Big names new places, Identity 50 Update, The Future of Identity, and Identiverse 2025

The 98th Edition of the Identity Jedi Newsletter

Hey Jedi, welcome to the edition of the Identity Jedi Newsletter! It’s February folks. Yup, one month down in 2025 and already…it’s been a wild ride. It’s also Black History Month, so I’ll be dropping some random Black History facts throughout the newsletter and blogs this whole month.

Coming up in this week’s edition we’ll be talking about some names in identity with new places to call home, a discussion around what the future of identity is, and Identiverse 2025.

This week's edition

A matter of perspective

Here’s what I find interesting about this article. (Aside from the fact they drop some stats, you all know I loooove me some stats.) Reading this, it speaks to the broader issue we’ve had with identity and cybersecurity this entire time. We overrate on prevention and not on response. Cybersecurity leaders and budgets flood to the latest firewall, CASB, threat hunting, <insert random security acronym here>. But do nothing about what’s behind it. When a breach does happen, how does your system respond? What can they get access to? How can you control blast radius? All questions that identity helps solve.

We’ve got some blame in this too. (We the identity community.) We’ve got to stop thinking of ourselves as IT administration, and start thinking of ourselves as a part of the security strategy. So that means vendors making products that help drive actions and spot problems. Practitioners working to align identity products with security products, and identity leaders learning how to speak both security and to the business.

The truth is, we’ve spent far too long treating identity as an administrative function rather than a security cornerstone. We’ve built complex IAM systems to provision, deprovision, and review access—but we’ve done little to make identity an active player in security response. Meanwhile, cybersecurity teams chase the latest perimeter defense technology, forgetting that the real attack surface isn’t the firewall, it’s what’s behind it.

If identity is the key to limiting blast radius, controlling post-breach access, and enforcing Zero Trust, then we—the identity community—need to step up and own our seat at the security table. That means:

🔹 Vendors designing products that detect, respond, and adapt—not just govern.

🔹 Practitioners integrating IAM more deeply with security operations and threat intelligence.

🔹 Identity leaders who can speak security and business fluently, showing executives why IAM is critical beyond compliance.

Because at the end of the day, cybersecurity isn’t just about keeping attackers out. It’s about limiting what they can do when they get in. And if that’s not identity’s job, then I don’t know what is.

The Identity Version of the Luka and AD Trade

Well, kind of. Recently Ian Glazer announced he’s joining SGNL as VP of Product Strategy. This is kind of a big deal, because Ian will never say it himself, but he’s a freaking LEGEND in the IAM game. (Ok, I might be a little biased because I’m honored to be able to call him a friend, but still….he’s a legend.) I know the SGNL team is excited to have him, and I know he’s excited to get in and do some amazing things! We’ve got some heavy hitters at some up-and-coming companies (Sarah Cecchetti and Dean Saxe at Beyond Identity). Going to be fun seeing what these amazing identity leaders build over the next couple of years.

NHI is one of the hot topics in Identity right now. Check out this Live Webinar hosted by Britive talking about some real strategies for approaching it.

Securing Non-Human Identities in the Cloud: In Depth Security Roadmap - Thursday 6th, 2:00PM ET

From Admin-Time to Runtime: The Evolution of IAM and the Future of Authorization

Identity and Access Management (IAM) has long been stuck in a rigid model—one where governance, policy enforcement, and access decisions happen at admin time rather than runtime. But what if we flipped that model? What if IAM evolved to make real-time decisions, dynamically adjusting access based on who you are, what you’re doing, and the context of your interaction?

That was the crux of a recent conversation I had, and it’s a shift I believe is not only possible but necessary. Here’s why.

Authentication vs. Authorization: Drawing the Line That Never Existed

Authentication has largely been solved. With widely adopted standards like SAML, OpenID Connect, and WebAuthn, authentication has been commoditized. You log in, you prove you are who you say you are, and then—well, then we get to authorization.

And that’s where things get complicated.

Authorization has never had the same level of standardization because it’s deeply embedded into the business logic of applications. Unlike authentication, which simply verifies identity, authorization determines what you can do once you’re inside. This means that while authentication decisions can be outsourced, authorization decisions remain tightly coupled to the app.

But what if they didn’t have to be?

Rethinking IAM: Making Authorization Dynamic at Runtime

If I were to build an IAM platform from scratch today, I’d take advantage of two key data sources:

1. Authentication Information – Who you are and how you proved it.

2. Session Data – What you’re trying to do in the moment.

With those two data points, I could make access decisions in real time—granting permissions dynamically based on user intent and context rather than static role assignments. This is the foundation for true Zero Trust and Zero Standing Privilege:

🚀 No more pre-assigned access – Instead, users get just-in-time permissions based on their current need.

🚀 No more over-permissioned users – Since access is transient, there’s no long-term risk.

🚀 No more stale access reviews – If I can derive a user’s permissions on demand, I don’t need quarterly campaigns to verify access.

This vision would require systems that can communicate, process, and enforce authorization policies thousands (or even millions) of times per day—something today’s IAM platforms weren’t built to handle.
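A minimal sketch of the runtime decision described above, added here as an illustration and not code from this newsletter or from any IAM product. It takes the two inputs named in the text (authentication information and session data) and returns a short-lived grant or a default deny; the class names, policy table and TTL values are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Authn:            # who you are and how you proved it
    subject: str
    method: str         # e.g. "password", "webauthn"
    auth_time: float    # epoch seconds of the login

@dataclass(frozen=True)
class Session:          # what you are trying to do in the moment
    action: str
    resource: str
    managed_device: bool

@dataclass(frozen=True)
class Grant:            # ephemeral permission, never stored on the user
    subject: str
    action: str
    resource: str
    expires_at: float

# Constructed sample policies; every value here is illustrative.
POLICIES = [
    {"action": "read", "prefix": "reports/", "methods": {"password", "webauthn"},
     "max_auth_age": 8 * 3600, "need_managed": False, "ttl": 900},
    {"action": "write", "prefix": "payroll/", "methods": {"webauthn"},
     "max_auth_age": 900, "need_managed": True, "ttl": 300},
]

def decide(authn, session, now):
    """Policy decision: return a short-lived Grant, or None (default deny)."""
    age = now - authn.auth_time
    for p in POLICIES:
        if (session.action == p["action"]
                and session.resource.startswith(p["prefix"])
                and authn.method in p["methods"]
                and 0 <= age <= p["max_auth_age"]
                and (session.managed_device or not p["need_managed"])):
            return Grant(authn.subject, session.action, session.resource,
                         now + p["ttl"])
    return None

def is_valid(grant, authn, session, now):
    """Enforcement: a grant covers one subject, action and resource until expiry."""
    return (grant is not None and now < grant.expires_at
            and grant.subject == authn.subject
            and grant.action == session.action
            and grant.resource == session.resource)
```

Because nothing is pre-assigned, the same user is denied the payroll write once the login is older than the policy allows or the device is unmanaged, and has to re-authenticate to get a fresh grant.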

How This Changes IAM as We Know It

Shifting authorization to runtime has huge implications for IAM. Consider:

Access Reviews Become Obsolete – Why run access review campaigns if you can attest to permissions dynamically? Instead of collecting stale snapshots of access, we can run real-time tests that validate controls in action.

Policy-Based Access Takes Center Stage – Instead of rigid role-based access control (RBAC), policies would determine access dynamically based on context, intent, and security posture.

IAM Becomes a Security Function, Not Just an IT Function – Real-time authorization decisions would integrate more closely with security monitoring, threat detection, and risk-based access enforcement.

The Future of Authorization: What Needs to Change?

For this shift to happen, IAM platforms must evolve in three key ways:

1. Standardization of Authorization – Just like authentication, authorization needs a universal framework that decouples policy enforcement from applications.

2. Scalability & Performance – Systems must handle millions of access decisions per day at near-instant speed.

3. Interoperability – IAM, security, and business applications must seamlessly share data to make context-aware decisions.

Final Thoughts

The move from admin-time IAM to runtime IAM isn’t just a technological shift—it’s a paradigm shift in how we think about identity, access, and security. Instead of treating access as something you grant and then review later, we should treat it as something ephemeral, dynamic, and constantly evaluated.

If we get this right, we eliminate unnecessary access, reduce risk, and finally bring authorization into the modern age.

But I know I’m missing something, right? By no means do I think this is an easy thing to do. But we’ve got some pathways to get there. Things like Shared Signals make a way for technology products to talk and share information. But is that enough? Let’s talk about it!

The Identity Jedi Universe

Powered by OnTheCornerMedia

Identity Jedi Show Podcast

Wait I’m In Charge? Micro Podcast

Leadership Newsletter

The Last Word

Identiverse 2025!

Honored once again to be a speaker at Identiverse and I can’t WAIT for this summer. I’ve got two talks lined up this year and you know me, I’ve got something special planned for both.

So like always, sharing the goods with you! Here’s a discount code for the conference: IDV25-Speaker25. This gets you 25% off. Should help with some of those costs.

I’ll also be planning another event at Identiverse. The Identity Jedi Happy Hour was awesome last year, and this year we want to do something a little bigger…stay tuned!

Also the Identity 50 has been updated!! Check it out here:

Be Good to each other, Be Kind to each other, Love each other

-Identity Jedi
