
#IdFriday | Why Identity has an Identity Crisis

  • Writer: And
  • Nov 9
  • 5 min read


Why giving Identity and Access Management (IAM) clear ownership and purpose is essential to protect every person, process, and platform that depends on it.


Windows Server 2025 Group Policy showing LDAP server signing requirements enforcement


Identity in Question: How IAM Became Everyone’s Responsibility and No One's Job



In cybersecurity, few disciplines are as misunderstood as Identity and Access Management (IAM). It’s at the heart of how we work, how we connect, and how we protect, yet it remains one of the least clearly defined functions in most organisations.


It’s a cliché to say something is “the foundation of everything,” but in the case of IAM, it’s true. Identity underpins the entire enterprise: every user, system, device, and process depends on it.


When that foundation is stable, everything built on top of it is stronger. But when it cracks, the whole structure is at risk.


The result? We’re now paying the price. Identity-related breaches are at an all-time high, and many stem not from a lack of investment, but from a lack of clarity. IAM has quietly become a victim of its own success: everywhere, but owned by no one.





When the Perimeter Moved, But the Mindset Didn’t


Once upon a time, network firewalls and endpoint protection were the crown jewels of cybersecurity. The perimeter was physical, defined, and defendable. But as cloud adoption, hybrid work, and Software as a Service (SaaS) took hold, that perimeter dissolved.


Identity became the new perimeter, the foundation of access, privilege, and trust. Yet, while the risk shifted, many organisations didn’t. Identity wasn’t treated as a critical layer of security; it was treated as an IT task.


Instead of a dedicated, business-aligned IAM function, responsibilities were scattered across Platform, Infrastructure, Cloud, Security, and Application teams, with the Service Desk often left to pick up the access requests.


IAM sprawled because it never had clear boundaries. As cloud and SaaS arrived, identity responsibilities scattered across those teams, while IAM itself was still treated as a back-office task.



A Discipline Without Boundaries


The trouble is, IAM doesn’t fit neatly into a single box. It touches everything: people, processes, devices, cloud services, applications, code, and policy.


That breadth makes it essential, but also misunderstood. IAM sits at the crossroads of technology ecosystems, yet rarely has a clear boundary of its own. It’s a system of systems, which means when no one owns it end-to-end, gaps emerge fast.


Too often, IAM skills were brought in late, once an application was already live, to "make it work" with single sign-on or to create a service account. By then, the opportunity to design security into the solution had already passed.


Even where dedicated teams existed, they were usually tied to specific enterprise directories and brought in late to integrate authentication mechanisms rather than shape identity security from the outset.





Many organisations also carry legacy IAM systems that continue to influence their environments today, including:


  • Early directory and access frameworks such as Novell eDirectory, IBM RACF, Banyan VINES.

  • First-generation provisioning and governance tools like Sun/Oracle Identity Manager, IBM Tivoli, CA/Broadcom Identity Suite.

  • Older web access and federation platforms such as SiteMinder, Oracle Access Manager, or custom-built IAM interfaces.

  • Home-grown scripts and connectors linking HR systems, applications, and directories.


Without a single owner for the whole identity fabric, risks slip through the gaps: unmanaged service accounts, legacy protocols, and privileged access that outlives its purpose.



A Perfect Example


To understand IAM’s identity crisis, you only have to look at Microsoft’s Active Directory, or its modern cloud evolution, Entra ID. Between them, they underpin almost 90% of enterprise directory services worldwide.


These services aren't just a database of users. Each is an entire ecosystem that demands coordinated management across:


  • Platform Management, Firewalls, Antivirus, and Patch Cycles

  • DNS, Group Policy, File Services, and Replication

  • Database Health, Object Permissions, and Schema Management

  • Authentication and Authorisation Protocols

  • Encryption Standards and Certificate Management

  • Scripting Interfaces

  • Cloud Identity, Cloud Sync, Conditional Access, Enterprise Apps, MFA, SSPR, Governance, SCIM, IGA etc.


And that’s before you even consider the security wrappers that protect these Tier 0 assets, such as Privileged Access Workstations (PAW), Secure Admin Workstations (SAW), or credential isolation strategies that prevent lateral movement and privilege escalation. We haven't even mentioned Threat Detection, SOC and SIEM.


In any other discipline, those responsibilities would span multiple technology silos: network, server, database, desktop, application, and security teams. Yet in IAM, they’re one continuous chain. A vulnerability or misconfiguration in the wrong hands can unravel the whole thing and take the entire organisation with it.



In IAM, every misconfiguration connects. A single weak link can unravel the entire chain.


Identity Incongruence


Because IAM has traditionally lived within infrastructure teams, it’s often been seen as “server management” rather than “business protection.” The result is that identity security, the thing attackers now target most, hasn’t always had the visibility or resourcing it deserves.


Without a centralised IAM function, risks that cross those silos often fall between the cracks. These aren’t just technical gaps; they’re governance gaps.



The Tide is Turning


The good news is that change is happening.


Organisations are starting to recognise that IAM is not a back-office IT function; it’s a business-critical control.


Identity is the new perimeter, and that means it must be treated with the same strategic priority that firewalls, patching, or endpoint protection once held. Zero Trust, Conditional Access, and Privileged Access Management have helped bring IAM to the forefront of modern security.


But this evolution also needs a cultural shift, where IAM teams aren’t just maintaining systems but driving resilience. They should be empowered to collaborate across departments, raise red flags, and embed identity risk management at the heart of every project.



IAM done right doesn’t just reduce risk — it’s the thread that holds everything together.


Giving Identity Its Own Identity


This means recognising IAM as a business-critical discipline, not an operational afterthought. It’s time for dedicated IAM teams, with the scope, skills, and authority to own the identity landscape end-to-end.


Only then can organisations close the long-standing gaps between infrastructure, cloud, security, policy and governance, bringing identity protection to every person and every process that depends on it.


When identity is seen not just as technology, but as the connective tissue between people, process, and access, it becomes a driver of clarity and confidence across the business.





At Orbital, we believe in giving IAM its own identity. It isn’t just about technology; it’s about giving every organisation the clarity and confidence to secure what matters most.


If your organisation is ready to give IAM the attention it deserves, start by exploring your own identity landscape.


Our Identity Risk Assessment helps uncover where risk hides, and how to close the gaps with clarity and confidence.


Follow the conversation on Social Media with #IDFriday, and subscribe to our blog for more ways to strengthen your identity-first resilience, real-world identity insights, practical guidance, and updates from the Orbital team.




