Success in IAM: It’s Not a Product, It’s a Strategy

Executive Summary: This article challenges the traditional tech-centric approach to Identity and Access Management (IAM) by emphasizing the need for Sentient IAM—an approach that integrates strategy, governance, and expertise to drive real business impact. It argues that the industry’s focus on products and quick fixes leads to unnecessary risks, inefficiencies, and missed opportunities. Sentient IAM goes beyond technology, considering the broader context of philosophy, politics, economics, and human behavior, ensuring that technology decisions are aligned with strategic business goals. To excel, next-gen IT leaders must think like business strategists, investing in skills such as data science, AI, security architecture, and change management. By embracing this mindset, leaders can transform their careers and organizations, turning IAM from a technical task into a powerful driver of business success.

Welcome to this inaugural edition of Sentient Insights, the Identient blog where we cut through the noise to deliver bold, actionable perspectives on IAM strategy, governance, and expertise that drive real business impact.

 

First off, our industry’s obsession with shiny new tech products is fueling a crisis. Data breaches are skyrocketing, not because of a lack of technology but because we’ve lost sight of what truly matters: strategy, governance, innovation, and expertise. Without a sentient approach to IAM—one that prioritizes purposeful direction over quick fixes—we are setting ourselves up for failure, putting users, sensitive data, national security, and even democracy at risk.

 

The 2024 Verizon Data Breach Investigations Report (DBIR) paints a harsh picture: breaches are on the rise, and the worst part? Most of them are preventable. Human error and outdated security practices remain the main culprits, with nearly 70% of breaches involving a non-malicious human element such as a misconfiguration or a successful phishing lure.

 

The same report confirms that stolen credentials are a persistent problem: they remain the top way for attackers to gain initial access, and they feature in 77% of breaches in the Basic Web Application Attacks pattern. Credential theft is still the primary weakness being exploited, year after year.

 

We’ve got the tools to stop this, but as long as we’re stuck in a reactive mindset, we’re just asking for trouble. Time to wake up and get strategic—because this isn’t a tech problem; it’s a failure of planning and execution.

 

Product Focus Overshadows Governance

Our fixation on products has sidelined governance, the core pillar that ensures consistent and secure access controls across the enterprise. While products promise quick fixes, they lack the strategic oversight that governance provides, leading to inconsistent policies, shadow IT, and unchecked vulnerabilities that attackers exploit. It’s time to shift focus: governance isn’t just a support function; it’s the strategic backbone that turns IAM into a proactive, resilient defense rather than a patchwork of disjointed solutions.

 

CIAM products typically improve the user experience through features like single sign-on or passwordless authentication, but they often fail to address the harder requirements: protecting sensitive data after the user is authenticated and aligning with data-security controls for data in use. Those are the gaps attackers exploit.

 

In December 2022 (disclosed in January 2023), PayPal fell victim to a credential stuffing attack that compromised roughly 35,000 customer accounts. This breach, while significant, barely scratches the surface when you consider that PayPal's 429 million active accounts are constantly under threat of the same attack. The scary truth is that this wasn't some rare, sophisticated cyber event; it was a preventable attack using a well-known, repeatable playbook: take username and password pairs leaked from other sites and replay them at scale against the login endpoint.

 

Credential stuffing is a low-effort, high-reward tactic that cybercriminals use repeatedly because it works. Yet the typical advice, "turn on 2FA" and "use stronger passwords", or, worse still, "go check Have I Been Pwned", isn't cutting it. It's not enough to play defense with basic safeguards when the real issue lies in our failure to integrate strategic, sentient approaches that secure sensitive data at every level. The question isn't just how PayPal will protect these 35,000 breached accounts, but how it plans to defend all 429 million accounts against the next, inevitable attack.

 

It has also been noted that 2FA adoption remains low and that the attacker's success rate in this case was low. But when we are talking about millions of accounts, even a single-digit percentage success rate translates into a very large number of compromised accounts, which is exactly why attackers keep running the same playbook.
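One concrete way to turn the "low success rate, huge volume" observation into a control is to detect the stuffing pattern itself rather than wait for individual account lockouts. The following is an added example, not code from the original post or from PayPal: it runs a simple detector over constructed authentication log lines. The log format (`src=`, `user=`, `result=`), the two documentation-range IP addresses, and the thresholds (five distinct usernames, 70% failure rate) are assumptions for illustration; adapt them to your identity provider's logs. The signature it looks for is one source spraying many different usernames with mostly failures, which is what distinguishes credential stuffing from a single user mistyping a password, or from a brute-force attack against one account.

```python
"""Credential-stuffing detection over authentication logs.

Added example (not from the original post). Log format, field names and
thresholds are assumptions for illustration; adapt them to your IdP's logs.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (not real traffic). 203.0.113.0/24 and
# 198.51.100.0/24 are reserved documentation ranges. 203.0.113.7 tries many
# different usernames with mostly failures: the stuffing signature.
# 198.51.100.5 is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth src=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:01Z auth src=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:02Z auth src=203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:02Z auth src=203.0.113.7 user=dave result=SUCCESS
2024-05-01T10:00:03Z auth src=203.0.113.7 user=erin result=FAIL
2024-05-01T10:00:03Z auth src=203.0.113.7 user=frank result=FAIL
2024-05-01T10:00:04Z auth src=203.0.113.7 user=grace result=FAIL
2024-05-01T10:00:04Z auth src=203.0.113.7 user=heidi result=FAIL
2024-05-01T10:00:05Z auth src=203.0.113.7 user=ivan result=FAIL
2024-05-01T10:00:05Z auth src=203.0.113.7 user=judy result=SUCCESS
2024-05-01T10:01:00Z auth src=198.51.100.5 user=alice result=FAIL
2024-05-01T10:01:07Z auth src=198.51.100.5 user=alice result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>SUCCESS|FAIL)$"
)


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated from the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)        # distinct usernames tried
    successes: list = field(default_factory=list)  # usernames that logged in

    @property
    def failure_rate(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_log(text):
    """Yield (src, user, result) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["user"], m["result"]


def aggregate(text):
    """Group attempts by source IP."""
    stats = defaultdict(SourceStats)
    for src, user, result in parse_log(text):
        s = stats[src]
        s.attempts += 1
        s.users.add(user)
        if result == "FAIL":
            s.failures += 1
        else:
            s.successes.append(user)
    return dict(stats)


def detect_stuffing(text, min_distinct_users=5, min_failure_rate=0.7):
    """Flag sources that spray many distinct usernames with mostly failures.

    Thresholds are illustrative assumptions. A brute-force attack against a
    single account (one user, many failures) is deliberately NOT flagged here;
    that is a different pattern, handled by per-account lockout/rate limiting.
    Returns {src: sorted accounts that succeeded from that source}; those are
    the accounts to treat as compromised (force reset, revoke sessions).
    """
    flagged = {}
    for src, s in aggregate(text).items():
        if len(s.users) >= min_distinct_users and s.failure_rate >= min_failure_rate:
            flagged[src] = sorted(set(s.successes))
    return flagged


def expected_compromises(attempts: int, success_rate: float) -> int:
    """The arithmetic behind 'a single-digit success rate is still a large number'."""
    return int(attempts * success_rate)


if __name__ == "__main__":
    for src, users in detect_stuffing(SAMPLE_LOG).items():
        print(f"credential stuffing from {src}: compromised accounts {users}")
    # 1% success across a million replayed credential pairs
    print(expected_compromises(1_000_000, 0.01))
```

The important design choice is what the detector returns: not just the offending source, but the accounts that authenticated successfully from it. Those successes are the actual breach; blocking the IP after the fact does nothing for them, so the response has to be an identity action (session revocation, forced reset, step-up on next login) driven by the log, which is a governance and process decision rather than a product feature.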

 

Limitations of the NIST Framework for Budgeting

Under the NIST Cybersecurity Framework (CSF), cybersecurity budgets are often allocated disproportionately to technology-focused solutions across its core functions: identify, protect, detect, respond, and recover (CSF 2.0, released in 2024, adds a sixth, govern, which makes the point of this section explicit). While these functions are essential, relying too heavily on technology without addressing the underlying strategy, governance, and expertise creates gaps. Simply identifying and protecting against threats isn't enough; organizations must also have the right IAM strategies in place to detect breaches, respond quickly, and recover effectively. A tech-heavy approach without the balance of strong IAM governance and expertise leaves businesses vulnerable to evolving threats.

 

Figure 1: NIST CSF Framework

 

In 2019, Capital One suffered a major data breach that exposed the personal information of over 100 million customers. The breach occurred when a former Amazon Web Services employee exploited a misconfigured web application firewall (WAF) in Capital One's AWS environment: a server-side request forgery through the WAF host reached the EC2 instance metadata service, yielding temporary credentials for the IAM role attached to that host, and those credentials were then used to list and copy data from Capital One's S3 storage. The data included Social Security numbers, bank account numbers, and credit scores. Capital One had invested heavily in security technology and was considered ahead of the curve in its cloud migration. Yet this single misconfiguration, combined with a role that could read far more data than the WAF needed, let an outsider in, and the intrusion went unnoticed for months until an outside tip, making it one of the largest financial data breaches in U.S. history.

 

The Capital One breach highlights gaps that product alone cannot close. While a NIST-driven program concentrates on identifying, protecting, and detecting threats, in practice it often overlooks operational and architectural factors like configuration management, least-privilege design for machine identities, and third-party risk. In this case, the firewall was technically in place, but poor management oversight and a lack of operational judgment around its configuration and the permissions granted to its role exposed the company. Training and third-party risk management were also not adequately addressed, despite the increasing reliance on cloud infrastructure. This underscores the need for a broader, more holistic IAM approach, one that accounts not only for technological defenses but also for the human and operational factors that are equally vital to safeguarding sensitive data.

 

Beyond Technology: Addressing Human and Process Failures

Technology alone can’t solve the problems plaguing identity security. Human errors and broken processes are often the weak links that attackers exploit, and until these are addressed, even the most advanced tools will fall short. Our obsession with technology and products has distracted us from addressing the fundamental human and process failures that make organizations vulnerable.

 

Key Non-Technical Risks Undermining IAM Success:

  1. Data migration issues: High risk of data loss, errors, or inconsistencies during the transition to new systems, impacting data integrity and operational continuity.
  2. System integration challenges: Difficulty in integrating new solutions with existing legacy systems, leading to potential operational disruptions and increased costs.
  3. Compliance risks: Potential non-compliance with regulatory and security standards, which could result in legal consequences and loss of stakeholder trust.
  4. Funding and resource constraints: Insufficient budget and resource allocation that can undermine project success and lead to incomplete implementations.
  5. Service continuity disruptions: Risk of interruptions or downtime during the transition, affecting service delivery and customer satisfaction.
  6. Cybersecurity vulnerabilities: Exposure to data breaches, cyber-attacks, or other security threats that can compromise sensitive information.
  7. System reliability and uptime risks: Potential failures or downtime in the new system that could disrupt business operations.
  8. User adoption resistance: Challenges in getting users to adapt to new systems, leading to decreased productivity and resistance to change.
  9. Transition disruptions: Risk of operational disruption during the migration from old to new systems, affecting overall business performance.
  10. Complexity in meeting diverse needs: Difficulty in developing a solution that meets the varied requirements of all stakeholders, which could result in unmet expectations.

 

These risks are the hidden challenges that derail IAM initiatives and technology transformations. Most of them are not product defects at all; they are planning, integration, and people problems, yet they lead to operational failures, compliance issues, and security gaps every bit as real as a technical flaw.

 

A Brief Introduction to Sentient IAM

Sentient IAM goes beyond traditional frameworks, products, and isolated technology fixes by integrating strategy, governance, and expertise across all organizational layers. It spans the full spectrum from NIST standards and vendor solutions to operational practices, ensuring that every decision is informed by a broader context of business needs, leadership intent, and a unified vision for security and performance.

 

Figure 2: Sentient IAM Situational Awareness

 

Philosophy: Philosophy sets the guiding principles and values that shape an organization’s vision and culture. Without a clear philosophy, strategies lack direction, leading to misaligned goals and ineffective decision-making.

 

Politics: Politics reflects the power dynamics and decision-making processes influenced by the organization’s philosophy. When philosophy is clear, politics can align to support unified action, but misaligned politics can derail strategic intent.

 

Economics: Economics governs the allocation of resources, shaped by the political landscape and strategic priorities. Strong alignment in philosophy and politics ensures that investments are purposeful, driving the right outcomes rather than just funding isolated initiatives.

 

Technology: Technology is the operational layer that executes on the economic decisions informed by broader strategic and political contexts. Without understanding the layers above, technology solutions remain disconnected from business objectives, reducing their effectiveness and impact.

 

Tech-centric thinking is inherently limited, exposing businesses to unnecessary risks and inefficiencies. A product-centric or purely NIST-based approach often misses the bigger picture, treating technology as the solution rather than an enabler. Sentient IAM offers a strategic vantage point, aligning IAM initiatives with business objectives, reducing risks, and driving better outcomes for both the organization and its customers.

 

Shifting from a tech-first mindset to seeing technology as one piece of a larger strategic puzzle demands more than just tools; it requires new skills, business focus, and strategic insight. Partnering with experts who bring an external perspective can accelerate this shift, equipping teams with the influence, data-driven decision-making, and stakeholder engagement skills needed to elevate their performance.

 

From Technologist to Strategist: Evolving Leadership for Impact

To excel, next-gen IT leaders must think like business strategists, not just technologists. They need to be deliberate about defining their goals, understanding the resources required, and knowing when to seek expert help. Sentient IAM helps organizations become more intentional, aligning technology with a deeper understanding of human behavior, strategic objectives, and change management for real, impactful results.

 

To drive impactful change and lead with confidence, today’s leaders need more than just technical expertise—they need strategic vision. Investing in next-gen skills empowers leaders to navigate the complex intersection of technology and business, turning challenges into opportunities and aligning their teams with broader organizational goals. It’s about evolving from managing technology to influencing outcomes that matter.

 

Here are some next-gen skills that leaders can invest in to transform their careers and organizations:

 

  • Data science & business analytics
  • AI & ML
  • Encryption & cryptography
  • Security architecture and design
  • Compliance & regulatory knowledge
  • Business communication
  • Strategic business negotiation
  • Leadership & change management

 

Finally, success is the result of proactive development and intentional growth. Leaders must take charge of their trajectory, continuously learn, and strategically position themselves to make a difference. The journey to sentient IAM begins with a commitment to growth and development—start today.

Steve is the Principal Consultant at Identient, bringing over a decade of experience in cybersecurity and identity and access management (IAM). He has led strategic security transformations, helping organizations modernize IAM frameworks from strategy to implementation.

 

As a leader in IAM, Steve has designed and executed advanced identity solutions for government and Fortune 500 clients. He spearheaded Washington State’s CIAM modernization, creating strategic roadmaps and designing workshops that drove the selection of a preferred vendor.

 

Steve’s background includes consulting roles at VMware, US Bank, and the Big 4, where he managed global security teams and enterprise programs. His expertise in IAM, incident response, and business development, combined with thought leadership, makes him a trusted security strategist and advisor.