Building a threat-aware IAM strategy: What CIOs and CISOs should prioritise next

Posted on behalf of CIO Association of Canada’s sponsor, ManageEngine.

Jay, Head of growth, IAM and SIEM, ManageEngine

Identities have always been the threads that stitch enterprise IT together, but their nature has changed dramatically. Twenty years ago, an identity meant a username and password sitting in a corporate directory. Access was tied to a desktop on a corporate LAN, compliance meant ticking boxes under PIPEDA, which came into force in 2001, and identities were relatively static, human, and predictable.

Fast-forward to today, and everything has changed. For Canadian organisations, the federal government’s ongoing cloud migration, the financial sector’s rapid shift toward open banking, and the energy industry’s push toward operational technology integration have all dramatically expanded what an identity means in practice.

Identities today extend far beyond the human user to encompass a rapidly expanding fabric of non-human and workload identities, including autonomous AI agents operating across systems. In many environments, these identities already outnumber human users, and that disparity is only accelerating. At the same time, identities now operate across deeply distributed hybrid and multi-cloud ecosystems, traversing platforms, applications, and regulatory boundaries. This significantly amplifies both complexity and risk.

The Canadian Centre for Cyber Security’s National Cyber Threat Assessment 2025–2026 identifies cyberthreat actors’ tradecraft as actively evolving to avoid detection, with critical industries like energy, finance, health, and government at the top of the target list. Minister of National Defence David McGuinty and Minister of Public Safety Gary Anandasangaree said in a joint statement, “Malicious cyber activity targeting Canada’s critical infrastructure—like power, water, health, finance and transportation—are on the rise and are a real and urgent threat.”

In other words, the identity surface exploded, and so did the attack surface.

The IAM shift from administration to defence

This expansion forced IAM to change. Hybrid clouds, SaaS adoption, and remote work triggered identity sprawl: duplicated accounts, overlapping entitlements, and inconsistent controls. Misconfigurations and privilege creep became routine. Attackers noticed, and credential misuse rapidly became the easiest path to lateral movement.

That shift is now being accelerated by AI. Attackers are using AI to automate reconnaissance, generate targeted phishing messages, and impersonate users convincingly enough to bypass verification layers. According to the State of Cybersecurity in Canada 2026, the collapse of traditional trust signals and the rise of AI-driven impersonation have made identities the primary attack surface.

Security teams now face a deluge. Analysts bounce between EDR, SIEM, IAM, PAM, and MFA consoles, trying to stitch together incomplete pictures while attackers slip through with:

  • Credential dumping on compromised endpoints.
  • MFA fatigue (push bombing) that wears users down into approving fraudulent logins.
  • Lateral movement across hybrid AD and cloud connectors.
  • Living-off-the-land tactics that abuse legitimate admin tools.

The most devastating breaches of the last five years were identity failures: misconfigurations, excessive privileges, and overlooked accounts chained into attack paths. The Snowflake data breach of 2024 illustrates this. Attackers tracked as UNC5537 compromised around 165 Snowflake customers using credentials stolen by infostealer malware. Many of those customer environments had no MFA enforced, so the attackers could authenticate directly with nothing more than a username and password. Victims included AT&T, Santander Bank, and Ticketmaster, and the exposed data ranged from PII to some 50 billion call and text records.

As a result of such breaches, IAM has shifted from an operational enabler into an existential defence layer. Ten years ago, IAM success was measured by onboarding time or password reset volume. Today it is measured by how fast an organisation can disable a compromised account, cut off privilege escalation, and stop a breach from cascading into a systemic outage.

The evolution of IAM: From an admin utility to a defence system

IAM’s trajectory reflects the changing shape of enterprise risk:

  • The operational era: IAM focused on provisioning accounts and enforcing password policies.
  • The proactive era: SSO, MFA, and conditional access improved access control but remained preventive.
  • The reactive era: IAM signals fed into SIEM tools, but a response lag created gaps.
  • The continuous era: IAM is now embedded into security operations with continuous posture checks and automated responses.

What is different now is the role of AI on both sides. Attackers use it to move faster. Defenders need it to keep up. Identity signals are no longer just logs. They are inputs into real-time decision-making systems.

The line between IAM and the SOC has effectively disappeared. If an AI agent is misused to access sensitive data, or if a service account is exploited to escalate privileges, it is both an IAM issue and a SOC issue.

What CIOs and CISOs should prioritise in a threat-aware IAM strategy

The priority is not adding more tools but reshaping IAM into a discipline that actively defends the enterprise. That requires implementing continuous posture assessment, attack path analysis, and automated mitigation.

1. Consolidating identities into one source of truth

Fragmented directories create fragmented defences. Identities now include human users, service accounts, workloads, APIs, and AI agents. There should be a single authoritative view of every identity:

  • Eliminate duplicates so each identity maps to one record.
  • Assign ownership and accountability.
  • Track not just users but also machine and AI-driven identities.

Without this single source of truth, organisations cannot reliably understand their risk exposure.

2. Continuous posture assessment: Managing exposure as it happens

Quarterly reviews and annual audits no longer reflect reality. Identities change constantly, especially with automated provisioning and AI-driven workflows. A modern program must move from static audits to continuous assurance:

  • Detect privilege drift in real time.
  • Identify dormant or orphaned accounts.
  • Apply the same scrutiny to machine and AI identities.
  • Use context-aware controls based on behaviour and the environment.
  • Detect anomalies such as unusual API usage or automated access spikes.
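The following is an added example, not code from the article or from ManageEngine, showing what priorities 1 and 2 look like when written down: two constructed directory exports (an on-prem directory and a cloud IdP) are merged into one record per identity, human and non-human alike, and the same posture checks then run over every record: privilege drift against the last reviewed baseline, missing ownership, dormancy, and an authentication spike for an AI agent identity. The field names, the 90-day dormancy threshold, the spike factor and all sample data are assumptions for the example.

```python
"""Added example (not from the article or any product): build one record per
identity from two constructed directory exports, then run continuous posture
checks over it. Field names, thresholds and the sample data are assumptions."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 11, 1, tzinfo=timezone.utc)  # fixed clock so the checks are reproducible
PRIVILEGED = {"Domain Admins", "Owner", "Global Administrator"}
DORMANT_AFTER = timedelta(days=90)
SPIKE_FACTOR = 10  # today's authentications > 10x the median of the previous days

# Constructed rows in the shape an on-prem directory and a cloud IdP might export.
AD_EXPORT = [
    {"sam": "jsmith", "mail": "J.Smith@example.ca", "owner": "jsmith", "kind": "human",
     "groups": ["Domain Users", "Finance"], "last_logon": "2025-10-30"},
    {"sam": "svc-backup", "mail": None, "owner": None, "kind": "service",
     "groups": ["Backup Operators", "Domain Admins"], "last_logon": "2025-03-02"},
]
CLOUD_EXPORT = [
    {"id": "u-1001", "email": "j.smith@example.ca", "owner": "jsmith", "kind": "human",
     "roles": ["Reader"], "last_sign_in": "2025-10-31"},
    {"id": "sp-ai-summariser", "email": None, "owner": "data-platform", "kind": "ai-agent",
     "roles": ["Reader", "Storage Blob Data Contributor", "Owner"], "last_sign_in": "2025-10-31"},
]
# Entitlements approved at the last access review; drift is measured against this.
REVIEWED_BASELINE = {
    "j.smith@example.ca": {"Domain Users", "Finance", "Reader"},
    "svc-backup": {"Backup Operators"},
    "sp-ai-summariser": {"Reader", "Storage Blob Data Contributor"},
}
# Authentications per day, oldest first (constructed); the last entry is "today".
DAILY_AUTHS = {"sp-ai-summariser": [40, 42, 39, 41, 38, 40, 2600]}


def identity_key(row):
    """Human accounts match across sources by case-folded mail; machine and AI
    identities (no mailbox) keep their own account name."""
    mail = row.get("mail") or row.get("email")
    return mail.lower() if mail else (row.get("sam") or row.get("id"))


def build_inventory(ad_rows, cloud_rows):
    """One record per identity: source account names, owner, merged entitlements,
    and the most recent activity seen in any source."""
    inv = {}
    for row in ad_rows + cloud_rows:
        rec = inv.setdefault(identity_key(row), {
            "names": set(), "owner": None, "kind": row["kind"],
            "entitlements": set(), "last_activity": None})
        rec["names"].add(row.get("sam") or row.get("id"))
        rec["owner"] = rec["owner"] or row.get("owner")
        rec["entitlements"] |= set(row.get("groups", []) + row.get("roles", []))
        seen = datetime.fromisoformat(row.get("last_logon") or row.get("last_sign_in"))
        seen = seen.replace(tzinfo=timezone.utc)
        if rec["last_activity"] is None or seen > rec["last_activity"]:
            rec["last_activity"] = seen
    return inv


def posture_findings(inv, baseline, daily_auths, now=NOW):
    """Findings as (identity, check, detail) tuples; the same checks run on
    human, service and AI identities alike."""
    findings = []
    for ident, rec in inv.items():
        approved = baseline.get(ident)
        if approved is None:
            findings.append((ident, "orphaned", "not covered by the last access review"))
        else:
            extra = sorted(rec["entitlements"] - approved)
            if extra:
                sev = "high" if PRIVILEGED & set(extra) else "medium"
                findings.append((ident, "privilege-drift", f"{sev}: gained {extra}"))
        if rec["owner"] is None:
            findings.append((ident, "no-owner", "no accountable owner recorded"))
        idle = now - rec["last_activity"]
        if idle > DORMANT_AFTER:
            findings.append((ident, "dormant", f"no activity for {idle.days} days"))
        hist = daily_auths.get(ident, [])
        if len(hist) >= 4:
            earlier = sorted(hist[:-1])
            median = earlier[len(earlier) // 2]
            if hist[-1] > SPIKE_FACTOR * max(median, 1):
                findings.append((ident, "access-spike", f"{hist[-1]} auths today vs median {median}"))
    return findings


if __name__ == "__main__":
    inventory = build_inventory(AD_EXPORT, CLOUD_EXPORT)
    for ident, check, detail in posture_findings(inventory, REVIEWED_BASELINE, DAILY_AUTHS):
        print(f"{check:16} {ident:22} {detail}")
```

Run as a script it prints five findings: the service account has gained Domain Admins since its last review, has no owner and has been idle for 244 days, and the AI agent has gained the Owner role and authenticated 2,600 times today against a median of 40. The human user, who exists in both directories under different account names, collapses to a single record with no findings, which is the point of keying the merge on a normalised attribute rather than on the per-source account name.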

3. Attack path analysis: Exposing how compromise spreads

Attackers chain together small weaknesses across systems. Organisations need visibility into how compromise could unfold:

  • Map relationships across identities, roles, and systems.
  • Identify privilege escalation paths.
  • Assess the blast radius of a compromised identity.
  • Simulate attacker movement.

This becomes more critical with AI in the mix. Automated attack techniques can identify and exploit weak paths faster than manual defences can respond. IAM needs to move from listing access to understanding how access can be abused.
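As an added example (not from the article or any product), the four steps above can be expressed over a small identity graph: nodes are identities, groups, roles and systems, and a directed edge means that controlling the source gives control of the target. The graph, its relationship vocabulary (loosely modelled on how AD and cloud permission graphs are usually described) and the target system are all constructed for the example. Enumerating simple paths from a low-privilege start to a high-value target answers "how could compromise unfold", the reachable set answers "what is the blast radius", and counting which hops the paths share points at the cheapest place to cut them.

```python
"""Added example (not from the article or any product): attack path analysis
over a constructed identity graph. Edge (src, rel, dst) means: holding `src`
lets an attacker take over `dst`. Relationship names are assumptions."""
from collections import Counter, deque

EDGES = [
    ("alice",           "MemberOf",    "Helpdesk"),
    ("ai-ticket-agent", "MemberOf",    "Helpdesk"),        # an AI agent with helpdesk rights
    ("Helpdesk",        "CanResetPwd", "bob"),
    ("bob",             "MemberOf",    "Server Admins"),
    ("Server Admins",   "AdminTo",     "JUMP01"),
    ("JUMP01",          "HasSession",  "svc-sync"),        # creds of svc-sync are on JUMP01
    ("svc-sync",        "WriteOwner",  "Domain Admins"),
    ("Domain Admins",   "AdminTo",     "DC01"),
    ("carol",           "MemberOf",    "Finance"),
    ("Finance",         "CanRead",     "FIN-DB"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, next node)]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def attack_paths(graph, start, target, max_depth=8):
    """Every simple path from start to target as a list of (src, rel, dst) hops."""
    paths, stack = [], [(start, [])]
    while stack:
        node, hops = stack.pop()
        if node == target:
            paths.append(hops)
            continue
        if len(hops) >= max_depth:
            continue
        visited = {start} | {dst for _, _, dst in hops}
        for rel, nxt in graph.get(node, []):
            if nxt not in visited:
                stack.append((nxt, hops + [(node, rel, nxt)]))
    return paths


def blast_radius(graph, start):
    """Everything an attacker who holds `start` can reach (breadth-first)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for _, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def shared_hops(paths):
    """How many paths traverse each hop; the most shared hops are the cheapest cuts."""
    counts = Counter()
    for path in paths:
        counts.update(set(path))
    return counts


def assess(graph, starts, target):
    """Per start identity: number of paths to the target, shortest path length,
    and blast radius size."""
    report = {}
    for start in starts:
        paths = attack_paths(graph, start, target)
        report[start] = {
            "paths_to_target": len(paths),
            "shortest": min((len(p) for p in paths), default=None),
            "blast_radius": len(blast_radius(graph, start)),
        }
    return report


if __name__ == "__main__":
    g = build_graph(EDGES)
    for start, row in assess(g, ["alice", "ai-ticket-agent", "carol"], "DC01").items():
        print(start, row)
    all_paths = [p for s in ("alice", "ai-ticket-agent") for p in attack_paths(g, s, "DC01")]
    for hop, n in shared_hops(all_paths).most_common(3):
        print(f"{n} paths use {hop}")
```

Here both the helpdesk user and the AI agent reach the domain controller in seven hops through the same chain, while the finance user cannot reach it at all, so her blast radius is two nodes. Every hop from the helpdesk password reset onwards is shared by both paths; removing the session of the sync account on the jump host, or the sync account's ability to take ownership of Domain Admins, cuts both paths at once, which is the kind of prioritisation a list of group memberships cannot give you.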

4. Pulling identities into the SOC nerve centre

IAM and SOC teams cannot operate separately. To close the gap:

  • Stream identity signals into SIEM and SOAR pipelines.
  • Enable SOC teams to act directly on identity controls.
  • Run joint response exercises.

The State of Cybersecurity in Canada 2026 also highlights a shift toward integrated security models that bring identity, fraud, and cybersecurity teams together. This ensures that identity compromise is treated as a security event.
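The following added example (not code from the article, ManageEngine, or any SIEM or IdP) shows what "stream identity signals into the SOC and act on identity controls" looks like for two of the tactics listed earlier: MFA fatigue, and the password-only sign-in that the Snowflake intrusions relied on. It runs two detections over a constructed stream of normalised authentication events and attaches the identity-control playbook the SOC would execute. The event field names, the thresholds, the known-network table and the playbook action names are assumptions for the example.

```python
"""Added example (not from the article, ManageEngine, or any SIEM/IdP): two
identity detections over a constructed stream of normalised authentication
events, each mapped to the identity-control action a SOC playbook would take.
Event fields, thresholds and playbook names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: bob is push-bombed and finally approves; svc-etl signs in
# with a password alone from an unfamiliar network; alice is a normal login.
RAW_EVENTS = [
    {"ts": "2025-11-01T02:10:00", "user": "bob", "type": "password", "result": "success", "ip": "203.0.113.7", "mfa": "push"},
    {"ts": "2025-11-01T02:10:05", "user": "bob", "type": "mfa_push", "result": "denied", "ip": "203.0.113.7"},
    {"ts": "2025-11-01T02:11:40", "user": "bob", "type": "mfa_push", "result": "denied", "ip": "203.0.113.7"},
    {"ts": "2025-11-01T02:13:02", "user": "bob", "type": "mfa_push", "result": "denied", "ip": "203.0.113.7"},
    {"ts": "2025-11-01T02:15:31", "user": "bob", "type": "mfa_push", "result": "approved", "ip": "203.0.113.7"},
    {"ts": "2025-11-01T03:00:00", "user": "svc-etl", "type": "password", "result": "success", "ip": "198.51.100.9", "mfa": "none"},
    {"ts": "2025-11-01T09:00:00", "user": "alice", "type": "password", "result": "success", "ip": "192.0.2.10", "mfa": "push"},
    {"ts": "2025-11-01T09:00:04", "user": "alice", "type": "mfa_push", "result": "approved", "ip": "192.0.2.10"},
]
# Networks each identity normally authenticates from (constructed, prefix match).
KNOWN_NETWORKS = {"bob": ("192.0.2.",), "alice": ("192.0.2.",), "svc-etl": ("10.20.",)}

# Identity controls the SOC is authorised to pull for each rule.
PLAYBOOKS = {
    "mfa_fatigue": ["revoke_sessions", "disable_account", "reset_mfa_enrolment", "open_incident"],
    "password_only_login": ["block_source_ip", "enforce_mfa_policy", "rotate_credential", "open_incident"],
}


def parse_events(raw):
    """Parse timestamps and return the events in time order."""
    events = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in raw]
    return sorted(events, key=lambda e: e["ts"])


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_denials=3):
    """An approved push preceded by at least `min_denials` denied pushes within
    `window` for the same user: the user was worn down into approving a login."""
    pushes = defaultdict(list)
    for e in events:
        if e["type"] == "mfa_push":
            pushes[e["user"]].append(e)
    alerts = []
    for user, evs in pushes.items():
        for i, e in enumerate(evs):
            if e["result"] != "approved":
                continue
            denied = [x for x in evs[:i] if x["result"] == "denied" and e["ts"] - x["ts"] <= window]
            if len(denied) >= min_denials:
                alerts.append({"user": user, "rule": "mfa_fatigue", "severity": "high",
                               "evidence": f"{len(denied)} denied pushes before approval from {e['ip']}"})
                break
    return alerts


def detect_password_only(events, known_networks):
    """A successful sign-in with no MFA from outside the identity's known networks:
    the single-factor access the Snowflake intrusions relied on."""
    alerts = []
    for e in events:
        if e["type"] != "password" or e["result"] != "success" or e.get("mfa") != "none":
            continue
        if not any(e["ip"].startswith(p) for p in known_networks.get(e["user"], ())):
            alerts.append({"user": e["user"], "rule": "password_only_login", "severity": "high",
                           "evidence": f"no MFA, source {e['ip']} not in known networks"})
    return alerts


def soar_actions(alerts):
    """Attach the playbook so the SOC acts on the identity control directly."""
    return [dict(a, actions=PLAYBOOKS[a["rule"]]) for a in alerts]


def run(raw=RAW_EVENTS, known=KNOWN_NETWORKS):
    events = parse_events(raw)
    return soar_actions(detect_mfa_fatigue(events) + detect_password_only(events, known))


if __name__ == "__main__":
    for a in run():
        print(f"[{a['severity']}] {a['rule']:20} {a['user']:8} {a['evidence']} -> {', '.join(a['actions'])}")
```

The two rules deliberately fire on the identity, not the endpoint: the response for the push-bombed user is to revoke sessions and disable the account before the attacker uses the approved login, and the response for the service account is to block the source and enforce MFA on it, both of which are IAM actions the SOC must be able to trigger without a ticket to another team. The `min_denials` and `window` parameters are exposed because a site with chatty push prompts will need to tune them against its own false-positive rate.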

The identity imperative

Enterprises have layered on security controls, yet attackers still find their way in because identities connect everything. AI is accelerating this challenge. Every new AI agent, automation workflow, or integration introduces a new identity that must be governed, monitored, and secured. These identities act independently, operate at scale, and often have privileged access. That makes IAM more than a security tool. It is the foundation of resilience.

In Canada, cyber resilience is now seen as a business priority, with identities and trust at the centre of that conversation. For CIOs and CISOs, the question is not whether to invest in IAM but how to make it work as a defence system.

A threat-aware IAM strategy is built on ensuring continuous visibility, understanding how attacks unfold, and responding quickly when identities are misused. In a world where users, machines, and AI agents all operate as identities, defending identities with the same rigour as networks and endpoints is what separates organisations that contain attacks from those that do not.