- Identity and Access Management (IAM) is the cornerstone of cybersecurity and critical for reducing risk from unauthorized access, insider threats, and credential-based attacks
- Effective IAM governance requires alignment with business objectives, regulatory frameworks, and a lifecycle approach to access control
- AI and machine learning can enhance IAM but also pose risks if data governance is weak or controls are incomplete
In this podcast, host Bill Truett speaks with cybersecurity expert Nick Lasenko to explore the vital role of Identity and Access Management (IAM) in today’s threat landscape. Lasenko emphasizes that nearly all cyber incidents—including costly data breaches—stem from unauthorized access, making IAM not just a technical necessity but a business-critical function. Drawing on real-world experiences, he outlines how weak governance, unclear identity definitions, and siloed systems create operational blind spots and risk. Organizations with poorly maintained user directories or inconsistent access review processes may unwittingly allow former employees or shadow accounts to retain access for months or years.
IAM effectiveness hinges on comprehensive governance that clearly defines identity standards, enforces policies, and ensures collaboration across business and IT functions. Lasenko advocates for a layered, risk-based model for access reviews, where responsibilities are divided between HR, business managers, and IT operations. He discusses how leading frameworks—like NIST 800-53r5, NIST CSF 2.0, and FIPS 199—can guide internal auditors in assessing control strength, while also noting the importance of data classification for mapping access rights appropriately. He cautions that even robust technical tools can fail without a top-down commitment to governance and a sustainable structure for continuous identity lifecycle management.
The conversation also explores common IAM pitfalls, including re-used passwords across environments, legacy accounts that go unmanaged, and flawed assumptions about access monitoring. Lasenko shares both success stories—where consolidating access logs and standardizing processes enabled faster breach response—and horror stories, such as access cutoffs due to outdated email conventions and neglected developer environments. The key, he stresses, is validating all environments equally and ensuring that privileged access management (PAM) is applied to both human and non-human actors based on risk, not just role labels.
AI and machine learning present both opportunities and challenges for IAM. Lasenko highlights the potential of AI to support continuous authentication and risk-based access decisions but warns that poor data governance can lead to sensitive data exposure or flawed logic. He recommends using the NIST AI Risk Management Framework to guide safe and trustworthy AI implementations. The episode closes with a call for auditors and business leaders to collaborate more closely in shaping proactive, resilient IAM strategies that reduce risk, support innovation, and ensure organizational trust in the age of AI.
Leave a Reply
You must be logged in to post a comment.