June 26, 2025
EP 10 – A new identity crisis: governance in the AI age

In this episode of Security Matters, host David Puner sits down with Deepak Taneja, co-founder of Zilla Security and General Manager of Identity Governance at CyberArk, to explore why 2025 marks a pivotal moment for identity security. From the explosion of machine identities—now outnumbering human identities 80 to 1—to the convergence of IGA, PAM, and AI-driven automation, Deepak shares insights from his decades-long career at the forefront of identity innovation.
Listeners will learn:
- Why legacy identity governance models are breaking under cloud scale
- How AI agents are reshaping entitlement management and threat detection
- What organizations must do to secure non-human identities and interlinked dependencies
- Why time-to-value and outcome-driven metrics are essential for modern IGA success
Whether you’re a CISO, identity architect, or security strategist, this episode delivers actionable guidance for navigating the evolving identity security landscape.
Imagine this: a global bank discovers over 30,000 service accounts scattered across its systems. No one knows who created them or what they still access. Some date back years, tied to unmonitored cloud workloads with active privileges—but no oversight. And the number keeps growing. This isn’t just a one-off scenario.
As cloud adoption accelerates, machine identities now outnumber human identities by more than 80 to one. Unchecked, they become vulnerabilities—entry points for attackers. It’s a new kind of identity crisis, one that demands not just governance but a complete mindset shift. Addressing these risks reduces cyber risk, ensures compliance, and builds resilience in an increasingly complex digital landscape.
Today I’m joined by Deepak Taneja, founder of Zilla Security and now general manager of identity governance at CyberArk. Deepak’s built platforms that bridge security, compliance, and cloud innovation. Our discussion explores how identity has become the new foundation of enterprise security, why this year may be the biggest inflection point yet, and what organizations need to do to stay ahead.
Let’s dive in.
David Puner: Deepak Taneja, co-founder of Zilla Security and general manager of identity governance at CyberArk—welcome to the podcast.
Deepak Taneja: Thanks for having me on the podcast, David.
David Puner: Absolutely. Really excited to speak with you today. You came over to CyberArk earlier this year by way of the acquisition of Zilla Security, which you co-founded and where you were the CEO. What sparked the idea for Zilla, and how does joining CyberArk fit into your broader career path?
Deepak Taneja: When my co-founder and I started Zilla Security in 2019, we felt that identity was at an inflection point. IT and security leaders were starting to realize that identity was replacing the network as the new foundation of enterprise security.
The industry has been talking about Zero Trust for more than 15 years, but the implications of that in terms of authorization, entitlements, compliance, and security were really starting to kick in around 2019–2020. And as cloud adoption accelerated, organizations were realizing that having an identity provider for the cloud wasn’t enough.
They needed identity security to manage who has access to what, in a way that could scale to hundreds or thousands of cloud applications and millions of resources—some dynamic. Both human and non-human identities. That shift in perception led us to say, there’s an opportunity here for a modern identity governance and security solution.
David Puner: So before the founding of Zilla in 2019, you had been in the identity space for quite some time. What had you been doing in the identity space? When did that start, and how did your perception of what identity or identity security is evolve?
Deepak Taneja: I’ve spent almost my entire career in identity. I started out as a developer in the 80s working on directory services software—this was before there was a security space. In the early days of the internet, I was part of the founding team of a company called Netegrity, which led the shift to web-based single sign-on and directory-enabled authentication. Those were the days of LDAP directories and so on, and Netegrity was a leader in that space. I was the head of engineering there.
We got acquired, and I founded a company called Aveksa, which was the pioneer in identity governance. That was around 2004–2005. Large organizations were starting to worry about compliance in the wake of Enron and WorldCom and the regulatory mandates that followed, like SOX. Aveksa led that space for many years—we were joined in the market by SailPoint and others—and were eventually acquired by RSA.
So I’ve been fortunate to have been at the forefront of identity for a long time. And in the mid-2000s and beyond, the cloud emerged and we saw a big shift. Zero Trust started to gain traction, but it wasn’t until 2018–2019 when the notion of identity as the new foundation of enterprise security really started to take hold.
Joining CyberArk fits well into my career arc. As an entrepreneur, you want to change the world—and while we were making progress in the modern IGA space, joining CyberArk gave me the opportunity to do that on a much larger scale. Privileged access management, identity security, and IGA are converging. Security, compliance, and ease of use are the drivers, and the opportunity to build the identity security platform of the future was very attractive to me.
David Puner: Let’s dive into identity governance and IGA. To set the stage, at a high level, what is identity governance and identity governance and administration (also known as IGA)? And why has identity governance historically been so difficult to get right?
Deepak Taneja: Identity governance is fundamentally very simple. The concept is all about entitlements—the entitlements that identities have. It’s the administration of who or what has access to what.
How do you discover the current state of entitlements in the organization? How do you review them for compliance? How do you assign them so people can do their jobs? How do you ensure that they are correct? How do you remove them when people leave the organization or move off a project?
This space was originally important, as I said, for compliance in the mid-2000s—because regulations like SOX demanded it. Then lifecycle administration—the joiner, mover, leaver processes; provisioning and deprovisioning—joined compliance and became IGA.
So IGA had two business drivers: compliance and lifecycle management. That made sense because you don’t want the source of truth for entitlements in two places. You need a single source of truth for compliance and lifecycle management—always in touch with the current state and able to make changes to it.
Now, in the cloud era, security has become a new driver. This idea of who has access to what—human and non-human identities alike—has become critical from a security angle.
It’s difficult to get right, partly due to organizational complexity. Identity touches everything in an organization. It spans business processes, and the stakeholders range from supervisors to application owners to compliance teams. You need business processes that include all these stakeholders.
IGA is somewhat unique in the security world. Many security products are used primarily by the security team. IGA is different—it involves business processes used by people across the organization. That’s what makes it complex.
Also, the technology in this space has been static for about 10 years. It was designed for an on-prem world. But the cloud has broken that model. The legacy solutions rely heavily on manual work and professional services. They weren’t designed for the cloud’s scale.
David Puner: You mentioned risks—what are the biggest risks organizations face when governance is slow or incomplete?
Deepak Taneja: A lot of it comes down to compliance and lifecycle work. When that’s done manually, it becomes expensive, inaccurate, and time-consuming. Productivity suffers. Employees don’t get access quickly.
From a security lens, the risks are even greater. You end up with excessive entitlements, orphan accounts, long-abandoned service accounts—no governance around them. IGA may have started as a checkbox compliance issue 20 years ago, but it’s now a cornerstone of enterprise security.
If you can’t get your arms around identities and access, you can’t do compliance right. You’re spending a lot, but still falling short on security and efficiency. DevOps engineers, for instance, won’t wait a week to get access—they need to be productive immediately.
David Puner: Earlier, you mentioned the cloud as a game changer for IGA. What has changed most dramatically—technologically or otherwise—in the past few years?
Deepak Taneja: The cloud era has brought three major shifts: SaaS proliferation, cloud infrastructure platforms, and digital transformation. Organizations now use hundreds of SaaS apps. They’re building their own apps, which means separate engineering and DevOps teams.
And it’s not just about human identities. There’s ephemeral access, dynamic entitlements, and a surge in non-human identities—machines, APIs. In many organizations, machine identities now vastly outnumber human identities.
Auditors are now starting to demand access reviews for non-human identities—something previously limited to human users. That’s a significant change.
David Puner: Our 2025 Identity Security Threat Landscape Report found that machine identities outnumber human identities by more than 80 to one.
Deepak Taneja: Exactly—and that ratio will only increase. We’re entering the AI era. Organizations will soon have hundreds of thousands of AI agents doing all kinds of work.
That means we’ll need governance not just for machines and APIs, but for agent identities too. This includes compliance, joiner-mover-leaver processes, and more.
Least privilege is becoming a key driver of IGA. It’s no longer just about compliance—it’s about managing security risk proactively.
David Puner: AI and agentic AI, which you just brought up: you recently described a future of identity governance that’s fast, secure, and scalable. What does that vision look like, and how do AI and agentic AI bring it to life?
Deepak Taneja: If security is the new driver for IGA, the future needs to prioritize easy system integration, automation, and a simple user experience. That’s how IGA will scale in a world of dynamic, human and non-human identities.
Automation is key. It enables self-service experiences, easier deployment, and real-time governance. Agentic AI takes automation further. Today, IGA is 80% manual and 20% automated. In the near future, I see that flipping—80% automation and 10–20% manual.
AI agents will start by offering insights and recommendations. But eventually, they’ll carry out governance actions themselves, within defined risk parameters. This shift will drive faster time to value—IGA that keeps up with the pace of business.
David Puner: It may seem obvious, but why is time to value such a critical metric?
Deepak Taneja: Time to value is one of the most important metrics CISOs should track. Many organizations have struggled with legacy IGA deployments that took years to onboard systems. Measuring how quickly an organization can integrate key applications and hit milestones is crucial.
Say an organization wants compliance. A good first milestone might be completing a supervisory access review for 30,000 employees across 6,000 supervisors. How quickly can that happen?
Or maybe it’s application-level access reviews. If an organization has 25 key apps, how fast can it get those app owners to review access?
Or reduce manual provisioning tickets by 50%. These are tangible, outcome-driven metrics—not just adjectives like “better” or “faster.” You can’t manage what you don’t measure. Metrics make the program real and actionable.
David Puner: You’ve talked about the need for AI not just to manage entitlements, but to anticipate where attackers will strike next. What does that look like in practice—and how close are we to seeing AI-driven identity threat protection become mainstream?
Deepak Taneja: A lot of smart people are now focused on applying AI to identity and security. The number of contributors has grown exponentially.
Every organization has vast datasets about how identities—human and non-human—operate: what access they use, from where, on what devices. AI can leverage this to identify anomalies, predict threats, and even flag imminent breaches.
That said, the data is scattered—in logs, across platforms. It’s hard to normalize. Some vendors start with Active Directory or identity providers, but that’s not enough. IGA must get closer to security incident and event management (SIEM) and SOC infrastructure. Those systems must become more identity-aware.
This is also an organizational issue. Identity teams don’t always understand detection and response. SOC teams understand threats but not identity. AI may help bridge that gap.
David Puner: You’ve already touched on this, but why is it important to think of identity governance as part of a broader identity security strategy?
Deepak Taneja: Historically, privileged access management (PAM) focused on IT users and infrastructure—vaulted credentials, rotated passwords. IGA focused on all users and resources, but mostly for compliance and lifecycle management. They operated in silos.
Now, the explosion of identities—human, machine, agent—and resources—apps, infrastructure, data—demands unified control.
PAM and IGA are converging around a shared control plane. We need a single view of identity, a single view of resources, and a shared understanding of who should have access to what.
At CyberArk, we call it the right privilege controls for the right identities. This common framework brings together PAM, IGA, and machine identity management. It enables decisions based on resource risk and identity responsibility.
Not everything needs to be vaulted. Some access can be just-in-time. We’re heading toward zero standing privileges. That’s the new model—and CyberArk is leading the way.
David Puner: You’ve called 2025 an inflection point for identity security, particularly due to overlooked dependencies like machine identities. How can organizations proactively identify identities and mitigate these hidden risks before attackers exploit them?
Deepak Taneja: It’s absolutely an inflection point. The realization is setting in—non-human identities are just as important, if not more so, than human ones.
But these machine identities don’t exist in a vacuum. They’re created and maintained by people—application owners, DevOps engineers. To govern machines, you must understand the humans behind them.
I recently spoke with a large bank. They had 30,000 service accounts, many of which they couldn’t trace. No idea who created them or what they accessed. This is common.
You need to track those workloads back to the applications and the people responsible. That’s the only way to apply effective governance and security controls. If the person responsible leaves, there needs to be an alert and a reassignment. The human-to-machine identity link is critical.
David Puner: Are there any cultural or mindset shifts that you think are essential for organizations to succeed in today’s identity landscape?
Deepak Taneja: Definitely. First, stop thinking of identity as purely human. It can be human, machine, or agent. That’s the foundation of modern identity security.
Second, break down silos. Identity teams must think like security teams—about threats, remediation, and SOC alerts. SOC teams must also understand identity—not just networks or endpoints.
We had EDR (endpoint detection and response), MDR (managed detection and response)… Now it’s about ITDR—identity threat detection and response. Identity is the new foundation.
David Puner: Before we wrap—on a lighter note—I see album covers behind you. The Doors, Abbey Road, Fleetwood Mac. Do you have a favorite?
Deepak Taneja: That’s a longer conversation. But I’d say Prince. His music was truly innovative. There’s something mysterious and magnetic about it. He was a genius. And yes, Fleetwood Mac is a classic too.
David Puner: Let’s look ahead. What’s your bold prediction for where identity governance is headed over the next three to five years?
Deepak Taneja: Things always take longer than we expect—but the big shift is non-human identity governance. In five years, we’ll be talking about that far more than human identity governance. The AI shift will happen fast—and the risks of ignoring machine identities will become impossible to ignore.
David Puner: Deepak Taneja, thank you so much for coming onto the podcast. Really appreciate it—and we look forward to having you back when machine identities outnumber humans by who knows how many.
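The human-to-machine link Deepak describes (trace every service account back to an accountable person, alert and reassign when that person leaves, and surface long-unused accounts that still hold privileges) is easy to express as a check over an account inventory joined to the HR roster. The script below is an added example written for this page; it is not code from the podcast, CyberArk, or Zilla. The account records, employee ids (`e100` and so on), privilege strings, and the 90-day staleness threshold are all constructed assumptions for illustration.

```python
"""Orphaned and unowned service-account review (added example, constructed data).

Links each machine identity to a responsible human and flags the cases the
episode describes: no recorded owner, an owner who has left, and accounts
unused for a long time that still hold privileges.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)  # assumption: >90 days without use counts as abandoned


@dataclass(frozen=True)
class ServiceAccount:
    name: str
    owner: str | None          # hypothetical HR employee id; None = never recorded
    last_used: date | None     # last observed authentication; None = never seen
    privileges: frozenset = frozenset()


@dataclass(frozen=True)
class Finding:
    account: str
    reasons: tuple
    action: str


def review_service_accounts(accounts, active_employees, today):
    """Return one Finding per account that needs a governance action.

    active_employees: ids still on the HR roster (the human side of the link).
    Ownership is checked first: an account with no accountable human cannot be
    reviewed at all, so reassignment comes before any privilege decision.
    """
    findings = []
    for acct in accounts:
        reasons = []
        needs_owner = False
        if acct.owner is None:
            reasons.append("no owner recorded")
            needs_owner = True
        elif acct.owner not in active_employees:
            reasons.append(f"owner {acct.owner} is no longer an active employee")
            needs_owner = True

        stale = acct.last_used is None or today - acct.last_used > STALE_AFTER
        if stale:
            if acct.last_used is None:
                reasons.append("never used")
            else:
                reasons.append(f"unused for {(today - acct.last_used).days} days")
            if acct.privileges:
                reasons.append("still holds privileges: " + ", ".join(sorted(acct.privileges)))

        if not reasons:
            continue  # owned, active, in use: nothing to do
        if needs_owner:
            action = "reassign to an accountable owner before any access review"
        elif acct.privileges:
            action = "owner to confirm need or revoke privileges"
        else:
            action = "owner to confirm need or disable"
        findings.append(Finding(acct.name, tuple(reasons), action))
    return findings


# Constructed sample inventory: one clean account and three problem cases.
SAMPLE_TODAY = date(2025, 6, 26)
SAMPLE_EMPLOYEES = {"e100", "e200"}  # e300 has left the company
SAMPLE_ACCOUNTS = [
    ServiceAccount("svc-payroll-etl", "e100", SAMPLE_TODAY - timedelta(days=2), frozenset({"db:write"})),
    ServiceAccount("svc-legacy-backup", "e300", SAMPLE_TODAY - timedelta(days=400), frozenset({"storage:admin"})),
    ServiceAccount("svc-ci-runner", None, SAMPLE_TODAY - timedelta(days=1), frozenset({"repo:read"})),
    ServiceAccount("svc-old-report", "e200", None, frozenset()),
]


def run_sample():
    """Run the review over the constructed inventory."""
    return review_service_accounts(SAMPLE_ACCOUNTS, SAMPLE_EMPLOYEES, SAMPLE_TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.account}: {'; '.join(f.reasons)} -> {f.action}")
```

In a real deployment the inventory would come from the cloud provider's IAM and the IdP, `active_employees` from the HR system, and the findings would feed the joiner-mover-leaver workflow rather than stdout; the point of the example is that the owner check has to run on every leaver event, not just at annual review time.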