
Identity Security and AI

AI Security

Identity is at an inflection point: Why AI is the key to taming IAM complexity


Nov 23, 2025


Identity and Access Management (IAM) is on the cusp of rapid transformation, fueled by the maturity and adoption of AI. For years, IAM has been central to both our professional and personal lives, providing access to virtually everything we do. It maintains and manages the keys to the kingdom and is highly targeted by an increasingly advanced threat landscape.

And yet, for all its importance, it remains incredibly complex and directly affects our ability to conduct business and drive change. This is precisely why IAM is so well-positioned to benefit from AI, making it a strong investment for driving tangible business impact.

The perfect storm: Why IAM risk continues to be critical

The risks are significant, and the threat landscape is evolving with alarming speed.

According to the Verizon 2025 DBIR, "credential abuse" remains the number one path to exploitation, and the use of AI-assisted malicious emails has doubled in just two years. This external pressure is colliding with a perfect storm of internal complexity that has been brewing for decades.

Identity capabilities have evolved organically, in a piecemeal fashion, leaving most organizations with an IAM landscape that is incredibly complex and convoluted.

This isn’t a failure of any one team; it’s the natural result of three compounding factors:

  1. A Distributed Workforce: Responsibility for identity operations is rarely centralized. It’s a tangled web of stakeholders, including IAM analysts, security admins, the help desk, and even business managers, all caught in the critical path of every access request and review.

  2. A Disparate Technology Stack: Identity stacks are almost always a patchwork of disparate technologies from different vendors - from modern cloud IdPs to legacy on-prem directories - each with its own rules and interfaces.

  3. Multiple Layers of Governance: On top of this, we have a complex web of governance requirements, from industry frameworks and regulatory mandates to internal policies and contractual obligations.

This combination of external threats and internal complexity creates a high-risk, low-velocity environment. The investment climate is responding, as highlighted by the recent slew of investments in the identity space, but for those of us on the ground, the pressure to simplify, automate, and reduce risk has never been greater. This is precisely why identity is so well-positioned to benefit from AI.

The AI advantage: From data overload to actionable insight

AI is not a panacea, but its core capabilities are perfectly suited to solving the core challenges of IAM. AI is like giving every IAM analyst a team of a thousand junior analysts to do the data gathering and a seasoned expert to spot the patterns. It enables us to move from data overload to actionable insight by excelling at three key things:

  • Summarization: AI can condense, correlate, and map large and disparate data sets from across the identity landscape, giving us a unified view that has never been possible before.

  • Pattern Recognition: AI can analyze activity data to identify patterns, anomalies, and outliers, providing insights into everything from inefficient workflows to potential security threats.

  • Automation: Agentic AI can execute tasks, from gathering context for an alert to automating the steps in a user provisioning workflow, freeing up our human experts to focus on strategic outcomes.

Using GenAI to understand friction, workflows, and metrics can provide the insight to make small adjustments without significant investment or disruption.

AI Brings Clarity to IAM Complexity

For organizations with advanced data and workflow capabilities, AI can be layered on top of existing investments to unlock new levels of efficiency and intelligence.

The complicated reality of modern IAM

While opportunities abound, successfully driving and investing in change for core and critical capabilities is easier said than done. IAM at scale and velocity is expensive, time-consuming, complicated, and integrated with everything, everywhere.

IAM is often oversimplified: just create/delete users and add, modify, or delete permissions. While this is accurate at a fundamental level, it doesn’t represent the complicated reality of what is required in larger, highly distributed, and/or more legacy organizations.

There are fundamental considerations when managing IAM end-to-end at scale and speed for many entities:

  1. Many technologies: Identity Providers (IdP), Identity Governance and Administration (IGA), Human Resource Information Systems (HRIS), Directory Services, system accounts, networking/communications services, integration/workflow, Privileged Access Management (PAM), and MFA technologies. There may also be multiple estates, such as customer/client and enterprise, that utilize different technologies.

  2. Multiple stakeholders and teams: Application business owners, end-user computing/customer service, data administration, IAM technology operations, GRC, infrastructure and networking, cyber, and application development. Additionally, there may be multiple organizations that manage different parts of the identity estate, such as customer/client and enterprise.

  3. Multiple layers of governance (policies, standards, and practice): Industry frameworks, enterprise-wide, business unit-specific, data class-specific, country/governance jurisdiction (location and citizenship), regulatory requirements, and contractual obligations.

These complexities create friction and directly impact an organization’s speed of execution and change.

Opportunities for business impact and value

IAM Digital Organization

AI can drive business impact across both operational and strategic capacities. It can be incredibly effective in reducing friction and achieving more consistent execution.

Here are a few examples that align with the tactical use cases I explore in my next post:

  • Automating Recertification: Correlate data and identify patterns about PAM activity to support recertification cycles.

  • Triaging Alerts: Gather data and context to analyze or triage an identity situation.

  • Streamlining Operations: Automate steps in a task to add users to groups and validate the final outcome.

  • Improving Reporting: Create and edit documents and reports to summarize weekly identity activity reports for teams and leadership.

  • Visualizing the Estate: Build metrics, images, and graphics to represent the status of a major identity initiative.
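The three AI capabilities named earlier (summarization across disparate sources, pattern recognition, and automation that validates its outcome) and the recertification and reporting use cases above all reduce to the same underlying work: joining identity data from several systems and applying consistent rules to it. The following is an added example, not code from this post or from Opti, showing that join in plain Python over a constructed HRIS feed, group-entitlement export and PAM session log. The 90-day idle window and the 07:00 to 19:00 business-hours band are assumptions chosen for illustration; real thresholds come from your policy.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real identities): three sources an analyst would
# otherwise correlate by hand.  The "as of" date anchors the idle-window maths.
AS_OF = datetime(2025, 11, 23)

HRIS = [  # authoritative worker status from the HR system
    {"user": "alice", "status": "active", "dept": "platform"},
    {"user": "bob", "status": "terminated", "dept": "finance"},
    {"user": "carol", "status": "active", "dept": "platform"},
    {"user": "dave", "status": "active", "dept": "helpdesk"},
]

ENTITLEMENTS = [  # group-membership export; privileged groups are flagged
    {"user": "alice", "group": "prod-db-admins", "privileged": True, "granted": datetime(2025, 1, 10)},
    {"user": "bob", "group": "finance-readers", "privileged": False, "granted": datetime(2024, 6, 1)},
    {"user": "carol", "group": "prod-db-admins", "privileged": True, "granted": datetime(2025, 2, 3)},
    {"user": "carol", "group": "break-glass-admins", "privileged": True, "granted": datetime(2025, 9, 1)},
    {"user": "dave", "group": "prod-db-admins", "privileged": True, "granted": datetime(2025, 7, 15)},
    {"user": "dave", "group": "helpdesk-tier1", "privileged": False, "granted": datetime(2023, 3, 1)},
]

PAM_SESSIONS = [  # privileged session checkouts: who, which group was exercised, when
    {"user": "alice", "group": "prod-db-admins", "at": datetime(2025, 11, 20, 14, 5)},
    {"user": "alice", "group": "prod-db-admins", "at": datetime(2025, 11, 21, 9, 30)},
    {"user": "carol", "group": "prod-db-admins", "at": datetime(2025, 7, 1, 11, 0)},
    {"user": "dave", "group": "prod-db-admins", "at": datetime(2025, 11, 22, 2, 45)},
]


def orphaned_entitlements(hris, entitlements):
    """Correlate HRIS status with entitlements: terminated workers who still hold access."""
    terminated = {r["user"] for r in hris if r["status"] == "terminated"}
    return sorted((e["user"], e["group"]) for e in entitlements if e["user"] in terminated)


def stale_privileged_entitlements(entitlements, sessions, as_of, max_idle_days=90):
    """Privileged memberships not exercised through PAM within the idle window.

    These are the recertification candidates: access that is held but unused
    ('never' when no session has ever been recorded for that grant).
    """
    last_use = {}
    for s in sessions:
        key = (s["user"], s["group"])
        last_use[key] = max(last_use.get(key, s["at"]), s["at"])
    cutoff = as_of - timedelta(days=max_idle_days)
    stale = []
    for e in entitlements:
        if not e["privileged"]:
            continue
        used = last_use.get((e["user"], e["group"]))
        if used is None or used < cutoff:
            stale.append((e["user"], e["group"], used.date().isoformat() if used else "never"))
    return sorted(stale)


def off_hours_privileged_sessions(sessions, start_hour=7, end_hour=19):
    """Simple pattern check: privileged sessions outside the assumed business-hours band."""
    return sorted(
        (s["user"], s["group"], s["at"].isoformat())
        for s in sessions
        if not start_hour <= s["at"].hour < end_hour
    )


def weekly_summary(hris, entitlements, sessions, as_of):
    """Roll the three checks into one structure a weekly activity report can be built from."""
    return {
        "identities": len(hris),
        "privileged_entitlements": sum(1 for e in entitlements if e["privileged"]),
        "orphaned": orphaned_entitlements(hris, entitlements),
        "stale_privileged": stale_privileged_entitlements(entitlements, sessions, as_of),
        "off_hours_sessions": off_hours_privileged_sessions(sessions),
    }


if __name__ == "__main__":
    for section, rows in weekly_summary(HRIS, ENTITLEMENTS, PAM_SESSIONS, AS_OF).items():
        print(section, rows)
```

Each finding carries the evidence that produced it (the last-use date, the session timestamp), so a reviewer or an agent acting on the output can validate the recommendation against the source systems rather than trusting the summary alone. The same functions run unchanged over a much larger export; what changes at scale is only where the three inputs come from.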

The journey has just begun

AI, like any technological shift, will take years to deeply understand, reach maturity, and deliver ROI. The opportunities and incentives are profound, and it eases many barriers to entry for data analysis, content development, orchestration, and automation that have traditionally required significant expertise and investment.

To get started, organizations should take a dual-track approach to reaping the opportunities of AI. This involves focusing on simpler, tactical use cases that can provide quick wins while simultaneously building a long-term strategic roadmap. In the next two posts in this series, I will provide a detailed guide to both of these tracks, including 5 Quick Wins for AI in Identity Security and The Strategic Imperative of AI in Identity Security. This post provides a comprehensive framework for building a long-term, strategic AI-powered IAM program.

Erik is a cybersecurity executive and advisor with over 20 years of experience leading cloud security, identity, and enterprise risk transformation. Formerly SVP – Cloud Security & Architecture at M&T Bank, he has also held leadership roles at GitHub, Veracode, and ACV Auctions. Erik advises emerging cybersecurity innovators, including Cyera, Legit Security, Cyberstarts, and Permiso Security, and through his firm, Pragmatic Strategies, helps organizations turn complex security challenges into actionable strategy and measurable results.

Frequently asked questions

How does Opti keep my data secure?

Each customer runs on logically isolated resources with full encryption in transit and at rest. Opti is SOC 2 and ISO 27001 compliant, and we never move sensitive identity data outside your chosen region. Read more in our Trust Center.


How does Opti fit into my current identity stack?

We integrate via standard APIs and proprietary integrations with your existing IdP, HRIS, ITSM, and enterprise applications, both SaaS and legacy. No rip-and-replace: our platform leverages your security and identity ecosystem for better results. Opti ingests entitlements, maps risk, and executes changes through the systems you already trust.

How fast can Opti show results in a large enterprise environment?

Most mid-to-large organizations see impact within the first 30 days of deployment. Our connectors light up your existing directory and top apps in hours, the identity graph is fully populated in under a day, and automated remediation or access-request workflows start eliminating ticket backlog and stale entitlements before the first weekly steering call.

What makes Opti different from traditional IGA suites?

Opti is AI-native from day one. Instead of relying on static roles and manual reviews, we use machine-learned risk models to recommend, approve, or remediate access in real time—without the heavy deployment cycles of legacy IGA.
