layer of complexity that cybersecurity professionals must grapple with. Bhatnagar emphasizes that it is imperative for organizations to comprehend where authority lies, especially as AI technology begins to proliferate.

The Authority Control Plane: Governing with Purpose

The concept of an “authority control plane” is central to Bhatnagar’s vision for the future of identity governance. Instead of simply managing access rights, organizations need to ensure that every action taken by both human and non-human actors is underpinned by appropriate authority. He emphasizes that decision-making processes must be transparent, encompassing who or what is authorized to act under specific circumstances.

Bhatnagar envisions a future where AI governance becomes a horizontal accountability initiative, cutting across various departments rather than being confined to the CISO’s responsibilities. This horizontal structure is necessary for effective governance, pulling together various C-level leaders to address emerging AI challenges collectively.

The Urgency of Change: Concrete Steps for CISOs

Bhatnagar’s insights culminate in a call to action for CISOs and senior security leaders. Rather than investing in every new technology that enters the market, practitioners must first address the foundational elements of their identity governance structures. His recommendations include:

  1. Fixing the Denominator: Organizations must clarify their actual identity attack surface, utilizing AI where appropriate to achieve comprehensive observability across all identities—human, machine, and AI agents.

  2. Shifting to Decision-Centric Governance: Governance processes should evolve to prioritize the decision-making context, allowing organizations to scrutinize every action taken across platforms.

As the technological landscape continues to shift, organizations must not remain stagnant. While it may be tempting to simply layer new solutions atop existing frameworks, Bhatnagar urges that such approaches can mask fundamental deficiencies.

In a world where AI agents already act within organizations—sometimes beyond administrative oversight—it becomes critical for leaders to proactively manage not only who can access systems but how decisions are made in real-time. The future of identity governance may no longer conform to yesterday’s models, compelling organizations to rethink their entire architecture. The conversation must now shift from reactive controls to an integrated, governance-centric approach that can withstand the complexities presented by autonomous agents in enterprise settings.
