
Those of us who have been in the identity space for over a decade have seen many trends take center stage, from zero-trust, lifecycle, and compliance to cloud, SaaS, NHI (non-human identities), and finally AI. Through it all, identity was treated as plumbing: necessary, complex, administrative, but largely ignored unless something broke.
That era is over.
Identity now sits at the center of enterprise risk, operational trust, and AI governance. The way we’ve historically approached identity security and governance is no longer sufficient, and incremental improvements won’t get us where we need to go.
It is critical to keep a few core principles in mind as we look into 2026:
1. Permissions metadata is the foundation of the modern identity security platform. If identity is meant to reduce risk, it has to focus on where risk actually lives. In modern enterprises where business happens across disparate systems, that risk is rooted in permissions and entitlements, not in users, groups, or directory services. Boards are increasingly aligned on this reality, because when something goes wrong, the question is never which group a user was in; it’s what their access actually allowed them to do.
Traditional IAM, PAM, and IGA tools are optimized for a different era. Today, the dominant use case is understanding, governing, and securing authorization at enterprise scale.
2. Identity has become the enterprise control plane. Rather than directories or authentication, real control lies in the system that understands, secures, and governs authorization. Micro-certifications are control-plane decisions—bounded, contextual, time-aware trust assertions. Micro-certifications represent a transformation, not just a modernization. They change the unit of trust from users to permissions, from periodic reviews to continuous justification. It’s no longer just about managing risk; it’s about building and training an access policy engine: a global system for defining, storing, and evaluating access control lists. AI governance will force this model to scale. AI agents operate through access and access chaining, not logins. Without an authorization-aware control plane, AI governance becomes policy theater and creates more tech debt.
3. A canonical data model for authorization is key to IAM transformation for the Agentic AI era. The product should make value clear within minutes by showing who has access to what, how that access was gained, and where exposure exists, without requiring specialized expertise to understand the results. It should complement existing security controls by adding visibility and context, helping teams see how current protections interact and where the gaps are.
Risk understanding should be shared across the organization, supporting decisions by engineering, operations, and business leaders, not just security or compliance. As environments change, the product should continuously reflect how access and exposure evolve, allowing teams to identify new risks and unintended access early. The product should quickly indicate alignment with widely accepted industry expectations, helping teams focus effort where it matters most. Stakeholders should be able to explore questions independently, understand the impact of access decisions, and act with confidence without waiting on experts. Day-to-day operation should be lightweight, and expanding coverage should be simple and repeatable, keeping ongoing effort and cost low as the organization grows.
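The graph view that principles 2 and 3 describe, as an added example that is not the author's or any product's code: a constructed toy access graph in Python, with functions that enumerate authorization paths, answer who holds a permission and through which chain, and flag entitlements that exist only through chaining (the candidates for a micro-certification). The node names, relation types, and hop threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample access graph (hypothetical, not from any real environment).
# Each edge is (source, relation, target); a "grants" edge ends at a permission node.
EDGES = [
    ("alice", "member_of", "eng-team"),
    ("eng-team", "assigned", "role:deployer"),
    ("role:deployer", "grants", "ci:deploy"),
    ("role:deployer", "can_assume", "role:prod-admin"),
    ("role:prod-admin", "grants", "db:customers:read"),
    ("svc:report-agent", "assigned", "role:deployer"),  # AI agent: reaches data via chaining, no login
    ("bob", "grants", "bucket:logs:list"),              # direct grant, one hop
]
PRINCIPALS = ["alice", "bob", "svc:report-agent"]

def build_graph(edges):
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph

GRAPH = build_graph(EDGES)

def authorization_paths(graph, principal):
    """Every chain principal -> ... -> permission, as [node, rel, node, ..., rel, permission]."""
    paths, stack = [], [[principal]]
    while stack:
        path = stack.pop()
        for rel, nxt in graph.get(path[-1], []):
            if nxt in path:            # break cycles such as mutual role assumption
                continue
            if rel == "grants":
                paths.append(path + [rel, nxt])
            else:
                stack.append(path + [rel, nxt])
    return paths

def effective_permissions(graph, principal):
    """What a principal can actually do, regardless of how the access was gained."""
    return sorted({p[-1] for p in authorization_paths(graph, principal)})

def who_has(graph, permission, principals=PRINCIPALS):
    """Reverse lookup: each principal that reaches the permission, with its shortest hop count."""
    result = {}
    for p in principals:
        hops = [len(path) // 2 for path in authorization_paths(graph, p) if path[-1] == permission]
        if hops:
            result[p] = min(hops)
    return result

def indirect_grants(graph, principal, max_hops=1):
    """Permissions reachable only through chains longer than max_hops: micro-certification candidates."""
    return sorted({p[-1] for p in authorization_paths(graph, principal) if len(p) // 2 > max_hops})
```

Running `who_has(GRAPH, "db:customers:read")` shows the reporting agent reaching customer data in three hops without any direct grant, which is the exposure a directory-centric view would miss.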
All generational innovations come with inefficiencies. That’s natural. That’s how innovation becomes real. Applying the same principles, for AI Governance to become a reality customer trust is the ultimate north star, and all trust is built and won incrementally. Crawl, then walk, and then run. Trust is earned by shipping real products that deliver real value. Transformative platforms treat product design as P0. Innovation often requires additional work to realize its benefits, but we should strive to endure short-term pain for long-term gain. The trade-off is to accept purposeful, temporary friction in the service of better outcomes. Visibility is the crawl phase. Graph-based platforms show what can happen before enforcement (just like employing monitor-only policies before switching on enforcement).
AI Governance is forcing a new reality; it is revealing all the cracks that were already there: over-permissioning, fragmented visibility, and governance models that no longer match how enterprises operate. Graph architectures are foundational, context is relational, and authorization paths, not directories of users and group objects, define real risk. Identity doesn’t need another incremental upgrade; it needs to be recognized for what it has already become: the control plane for enterprise access, trust, and risk.