Identity security remains a reactive rather than proactive concern for most organizations, according to Eric Woodruff, Chief Identity Architect at Semperis. Speaking at the Span Cyber Security Arena conference, Woodruff explained that boards typically treat identity as an IT hygiene problem until a security incident forces a change in perspective. Some organizations are beginning to integrate identity teams into security operations, but the shift has been slow, driven more by the remote-work transition during COVID-19 than by strategic planning.
Identity platforms present significant complexity challenges, particularly for small and medium-sized businesses where staff members handle multiple roles beyond identity management. These platforms default to usability over security, so configuring them securely requires substantial expertise. The situation is complicated by identity's unique position between IT and security departments: security teams sometimes make configuration errors because they lack experience dealing directly with end users, a requirement that distinguishes identity work from other security functions.
A major misconception in the industry involves phishing-resistant authentication technologies like passkeys and Windows Hello for Business, which bind the credential to the legitimate relying party and device so that a lookalike login page cannot harvest a reusable secret. Many enterprises avoid these solutions, believing they will confuse users, or refuse to deploy them unless they solve 100 percent of authentication challenges. Woodruff argues this approach is flawed, noting that protecting 90 percent of users from phishing attacks represents significant value. He points to consumer applications like Amazon, where users readily adapt to MFA and passkey enrollment when given little choice, suggesting that security teams underestimate user flexibility and fail to communicate the importance of security changes in accessible terms.
Agentic AI systems present emerging identity challenges that current frameworks cannot adequately address. These autonomous agents typically act with the full permissions of the user who invoked them and lack proper non-human identity controls. While initiatives like Agent ID exist, they remain vendor-specific and are easily bypassed when users instruct AI systems to operate differently. Most agentic systems prioritize task completion over security constraints, and users can often override intended guardrails simply by requesting an alternative approach. Recent incidents in which AI agents accidentally deleted databases or caused other damage demonstrate the risks of inadequate controls.
Short-term solutions for AI-related identity risks focus on endpoint controls and permission restrictions rather than comprehensive identity frameworks: organizations should limit what users can do on work devices and ensure that employees do not hold overly broad system permissions, since an agent inherits whatever its user can do. Looking forward, the Chief Identity Architect role requires understanding both security operations and IT infrastructure, including device management and related technologies. As more cybersecurity graduates enter the field with limited identity training, organizations need to prioritize hiring professionals with backgrounds in Active Directory, Entra, or Okta, while also developing expertise in AI systems and their security implications.
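The two preceding paragraphs describe the failure mode (an agent acting with the user's full permissions, with guardrails that live only in the prompt) and the short-term mitigation (restricting permissions). The following is an added example written for this page; it is not code from the article, from Semperis, or from any agent vendor. The user name, the agent identifier, the `db:`/`files:` action names, the planned tool calls and the `AgentToken` shape are all constructed for illustration. It contrasts an agent that reuses the human's credential with one that executes through a task-scoped token checked at a tool gateway, so that the same model output, a destructive drop the user talked the agent into, succeeds in the first case and is denied and logged in the second.

```python
"""Where an agent's guardrail lives decides whether a user can talk past it.

Added example, not code from the article or from Semperis. The user name,
the agent identifier, the action names and the planned tool calls are all
constructed for illustration; the split between a "prompt guardrail" and a
tool-gateway check is the design point, not any vendor's API.
"""
from dataclasses import dataclass
import time

# Constructed sample data: one human with broad rights, including destructive ones.
USER_PERMISSIONS = {
    "alice": {"db:read", "db:write", "db:drop", "files:read", "files:delete"},
}
DESTRUCTIVE_ACTIONS = {"db:drop", "files:delete"}

# What a model might plan after the user says "just drop the table and
# recreate it": a harmless read followed by a destructive drop. Constructed.
PLANNED_CALLS = [("db:read", "orders"), ("db:drop", "orders")]


@dataclass(frozen=True)
class AgentToken:
    """Short-lived credential minted for one agent task (hypothetical shape)."""
    subject: str            # human on whose behalf the agent acts
    agent_id: str           # the agent's own non-human identity
    allowed: frozenset      # actions this task may perform
    expires_at: float


def mint_agent_token(user, agent_id, requested, ttl_s=300):
    """Grant only what the task asked for, that the user actually holds, and
    that is not destructive. Destructive actions stay with the human."""
    held = USER_PERMISSIONS.get(user, set())
    granted = (set(requested) & held) - DESTRUCTIVE_ACTIONS
    return AgentToken(user, agent_id, frozenset(granted), time.time() + ttl_s)


class ToolGateway:
    """Single choke point for tool execution; every decision is logged so the
    SOC can see denied attempts, not just successful ones."""

    def __init__(self):
        self.audit = []

    def _record(self, identity, subject, action, target, allowed):
        self.audit.append({"identity": identity, "on_behalf_of": subject,
                           "action": action, "target": target, "allowed": allowed})
        return allowed

    def call_as_user(self, user, action, target):
        """Anti-pattern: the agent reuses the human's credential, so the only
        check is 'does the human hold this permission'."""
        held = USER_PERMISSIONS.get(user, set())
        return self._record(user, user, action, target, action in held)

    def call_with_token(self, token, action, target):
        """Hardened path: the check is against the task-scoped token."""
        allowed = time.time() < token.expires_at and action in token.allowed
        return self._record(token.agent_id, token.subject, action, target, allowed)


def full_permission_agent(user, planned_calls, gateway):
    """Guardrail is a sentence in the system prompt ("never drop databases").
    The model may disregard it once the user asks, and nothing below the
    model re-checks, so whatever it plans runs with the user's rights."""
    return {(a, t): gateway.call_as_user(user, a, t) for a, t in planned_calls}


def scoped_agent(user, agent_id, task_scope, planned_calls, gateway):
    """Same planned calls, but executed through a scoped token: the model's
    output is treated as untrusted input to the permission check."""
    token = mint_agent_token(user, agent_id, task_scope)
    return {(a, t): gateway.call_with_token(token, a, t) for a, t in planned_calls}


def denied_destructive(gateway):
    """Detection hook: destructive actions an agent attempted and was refused."""
    return [e for e in gateway.audit
            if not e["allowed"] and e["action"] in DESTRUCTIVE_ACTIONS]


if __name__ == "__main__":
    g1 = ToolGateway()
    print("user-credential agent:", full_permission_agent("alice", PLANNED_CALLS, g1))
    g2 = ToolGateway()
    print("scoped agent:        ", scoped_agent("alice", "agent-orders-report",
                                                {"db:read", "db:write"}, PLANNED_CALLS, g2))
    print("denied destructive:  ", denied_destructive(g2))
```

The point of the split is that the prompt is not a control: both agents receive the same planned calls, and only the gateway that checks a token minted for the task, under the agent's own identity, refuses the drop. The denied attempt is also the event a detection team wants, since it records which agent, acting for which human, tried which destructive action. Until non-human identity frameworks mature, trimming the human's standing permissions (as the article recommends) shrinks the ceiling that `mint_agent_token` intersects against.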
Source: https://www.helpnetsecurity.com/2026/05/26/eric-woodruff-semperis-identity-security/


