One thing that I find interesting is that we tend to frame “the human factor” as a flaw to control instead of a system to design for. More often than not, people aren’t careless. They're just contextual. They respond to urgency, authority, and habit. When security programs ignore that reality, workarounds become inevitable.
Organizations need to ask different questions if they want to make real change. Instead of asking how to stop people from making mistakes, it's better to consider ways to help people recover faster when mistakes inevitably happen.
Culture is ultimately determined by how comfortable people feel flagging problems, not how perfectly they follow rigid policies. https://t.co/A2SdrnXBy4
I really enjoyed every individual trend that #IBM listed here, but piecing them all together tells a pretty interesting story.
#AI is hitting a new "era," so to speak. It's being met with completely new limits (compute, energy, organizational, etc.), and people aren't confident in how to move forward. There's a growing collective realization that scaling forever isn’t a strategy. It's just a phase.
There's now a lot more emphasis being put on orchestration and control—we're seeing it with smaller models, purpose-built systems, and even clear ownership of agents and outcomes.
Personally, I see that as a sign of maturity. Breakthroughs may be exciting, but we need well-integrated systems that behave predictably in environments where mistakes matter. https://t.co/zB5jkeyQc8
When access is slow, abstract, or owned by “someone else,” people optimize for speed every time. Not because they want to bypass controls — but because momentum is how modern work survives.
As systems become more automated and distributed, access tends to sprawl. Privilege gets copied, inherited, and forgotten. And when responsibility for identity is scattered, cleanup becomes no one’s job.
We often label IAM issues as technical debt, but many are really organizational debt. Until access ownership is clear, visible, and connected to outcomes people care about, policy and reality will stay out of sync — no matter how many controls exist on paper. https://t.co/MDRGQ7VIX7
The scale of everything #Microsoft is building is impressive, but I think their willingness to slow down, listen, and course-correct speaks volumes to their genuine motivations. With demand and expectations being as high as they are, pausing isn't the obvious approach. It's the compassionate, human-first one.
When communities worry about power bills, water use, or long-term jobs, companies need to understand that the real concern isn't necessarily about the technology itself. It's about the need for more security from what that tech could represent.
The future of data centers is going to depend largely on how businesses handle their growth. That's why Microsoft's approach works so well. Instead of building as quickly as possible, they're staying thoughtful about how they're integrating into the places they serve. https://t.co/aHm7XO2n2J
I think it's pretty easy to look at these numbers and conclude that security leaders are in the wrong, but I see a different problem. In my experience, most #security teams are actually good at preventing the attacks they’ve modeled, rehearsed, and bought tools for. The issue is that they're trying to solve outdated problems.
#Ransomware keeps winning because it doesn’t play by any assumptions. It sneaks in through #identity sprawl, standing access that has discreetly outlived its purpose, and exceptions everyone agreed were “temporary.”
Confidence isn’t the real problem. Overconfidence in static controls in a very dynamic identity environment usually is.
I think #AI demand is sometimes talked about as if it's just "more usage."
It's not.
It's always on, always growing, and far less forgiving when something breaks. It's far more involved and complex. That's why this kind of grid modernization is so much more significant than it may seem on the surface.
The ability to predict weather impacts, plan transmission differently, and speed up operations takes a massive strain off of infrastructure that's under constant pressure. Reactive systems aren't enough anymore, and this #Microsoft partnership proves that. https://t.co/vX87969sAF
#Identity governance has always been designed around people. It made sense when people were the scarce resource. Accounts were created deliberately, access was reviewed periodically, and risk moved at human speed.
But quite frankly, that world doesn’t exist anymore.
When machines and agents outnumber humans this vastly, identity becomes something that multiplies automatically, often without a clear owner or expiration. Governance models that rely on tickets, reviews, and static credentials simply can’t keep up.
Honestly, one of the biggest dangers I see with this is the potential for authority to persist long after purpose disappears. Orphaned identities don’t raise alarms. They sit there, waiting to be reused. At that point, attackers don’t need to be clever. They just need to be patient.
Many organizations aren’t necessarily “behind” on security. Truth is, they're operating a system that was never meant to function at this scale. https://t.co/XMEpTnbkjD
There's a lot about this stat that I find pretty concerning. One of the biggest issues I see is that if #IAM spend is justified mainly by user experience, it usually means identity is being positioned as a productivity tool instead of a control plane. That framing shapes every downstream decision—how much risk is acceptable, how exceptions get handled, how temporary access quietly becomes permanent, etc.
UX should absolutely be part of the conversation, but it can’t be the reason the conversation exists. Identity is where trust is established, enforced, and continuously re-evaluated. If security isn’t the primary driver there, we’re just deferring complexity until it shows up as an incident.
Fragmentation actively works against us, and this is pretty clear here. Identity teams, network teams, and device teams all do the “right” thing in isolation, yet attackers manage to exploit the seams between them.
#Microsoft’s Access Fabric idea is interesting because it acknowledges that access decisions are no longer binary or static, like many seem to still think. They’re contextual, fluid, and constantly renegotiated.
If your controls can’t adapt mid-session, you’re defending yesterday’s environment against today’s threats. Your systems need to actually behave like you believe breach is inevitable. https://t.co/mgth5ISb9Z
Love how #IBM Research is framing CUGA as configurable rather than prescriptive. The idea that you can tune reasoning modes based on cost, latency, and accuracy feels much closer to how enterprises actually operate. We often see that tradeoffs are constant, not theoretical.
To me, releasing this on #HuggingFace also feels intentional. It invites scrutiny from a community that’s very good at finding where systems bend or break. If CUGA holds up under that pressure, it strengthens the case that structured planning and controlled execution are the right counterweight to brittle, prompt-heavy agent designs. Solid way to build trust over time. https://t.co/S5REIYfhDY
Oritse Uku makes a very important, rarely recognized point here about #ZeroTrust and #IdentitySecurity:
"Zero trust was always the right idea; identity security may finally make it effective."
Zero trust isn't inherently wrong. It was just too abstract to implement at scale. Identity security works because it’s concrete. You can point to an identity, its access, its privileges, and its risk. That makes it easier to explain, easier to fund, and frankly easier to improve.
It allows security to finally be anchored in something organizations can measure, own, and evolve as humans increasingly give way to machines. https://t.co/9tRnIYdghg
When we started Webmethod, the goal was never to sell tools. It was to help organizations make sense of identity, access, and risk in environments that keep getting more complex.
Most of the problems we’re brought in to solve aren’t caused by a lack of technology. They come from fragmented identity programs, unclear ownership, and security controls that don’t scale as the business grows. That’s true whether we’re working with a federal agency or a commercial enterprise.
Our work centers on building practical identity and access governance: programs that align with real risk, real compliance requirements, and how systems are actually used. That includes IAM strategy and execution, identity governance, privileged access management, and targeted security assessments that give teams a clear path forward.
We’re also intentional about how we partner. As a trusted Microsoft and IBM partner, we help clients use platforms like Defender for Identity, IBM Verify, and WatsonX in ways that fit their environment, not force-fit architectures that look good on paper but fail in practice.
Cybersecurity isn’t about doing everything at once. It’s about getting the fundamentals right and building from there. That’s the work we focus on every day.
A lot of the debate around centralized IAM still feels stuck in an older world, one where identity mostly meant employees logging into applications. That’s not the environment most teams are operating in anymore.
What this article gets right is the shift in scale and mix. Human identities are now the minority. APIs, services, workloads, bots, and AI agents outnumber people by orders of magnitude, and they often hold far more power inside systems than any single user.
The question I hear most often isn’t whether centralized IAM can handle both human and non-human identities. It’s whether teams are actually ready to treat machines like first-class users, with ownership, lifecycle controls, and accountability. The fundamentals haven’t changed: clean identity data, least privilege, clear ownership, and governance that keeps up with how systems actually behave. The difference is that the blast radius is much larger when those basics are missing.
Machines are users now. Treating them any differently is where most identity programs start to break down. https://t.co/qfeAs7j6GN
Really enjoyed this episode. A lot of AI governance conversations start with data, but the piece I see leaders struggle with most is tying that data back to clear ownership and access boundaries. If you don’t know who (or what) can use the data, it’s almost impossible to build a meaningful governance strategy around it, especially as AI agents start interacting with systems on their own.
Microsoft’s expanded investment in India is notable not just for the size of the number, but for where the emphasis is going.
Yes, hyperscale infrastructure matters. Having local #data centers, resilience, and low latency is table stakes as #AI moves into real operations. But what stood out to me is the combination of infrastructure, skills, and sovereignty being treated as one system, not separate initiatives.
Embedding AI into platforms like e-Shram and the National Career Service is a good example of what “AI at scale” actually looks like. Not labs or pilots, but systems used by hundreds of millions of people, where trust, access, and reliability aren’t optional.
When AI is woven into national platforms and critical services, questions of data location, access control, and accountability move from technical details to foundational requirements. Big investments always grab headlines. What matters more is whether the pieces fit together in a way that can be sustained. This one looks like it’s being built with that in mind. https://t.co/NooYTeAFaL
IBM’s acquisition of Confluent makes sense to me when you look at where AI deployments are really struggling: data in motion.
Most enterprises don’t have a data problem, they have a fragmentation problem. Data is spread across clouds, data centers, and legacy systems, and AI systems don’t work well when they’re fed stale or batch-processed information.
Confluent’s strength has always been real-time streaming: moving data as events happen, not hours later. Pairing that with IBM’s hybrid cloud strategy feels like a logical step as organizations move from experimenting with AI to running it inside core operations.
What stands out is less about Kafka itself and more about the implication: agentic and generative AI need continuous, trusted data flows across environments. Without that, governance breaks down and decisions lag behind reality. From an architecture perspective, this is another signal that AI infrastructure is shifting from isolated systems to connected platforms where data, automation, and control planes have to work together.
Execution will matter, but directionally, this aligns with what many enterprises are trying to solve right now. https://t.co/0c7Peye0pS
Identity has been through a lot of “big moments” over the years, but every so often you see something that signals a real shift in the maturity of the space. IBM being named a Leader in the 2025 Magic Quadrant for Access Management is one of those signals.
What I appreciate about Verify’s direction isn’t just the feature set... it’s the acknowledgement that access today spans far more than traditional workforce logins. You’re dealing with customer identities, partner ecosystems, APIs, workloads, and now AI agents that act on behalf of people. That’s a very different operational landscape than it was even five years ago.
The work IBM has been doing around passwordless experiences, lifecycle automation, modern governance, and hybrid identity fits that reality. It reflects a simple truth: identity isn't one system anymore. It’s the foundation that everything else sits on top of, and if you can’t unify access and risk across your environment, you’re guessing in the dark.
From my vantage point, the industry is finally treating identity as the connective layer of digital trust, not an add-on, not a compliance checkbox, but the actual control plane for how people and workloads operate. There’s still plenty of work ahead, but it’s the right trajectory. https://t.co/kJ4XUVtQnp