‘Don’t let the best be the enemy of the good’ as your organisation starts its internal digital identity journey. That was a key lesson from David Tyrrell, principal strategist at SailPoint, speaking at the first in a new event series, ‘Identity on Tap’.

The event brought together digital identity experts from across and beyond government to The Feathers pub, at the heart of Westminster, on Tuesday June 3. It built on David’s fireside chat at the Think Digital Government conference a few weeks earlier.
‘Digital identity’ has been in the news recently, with government initiatives such as One Login and GOV.UK Wallet designed to help people use government services, and thinktank reports calling for the government to go further with fully-fledged digital ID systems or ID cards. There has been less of a conversation around internal identity, but David made the case for why that needs to change.
He set out an increasingly familiar scenario: imagine a contractor leaves your organisation one week, and starts a new role at a supplier the following week. But nobody has thought to change, or revoke, their access to your systems. They may not be malicious, but it is a security risk. And multiply that across your organisation, with tens, hundreds, thousands of staff; siloed teams and legacy systems; and a web of different contracts and employment models. Managing internal identity quickly becomes less of an IT problem and more the security frontline, and a strategic imperative for organisations to address.
David joined SailPoint after working for the NHS on patient administration systems, and later for companies like IBM on identity security, where he realised that identity was a critical part of security and an interesting mix of technology and wider organisational processes.
He said that SailPoint thinks of their product as a customer journey, rather than simply features and functions. This is split into two broad areas: application onboarding, data clean up and initial risk remediation; and continuous refinement and staying clean.
The first of these starts with identity foundation (understanding which identities are in scope for the organisation to govern – who might have access?), followed by system connectivity (bringing in the systems you want to govern), visibility and context (understanding who has access to what, and in what context), account classification (is this a human account, a non-human account like a bot or automated agent, or an account that doesn’t belong to anybody?), identifying outliers (accounts with unusual levels of access), and then reviewing access (which should be periodically reviewed, every three to six months).
The second part – continuous refinement – involves doing some of this on an ongoing basis. It also involves some use of AI for a variety of tasks (from using generative AI to turn meaningless technical lists of access descriptions into something with organisational context, to spotting users with unusual levels of access). David also spoke about Agentic AI, where AI agents could play a role in delivering government services, but these AI identities would need to be managed – an example of where AI (and SailPoint’s approach) can enable new services, and not just reduce risk or drive efficiency.
Questions from the audience covered needing to think about how much data organisations should ‘put out there’ in the first place, where to start in tackling the challenges of internal identity, and how to convince others in the business to prioritise it.
We called time on the event with David’s final piece of advice, which was that organisations cannot wait for everything (budgets, systems, timing) to align and you have to start somewhere. This should be something achievable where you can demonstrate progress and which allows you to build further – in other words, don’t let the perfect be the enemy of the good. The audience certainly drank in David’s insights, and we look forward to another round in the future.
You can hear from David and SailPoint at Think Digital Identity and Cybersecurity for Government on September 30, 2025.