Identity security at inception: A CISO’s guide to proactive protection
Modern enterprises are facing an identity explosion. Fueled by cloud adoption, DevOps acceleration, and now agentic AI, the number of human and machine identities is growing faster than most organizations can manage.
According to the CyberArk 2025 Identity Security Landscape, 9 out of 10 organizations report a successful identity-centric breach, with relentless and sophisticated bad actors continuing to target identities. Machine identities now outnumber human identities by an astonishing 82:1. And with AI expected to be the No. 1 creator of new identities with privileged and sensitive access, the risk surface is expanding exponentially.
Yet despite this, identity security remains overwhelmingly reactive. Teams often apply privileged access controls only after deploying cloud accounts, workloads, and resources. The result? Mounting security debt that must be remediated by security teams that don’t even own the resources they’re tasked with protecting. This disconnect between ownership (CIO and CTO) and accountability (CISO) not only creates inefficiency—it also widens the gap of identity-related risk.
Why identity security must start at inception
It’s time for CISOs to draw a line in the sand. The current state of identity sprawl demands a shift to a proactive model: protecting enterprise resources and privileged access at the moment of creation. This paradigm, known as “security at inception,” requires embedding automated identity controls into DevOps and infrastructure-as-code pipelines like Terraform, Ansible, and CI/CD workflows.
Security at inception means:
- Vaulting privileged accounts at provisioning: Embedded local admin and other long-lived privileged accounts and secrets are vaulted automatically when resources are created.
- Enforcing zero standing privileges (ZSP): Human users receive just-in-time (JIT), ephemeral access only when needed, by default when new resources are spun up, reducing persistent risk.
- Validating secure coding practices: Workload identities are verified through a secure software development lifecycle (SSDLC), ensuring identity hygiene is built into code from the start.
- Automating the certificate lifecycle: Certificates should be requested automatically through a certificate lifecycle management service that governs their creation, management, and renewal across all public and private certificate authorities (CAs).
This approach eliminates the lag between creation and protection, reduces the attack surface, and scales with the velocity of digital transformation. It changes the role of security from reactive gatekeeper to proactive enabler.
Why now is the moment for proactive identity security
Four converging forces make this transformation urgent:
- AI acceleration: Agentic AI systems—autonomous or semi-autonomous software agents—can perform a wide array of privileged actions, acting like humans but scaling like machines. These systems multiply complexity and reduce human oversight. Once deployed, they’ll be challenging to secure retroactively.
- Cloud velocity: Infrastructure and services are being spun up faster than ever. Modern enterprises deploy cloud workloads by the thousands, often dynamically and ephemerally. Manual security processes can’t keep up with this speed and scale.
- Audit and compliance pressure: Regulatory frameworks increasingly demand evidence of control, particularly for privileged access. Without automation, satisfying these requirements is costly, slow, and inconsistent.
- Talent scarcity in cybersecurity: Security teams are stretched thin. With mounting responsibilities and limited headcount, organizations must find ways to do more with less. Embedding security into automated workflows significantly reduces the operational load on teams and frees up capacity to focus on strategic initiatives.
Enterprises are left exposed when identity and privilege management lag behind resource creation. The only sustainable solution is to embed security at the point of inception, which automates security and governance at scale.
Bridging the gap between ownership and accountability
The challenge of securing identities at the pace of modern infrastructure isn’t just technical—it’s organizational. In most enterprises, the CIO or CTO owns the creation and management of enterprise systems, cloud accounts, and machine identities. Meanwhile, the CISO is held responsible for protecting those same assets and access.
This disconnect creates significant friction. Security teams must chase down risks introduced by infrastructure they didn’t provision and identities they didn’t approve. They’re stuck applying controls after the fact—reactively responding to audits, alerts, or breaches.
The burden of remediation falls on the CISO’s organization, while the source of the risk often originates upstream in IT or engineering.
This siloed approach is unsustainable. According to the 2025 Identity Security Landscape, 70% of security professionals believe identity silos are a core driver of cybersecurity risk. And as organizations adopt more clouds, microservices, and AI agents, those silos become more dangerous.
The path forward requires strategic alignment between CIO, CTO, and CISO leadership: not just shared responsibility, but shared workflows—a collaborative effort to embed security into the operational fabric.
Automating identity security: the key to secure-by-design
Security at inception can only be achieved through automation and orchestration. Manually onboarding identities and privileged access policies doesn’t scale. Instead, enterprises should embed identity controls into:
- Infrastructure-as-code templates: Make sure every Terraform or CloudFormation template that provisions a cloud provider account or workload includes identity security platform onboarding steps to protect local accounts and establish the root of trust for your identity security control plane.
- Secure SDLC: Integrate static code analysis tools into your secure software development lifecycle to enforce machine identity security best practices such as just-in-time (JIT) secret retrieval. This ensures that as code flows through your Git repositories, CI/CD tools, and software development pipelines, no workload identity secrets are exposed.
- IT service management (ITSM) and ChatOps: Use governed and approved workflows for ZSP, JIT and provisioning access requests that automatically protect the privileged entity at the moment of creation.
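One way to make the infrastructure-as-code control above enforceable is a CI gate that inspects the Terraform plan before apply and blocks any newly created privileged resource that the onboarding automation has not marked as vaulted. The example below is added here and is not CyberArk's or the article's own code; the plan excerpt is constructed, the set of privileged resource types and the `identity_onboarding` marker tag are assumptions for a hypothetical onboarding module, and the JSON layout follows Terraform's real `terraform show -json` plan format.

```python
import json
from typing import List

# Constructed excerpt of `terraform show -json tfplan` output. The structure
# (resource_changes / change.actions / change.after) is Terraform's real plan
# JSON; the addresses and tag values are made up for this example.
PLAN_JSON = """
{
  "resource_changes": [
    {"address": "aws_instance.web", "type": "aws_instance",
     "change": {"actions": ["create"],
                "after": {"tags": {"CostCenter": "1234", "identity_onboarding": "vault"}}}},
    {"address": "aws_iam_user.deploy_bot", "type": "aws_iam_user",
     "change": {"actions": ["create"], "after": {"tags": {"CostCenter": "1234"}}}},
    {"address": "aws_iam_role.ci", "type": "aws_iam_role",
     "change": {"actions": ["update"], "after": {"tags": {"CostCenter": "1234"}}}}
  ]
}
"""

# Hypothetical policy: resource types that mint a privileged identity or a
# long-lived local account, and therefore must be vaulted at provisioning.
PRIVILEGED_TYPES = {"aws_instance", "aws_iam_user", "aws_iam_role", "aws_db_instance"}
# Hypothetical marker tag that the onboarding module stamps on everything it vaults.
ONBOARD_TAG = "identity_onboarding"


def find_unprotected(plan_text: str) -> List[str]:
    """Return addresses of resources created in this plan without the onboarding marker."""
    plan = json.loads(plan_text)
    missing = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if "create" not in change.get("actions", []):
            continue  # updates, deletes and no-ops are out of scope for this gate
        if rc.get("type") not in PRIVILEGED_TYPES:
            continue
        tags = (change.get("after") or {}).get("tags") or {}
        if not tags.get(ONBOARD_TAG):
            missing.append(rc["address"])
    return missing


def gate(plan_text: str) -> int:
    """CI exit code: 1 blocks the pipeline when any privileged creation is unprotected."""
    missing = find_unprotected(plan_text)
    for addr in missing:
        print(f"BLOCK: {addr} creates a privileged identity without the '{ONBOARD_TAG}' tag")
    return 1 if missing else 0


if __name__ == "__main__":
    raise SystemExit(gate(PLAN_JSON))
```

Run it as a pipeline step between `terraform plan` and `terraform apply`; the same check pattern is how logging and cost-tagging requirements are typically enforced, which is the parity the article argues for.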
When done right, these controls are invisible to end users. Developers and engineers get what they need—fast, secure access—without jumping through extra hoops. And security teams get full visibility, control, and auditability.
In addition to automation, organizations should invest in reference architectures and governance playbooks that standardize security-at-inception principles across business units. Building this into your IT operating model can help to ensure that identity security isn’t a one-off project, but a persistent and evolving capability.
How agentic AI is accelerating identity risk
The rise of agentic AI compounds this issue. These autonomous software agents—built on large language models (LLMs) and operating with increasing independence—are beginning to provision resources, make decisions, and interact with systems at scale.
Each AI agent independently interacts with enterprise resources and data and, given its level of privilege, has the potential to create other secrets or resources. These agents are coming online outside the purview of security, as is their authorization and authentication to these resources. If security controls aren’t embedded into the agents’ operating workflows from the outset, the enterprise could soon be flooded with unmanaged identities and unchecked access.
Trying to secure them after deployment is like chasing shadows—or as the metaphor goes, trying to put toothpaste back in the tube.
Without proactive governance, agentic AI will outpace our ability to secure it. Only security at inception can help ensure these systems operate within defined guardrails at scale from day one. Get ahead of the curve while your business is in its exploratory phase of agentic AI by observing your agents at runtime and securing the secrets they authenticate with.
What CISOs and CIOs gain from security at inception
For CISOs, the strategic benefits include:
- Reduced breach risk by operationalizing Zero Trust and eliminating standing privileges
- Stronger cloud and SaaS security posture, aligned with modern threat models
- Audit and compliance readiness, through consistent policy enforcement and automated evidence collection
- Operational efficiency, by reducing manual onboarding and remediation tasks
- Improved resilience, protecting mission-critical services from disruption
For CIOs and CTOs, the model offers:
- Faster time to access for developers and engineers
- Lower friction with security through seamless workflow integration
- Greater trust in the CISO, knowing risks are mitigated without slowing innovation
Security at inception represents a shared opportunity for CISOs, CIOs, and CTOs alike. It supports the business imperative to move fast and stay secure, so everyone wins.
CISOs: Lead the shift to embedded identity security
To lead this transformation, CISOs should:
- Engage CIO and CTO peers in structured discussions about embedding identity security into infrastructure provisioning. Emphasize partnership, not ownership transfer.
- Reset expectations with security teams. Encourage a mindset shift from retroactive defense to proactive design. Task them with building reusable onboarding automation, tracking time-to-protection metrics, and prioritizing new resources over legacy fixes.
- Own and champion a security-at-inception initiative across the enterprise. Start by mapping current provisioning flows and identifying where automated identity controls can be inserted. Define clear success metrics, such as:
  - Percentage of new assets onboarded at the time of creation
  - Reduction in standing privilege access across environments
  - Mean time to onboarding of enterprise resources
- Codify identity security into DevSecOps practices. Make identity security a standard requirement for deploying infrastructure, similar to logging, monitoring, and cost tagging.
- Communicate results to executive leadership and the board. Highlight the reduced time to protection and access, improved audit outcomes, and decreased workload hours spent on remediation. By translating technical progress into business value, CISOs can secure ongoing support for identity-centric initiatives.
Lead the shift: Build identity security into inception
The future is arriving fast. Cloud workloads, machine identities, and AI agents are being created faster than security can respond—unless that security is built in from the beginning.
By embracing security at inception, CISOs can finally break the cycle of inherited security debt, lead with clarity, and elevate their teams from firefighting to forward-thinking leadership. And in doing so, they can secure their enterprise and enable it to innovate without fear.
Embedding identity security at inception is the new mandate for modern cybersecurity leadership. It’s time to move from “secure it later” to “secure by design”—and the moment to start is now.
James Creamer is the director of CISO Advisory at CyberArk. He is a founding creator of the CyberArk Blueprint framework and a lead author of the book, “The Identity Security Imperative: A Leader’s Guide to Securing Every Identity.”