Beyond Passwordless: The Era of Identity Fabric and Zero Trust Identity Administration (ZTIA)

My last article broke down how ShinyHunters and APT28 proved that identity is the perimeter: MFA was bypassed in real time, federated SSO trust was weaponized, and trusted sessions became the attack path. If that article was the diagnosis, this one is the treatment plan: how do you actually architect an identity fabric, and what does it look like to operationalize Zero Trust at the identity layer?


Executive Summary

The cybersecurity industry has reached consensus that identity is the new perimeter. But consensus without architecture is just awareness. In 2026, organizations that treat identity as "just SSO plus MFA" are building on a foundation that adversaries have already proven they can bypass. The ShinyHunters campaign against Panera, Match Group, Bumble, and Crunchbase demonstrated that a single compromised Entra session cascades across dozens of federated applications simultaneously. APT28's exploitation of CVE-2026-21509 showed that even zero-day vulnerabilities ultimately converge on identity theft and abuse as the operational objective.

This article provides the architectural blueprint for what comes after that realization. It introduces the Identity Fabric as your unified security control plane and defines Zero Trust Identity Administration (ZTIA) as the operational doctrine governing every access decision across your environment. We will walk through five foundational pillars of enterprise identity security, address the emerging challenge of non-human and agentic AI identities, and outline how MSPs, vendors, and enterprise security leaders can translate these concepts into operational realities.

For security practitioners who implement these controls daily, this is your technical roadmap. For business leaders evaluating risk and making investment decisions, this is your calculus. For MSPs building Security-as-a-Service offerings, this is your growth strategy.

Key Takeaways:

  • Passwordless authentication is necessary but on its own insufficient. Passkeys and passwordless MFA solve for credential theft, but they do not address session hijacking, token replay, over-provisioned service accounts, or the explosion of non-human identities. Authentication gates are one layer of defense. The identity fabric is the whole architecture.

  • An Identity Fabric is the control plane, not a product you buy. It is the abstraction layer that unifies your IAM, PAM, IGA, and ITDR tools into a cohesive, policy-driven governance layer spanning workforce, workload, SaaS, device, and agentic AI identities.

  • Zero Trust Identity Administration (ZTIA) operationalizes the fabric. ZTIA is the operational doctrine that ensures every control, every workflow, and every SaaS onboarding step starts with continuous identity posture assessment and least-privilege enforcement, not just network reachability and a successful sign-in.

  • Non-human identities are the fastest-growing and least-governed attack surface. Machine identities already outnumber human identities. AI agents, service accounts, API keys, and MCP-connected workflows require the same lifecycle governance we apply to human users: provisioning, entitlement management, continuous monitoring, and deprovisioning.

  • MSPs must evolve from identity tool providers to identity fabric architects. Security-as-a-Service offerings that stop at SSO configuration and MFA enrollment are fundamentally fragile. The real market opportunity is delivering identity fabric management, ITDR-as-a-service, and identity-aware incident response as core capabilities.


Why "Go Passwordless" Is Not the Finish Line

The push toward passwordless authentication has been one of the most meaningful security improvements of the past decade. Passkeys backed by the FIDO2 standard, biometric authentication, and certificate-based login flows have materially reduced the risk of credential phishing and brute-force attacks. This is real progress, and organizations that have not yet adopted passwordless MFA should prioritize it immediately.

But here is the uncomfortable truth that our industry needs to internalize: passwordless solves one problem while leaving the broader identity architecture exposed.

Think about what ShinyHunters accomplished in early 2026. Their adversary-in-the-middle (AiTM) proxies did not just steal passwords. They captured session tokens and authentication cookies in real time, after MFA had already been completed. A user authenticating with a passkey through a proxied login page still produces a session token that can be harvested and replayed. The authentication gate was passed successfully. The problem was everything that happened after that access was successful.

This is the distinction that security leaders must internalize: authentication is an entryway, but the identity fabric is the entire building. Doors and gates matter. But when adversaries can steal the key after you have already walked through the entryway, the quality of the locks becomes secondary to the security architecture of the building itself.

What Passwordless Does Not Solve

  • Session token theft and replay: AiTM attacks harvest tokens after authentication completes. Passwordless does not change the token lifecycle.

  • Over-provisioned service accounts: Non-human identities often hold standing privileges that far exceed operational necessity. These identities do not use passwords or passkeys at all.

  • Federated trust cascade: SSO means a single compromised session inherits access to every federated application. Passwordless does not shrink the blast radius of SSO compromise.

  • Identity lifecycle gaps: Stale accounts, orphaned entitlements, and ungoverned OAuth grants create attack paths that no authentication mechanism can close.

  • Agentic AI identities: AI agents operating with elevated privileges do not authenticate with passwords or passkeys. They use tokens, API keys, and service credentials that require entirely different governance models.

Passwordless is a critical investment. But it is one thread in a fabric that needs many more to hold together under adversarial pressure. The rest of this article is about those other threads.

What Is an Identity Fabric (And Why It Matters Now)

The term "identity fabric" has become a fixture in cybersecurity marketing, which means it risks being dismissed as empty jargon. Anyone remember SASE, coined by Gartner a couple of years ago, and how well that permeated the industry? So let us cut through the noise and make sure this is not just the aspiration of analysts who do not actually work with these tools day in and day out.

An identity fabric is the abstraction layer that allows your disparate identity and access management systems to work together without ripping out what you already have. Think of it as weaving together different threads: your identity provider, your privileged access management tools, your governance platform, your threat detection capabilities, your business continuity and recovery objectives. The result is a strong, flexible, and adaptable security fabric that covers the entire organization under a unified policy engine.

Does this matter operationally? The average enterprise today manages five different identity solutions and four different network access solutions, often from multiple vendors. Each solution enforces access differently, with disconnected policies that limit visibility across the identity and network layers. Adversaries do not see your tool boundaries. They see, and aim to exploit, the seams between them. The ShinyHunters campaign exploited exactly this kind of fragmentation: the gap between the identity provider (Microsoft Entra), the federated SaaS applications, and the browser-layer controls that were supposed to protect users at the point of delivery. Your fabric should minimize the blast radius of whatever gets through, the way a flak jacket protects the wearer from fragments that make it past the armor of their vehicle.

An identity fabric does not replace your existing tools. It augments them under a unified strategy, with a consistent governance model, actioned from a centralized visibility and response plane. It is the difference between having five separate, non-communicating alarm systems in your building and having one integrated security operations center that sees and controls everything, everywhere in your building.

The Five Identity Types Your Fabric Must Cover

In my previous article, I outlined four categories of identity that your security program must govern. As the threat landscape has evolved, I am adding a fifth that has earned its own classification over the last two years of innovation in our industry:

  1. Workforce Identities: Your human users. Employees, contractors, partners. These are the identities most organizations manage today through IAM and SSO. They are the most visible and most targeted, but not the most numerous.

  2. Workload Identities: Non-human identities powering your infrastructure. Service accounts, automation credentials, CI/CD pipeline identities, managed identities in cloud environments. These run your operations 24/7 and often carry more privilege than the humans who created them.

  3. SaaS Identities: Per-application, per-tenant identities created within each SaaS platform. These frequently exist outside your central IdP and are governed by application-specific policies that may or may not align with your organizational standards.

  4. Device Identities: Endpoints, servers, OT/IoT devices. Each one requires a unique, attestable identity for granular Zero Trust policy enforcement and company compliance requirements to access the digital workplace. Without device identity, you cannot verify the integrity of the systems from which your users are working.

  5. Agentic AI Identities: The newest and fastest-growing category. AI agents, copilots, and autonomous workflows that act with delegated authority. These require purpose-bound, time-limited credentials with clear delegation chains back to accountable human owners.

Your identity fabric must provide centralized lifecycle management, consistent policy enforcement, and continuous posture assessment across all five categories. If any one of them is ungoverned, you have a gap in your fabric, and in 2026 our adversaries will find it.

The Five Pillars of Enterprise Identity Security

An identity fabric without operational structure is just a concept on a Miro whiteboard. These five pillars provide the architectural framework for building, measuring, and maturing your identity security program. Each pillar maps directly to the gaps exposed by recent attack campaigns and aligns with established frameworks from NIST, CISA, and yes, Gartner.

Pillar 1: Identity Governance and Administration (IGA)

Identity Governance and Administration is the discipline of managing the full lifecycle of every identity in your environment. Provisioning. Entitlement assignment. Access certification. Deprovisioning. If you cannot answer the question "who has access to what, why, and for how long" at any given moment, your IGA practice needs work.

This is the first pillar because every unmanaged identity is an opening. When ShinyHunters compromised the Entra credentials, the blast radius of that compromise was determined by how many applications trusted those credentials and how broadly those identities were entitled. Over-provisioned accounts, orphaned entitlements, and stale access grants do not just represent poor access hygiene. They directly amplify the impact of any identity compromise event.

What Mature IGA Requires

  • Automated provisioning and deprovisioning tied to HR lifecycle events and role changes, not manual ticket-based workflows

  • Regular access certification campaigns with genuine business owner attestation, not rubber-stamp approval cycles that exist only to satisfy auditors

  • Entitlement analytics that identify over-provisioned accounts and toxic access combinations before adversaries can exploit them

  • Separation of duties enforcement across mission-critical and highly sensitive business processes

  • Governance coverage that extends to non-human identities, not just workforce accounts

Here is a simple litmus test: can you tell me right now exactly how many identities exist in your environment, what each one has access to, and when that access was last reviewed? If the answer involves spreadsheets or guesswork, this pillar demands the investment of your team's time.

Pillar 2: Privileged Access Management (PAM)

Privileged Access Management governs elevated access: administrative credentials, break-glass accounts, service account privileges, and any identity with the ability to modify security configurations or access sensitive data at scale. PAM is where identity security meets operational reality, because privilege is the accelerant that turns a single compromise into a full breach.

APT28's campaign demonstrated this explicitly. Once MiniDoor and Covenant Grunt implants were established, the adversaries extracted cached credentials from Windows systems, harvested tokens from browser stores, and dumped LSASS memory to obtain plaintext passwords and NTLM hashes. Every standing privilege they discovered became a lateral movement path. Every administrative credential that was not protected by just-in-time controls became a steppingstone deeper into their victim's environment.

What Mature PAM Requires

  • Just-in-time (JIT) privilege elevation replacing standing administrative access wherever operationally feasible

  • Session recording and real-time monitoring for all privileged activities

  • Vault-based credential management with automatic rotation on defined schedules

  • Privileged access workstation (PAW) requirements for high-impact administrative operations

  • A target state of zero standing privileges: no identity holds persistent elevated access without continuous, documented justification

Ask yourself: how many accounts in your environment have standing administrative privileges right now? How many of those are actively monitored with session recording? If the ratio of standing privilege to monitored access is high, your PAM pillar is exposed.

Pillar 3: Identity Threat Detection and Response (ITDR)

This pillar is where many organizations have the largest blind spot. ITDR provides continuous monitoring and response capabilities designed specifically to detect identity-based attack indicators. Not malware signatures. Not network anomalies. Identity-specific threats: abnormal authentication patterns, token abuse, privilege escalation, service account manipulation, and federated trust exploitation.

Traditional detection tools missed both the ShinyHunters and APT28 campaigns because those tools were looking for the wrong signals. Network security controls saw legitimate Microsoft IP addresses and valid TLS certificates. Endpoint detection observed normal browser behavior connecting to authentic Microsoft domains. Identity providers authenticated requests with valid tokens and could not distinguish replayed sessions from legitimate user activity. The attacks were invisible to any tool that does not understand identity-specific attack patterns.

What Mature ITDR Requires

  • Anomalous token issuance detection: tokens minted from unusual locations, devices, or at unusual frequencies

  • OAuth grant monitoring for suspicious application consent patterns and scope escalation

  • Service account behavioral analysis to detect deviation from established access patterns

  • Federated trust relationship monitoring for unexpected cross-tenant or cross-application access

  • Automated response playbooks for token revocation, session termination, and emergency credential rotation
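The first, second and fifth requirements above can be expressed as plain detection logic run over sign-in telemetry. The following Python is an added example written for this article, not code from the original post or from any identity provider's product: the event schema, the per-user baseline, the thresholds and the sample events are all constructed assumptions, and each finding carries the playbook step it should trigger.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sign-in/token telemetry (not real logs). The field names are an
# assumption for this example, not any identity provider's schema.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2026-02-03T08:00:00", "ip": "203.0.113.10", "country": "US",
     "device": "dev-a1", "session": "s-100", "type": "token_issued"},
    {"user": "alice", "ts": "2026-02-03T08:05:00", "ip": "203.0.113.10", "country": "US",
     "device": "dev-a1", "session": "s-100", "type": "token_used"},
    # the same session token presented from another network and device minutes later
    {"user": "alice", "ts": "2026-02-03T08:08:00", "ip": "198.51.100.77", "country": "NL",
     "device": "dev-zz", "session": "s-100", "type": "token_used"},
    # a token minted from a country outside bob's baseline
    {"user": "bob", "ts": "2026-02-03T09:00:00", "ip": "192.0.2.5", "country": "BR",
     "device": "dev-b1", "session": "s-200", "type": "token_issued"},
    # three tokens minted for carol within 40 seconds
    {"user": "carol", "ts": "2026-02-03T10:00:00", "ip": "203.0.113.50", "country": "US",
     "device": "dev-c1", "session": "s-301", "type": "token_issued"},
    {"user": "carol", "ts": "2026-02-03T10:00:20", "ip": "203.0.113.50", "country": "US",
     "device": "dev-c1", "session": "s-302", "type": "token_issued"},
    {"user": "carol", "ts": "2026-02-03T10:00:40", "ip": "203.0.113.50", "country": "US",
     "device": "dev-c1", "session": "s-303", "type": "token_issued"},
]

# Constructed per-user baseline of previously seen countries and devices.
BASELINE = {
    "alice": {"countries": {"US"}, "devices": {"dev-a1"}},
    "bob": {"countries": {"US"}, "devices": {"dev-b1"}},
    "carol": {"countries": {"US"}, "devices": {"dev-c1"}},
}


@dataclass
class Finding:
    user: str
    rule: str
    detail: str
    action: str  # the response playbook step this finding should trigger


def analyze_signins(events, baseline, burst_threshold=3,
                    burst_window=timedelta(minutes=5),
                    replay_window=timedelta(minutes=30)):
    """Run three identity-specific detections over time-ordered events."""
    ordered = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                     key=lambda e: e["ts"])
    issued = defaultdict(list)   # user -> timestamps of token issuance
    seen = defaultdict(list)     # session -> [(ts, ip, device)] presentations
    reported = set()             # (rule, key) pairs already raised, to avoid duplicates
    findings = []

    for e in ordered:
        known = baseline.get(e["user"], {"countries": set(), "devices": set()})

        if e["type"] == "token_issued":
            # Rule 1: token minted from a location or device outside the user's baseline.
            if e["country"] not in known["countries"] or e["device"] not in known["devices"]:
                findings.append(Finding(
                    e["user"], "anomalous_token_issuance",
                    f"token minted from {e['country']} on {e['device']}, outside baseline",
                    f"require step-up authentication for {e['user']} and revoke session {e['session']}"))
            # Rule 2: unusual issuance frequency within a sliding window.
            issued[e["user"]].append(e["ts"])
            recent = [t for t in issued[e["user"]] if e["ts"] - t <= burst_window]
            if len(recent) >= burst_threshold and ("burst", e["user"]) not in reported:
                reported.add(("burst", e["user"]))
                findings.append(Finding(
                    e["user"], "token_issuance_burst",
                    f"{len(recent)} tokens minted within {burst_window}",
                    f"revoke all sessions for {e['user']} and open an investigation"))

        # Rule 3: one session token presented from two different network/device
        # contexts inside the replay window (the post-MFA token theft pattern).
        for ts, ip, device in seen[e["session"]]:
            context_changed = (ip, device) != (e["ip"], e["device"])
            if (context_changed and e["ts"] - ts <= replay_window
                    and ("replay", e["session"]) not in reported):
                reported.add(("replay", e["session"]))
                findings.append(Finding(
                    e["user"], "session_token_replay",
                    f"session {e['session']} used from {ip}/{device} and then {e['ip']}/{e['device']}",
                    f"revoke session {e['session']} at the IdP and every federated app, "
                    f"then rotate credentials for {e['user']}"))
                break
        seen[e["session"]].append((e["ts"], e["ip"], e["device"]))

    return findings


if __name__ == "__main__":
    for f in analyze_signins(SAMPLE_EVENTS, BASELINE):
        print(f"[{f.rule}] {f.user}: {f.detail} -> {f.action}")
```

The replay rule is the one that traditional tooling misses: every one of those requests carried a valid token, so the only signal is that the same session appeared in two contexts that cannot both be the user. The action string is the hand-off into the SOC pipeline, and note that revocation has to fan out to every federated application, not just the one where the replay was observed.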

Here is the critical shift that separates good security programs from great ones: ITDR must converge with your SOC operations. Identity threat detection cannot live in a silo. It must feed the same detection pipeline, the same alert triage workflows, and the same incident response procedures that handle endpoint and network detections. As I wrote in my previous article, incident response without identity context is just log collection. ITDR is the tip of the spear for your SOC and their incident response procedures.

Pillar 4: Non-Human Identity Management

If Pillars 1 through 3 represent the foundation your organization likely already has in some form or fashion, Pillar 4 will expose how much work remains. Non-human identity management covers governance, lifecycle management, and continuous monitoring of every identity that is not a human user: service accounts, API keys, certificates, managed identities, CI/CD credentials, and the rapidly growing category of agentic AI identities.

Recent numbers tell the story. Machine identities already outnumber human identities in most enterprise environments today, and the gap is widening. Research from the Cloud Security Alliance and Oasis Security found that 78% of organizations lack formal policies for creating or removing non-human identities, and 92% lack confidence that their legacy IAM tools can manage the risks. That gap between the speed of AI adoption and the maturity of identity governance for those AI systems is the single largest emerging risk in enterprise security today.

What Mature NHI Management Requires

  • A centralized inventory of all non-human identities across cloud, on-premises, and SaaS environments

  • Automated credential rotation with defined maximum lifetime policies, eliminating long-lived secrets entirely

  • Purpose-bound, time-limited credentials for AI agents that automatically expire after task completion

  • Clear ownership chains linking every non-human identity to an accountable human owner

  • Behavioral monitoring and anomaly detection calibrated for machine-speed access patterns

  • Deprovisioning automation tied to workload lifecycle events: when a service is decommissioned, its identities must be revoked

A direct question for your team: can you produce a complete inventory of every non-human identity in your environment right now? Do you know which ones hold credentials older than 90 days? Which ones have administrative privileges? If those questions are difficult to answer, this pillar is where your next investment should go.
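Those questions are only answerable if the inventory is structured data that a script can interrogate. The following Python is an added example, not code from the original article or from any NHI product: the inventory records, owner names, dates and privilege labels are constructed, and the ADMIN_PRIVILEGES set is an assumed naming convention. It checks the four gaps named above (credential age, missing owner, standing admin privilege, and an identity that outlived its workload) and ranks the results.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class NonHumanIdentity:
    identity_id: str
    kind: str                 # service_account, api_key, managed_identity, agent
    owner: str | None         # accountable human owner, or None if orphaned
    last_rotated: date        # when the credential was last rotated or issued
    privileges: list
    workload_active: bool     # False once the workload it served is decommissioned


# Constructed inventory; names, owners and dates are made up for the example.
SAMPLE_INVENTORY = [
    NonHumanIdentity("svc-billing-sync", "service_account", "alice@example.test",
                     date(2025, 9, 1), ["read:billing"], True),
    NonHumanIdentity("key-ci-deploy", "api_key", None,
                     date(2026, 1, 20), ["admin"], True),
    NonHumanIdentity("agent-support-bot", "agent", "bob@example.test",
                     date(2026, 1, 30), ["read:crm"], True),
    NonHumanIdentity("mi-legacy-etl", "managed_identity", "carol@example.test",
                     date(2025, 11, 15), ["admin"], False),
]

# Constructed audit date and an assumed set of privilege names that count as administrative.
AUDIT_DATE = date(2026, 2, 3)
ADMIN_PRIVILEGES = {"admin", "owner", "global_admin"}


def audit_nhi(inventory, now, max_credential_age_days=90):
    """Return {identity_id: [issue, ...]} for every identity with at least one gap."""
    report = {}
    for nhi in inventory:
        issues = []
        age_days = (now - nhi.last_rotated).days
        if age_days > max_credential_age_days:
            issues.append(f"credential_older_than_{max_credential_age_days}d")
        if nhi.owner is None:
            issues.append("no_accountable_owner")
        if ADMIN_PRIVILEGES & set(nhi.privileges):
            issues.append("standing_admin_privilege")
        if not nhi.workload_active:
            issues.append("workload_decommissioned")
        if issues:
            report[nhi.identity_id] = issues
    return report


def count_by_issue(report):
    """Answer 'how many hold credentials older than 90 days?' and similar questions."""
    counts = {}
    for issues in report.values():
        for issue in issues:
            counts[issue] = counts.get(issue, 0) + 1
    return counts


def prioritize(report):
    """Order identities so admin-capable and ownerless ones are remediated first."""
    weight = {"standing_admin_privilege": 3, "no_accountable_owner": 2,
              "workload_decommissioned": 2}
    return sorted(report, key=lambda i: -sum(weight.get(x, 1) for x in report[i]))


if __name__ == "__main__":
    report = audit_nhi(SAMPLE_INVENTORY, AUDIT_DATE)
    for identity_id in prioritize(report):
        print(identity_id, report[identity_id])
    print(count_by_issue(report))
```

In a real environment the inventory list would be assembled from cloud IAM, secret stores, CI/CD systems and SaaS admin APIs; the audit logic stays the same. The ranking deliberately puts an ownerless admin API key ahead of a merely stale read-only account, because the former has no one to answer for it and the latter has a bounded blast radius.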

Pillar 5: Identity-Aware Business Continuity

This is the pillar most organizations skip. It is also the one that determines whether a breach becomes a business disruption or a business-ending event.

Identity-aware business continuity means having tested plans, documented procedures, and proven technical capabilities for maintaining, recovering, and reconstituting your identity infrastructure during and after a security incident. When ShinyHunters compromised Microsoft Entra credentials, many victim organizations discovered something alarming: they had no rehearsed procedure for emergency token revocation across their federated SaaS applications. They could not answer basic operational questions. How do we invalidate all active sessions across every connected application? How do we re-issue credentials to legitimate users while adversaries still hold valid tokens? How do we verify that reconstituted identities have not been backdoored?

This is not a technology problem. It is a planning problem. And it is solvable.

What Identity-Aware Business Continuity Requires

  • Tested backup and recovery procedures for identity stores and authentication systems

  • Emergency token revocation playbooks that can invalidate sessions across all federated applications within a defined SLO

  • Identity reconstitution procedures for re-establishing trusted identities after compromise, including verification that no attacker persistence mechanisms remain

  • IdP failover capabilities: secondary identity providers that can be activated for disaster recovery while the primary is being remediated

  • Tabletop exercises focused specifically on identity compromise scenarios, not just the familiar data exfiltration or ransomware simulations

  • Documented procedures for revoking and rotating credentials across non-human identities during active incidents

Have you run a tabletop exercise in the last 12 months that specifically simulated a compromised identity provider? Do you have a documented, tested procedure for emergency token revocation across every federated application in your environment? If the answer to either question is no, this is the most critical gap in your operations today.

Zero Trust Identity Administration: From Principle to Practice

Zero Trust as a concept is well understood: never trust, always verify. But in too many organizations, Zero Trust implementation stops at network segmentation and conditional access policies. The network gets the Zero Trust treatment. The identity layer does not. After a while, the Zero Trust controls may even be rolled back because they proved too disruptive to business productivity and user experience. Access is not the issue; the administration of it is.

Zero Trust Identity Administration (ZTIA) extends the principle to its logical conclusion. Every administrative action, every entitlement grant, every identity lifecycle event must be continuously validated against posture, context, and least-privilege principles. Where Zero Trust Architecture (ZTA) provides the framework and Zero Trust Network Access (ZTNA) secures the transport, ZTIA governs the identity layer itself. It is the operational doctrine that ensures your identity fabric does not just exist on paper. It works under pressure.

ZTIA Core Principles

These principles are drawn from NIST SP 800-207, the CISA Zero Trust Maturity Model, and the Federal ICAM Architecture (FICAM), synthesized into an operational model for enterprise and MSP adoption:

  1. Continuous Identity Posture Assessment. Every identity's security posture is evaluated continuously, not just at authentication time. Device health, behavioral patterns, risk signals from ITDR, and contextual factors inform ongoing access decisions throughout the session and beyond.

  2. Least Privilege as Default State. No identity holds standing access beyond what is required for current, active work. Privileges are granted just-in-time, scoped to specific resources, and automatically revoked when no longer justified.

  3. Explicit Verification at Every Layer. Authentication and authorization are discrete, continuous functions. A successful sign-in does not grant implicit trust to downstream resources. Every access request to every resource is evaluated independently.

  4. Identity Lifecycle as Security Control. Provisioning, entitlement changes, and deprovisioning are treated as security events requiring validation, logging, and attestation. They are not just IT service tickets to be fulfilled.

  5. Assume Compromise. This architecture operates on the assumption that any identity may be compromised at any time. Controls are designed to limit blast radius, detect possible abuse quickly, and enable rapid remediation when compromise is suspected or confirmed.

How ZTIA Maps to Established Frameworks

ZTIA is not a competing framework to our existing ones. It is an operational layer that sits on top of the architectural guidance already published by well-known organizations in our industry:

  • NIST SP 800-207 provides the conceptual framework: policy engines, policy administrators, and policy enforcement points. ZTIA operationalizes these components specifically for identity decisions.

  • CISA Zero Trust Maturity Model defines the Identity pillar with maturity stages from Traditional through Advanced to Optimal. ZTIA provides the operational doctrine for moving between those stages with measurable outcomes.

  • FICAM (Federal ICAM Architecture) establishes the foundation for identity, credential, and access management across federal agencies. ZTIA extends FICAM principles to modern hybrid environments, non-human identities, and agentic AI.

  • Microsoft's Zero Trust Identity deployment guidance recommends cloud identity federation, conditional access policies, identity governance, and real-time analytics. ZTIA wraps these capabilities in a continuous governance model that prevents configuration drift and enforces posture over time.

What ZTIA Looks Like in Practice

  • Policy-as-code: Identity and access policies defined, versioned, and deployed through automated pipelines, with the policy artifacts fingerprinted so that unauthorized changes to the code can be detected. No more manual configuration changes in admin consoles that introduce drift and escape audit trails.

  • Continuous compliance validation: Automated drift detection that alerts when identity configurations deviate from approved baselines, before adversaries exploit the gap.

  • Identity-aware conditional access: Access decisions that incorporate identity posture (credential age, device compliance, behavioral risk score) alongside traditional network context.

  • Automated response orchestration: When ITDR detects identity-based threats, response actions including session revocation, credential rotation, and privilege reductions are executed automatically within defined guardrails.

  • Cross-pillar telemetry: Identity signals correlated with endpoint, network, and application telemetry to provide complete attack chain visibility. No pillar operates in isolation.
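The first two items above, policy-as-code with fingerprint verification and continuous drift detection, fit in a few dozen lines. The following Python is an added example and is not part of the original article or any vendor's tooling. The policy keys are vendor-neutral names chosen for the example rather than any product's configuration schema, and both the approved baseline and the live snapshot are constructed.

```python
import hashlib
import hmac
import json

# Constructed approved baseline, as it would be committed to the policy repository.
BASELINE_POLICY = {
    "conditional_access": {
        "require_mfa": True,
        "require_compliant_device": True,
        "sign_in_frequency_hours": 8,
        "block_legacy_auth": True,
    },
    "privileged_roles": {"global_admin": ["breakglass-1", "breakglass-2"]},
    "token_lifetime_minutes": 60,
}

# Constructed snapshot of what the tenant actually enforces after someone
# "fixed" a user complaint directly in the admin console.
LIVE_CONFIG = {
    "conditional_access": {
        "require_mfa": True,
        "require_compliant_device": False,
        "sign_in_frequency_hours": 168,
        "block_legacy_auth": True,
    },
    "privileged_roles": {"global_admin": ["breakglass-1", "breakglass-2", "svc-helpdesk"]},
    "token_lifetime_minutes": 60,
    "legacy_auth_exception_groups": ["contractors"],
}


def canonical(policy):
    """Stable serialization so the same policy always hashes the same way."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def fingerprint(policy):
    return hashlib.sha256(canonical(policy)).hexdigest()


def verify_fingerprint(policy, expected):
    """Constant-time comparison against the fingerprint recorded at approval."""
    return hmac.compare_digest(fingerprint(policy), expected)


# In a real pipeline this value is recorded at approval time (for example in the
# merge record); it is computed inline here so the example is self-contained.
APPROVED_FINGERPRINT = fingerprint(BASELINE_POLICY)


def detect_drift(baseline, live, path=""):
    """Return [(dotted_path, baseline_value, live_value)] for every difference."""
    drift = []
    if isinstance(baseline, dict) and isinstance(live, dict):
        for key in sorted(set(baseline) | set(live)):
            child = f"{path}.{key}" if path else key
            if key not in baseline:
                drift.append((child, None, live[key]))      # setting added outside the pipeline
            elif key not in live:
                drift.append((child, baseline[key], None))  # approved setting removed
            else:
                drift.extend(detect_drift(baseline[key], live[key], child))
    elif baseline != live:
        drift.append((path, baseline, live))
    return drift


def added_privileged_members(baseline, live):
    """Role members present in the live tenant but absent from the approved baseline."""
    added = {}
    for role, members in live.get("privileged_roles", {}).items():
        approved = set(baseline.get("privileged_roles", {}).get(role, []))
        extra = [m for m in members if m not in approved]
        if extra:
            added[role] = extra
    return added


if __name__ == "__main__":
    print("baseline intact:", verify_fingerprint(BASELINE_POLICY, APPROVED_FINGERPRINT))
    for path, before, after in detect_drift(BASELINE_POLICY, LIVE_CONFIG):
        print(f"DRIFT {path}: {before!r} -> {after!r}")
    print("unapproved privileged members:", added_privileged_members(BASELINE_POLICY, LIVE_CONFIG))
```

Run on a schedule, `detect_drift` is the continuous compliance check: the live snapshot is pulled from the tenant, compared with the fingerprint-verified baseline from the repository, and any difference is an alert before it is a finding in an incident report. The privileged-role check is called out separately because an unexpected administrator is the drift that matters most.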

The Agentic AI Identity Challenge

In my previous article, I noted that once an adversary holds a trusted session, they can leverage agentic AI assistants to supercharge their exploitation goals. That observation is becoming a reality faster than most security programs can adapt to it.

Agentic AI systems that can plan, execute multi-step tasks, and make decisions without continuous human oversight are being deployed across enterprises at an accelerating pace. These agents access CRM platforms, code repositories, financial systems, and customer data. Each one represents a non-human identity with delegated authority, and the vast majority of them operate outside the traditional identity governance frameworks that organizations have spent years building for human users.

Why Traditional IAM Was Not Built for This

Traditional identity governance assumes access requests come from people: users who can be trained on security policy, who can be subjected to access reviews, and who can be held personally accountable for their actions. AI agents break these assumptions across four dimensions:

  • Speed. AI agents operate at machine speed, making thousands of access decisions per minute. Human-speed governance processes like regular access reviews and manual attestation campaigns cannot keep up with this pace.

  • Scope. Agents often accumulate effective permissions far exceeding their intended scope. This is especially true when Model Context Protocol (MCP) frameworks enable cross-platform tool invocation with loosely defined permission boundaries.

  • Invisibility. Many AI agents do not appear in traditional IAM dashboards at all. They may use service account credentials, shared API keys, or platform-specific authentication mechanisms that never register with your central identity provider.

  • Inheritance. When an agent acts, it typically inherits the permissions of its creator, including both the intentional permissions and the accidental ones. Every instance of excess privilege on the creator's account becomes an instant exposure through the agent.

Where to Start: Practical Guidance

Organizations do not need to solve every agentic AI governance challenge tomorrow. But they do need to start on foundational controls today:

  1. Treat AI agents as first-class identities. Every agent gets provisioned, entitled, monitored, and deprovisioned through the same governance framework as applied to human users, with no exceptions.

  2. Enforce purpose-bound, time-limited credentials. Agent credentials should be scoped to specific tasks and automatically expire after completion. Eliminate long-lived API keys and standing service account access for agentic workloads.

  3. Establish delegation chains. Every AI agent must link back to an accountable human owner. If an agent's actions cause a security incident, there must be a clear and documented chain of responsibility.

  4. Monitor at machine speed. Behavioral monitoring for AI agents must operate at the same speed the agents themselves do. Anomaly detection should flag excessive data access, unusual cross-system actions, and high-velocity operations.

  5. Build an agent inventory. You cannot govern what you cannot see. Start by cataloging every AI agent operating in your environment, including shadow AI deployments that business units have created without IT oversight.
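Steps 1, 2, 3 and 5 above can all be enforced at the point where an agent credential is issued. The following Python is an added example, not the article's code and not any agent framework's API: it issues HMAC-signed, purpose-bound, time-limited credentials that chain to a human owner, refuses any scope the owner does not hold (the inheritance problem in reverse), and records every issuance in an inventory. The signing key, owner entitlements, agent names and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed demo key. In practice this lives in a vault or KMS, never in code.
SIGNING_KEY = b"constructed-demo-signing-key"

# Constructed entitlements held by accountable human owners. An agent may never
# be issued a scope that its owner does not hold.
OWNER_ENTITLEMENTS = {
    "alice@example.test": {"crm:read", "crm:write", "tickets:read"},
    "bob@example.test": {"repo:read"},
}

# Agent inventory populated on issuance, so no agent credential exists unseen.
AGENT_INVENTORY = {}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload_b64):
    return _b64(hmac.new(SIGNING_KEY, payload_b64.encode(), hashlib.sha256).digest())


def issue_agent_credential(agent_id, owner, purpose, scopes, ttl, now):
    """Mint a purpose-bound, time-limited credential chained to a human owner."""
    if owner not in OWNER_ENTITLEMENTS:
        raise ValueError("every agent must chain to an accountable human owner")
    excess = set(scopes) - OWNER_ENTITLEMENTS[owner]
    if excess:
        raise ValueError(f"owner lacks {sorted(excess)}; an agent cannot exceed its owner")
    payload = {
        "sub": agent_id, "owner": owner, "purpose": purpose,
        "scopes": sorted(scopes),
        "iat": int(now.timestamp()), "exp": int((now + ttl).timestamp()),
    }
    payload_b64 = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    token = f"{payload_b64}.{_sign(payload_b64)}"
    # Inventory keeps the claims and a fingerprint of the token, never the token itself.
    AGENT_INVENTORY[agent_id] = {**payload,
                                 "token_fingerprint": hashlib.sha256(token.encode()).hexdigest()[:16]}
    return token


def authorize(token, requested_scope, now):
    """Every request is evaluated independently: signature, expiry, then scope."""
    try:
        payload_b64, sig = token.split(".", 1)
    except ValueError:
        return False, "malformed"
    if not hmac.compare_digest(sig, _sign(payload_b64)):
        return False, "bad_signature"
    claims = json.loads(_unb64(payload_b64))
    if now.timestamp() >= claims["exp"]:
        return False, "expired"
    if requested_scope not in claims["scopes"]:
        return False, "out_of_scope"
    return True, f"ok:{claims['owner']}"


def demo():
    """Walk through issuance and the four ways a request can be refused."""
    now = datetime(2026, 2, 3, 8, 0, tzinfo=timezone.utc)  # constructed clock
    tok = issue_agent_credential("agent-crm-summarizer", "alice@example.test",
                                 "summarize open deals", ["crm:read"],
                                 timedelta(minutes=15), now)
    tampered = tok[:-1] + ("A" if tok[-1] != "A" else "B")  # one altered signature char
    try:
        # bob holds repo:read only, so the crm:read scope must be refused at issuance
        issue_agent_credential("agent-repo-bot", "bob@example.test", "triage issues",
                               ["repo:read", "crm:read"], timedelta(minutes=5), now)
        excess = "issued"
    except ValueError:
        excess = "refused"
    return {
        "in_scope": authorize(tok, "crm:read", now),
        "out_of_scope": authorize(tok, "crm:write", now),
        "expired": authorize(tok, "crm:read", now + timedelta(minutes=16)),
        "tampered": authorize(tampered, "crm:read", now),
        "excess_scope_issuance": excess,
        "inventory": sorted(AGENT_INVENTORY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The credential carries its purpose, its owner and its expiry as signed claims, so the delegation chain travels with every request and a stolen token is worth at most fifteen minutes of a narrow scope. The `demo` function doubles as the worked scenario: an in-scope call succeeds, a write outside the issued scope is refused even though the owner could have granted it, and the repo bot is never created because its requested scope exceeds what its owner holds.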

The MSP and Vendor Opportunity

For MSPs and security service providers, the shift to identity-centric security is not just a technical evolution. It is a market opportunity. Organizations of every size should recognize that identity is their primary attack surface. Most lack the internal expertise, the tooling depth, and the operational discipline to build and maintain an identity fabric on their own. That is exactly the gap that MSPs are positioned to fill.

Where the Market Is Moving

Security-as-a-Service offerings that stop at "SSO plus MFA" are table stakes now. They are necessary, but they are not sufficient to retain clients or command premium positioning. The market differentiation and the client retention advantage lie in delivering capabilities that go deeper than the competition:

  • Identity Fabric Management: Continuous configuration, monitoring, and optimization of the client's identity infrastructure across workforce, workload, SaaS, device, and AI identities.

  • ITDR-as-a-Service: Identity-specific threat detection and response delivered as a managed service, integrated with broader MDR/XDR capabilities so identity signals feed the same detection pipeline for more efficient response capabilities.

  • Identity Posture Management: Continuous assessment and reporting on identity security posture, including credential age, entitlement sprawl, over-provisioned accounts, and ungoverned non-human identities.

  • Identity-Aware Incident Response: IR capabilities that include identity-first investigation workflows, emergency token revocation, identity failover and identity reconstitution procedures.

  • Non-Human Identity Governance: Service account auditing, API key lifecycle management, and AI agent governance delivered as a managed capability.

Building the Business Case

For MSPs evaluating this investment, here are some dynamics that make the case compelling:

First, identity compromise is now the leading cause of breaches. Clients who experience identity-based attacks will look for partners who can prevent and respond to them, not partners who only managed their SSO configuration and MFA enrollment.

Second, ITDR and identity fabric management create recurring revenue streams with high retention. When you are deeply integrated into a client's identity infrastructure, the switching cost is significant. That is good for your business and good for the client's continuity.

Third, regulatory compliance requirements from frameworks like SOX, GDPR, HIPAA, and the EU AI Act increasingly demand identity governance capabilities that SMBs cannot build internally. MSPs who deliver compliance-aligned identity services become indispensable partners.

Fourth, the non-human identity challenge is only growing. MSPs who develop expertise in NHI governance now will hold a significant competitive advantage as the market matures and client demand accelerates with the digital workforce tools of the future.

Your strategic positioning starts when you stop thinking of your MSP as a tool reseller and start positioning it as an identity fabric architect. You are not selling identity licenses. You are delivering the operational discipline, the continuous monitoring, and the incident response capability that turns a collection of identity tools into a functioning security architecture. That is a fundamentally different value proposition, and clients will pay for it.

The Path Forward: Building Your Identity Architecture

ShinyHunters and APT28 were not outliers. Their attacks are blueprints that other adversaries will weaponize and iterate on, because they prove that identity is the highest-return target when attacking victims. The convergence of two very different threat actors on identity-based tradecraft confirms what the security industry has been saying for years: identity is the perimeter, and it must be architected and scrutinized, not just defended.

For Cyber Security Leaders

  • Audit your identity fabric across all five identity types: workforce, workload, SaaS, device, and agentic AI

  • Assess your maturity against the five pillars outlined in this article and identify your weakest link, then make a plan to harden it.

  • Implement ZTIA principles: continuous posture assessment, least privilege as default state, assume compromise as your operating model

  • Test your identity reconstitution procedures through tabletop exercises that simulate IdP compromise

  • Build a complete inventory of all non-human identities and establish governance for agentic AI deployments before the next breach forces your hand

For MSPs and Security Service Providers

  • Evaluate your Security-as-a-Service portfolio honestly: does it extend beyond SSO and MFA into ITDR, posture management, and identity-aware incident response?

  • Develop identity fabric management as a core service offering, not a premium add-on that few clients purchase

  • Build incident response playbooks specifically around identity compromise scenarios

  • Invest in non-human identity governance expertise now, while the competitive landscape is still forming

  • Position your firm as an identity fabric architect that delivers outcomes, not a tool reseller that delivers licenses

For Technical Practitioners

  • Implement policy-as-code for identity and access configurations to eliminate manual admin console changes

  • Deploy ITDR capabilities that monitor token issuance, OAuth grants, service account behavior, and federated trust anomalies

  • Integrate identity telemetry into your SIEM/SOAR pipelines alongside endpoint and network signals

  • Enforce just-in-time privilege elevation and work toward zero standing privileges for all administrative access

  • Start cataloging AI agents and non-human identities today. You cannot govern what you cannot see.
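The ITDR monitoring and non-human identity bullets above can be made concrete with a few detection rules run over identity telemetry. The following is an added example, not code from the article or from any vendor product; the event fields, the risky-scope list and the `svc-`/`sa-` naming convention for service accounts are all assumptions, and the events are constructed sample data.

```python
"""Minimal ITDR-style detections over constructed identity telemetry.

Three rules from the practitioner checklist:
  1. Session token replay: a token used from a different IP/user agent than it was issued to.
  2. Risky OAuth consent: a user granting an app broad mail or files scopes.
  3. Non-human identity misuse: a service account performing an interactive sign-in.
Field names and the scope/prefix lists are assumptions, not any IdP's real schema.
"""

RISKY_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"}  # assumed watch-list
NHI_PREFIXES = ("svc-", "sa-")  # constructed naming convention for service accounts

EVENTS = [  # constructed sample telemetry, in order of occurrence
    {"type": "token_issued", "token": "t1", "user": "alice", "ip": "10.1.1.5", "ua": "Edge/120"},
    {"type": "token_used", "token": "t1", "user": "alice", "ip": "10.1.1.5", "ua": "Edge/120"},
    {"type": "token_used", "token": "t1", "user": "alice", "ip": "203.0.113.9", "ua": "python-requests/2.31"},
    {"type": "oauth_consent", "user": "bob", "app": "Helpful Notes", "scopes": ["User.Read"]},
    {"type": "oauth_consent", "user": "bob", "app": "Quick Backup", "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"type": "signin", "user": "svc-backup", "interactive": True, "ip": "198.51.100.7"},
    {"type": "signin", "user": "svc-backup", "interactive": False, "ip": "10.1.1.20"},
]


def detect(events):
    """Return (rule, user, detail) findings in the order the triggering events appear."""
    issued = {}  # token id -> (ip, user agent) recorded at issuance
    findings = []
    for e in events:
        kind = e["type"]
        if kind == "token_issued":
            issued[e["token"]] = (e["ip"], e["ua"])
        elif kind == "token_used":
            origin = issued.get(e["token"])
            # A token presented from a different network/client than it was issued to
            # is the session-theft pattern the article describes.
            if origin and origin != (e["ip"], e["ua"]):
                findings.append(("token_replay", e["user"],
                                 f"issued to {origin}, used from {(e['ip'], e['ua'])}"))
        elif kind == "oauth_consent":
            risky = RISKY_SCOPES.intersection(e["scopes"])
            if risky:
                findings.append(("risky_oauth_consent", e["user"], f"{e['app']}: {sorted(risky)}"))
        elif kind == "signin":
            # Service accounts should never sign in interactively; treat it as NHI misuse.
            if e["user"].startswith(NHI_PREFIXES) and e.get("interactive"):
                findings.append(("nhi_interactive_signin", e["user"], f"from {e['ip']}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect(EVENTS):
        print(f"{rule:24} {user:12} {detail}")
```

Feeding real IdP sign-in and audit logs into `detect` requires mapping their schema onto these fields; the value is in routing the findings into the same SIEM/SOAR pipeline as endpoint and network alerts.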


What Comes Next: The Identity Fabric Playbook

This article provided the architectural framework and strategic rationale for identity fabric and ZTIA. In later articles, I will expand on the ZTIA operational guidelines for building your identity fabric.

The shift from perimeter to identity is not a future trend. It is our current battlefield. The question is not whether your organization will build an identity fabric. The question is whether you will build it before the next adversary comes knocking on the door, or worse, after they have kicked it down and are inside your dominion.

Forward Unto Dawn,

Michael Carter II


About the Author

Carter leads identity, network, and endpoint security initiatives as a Sr. Solutions Engineer for Pax8, a Cloud Marketplace for MSPs, and serves as CEO of Nomaden, a Colorado-based firm. He specializes in helping MSPs and enterprises design security architectures and identity-centric security programs to beat the breach before Zero-Day comes. Carter has a deep passion and unwavering mission of wanting to Secure All of Our Futures, Together. Connect with Carter to discuss cybersecurity defense strategies and how your business can benefit from solutions that turn these strategies into repeatable outcomes.
