SecureWorld News

Identity Management Day 2026: Securing the New Perimeter

Written by Cam Sivesind | Tue | Apr 14, 2026 | 5:31 PM Z

Today, April 14, 2026, the global cybersecurity community will observe Identity Management Day. Founded by the Identity Defined Security Alliance (IDSA) and the National Cybersecurity Alliance (NCSA), the day serves as a critical checkpoint for an industry that has seen the traditional network perimeter effectively dissolve.

In 2026, the mandate is clear: Identity is the new perimeter. As recent threat telemetry has shown, attackers aren't breaking into systems anymore; they are simply logging in using stolen, intercepted, or spoofed credentials. Identity Management Day is a call to move beyond "compliance-based" identity and toward a model of identity resilience.

For the practitioners on the front lines, Identity Management Day is an opportunity to move from reactive maintenance to strategic orchestration.

  • Close the "Workforce Identity Gap": Audit the human workflows that surround identity. Hardening the help desk against AI-enabled vishing and securing remote onboarding processes are now just as important as technical protocol security.
  • Audit Non-Human Identities: Shift focus toward Service Accounts, OAuth tokens, and AI agents. These non-human entities often carry high privileges but lack the MFA protections and behavioral monitoring applied to human users.
  • Adopt Identity-First Zero Trust: Ensure that every access request—whether from a remote employee or an automated SaaS integration—is continuously verified based on context, not just a one-time login event.

"Identity management has undergone a massive shift: humans now make up less than 3% of managed identities in cloud environments. The rest belong to machines that don’t log off, don’t take breaks, and often operate with elevated permissions," said Crystal Morin, Chief Cybersecurity Strategist at Sysdig. "As automation and AI-driven development explode, the gap between human and machine identities is becoming one of the defining security challenges of our time. Machine identities are ephemeral, autonomous, and often difficult to manage at scale with traditional controls, which were never designed for this speed. Identity is the primary access control, it defines an environment’s boundaries, and it’s the most common source of initial access in a breach."

Morin added, "To keep up, organizations must rethink identity security as a continuous, lifecycle-driven discipline. Businesses must treat machine identities as the new firewall."

Leadership and organizational strategy must reflect that identity is a business-critical asset, not just an IT checkbox.

  • Enterprises & Governments: Prioritize the "Mental OS" shift toward Cyber Resilience. This means investing in unified platforms that integrate CSPM, CIEM, and DSPM to gain total visibility into "Identity Sprawl" across multi-cloud environments.
  • Vendors: Focus on "Secure-by-Design" identity features. 2026 demands phishing-resistant MFA as the default, explainable AI for behavioral analytics, and interoperable standards that allow for seamless identity governance across fragmented tech stacks.
  • Policy & Governance: Governments should lead by example, implementing robust Workforce Behavior monitoring and privacy guardrails that protect sensitive citizen data without stifling the velocity of digital services.

"The C-Suite, CISOs, and CSOs need to look beyond siloed views of obviously privileged identities and take a holistic view of the combinations of privileges, entitlements and roles that could be exploited by an attacker to elevate privilege, move laterally and inflict damage," said James Maude, Field CTO at BeyondTrust. "The identity security debt accumulated by many organizations represents a far greater risk than any other area as it only takes the attacker to login using the right identity and all is lost because of the paths to privilege that abound in their environment. Understanding and reducing your identity attack surface should be at the forefront of every organization's thinking when it comes to cyber defense moving forward."

For the public, Identity Management Day is about moving from awareness to actionable defense.

  • Recognize the "Human-in-the-Loop" Attacks: Be aware that attackers are weaponizing deepfakes and synthetic audio to impersonate IT support or executives. If a "password reset" request feels urgent or unusual, verify it through a secondary, out-of-band channel.
  • Clean Up "App Sprawl": Use this day to audit the permissions granted to third-party applications. Revoke access for apps you no longer use to minimize your "Shadow Identity" footprint.
  • Adopt Phishing-Resistant MFA: Move away from SMS-based codes where possible in favor of hardware keys or passkeys, which are significantly harder for modern AI-driven phishing kits to intercept.

More thoughts from industry experts at cybersecurity vendors:

Mark McClain, CEO at SailPoint:

  • "Identity is no longer about perimeter-based defense. The rise in AI-based agents and the massively accelerating threat landscape has rendered that approach inadequate, and prompted a shift towards identity as the critical element to enterprise security. This report's findings demonstrate that there is now a need for real-time, intelligent, and dynamic identity security, built to govern and secure not just “who,” or in the case of AI agents, “what,” has access to the enterprise, but what data they can access and what they are able to do once inside."

  • "The modern enterprise requires a new control plane, driven by unifying identity, data, and security. The combined power of these contexts enables real-time decisions to reduce risk without impacting the business. These decisions can be driven by the nature of the identity, the context of the apps and data it can access, the behavior around how it is using these apps and data and the security signals and risk warnings that may surround it. To combat this new era of threats, driven by the force multiplier of AI, we need to embrace a new approach of adaptive identity."

Chris Radkowski, GRC Expert at Pathlock:

  • "The rise of AI agents and machine identities has fundamentally outpaced traditional identity security. MFA and legacy access controls were built for a world of human users, not autonomous agents, service accounts, and AI-driven workflows that now outnumber people across the enterprise by 20x. Making matters more complex, the productivity promise of AI is too compelling for employees to wait on IT, workers are signing up for AI-powered tools, copilots, and automation platforms using their enterprise credentials, connecting them directly to corporate email, productivity suites, and business applications, often without security's knowledge."

  • "As agentic AI takes on real business actions with real permissions, the attack surface expands in ways most organizations aren't prepared to see, let alone secure. Credential abuse, account takeover, and sophisticated social engineering are increasingly targeting the non-human identities that operate quietly in the background with little oversight. That is why we believe that securing the modern enterprise means treating identity holistically by extending governance, least-privilege, and adaptive controls across every identity, human or machine. In the AI era, identity isn't just an IT problem. It's the foundation of trust itself."

Shane Barney, CISO at Keeper Security: 

  • "Instead of forcing their way through a firewall, adversaries are logging in with stolen credentials, hijacked tokens and abused permissions, then moving laterally under the cover of legitimacy. When identity controls are fragmented or overly permissive, attackers don’t need novel exploits. They just need access that looks routine. Identity now defines the enterprise perimeter. When every identity is governed with least privilege and continuously validated, a stolen credential becomes a contained event instead of an enterprise-wide incident."

Jason Soroko, Senior Fellow at Sectigo:

  • "Machines, and their full Non-Human Identity (NHI) taxonomy, such as workloads, AI agents, etc., should never be thought about in the context of human authentication methods. MFA does not apply, as that is a band-aid solution for human authentication based on passwords. How are you going to ask your docker container to type in a one-time password from their authenticator app? It’s silly even to talk about it. Biometrics - do I even need to justify why we can’t talk about biometric authentication for NHI?"

  • "Right now most workloads and agents authenticate with static API tokens. These are harvested exactly the same way as passwords. They aren’t managed well, they’re in the clear in many places, and they are not going to be sustainable for secure agentic AI systems."

  • "Cryptographically bound tokens will be needed, as proof of possession, so that when an adversary inevitably steals the static API key, the adversary can’t do anything about it. It turns out that PKI will be performing a critical function here. That shouldn’t be a surprise to anyone. So let’s drop the old vocabulary that was created in the human-only authentication era."

Elad Luz, Head of Research at Oasis Security:

  • "To reduce the risks associated with Non-Human Identities (NHIs), security teams need to implement modern identity management practices, strong governance, and proactive security controls. Where possible, organizations should transition to cloud-native identities and establish a comprehensive lifecycle management strategy for NHIs that cannot be migrated. Maintaining good identity hygiene is critical—this includes removing stale or unused NHIs, conducting regular access reviews, and ensuring NHIs follow the Principle of Least Privilege (PoLP) by granting only the minimum permissions necessary."

  • "A structured policy and enforcement program should be built around risk analysis and compliance frameworks, ensuring NHIs align with both security best practices and regulatory requirements. Adopting short-lived credentials, automated credential rotation, and managed identities can further minimize risk by limiting exposure. Collaboration with app development and DevSecOps teams is also essential to integrate these security measures without disrupting workflows, ensuring that NHIs remain secure while maintaining operational efficiency. By treating NHIs with the same level of oversight as human identities, organizations can mitigate risk while maintaining agility and scalability across their development and cloud environments."

  • "The rise of AI agents will introduce new security challenges for NHIs. These agents often operate under machine accounts or service identities, acting on behalf of human users, which makes it difficult to track permissions, monitor usage, and enforce accountability. Without proper oversight, organizations risk losing visibility into which identities have access to critical resources and how they are being used."

  • "The main concern is governance. If AI agents are assigned persistent, unmanaged service accounts, these identities can quickly become overprivileged and unmonitored, increasing the organization’s attack surface. To mitigate this risk, security teams should implement automated monitoring, enforce least privilege, and establish clear policies for AI-driven NHIs. By putting these guardrails in place early, organizations can embrace AI automation without compromising security."