The traditional security perimeter, based on firewalls and network segmentation, has dissolved. The massive adoption of cloud, hybrid work, microservices architectures, and the explosion of connected devices have blurred the boundaries of the corporate network, leaving organizations without a single point of control. In this new scenario, identity emerges as the common denominator that spans networks, endpoints, applications, and multicloud environments, becoming the new security perimeter.

Rodrigo Jiménez del Val, Head of Engineering and Cybersecurity Architecture at CyberProof (UST), explains it clearly: “The traditional perimeter—based on firewalls and network segmentation—has dissolved.” The reason is digital transformation: data and applications no longer reside within a single protected data center but are distributed across multiple clouds, devices, and locations. In this context, identity becomes the only common element that allows verifying who accesses what, from where, and with what privileges.
The Zero Trust model—“never trust, always verify”—positions identity as the first pillar of the security strategy, according to the NIST SP 800-207 framework. Additionally, European regulation drives this trend: Article 21 of the NIS2 directive requires IAM controls, MFA for critical access, and Zero Trust principles for approximately 160,000 entities in the EU, while Article 9 of the DORA regulation (applicable from January 2025) obliges financial entities to implement identity and access management controls within their ICT risk framework.
Martín Trullás, Director of Advanced Solutions at Ingram Micro Spain, points out that “for years, cybersecurity relied on a relatively defined perimeter: corporate networks, internal systems, etc. But that model has evolved hand in hand with cloud, hybrid work, and the proliferation of distributed devices and applications.” The Thales 2026 Data Threat Report confirms that credential theft is the primary attack vector against cloud infrastructure, cited by 67% of organizations that have suffered incidents. “If identity fails, the rest of the controls lose effectiveness,” emphasizes Eutimio Fernández, Regional Sales Manager for Iberia at Thales Cybersecurity Products.
Óscar Vierge, Director of Strategic Accounts at Serval Networks, adds: “Today, an employee accesses critical company data from home, an airport, or a café; the new point of contact and the only common element in each transaction is identity.” Organizations no longer operate from closed corporate networks but in hybrid and distributed environments with remote users, SaaS applications, multicloud infrastructures, APIs, ephemeral workloads, and automated agents. “The perimeter firewall is still necessary, but it is no longer where security is decided,” states Rafael Rosell Tejada, Chief Revenue Officer (CRO) at S2GRUPO.

The Verizon DBIR shows year after year that most breaches involve abuse of credentials or legitimate identities. Incidents like Okta in 2023, Midnight Blizzard against Microsoft in 2024, or the campaign against Snowflake clients share a pattern: they do not exploit a technical vulnerability but a valid identity. “The attacker no longer breaks in; they log in,” Rosell Tejada asserts. Therefore, IAM, PAM, and Identity Threat Detection and Response (ITDR) occupy a strategic position, along with Zero Trust, which replaces implicit trust with continuous verification based on context and risk.
Javier Torres, Cybersecurity Solutions Architect at Westcon-Comstor Iberia, warns about “the most underestimated problem in the sector”: machine identities—API keys, tokens, automated workloads, AI agents—already outnumber human ones, but many IAM programs are still designed for people. “The result is a structural blind spot: machines operating with excessive privileges, credentials that never rotate, and accesses that no one revokes,” he explains. Eutimio Fernández adds that “a compromised human identity has a limited radius of action; but a compromised machine identity can move laterally, access sensitive data, or trigger large-scale automated processes.” The Thales Bad Bot 2026 report shows that 53% of global internet traffic is automated and 27% of bot attacks target APIs.
The solution, according to Torres, involves treating non-human identities with the same rigor as human ones: full inventory, automatic credential rotation, secure vault storage, and continuous visibility. “The goal is for them to have the same lifecycle, traceability, and security controls as human users,” he concludes.
Cloud Infrastructure Entitlement Management (CIEM) focuses on applying the principle of least privilege in cloud environments. Ross McKerchar, CISO of Sophos, explains that “access permissions multiply in modern cloud environments; each application, workload, and integration introduces rights that remain active long after their purpose expires.” CIEM provides continuous visibility of permissions in multi-cloud environments, but McKerchar warns that “visibility alone is not enough. At Sophos, we consider CIEM more effective when combined with ITDR. CIEM reduces the attack surface by identifying excessive permissions, while ITDR monitors how identities are used and responds to suspicious behavior.”
Carlos Arnal Cardenal, Product Marketing Manager at WatchGuard Technologies, clarifies the difference with IAM: “IAM manages identities across the organization, while CIEM specializes in the cloud part, where environments change faster and traditional tools fall short.” Its real value lies in moving from “we think it’s well configured” to measurable evidence.
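The hygiene controls for non-human identities and the least-privilege review described above (full inventory, credential rotation, entitlements that stay active after their purpose expires) can be expressed as an audit over an identity inventory and a usage log. This is an added example, not code from the article or from any vendor quoted in it; the inventory, usage records, identity names and the 90-day and 60-day thresholds are constructed assumptions.

```python
from datetime import date

TODAY = date(2026, 3, 1)      # fixed so the constructed sample is reproducible
MAX_KEY_AGE_DAYS = 90         # assumed rotation policy
UNUSED_AFTER_DAYS = 60        # assumed window before a grant counts as stale

# Constructed inventory of non-human identities (illustrative, not real data).
INVENTORY = [
    {"id": "svc-billing-api", "owner": "payments-team",
     "key_created": date(2026, 1, 15),
     "granted": {"s3:GetObject", "kms:Decrypt"}},
    {"id": "ci-deploy-bot", "owner": None,
     "key_created": date(2024, 9, 1),
     "granted": {"iam:PassRole", "ec2:RunInstances", "s3:DeleteBucket"}},
]
# Constructed usage log: (identity, permission exercised, date).
USAGE = [
    ("svc-billing-api", "s3:GetObject", date(2026, 2, 27)),
    ("svc-billing-api", "kms:Decrypt", date(2026, 2, 27)),
    ("ci-deploy-bot", "ec2:RunInstances", date(2026, 2, 20)),
    ("ci-deploy-bot", "iam:PassRole", date(2025, 10, 1)),
    ("etl-agent-7", "s3:GetObject", date(2026, 2, 25)),
]

def audit(inventory, usage, today=TODAY):
    """Flag missing owners, overdue rotation, and grants unused in the window."""
    last_used = {}
    for ident, perm, day in usage:
        last_used[(ident, perm)] = max(day, last_used.get((ident, perm), day))
    findings = {}
    for item in inventory:
        issues = []
        if not item["owner"]:
            issues.append("no-owner")
        age = (today - item["key_created"]).days
        if age > MAX_KEY_AGE_DAYS:
            issues.append(f"credential-age:{age}d")
        stale = sorted(
            p for p in item["granted"]
            if (item["id"], p) not in last_used
            or (today - last_used[(item["id"], p)]).days > UNUSED_AFTER_DAYS)
        if stale:
            issues.append("unused:" + ",".join(stale))
        if issues:
            findings[item["id"]] = issues
    # Identities active in logs but missing from the inventory are a blind spot.
    for ident in sorted({u[0] for u in usage} - {i["id"] for i in inventory}):
        findings[ident] = ["not-in-inventory"]
    return findings
```

Calling `audit(INVENTORY, USAGE)` on the sample flags `ci-deploy-bot` for a missing owner, an overdue credential and two unused grants, and reports `etl-agent-7` as active but absent from the inventory.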

Gorka Sainz, Director of Systems Engineering at Fortinet Iberia, points out common errors such as overly permissive access management, accounts with unnecessary privileges, active users after role changes, lack of MFA, and fragmentation of IAM tools. Vincent Nguyen, Cybersecurity Director at Stoïk, adds five key trends: consolidation of ITDR as its own category, specific governance of non-human identities (NHI Management), convergence of IAM, CIEM, ITDR, PAM, and secrets management into unified platforms (Identity Fabric), the massive entry of AI agents as a new class of identity, and the combination of regulation (NIS2, DORA, Cyber Resilience Act) and cyber insurance pushing identity governance from good practice to demonstrable obligation.
Marcos Arévalo Pérez, IAM Consultant at Factum, predicts that “we will continue to see a strong bet on Zero Trust models, more contextual access, and much more controlled privileges, especially for critical accounts. I also believe that passwordless will grow in the user domain.” Finally, Carlos Arnal Cardenal warns that “the dominant solutions in identity security today tend to be designed for large corporations, but the bulk of the business fabric are SMEs that rely on MSPs to diagnose their risks and operate the technology. Serving that model well is a design decision, not an afterthought.”
Original source: ComputerWorld. Analysis and adaptation by ForgeNEX.