It shouldn’t take an enterprise 11 hours to resolve a single identity-related security incident.
Does that sound controversial? It shouldn’t, considering identity-based breaches are among the most common cyber-attacks. But that’s what the research from Enterprise Strategy Group (now part of Omdia) tells us. It’s no fringe case either: it takes 11 hours on average just to figure out who did what, where and how across a company’s infrastructure.
If you’re a hacker (I’m hoping you’re not), you can do a lot in 11 hours: rip through a network, escalate your privileges, steal some data, and vanish without a trace. That’s 11 hours during which some unfortunate security or engineering team is hunting down a single compromised credential.
It’s 11 hours of sitting ducks.
Something’s gone awfully wrong in identity management to get cybersecurity to this point. The only way to fix it is to redefine what identity means in the computing world.
Infrastructure Became a Liability
It wasn’t lazy engineers or underfunded security teams that got us here. No amount of skill or money could overcome the albatross around the tech industry’s neck: fragmentation.
Maybe we should have seen it coming: the inevitability of modern infrastructure looking like a map of walled-off nations. Whether it’s the cloud, the data center, identity providers, SaaS tools, developer platforms, Kubernetes clusters, databases or AI agents, each runs its own internal rules, logs and credentials. It’s like tracking people’s movements across countries with incompatible passport and visa systems. Meanwhile, somewhere out there, forged documents roam freely. Could you blame a customs officer for missing a beat?
It’s a world of digital borders, which have turned every security investigation into the most tedious of forensic puzzles – the type that expects you to manually stitch together fragments of evidence from across a dozen platforms. No wonder it takes 11 hours.
Identity Became a Liability
The tech industry introduced identity into computing to make systems safer. Instead, it became every attacker's favorite tool. Thank credentials, the theft of which now drives over one in five data breaches.
Just this year, compromised credentials have already surged 160% compared to 2024. That wouldn’t matter so much if stealing credentials weren’t trivial today. Meanwhile, it’s incredibly hard to spot an attacker who’s using a perfectly legitimate token or key to blend into infrastructure.
“But we have tools to manage these incidents!” we hear. Indeed, enterprises do have lots of tools to manage incidents, 11 different identity and access tools on average, according to Enterprise Strategy Group. That’s a lot of tools and not one shows the full picture.
Consequently, engineers spend far too long answering the basic questions that should fetch instant answers: Who accessed that database? Which permissions did they use? Was that behavior normal? How did the user move from Okta to AWS, to Kubernetes, and then to the database?
Fragmented tools, fragmented identities. Humans, machines, workloads and AI agents all live on their own islands, and when every activity log lives inside the borders of another tool, it becomes extremely difficult to run infrastructure at scale. Now add false positives, alert fatigue and AI-generated attacks to the mix. Yikes.
No wonder 52% of enterprises ranked data privacy as the biggest AI risk, according to Enterprise Strategy Group. Who could confidently trace AI-generated activity back to a verified source in such a noisy mess?
An Account is Not an Identity
At some point, the tech industry got identity wrong, and it began with a simple misunderstanding: we confused identity with credentials.
Logging into Sabrina Carpenter’s email wouldn’t suddenly make you Sabrina Carpenter. You’ve stolen her access, not her identity. But when we brought the analogy of identity into the computing world, we built a whole identity management market around logins that can be stored, transferred, or ‘owned.’ It’s the computing equivalent of equating your identity with your car key, or your gym fob.
That one conceptual error has led to sprawling infrastructure systems built on false assumptions. It’s time we redefine identity in the electronic world. At the most fundamental level, there can be no anonymity in computing. Each server, laptop, cloud account and AI agent must have its own unique identity issued from the same source of trust – cryptographically signed and bound to hardware. Think of it like a digital birth certificate that’s impossible to fake.
The best part? You don’t have to look far for this model, because it already exists in zero-trust architectures and hardware-backed keys (Trusted Platform Modules for computers, Hardware Security Modules for servers, etc.). When you digitally derive identity from private key material protected by hardware, it becomes impossible to steal, sell, clone, or lose.
That principle, however, must be extended to every human, machine, workload and AI across infrastructure. Architecturally speaking, whatever layer you build in your infrastructure that supports cryptographically- and hardware-backed identities needs to treat every user the same – like an employee.
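As an added illustration of the model described above (not code from the original article), here is a Go sketch in which a simulated device keeps the private key, a single authority signs the name-to-key binding, and a relying party accepts only a fresh proof of possession; the device type, authority, name and nonce are all constructed for the example rather than taken from any real TPM or HSM API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device simulates a TPM/HSM (not a real TPM API): the key is born inside it and never leaves.
type Device struct{ priv ed25519.PrivateKey }
func NewDevice() (*Device, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Device{priv: priv}, pub
}

func (d *Device) Sign(msg []byte) []byte { return ed25519.Sign(d.priv, msg) }
// Identity is issued by one source of trust: the authority's signature binds a name
// (server, workload, agent or person) to the device-held public key.
type Identity struct{ Name string; Pub ed25519.PublicKey; Sig []byte }

func bindingBytes(name string, pub ed25519.PublicKey) []byte {
	return append([]byte(name+"\x00"), pub...)
}

func Issue(authority ed25519.PrivateKey, name string, pub ed25519.PublicKey) Identity {
	return Identity{Name: name, Pub: pub, Sig: ed25519.Sign(authority, bindingBytes(name, pub))}
}

// Authenticate checks the issuer's binding, then demands a fresh signature over a server
// nonce: a copied Identity document is worthless without the device that holds the key.
func Authenticate(authorityPub ed25519.PublicKey, id Identity, nonce, proof []byte) error {
	if !ed25519.Verify(authorityPub, bindingBytes(id.Name, id.Pub), id.Sig) {
		return errors.New("identity was not issued by the trusted authority")
	}
	if !ed25519.Verify(id.Pub, nonce, proof) {
		return errors.New("holder cannot prove possession of the bound key")
	}
	return nil
}

func main() {
	authPub, authPriv, _ := ed25519.GenerateKey(rand.Reader) // the single source of trust
	dev, pub := NewDevice()
	id := Issue(authPriv, "db-proxy-01", pub) // constructed name
	nonce := []byte("constructed-nonce")      // real servers use fresh random nonces
	thief, _ := NewDevice()                   // copied the document, not the key
	fmt.Println(Authenticate(authPub, id, nonce, dev.Sign(nonce)))   // <nil>
	fmt.Println(Authenticate(authPub, id, nonce, thief.Sign(nonce))) // error
}
```

The same check rejects a document signed by an untrusted issuer and a proof replayed against a different nonce, which is why a stolen token cannot stand in for the device that holds the key.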
If you apply zero trust frameworks to different categories of users like AI in a vacuum, you’re back to the same fragmentation as before. You wouldn’t design access controls for every floor and room separately in a huge building: no one would know who has access to which room. It’s why ‘identity is the new perimeter’ is an ill-conceived saying, because it implies the same flawed model of closed-off borders.
The future of tech should be borderless. It might not be the easiest task getting everyone’s buy-in right away, but if we can give identity in computing a new definition – the right definition – it could be the best thing that’s happened to cybersecurity, and to tech, in a long time.
