How identity becomes the control plane for Zero Trust—and why AI agents make identity even more important.
Key concepts
- Identity vs account: a person (or system) vs their representation inside an application.
- Attributes: data used for decisions (department, status, risk, device posture).
- Authentication vs authorization: proving identity vs deciding permissions.
- Lifecycle: joiner/mover/leaver events, provisioning, and revocation.
In practice
- What systems are involved (HR, directory, IdP, apps)?
- What’s the source of truth, and what’s derived?
- What identifiers are stable (employee ID) vs mutable (email)?
- What happens when something fails (retries, idempotency, rollback)?
Common pitfalls
- Treating email as a stable identifier.
- Confusing “group membership” with “business role.”
- Long-lived tokens/keys for automation.
- No ownership for entitlements (“who approves this?”).
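The lifecycle and identifier points above are easiest to see in code. The following is an added example (not from this page or any product it links to): a small joiner/mover/leaver reconciler that keys accounts on a stable employee ID, derives group membership from HR attributes rather than treating it as the source of truth, and is idempotent so a retry after a partial failure makes no further changes. The HR feed, account model and department-to-group mapping are all constructed for illustration; a naive email-keyed variant is included to show the orphaned-account pitfall.

```python
"""Idempotent joiner/mover/leaver reconciliation keyed on a stable identifier.
All data below is constructed sample input; the HR feed is the source of truth,
the application directory is derived from it."""
from dataclasses import dataclass, field


@dataclass
class Account:
    employee_id: str              # stable key: never changes for a person
    email: str                    # mutable attribute: renames, domain moves
    groups: set = field(default_factory=set)
    active: bool = True


# Constructed HR snapshot at time T0.
HR_FEED_T0 = [
    {"employee_id": "E100", "email": "a.lee@example.com", "department": "finance", "status": "active"},
    {"employee_id": "E101", "email": "b.ng@example.com", "department": "eng", "status": "active"},
]
# T1: E100 changes email and department (mover), E101 leaves, E102 joins.
HR_FEED_T1 = [
    {"employee_id": "E100", "email": "a.smith@example.com", "department": "eng", "status": "active"},
    {"employee_id": "E101", "email": "b.ng@example.com", "department": "eng", "status": "terminated"},
    {"employee_id": "E102", "email": "c.ray@example.com", "department": "finance", "status": "active"},
]

# Hypothetical mapping from an HR attribute to derived entitlements.
DEPARTMENT_GROUPS = {"finance": {"finance-readers"}, "eng": {"engineering"}}


def derive_groups(record):
    """Entitlements are derived from attributes; a non-active record gets none."""
    if record["status"] != "active":
        return set()
    return set(DEPARTMENT_GROUPS.get(record["department"], set()))


def reconcile(directory, hr_feed):
    """Drive `directory` (employee_id -> Account) to match `hr_feed`.

    Keyed on employee_id, so an email change updates the existing account
    instead of creating a duplicate. Applying the same feed twice produces
    no changes the second time, which makes retries safe. Returns the list
    of changes made, for audit logging."""
    changes = []
    for rec in hr_feed:
        eid = rec["employee_id"]
        wanted_groups = derive_groups(rec)
        wanted_active = rec["status"] == "active"
        acct = directory.get(eid)
        if acct is None:
            if not wanted_active:
                continue                      # never provision a leaver
            directory[eid] = Account(eid, rec["email"], set(wanted_groups), True)
            changes.append(("create", eid))
            continue
        if acct.email != rec["email"]:
            acct.email = rec["email"]
            changes.append(("email", eid))
        if acct.groups != wanted_groups:
            acct.groups = set(wanted_groups)  # revokes stale groups too
            changes.append(("groups", eid))
        if acct.active != wanted_active:
            acct.active = wanted_active
            changes.append(("activate" if wanted_active else "deactivate", eid))
    return changes


def naive_email_keyed(feeds):
    """The pitfall: keying on email and only ever adding. After the rename the
    old a.lee account is orphaned but still holds its groups, and the leaver
    is never deactivated."""
    directory = {}
    for feed in feeds:
        for rec in feed:
            if rec["status"] == "active":
                directory.setdefault(
                    rec["email"], Account(rec["employee_id"], rec["email"], derive_groups(rec)))
    return directory


def run_demo():
    """Apply T0, then T1, then T1 again (simulated retry)."""
    directory = {}
    first = reconcile(directory, HR_FEED_T0)
    second = reconcile(directory, HR_FEED_T1)
    third = reconcile(directory, HR_FEED_T1)   # retry must be a no-op
    return directory, first, second, third


if __name__ == "__main__":
    d, c0, c1, c2 = run_demo()
    print("T0 changes:", c0)
    print("T1 changes:", c1)
    print("retry changes:", c2)
    print("email-keyed account count:", len(naive_email_keyed([HR_FEED_T0, HR_FEED_T1])))
```

The change list is what you would write to an audit log; the fact that the third run returns an empty list is the idempotency property that makes "what happens when something fails" a non-event, because the failed batch can simply be re-run.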
Where to go next
- Access Management: /category/access-management
- IGA (lifecycle & governance): /category/iga
- PAM (privileged identities): /category/pam
- Identity for AI: /category/identity-for-ai
- Identity Security / Zero Trust: /category/identity-security
