Why the Illusion of Control Is Failing Australian Identity Security Programmes
Most Australian enterprises believe they have identity security under control. Frameworks are in place, policies are documented, and zero trust strategies feature prominently in boardroom presentations and annual reports. On paper, it looks robust. In practice, many organisations are running identity controls that were designed for a world that no longer exists.
Over the past few years, the industry has rightly shifted its focus toward identity. High-profile breaches linked to compromised credentials and excessive access have confirmed what attackers already knew. The traditional perimeter is gone, and identity is now the primary control point. The question facing organisations today is not whether identity matters. It is whether the controls they have in place are fit for the environment they are actually operating in.
For most, the honest answer is no. Traditional identity governance was designed for a more stable and predictable world, one where access requirements changed slowly and periodic reviews were considered sufficient. That model was never perfect, but it was workable. Today it is not. Workforces are more fluid, application estates have expanded dramatically, and machine identities now outnumber human ones in most enterprise environments. Meanwhile, AI agents operate across systems with a degree of autonomy that introduces risks quarterly access reviews were never designed to catch.
The Wrong Question
Static access controls ask a single question: what is this identity permitted to do? That was a reasonable question when identities were few, access patterns were predictable, and the biggest risk was an employee with too many permissions. It is the wrong question for 2026. Adaptive identity asks something more useful: who is requesting access, from where, at what time, under what conditions, and does this behaviour match what you would expect of that identity? The shift from permission-based to context-aware decisions is the difference between governance that looks right on paper and governance that actually holds up under pressure.
The scale of the problem is measurable. Our recent research found that 75% of machine identities have no designated owner, meaning there is no one responsible for knowing what they are doing or whether their access remains appropriate. At the same time, 80% of organisations report that their AI agents have already taken unintended actions, including accessing systems they should not have and exposing sensitive data. These are not edge cases. They are happening now, at scale, inside organisations that would consider themselves security-mature.
Zero trust gets the philosophy right. Never trust, always verify. The problem is that it is an architecture, not an enforcement engine. If implemented without intelligent identity controls at its core, it becomes a framework that validates the pass but never questions whether the user holding it should be in that part of the building at all. Adaptive identity is the enforcement layer zero trust has always assumed but rarely had. Without it, you have the language of modern security without the substance.
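The contrast between the static question in "The Wrong Question" and the context-aware enforcement layer described here, shown as an added example that is not part of the original article: a small Python policy evaluator that answers the static entitlement question first and then scores the request against the identity's observed baseline. The identities, entitlements, baselines, risk weights, thresholds and sample requests are all constructed for illustration and do not come from any product or real environment. It also covers the ownerless machine identity case from the figures above, since an identity with no designated owner has nobody to answer a step-up challenge.

```python
"""Static permission check versus adaptive (context-aware) access evaluation.
Added illustration: every identity, baseline, weight and request below is
constructed for the example and is not taken from any real system."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Static model: what is this identity permitted to do? (constructed entitlements)
ENTITLEMENTS = {
    "alice": {"hr-payroll": {"read"}, "wiki": {"read", "write"}},
    "svc-backup": {"file-store": {"read"}, "hr-payroll": {"read"}},
}

@dataclass
class Baseline:
    """Observed normal behaviour for one identity (constructed for the example)."""
    usual_networks: List[str]      # CIDRs the identity normally connects from
    usual_hours: range             # local hours in which activity is normally seen
    usual_resources: set           # resources it normally touches
    owner: Optional[str] = None    # accountable human; None = ownerless identity

BASELINES = {
    "alice": Baseline(["10.0.0.0/8"], range(7, 20), {"wiki", "hr-payroll"}, owner="alice"),
    # Machine identity with no designated owner: the case the article calls out.
    "svc-backup": Baseline(["10.20.0.0/16"], range(1, 5), {"file-store"}, owner=None),
}

@dataclass
class Request:
    identity: str
    resource: str
    action: str
    source_ip: str
    when: datetime
    device_managed: bool

@dataclass
class Decision:
    outcome: str                   # "allow" | "step_up" | "deny"
    score: int
    reasons: List[str] = field(default_factory=list)

def static_check(req: Request) -> bool:
    """The single static question: is this identity entitled to this action?"""
    return req.action in ENTITLEMENTS.get(req.identity, {}).get(req.resource, set())

def adaptive_check(req: Request, step_up_at: int = 3, deny_at: int = 7) -> Decision:
    """Context-aware evaluation: entitlement is necessary but not sufficient.
    Each deviation from the baseline adds risk; the weights and thresholds are
    illustrative, not a recommended scoring scheme."""
    if not static_check(req):
        return Decision("deny", 99, ["no entitlement"])
    base = BASELINES.get(req.identity)
    if base is None:
        return Decision("deny", 99, ["unknown identity: no baseline"])
    score, reasons = 0, []
    if not any(ip_address(req.source_ip) in ip_network(n) for n in base.usual_networks):
        score += 3; reasons.append(f"unusual source {req.source_ip}")
    if req.when.hour not in base.usual_hours:
        score += 2; reasons.append(f"outside usual hours ({req.when.hour:02d}:00)")
    if req.resource not in base.usual_resources:
        score += 2; reasons.append(f"first-seen resource {req.resource}")
    if not req.device_managed:
        score += 1; reasons.append("unmanaged device")
    if base.owner is None:
        score += 2; reasons.append("no designated owner")
    if score >= deny_at:
        return Decision("deny", score, reasons)
    if score >= step_up_at:
        if base.owner is None:
            # Step-up needs a human to respond (MFA, approval). An ownerless
            # identity has nobody to do that, so the only safe answer is deny.
            reasons.append("no owner to complete step-up")
            return Decision("deny", score, reasons)
        return Decision("step_up", score, reasons)
    return Decision("allow", score, reasons)

# Constructed requests. The static check says "allow" to all four; only the
# adaptive check tells them apart.
SAMPLE_REQUESTS = [
    Request("alice", "hr-payroll", "read", "10.1.2.3", datetime(2026, 3, 4, 10, 15), True),
    Request("alice", "hr-payroll", "read", "203.0.113.9", datetime(2026, 3, 4, 3, 12), False),
    Request("svc-backup", "hr-payroll", "read", "10.20.4.4", datetime(2026, 3, 4, 2, 0), True),
    Request("svc-backup", "file-store", "read", "10.20.4.4", datetime(2026, 3, 4, 2, 0), True),
]

def evaluate_all(requests=SAMPLE_REQUESTS):
    """Return (static_result, adaptive_outcome) for each request."""
    return [(static_check(r), adaptive_check(r).outcome) for r in requests]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        d = adaptive_check(r)
        print(f"{r.identity:10} {r.resource:10} static={'allow' if static_check(r) else 'deny':5} "
              f"adaptive={d.outcome:7} score={d.score} {d.reasons}")
```

The payroll read by alice from an unfamiliar address at 03:00 on an unmanaged device is fully entitled and still gets a step-up rather than a silent allow; the backup service account's first-ever read of payroll is denied outright because no owner exists to approve it, while its routine file-store access continues unaffected. That is the enforcement layer the paragraph above describes: the badge is still validated, but the evaluator also asks whether the holder should be in that part of the building.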
Why the CFO Should Be in the Conversation Too
That enforcement gap also comes with a price tag. The Australian Government’s push to increase productivity through AI and data adoption is real and accelerating. Boards are demanding faster AI integration. But AI adoption at scale means more identities, more access pathways, and more autonomous decision-making running faster than human oversight can reasonably track. If identity governance is still built around periodic reviews and manual processes, the gap between digital ambition and security reality becomes a genuine liability, not just operationally but under frameworks like APRA CPS 234 and an increasingly assertive Privacy Act regime.
Identity security is also a growth argument. Our Horizons of Identity Security research found that enterprises with advanced identity programmes report a nearly threefold reduction in access-related incidents, and that identity security delivers the highest return on investment of any security domain, consistently outperforming endpoint, network and compliance tools. Security maturity and business agility turn out to be the same investment.
Control is not something you declare in a framework document or a board presentation. It has to be proved, and proved continuously, because identities are multiplying and acting with increasing independence. Most organisations still lack a complete picture of their identity landscape, particularly across machine and AI agent identities, and you cannot prove control over what you cannot see. The organisations that treat identity security as an ongoing discipline, rather than a project with a completion date, are the ones that will not be caught out when the next breach confirms what the numbers already show.