Practitioner essays from the trenches of enterprise IAM — privileged access, identity governance, Zero Trust, and the controls that keep regulated organisations audit-ready. No vendor fluff; just what works.
In 2025, a group of teenagers cost Marks & Spencer, Co-op and Harrods hundreds of millions — not with malware, but by phoning the IT help desk and asking for a password reset. An identity post-mortem.
AI governance is being drafted as a legal and ethics exercise. Treat it as a security and identity problem instead — and NIST's AI RMF, ISO 42001 and the EU AI Act stop being paperwork and become a control program you can actually run.
The business is adopting AI faster than security can govern it. Here's how I'd scale AI across an enterprise without spawning a new generation of shadow IT, silent data leaks, and over-privileged agents.
Orphaned accounts, dormant access, and forgotten leavers are the access nobody is watching — which is exactly why attackers love them. Decommissioning is a control, not an afterthought.
In August 2025, attackers stole OAuth tokens from a marketing chatbot integration and walked into the Salesforce environments of 700+ companies — Cloudflare, Google, Zscaler and more. The non-human identity reckoning has arrived.
Identity is now the primary attack vector, yet most SOCs still treat it as an afterthought. ITDR is about making identity signals first-class citizens in detection and response.
Mid-2025 brought reports of more than 16 billion exposed login credentials. The headline number is almost beside the point — the real story is the credential economy quietly feeding every other breach.
The largest healthcare data breach ever recorded — around 192.7 million people — traced back to one remote-access portal without multi-factor authentication. A study in how a single identity gap becomes a national crisis.
Generous birthright access makes day-one productive and least privilege impossible. Stingy birthright protects you and floods the help desk. Here is how I square the circle.
Service accounts, API keys, tokens, and workload identities now outnumber human users many times over — and they are governed a fraction as well. That gap is the next big breach class.
SoD is easy to state and brutally hard to enforce across hundreds of applications. The trick is detecting toxic entitlement combinations continuously, not at audit time.
Replacing a privileged access platform means touching the credentials that run the business. Here is the staged approach I use to migrate without breaking production or failing an audit mid-flight.
The ACSC's Essential Eight is framed around endpoints and applications, but four of the eight live or die on identity controls. Here is how I map them.
Strip away the marketing and Zero Trust reduces to a single discipline: making access decisions per-request, based on verified identity and context. Everything else is plumbing.
Boards don't fund 'better identity governance.' They fund measurable risk reduction. Here is the capability model and the handful of metrics I use to make the case.
IdentityIQ is powerful and unforgiving. Most production pain traces back to the same handful of misunderstandings about how aggregation, correlation, and provisioning actually fit together.
Role-based access control promises order and usually delivers a role explosion nobody can maintain. Here is a pragmatic model that survives contact with reality.
Most organisations buy a PAM tool, vault some passwords, and declare victory. The vault is the easy 20%. The governance is where the risk actually lives.
Quarterly access reviews where managers approve everything in ninety seconds are theatre. Here is how to design certifications that actually remove access.
APRA's information security standard is written for boards, but most of its weight lands on identity teams. Here is how I translate CPS 234 into controls an assessor can tick off.
Most JML programs look tidy on a slide and fall apart at the leaver stage. Here is the operating model I use to make identity lifecycle defensible rather than decorative.