
Strengthening identity governance and administration in the age of digital trust.

Strengthening identity governance & administration in the age of digital trust DNV – Your partner in securing critical infrastructure

Gibraltar:  Friday, 22 August 2025 – 10:00 CEST

GEÓ Intel: Written & Curated By GEÓ NewsTeam

Identity and Access Management (IAM) and Identity Governance and Administration (IGA): Securing Critical Infrastructure in a Digital Age

Introduction

As digital transformation accelerates, critical infrastructure sectors are becoming increasingly interconnected. While this connectivity enhances efficiency and innovation, it also introduces new risks—cyber, compliance, and operational—threatening organizational resilience.

At the heart of these risks lies a fundamental question that many CIOs and CISOs struggle to answer: “Who or what has access to who or what?”

Identity governance and management are no longer just a compliance requirement but a business-critical necessity. As organisations scale and adopt new technologies, their digital attack surface grows, with identity becoming the new perimeter. In this hyperconnected world, where digital systems underpin everything from power grids to manufacturing plants and maritime logistics, knowing who has access to what is more important than ever.

Insufficient oversight of digital identities and access rights is now one of the most critical threats to enterprise and critical infrastructure resilience. Unauthorized access—whether due to misconfiguration or malicious intent—can cause significant operational disruptions.

Identity governance and management have evolved beyond a compliance checkbox. Strong Identity Governance and Administration (IGA) and Identity and Access Management (IAM) frameworks are now foundational to securing operations across critical infrastructure.

The Enigma

Compromised credentials are responsible for a large majority of security breaches today. The complexity of managing identities across legacy systems, cloud environments, and third-party suppliers creates an ideal entry point for cyber attackers. Many organizations still grapple with shadow access, excessive privileges, and a lack of visibility into identity behaviours. 

Best-practice policy: A robust Identity Governance and Administration (IGA) program is crucial for resilience in Identity and Access Management (IAM). IGA ensures that the right individuals—or machines—have the right access at the right time, and nothing more. This principle is the cornerstone of a resilient IAM strategy and vital for minimizing the risk posed by unauthorized access.

This white paper sets out to explore:

1. The growing risk landscape
2. The IAM imperative
3. The IAM landscape & business obligations
4. Key challenges in identity governance and administration
5. Strategic approaches to IAM and IGA
6. The future of identity governance


1. The Growing Risk Landscape

The CIO’s Dilemma: Lack of Access Visibility and Governance

As digital transformation accelerates and critical infrastructure becomes increasingly interconnected, CIOs and CISOs face a growing dilemma: how to secure sprawling hybrid environments where identity is now the primary attack vector.

The convergence of IT and OT systems, combined with expanding cloud adoption, legacy infrastructure, and third-party integrations, has made identity governance more complex—and more critical—than ever before.

CIOs must now navigate a dynamic risk landscape with mounting internal and external pressures:

Key challenges facing CIOs and CISOs today:

* Fragmented access visibility: Gaining a unified view of who has access to what across diverse environments—cloud, legacy IT, operational technology (OT), and third-party platforms—is increasingly difficult. This lack of visibility is a leading cause of policy drift, privilege creep, and latent risk.
* Limited real-time monitoring: Identity-related threats are frequently undetected due to fragmented oversight.
* Manual, outdated governance processes: Many organizations still rely on spreadsheets or siloed approval flows to manage identity governance, resulting in blind spots, inefficiencies, and elevated risk exposure.
* Evolving regulatory landscape: New and updated regulations such as NIS2, GDPR, and industry-specific standards are placing fresh demands on identity governance programs. Compliance is no longer optional—it’s mission-critical. This is a very clear and present threat.
* Audit and compliance risks: Poor access controls and ungoverned identities increase the likelihood of failed audits, regulatory penalties, and reputational damage.
* Operational bottlenecks: Without streamlined access reviews and attestation processes, organizations struggle to enforce the principle of least privilege—hampering agility, productivity, and security.
* Insufficient role-based controls: Many organizations struggle to implement and maintain role-based access.

As Zero Trust adoption grows in response to escalating threats, it’s important to note: Zero Trust without identity governance is just a slogan. Without clear ownership, accountability, and visibility, Zero Trust architectures will always fall short.

Navigating Identity at Scale: Insights from a Senior CIO

Bjørn Watne, former Group CISO at Telenor, shared his first-hand experience managing Identity and Access Management (IAM) for one of Norway’s largest telecom providers. With thousands of users, an ever-changing workforce, and multiple international operations, identity at scale presented both strategic and operational challenges.

Watne highlighted the sheer volume and variety of identities—including employees, consultants, customers, and devices—as a key challenge. Managing IAM across such a dynamic environment meant that no single platform could accommodate all needs. Telenor responded by establishing a dedicated Shared Services Company to handle in-house IAM, but regional compliance requirements necessitated multiple IAM solutions.

This fragmented approach introduced complexity in threat detection, incident response, and enforcing zero trust principles. To address this, Telenor launched a unified security strategy called “OneSecurity”—a coordinated effort across all business units and platforms. This common function allowed teams to share threat intelligence, manage vulnerabilities, and practice group-wide incident response, ultimately strengthening their security posture.

Watne’s insight underscores a growing reality: in global enterprises, scalable IAM isn’t about a single solution—it’s about orchestrating people, processes, and platforms around a shared security vision.

Understanding IGA and IAM

For the purposes of this white paper, it is important to differentiate between these two separate but inseparable disciplines:

IGA (Identity Governance and Administration) – The nerve centre
IGA is the oversight layer setting the rules, ensuring compliance, and continuously validating access decisions.

IGA is the policy and oversight framework that:

* Defines who should have access and why
* Enables periodic reviews and certifications of access rights
* Ensures compliance with regulations (e.g., SOX, GDPR, NIS2)
* Audits and provides transparency into how access is granted, used, and reviewed

IAM (Identity and Access Management) – The gatekeeper and operational management mechanism
IAM is both the gatekeeper and operational management mechanism, effectively making real-time decisions about who gets in and what they can do. Operationally, it is responsible for:
* Authenticating and authorizing users
* Managing digital identities
* Granting or revoking access to systems, apps, or data
* Deploying user tools (e.g., Single Sign-On (SSO), Multi-Factor Authentication (MFA), and Password Management)

Coalition, a cyber insurance provider, reports in its 2025 Cyber Threat Index that compromised credentials and software exploits were the top two drivers of ransomware attacks in 2024. Of these, compromised credentials accounted for an unacceptable 47%. This underlines the critical need for effective identity governance to prevent access-related vulnerabilities from being exploited in increasingly sophisticated attacks. (Source: Coalition 2025 Cyber Threat Index)

2. The IAM Imperative

IAM is no longer a backend IT function – it is a frontline business enabler and a central part of digital risk management. Yet for many critical infrastructure sectors, IAM capabilities remain underdeveloped, inconsistently applied, or siloed. As threats proliferate and regulatory demands grow, the ability to govern digital identities and their access rights has become mission critical.

Key challenges include:

* Limited visibility over who has access to what systems and data.
* Inconsistent joiner-mover-leaver processes.
* Over-reliance on manual controls and outdated directory services.
* Weak privilege escalation controls and dormant admin accounts.

Case Study: The Norsk Hydro Cyberattack

Frontline Insights: The Norsk Hydro cyberattack – a reflection on the importance of securing digital identities

Protecting against cyberattacks accessing IT and operational technology (OT) is a growing priority across all critical infrastructure sectors. Over the last three years alone, DNV research has shown rising concern among industry leaders about cyber threats. Criminal gangs, state actors, and current or former insiders pose particular risks, often compromising security unintentionally or maliciously—through revealing passwords, responding to phishing emails, or bypassing authentication measures.

These concerns have coincided with high-profile examples of attackers exploiting weaknesses in Identity and Access Management (IAM) to gain access to IT systems. The Norsk Hydro cyberattack is one such case, where attackers used a phishing email to infiltrate the network and move laterally through systems using legitimate credentials.

This incident serves as a stark reminder that IAM—ensuring only authorized people can access critical resources—is a key pillar of robust cybersecurity infrastructure. Despite this, many organizations still struggle with even basic IAM and see it as a technical function within IT, rather than a strategic business capability.

Key Takeaways:

* Strong IAM practices could have helped detect and contain the breach earlier.
* The incident demonstrates how compromised identities can be leveraged for widespread disruption.
* Organizations must treat IAM as a strategic enabler for resilience, not just a compliance checkbox.

Why Critical Infrastructure Is Uniquely Vulnerable

Critical infrastructure operates in a complex web of IT, OT, and third-party systems. Unlike traditional IT environments, OT systems often lack mature identity controls and may not support modern authentication standards. Insecure remote access, poor segmentation, and legacy protocols expose these environments to identity-based attacks.

Moreover, the rise of digital transformation initiatives, including IoT integration and cloud adoption, means that identity perimeters are fluid and constantly expanding. Every new system, device, or user introduces potential risk—unless governed by consistent identity policy and access controls.

New Thinking: IAM as a Security Fabric

IAM is not just a project—it’s a security fabric. IAM should underpin every process and technology stack, from field sensors to cloud analytics platforms. A maturity-based, capability-driven model should define how IAM services are rolled out across both IT and OT. This includes moving away from reactive control models to predictive governance, where behaviour, risk posture, and business criticality dynamically inform access decisions.

The security fabric concept also emphasizes shared accountability between cybersecurity, operations, HR, and business leadership. IAM becomes most effective when it is embedded in enterprise architecture, mapped to regulatory compliance, and driven by real-time risk insights.

Strategic Actions:

* Embed IAM in digital transformation roadmaps.
* Create shared KPIs for IAM effectiveness across departments.
* Implement risk-adaptive access controls powered by analytics and AI.
* Normalize IAM as part of business continuity and crisis response planning.

From IT-Only IAM to Whole-of-Business Identity Governance

To respond effectively, critical infrastructure organizations must broaden the scope of IAM from IT-only to enterprise-wide identity governance. This means:

* Centralizing identity intelligence to get a unified view of who has access to what.
* Automating access workflows to reduce manual errors and enable faster responses.
* Implementing policy-based access controls tied to roles and risk profiles.
* Extending IAM capabilities to OT environments with secure gateways, segmentation, and MFA.

3. The IAM Landscape & Business Obligations

The rise of hybrid work and cloud adoption is reshaping the enterprise landscape. With more employees working remotely, organizations are relying on cloud-based systems to maintain collaboration and productivity. However, this shift has introduced new challenges in identity and access management. The corporate perimeter is no longer confined to physical offices, and securing digital identities across multiple environments is paramount.

Zero Trust

Zero-Trust frameworks have gained significant traction as organizations seek to ensure that no one, inside or outside the network, is automatically trusted. This model insists on constant verification of identity and access privileges for every user, device, and application. Without implementing Zero Trust, many organizations are exposed to unnecessary risks in their IAM strategies.

Compliance

The regulatory and compliance landscape is also evolving. In particular, frameworks like GDPR and NIS2 require organizations to implement stringent measures around personal data access, storage, and protection. These regulations are designed to ensure that organizations maintain control over digital identities, preventing unauthorized access to sensitive data. Non-compliance can result in severe penalties, making IAM and IGA board-level priorities for risk mitigation.

Among the recent regulatory fines in Europe related to deficiencies in Identity and Access Management (IAM) and Identity and Access Governance (IAG), the most recent is the €251 million fine imposed on Meta Platforms Ireland Limited by the Irish Data Protection Commission (DPC) on December 17, 2024.

This fine was due to a 2018 data breach that exposed personal data of approximately 29 million Facebook users, including around 3 million in the EU/EEA. The breach occurred because unauthorized third parties exploited vulnerabilities in Facebook’s “View As” feature, allowing them to access user profiles and associated personal data.

The DPC found that Meta had failed to implement appropriate technical and organizational measures to protect user data, leading to violations of Articles 25(1) and 25(2) of the General Data Protection Regulation (GDPR). Consequently, Meta was reprimanded and fined €251 million.

CIOs and CISOs must now recognise IAM and IGA as core pillars of their cybersecurity posture. Identity governance isn’t just about enforcing policies—it’s also about ensuring business continuity, safeguarding operational data, and complying with industry standards. Implementing strong IAM systems allows organizations to mitigate risks, protect sensitive data, and reduce the attack surface caused by unmanaged identities.

4. Key Challenges in Identity Governance & Administration

As organizations scale and diversify their digital ecosystems, the governance of identities and access rights becomes increasingly complex. The following key challenges reflect the most pressing issues faced by organizations today, each representing a critical friction point in achieving secure, efficient, and compliant identity governance. 

Visibility & Control – Managing access across hybrid environments

As organizations transition to hybrid environments, visibility and control over user access become increasingly difficult to maintain. The complexities of managing identities across cloud environments, legacy systems, and third-party platforms create numerous opportunities for unauthorized access and increased risk exposure. This challenge highlights the importance of developing a unified view of access control and ensuring that the principle of least privilege is enforced across all access points.

Compliance & Auditing – Meeting stringent regulatory standards

Organizations are facing growing regulatory pressures related to data access and management. Regulations such as GDPR and NIS2 impose strict requirements around the management of identities and access to sensitive data. Compliance with these regulations requires robust IAM and IGA practices to avoid legal and financial penalties while maintaining operational efficiency.

Automation & AI – The role of intelligent access provisioning

Automation and AI are becoming increasingly important in reducing the risk of human error and improving efficiency in identity governance. Intelligent systems can detect anomalies in user behaviour, automate access reviews, and manage identity lifecycles, thus improving overall security and reducing the workload on security teams.

User Experience vs. Security – Balancing frictionless access with risk reduction

Organizations must balance the user experience with security. While frictionless access is crucial for productivity, it can introduce security vulnerabilities if not properly managed. IAM solutions need to ensure that access is both secure and seamless for users to avoid unnecessary bottlenecks and reduce the potential for breaches.

5. Strategic Approaches to IAM and IGA

Addressing the identity challenge requires a proactive and strategic mindset. The following approaches highlight how organizations can modernize their IAM and IGA practices—balancing risk mitigation with operational agility through proven principles and emerging technologies.

Zero Trust & Least Privilege – Why they are the foundation of modern IAM

Zero Trust and the principle of least privilege form the foundation of any modern IAM strategy. Zero Trust assumes no implicit trust, meaning every access request must be continuously validated, regardless of the user’s location or origin. By integrating Zero Trust principles with IAM, organizations can ensure more granular control over access and reduce the attack surface.

Identity Lifecycle Management – Best practices for access control

Effective identity lifecycle management ensures that user access rights are appropriately granted, modified, and revoked throughout their tenure. Best practices include regular access reviews, integration with HR systems to automate user provisioning and de-provisioning, and enforcing least privilege to limit users’ access to only the resources necessary for their roles.
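
One way to automate the access review and HR reconciliation described above, as an added example that is not from the white paper or from DNV. The HR export, role baseline, account records, finding names and the 90-day dormancy threshold are all constructed assumptions.

```python
from datetime import date

# Constructed sample data (assumptions, not from the white paper).
HR = {  # HR system of record: employee id -> status and current role
    "E100": {"status": "active", "role": "plant-operator"},
    "E101": {"status": "active", "role": "finance-analyst"},  # mover
    "E102": {"status": "terminated", "role": "it-admin"},     # leaver
    "E103": {"status": "active", "role": "it-admin"},
}
ROLE_BASELINE = {  # entitlements each role is supposed to hold
    "plant-operator": {"scada-view", "hmi-operate"},
    "finance-analyst": {"erp-read", "erp-report"},
    "it-admin": {"ad-admin", "vpn"},
}
ACCOUNTS = [  # directory export: one record per account
    {"user": "alice", "owner": "E100", "admin": False,
     "last_login": date(2025, 8, 20), "entitlements": {"scada-view", "hmi-operate"}},
    {"user": "bob", "owner": "E101", "admin": False,
     "last_login": date(2025, 8, 19),
     "entitlements": {"erp-read", "erp-report", "hmi-operate"}},
    {"user": "carol", "owner": "E102", "admin": True,
     "last_login": date(2025, 3, 1), "entitlements": {"ad-admin", "vpn"}},
    {"user": "dave-adm", "owner": "E103", "admin": True,
     "last_login": date(2025, 2, 10), "entitlements": {"ad-admin", "vpn"}},
    {"user": "svc-historian", "owner": None, "admin": False,
     "last_login": None, "entitlements": {"scada-view"}},
]


def review_access(hr, baseline, accounts, today, dormant_days=90):
    """Return (user, finding, detail) tuples for accounts that need attention."""
    findings = []
    for acct in accounts:
        person = hr.get(acct["owner"])
        if person is None:
            # No accountable human owner: orphaned or ungoverned service account.
            findings.append((acct["user"], "NO_OWNER", "no HR record owns this account"))
        elif person["status"] != "active":
            # Leaver whose access was never revoked.
            findings.append((acct["user"], "LEAVER_ACTIVE",
                             f"owner {acct['owner']} is {person['status']}"))
        else:
            # Privilege creep: entitlements beyond the owner's current role.
            excess = acct["entitlements"] - baseline.get(person["role"], set())
            if excess:
                findings.append((acct["user"], "EXCESS_ENTITLEMENT",
                                 ", ".join(sorted(excess))))
        if acct["admin"]:
            last = acct["last_login"]
            if last is None or (today - last).days > dormant_days:
                detail = "never logged in" if last is None else f"last login {last.isoformat()}"
                findings.append((acct["user"], "DORMANT_ADMIN", detail))
    return findings


if __name__ == "__main__":
    for user, finding, detail in review_access(HR, ROLE_BASELINE, ACCOUNTS,
                                               today=date(2025, 8, 22)):
        print(f"{user:15} {finding:20} {detail}")
```

In practice the three inputs would be exports from the HR system, the role catalogue and each directory, and the findings would feed the review and attestation queue rather than a print statement.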

AI & Automation in IGA – Reducing human error and increasing efficiency

Leveraging AI and automation in IGA processes helps organizations streamline access reviews, reduce human error, and ensure that compliance requirements are met. AI can automate the detection of suspicious activities, enabling proactive threat management.

Third-Party & Supply Chain Risks – Addressing vulnerabilities beyond internal users

As organizations increasingly rely on third-party vendors and partners, managing access rights across external parties is crucial. Supply chain vulnerabilities can pose significant risks, and ensuring that third-party access is appropriately governed is a critical component of a comprehensive IAM strategy.

6. The Future of Identity Governance

As digital ecosystems continue to evolve, so too must the strategies that govern them. The future of identity governance is being shaped by emerging technologies, new risk models, and a growing demand for user-centric security. The following trends highlight where identity management is heading—and why future-proofing IAM strategies is now a critical priority for leadership.

Emerging trends (Decentralized Identity, Blockchain in IAM, Passwordless Authentication)

The future of identity governance is being shaped by innovative technologies. Decentralized identity models, powered by blockchain, are providing users with greater control over their identity and access management, moving away from centralized identity systems. Passwordless authentication is also gaining traction, improving both security and user experience by eliminating the vulnerabilities inherent in traditional password-based systems.

The impact of AI/ML on risk-based access control

AI and machine learning are expected to revolutionize IAM by enabling more dynamic, risk-based access control. These technologies can assess risk in real-time, dynamically adjusting user access based on behaviour, context, and risk levels, offering enhanced protection against evolving threats.

Why CIOs must future-proof their IAM strategies

CIOs must anticipate the future needs of their organizations by investing in scalable, flexible IAM systems that can adapt to emerging technologies and growing regulatory requirements. By adopting forward-thinking IAM solutions, CIOs can ensure their organizations are well-positioned to manage risks effectively and remain compliant in the face of evolving cybersecurity challenges.

Summary of Key Insights

The complexity of modern identity governance and access management is increasing, driven by digital transformation, hybrid work, and emerging technologies. IAM and IGA are now core pillars of enterprise cybersecurity, protecting organizations from the growing risks posed by compromised credentials and unauthorized access.

Actionable Next Steps for CIOs

CIOs must prioritize the implementation of robust IAM and IGA strategies that ensure compliance, minimize risk, and improve operational efficiency. By adopting Zero Trust, embracing automation, and leveraging AI for risk-based access control, organizations can strengthen their security posture and future-proof their identity management processes.

Invitation to Explore DNV Cyber’s Solutions

Explore how DNV Cyber’s solutions can help your organization manage identity governance, mitigate risks, and comply with evolving regulations. Contact us today to learn more about securing your critical infrastructure.
