Identity as a Control Plane: The Successor to Zero Trust and the Architecture of Continuity


Enterprise security has reached a structural turning point. Perimeters have dissolved, cloud services stretch across dozens of providers, and attackers have shifted from exploiting systems to exploiting trust. In this environment, identity is no longer a provisioning workflow or an IT utility. It has become the decision point that governs access, the first signal of abnormal behavior, and the foundation of whether an enterprise can continue operating under stress.

Modern threat data reinforces this shift. Credential misuse remains one of the most common initial access vectors in the Verizon Data Breach Investigations Report, and identity-driven attacks continue to outpace traditional perimeter breaches. At the same time, regulatory frameworks—such as the EU’s Digital Operational Resilience Act (DORA)—now require firms to demonstrate that critical services can remain available even when core systems are compromised.

In my broader resilience work, identity is treated as a cross-cutting dependency. It affects how dependencies are mapped, how scenarios are tested, and how continuity decisions are executed. When identity fails, incident response can stall, recovery actions can be blocked, and even well-designed resilience plans can become unworkable.

I. The Path to Identity Security: An Evolution in Architecture

For decades, enterprises relied on a castle-and-moat approach: keep the bad actors outside, trust everything inside. It was a model suited to an era of offices, desktops, and monolithic applications. Once inside, attackers encountered minimal friction. Research from Google’s early BeyondCorp work made this clear: the moment an attacker breached the perimeter, the defensive advantage evaporated.

Defense-in-depth added layers—internal firewalls, segmentation, endpoint tools—but retained the belief that “inside” implied safety. As cloud adoption and remote work expanded, the model could not keep pace with credential theft, session hijacking, or misconfigured SaaS.

NIST’s Zero Trust Architecture guidance brought needed conceptual clarity: verify continuously, trust nothing implicitly, assume a breach has already occurred. But Zero Trust struggled operationally. It required multi-year identity modernization, re-architecting legacy applications, and cultural change across IT and business teams. As industry assessments from outlets like CSO Online show, most organizations implemented only fragments—often through narrow point solutions or branding exercises—without achieving the intended end state.

Identity Security has emerged not as a replacement for Zero Trust, but as the practical mechanism to implement it. It recognizes that cloud platforms enforce authorization through identity providers, SaaS is governed through federation and SSO, API traffic is authenticated via tokens, machine identities now outnumber human identities in many environments, and attackers increasingly target identity infrastructure itself. Gartner’s articulation of Identity-First Security reflects this pivot: the identity layer is now the most consistent, scalable enforcement point across diverse architectures.

II. Identity as the Control Plane

When describing identity as a “control plane,” the intent is not to equate it to the network or cloud control plane responsible for routing or infrastructure orchestration. Rather, it describes the policy, authentication, and authorization layer that governs who—and increasingly what—may interact with a system.

Seen this way, identity influences resilience in several ways. Identity governs every access decision. Whether it’s a user logging into a SaaS platform, a workload invoking an API, or a service account interacting with a database, identity is the single common verification element.

Continuity depends on identity availability. If the identity provider fails, the recovery process itself may be blocked. Workstreams such as failover, incident response, and credential rotation often require authentication to proceed.

Fraud detection begins with identity behavior. The earliest indicators of compromised accounts—location anomalies, device inconsistencies, unexpected privilege usage—emerge from the identity layer.

Cloud architecture is, increasingly, identity architecture. AWS IAM, Azure Entra ID, and GCP IAM collectively demonstrate that identity is the enforcement boundary in cloud-native environments. Machine identities shape inter-service trust. As microservices, pipelines, and AI agents interact autonomously, identity becomes the mediator of system-to-system communication.

Academic research has begun to formalize this view, describing an emerging “Identity Control Plane” capable of unifying workload, user, and machine identities across distributed architectures. It’s a conceptual model that matches what practitioners are increasingly experiencing on the ground.

III. Why Legacy IAM Cannot Support Today’s Enterprise

Legacy IAM approaches—designed for on-premises systems and periodic audits—cannot scale to the complexity and velocity of modern environments.

Managers are still asked to conduct entitlement reviews across hundreds or thousands of privileges they cannot meaningfully interpret. These processes, often mandated for compliance, are industrial-age workflows applied to cloud-age environments. Unsurprisingly, they result in rubber-stamp approvals and persistent privilege accumulation.

IAM teams, meanwhile, are responsible for the integrity of the enterprise’s most sensitive control surface but often lack meaningful authority. They are brought into application decisions late, treated as provisioning units rather than design partners, and rarely positioned to enforce identity architecture standards. This imbalance between responsibility and influence ensures identity anti-patterns proliferate.

Over time, this produces accumulated identity debt: dormant accounts, inconsistent role models, embedded credentials, shadow directories, and machine identities with no defined lifecycle. Identity debt becomes security debt. Security debt becomes resilience debt.

Even modern IAM platforms struggle when placed atop outdated processes. Strong MFA, single sign-on (SSO), identity governance & administration (IGA), and privileged access management (PAM) cannot overcome structural misalignment on their own. Governance must adapt too.

IV. Identity Security: The Discipline Zero Trust Needed

Identity Security reframes identity as a security and resilience discipline, not an administrative function.

It relies on continuous authentication and adaptive trust decisions rather than static MFA checks. Access becomes contextual—evaluating device posture, location, anomaly signals, and workload behavior each time a request is made.

It eliminates standing privileges. High-risk entitlements are granted only on a just-in-time basis and immediately revoked after use. This limits blast radius and aligns with modern attacker tradecraft.

It integrates identity telemetry into detection and response. Identity Threat Detection & Response (ITDR)—reflected in tools from major vendors—brings identity context into the SOC, enabling earlier detection of privilege escalation, token theft, or anomalous access patterns.
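The kind of identity-layer detection the paragraph above describes, as an added example (not code from the original article): a small rule set run over constructed identity-provider audit records. The event schema, IP addresses, geographies, role names and the two-hour travel window are assumptions chosen for illustration; a real ITDR pipeline would read the provider's own log format and baseline each user over far more history.

```python
"""ITDR-style detection over constructed identity telemetry.

Added example, not from the original article. The event schema, geographies,
IPs, thresholds and role names are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape an identity provider's audit log might take.
EVENTS = [
    {"ts": "2024-05-01T08:00:00", "user": "alice", "type": "signin", "ip": "203.0.113.10",
     "geo": "London", "device": "laptop-01", "mfa": True},
    {"ts": "2024-05-01T08:20:00", "user": "alice", "type": "signin", "ip": "198.51.100.7",
     "geo": "Singapore", "device": "unknown-77", "mfa": False},
    {"ts": "2024-05-01T08:25:00", "user": "alice", "type": "role_assign",
     "role": "Global Administrator", "actor": "alice"},
    {"ts": "2024-05-01T09:00:00", "user": "bob", "type": "signin", "ip": "203.0.113.11",
     "geo": "London", "device": "laptop-02", "mfa": True},
    {"ts": "2024-05-01T09:05:00", "user": "bob", "type": "token_use", "token_id": "tok-1",
     "ip": "203.0.113.11"},
    {"ts": "2024-05-01T09:07:00", "user": "bob", "type": "token_use", "token_id": "tok-1",
     "ip": "192.0.2.200"},
]

PRIVILEGED_ROLES = {"Global Administrator", "Owner"}   # assumed role naming
TRAVEL_WINDOW = timedelta(hours=2)                      # two regions inside this window is implausible


def detect(events):
    """Return (user, alert_name, timestamp) tuples for identity-layer anomalies."""
    alerts = []
    known_devices = defaultdict(set)   # user -> devices seen so far
    last_signin = {}                   # user -> most recent sign-in event
    token_ips = defaultdict(set)       # token_id -> source IPs seen
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["type"] == "signin":
            # A device never seen for this user, signing in without MFA.
            if known_devices[user] and e["device"] not in known_devices[user] and not e["mfa"]:
                alerts.append((user, "new_device_without_mfa", e["ts"]))
            known_devices[user].add(e["device"])
            # Location anomaly: a different region within the travel window.
            prev = last_signin.get(user)
            if prev and prev["geo"] != e["geo"] and ts - datetime.fromisoformat(prev["ts"]) < TRAVEL_WINDOW:
                alerts.append((user, "impossible_travel", e["ts"]))
            last_signin[user] = e
        elif e["type"] == "role_assign" and e["role"] in PRIVILEGED_ROLES:
            # Privilege escalation signal: a principal grants a privileged role to itself.
            if e["actor"] == user:
                alerts.append((user, "self_granted_privileged_role", e["ts"]))
        elif e["type"] == "token_use":
            # The same bearer token presented from more than one source address.
            token_ips[e["token_id"]].add(e["ip"])
            if len(token_ips[e["token_id"]]) > 1:
                alerts.append((user, "token_reuse_from_new_ip", e["ts"]))
    return alerts


if __name__ == "__main__":
    for user, alert, when in detect(EVENTS):
        print(f"{when} {user}: {alert}")
```

Each rule keys on state that only the identity layer holds (device history, last sign-in location, which token was presented from where), which is why the article places the earliest compromise indicators there; the alerts would feed the SOC alongside endpoint and network telemetry rather than replace them.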

And it modernizes governance. Rather than performing exhaustive manual reviews, Identity Security relies on intelligent automation: flagging outliers, removing unused entitlements, and providing reviewers with contextual evidence, not raw lists.

Together, these practices operationalize the intent of Zero Trust. Identity becomes the mechanism through which “verify explicitly” and “least privilege” can be applied consistently across architectures. Identity is not sufficient on its own to address every class of risk, but it has become a necessary foundation for any credible resilience strategy.
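To make the contextual access decision and the elimination of standing privilege described in this section concrete, here is an added example (not the article's or any vendor's code) of a policy evaluator: every request carries device posture, location, an anomaly score from identity telemetry and the age of the last strong authentication, and administrative rights exist only as just-in-time grants that expire. The request attributes, thresholds and the 30-minute grant lifetime are assumptions chosen for illustration.

```python
"""Adaptive access decisions with just-in-time (JIT) elevation.

Added example, not code from the original article. The request attributes,
thresholds and grant TTL are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

T0 = datetime(2024, 5, 1, 9, 0)   # constructed reference time


def at(minutes: int) -> datetime:
    """Clock helper: T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class Request:
    subject: str
    resource: str
    action: str             # "read", "write" or "admin" (assumed vocabulary)
    device_compliant: bool  # device posture signal (e.g. from MDM)
    location_known: bool    # sign-in location matches the subject's baseline
    anomaly_score: float    # 0.0 .. 1.0, supplied by identity telemetry
    mfa_age_min: int        # minutes since the last strong authentication


@dataclass
class Grant:
    subject: str
    resource: str
    expires: datetime
    justification: str


class AccessPolicy:
    DENY_SCORE = 0.8            # anomaly score at which the request is refused outright
    STEP_UP_SCORE = 0.5         # score at which fresh MFA is demanded
    ADMIN_MFA_MAX_AGE_MIN = 15  # admin actions need a recent strong authentication
    GRANT_TTL = timedelta(minutes=30)

    def __init__(self) -> None:
        self.grants: list[Grant] = []   # the only source of admin rights: nothing is standing

    def expire(self, now: datetime) -> None:
        self.grants = [g for g in self.grants if g.expires > now]

    def has_active_grant(self, subject: str, resource: str, now: datetime) -> bool:
        self.expire(now)
        return any(g.subject == subject and g.resource == resource for g in self.grants)

    def elevate(self, subject: str, resource: str, now: datetime, justification: str) -> Grant:
        """Issue a time-boxed grant; the justification is what a reviewer later sees."""
        if not justification:
            raise ValueError("JIT elevation requires a recorded justification")
        grant = Grant(subject, resource, now + self.GRANT_TTL, justification)
        self.grants.append(grant)
        return grant

    def decide(self, req: Request, now: datetime) -> str:
        """Return 'allow', 'step_up', 'request_elevation' or 'deny' for this request."""
        if not req.device_compliant or req.anomaly_score >= self.DENY_SCORE:
            return "deny"
        risky = req.anomaly_score >= self.STEP_UP_SCORE or not req.location_known
        if req.action == "admin":
            if risky or req.mfa_age_min > self.ADMIN_MFA_MAX_AGE_MIN:
                return "step_up"
            if not self.has_active_grant(req.subject, req.resource, now):
                return "request_elevation"
            return "allow"
        return "step_up" if risky else "allow"


def demo() -> list[str]:
    """Walk one subject through a routine read, an admin request, JIT elevation and expiry."""
    policy = AccessPolicy()
    read = Request("alice", "prod-db", "read", True, True, 0.1, 60)
    admin = Request("alice", "prod-db", "admin", True, True, 0.1, 5)
    trace = [policy.decide(read, at(0)), policy.decide(admin, at(0))]
    policy.elevate("alice", "prod-db", at(1), justification="CHG-0000 (constructed ticket id)")
    trace.append(policy.decide(admin, at(10)))
    trace.append(policy.decide(admin, at(40)))   # grant issued at(1) expired at(31)
    return trace


if __name__ == "__main__":
    print(demo())
```

The point of the structure is that `decide` never consults a static role list for admin actions: the only way to get "allow" on an admin request is an active, justified, expiring grant, so the blast radius of a stolen credential is bounded by the grant lifetime rather than by whatever privileges accumulated over years.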

V. What CISOs, CIOs, and CROs Must Do Now

Transitioning to identity as a control plane requires executive ownership and architectural intention.

Leaders must elevate identity to a strategic function rather than an IT utility. This includes modernizing identity providers; deploying phishing-resistant MFA; implementing conditional access; and automating provisioning and deprovisioning. Privileged access should default to “zero standing privilege,” with rights elevated only for the duration of a task.

Identity must be integrated into incident response. Responders need the capability to invalidate tokens, terminate sessions globally, and force reauthentication quickly. These actions, which once sat on the periphery of cybersecurity, now sit at the core of containment and resilience.
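The containment actions listed above (invalidate tokens, terminate sessions globally, force reauthentication) can be shown with an added example that is not the article's code and does not describe any particular identity provider: a minimal session authority issuing HMAC-signed tokens, where "terminate all sessions" is implemented as a per-user not-before timestamp so that every token issued earlier stops validating at once, without needing to enumerate them. The token format, the in-memory signing key and the epoch-second timestamps are assumptions for illustration.

```python
"""Token issuance, global session termination and forced reauthentication.

Added example, not from the original article. Token format, key handling
and timestamps are assumptions for illustration (times are epoch seconds).
"""
import base64
import binascii
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: real deployments keep this in a KMS/HSM
DEFAULT_TTL = 8 * 3600


def _sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def _claims(token: str) -> dict:
    body, _sig = token.split(".")
    return json.loads(base64.urlsafe_b64decode(body))


class SessionAuthority:
    def __init__(self) -> None:
        self.counter = 0
        self.revoked_sessions: set[str] = set()
        self.not_before: dict[str, int] = {}   # user -> issue time before which tokens are dead

    def issue(self, user: str, now: int, ttl: int = DEFAULT_TTL) -> str:
        """Mint a signed token: base64url(claims) + '.' + HMAC over the claims."""
        self.counter += 1
        claims = {"sid": f"s{self.counter}", "sub": user, "iat": now, "exp": now + ttl}
        payload = json.dumps(claims, sort_keys=True).encode()
        return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

    def revoke(self, token: str) -> None:
        """Invalidate one session (e.g. a single stolen token)."""
        self.revoked_sessions.add(_claims(token)["sid"])

    def terminate_all(self, user: str, now: int) -> None:
        """Containment: every token for this user issued before `now` stops validating,
        so the next request forces reauthentication. Tokens issued after a successful
        reauthentication carry a later iat and are accepted again."""
        self.not_before[user] = now

    def validate(self, token: str, now: int) -> tuple[bool, str]:
        try:
            body, sig = token.split(".")
            payload = base64.urlsafe_b64decode(body)
        except (ValueError, binascii.Error):
            return False, "malformed"
        # Verify integrity before trusting any claim.
        if not hmac.compare_digest(sig, _sign(payload)):
            return False, "bad_signature"
        claims = json.loads(payload)
        if now >= claims["exp"]:
            return False, "expired"
        if claims["sid"] in self.revoked_sessions:
            return False, "revoked"
        if claims["iat"] < self.not_before.get(claims["sub"], 0):
            return False, "reauth_required"
        return True, "ok"


if __name__ == "__main__":
    authority = SessionAuthority()
    token = authority.issue("alice", now=1000)
    print(authority.validate(token, now=1001))          # (True, 'ok')
    authority.terminate_all("alice", now=1500)
    print(authority.validate(token, now=1501))          # (False, 'reauth_required')
```

The not-before check is what makes global termination fast: the responder changes one value per user rather than hunting for every outstanding token, and the rejection reason tells the client to send the user back through authentication rather than silently failing. A production design would persist the revocation state and the not-before map so that the check survives a restart of the authority itself.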

Continuity planning should explicitly include identity failure scenarios—testing redundant authentication paths, failover identity providers, and offline recovery workflows. Increasingly, organizations discover that identity service outages are among the most disruptive events they can face.

Machine identities must also be treated as first-class members of the identity ecosystem. Workload-to-workload trust, especially in AI-driven systems, is now a primary frontier.

Executives who connect identity, architecture, and resilience consistently drive better outcomes. They can explain how trust is established, how continuity is preserved, and how risk translates into operations. That ability has become a defining characteristic of modern security leadership.

VI. What Boards Need: Identity Evidence

Boards want evidence, not activity reports. Identity provides some of the clearest signals of operational soundness. Findings from recent NACD and PwC board surveys show that directors are increasingly expecting management to provide measurable evidence of identity governance, access hygiene, and control effectiveness.

In financial services, supervisory guidance such as the EU’s Digital Operational Resilience Act (DORA) and the UK Prudential Regulation Authority’s operational resilience framework reinforce this shift. Directors are being briefed more frequently on MFA coverage, orphan accounts, dormant privileges, and the timeliness of deprovisioning—indicators that strongly correlate with identity-related risk.

Leading boards are also beginning to consider identity continuity. They want to understand how identity services would recover during an outage and how quickly compromised accounts can be contained. When provided, trend data—such as reductions in exceptions, improvements in deprovisioning timelines, and increased automation—help directors assess whether identity risk is moving in the right direction.

Identity evidence aligns directly with board oversight responsibilities: operational resilience, risk reduction, and continuity assurance.
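The indicators this section names (MFA coverage, orphan accounts, dormant privileges, timeliness of deprovisioning) and the automated governance described in section IV (flagging unused entitlements and giving reviewers evidence rather than raw lists) can both be produced from one pass over an identity inventory. The following is an added example, not the article's code or any product's report: the inventory, the account and entitlement names, the 90-day dormancy threshold and the one-day deprovisioning SLA are all constructed assumptions.

```python
"""Board-level identity evidence computed from a constructed identity inventory.

Added example, not from the original article. Every account, entitlement,
date and threshold below is a constructed assumption for illustration.
"""
from datetime import date

AS_OF = date(2024, 6, 1)
DORMANT_DAYS = 90                                 # privileged entitlement unused this long is dormant
DEPROV_SLA_DAYS = 1                               # leavers must be disabled within one day
PRIVILEGED = {"prod-admin", "billing-approver"}   # assumed privileged entitlement names
PHISHING_RESISTANT = {"fido2", "certificate"}

# Constructed inventory joining IdP, HR and usage data; last_used dates come from sign-in/usage logs.
ACCOUNTS = [
    {"id": "alice", "kind": "human", "hr_status": "active", "enabled": True, "mfa": "fido2", "owner": None,
     "entitlements": {"prod-admin": date(2024, 5, 28), "wiki-edit": date(2024, 5, 30)}},
    {"id": "bob", "kind": "human", "hr_status": "terminated", "terminated_on": date(2024, 5, 1),
     "disabled_on": date(2024, 5, 6), "enabled": False, "mfa": "sms", "owner": None, "entitlements": {}},
    {"id": "carol", "kind": "human", "hr_status": "terminated", "terminated_on": date(2024, 5, 20),
     "disabled_on": None, "enabled": True, "mfa": "none", "owner": None,
     "entitlements": {"billing-approver": date(2024, 1, 15)}},
    {"id": "svc-backup", "kind": "service", "enabled": True, "owner": "alice",
     "entitlements": {"prod-admin": date(2024, 5, 31)}},
    {"id": "svc-legacy", "kind": "service", "enabled": True, "owner": "bob",
     "entitlements": {"prod-admin": date(2023, 12, 1)}},
    {"id": "dave", "kind": "human", "hr_status": "active", "enabled": True, "mfa": "totp", "owner": None,
     "entitlements": {"wiki-edit": date(2024, 5, 29)}},
]


def active_humans(accounts):
    """Identities that may legitimately own a service account."""
    return {a["id"] for a in accounts
            if a["kind"] == "human" and a["hr_status"] == "active" and a["enabled"]}


def identity_evidence(accounts, as_of):
    """Return the metrics a board pack would show, plus the per-item evidence behind each."""
    humans_enabled = [a for a in accounts if a["kind"] == "human" and a["enabled"]]
    denom = len(humans_enabled) or 1
    phishing_resistant = sum(1 for a in humans_enabled if a["mfa"] in PHISHING_RESISTANT)
    any_mfa = sum(1 for a in humans_enabled if a["mfa"] != "none")

    owners_ok = active_humans(accounts)
    orphans = []
    for a in accounts:
        # A leaver who is still enabled, or a service account whose owner is no longer an active human.
        if a["kind"] == "human" and a["hr_status"] == "terminated" and a["enabled"]:
            orphans.append(a["id"])
        if a["kind"] == "service" and a.get("owner") not in owners_ok:
            orphans.append(a["id"])

    dormant = []
    for a in accounts:
        if not a["enabled"]:
            continue
        for ent, last_used in a["entitlements"].items():
            if ent in PRIVILEGED and (as_of - last_used).days > DORMANT_DAYS:
                dormant.append((a["id"], ent))   # candidate for automated removal, with the evidence

    completed, open_overdue = [], []
    for a in accounts:
        if a["kind"] == "human" and a["hr_status"] == "terminated":
            if a["disabled_on"] is None:
                open_overdue.append((a["id"], (as_of - a["terminated_on"]).days))
            else:
                completed.append((a["id"], (a["disabled_on"] - a["terminated_on"]).days))
    within_sla = sum(1 for _, days in completed if days <= DEPROV_SLA_DAYS)

    return {
        "mfa_phishing_resistant_coverage": round(phishing_resistant / denom, 3),
        "mfa_any_coverage": round(any_mfa / denom, 3),
        "orphan_accounts": sorted(orphans),
        "dormant_privileges": sorted(dormant),
        "deprovisioning": {"completed_days": completed, "open_overdue": open_overdue,
                           "within_sla": within_sla, "total": len(completed) + len(open_overdue)},
    }


if __name__ == "__main__":
    for key, value in identity_evidence(ACCOUNTS, AS_OF).items():
        print(f"{key}: {value}")
```

Run against the same inventory each reporting period, the numbers become the trend data the section describes (coverage rising, orphan and dormant counts falling, deprovisioning days shrinking), and each headline figure carries the specific accounts and entitlements behind it, which is the contextual evidence a reviewer needs instead of a raw entitlement list.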

Conclusion: Identity Security Is the Architecture of Continuity

Each major security paradigm—castle-and-moat, defense-in-depth, Zero Trust—reflected the architecture of its era. Today’s architecture is distributed, multi-cloud, SaaS-driven, and API-mediated. In this world, identity is the one element that exists across every access point, every workflow, and every operational dependency.

Identity Security is not a rebranding exercise. It is the mechanism through which Zero Trust becomes executable and resilience becomes measurable. It provides decision-makers with the evidence they need and gives enterprises the ability to operate under stress.

An enterprise’s identity architecture is now its resilience architecture. Those who understand this—and design accordingly—will be better positioned not just to prevent incidents, but to endure and recover when they inevitably occur.
