The real problem with identity security? Bad data.


Identity has long been framed as the new perimeter. It’s a catchy phrase, yet it misses the bigger, more urgent problem: we can’t secure what we don’t understand. 

And in most organizations today, identity is still misunderstood. This isn’t due to a lack of tools, but instead a lack of clean, complete, and actionable data.

This was the central theme of a recent conversation between KuppingerCole’s John Tolbert and Amir Ofek, CEO of AxoniusX. In a packed discussion, they dove into the state of identity governance, the shortcomings of traditional IGA deployments, and why identity security must begin with a radically different foundation: data integrity.

Check out a highlight from the conversation below. To dig into the full discussion, watch the on-demand webinar.

Identity is an expanding attack surface

More and more, organizations are realizing that identity is not just an access mechanism. It’s one of the largest and most actively targeted attack surfaces in the enterprise.

Attackers aren’t brute-forcing their way into systems; they’re logging in using real credentials. Whether stolen, bought, or left behind by poor offboarding, these credentials grant access to sensitive systems without triggering alarms.

“Attackers don’t break in, they log in,” said Tolbert.

And the problem is not just compromised user credentials. It’s the sprawling ecosystem of entitlements, tokens, API keys, and service accounts that extend far beyond traditional IAM visibility. 

As Amir noted, “Today, identities, human and non-human, exist across GitHub, Jira, AWS, Active Directory, Okta, and countless SaaS apps. You need to view the identity in its totality, not just where HR or AD says it lives.”

ITDR and the limits of detection

Identity Threat Detection and Response (ITDR) is one way to close these gaps. By monitoring behaviors and flagging anomalies, ITDR aims to surface threats that would otherwise go unnoticed. But detection alone isn’t enough.

As Amir pointed out, “Unless you can see 90% or more of your identity environment, ITDR will miss things. It’s not just about detecting strange behavior. You have to first understand what normal looks like, and that’s incredibly difficult in dynamic, fragmented environments.”

Behavioral analysis, especially for non-human identities and agentic AI, depends on defining patterns. But if your foundational data is out of sync, if entitlements are inconsistent, ownership isn’t clearly assigned, or roles are inflated, then even the best detection models are operating on noise.

The real identity problem: data

Amir kept coming back to one core issue: identity security is a data problem.

“The issues we’re tackling today exist because identity hasn’t been treated as a data problem,” he explained. “You can’t govern what you can’t normalize. You can’t automate what you can’t trust.”

Years of siloed growth, manual processes, and band-aid integrations have led to a state of confusion. Organizations struggle with duplicate roles, inconsistent attribute mapping, and orphaned accounts left untouched for months. Schemas like SCIM were introduced to address standardization, but adoption has been sparse, and most apps still handle identity data in proprietary ways.

Without a unified identity data model, one that spans across human and machine identities, across cloud and on-prem, and across access systems, organizations are stuck guessing. Guessing leads to delays in offboarding, poor access reviews, and a bloated role model that obscures risk rather than clarifying it.
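To make the "unified identity data model" concrete, here is an added example (not code from Axonius, KuppingerCole, or the webinar) that takes constructed exports from four systems with different record shapes, normalizes them onto one account model keyed by owner e-mail, and then asks the two questions the preceding paragraphs describe: which enabled accounts belong to nobody who is still employed, and which enabled accounts have gone unused. The system names, field names and sample records are illustrative assumptions, not any vendor's actual API output.

```python
"""Correlate per-system identity records into one model, then flag orphaned
and abandoned accounts. Added example with constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed exports. Each system names and shapes its records differently,
# and some (the AWS IAM user) carry no e-mail at all, only an owner tag.
HR = [
    {"employee_id": "E100", "mail": "Ada.Lovelace@example.com", "status": "active"},
    {"employee_id": "E101", "mail": "bob.smith@example.com", "status": "terminated"},
]
SOURCES = {
    "ad": [
        {"sAMAccountName": "alovelace", "mail": "ada.lovelace@example.com", "enabled": True, "lastLogon": "2024-05-02"},
        {"sAMAccountName": "bsmith", "mail": "bob.smith@example.com", "enabled": True, "lastLogon": "2024-01-15"},
        {"sAMAccountName": "svc-backup", "mail": None, "enabled": True, "lastLogon": "2023-09-30"},
    ],
    "okta": [
        {"id": "00u1", "profile": {"login": "Ada.Lovelace@example.com"}, "status": "ACTIVE", "lastLogin": "2024-05-09"},
        {"id": "00u2", "profile": {"login": "bob.smith@example.com"}, "status": "DEPROVISIONED", "lastLogin": "2024-01-10"},
    ],
    "github": [
        {"login": "ada-l", "email": "ada.lovelace@example.com", "last_active": "2024-05-01"},
        {"login": "bobs", "email": "bob.smith@example.com", "last_active": "2024-04-20"},
    ],
    "aws": [
        {"UserName": "deploy-bot", "Tags": {"owner": "bob.smith@example.com"}, "AccessKeyLastUsed": "2024-04-28"},
    ],
}


@dataclass(frozen=True)
class Account:
    source: str
    account_id: str
    owner: Optional[str]       # normalized e-mail this account is correlated to, if any
    enabled: bool
    last_used: Optional[date]


def _norm_email(value: Optional[str]) -> Optional[str]:
    # Case and whitespace differences are the most common reason correlation fails.
    return value.strip().lower() if value else None


def _parse_date(value: Optional[str]) -> Optional[date]:
    return date.fromisoformat(value) if value else None


def normalize(source: str, record: dict) -> Account:
    """Map one system's proprietary record shape onto the common Account shape."""
    if source == "ad":
        return Account("ad", record["sAMAccountName"], _norm_email(record["mail"]),
                       record["enabled"], _parse_date(record["lastLogon"]))
    if source == "okta":
        return Account("okta", record["id"], _norm_email(record["profile"]["login"]),
                       record["status"] == "ACTIVE", _parse_date(record["lastLogin"]))
    if source == "github":
        return Account("github", record["login"], _norm_email(record["email"]),
                       True, _parse_date(record["last_active"]))
    if source == "aws":
        # Non-human identity: no e-mail, so ownership comes from a tag
        return Account("aws", record["UserName"], _norm_email(record["Tags"].get("owner")),
                       True, _parse_date(record.get("AccessKeyLastUsed")))
    raise ValueError(f"unknown source {source!r}")


def build_model(sources: dict) -> dict:
    """Group every normalized account under its owner; unowned accounts get their own bucket."""
    model: dict = {}
    for name, records in sources.items():
        for record in records:
            acct = normalize(name, record)
            model.setdefault(acct.owner or "<unowned>", []).append(acct)
    return model


def find_orphaned(model: dict, hr: list) -> list:
    """Enabled accounts whose owner is not an active employee: terminated, unknown to HR, or missing."""
    active = {_norm_email(r["mail"]) for r in hr if r["status"] == "active"}
    return sorted((a.source, a.account_id)
                  for owner, accts in model.items() for a in accts
                  if a.enabled and owner not in active)


def find_abandoned(model: dict, today: date, max_idle_days: int = 90) -> list:
    """Enabled accounts with no recorded use inside the idle window."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted((a.source, a.account_id)
                  for accts in model.values() for a in accts
                  if a.enabled and (a.last_used is None or a.last_used < cutoff))


if __name__ == "__main__":
    model = build_model(SOURCES)
    print("orphaned:", find_orphaned(model, HR))
    print("abandoned:", find_abandoned(model, date(2024, 5, 10)))
```

Note what the correlation step alone reveals: the terminated employee's Okta account was deprovisioned, but his AD, GitHub and AWS footprints are all still enabled, and the backup service account has no owner at all. None of that is visible from HR or AD in isolation, which is the point the paragraph above makes.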

From roles to rules

One of the most eye-opening moments in the conversation came when Amir challenged the industry’s reliance on roles as the foundation of access governance. 

“There are often more roles than people,” he said. “And most of them don’t make sense anymore.”

Role-based access control (RBAC) served its purpose in simpler IT environments. But today’s workforce is dynamic. Teams shift frequently. Contractors come and go. New SaaS tools are onboarded weekly. Static roles just can’t keep up with that pace.

A better approach is rules-based access, where permissions are tied to contextual attributes like department, employment status, contract duration, and device compliance, not arbitrary role names. 
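As an added illustration of rules-based access (example code, not from the webinar or any vendor), the snippet below expresses access to one resource as a list of named predicates over the contextual attributes the paragraph lists: department, employment status, contract end date and device compliance. The resource name, policy and identity contexts are constructed. The useful property to notice is that the same identity is granted or denied purely by how its attributes change over time, with no role to create, assign or clean up.

```python
"""Rules-based access evaluation over contextual attributes.
Added example; policy and identities are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Context:
    department: str
    employment_status: str        # "employee", "contractor" or "terminated"
    contract_end: Optional[date]  # only meaningful for contractors
    device_compliant: bool


@dataclass(frozen=True)
class Rule:
    name: str
    predicate: Callable[[Context, date], bool]


def _contract_current(ctx: Context, today: date) -> bool:
    # Employees have no contract end; contractors must have one that has not passed.
    if ctx.employment_status != "contractor":
        return True
    return ctx.contract_end is not None and ctx.contract_end >= today


# Constructed policy: every rule for a resource must pass. Unknown resources deny.
POLICIES = {
    "finance-ledger": [
        Rule("in-finance", lambda c, _: c.department == "finance"),
        Rule("active-worker", lambda c, _: c.employment_status in ("employee", "contractor")),
        Rule("contract-current", _contract_current),
        Rule("compliant-device", lambda c, _: c.device_compliant),
    ],
}


def evaluate(resource: str, ctx: Context, today: date) -> Tuple[bool, List[str]]:
    """Return (allowed, names of failed rules); a deny always explains itself."""
    rules = POLICIES.get(resource)
    if rules is None:
        return (False, ["unknown-resource"])
    failed = [r.name for r in rules if not r.predicate(ctx, today)]
    return (not failed, failed)


if __name__ == "__main__":
    contractor = Context("finance", "contractor", date(2024, 6, 30), True)
    print(evaluate("finance-ledger", contractor, date(2024, 5, 10)))  # allowed while the contract runs
    print(evaluate("finance-ledger", contractor, date(2024, 7, 1)))   # denied the day after it ends
```

Because each denial carries the names of the rules that failed, the output doubles as review evidence: an access certification can show why a person has access, not just that a role was once assigned.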

AI can play a critical role here. “We use machine learning to cluster entitlements, identify outliers, and recommend right-sized access profiles,” Amir said. “But AI is only as good as the data. If the foundation is dirty, the analysis is meaningless.”

Governance without actionability falls flat

Traditional IGA implementations have a reputation for being slow, expensive, and hard to maintain. Even when access reviews get done, they rarely lead to real remediation. And most teams aren’t eager to dive into another 12-month deployment cycle just to get incremental gains.

Amir didn’t shy away from this. “IGA projects stall because they’re overly focused on process. You chase access certifications without fixing the underlying data. That’s backwards. Governance should be built on clean, correlated data and supported by workflows that are easy to automate and evolve.”

The key, he stressed, is time-to-value. Organizations want to see improvements in weeks, not quarters. This means using automation to eliminate abandoned accounts, reduce role sprawl, and enforce just-in-time access. But more importantly, it means enabling security and IAM teams to take action when risk is found.

“Visibility without action is just noise,” Amir said. “You need to respond—not in hours or days, but in real time.”

The path forward: identity fabric as a blueprint

As identity extends beyond IT and into every corner of the business, a new model is gaining traction: identity fabric. Rather than ripping and replacing existing systems, organizations can take a modular approach, augmenting their identity programs with focused capabilities like ITDR, ISPM, or intelligent role mining.

The identity fabric model allows for interoperability, layering in new services without disrupting what’s already in place. Amir called it “a blueprint,” a way for IAM leaders to visualize their coverage across human and non-human identities, lifecycle stages, and risk detection and remediation capabilities.

This approach allows teams to address urgent gaps, like abandoned service accounts or agentic AI misuse, without waiting for the next IGA cycle. It encourages incremental improvements, backed by reliable data, and driven by operational realities.

Start fixing identity from the data up

Identity isn’t just about access anymore. It’s about risk. And the only way to reduce identity risk is to understand it holistically, through clean, normalized, and correlated data.

As organizations manage sprawling SaaS ecosystems, dynamic user behavior, and an explosion of machine identities, it’s clear that we need a new identity model, one that prioritizes data, embraces automation, and turns governance into action.

Identity chaos won’t fix itself. It has to be tamed, intelligently, systematically, and at scale.

To hear the full conversation between Amir Ofek and John Tolbert, including real-world use cases, audience Q&A, and practical advice on implementing ITDR, watch the on-demand webinar.
