< ciso
brief />
Tag Banner

All news with #identity security tag

168 articles

Microsoft Secure Future Initiative July 2026 Report

🔒 This progress report outlines Microsoft’s Secure Future Initiative (SFI) two-year effort to strengthen security foundations, apply AI for proactive defense, and prepare for future challenges such as post-quantum risks. It highlights layered controls—identity, access governance, segmentation, and secure engineering defaults—paired with cultural and governance measures to make protections durable. The report also shares lessons, practical guidance, and metrics of organizational adoption.
read more →

Verification Step Emerges as New ATO Attack Surface

🛡️ Passkeys and passwordless flows are reducing credential stuffing, but attackers now target identity verification and recovery paths such as magic links, step-up flows, and re-enrollment. Generative AI has made impersonation and synthetic media widespread, increasing fraudulent verification attempts. Defenders must adopt biometric liveness, risk-based re-verification, intent binding, and network-effect signals to stay ahead as regulations and threats evolve.
read more →

Agentic AI Exposes Zero Trust Blind Spots

🤖 Stephen Wilson of HashiCorp describes agentic AI as “really smart kindergartners” — capable of execution but lacking judgment. This mismatch strains traditional zero trust models that authenticate humans and grant privileges gradually, because agents can be created and destroyed rapidly. Organizations often respond by lowering controls, risking incidents such as accidental deletion of production data. Wilson argues this will force necessary long-term improvements like zero standing privilege and dynamic credentials while keeping humans "on the loop."
read more →

Governing Identity for Agentic AI Operations

🛡️ Existing security controls weren’t built for autonomous AI agents, and static credentials and standing privileges are insufficient. Organizations must define agentic identity, secure agent-to-agent communication, adopt dynamic secrets management, enforce least privilege for delegated workflows, and unify workforce identity. Governance across the identity lifecycle is essential to ensure auditable, revocable, and context-aware access for agents.
read more →

Operationalizing agentic AI: From assistants to operators

🤖 Stephen Wilson of HashiCorp explains how enterprise AI is evolving from human-assisted tools to autonomous agents and operators, and why governance must mature accordingly. He describes three adoption patterns—AI as assistant, AI as agent, and AI as operator—and details the increasing needs for identity, access controls, auditability, and accuracy at each stage. As organizations grant agents more autonomy, security controls must expand from user-level boundaries to team and organizational governance.
read more →

SMB Cyber Readiness: Prioritize the Fundamentals

🔒 AI is reshaping attacker toolkits, but familiar failures—phishing, unpatched vulnerabilities, poor monitoring and weak passwords—remain the primary causes of incidents for SMBs. ESET telemetry and research show AI mainly amplifies these risks rather than replacing them with pervasive, real-time AI malware. Practical mitigations like patch management, identity protection, MFA, password managers and MDR services remain the most effective ways to improve readiness and resilience.
read more →

Identity lifecycle challenges posed by AI agents

🔒 This article explains how traditional identity lifecycle management — built around HR-driven joiner, mover, and leaver events — fails to govern AI agents. It describes how agents are created outside HR and IGA workflows, arrive with embedded credentials, and expand access dynamically at runtime. The piece highlights gaps in provisioning, access reviews, and offboarding when agents proliferate across parallel instances and orchestration layers.
read more →

Claude Apps Gateway for Google Cloud announced

🔒 Anthropic’s Claude Apps Gateway is a self-hosted intermediary that centralizes identity, policy, telemetry, spend controls, and routing between local Claude Code clients and Google Cloud. It replaces per-developer credentials with OIDC-based sessions, enforces RBAC server-side via gateway.yaml, and attributes metrics to verified user sessions. Deploy as a stateless container on Cloud Run (or GKE) with Cloud SQL and Secret Manager for state and secrets.
read more →

Palo Alto Networks Defines Identity Security Future

🔒 Palo Alto Networks announces Idira™, its next-generation identity security platform, following the acquisition of CyberArk to position identity as a core control plane for AI-driven enterprises. The platform treats every identity—human, machine and AI agent—as privileged, offering real-time discovery, just-in-time privilege and continuous governance. Partners are urged to adopt new advisory and delivery models to help customers reduce fragmentation and secure hybrid, cloud-native, and AI-enabled environments. The move aligns with customer demand for integrated, AI-powered security and supports partner enablement through the NextWave program.
read more →

IAM Identity Center: Customer Managed App Account Access

🔐 IAM Identity Center now lets customer managed applications programmatically discover user-assigned AWS accounts and roles and retrieve temporary credentials for account access. If your application authenticates users via an external identity provider (IdP), you can configure that IdP as a trusted token issuer and enable AWS account access so users who already signed in through the IdP can obtain credentials without re-authenticating. Administrators must explicitly enable this for each customer managed application, and only management account or delegated administrators can grant the capability, ensuring centralized governance. The feature is available across all commercial, GovCloud (US), and China Regions.
read more →

Guardian Agents: The Next Layer of Identity

🛡️ This guide examines how agentic AI shifted enterprise identity risks and why existing IAM controls fall short. It explains how AI agents inherit human permissions, traverse systems at machine speed, and create an expanding population of autonomous identities often deployed without security review. The piece outlines the guardian agent concept: a purpose-built runtime control layer that inventories agents, baselines behavior, detects anomalies, and enforces least-privilege at execution time to close the governance gap.
read more →

One Million Passports Exposed in Data Leak

🔐 A database containing nearly one million passport records from multiple countries was leaked online. The incident highlights how high-value credentials like passports can be compromised when reused within lower-security systems; in this case, an ID verification service used by cannabis dispensaries was breached. The exposure demonstrates the cascading risk when sensitive identity documents are trusted by ancillary services with weaker protections.
read more →

AI-Driven Identity Security: Microsoft Entra Updates

🔒 AI is accelerating cyberattacks, increasing speed and scale across the attack chain while identity remains a primary entry point. Microsoft highlights integrated visibility and response through Microsoft Entra and Microsoft Defender, including a unified identity risk score and an updated Entra ID Protection experience. New features aim to reduce fragmentation, enable least-privilege response roles, and automate policy optimization to help teams prevent, detect, and respond faster.
read more →

Estonia Proposes Government IDs for AI Agents

🛡️ The Estonian AI Council proposes government-backed digital identities for AI agents to define delegated powers and responsibilities. Prime Minister Kristen Michal emphasized that clear attribution, rights, and accountability are essential as AI increasingly acts on behalf of people and organizations. The ID could specify permissions such as data viewing, document editing, or making payments with defined limits. Estonia aims to leverage its digital ID leadership and become the first country to formalize agent identities.
read more →

Sovereign Cloud Alone Won’t Solve AI Risk

🔒 European enterprises tested sovereign cloud under regulatory pressure and found residency alone doesn’t equal control. Vendors offer sovereignty features, but practitioners at EIC 2026 emphasized that identity governance — not just data location — determines operational sovereignty for AI workloads. Weak identity controls, especially for non-human AI agents, undermine claims of control despite customer-managed keys or regional data centers.
read more →

Rising Multi‑Layered Identity Crime Affects More Victims

🔍 The Identity Theft Resource Center's 2026 Trends in Identity Report, based on over 6,000 reports from April 1, 2025 to March 31, 2026, shows nearly 26% of victims experienced two or more concurrent identity incidents. Unauthorized device/PC access rose sharply to 27% of compromises and is now the primary threat for adults aged 35–64. Account takeovers made up 50% of misuse cases, while recovery rates dropped significantly when financial loss occurred. Experts warn that compromised devices enable broader attacks and call for testing and automation to improve incident response.
read more →

Adapting Security to the Frontier AI Era

🛡️ Frontier AI is accelerating cyber threats and outpacing traditional governance across JAPAC, forcing regulators and enterprises to shift from committee-based oversight to real-time defensive postures. Urgent regulatory action in Australia, Singapore, and South Korea has prompted organisations to modernise identity, access, and incident response frameworks. Real-time AI vs AI engagements now dominate the threat landscape.
read more →

Amazon S3 Access Grants Arrive in Germany Region

🛈 Amazon S3 Access Grants are now available in the AWS European Sovereign Cloud (Germany) Region. The feature maps identities from directories like Microsoft Entra ID and AWS IAM principals to S3 datasets, enabling automated, scalable data permission management. This simplifies granting S3 access to end users based on corporate identities. Check the AWS Region Table for full regional availability and refer to the product page for details.
read more →

JLR CISO Ordered In-Person Password Resets

🔒 At Infosecurity Europe, Ashish Shrestha, then group CISO of Jaguar Land Rover, recounted the September 2025 cyber-attack response that required over 30,000 staff to reset passwords on site. He said the in-person resets ensured trusted identities for communications after the incident and validated Microsoft 365 integrity. The firm also reset MFA and validated users’ identities physically to mitigate risks of remote account takeover.
read more →

Microsoft Teams Phishing Risks and Mitigations

🛡️ This Unit 42 report examines how threat actors use Microsoft Teams to impersonate IT staff, leveraging external chat and compromised or typosquatted accounts to phish employees. It outlines real-world incidents, explains how permissive federation and external chat settings widen the attack surface, and emphasizes that identity systems are the ultimate target. The article recommends tighter configuration, identity-centric controls, monitoring, and updated user training.
read more →