How AI is reshaping identity governance for CISOs and CIOs

2025 has been a defining year for identity security, marked by a rapid increase in the volume, variety, and velocity of identities that organizations must now govern. The changes have been building for a long time, as identity tools have evolved from early single sign-on solutions and compliance-driven governance to the cloud-first, AI-powered world we live in now, which must give employees the access they need at lightning speed while maintaining security. But organizations have reached a critical point due to the sheer complexity of balancing these priorities.
Machine identities already outnumber human ones by more than 80 to one, and with the rise of AI agents, the ratio is only getting larger. Every one of these access points, if left unchecked, poses a potential doorway for an attacker. Often, AI agents are accessing the most privileged and proprietary information, which means governance over them is of the highest priority.
In just one recent example, our team spoke with a large bank with 30,000 service accounts, but their team couldn’t trace human ownership or the access audit trail for most of them. This lack of accountability is a common problem.
And as inventory counts climb, machine identities create blind spots that no CISO or CIO can cover with a standard compliance audit or manual governance process.

Why traditional IGA is failing in the AI era
Legacy identity governance and administration (IGA) solutions came onto the scene in the mid-2000s to solve problems related to regulations like the Sarbanes-Oxley Act (SOX). The goals were straightforward: manage compliance and identity lifecycles, ensuring employees had appropriate access and that it was reviewed, approved, and eventually revoked.
The problem is, those legacy tools were built for a world of static, on-premises systems. They depended on custom development, complex integrations, and professional services that didn’t scale. They weren’t designed for today’s cloud-first businesses, which often have hundreds of SaaS apps, thousands of workloads, and millions of entitlements sprawled across applications owned by different business owners.
Here’s what that leaves us with:
- Excessive entitlements and orphaned accounts.
- Long-forgotten service accounts with powerful privileges.
- Employees who still can’t get the access they need in a timely manner.
- Skyrocketing governance costs that do not contribute to the organization’s overall identity security posture.
In short, what started as a compliance checkbox has turned into a significant strategic opportunity for identity and security.
Three forces reshaping identity governance
As identity governance evolves, there are three powerful trends reshaping how organizations protect access and manage risk:
1. The rise of machine identities
Service accounts, workloads, APIs, and now AI agents are everywhere. Dynamic, often short-lived, and easily forgotten, machine identities are perfect targets for attackers. Even auditors are catching on to the risks, demanding access reviews for these accounts; however, most organizations aren’t equipped with the visibility or tools to review access and deliver robust evidence.
2. Convergence of IGA, PAM, and identity security
Keeping identity tools in separate silos no longer works. CISOs need a single control plane that brings together privileged access management (PAM), IGA, and machine identity governance. By bringing these separate disciplines and tools together, security teams can gain the continuous visibility they need to make more consistent, risk-based access decisions across the entire organization.
3. AI-driven automation
Right now, IGA is 84% manual work and 16% automation. But due to today’s surge of machine identities, that ratio must flip within a few years. We’ll start to see AI agents recommending changes to entitlements before carrying them out themselves, within risk-defined limits. This change is critical to keeping up with the speed of business and the transforming nature of workforce identities.
Recognizing these forces can help security leaders better understand the evolving identity landscape.
Modern IGA: New priorities for CISOs and CIOs
As identity governance evolves in the AI era, security leaders must rethink their priorities to keep pace with new risks and opportunities. Here’s what should be at the top of every CISO and CIO’s agenda:
- Identities beyond humans: The most crucial change is to stop thinking of identity as being only about people. Your most significant risks are increasingly coming from AI and machine identities. To govern those risks, you must link your machine identities back to the humans who own, create, and manage them.
- Zero standing privileges (ZSP): Static entitlements are no longer effective. Automated, just-in-time access and the principle of least privilege must become defaults, especially for machine identities at enterprise scale.
- Identity Threat Detection and Response (ITDR): Just as endpoint detection and response (EDR) changed endpoint security, ITDR is emerging as the identity equivalent. Security operations centers (SOCs) must integrate identity intelligence into their detection and response workflows, helping to bridge the long-standing gap between identity and security teams.
- Outcome-driven metrics, not projects: Finally, time-to-value is the metric that matters. How fast can your organization onboard its key applications? And how fast can employees get access to them? How quickly can it complete access reviews? How much can you reduce the number of provisioning tickets? Without measurable goals, IGA programs tend to stall.
Focusing on these priorities positions CISOs and CIOs to better address the evolving challenges of identity governance.
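The ownership control behind the bank anecdote above and the "Identities beyond humans" priority, as an added example that is not CyberArk's code or product: a review pass over a constructed service-account inventory that flags accounts with no recorded human owner, accounts whose owner has left, and privileged accounts that have gone unused. The account records, the HR roster, the field names and the 90-day idle threshold are all assumptions made for illustration.

```python
"""Ownership and orphan check over a machine-identity inventory.

Added example, not CyberArk code. The account records, the HR roster
and the field names are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed inventory resembling a service-account export.
SERVICE_ACCOUNTS = [
    {"name": "svc-payments-batch", "owner": "alice", "privileged": True, "idle_days": 3},
    {"name": "svc-legacy-etl", "owner": "bob", "privileged": True, "idle_days": 410},
    {"name": "svc-report-gen", "owner": "", "privileged": False, "idle_days": 12},
    {"name": "agent-ledger-assistant", "owner": "carol", "privileged": True, "idle_days": 1},
    {"name": "svc-fax-bridge", "owner": "dave", "privileged": False, "idle_days": 900},
]

# Constructed HR roster of people still employed; "bob" has left.
ACTIVE_STAFF = {"alice", "carol", "dave"}


@dataclass
class Findings:
    unowned: list = field(default_factory=list)           # no human owner recorded
    orphaned: list = field(default_factory=list)          # owner is no longer active
    stale_privileged: list = field(default_factory=list)  # powerful and unused

    def needs_review(self):
        """Every account that fails at least one control, deduplicated and sorted."""
        return sorted(set(self.unowned + self.orphaned + self.stale_privileged))


def review_service_accounts(accounts, active_staff, stale_after_days=90):
    """Flag accounts whose ownership or continued use cannot be justified."""
    findings = Findings()
    for acct in accounts:
        owner = acct.get("owner", "").strip()
        if not owner:
            findings.unowned.append(acct["name"])
        elif owner not in active_staff:
            findings.orphaned.append(acct["name"])
        # A privileged account nobody has used in months is standing privilege with no purpose.
        if acct["privileged"] and acct["idle_days"] > stale_after_days:
            findings.stale_privileged.append(acct["name"])
    return findings


if __name__ == "__main__":
    for name in review_service_accounts(SERVICE_ACCOUNTS, ACTIVE_STAFF).needs_review():
        print("review:", name)
```

The same pass scales to a real export by replacing the two constructed lists with the IGA inventory and the HR feed; the point is that every flagged account maps to a person who must answer for it.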
What’s next for identity governance in the age of AI
Over the next three to five years, governing machine identities will become a top priority for CISOs, overtaking human identity governance. AI will accelerate this shift by creating more AI agent identities and by transforming entitlement management through intelligent automation.
Organizations that bring their identity and security controls together, automate governance, and focus on outcome-driven metrics will be in a much stronger position, better poised to meet increasing regulatory demands and security threats.
By contrast, organizations that wait will likely find themselves overwhelmed by complexity, blind to new threats, and outmaneuvered by attackers already exploiting these gaps.
Identity is the new foundation of enterprise security. As we wrap up 2025, the organizations that understand this and prepare for the future of governance are better positioned to define the future of digital resilience.
Tricia Peck is a senior product marketing manager at CyberArk.
🎧 Tune in for insights on identity security, privilege management, and governance in the age of AI. For a deeper dive, check out our recent Security Matters podcast episode, “A new identity crisis: governance in the AI age,” featuring CyberArk’s Deepak Taneja.