Identity is the new perimeter
The "perimeter" defence model is functionally retired. Identity is the perimeter.
Single sign-on (SSO)
- One identity provider — Okta, Microsoft Entra ID, Google Workspace
- Apps integrate via SAML 2.0 or OIDC
- User provisioning / deprovisioning automated via SCIM where possible
- Conditional access policies — require MFA, device compliance, location-based rules
The single biggest IAM win for most organisations: getting all internal apps behind SSO.
Multi-factor authentication (MFA)
- TOTP (authenticator apps) — fine baseline
- SMS — use only if no other option. Vulnerable to SIM swapping
- Hardware keys (FIDO2 / WebAuthn / Passkeys) — phishing-resistant. The right answer for high-value accounts
- Push notifications — convenient, but vulnerable to MFA fatigue. Use number-matching variants
In 2026, the move is to passkeys / WebAuthn.
Role-based access control (RBAC)
- Roles, not individual permissions, assigned to users
- Roles based on job function, not on individuals
- Periodic access review
- Separation of duties — sensitive operations require multiple people
Privileged access management (PAM)
- Just-in-time access — privilege granted for a defined window, then revoked
- Approval workflow for elevation
- Session recording for sensitive operations
- Vault-managed credentials with short rotation
- No shared accounts; per-user accounts even for privileged access
Service-to-service auth
- mTLS — mutual TLS, certificate-based
- OAuth client credentials — short-lived tokens
- SPIFFE / SPIRE — workload identity for cloud-native
- Cloud-native identity — IAM roles for EC2, service accounts for k8s pods
Long-lived static credentials between services are the risk. Replace them with short-lived, identity-bound credentials.
Lifecycle management
- Joiners / movers / leavers process formalised
- Provisioning automated (SCIM, IaC for cloud IAM)
- Deprovisioning within hours of departure
- Quarterly access reviews — manager reviews their team's access
- Annual deep review — full audit
Audit logging
- All authentication events
- All authorisation decisions
- All privilege changes
- All identity-system admin actions
- Centralised, with retention appropriate to compliance / forensic needs
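The events above are only worth collecting if something reads them. As an added example, not code from the original post: a small Python check that walks constructed sign-in records and reports successful authentications that completed with a password alone, plus the users who have never signed in with a phishing-resistant factor. The record schema and sample data are assumptions and do not match any particular identity provider's export format.

```python
"""Check that MFA is enforced, not merely enabled, by auditing sign-in events.

Added illustration. The log schema and sample records are constructed and do
not reflect any specific identity provider's export format.
"""
from collections import defaultdict

# Factors treated as phishing-resistant for reporting purposes.
PHISHING_RESISTANT = {"fido2", "webauthn", "passkey"}

# Constructed sample export: one record per sign-in attempt.
SIGN_IN_EVENTS = [
    {"user": "alice", "result": "success", "factors": ["password", "fido2"], "app": "vpn"},
    {"user": "bob", "result": "success", "factors": ["password"], "app": "wiki"},
    {"user": "bob", "result": "success", "factors": ["password", "totp"], "app": "vpn"},
    {"user": "carol", "result": "failure", "factors": ["password"], "app": "wiki"},
    {"user": "dave", "result": "success", "factors": ["password"], "app": "legacy-crm"},
    {"user": "dave", "result": "success", "factors": ["password"], "app": "legacy-crm"},
    # A legacy protocol path that never prompts for a second factor.
    {"user": "svc-backup", "result": "success", "factors": ["password"], "app": "sftp"},
]

def single_factor_successes(events):
    """Return successful sign-ins that completed with only a password.

    Any hit means MFA is configured but bypassable somewhere: a legacy
    protocol, an app excluded from the policy, or a per-user exemption.
    """
    return [e for e in events
            if e["result"] == "success" and not (set(e["factors"]) - {"password"})]

def gaps_by_app(events):
    """Count single-factor successes per application to locate the policy gap."""
    counts = defaultdict(int)
    for e in single_factor_successes(events):
        counts[e["app"]] += 1
    return dict(counts)

def users_without_phishing_resistant_factor(events):
    """Users with successful sign-ins but never a FIDO2/WebAuthn/passkey factor."""
    seen, strong = set(), set()
    for e in events:
        if e["result"] != "success":
            continue
        seen.add(e["user"])
        if PHISHING_RESISTANT & set(e["factors"]):
            strong.add(e["user"])
    return sorted(seen - strong)

if __name__ == "__main__":
    for app, n in sorted(gaps_by_app(SIGN_IN_EVENTS).items()):
        print(f"{app}: {n} successful sign-in(s) without a second factor")
    print("no phishing-resistant factor:", users_without_phishing_resistant_factor(SIGN_IN_EVENTS))
```

Run it against a real export on a schedule; a non-empty `gaps_by_app` result is the evidence that "MFA enabled" and "MFA enforced" have diverged.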
One pattern we'd warn about
"We have MFA enabled" without verifying enforcement. MFA that is configured but bypassable is barely better than no MFA.
One pattern that always pays off
Quarterly access review meeting — managers walk through their team's access, confirm or remove. 30 minutes per team.
What's your IAM stack?