
14 April, 2026

Identity Management Day: identities are more at risk than ever

The second Tuesday in April, Identity Management Day, was established by the Identity Security Alliance and the US National Cybersecurity Alliance to raise awareness about the importance of identity management.

Concept art generated by Google Gemini to convey the challenges of identity management in 2026. A woman faces authentication errors.


"As organisations across Asia Pacific accelerate digital transformation and pivot towards AI-native operations, identity has now become one of the most important foundations of a modern enterprise, yet also one of the most vulnerable. In today’s hyperconnected world where users, applications, APIs, and data are deeply intertwined, every digital interaction is a potential risk," observed Reuben Koh, Director of Security Technology & Strategy, APJ at Akamai. 

"Recent data from Akamai reveals a staggering 300% surge in AI-powered bot activity over the past year, sending a clear signal that threat actors are already weaponising AI for attacks and abuse. At the same time, AI-enabled tools have effectively lowered the barrier for attackers to carry out sophisticated cybercrimes like impersonation, social engineering, and identity fraud at scale. While enterprise AI agents have also increased the sprawl of non-human identities across the organisation."

Takanori Nishiyama, Japan Country Manager, Keeper Security, noted that identity has become the primary cyberattack surface in modern enterprises. "As organisations expand across cloud environments, SaaS platforms and distributed workforces, the traditional network perimeter has effectively dissolved. What remains constant is identity, and increasingly, it is the weakest link. Stolen credentials, over-privileged accounts and poor access governance continue to underpin the majority of successful breaches," Nishiyama said.

"Identity Management Day should be treated not as a symbolic milestone, but a strategic checkpoint. Organisations must move beyond basic identity and access management (IAM) toward a more rigorous, identity-centric security model, one that enforces least privilege access, continuous verification and robust credential protection. This is where privileged access management (PAM) becomes critical, ensuring that elevated permissions are tightly controlled, monitored and audited."

"Identity security has moved beyond an IT issue to become a business risk issue. For C-suite leaders, the question is no longer whether identity is part of the threat landscape, but whether their organisation has the visibility and control required to defend it. Without that, Zero Trust remains theoretical rather than operational," Nishiyama concluded.

John Cannava, CIO, Ping Identity, commented that Identity Management Day takes on new urgency in 2026 as "both individuals and organisations are managing human identities while also governing AI as it takes on increasingly agentic roles". "The impact AI will have on identity will likely be far greater than we anticipate, which means our approach to security has to evolve in lockstep," he noted. 

"In this new reality, the login is no longer the primary security boundary - access must be continuously evaluated and enforced. In agentic systems, risk doesn’t end at sign-in; it evolves dynamically at runtime as users and systems interact. Identity can no longer be verified once and trusted indefinitely. It must be continuously evaluated at every high-impact action." 

Like Nishiyama, Cannava also touched on Zero Trust. "That’s why approaches like Zero Trust and decentralised identity are becoming critical to reducing risk while still enabling the business to move quickly. As AI-driven attacks increasingly target centralised data and try to imitate legitimate users, organisations need to move away from single points of failure and verify every access request in real time, no matter who or what is behind it. This requires rethinking identity across both workforce and customer environments," he said. 

"As the way we work continues to change, the focus has to be on securing the workforce, maintaining customer trust, and delivering digital experiences that are both seamless and secure. The future of identity will depend on how well we adapt to this more dynamic, continuous model of trust."

Ananth Nag, VP and GM, Asia Pacific, Rubrik, noted that agentic AI is accelerating identity sprawl faster than most organisations can secure it, leading to the challenge of moving "from experimentation into production before governance and recovery controls are fully in place". 

"Non-human identities now outnumber human users 82 to 1, and according to Rubrik Zero Labs, 91% of APAC IT and security leaders say identity-driven attacks are their top concern. As attackers increasingly exploit valid credentials and identity systems to move laterally and persist undetected, identity compromise is no longer a contained incident. It is an operational risk that can spread quickly across the organisation," he cautioned.

"That is why the conversation must move beyond detection. Most security tools can alert teams to suspicious activity, but they still leave organisations to manually investigate malicious changes and rebuild trust across compromised identity environments. In today’s threat landscape, resilience is defined by how quickly an organisation can recover, by reversing malicious identity changes with precision, restoring trusted identity systems and returning to operations in hours rather than days."

Alex Lei, Senior VP, APJ at Saviynt, added more colour to why the conversation must move beyond detection. "Most organisations assume that if someone can log in, their access is legitimate. This is a dangerous assumption. An employee might need system access to do their job, but that should not give them the green light to trigger a million-dollar transaction," he pointed out.  

"Over time, access accumulates; it’s rarely pruned, leaving a trail of hidden risks. Now, AI is accelerating the bloat as most teams have lost count of the service accounts, API keys, and autonomous AI agents running in their environment, let alone what those identities are actually allowed to touch." 

"The real challenge has shifted. Rather than being about authentication, it’s now about what happens after the 'front door' is opened. To stay secure, organisations must move toward continuous validation, constantly questioning who, or what, still needs that level of power," Lei added.

Sean Deuby, Semperis Principal Technologist, noted that even after 26 years of general availability, identity governance is far from a given in Active Directory environments, especially smaller ones. He outlined what has changed over the years, and what has not: 

"The meteoric rise of AI in general and its impact on non-human identities (NHIs) has focused attention on identity security as never before. But in the long view, it simply highlights the same issues we have seen in identity management since it was called 'identity management'. And discovery has always been a part of it," Deuby said.

"Enabling the business has always been the priority for IT. Managing the identity pieces you have created for the business has not, because it does not directly benefit the business." 

Deuby described typical scenarios: "Do you need this group created, populated, and added to an application? Sure. Do you need this service account immediately? Right away. Let’s give it some extra privileges because we know we will not have to troubleshoot permission problems in the future. But ask yourself: how often have you seen 'Please remove this account because we’re not using it anymore'? Rarely. Unless you’re a regulated business, identity governance and administration (IGA) is usually an afterthought. This has been the reality of IT as long as there’s been IT."

"Since identity systems such as Active Directory have very long lifespans, these daily decisions accumulate over years or decades of production. Organisations find they have thousands or tens of thousands of under-regulated NHIs (we call them service accounts on premises)," Deuby warned. 

"This is one of many reasons identity systems are a favorite target of threat actors; they know very well these NHIs are overprivileged, under protected, and neglected."  

AI has made things worse, Deuby said, likening it to a raging fire. "Take these same factors, surround them with the tinder of cloud services’ ease of use, pour the gasoline (petrol) of AI onto it - and give developers the match. That’s the dumpster fire we’re looking at today, with NHIs outpacing human identities at what seems like a geometric progression," he said. 

"We must put controls in place as soon as possible. And we must discover what’s already out there, using any tools we have, so we know the scope. You don’t know the size of your dumpster fire until you’ve looked."

"Identity Management Day is a timely reminder that securing identities across the digital ecosystem is fundamental to maintaining trust, resilience, and business continuity. Identity can no longer be treated as a line item in an IT budget or a checkbox in a compliance audit. Organisations that successfully integrate identity risk governance, supported by continuous verification and stronger access controls across every touchpoint, will be able to innovate faster and with confidence," Koh concluded. 

"In a landscape currently defined by volatility, securing the 'who' and 'what' are accessing your data isn't just a security measure, but one of the foundations to operational resilience." 

Hashtags: #IdentityManagement, #IdentityManagementDay2026

*APAC refers to the Asia-Pacific region. SaaS stands for software-as-a-service. 
