In an era of increasingly sophisticated cyber threats, identity security has emerged as a front line of defence for public sector organisations, according to David Tyrell, principal strategist at SailPoint.

During a fireside chat at the Think Digital Government event this week, Tyrell discussed the complex landscape of modern identity management – where attackers are now as likely to log into a system as hack into it.
“The level of sophistication around that has increased significantly, and AI is being used for nefarious purposes,” he explained.
However, the identity security journey is no longer a simple matter of tracking employee access. Tyrell said there is a need for a broader, more nuanced approach that encompasses employees, supply chains, and even non-human identities like AI agents.
SailPoint’s approach breaks down identity security into a strategic journey with multiple critical stages. The process begins with establishing a comprehensive identity foundation – identifying not just employees, but also non-employees, third parties, and emerging non-human identities.
This initial step is more complex than it might seem, particularly when tracking non-employee access. AI plays a crucial role here: Tyrell highlighted how generative AI (gen AI) is being used to translate complex technical access information into business-friendly language.
“As a business user trying to understand who’s got access to what, we can now see what that means from a business-friendly perspective,” he said, adding that this dramatically reduces the time and effort previously required to map and understand access rights.
Shockingly, roughly 50 percent of the accounts SailPoint finds are non-human, said Tyrell. Even more concerning, about 20-30 percent of accounts don’t match up correctly, creating significant backdoor security risks.
The complexity of access management is staggering, too. With multiple systems, applications, and potential access combinations, the number of potential access scenarios can quickly reach billions. This dynamic landscape requires sophisticated AI-driven approaches to identify unusual access patterns and potential risks.
Tyrell is particularly focused on the challenges of tracking identity transitions. “How do you track when someone has changed their role, their responsibility, and now they’ve got access they shouldn’t have anymore?” he asked.
One answer is that AI technologies can now spot these situations, flagging potential security risks for further investigation.
Additionally, Tyrell warned that organisations cannot afford to wait for perfect conditions to implement identity security strategies.
“You really can’t wait for perfect here,” he said. “If you wait for those stars to align, if you say we’ll wait until this new system comes in or we fix our data, you’re never going to get started.”
The approach, added Tyrell, is not about achieving a final, static state of security, but maintaining a continuous journey of refinement. He noted that identity security is an ongoing process, with AI playing a crucial role in keeping systems clean and identifying potential risks.
Looking ahead, the emergence of agentic AI presents new challenges. Tyrell hinted at upcoming developments, suggesting that SailPoint is working on frameworks to manage AI agent access, applying the same principles of least privilege that have long governed human identity management.
The key message is clear: identity security is no longer a technical afterthought but a fundamental business strategy. Organisations must adopt a holistic, dynamic approach that bridges technology, business processes, and emerging AI capabilities.
“It takes good network administrators, it takes good technology, and it takes good process,” said Tyrell. “We have to accept that a breach is going to occur, whether it’s external or internal. The goal is to minimise the size of that blast radius.”





