< ciso
brief />
Tag Banner

All news with #iam tag

196 articles · page 5 of 10

How to Tell if a CSO Is the Real Deal or Inflated Today

🔍 Recruiters and current CSOs warn that true CSO capability combines technical fluency, business judgment, and clear communication. Inflated titles and hasty hires create false confidence, wasted budgets, and a culture of compliance rather than security. Top CSOs prioritize risk choreography, translate risk into business outcomes, and balance risk and revenue. Candidates and employers should verify mandate, budget, and cross‑functional influence before assigning the title.
read more →

AI Agents as Identity Dark Matter: Governance Risks

🔐 The article explains how Model Context Protocol (MCP)-driven AI agents are rapidly moving from chat assistants into enterprise workflows, creating an emergent class of non-human identities that often evade traditional IAM controls. It warns these agents gravitate to low-friction credentials—local accounts, long-lived tokens, and API keys—creating pervasive “identity dark matter.” The piece recommends pairing agents with human sponsors, enforcing dynamic, context-aware access, centralizing visibility and auditability, and applying consistent governance across hybrids to prevent privilege drift and regulatory blind spots.
read more →

Standardized IAM Context Keys for AWS-Managed MCP Servers

🔐 AWS introduced standardized IAM context keys for its managed remote Model Context Protocol (MCP) servers so AI agents can operate with existing IAM credentials while enabling distinct governance controls. The two keys — aws:ViaAWSMCPService (boolean) and aws:CalledViaAWSMCP (string) — let you allow or deny MCP-initiated actions and restrict access to specific MCP servers. AWS will also simplify public endpoint authorization so AI calls use standard IAM permissions (no separate MCP actions) and plans to add VPC endpoint support for private-network enforcement and two-stage authorization.
read more →

Amazon Cognito Enhances Client Secret Lifecycle Management

🔐 Amazon Cognito now supports on-demand client secret rotation and lets you bring your own custom client secrets for app clients in user pools. You can maintain up to two active secrets per app client to enable staged rollovers and avoid application downtime during transitions. These lifecycle controls address periodic rotation and migration needs and are available in all Regions where Amazon Cognito user pools are offered; management is supported via the Console, CLI, SDKs, or CloudFormation.
read more →

Identity Posture Becomes Key Metric in Cyber Underwriting

🔒 Insurers and regulators are increasingly using identity posture as a primary underwriting metric, shifting focus from isolated technical controls to evidence of ongoing identity governance. Evaluations emphasize password hygiene, visibility into credential exposure, privileged access management, and comprehensive MFA coverage across remote, email, and privileged access paths. Organizations that can demonstrate continuous monitoring, regular access certification, and the removal of shared or never‑expiring credentials are more likely to secure favorable premiums and avoid claim disputes.
read more →

AWS IAM Identity Center Available in Asia Pacific (NZ)

🔔 AWS IAM Identity Center is now available in the Asia Pacific (New Zealand) AWS Region, expanding the service to 38 AWS Regions globally. The service is the recommended approach for managing workforce access, offering centralized single sign-on and account management by connecting your existing identity source once. IAM Identity Center powers personalized experiences in services such as Amazon Q and enables user-aware access controls and auditing in services like Amazon Redshift. It is offered at no additional cost in supported regions.
read more →

Aurora DSQL: Go, Python, and Node.js Connectors Released

🔐 Amazon Web Services announced new Aurora DSQL Connectors for Go (pgx), Python (asyncpg), and Node.js (WebSocket for Postgres.js). The connectors serve as transparent authentication layers that automatically generate IAM tokens per connection, removing the need for manual token handling while preserving full compatibility with standard PostgreSQL driver features. The Node.js connector adds WebSocket support for environments where TCP is unavailable. All connectors accept custom IAM credential providers to match customer credential workflows.
read more →

Over-Privileged AI Drives 4.5x Higher Incident Rates

🔐 Teleport's 2026 report finds 69% of US infrastructure security leaders say identity management must evolve to address mounting AI risks. Respondents reported tangible AI-related incidents — 35% confirmed and a further 24% suspected — even as AI improved investigation times, documentation quality and engineering output. The report identifies over-privileged AI and reliance on static credentials as primary risk drivers and recommends least-privilege access, reduced use of long-lived secrets, and reorganizing identity teams to include platform and engineering stakeholders.
read more →

Amazon S3 Access Grants Available in Taipei Region

🔐 Amazon announced that Amazon S3 Access Grants are now available in the AWS Asia Pacific (Taipei) Region. Access Grants map corporate identities in directories such as Microsoft Entra ID or AWS Identity and Access Management (IAM) to S3 datasets, enabling scalable, identity-based data access. The feature automates S3 permission assignment for end users and simplifies data governance for enterprises operating in Taipei. Refer to the AWS Region Table and product documentation for regional availability and deployment guidance.
read more →

AWS Expands Resource Control Policies to DynamoDB Service

🔐 AWS has added Amazon DynamoDB to the set of services supported by Resource Control Policies (RCPs), enabling organizations to centrally constrain the maximum permissions available to resources. Administrators can now use RCPs to block identities outside their AWS Organization from accessing DynamoDB, helping enforce a data perimeter and baseline security standards. RCPs are available in all AWS commercial Regions and AWS GovCloud (US) Regions.
read more →

Gartner: Six Cybersecurity Trends Shaping 2026 Priorities

🔒 Gartner identifies six priority cybersecurity trends for 2026 that demand immediate attention from security and risk leaders. Key risks include uncontrolled agentic AI proliferation, global regulatory volatility, and the urgent need to plan for post-quantum cryptography. Gartner advises stronger governance to detect and control both approved and shadow AI agents, evolve identity and access management for machine actors, modernize SOCs with human-in-the-loop processes, and shift awareness programs toward task-focused, AI-specific behavioral training.
read more →

Top Customer Identity and Access Management (CIAM) Tools

🔐 CIAM platforms manage authentication, authorization, consent, and customer identity for public-facing applications. Analysts highlight six leading solutions — IBM Security Verify, LoginRadius, Microsoft Entra, Okta/Auth0, OneLogin, and Ping Identity — each balancing usability, extensibility, and security differently. Offerings range from turnkey, no-code deployments to developer-led, API-first systems and vary in native fraud analytics, FIDO2 support, consent-management capabilities, and integrations with BI/CRM ecosystems. Organizations should weigh marketing data needs, privacy compliance, and fraud protection when choosing a CIAM.
read more →

How CISOs Lose Their Jobs: Ten Mistakes and Fixes Now

🔒 The CISO role is increasingly precarious: average tenure is 39 months and 2025 turnover climbed to 15%. The article identifies ten common career-ending mistakes — from failing to prevent or manage major breaches and poor communication with the board to inadequate compliance, weak credential controls, burnout, and resistance to change — and offers concrete mitigations. Recommended actions include a documented incident response program, business-focused risk reporting, robust governance that maps controls to regulations, and a risk-based budgeting approach. It also highlights foundational fixes such as enterprise password management (for example, Passwork) to close credential gaps, build audit trails, and demonstrate due diligence to executives and regulators.
read more →

EKS Pod Identity Integration for Add-ons Now in GovCloud

🔐 Amazon EKS now directly integrates EKS add-ons with EKS Pod Identity in AWS GovCloud (US-East and US-West), simplifying lifecycle and IAM permission management for add-ons that need access to AWS services. You can manage Pod Identities via the EKS console, CLI, API, eksctl, and IaC tools like AWS CloudFormation. This GA expansion increases the set of Pod Identity–compatible add-ons available during cluster creation.
read more →

Orchid Security Adds Continuous Identity Observability

🔎 Orchid Security has introduced an continuous identity observability platform that discovers, analyzes, and governs identity usage inside enterprise applications. The solution instruments applications to reveal embedded credentials, non‑human identities, custom authentication flows, and access paths that bypass IAM controls. It then prioritizes risks, routes findings to control owners, and integrates with IAM, PAM, and GRC workflows to drive remediation and provide continuous audit-ready evidence.
read more →

AI Agent Identity Management: New Control Plane for CISOs

🔐 AI agents—custom GPTs, copilots, coding agents and other autonomous tooling—are proliferating in production while remaining largely outside traditional IAM, PAM, and IGA controls. The piece argues for treating agents as a distinct identity class and applying continuous identity lifecycle management to ensure visibility, ownership, dynamic least privilege, and auditability. Rather than slowing adoption, this approach positions identity as the control plane for balancing innovation and security.
read more →

Agentic AI Will Multiply Non-Human Identity Risks Soon

🔒 Early agentic AI experiments have exposed a rapidly expanding cybersecurity problem: enterprises are accumulating vast numbers of non-human identities (NHIs)—service accounts, tokens, API keys and automation credentials—that security teams largely cannot see or govern. Analysts predict counts will jump from millions to tens of millions within months, driving visibility into these assets into the single digits. Experts recommend containment and segmentation of legacy NHIs, strict ownership, and a clean-slate approach to provisioning future agents rather than attempting perfect retroactive inventories.
read more →

AWS STS Validates Provider Claims for OIDC Roles Now

🔐 AWS Security Token Service (STS) now validates select identity-provider-specific claims from Google, GitHub, CircleCI, and Oracle Cloud Infrastructure for OIDC federation via the AssumeRoleWithWebIdentity API. You can reference these custom claims as condition keys in IAM role trust policies and resource control policies to enforce finer-grained access control and establish data perimeters. This enhancement builds on IAM's OIDC federation capabilities and is available in all AWS Commercial Regions.
read more →

Non-Human Identities: The Overlooked Security Risk in 2026

🔐 Non-human identities — service accounts, API keys, automation credentials and AI agents — are proliferating across cloud environments and often sit outside governance, creating high-risk blind spots. The author recounts finding a dormant Azure service account with owner-level access and dozens of similar accounts, and cites industry data showing machine-to-human ratios of up to 500:1. He recommends continuous discovery, strict least-privilege defaults, elimination of static credentials and automated rotation to reduce this primary breach vector.
read more →

Amazon Cognito adds inbound federation Lambda trigger

🔐 Amazon Cognito introduces inbound federation Lambda triggers that let you transform and customize federated user attributes during authentication. You can modify responses from external SAML and OIDC providers — adding, overriding, or suppressing attributes — before they are stored in your user pool to avoid issues such as Cognito's 2,048-character limit per attribute. The trigger is available via hosted UI (classic) and managed login in all AWS Regions and is configurable through the Console, CLI, SDKs, CDK, or CloudFormation.
read more →