The claim that "identity is the new perimeter" has become common enough to be a cliché. The more precise framing is that identity is becoming the control plane — not just the perimeter that replaces the network boundary, but the active orchestration layer that evaluates signals, enforces policy, and drives remediation across the entire access surface in real time.
This is a meaningful distinction. A perimeter is a boundary — you're either inside or outside. A control plane actively routes, evaluates, and manages decisions. The shift from identity as perimeter to identity as control plane is the shift from "can this person log in" to "should this person have this access, right now, based on everything we know about their current context, role, behavior, and the sensitivity of what they're accessing."
Why Network Perimeters Failed as the Primary Control
Network perimeters served as the primary security control on one assumption: that location implied trust. If traffic came from inside the corporate network, it could be trusted. If it came from outside, it was suspect.
This assumption collapsed for three reasons:
The inside of the network stopped being inherently trustworthy. Lateral movement in security incidents, where an attacker compromises one internal system and moves through the network to reach high-value targets, demonstrates that internal network position provides limited assurance. The SolarWinds compromise disclosed in December 2020, in which a backdoored Orion update was installed inside trusted networks, and many incidents since show that sophisticated attackers operate from within the perimeter.
Users and applications moved outside the perimeter. Remote work, cloud-hosted applications, and SaaS proliferation mean that most access patterns now involve users connecting from outside the corporate network to applications hosted by third parties. The traffic path never traverses the corporate network boundary that was supposed to be the control point.
Applications multiplied beyond what perimeter controls could meaningfully govern. A typical enterprise uses hundreds of SaaS applications, each with its own authentication, each holding company data. The network perimeter can inspect traffic but not the authorization decisions inside each application.
The result is that network-based controls — firewalls, VPNs, network segmentation — remain important for specific threat scenarios (lateral movement, network-level attacks) but can no longer serve as the primary mechanism for access decisions across the application landscape.
What Identity as a Control Plane Actually Means
A control plane, in networking terms, is the layer that makes routing decisions — determining where traffic should go and on what terms. An identity control plane makes access decisions — determining who can access what, under what conditions, and with what oversight.
Four capabilities define a mature identity control plane:
Signal aggregation. The control plane needs to see everything relevant to an access decision: authentication strength (password vs. MFA vs. phishing-resistant MFA), device posture (managed vs. unmanaged, patched vs. vulnerable), user behavior (is this login pattern unusual for this person?), location (is this a trusted location?), and role context (is the user's current role still consistent with what they're accessing?). The better the signal quality, the better the access decision.
Policy enforcement across the full access surface. A control plane that only governs SSO-connected applications enforces policy on a fraction of the actual access landscape. Effective identity control requires governance coverage that extends to shadow IT, non-SSO applications, legacy systems, and non-human identities (service accounts, API keys, AI agents). Discovery is the prerequisite for governance.
Real-time evaluation, not periodic snapshot. Legacy access management made access decisions at provisioning time (was this access appropriate when it was granted?) and at certification time (is this access still appropriate according to this quarter's review?). A control plane model evaluates access continuously — detecting when an account becomes dormant, when an employee's status changes, when a credential is compromised — and responds in real time rather than waiting for the next scheduled review.
Automated remediation. Detection without action is monitoring, not control. The control plane capability requires that detected access anomalies — a compromised account, a suspended user still accessing systems, access that failed a certification but hasn't been removed — trigger automated remediation rather than generating alerts that wait for a human to respond.
The Policy Design Challenge
If identity is the control plane, policy quality determines control plane quality. This is the implication that matters most for identity teams:
Signal quality determines policy accuracy. An HR system that records terminations days after the actual exit date produces a control plane that allows access for days after employment ends. An HRMS with missing department data produces provisioning logic that can't make accurate role-based access decisions. The identity control plane is only as reliable as the data flowing into it.
Policy must cover edge cases, not just standard flows. Standard joiner-mover-leaver automation handles the predictable cases. The edge cases — contractors who transfer between subsidiaries, employees on extended leave who need modified access, service accounts created for temporary projects that never get decommissioned — are where control plane gaps develop. Identifying and governing these requires both comprehensive discovery and explicit policy for non-standard cases.
Least privilege requires ongoing enforcement, not one-time configuration. Access accumulates over time through role changes, project assignments, and provisioning decisions that were appropriate at the time. A control plane that enforces least privilege must continuously evaluate whether current access is still consistent with current role, department, and actual usage — not just at initial provisioning.
Zero Trust as the Architectural Framework
Zero Trust is the architectural expression of identity as a control plane. The Zero Trust model — never trust, always verify — operationalizes continuous verification across every access decision rather than establishing trust zones that grant implicit access to everything inside them.
The NIST Zero Trust Architecture (SP 800-207) places a policy decision point, made up of a policy engine and a policy administrator, and one or more policy enforcement points at the core of the architecture. In practice the identity platform hosts the policy decision point: it evaluates signals and determines whether an access request is approved, denied, or granted with conditions such as step-up authentication. The policy enforcement points are distributed across the access surface: the SSO layer, the cloud provider IAM, the application API gateway, the privileged access system.
For identity teams, this means:
Conditional Access policies that incorporate multiple signals. Not just "is the user authenticated" but "is this authentication strong enough for the sensitivity of what they're accessing, from this device, at this time, with this behavioral context."
Continuous session evaluation, not just point-of-entry authorization. Long-lived sessions that were authorized at login time but haven't been re-evaluated since represent a trust assumption that the zero trust model doesn't accept. Session revocation when context changes (device posture degrades, unusual behavior detected) is the control plane response.
Non-human identity governance at the same standard as human identity. Service accounts, API keys, and AI agent credentials represent identities that the zero trust model needs to govern. A zero trust architecture with strong human identity controls but ungoverned service accounts has a significant control plane gap.
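As an added illustration (example code, not from the original article or any vendor product), the following Python policy decision point combines the signals listed under signal aggregation above into one conditional-access decision and re-evaluates live sessions when a signal changes, which is the continuous session evaluation just described. The signal names, the three sensitivity tiers, the minimum-authentication-strength table and the `Context`, `Resource`, `evaluate` and `reevaluate_sessions` names are assumptions made for the example.

```python
"""Policy decision point (PDP) for an identity control plane.

Added example, not code from the article or any vendor. The signals, the
sensitivity tiers and the policy thresholds are assumptions for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import FrozenSet, List


class AuthStrength(IntEnum):
    PASSWORD = 1             # single factor
    MFA = 2                  # OTP or push; phishable
    PHISHING_RESISTANT = 3   # FIDO2 / passkey / certificate


@dataclass
class Context:
    """Everything the control plane knows about the request right now."""
    user: str
    role: str
    auth_strength: AuthStrength
    device_managed: bool
    device_patched: bool
    trusted_location: bool
    behavior_anomalous: bool      # e.g. impossible travel, never-seen ASN for this user


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: int              # 1 = low, 2 = internal, 3 = restricted (assumed tiers)
    allowed_roles: FrozenSet[str]


@dataclass
class Decision:
    effect: str                   # "allow", "deny" or "step_up"
    reasons: List[str] = field(default_factory=list)


# Minimum authentication strength per sensitivity tier (assumed policy).
MIN_AUTH = {1: AuthStrength.PASSWORD, 2: AuthStrength.MFA, 3: AuthStrength.PHISHING_RESISTANT}


def evaluate(ctx: Context, res: Resource) -> Decision:
    """Combine role, device posture, auth strength, location and behavior into one decision."""
    # Role context is a hard gate: strong authentication does not create an entitlement.
    if ctx.role not in res.allowed_roles:
        return Decision("deny", [f"role {ctx.role} is not entitled to {res.name}"])
    # Restricted data never reaches an unmanaged or unpatched endpoint.
    if res.sensitivity >= 3 and not (ctx.device_managed and ctx.device_patched):
        return Decision("deny", ["restricted resource requires a managed, patched device"])
    reasons = []
    # Authentication must match the tier; a weaker session is asked to step up, not denied.
    if ctx.auth_strength < MIN_AUTH[res.sensitivity]:
        reasons.append(f"{ctx.auth_strength.name} is below the minimum for tier {res.sensitivity}")
    # An untrusted location or a behavioral anomaly raises the bar to phishing-resistant MFA.
    if (ctx.behavior_anomalous or not ctx.trusted_location) \
            and ctx.auth_strength < AuthStrength.PHISHING_RESISTANT:
        reasons.append("anomalous context requires phishing-resistant MFA")
    return Decision("step_up", reasons) if reasons else Decision("allow", ["all signals within policy"])


@dataclass
class Session:
    id: str
    ctx: Context
    res: Resource
    active: bool = True


def reevaluate_sessions(sessions: List[Session], user: str, **signal_updates) -> List[str]:
    """Push a changed signal into a user's live sessions and revoke any that no longer pass.

    signal_updates are Context field names, e.g. device_patched=False from a posture feed
    or behavior_anomalous=True from a UEBA feed. Returns the ids of revoked sessions.
    """
    revoked = []
    for s in sessions:
        if not s.active or s.ctx.user != user:
            continue
        for name, value in signal_updates.items():
            setattr(s.ctx, name, value)
        if evaluate(s.ctx, s.res).effect != "allow":
            s.active = False
            revoked.append(s.id)
    return revoked


if __name__ == "__main__":
    payroll = Resource("payroll-db", 3, frozenset({"finance"}))
    alice = Context("alice", "finance", AuthStrength.PHISHING_RESISTANT, True, True, True, False)
    print(evaluate(alice, payroll).effect)                                                    # allow
    print(evaluate(Context("alice", "finance", AuthStrength.MFA, True, True, True, False), payroll).effect)  # step_up
    live = [Session("s1", alice, payroll)]
    print(reevaluate_sessions(live, "alice", device_patched=False))                           # ['s1']
```

The step-up path is the point: a session that authenticated too weakly for a sensitive resource is sent for stronger authentication rather than denied, while a role mismatch or an unmanaged device is a hard deny regardless of how strongly the user authenticated. `reevaluate_sessions` is what a posture or behavior feed would call when it pushes a changed signal; sessions that no longer pass are revoked immediately instead of being left to expire.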
Identity Security Posture Management: The Continuous Assessment Layer
Identity Security Posture Management (ISPM) is the emerging capability category that continuously evaluates the configuration and state of the identity infrastructure itself — not just whether individual access decisions are correct, but whether the underlying identity system is configured correctly and whether the access graph is free of excessive permissions, misconfigurations, and policy violations.
Where traditional IGA performs periodic certification campaigns, ISPM provides continuous assessment: detecting over-privileged service accounts as they appear, surfacing misconfigured federation settings (for example, a SAML integration that accepts unsigned assertions), identifying privileged credentials that are never used, and flagging access combinations that create segregation-of-duties (SoD) violations as they develop rather than discovering them at the next quarterly review.
The relationship between IGA and ISPM is complementary: IGA governs the lifecycle of access and produces compliance evidence, ISPM continuously monitors the security posture of the identity infrastructure and surfaces drift between intended and actual configuration. Together they provide both the governance process (IGA) and the continuous security monitoring (ISPM) that a mature identity control plane requires.
What This Means for Identity Teams
The implication of identity becoming the control plane is that identity teams are now responsible for security outcomes, not just directory hygiene. The access decisions an identity system makes determine who can reach sensitive data, critical infrastructure, and production systems. Poor signal quality, coverage gaps, and slow remediation translate directly into security exposure.
This raises the stakes on several capabilities that have historically been treated as optional or future roadmap items:
Shadow IT and shadow AI discovery. You can't govern what you can't see. If the identity control plane doesn't know that 15% of your application access happens outside the SSO perimeter, its coverage of those access paths is zero.
Non-human identity governance. Service accounts, API keys, and AI agent credentials are identities that the control plane must govern. The rapid growth of AI agent usage creates new non-human identity (NHI) categories faster than most existing governance programs are extending coverage to them.
Real-time activity intelligence. The move from periodic certification to continuous assessment requires usage data as a first-class input to access decisions. Access reviews informed by "this account hasn't been active in 90 days" are fundamentally different from reviews that see only the access assignment without usage context.
Automated remediation velocity. In a control plane model, the time between detecting a security anomaly and remediating it determines the window of exposure. Manual remediation workflows that take days to resolve a detected access violation are inconsistent with identity as a real-time control mechanism.
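The policy design points earlier in this article (HR feed lag, service accounts nobody decommissions, access that was appropriate when granted) and the ISPM, activity-intelligence and remediation-velocity capabilities just described all reduce to one operation: reconcile the access graph against the system of record and against usage data continuously, and attach a remediation action to every finding. The following Python example, added here and not taken from the article or any product, does that over constructed HR, account, entitlement and usage data; every field name, the 90-day dormancy window, the privileged-entitlement list, the SoD rule and the remediation actions are assumptions for the example.

```python
"""Continuous identity posture assessment over an access graph.

Added example, not a product's logic. The HR feed, accounts, entitlements,
usage data and SoD rules below are constructed inline; field names, the
90-day dormancy window and the remediation actions are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TODAY = date(2024, 6, 30)            # fixed so the example is deterministic
DORMANT_AFTER = timedelta(days=90)   # assumed dormancy window

# HR system of record (constructed). bob's exit has already happened.
HR = {
    "alice": {"status": "active", "department": "finance"},
    "bob": {"status": "terminated", "department": "engineering",
            "term_date": date(2024, 6, 20)},
    "carol": {"status": "active", "department": "engineering"},
}


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                      # "human" or "service"
    owner: Optional[str]           # HR identity, or the responsible person for a service account
    enabled: bool
    last_activity: Optional[date]


# Directory state (constructed): what the control plane actually sees.
ACCOUNTS = [
    Account("alice", "human", "alice", True, date(2024, 6, 29)),
    Account("bob", "human", "bob", True, date(2024, 6, 28)),          # still enabled after exit
    Account("carol", "human", "carol", True, date(2024, 2, 1)),       # no recent activity
    Account("svc-etl", "service", "alice", True, date(2024, 6, 30)),
    Account("svc-legacy-backup", "service", None, True, date(2024, 1, 10)),  # nobody owns it
]

# Entitlement assignments per account (constructed).
ENTITLEMENTS = {
    "alice": {"ap:create-vendor", "ap:approve-payment"},
    "bob": {"prod:deploy"},
    "carol": {"prod:deploy", "prod:admin"},
    "svc-etl": {"dwh:read"},
    "svc-legacy-backup": {"prod:admin"},
}
PRIVILEGED = {"prod:admin", "ap:approve-payment"}   # assumed privileged entitlements

# Entitlements actually exercised inside the window, from activity logs (constructed).
USED = {
    "alice": {"ap:create-vendor"},
    "carol": set(),
    "svc-etl": {"dwh:read"},
}

# Toxic combinations: (entitlements that must not coexist on one identity, label).
SOD_RULES = [({"ap:create-vendor", "ap:approve-payment"}, "create and approve payee")]


@dataclass(frozen=True)
class Finding:
    account: str
    check: str
    action: str        # remediation the control plane fires automatically


def assess(accounts, hr, entitlements, used, sod_rules, today=TODAY):
    """Return a finding for every way an account's state drifts from policy."""
    findings = []
    for a in accounts:
        ents = entitlements.get(a.name, set())
        exercised = used.get(a.name, set())
        record = hr.get(a.owner, {}) if a.kind == "human" else {}
        # 1. Leaver drift: HR says terminated, the directory still says enabled.
        if a.enabled and record.get("status") == "terminated":
            lag = (today - record["term_date"]).days if "term_date" in record else None
            findings.append(Finding(a.name, "terminated-but-enabled",
                                    f"disable account and revoke sessions (enabled {lag} days past exit)"))
        # 2. Orphaned non-human identity: no accountable owner.
        if a.kind == "service" and a.owner is None:
            findings.append(Finding(a.name, "orphaned-nhi", "assign an owner or disable"))
        # 3. Dormancy: enabled but idle for longer than the window.
        if a.enabled and (a.last_activity is None or today - a.last_activity > DORMANT_AFTER):
            findings.append(Finding(a.name, "dormant", "disable pending owner confirmation"))
        # 4. Privileged entitlements held but not exercised in the window.
        for e in sorted((ents & PRIVILEGED) - exercised):
            findings.append(Finding(a.name, f"unused-privilege:{e}", f"remove {e}"))
        # 5. Segregation-of-duties conflicts, flagged as they develop.
        for combo, label in sod_rules:
            if combo <= ents:
                findings.append(Finding(a.name, f"sod:{label}",
                                        "remove one side or record an approved exception"))
    return findings


def checks_by_account(findings):
    """Group check names per account; convenient for reporting."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.account, set()).add(f.check)
    return grouped


if __name__ == "__main__":
    for f in assess(ACCOUNTS, HR, ENTITLEMENTS, USED, SOD_RULES):
        print(f"{f.account:20} {f.check:40} -> {f.action}")
```

Run against the constructed data, the terminated user is caught ten days after the HR exit date with the account still enabled, the ownerless backup service account is flagged three ways (no owner, dormant, unused admin privilege), and the finance user's create-and-approve combination is raised as an SoD conflict the moment both entitlements coexist. Each finding carries the action the control plane would execute, which is what turns this from monitoring into control.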
Frequently Asked Questions
What does "identity as the control plane" mean in security?
The control plane is the layer that makes routing decisions — in networking, it determines where traffic goes. An identity control plane makes access decisions: who can access what, under what conditions, with what oversight. Identity as the control plane means that access decisions across the enterprise are driven by identity signals (authentication strength, role, behavior, device context) and enforced through identity-based policy rather than network-based controls like firewalls and VPNs.
How does Zero Trust relate to identity as a control plane?
Zero Trust is the architectural framework that operationalizes identity as the control plane. Its principle — never trust, always verify — replaces the network perimeter trust model with continuous verification at every access attempt. The identity system (IAM, IGA, PAM) becomes the policy decision point that evaluates signals and determines access. Zero Trust is how you build identity-centric access control; identity as the control plane is what you're building toward.
What is Identity Security Posture Management (ISPM)?
ISPM continuously evaluates the configuration and security state of the identity infrastructure — detecting over-privileged accounts, misconfigured identity provider settings, unused credentials, and access combinations that violate SoD policy. Where IGA governs the lifecycle of individual access decisions and produces compliance evidence, ISPM monitors whether the identity infrastructure itself is configured correctly and alerts on drift between intended and actual security posture.
Why do non-human identities matter for identity as a control plane?
Service accounts, API keys, OAuth tokens, and AI agent credentials are the identities under which automated systems act. If the identity control plane governs human access but not non-human identities, attackers who compromise service account credentials or API keys can move through the environment outside the governance perimeter. A complete identity control plane requires the same level of governance (least privilege, lifecycle management, activity monitoring) for non-human identities as for human users.