DOMAIN 5 OF 8

Identity & Access Management — Identity Is the New Control Plane

Modern IAM is less about login and more about who can do what, where, when, and with what evidence. Strategic lessons on building identity that scales.

Ishmael Chibvuri, Cybersecurity Strategist
Strategic perspective by Ishmael Chibvuri, CISM · updated 2h ago

Almost every breach I have investigated in the last two years had identity at the center of it — either as the initial access vector, the privilege-escalation path, or the persistence mechanism. Identity isn't a control plane anymore; it's the control plane.

What's shifting right now

  • Passwordless and phishing-resistant MFA are no longer aspirational. Passkeys, FIDO2, and hardware-backed credentials are deployable at scale, and they resist phishing for a structural reason: the authenticator signs a challenge bound to the relying party's origin, so a credential registered for the real site never produces a valid assertion for a look-alike domain. The barrier is process and policy, not technology.
  • Machine identity has overtaken human identity in volume. Service accounts, workload identities, API keys, and OIDC-federated tokens between SaaS apps now outnumber humans by an order of magnitude in most environments. Almost none of them rotate or expire the way human credentials do, which is why the first question in any machine-identity inventory is which of them has a named owner and an expiry.
  • ITDR (Identity Threat Detection & Response) is becoming its own discipline. Detecting an account takeover, a stale OAuth grant, or a privilege creep pattern is a different problem from detecting malware. Tooling and tradecraft are still maturing.
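As an added example, not part of the original page or any vendor's tooling: two of the ITDR detections named above, run over constructed identity telemetry in Python. The record shapes, scope names, device identifiers and thresholds are assumptions for illustration, not any IdP's export format.

```python
"""ITDR-style checks over constructed identity telemetry (added example).

Two of the detections the text names: a stale, high-privilege OAuth grant,
and an account-takeover pattern (MFA push fatigue followed by a sign-in from a
country and device the user has never used). Record shapes and scope names are
assumptions for illustration, not any IdP's export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the example is deterministic

# Scopes treated as high-risk because they grant write or tenant-wide access.
HIGH_RISK_SCOPES = {"mail.readwrite", "files.readwrite.all",
                    "directory.readwrite.all", "offline_access"}

# Constructed OAuth consent records.
OAUTH_GRANTS = [
    {"app": "calendar-sync", "user": "alice", "scopes": ["calendars.read"],
     "granted": "2023-01-10", "last_used": "2024-05-30"},
    {"app": "pdf-export-legacy", "user": "bob",
     "scopes": ["files.readwrite.all", "offline_access"],
     "granted": "2022-03-02", "last_used": "2023-09-14"},      # powerful and idle
    {"app": "helpdesk-bot", "user": "carol", "scopes": ["directory.readwrite.all"],
     "granted": "2024-05-20", "last_used": "2024-05-31"},      # powerful but in use
]

# Constructed sign-in and MFA events.
SIGNIN_EVENTS = [
    {"ts": "2024-05-28T09:01:00Z", "user": "bob", "country": "GB", "device": "d-1f3a", "result": "success"},
    {"ts": "2024-05-29T09:03:00Z", "user": "bob", "country": "GB", "device": "d-1f3a", "result": "success"},
    # push-fatigue burst: repeated denials, then an approval from a new country and device
    {"ts": "2024-06-01T02:10:00Z", "user": "bob", "country": "NG", "device": "d-9e77", "result": "mfa_denied"},
    {"ts": "2024-06-01T02:11:00Z", "user": "bob", "country": "NG", "device": "d-9e77", "result": "mfa_denied"},
    {"ts": "2024-06-01T02:12:00Z", "user": "bob", "country": "NG", "device": "d-9e77", "result": "mfa_denied"},
    {"ts": "2024-06-01T02:14:00Z", "user": "bob", "country": "NG", "device": "d-9e77", "result": "success"},
    # alice mis-taps one prompt on her usual laptop: a denial then success, nothing novel
    {"ts": "2024-06-01T08:00:00Z", "user": "alice", "country": "GB", "device": "d-77c1", "result": "success"},
    {"ts": "2024-06-01T08:30:00Z", "user": "alice", "country": "GB", "device": "d-77c1", "result": "mfa_denied"},
    {"ts": "2024-06-01T08:31:00Z", "user": "alice", "country": "GB", "device": "d-77c1", "result": "success"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_high_risk_grants(grants, now=NOW, max_idle_days=90):
    """Grants that hold a high-risk scope and have been unused for max_idle_days."""
    out = []
    for g in grants:
        risky = HIGH_RISK_SCOPES.intersection(s.lower() for s in g["scopes"])
        last_used = datetime.strptime(g["last_used"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if risky and now - last_used > timedelta(days=max_idle_days):
            out.append((g["user"], g["app"], sorted(risky)))
    return out


def mfa_fatigue_takeovers(events, min_denials=3, window=timedelta(minutes=10)):
    """Successful sign-ins preceded by >= min_denials MFA denials within `window`,
    arriving from a country AND device absent from that user's earlier successes.
    The novelty check keeps a user who mis-tapped prompts on their usual device out
    of the alert; a user with no baseline yet is not alerted on either."""
    seen_countries, seen_devices = defaultdict(set), defaultdict(set)
    pending_denials = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda ev: _parse(ev["ts"])):
        user, t = e["user"], _parse(e["ts"])
        if e["result"] == "mfa_denied":
            pending_denials[user].append(t)
            continue
        if e["result"] != "success":
            continue
        denials = [d for d in pending_denials[user] if t - d <= window]
        novel = (e["country"] not in seen_countries[user]
                 and e["device"] not in seen_devices[user])
        if len(denials) >= min_denials and novel and seen_countries[user]:
            alerts.append((user, e["ts"], e["country"], e["device"], len(denials)))
        pending_denials[user].clear()
        seen_countries[user].add(e["country"])
        seen_devices[user].add(e["device"])
    return alerts


if __name__ == "__main__":
    for finding in stale_high_risk_grants(OAUTH_GRANTS):
        print("stale high-risk grant:", finding)
    for finding in mfa_fatigue_takeovers(SIGNIN_EVENTS):
        print("possible MFA-fatigue takeover:", finding)
```

Both detections are about state accumulated per identity (scopes held but unused, a baseline of where and from what a person signs in) rather than about any single artifact, which is the sense in which the text says the problem differs from malware detection. The novelty check is the caveat worth keeping when tuning: a denial burst alone produces false positives from users who mis-tap prompts.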

What keeps proving true

  • Joiner/mover/leaver is harder than you think and more important than it sounds. Most over-privileged accounts in the wild belong to former employees, contractors, or people who changed roles and never had their old access pruned.
  • The blast radius of a federated identity is the blast radius of every service it touches. When you SSO into a hundred SaaS apps with one IdP, that IdP becomes a single point of catastrophic failure.
  • Just-in-time access works. Standing privilege is the easiest control to remove and the hardest habit to break.
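The joiner/mover/leaver lesson and the standing-privilege lesson above reduce to one recurring reconciliation: compare the HR system of record with what the IdP actually grants, and treat every privileged membership without an expiry as a finding. The following is an added example, not the author's or any vendor's code; the roster, group names, field names and the "privileged_until" expiry field are constructed for illustration.

```python
"""Joiner/mover/leaver and standing-privilege reconciliation (added example).

Cross-checks an HR system of record against an IdP export and reports:
  - accounts with no HR owner (orphans, usually machine identities),
  - leavers whose accounts are still enabled,
  - movers who kept groups that belong to a role they no longer hold,
  - privileged group membership with no expiry (standing privilege) or a
    lapsed one (JIT elevation that was never revoked).
All records and field names are constructed for illustration, not any HRIS or IdP schema.
"""
from datetime import datetime, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for a deterministic run

# Groups each job role legitimately needs; anything else a mover holds is residual access.
ROLE_GROUPS = {
    "finance-analyst": {"finance-readers", "erp-users"},
    "platform-engineer": {"k8s-developers", "ci-runners"},
    "helpdesk": {"helpdesk-agents"},
}
# Groups that should only ever be held through a time-bound JIT elevation.
PRIVILEGED_GROUPS = {"cloud-admins", "idp-admins"}

# HR system of record (constructed).
HR_ROSTER = {
    "alice": {"status": "active", "role": "finance-analyst", "end": None},
    "bob":   {"status": "active", "role": "platform-engineer", "end": None},  # moved from helpdesk
    "carol": {"status": "terminated", "role": "helpdesk", "end": "2024-04-15"},
    "dan":   {"status": "terminated", "role": "platform-engineer", "end": "2024-05-20"},
    "erin":  {"status": "active", "role": "platform-engineer", "end": None},
}

# IdP export (constructed): account state, groups, and expiry of any JIT privilege assignment.
IDP_ACCOUNTS = {
    "alice": {"enabled": True, "groups": {"finance-readers", "erp-users"}, "privileged_until": None},
    "bob":   {"enabled": True, "privileged_until": None,
              "groups": {"k8s-developers", "ci-runners", "helpdesk-agents", "cloud-admins"}},
    "carol": {"enabled": True, "groups": {"helpdesk-agents"}, "privileged_until": None},
    "dan":   {"enabled": False, "groups": {"k8s-developers", "cloud-admins"}, "privileged_until": None},
    "erin":  {"enabled": True, "groups": {"k8s-developers", "cloud-admins"},
              "privileged_until": "2024-06-01T18:00:00Z"},   # JIT elevation still within its window
    "svc-deploy": {"enabled": True, "groups": {"ci-runners"}, "privileged_until": None},
}


def _iso(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) if ts else None


def reconcile(hr, idp, now=NOW):
    """Return (finding_type, account, detail) tuples, one account at a time."""
    findings = []
    for user, acct in sorted(idp.items()):
        person = hr.get(user)
        if person is None:
            findings.append(("orphan_account", user, "no HR record"))
        elif person["status"] != "active" and acct["enabled"]:
            findings.append(("leaver_still_enabled", user, f"terminated {person['end']}"))
        elif person["status"] == "active":
            # Privileged groups are judged separately below, not as residual role access.
            allowed = ROLE_GROUPS.get(person["role"], set()) | PRIVILEGED_GROUPS
            residual = acct["groups"] - allowed
            if residual:
                findings.append(("mover_residual_groups", user, sorted(residual)))
        held = acct["groups"] & PRIVILEGED_GROUPS
        until = _iso(acct["privileged_until"])
        if held and acct["enabled"] and (until is None or until <= now):
            findings.append(("standing_privilege", user, sorted(held)))
    return findings


if __name__ == "__main__":
    for kind, account, detail in reconcile(HR_ROSTER, IDP_ACCOUNTS):
        print(f"{kind:24} {account:12} {detail}")
```

The orphan finding is deliberate: an account the HR system has never heard of is almost always a machine identity, and the fix is to assign it an owner, not to delete it on sight. An account that is already disabled but still holds privileged groups (dan, above) is not reported, because disabling is the control that matters at leaver time; whether to also strip its groups is a hygiene choice for the team running the report.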

The feed below tracks identity-vendor research, IdP outages, and the ATO/social-engineering landscape that targets every program.

// LIVE FEED

Latest from across the industry

Auth0 Blog · 3w ago

Integrating Resend with Auth0 for Email Delivery

Learn how to use Resend and React Email in your Auth0 transactional emails. Build component-based templates and integrate them seamlessly with Auth0 using configuration and Actions.