Is Identity the New Perimeter of Enterprise Security?

Chloe Maraina understands that in today’s digital landscape, identity is no longer a peripheral IT function; it is the very fabric of enterprise security. As a Business Intelligence expert with a deep focus on data science and a vision for integrated data management, she brings a unique perspective on how the massive influx of data and automated agents is shifting the threat landscape. Our conversation explores the modern identity perimeter, where the lines between human and machine actions blur, and the traditional walls of the network have been replaced by credentials and access tokens. We delve into the critical risks of overprivileged cloud roles, the staggering rise of non-human identities that now outnumber human employees, and the sophisticated ways attackers use generative AI to bypass human trust through deepfakes. We also address the governance debt many organizations carry, which manifests as orphaned accounts and unmanaged SaaS applications, and discuss the shift toward continuous verification in a zero-trust world.

In cloud and SaaS environments, we often see roles that have accumulated far more permissions than they actually need to function. Why is this “privilege creep” becoming such a significant security gap, and how does it change the way attackers approach an organization?

The core of the problem lies in the tension between security and the frantic pace of modern productivity. Organizations frequently grant broad access across AWS or Azure environments just to ensure that a project doesn’t hit a technical wall, but they rarely have the bandwidth to go back and trim those permissions down once the work is done. This creates a massive attack surface where a single overprivileged IAM role can become a skeleton key for sensitive data stores, administrative APIs, or even infrastructure provisioning systems. When an attacker compromises one of these accounts, they no longer need to find a complex technical exploit; they can simply move through the environment using legitimate, trusted workflows that are incredibly difficult to detect. This shift in strategy means that for a hacker, logging in is the new breaking in, and the excess permissions we leave behind are the open doors they are looking for. To combat this, we have to move toward a model of periodic access recertification and rigorous entitlement governance that treats every permission as a temporary necessity rather than a permanent right.
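One way to run the access recertification the answer above calls for, as an added example and not code from the interview or any vendor product: compare the permissions each role holds against the actions it actually invoked during a review window, flagging grants that were never used and wildcard grants that can be narrowed. The role names, permission strings and usage records are constructed for illustration.

```python
from fnmatch import fnmatchcase
from collections import defaultdict

# Constructed sample: permissions granted to each role in an IAM-style
# "service:Action" form (wildcards allowed), and the actions each role
# actually invoked during the review window, e.g. taken from audit logs.
GRANTED = {
    "deploy-role": {"s3:*", "ec2:DescribeInstances",
                    "iam:CreateAccessKey", "lambda:InvokeFunction"},
    "report-role": {"s3:GetObject", "athena:StartQueryExecution", "kms:Decrypt"},
}
USED = [
    ("deploy-role", "s3:PutObject"), ("deploy-role", "s3:GetObject"),
    ("deploy-role", "lambda:InvokeFunction"), ("deploy-role", "s3:PutObject"),
    ("report-role", "s3:GetObject"), ("report-role", "athena:StartQueryExecution"),
]

def recertify(granted, used):
    """Per role, return the grants to remove (never exercised) and the
    wildcard grants to narrow, mapped to the concrete actions observed."""
    used_by_role = defaultdict(set)
    for role, action in used:
        used_by_role[role].add(action)
    findings = {}
    for role, perms in granted.items():
        seen = used_by_role.get(role, set())
        remove, narrow = set(), {}
        for perm in sorted(perms):
            # A wildcard grant is "used" if any observed action matches it.
            matched = {a for a in seen if fnmatchcase(a, perm)}
            if not matched:
                remove.add(perm)
            elif "*" in perm:
                narrow[perm] = matched
        findings[role] = {"remove": remove, "narrow": narrow}
    return findings

if __name__ == "__main__":
    for role, f in recertify(GRANTED, USED).items():
        print(role, "remove:", sorted(f["remove"]),
              "narrow:", {k: sorted(v) for k, v in f["narrow"].items()})
```

Grants that are unused for a whole review window become candidates for removal rather than being dropped automatically; the output is the input to the recertification decision.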

We’ve seen a dramatic increase in the number of non-human identities, such as API keys and service accounts. Since these often outnumber human users, what unique challenges do they pose for an identity and access management program?

The rise of non-human identities, or NHIs, represents a silent explosion in the corporate attack surface that most traditional IAM programs simply aren’t built to handle. These identities, which include everything from OAuth tokens and containers to AI agents and serverless functions, now dramatically outnumber human employees in many organizations, yet they often operate in the shadows without the same level of scrutiny. Because these service accounts and API keys operate continuously across cloud and SaaS environments, they often bypass the standard multi-factor authentication and user-focused monitoring that we rely on for human security. We frequently see these NHIs using long-lived credentials that are almost never rotated, making them a gold mine for attackers who want a persistent, unmonitored foothold in a production system. To secure this front, we must implement full inventory tracking and automated credential rotation, while shifting toward workload identity federation to ensure that these autonomous agents only have the specific, short-lived permissions they need to complete a task.

With many enterprises now operating hundreds or even thousands of SaaS applications, how does this sprawl complicate the task of maintaining visibility and control over who has access to sensitive business data?

The sheer volume of SaaS applications creates a fragmented reality where each platform—whether it’s Salesforce, GitHub, or Slack—essentially acts as its own siloed identity store with its own set of roles and permissions. This sprawl makes it nearly impossible for a centralized security team to maintain a clear picture of the permissions landscape, leading to a dangerous accumulation of “shadow IT” and unmanaged accounts. One of the most common and frustrating risks we see is the “orphaned account,” where a former employee retains access to a business-critical SaaS tool long after they have left the company because the offboarding process was decentralized. Furthermore, the ease with which users can grant third-party OAuth integrations creates a web of hidden dependencies that can expose intellectual property and customer records to external vulnerabilities. To regain control, organizations need to prioritize SaaS security posture management and centralized identity federation, ensuring that conditional access policies are enforced consistently across every single platform the business touches.

The emergence of generative AI has introduced the threat of deepfakes and sophisticated impersonation. How are these technologies specifically targeting the “human trust layer” of identity management, such as the help desk?

We are entering an era where the human trust layer is being weaponized through synthetic voice and video that can be chillingly accurate. Attackers are now using GenAI to generate convincing deepfakes that can trick a help desk administrator into resetting a password or bypassing MFA for a high-value executive account. This is a particularly insidious threat because it targets the empathy and urgency that help desk staff are trained to provide, making it a psychological exploit rather than a technical one. We’ve seen scenarios where synthetic voice impersonations are used to infiltrate vendor-payment workflows or request fraudulent wire transfers, often with enough legitimacy to bypass voice-authentication systems used in customer service. Because of this, the help desk must now be treated as a high-security function, requiring stronger identity proofing and callback verification procedures to ensure that the person on the other end of the line is truly who they claim to be.

Why have identity-centric attacks, like session hijacking and token theft, become the preferred entry point for modern breaches compared to traditional malware?

Attackers are fundamentally pragmatic; they want the path of least resistance, and in a cloud-first world, stealing an identity is significantly more efficient than developing a complex malware chain. By using stolen credentials or hijacked session tokens, an attacker can bypass the entire perimeter and operate within a legitimate session, effectively making them invisible to many traditional security tools. These methods allow them to use trusted APIs and legitimate administrative tools to move laterally, which is much faster and less likely to trigger alarms than deploying an exploit that might be caught by endpoint protection. This trend is driving a critical need for continuous session validation and identity threat detection, where we aren’t just checking a user’s ID at the login screen, but constantly monitoring for anomalous behavior like “impossible travel” throughout the entire session. We have to realize that a valid credential does not always equal a trusted user, and our security models must evolve to reflect that constant state of verification.
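The "impossible travel" check mentioned above, as an added example rather than anything from the interview: consecutive session events for the same user are compared, and a pair whose implied speed exceeds what an airliner could manage is raised as an alert. The events are constructed, and the coordinates are assumed to have been attached by an upstream geo-IP lookup that is not shown here.

```python
from math import radians, sin, cos, asin, sqrt
from datetime import datetime

# Constructed sample session events: (user, ISO-8601 timestamp, lat, lon).
EVENTS = [
    ("alice", "2024-05-01T09:00:00Z", 51.5074, -0.1278),   # London
    ("alice", "2024-05-01T09:40:00Z", 51.5074, -0.1278),   # London again
    ("alice", "2024-05-01T10:15:00Z", 40.7128, -74.0060),  # New York, 35 min later
    ("bob",   "2024-05-01T08:00:00Z", 48.8566, 2.3522),    # Paris
    ("bob",   "2024-05-01T20:00:00Z", 40.7128, -74.0060),  # New York, 12 h later
]

MAX_SPEED_KMH = 900.0  # roughly airliner cruise speed; faster is implausible

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from_ts, to_ts, km, km_per_h) for consecutive events of
    one user whose implied speed exceeds max_speed_kmh."""
    parsed = sorted(
        ((u, datetime.fromisoformat(ts.replace("Z", "+00:00")), la, lo)
         for u, ts, la, lo in events),
        key=lambda e: (e[0], e[1]),
    )
    alerts, last = [], {}
    for user, ts, lat, lon in parsed:
        if user in last:
            p_ts, p_lat, p_lon = last[user]
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (ts - p_ts).total_seconds() / 3600
            # Same place twice is fine; a real distance in zero time is flagged too.
            if km > 0 and (hours == 0 or km / hours > max_speed_kmh):
                speed = km / hours if hours else float("inf")
                alerts.append((user, p_ts.isoformat(), ts.isoformat(), round(km), round(speed)))
        last[user] = (ts, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(EVENTS):
        print("impossible travel:", alert)
```

In practice the alert feeds session revocation or step-up authentication rather than blocking outright, since VPN egress points and shared proxies produce the same signature.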

Even with advanced technology, many organizations still struggle with the basics of identity governance. What are the most common failures in lifecycle management, and why do they persist in hybrid environments?

The persistent struggle with identity governance usually stems from a lack of clear ownership and the overwhelming complexity of hybrid environments that span on-premises systems, cloud infrastructure, and various third-party platforms. We see a “role explosion” where organizations create so many specific sets of permissions that it becomes impossible to audit them effectively, leading to a cluttered landscape of excessive administrative access. In many cases, there is a significant delay in deprovisioning accounts, meaning the “ghosts” of past contractors and employees still have keys to the kingdom, waiting for an attacker to find them. This governance debt is further compounded by the introduction of AI agents and autonomous systems that might inherit or request permissions dynamically, creating new challenges for accountability and audit trails. Building a bulletproof program requires a commitment to just-in-time privileged access and automated deprovisioning, but more importantly, it requires a cultural shift where identity ownership is seen as a core business responsibility rather than just an IT ticket.

What is your forecast for the future of Identity and Access Management over the next few years?

I anticipate that we will see a total departure from static, “one-and-done” authentication toward a model of continuous, risk-aware trust that persists for the duration of every digital interaction. As AI agents become more autonomous and begin to manage their own workflows, the focus will shift heavily toward governing these machine identities with the same—if not more—rigor than we currently apply to humans. We will likely see the help desk and identity recovery processes become fully hardened against deepfakes through a combination of phishing-resistant MFA and hardware-based identity proofing. Ultimately, the organizations that thrive will be the ones that stop viewing IAM as a simple directory management task and instead treat it as the central, intelligent nervous system of their entire security architecture. The perimeter hasn’t just moved; it has become individual, dynamic, and data-driven, and our management tools will need to be just as agile to keep pace with the threats of tomorrow.
