Between Compliance, Access, and Accountability: Why CISOs Are Stuck Owning Identity Risk
Published
Key Takeaways
- Identity governance often breaks down between strategy, execution, and oversight.
- Paige says that when identity risk falls between teams, CISOs are left bridging the governance gap.
- APK keys, service accounts, and AI agents outnumber employees, and attackers know it.
- Most organizations know what good identity governance is, but the blockers are operational and political.
- Boards understand identity risk better when CISOs show how much access exists and how quickly it is removed.
Kevin Paige, Field CISO at ConductorOne, explains that most organizations do not lack a security strategy or controls. They lack a working connection between planning, implementation, and accountability. As a result, strategy gathers dust in documents, execution covers only half the environment, and oversight becomes little more than rubber-stamp reviews.
Paige’s career spans military, government, and enterprise security, including roles with the U.S. Air Force, the U.S. Army, MuleSoft, Flexport, and Salesforce. He says that identity decisions moved to CISOs because no single function owns the risks between systems, roles, and automation.
DevOps handled service accounts, HR managed hiring and exits, and engineering issued access. This left security consequences unowned. As attackers began exploiting those gaps, responsibility shifted to the organization’s CISO. They now inherit responsibility for governing service accounts, API keys, automation, and AI agents that may outnumber employees across enterprise environments.
Paige notes that many organizations maintain governance frameworks that appear mature on paper but may function primarily to satisfy compliance reviews. Companies have the tools and knowledge to fix identity governance, but progress often stalls when teams cannot agree on ownership, budget, and implementation.
Vishwa: In your experience, where does identity governance typically break down inside large organizations — at strategy, execution, or oversight?
Kevin: Everyone asks whether it's strategy, execution, or oversight. In my experience, it's the space between them.
Most (if not all) large organizations have a strategy — it just lives in a document nobody references. They have execution — it just covers half the environment. They have oversight — it just rubber-stamps reviews that catch nothing.
The governance isn't broken. The feedback loop is. Nothing connects them. Oversight doesn't change strategy. Strategy doesn't prioritize execution. Each one runs on its own calendar, for its own audience, solving its own version of the problem. That's not governance. That's theater.
Vishwa: You’ve described identity as a security problem rather than just an IT function. What specific risk decisions are CISOs now being forced to own that previously sat elsewhere?
Kevin: The biggest shift I see is that identity decisions used to be about convenience — how fast can we get someone access so they can do their job?
Now they're about consequence — what happens if this access is wrong, compromised, or exploited?
I'd point to three decisions that used to live somewhere else and now sit squarely on the CISO's desk:
- Who governs the non-human identities. Service accounts, API keys, AI agents
- The things that outnumber your employees a hundred to one but have never appeared on anyone's org chart.
- That used to be a DevOps problem, or honestly, nobody's problem.
- Now it's a security problem because those are the identities attackers are targeting.
- They don't take vacations, they don't change passwords, and nobody reviews their access.
- What happens when someone changes roles. HR handles onboarding and offboarding, but nobody owned the middle
- When someone moves from engineering to sales and keeps all their old access.
- That accumulated privilege is a risk decision.
- HR doesn't think about blast radius.
- What AI agents are allowed to do. This one has no previous owner because it didn't exist two years ago.
- Someone has to decide what an autonomous AI system can access, under what conditions, and who's accountable when it does something it shouldn't.
- That decision landed on the CISO's desk by default — because nobody else was willing to own it.
The common thread? Identity used to be logistics. Now it's risk. And risk is the CISO's job
Vishwa: Many organizations appear stuck on the IGA maturity curve. What operational constraints or internal dynamics most often prevent progress?
Kevin: It's almost never a strategy problem. Most organizations know exactly what good identity governance looks like. The blockers are operational and political.
If you're passing your access reviews and your auditors are satisfied, most organizations declare victory and move on. The problem is that those reviews are theater — managers certifying access they don't understand, so a compliance box gets checked.
The process exists, but it doesn't produce security. And as long as the board sees 'compliant,' there's zero urgency to do the harder work. After that, it's ownership.
Every department touches identity — HR, IT, security, DevOps — but nobody owns it end-to-end. I've never seen an IGA modernization stall because of technology. It stalls because three VPs can't agree on whose budget it comes from and whose team does the work.
The technology to fix this exists today. The organizational willpower usually doesn't.
Vishwa: You’ve referenced the IAM pyramid being “upside down.” What does that mean in practical terms for access reviews, approvals, and accountability?
Kevin: It means we've spent a decade focused on the answer to “are you who you say you are?” While completely ignoring the harder question: “should you still have this access, and does anyone even know you have it?”
Practically, access reviews become theater. Managers certify hundreds of entitlements they don't understand because there's no system telling them what changed or what matters. They rubber-stamp it. Compliance is met.
Approvals become trust exercises, not risk decisions. A manager clicks approve because they know the person, not because they understand the access.
- No context
- No risk signal
- No visibility into what that person already has.
And accountability? There is none. Nobody has the full picture, so nobody can be held responsible. We locked the front door and left every window open. That's the upside-down pyramid.
Vishwa: In the AI era, how do non-human identity — service accounts, automation, and machine identities change the risk equation for CISOs?
Kevin: Think of it this way. Imagine you manage an office building. You know every tenant — they have badges, they sign leases, they check in at the front desk. Then one day, you discover there are a hundred times more workers coming and going through doors you didn't know existed.
They have no badges, no leases, nobody remembers letting them in, and some of them have keys to every room in the building. That's the non-human identity problem. Service accounts, API keys, automated bots, AI agents — they outnumber your employees by orders of magnitude, and most organizations have never governed them at all.
No inventory. No lifecycle management. No reviews. What changes the risk equation isn't just that there are more identities. It's that you went from knowing who's in your building to not knowing who's in your building. And you can't secure what you can't see.
For CISOs, the shift is existential. Every risk model, every compliance framework, every review process was designed for the tenants with badges. The ones without badges are now the majority — and they're the ones with the most access.
Vishwa: When you step into customer environments, what signals tell you identity controls are strong versus only appearing compliant?
Kevin: The fastest diagnostic I have is a single question: 'Show me the last access you revoked and tell me why.'
Organizations with real governance have an answer. It's specific — this person, this entitlement, this risk, this date. They can tell you because revoking inappropriate access is what their system is designed to do.
Organizations with compliance theater can show me that reviews were completed on schedule. Every box checked. 99% approval rate. Beautiful audit trail. But they can't point to a single entitlement that was actually removed because a review caught it. The process ran. It just didn't produce a result.
That's the signal I look for everywhere: are you measuring activity, or are you measuring outcomes? Compliant organizations count how many reviews were completed. Secure organizations count how many risks were actually reduced. Most can only answer the first question.
If your governance has never told you 'no,' it's never actually governed.
Vishwa: How should CISOs measure identity risk in a way that resonates with boards without oversimplifying the problem?
Kevin: Here's what I tell CISOs:
- Your board already understands risk.
- They do it every quarter for financial exposure, operational liability, and market risk.
- They don't need an education in identity.
- They need you to translate identity risk into the framework they already use.
That means three metrics.
- Exposure — what percentage of your identities have access beyond what their function requires.
- Velocity — how fast access is removed when something changes.
- Coverage — what percentage of your identity surface, including non-human identities, is actually governed.
If you walk into a board meeting and your exposure is 35%, your revocation time is three weeks, and your coverage is 40% — every person in that room understands you have a problem. No jargon needed.
The mistake CISOs make is reporting compliance instead of risk. '100% of reviews completed' sounds good until someone asks what those reviews actually caught. If the answer is nothing, the number was never meaningful
Vishwa: Where do identity governance programs most often create friction with engineering or business teams, and how can that tension be managed?
Kevin: Governance creates friction the moment it's designed for the auditor instead of the person doing the work. An engineer needs prod access at 2 AM — governance says 'submit a ticket.' A manager gets 300 entitlements to review — they rubber-stamp all of them.
A developer needs broad access to ship fast — security says 'least privilege.' In every case, the process is technically correct and practically useless. The answer isn't less governance. It's governance that's invisible when it can be and undeniable when it must be.
I keep going back to the brake analogy — we don't put brakes on a car to make it go slow. We put brakes on a car so the driver has the confidence to go fast. If your governance is slowing people down, you didn't build brakes. You built a wall.
Vishwa: What real-world lessons from incident response have reshaped how you think about identity as a foundational control?
Kevin: Here's what incident response teaches you that no framework ever will. The first question in every investigation is the same:
- What account was used? Not what vulnerability. Not what malware.
- What identity. The initial vector gets the headline. Identity is the entire story after paragraph one.
Every lateral movement, every privilege escalation, every piece of data exfiltrated — it all traces back to an identity decision someone made months ago. The attacker didn't defeat your controls. They used a legitimate badge and walked right past them.
That's the lesson that rewired my thinking. Identity isn't authentication — it's blast radius. How far can a compromised account reach before anyone notices? Most organizations have no idea.
They built a fortress and handed out master keys. That's not a vulnerability. That's architecture. And architecture is a choice.
Vishwa: If a CISO could fix one identity weakness in the next 12 months, where would you advise they focus first?
Kevin: Close the gap between what access you think exists and what actually does. That's the one thing. Everything else — least privilege, Zero Trust, governance that isn't theater — is downstream of that.
- You can't revoke access you don't know about.
- You can't govern non-human identities you haven't discovered.
- You can't measure blast radius if you don't know what each identity can reach.
Every CISO initiative I see stall isn't stalling because of technology or budget. It's stalling because the map doesn't match the territory.
The industry keeps selling destinations — Zero Trust, passwordless, continuous verification. But nobody talks about the starting point. And the starting point is knowing what's real. Not what your tools say should be true.
What is true? The distance between those two is your actual risk.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular