Identity Fusion Blog

The Gate Was Always the Defense

Written by Joseph F Miceli Jr | Feb 17, 2026 5:14:34 PM

Why identity has always been infrastructure, and always the defense...

There’s a peculiar amnesia that sets in within this industry every few years. Vendors straighten their posture, clear their throats, and announce, solemnly, that identity is now critical. That IAM has finally crossed the threshold from plumbing to defense. That some invisible Rubicon has been passed and a new era has begun. Slides are updated. Language is refreshed. Urgency is manufactured.

It’s a fine speech. It’s also historically false.

Identity has never been optional. It has never been decorative. Long before it was wrapped in experience narratives or compliance frameworks, it functioned as infrastructure in the most literal sense: load-bearing, unforgiving, and impossible to ignore when it failed. IAM didn’t become infrastructure. It always was. The stone beneath the walls, not the banners hanging from them.

What changed wasn’t the role of identity. It was the tolerance for denial. For years, organizations benefited from stability they mistook for safety. The walls held, mostly. The gate creaked but didn’t collapse. And so identity was allowed to remain invisible, underfunded, and politely ignored, right up until scale, speed, and adversaries exposed the fantasy.

IAM 3.0 isn’t a revolution. Revolutions imply novelty. This is older than that. It’s a confession. A belated admission that identity has always been the defense layer that everything else quietly depended on. That we built higher walls, brighter dashboards, and louder detection systems on top of a control plane we refused to modernize.

The walls were always there.

We just stopped pretending they could hold without being maintained, reinforced, and allowed to move with the world they were built to protect.

The Castle, the Gate, and the Guards

Before firewalls. Before SOCs. Before blue dashboards glowing in dark rooms full of coffee and resignation, defense was brutally simple: control the gate. Not inspect every street. Not patrol every alley. Decide, clearly and decisively, who could enter, when they could enter, and under what authority. Everything else was downstream of that decision.

Medieval cities understood this instinctively. Walls mattered. Towers mattered. Moats bought time. But none of it meant anything if the gate failed. The gate was staffed, watched, and challenged. It opened with intent and closed with consequence. It was where trust was tested, not assumed. Once the gate was breached, once the wrong party was allowed through, no amount of internal order could save what lay inside.

IAM has always been that gate.

Early directory services, access control lists, and authentication mechanisms were never “user convenience tools,” no matter how politely they were later marketed. They were entry controls. Crude, yes. Manual, often. Built with the limitations of their era and the patience of administrators who knew they were guarding something fragile. But they were defensive by design. Binary in their judgment. Ruthless in their implications. If the wrong identity passed the gate, everything inside (data, systems, people, trust) was immediately exposed.

What changed over time wasn’t the role of identity. It was our willingness to acknowledge it. As cities grew more complex, we convinced ourselves that defense lived deeper inside the walls. As enterprises scaled, we told ourselves that inspection, monitoring, and response could compensate for weak entry control. We added guards to the streets and sensors to the buildings, all while letting the gate become ceremonial, checked occasionally, audited quarterly, assumed correct by default.

But history doesn’t change just because technology does. Control of entry has always been the first and last line of defense. Identity was the gate long before it was dressed up as governance, compliance, or experience. And every era that forgot that lesson paid for it the same way, quietly at first, catastrophically later.

That hasn’t changed.

What has changed is scale. The castle now has millions of gates. They open and close thousands of times per second. And many are operated by machines we barely inventory.

Phase I: IAM as Plumbing (But Still Load-Bearing)

In the early enterprise era, identity lived in the basement, both literally and figuratively. It sat below the floorboards of the business, humming quietly, unseen, uncelebrated. Directories. LDAP trees. Active Directory forests. Provisioning scripts duct-taped together with brittle logic and tribal knowledge. Role tables hand-maintained by overworked administrators who knew exactly how fragile the whole thing was and prayed nothing changed on a Friday afternoon. It looked like plumbing because it was plumbing: pipes, valves, pressure, flow. Get it right and no one notices. Get it wrong and everything floods.

Like all serious infrastructure, IAM was ignored until it failed. No one wrote whitepapers praising clean directory design. No executive ever earned a bonus for “excellent access revocation hygiene.” Identity was not strategic. It was operational. Necessary. Boring. And absolutely load-bearing.

When breaches happened, and they did, they almost never began with exotic exploits or cinematic hacks. They started quietly, predictably, embarrassingly. Accounts that never should have existed were still active months or years after the humans behind them had left. Privileges granted for a single project calcified into permanent entitlements. Trust was established once, early, casually, and then never revisited, never revalidated, never questioned. The system behaved exactly as it was designed to behave. The problem was that no one had designed it to age.

This wasn’t an IAM failure in the way vendors like to frame failures today. It wasn’t a missing feature or a weak algorithm. It was a governance failure of infrastructure. Identity had been treated as static plumbing in a world that was already becoming dynamic. The pipes stayed the same while the pressure, the volume, and the threat landscape changed.

Even then, long before the marketing language caught up, IAM was defensive. It was a control plane, a boundary system, a mechanism for deciding who was allowed to do what and when. We just didn’t have the language to say it out loud. And if we’re being honest, many organizations didn’t have the courage. Calling IAM “defense” would have forced uncomfortable conversations about ownership, accountability, and risk. So instead, it stayed in the basement. Quiet. Critical. And one bad day away from becoming the headline.

Phase II: Compliance Era, Painting the Walls, Not Moving Them

Then came regulation. SOX. HIPAA. PCI. GDPR. The alphabet soup arrived wearing the costume of order and calling itself progress. For the first time, identity mattered in boardrooms, but not because it was recognized as defense. It mattered because it could be measured, documented, certified, and filed. IAM didn’t become strategic. It became admissible.

Access reviews turned into rituals. Certifications became ceremonies performed on a quarterly cadence, solemn and largely detached from lived reality. Screens were clicked. Spreadsheets were signed. Attestations were archived. Identity systems were optimized to satisfy auditors, not adversaries. The castle walls were freshly painted. The gate ledger was updated on schedule. Everyone slept better.

Attackers did not.

This is where the industry quietly drifted off course. IAM was still infrastructure. Still foundational. Still, at its core, a defensive control plane. But it was managed like a compliance artifact: static, periodic, backward-looking. Identity posture was assessed by looking in the rearview mirror, long after the road had already curved and the threat had already passed.

The poll you referenced is revealing precisely because it captures the fatigue of practitioners who lived through this era in real time. Strategy was declared. Tools were purchased. Frameworks were adopted. Boxes were checked with ceremonial precision. And yet identity-driven breaches kept happening, monotonously, predictably, almost boringly.

Not because IAM wasn’t there.
Because it was frozen in time.

Identity did its job exactly as it had been asked to do. The problem was that the job itself was already obsolete.

Phase III: The Modern Battlefield, Identity at the Center of Fire

Today’s attackers don’t batter the walls. They stroll through the gate, nodding politely as they pass. No siege engines required. They steal credentials. They inherit sessions. They exploit over-privileged service accounts that no human remembers granting but everyone assumes are necessary. They move laterally wearing the most convincing disguise of all: trusted identity. When access is valid, curiosity looks a lot like authorization.

They don’t need zero-days when they have credentials. They don’t need to break in when the system invites them to move freely once inside. Identity is not the weakness. It is the path.

This is why the industry is suddenly breathless about identity, speaking in urgent tones as if a great revelation has just occurred. But let’s be blunt: this isn’t a discovery. It’s a delayed acknowledgment. The evidence has been piling up for years. We simply chose not to name it.

IAM 3.0 exists because the old illusion finally collapsed: the belief that identity could remain static while everything else became dynamic. Cloud erased the certainty of perimeter. APIs multiplied trust relationships faster than humans could reason about them. Non-human identities exploded into the millions, silent, tireless, and rarely reviewed. Speed outpaced governance, and automation outran intent.

Infrastructure that doesn’t move eventually stops protecting anything. It doesn’t fail loudly. It becomes a liability: solid, familiar, and perfectly positioned to be bypassed.

IAM 3.0: When the Gate Becomes Intelligent

IAM 3.0 isn’t about shinier tools or louder roadmaps. It’s about restoring identity to its rightful role as living defense. Not something reviewed annually and forgotten the next day, but something that decides continuously. Not static roles laminated in policy binders, but contextual authorization that understands now matters more than then. Not identity treated as inventory to be counted and reconciled, but identity operating as a runtime control plane: active, opinionated, and accountable.

This is where visual orchestration, policy abstraction, and intelligence finally enter the conversation, not as “innovation,” not as marketing theater, but as survival mechanisms. When systems move at machine speed, defense has to move with them. You cannot govern what you cannot see, and you cannot defend what you cannot change in motion.

In military terms, IAM 2.0 was a fixed fortification. Impressive. Expensive. Carefully engineered to repel yesterday’s threat. And, like every static defense in history, ultimately bypassed by maneuver warfare. The walls didn’t fail. The assumptions did. IAM 3.0 is mobile defense: sensing, adapting, and responding while the battlefield is still shifting underfoot.

The vendors calling this “new” aren’t pioneers. They’re late to their own history. Identity has always been defense. The only novelty here is finally admitting it, and building systems that behave accordingly.

The Honest Truth Vendors Don’t Like to Say

IAM doesn’t fail because it is infrastructure. It fails the moment we convince ourselves that infrastructure doesn’t need to evolve. We treated identity like poured concrete (solid, permanent, finished) while everything around it became fluid, ephemeral, and fast. Cloud redefined where systems lived. APIs rewired how trust flowed. Automation collapsed timelines from weeks to milliseconds. The fault was never in the foundation. It was in the refusal to reinforce it, adapt it, and accept that load-bearing systems must change as the load changes.

The poll results resonate because practitioners don’t need to be persuaded or educated. They know this in their bones. They’ve lived through the budget cuts disguised as “optimization.” They’ve endured the grand promises that identity would be addressed “next year” or “in phase two.” They’ve watched IAM be underfunded, over-sold, and ceremonially governed (quarterly attestations standing in for real control) while quietly holding the line against operational chaos and existential risk. Identity teams didn’t fail the enterprise. In many cases, they were the only thing preventing it from collapsing sooner.

IAM 3.0 is not a product category waiting to be branded, packaged, and monetized into yet another analyst quadrant. It is a maturity admission, and not a comfortable one. It forces organizations to acknowledge what has always been true: identity has always been the primary defense perimeter, whether anyone wanted to say it out loud or not. Every meaningful breach path runs through access. Every serious compromise involves trust abused, inherited, or left unquestioned.

It is also an admission that static control in a dynamic world isn’t prudence or discipline; it’s malpractice. Controls frozen in policy binders and enforced through quarterly review cycles cannot govern systems that change by the second. Identity decisions made after the fact are no longer decisions at all; they are documentation exercises. And most breaches are identity failures long before they ever manifest as network alerts, malware signatures, or late-night incident response calls.

Identity didn’t suddenly become important.

We simply ran out of places to pretend it wasn’t.

Defense, Finally Taken Seriously

There’s a reason the oldest cities obsessed over their gates. Not the walls. Not the banners. The gates. Once breached, nothing inside mattered. Markets, temples, treasuries: irrelevant the moment control of entry was lost. The gate wasn’t symbolic. It was existential.

IAM has always been that gate. Not a feature. Not a product tier. The mechanism by which trust is granted, withheld, and revoked. Every era simply dressed it differently and pretended the responsibility belonged somewhere else.

IAM 3.0 doesn’t reinvent the gate. It doesn’t romanticize it or rebrand it with shinier language. It wakes it up. It restores motion, awareness, and judgment to something that was allowed to fall asleep under the false comfort of static controls and periodic reviews.

The organizations that truly understand this won’t be louder about it. They won’t flood conference stages or marketing feeds. They’ll be quieter. Fewer incidents. Fewer emergency calls. Fewer executive apologies delivered with rehearsed humility after preventable failures. Their success will be measured not in announcements, but in absence.

That’s what real infrastructure does.

It doesn’t ask for credit.
It doesn’t need applause.
It just holds.