
Reference Point
This article is written from one reference point only:
How identity actually behaves inside modern production systems. Not how we document it, not how tools describe it, and not how access reviews assume it works.
When you look at identity from that lens, a quiet but fundamental shift becomes impossible to ignore.
Identity is no longer just a security layer.
It is becoming the operating system of the modern enterprise.
The Shift No One Announced
There was no roadmap presentation.
No architectural review.
No executive decision.
Yet over the last decade, identity has absorbed responsibilities that operating systems traditionally owned:
- Deciding who can execute
- Deciding when execution is allowed
- Brokering trust between components
- Enforcing policy at runtime
- Orchestrating automation
- Gating system state changes.
Today, almost every critical action in an enterprise is mediated by identity:
- Code reaching production
- Infrastructure being created
- APIs being called
- Data being accessed
- Privileges being delegated.
Remove identity and systems don’t slow down; they stop functioning.
That’s the definition of an operating system.
Identity No Longer Just Answers “Who”
Classic IAM was built to answer one question:
Who are you?
Modern identity systems answer a very different set of questions:
- Is this action allowed right now?
- Under what conditions?
- From which environment?
- Triggered by which workflow?
- With what downstream impact?
Conditional access, workload identity, CI/CD pipelines, and policy engines have quietly turned identity into a decision runtime.
Identity now schedules work.
Identity now gates execution.
Identity now brokers trust between machines.
This is not an access control problem anymore.
It’s a control-plane problem.
Why This Matters: OS-Level Failure Modes Are Different
When an application fails, it crashes.
When infrastructure fails, it degrades.
When an operating system fails, something worse happens:
It behaves incorrectly while still running.
Identity failures increasingly look like this:
- Nothing is “down”
- No secrets are leaked
- Yet authority moves in ways no one intended.
A pipeline deploys more than expected.
A workload gains transitive trust.
A service identity propagates farther than designed.
This is not misconfiguration.
This is emergent behavior.
And emergent behavior only appears at system scale.
Non-Human Identities: The Processes of This OS
In operating systems, users don’t do the work.
Processes do.
Non-human identities are the processes of modern enterprises.
They include:
- CI/CD pipeline identities
- Workload and service identities
- API integrations
- Automation frameworks
- SaaS-to-SaaS connectors.
They don’t authenticate to log in.
They authenticate to execute continuously.
And increasingly, they:
- Create infrastructure
- Modify policies
- Deploy to production
- Move data across trust boundaries.
In other words, they don’t just use the system; they shape it.
CI/CD Pipelines: Kernel-Level Privilege, Quietly Granted
If identity is becoming the operating system, CI/CD pipelines are operating with kernel-level authority.
A mature pipeline can:
- Modify source code
- Deploy infrastructure
- Inject secrets
- Assume cloud roles
- Create or modify IAM policies
- Spin up new identities automatically.
And yet, pipelines are rarely modeled as privileged identities.
We audit developers.
We review pull requests.
But once code enters automation, trust expands dramatically.
The pipeline doesn’t ask “should this change exist?”
It asks “is this change valid?”
That distinction matters.
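The place where that distinction becomes concrete, and where the questions from the earlier section (from which environment, triggered by which workflow) are actually answered, is the trust condition a cloud role applies to a pipeline’s workload identity. The token proves the job is valid; the trust policy decides whether that job should hold the role. The following Python is an added example, not code from the article or from any vendor: the claim names follow GitHub Actions OIDC tokens and the condition operators follow AWS IAM trust-policy semantics, but every token and policy in it is constructed for illustration, and only the Condition block is modelled (Principal and Effect handling are omitted as assumptions).

```python
"""Evaluate a cloud role's trust conditions against a CI/CD workload-identity
token so that the answers to "from which repository, environment and workflow?"
are explicit.  Added example, not code from the article.  Claim names follow
GitHub Actions OIDC tokens and the condition operators follow AWS IAM trust
policies, but every token and policy here is constructed for illustration and
the function only models the Condition block (Principal/Effect checks omitted)."""
import re

OIDC = "token.actions.githubusercontent.com"   # condition-key prefix for this issuer


def _string_like(pattern: str, value: str) -> bool:
    """StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def trust_allows(trust_policy: dict, claims: dict) -> bool:
    """True if every condition in the policy holds for the presented claims.
    Condition blocks are AND-ed; a list of values for one key is OR-ed, as in IAM."""
    for operator, block in trust_policy["Condition"].items():
        for key, wanted in block.items():
            claim_name = key.split(":", 1)[1]            # "<issuer>:<claim>" -> claim
            actual = claims.get(claim_name)
            if actual is None:
                return False                             # a missing claim never matches
            candidates = [wanted] if isinstance(wanted, str) else list(wanted)
            if operator == "StringEquals":
                ok = actual in candidates
            elif operator == "StringLike":
                ok = any(_string_like(p, actual) for p in candidates)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


# Weak: trusts any workflow in any repository of the org, on any branch or PR.
WEAK_TRUST = {
    "Condition": {
        "StringEquals": {f"{OIDC}:aud": "sts.amazonaws.com"},
        "StringLike": {f"{OIDC}:sub": "repo:acme/*"},
    }
}

# Hardened: trusts exactly one repository's "production" environment, so only a
# job gated by that environment's protection rules can assume the deployment role.
HARDENED_TRUST = {
    "Condition": {
        "StringEquals": {
            f"{OIDC}:aud": "sts.amazonaws.com",
            f"{OIDC}:sub": "repo:acme/payments-api:environment:production",
        }
    }
}

# Constructed token claim sets (the JWT signature check is assumed to have passed).
TOKENS = {
    "prod-deploy": {"aud": "sts.amazonaws.com",
                    "sub": "repo:acme/payments-api:environment:production",
                    "repository": "acme/payments-api", "environment": "production",
                    "workflow": "deploy", "event_name": "push"},
    "pull-request": {"aud": "sts.amazonaws.com",
                     "sub": "repo:acme/payments-api:pull_request",
                     "repository": "acme/payments-api",
                     "workflow": "ci", "event_name": "pull_request"},
    "sandbox-main": {"aud": "sts.amazonaws.com",
                     "sub": "repo:acme/hackathon-sandbox:ref:refs/heads/main",
                     "repository": "acme/hackathon-sandbox",
                     "workflow": "deploy", "event_name": "push"},
}


def evaluate_all() -> dict:
    """Decision matrix {policy: {token: allowed}} for the two trust policies."""
    return {
        name: {t: trust_allows(policy, claims) for t, claims in TOKENS.items()}
        for name, policy in (("weak", WEAK_TRUST), ("hardened", HARDENED_TRUST))
    }


if __name__ == "__main__":
    for policy, decisions in evaluate_all().items():
        for token, allowed in decisions.items():
            print(f"{policy:8} {token:13} -> {'ALLOW' if allowed else 'DENY'}")
```

All three constructed tokens are cryptographically valid; the weak policy admits a pull-request build and an unrelated sandbox repository to the production deployment role because `repo:acme/*` only asks whether the token is from the org. The hardened policy pins the `sub` claim to one repository and one environment, which is the point at which “is this valid?” is replaced by “should this workflow hold this authority?”. Checking `aud` is not optional: without it a token minted for a different audience would satisfy the `sub` condition alone.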
The Uncomfortable Truth: Identity Risk Is Emergent
At OS scale, risk is rarely tied to a single control failure.
It emerges from:
- How identity decisions compose
- How trust propagates
- How automation chains together.
No individual policy looks wrong.
No single tool is broken.
Yet the outcome is unsafe.
What Professionals Are Starting to Do Differently
They are changing how they design.
1. They Model Identity Flows, Not Just Permissions
They ask:
- Where does authority originate?
- How does it propagate?
- Where does it become irreversible?
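Modelling flows rather than permissions means computing what an identity can reach through chained trust, not what is written on the role it holds directly; that is also where the emergent risk of the previous section becomes visible, because no single edge in the chain looks wrong. The following Python is an added example, not code from the article: it builds a constructed, hypothetical trust graph (pipelines, service accounts and roles that may assume other roles) and answers the three questions above for it. The edge model (principal can assume role) is a simplification of real cloud trust policies, and the permission strings are illustrative.

```python
"""Trace how authority propagates through chained assume-role trust so that
transitive reach, not just directly granted permissions, is what gets reviewed.
Added example, not from the article: the identities, roles and permissions are a
constructed toy estate, and the edge model (principal -> role it may assume) is a
simplification of real cloud trust policies."""
from collections import deque

# Constructed trust graph: (principal, role it is trusted to assume).
# Roles may themselves be principals, which is how chains form.
TRUST_EDGES = [
    ("pipeline:ci-build", "role:build-artifacts"),
    ("role:build-artifacts", "role:deploy-staging"),
    ("role:deploy-staging", "role:deploy-prod"),   # added "temporarily" for a hotfix
    ("pipeline:release", "role:deploy-prod"),
    ("role:deploy-prod", "role:iam-admin"),        # needed once to bootstrap a role
    ("sa:report-generator", "role:read-reports"),
]

# Constructed permissions attached to each role.
ROLE_PERMISSIONS = {
    "role:build-artifacts": {"s3:PutObject"},
    "role:deploy-staging": {"ecs:UpdateService/staging"},
    "role:deploy-prod": {"ecs:UpdateService/prod", "secretsmanager:GetSecretValue"},
    "role:iam-admin": {"iam:CreateRole", "iam:PutRolePolicy"},
    "role:read-reports": {"s3:GetObject"},
}

# Permissions that let the holder rewrite trust itself; reaching one is the point
# where a flow becomes hard to reverse, because the constraint can be edited away.
TRUST_EDITING = {"iam:PutRolePolicy", "iam:CreateRole"}


def _adjacency():
    adj = {}
    for src, dst in TRUST_EDGES:
        adj.setdefault(src, []).append(dst)
    return adj


def reachable_roles(origin):
    """Breadth-first walk over assume-role edges. Returns {role: path} with the
    shortest assumption chain from `origin` to each role it can end up holding."""
    adj = _adjacency()
    paths = {}
    queue = deque([(origin, [origin])])
    seen = {origin}
    while queue:
        node, path = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt in seen:
                continue                      # also terminates mutual-trust cycles
            seen.add(nxt)
            paths[nxt] = path + [nxt]
            queue.append((nxt, path + [nxt]))
    return paths


def direct_permissions(origin):
    """What a one-hop access review sees: roles `origin` assumes directly."""
    perms = set()
    for src, dst in TRUST_EDGES:
        if src == origin:
            perms |= ROLE_PERMISSIONS.get(dst, set())
    return perms


def effective_permissions(origin):
    """Union of permissions across every role `origin` can transitively assume."""
    perms = set()
    for role in reachable_roles(origin):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authority_origins(permission):
    """Every non-role principal that can reach `permission`, with its shortest path.
    Answers 'where does this authority originate?' for one capability."""
    principals = {src for src, _ in TRUST_EDGES if not src.startswith("role:")}
    result = {}
    for principal in sorted(principals):
        for role, path in reachable_roles(principal).items():
            if permission in ROLE_PERMISSIONS.get(role, set()):
                result[principal] = path
                break
    return result


def irreversible_flows():
    """Principals that can reach a trust-editing permission, with the path.
    Past that point the graph itself is writable by the identity being constrained."""
    flows = {}
    for perm in sorted(TRUST_EDITING):
        for principal, path in authority_origins(perm).items():
            flows.setdefault(principal, path)
    return flows


if __name__ == "__main__":
    for principal in ("pipeline:ci-build", "pipeline:release", "sa:report-generator"):
        direct = direct_permissions(principal)
        transitive_only = effective_permissions(principal) - direct
        print(f"{principal}: direct={sorted(direct)} transitive-only={sorted(transitive_only)}")
    for principal, path in irreversible_flows().items():
        print("irreversible:", " -> ".join(path))
```

In this constructed estate a review of `pipeline:ci-build` shows one permission, `s3:PutObject`, and every individual trust edge has a plausible justification; the walk shows the same pipeline reaching `iam:PutRolePolicy` four hops later. The output of `irreversible_flows` is the list to act on first, since those are the paths along which authority compounds rather than degrades.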
2. They Treat Non-Human Identities as Platform Components
Identities have:
- Ownership
- Versioning
- Lifecycle expectations
- Decommission paths
3. They Design for Blast Radius, Not Prevention
They assume:
- Misuse will happen
- Controls will fail.
The Future: Identity-Native Architecture
We’ll see:
- Identity treated as runtime infrastructure
- CI/CD pipelines as governed control planes
- Policy evaluated as execution logic
- “Assume misuse” replacing “assume breach”.
This isn’t about zero trust.
It’s about system trustworthiness.
The Paragraph That Changes the Frame
We don’t run modern enterprises on operating systems alone. We run them on identity systems.
Identity schedules work, enforces policy, brokers trust, and gates execution. When identity fails, systems don’t go offline; they behave incorrectly at scale.
Closing Thought
Secrets management tells us how securely an identity authenticates.
CI/CD pipelines determine how far that identity’s authority can travel.
The organizations that succeed won’t be the ones with the strongest secrets; they’ll be the ones that design identity so its authority degrades gracefully instead of compounding silently.
One-Line Takeaway
Identity is no longer a security layer. It’s the operating system your business now runs on.
Disclaimer: The views expressed in the content are solely those of the author and do not necessarily reflect the views of the IDPro organization.
Author

Malhar Vora is a Principal Security Engineer and Engineering & People Leader at ANZ Bank with nearly two decades of experience in identity and privileged access security within highly regulated financial environments.
He leads the solution and engineering delivery of enterprise-scale PAM platforms across on-premises and multi-cloud ecosystems, with a focus on systemic risk reduction and resilient identity controls.
Malhar mentors security engineers and collaborates closely with enterprise architecture, cloud, and risk teams to advance modern identity engineering practices.
He is a CyberArk MVP, frequent industry speaker, and active contributor sharing practical insights on identity-centric security and privilege risk management.