Managing risk is a constant concern for enterprises. Where that risk resides within IT infrastructure has evolved over time, but that evolution is now accelerating. As a result, many organizations are finding that familiar risk management and governance practices are no longer sufficient.
Risk expanding beyond the core
Traditionally, enterprise leaders have thought about risk as something that lives inside core systems -- and through access to those systems. Much of that framing still holds. But exposure to risk has expanded beyond the core into areas once considered peripheral to IT decision-making.
What's changed is not simply where risk shows up, but when it begins to form. Increasingly, exposure is created at the very beginning of planning, before decisions feel formal or fully defined. Once a decision is made, it becomes much harder to unwind, constrained by timelines, vendor models, organizational structures and other factors that are no longer entirely within an organization's control.
Many technology decisions that once unfolded over years are now being made in months, or even weeks. When decisions were slower, governance models could adapt as systems evolved. Today, commitments harden earlier, often before organizations fully understand the downstream implications. Risk forms upstream of deployment, not downstream of failure -- a pattern reinforced by shortening enterprise software adoption cycles.
This shift requires a reset in how enterprise leaders think about risk. It isn't just about systems and access anymore; it's about decision-making itself -- and when decision-making actually starts. In many cases, exposure begins before an organization even realizes a decision is being made.
Seen this way, the risk question facing enterprise leaders is no longer just about protecting core systems once they are in place. Instead, it is about recognizing how exposure begins to take shape much earlier, as assumptions are set and decisions quietly bind future outcomes. Risk follows decision-making now, not deployment -- and that shift changes where leaders need to pay attention first.
Nowhere is this shift more visible than in identity, which has moved from being a gate into core systems to something that increasingly influences how access, roles and trust take form early on.
Where enterprise risk forms
Traditionally, the role identity played in enterprise risk thinking was fairly straightforward: It was about making sure only the right people had permission to access specific resources. Identity protected data, infrastructure and core business operations. If access was properly controlled, risk was assumed to be contained.
That role has expanded significantly. Identity now sits across nearly every part of the enterprise application stack. It has moved to the top of the pyramid, shaping how systems connect, how workflows operate and how decisions flow across the organization. Rather than simply gating access to core systems, identity increasingly defines how people interact with the enterprise itself -- particularly through identity-driven access across endpoints and applications.
As identity has taken on this more central role, it has also compounded risk. Failures in identity and access management (IAM) no longer affect a single system or function. They can cascade across applications, teams and processes simultaneously. Where identity issues were once largely contained within core IT environments, they now carry broader consequences because so much else depends on them.
That dynamic explains why identity now behaves less like a control and more like an amplifier. When identity shapes access, roles and trust across systems at once, even small misalignments can have outsize effects.
Identity, in this sense, is no longer just about identification. It has become a kind of operating persona -- a nonvisual avatar that represents each employee across systems, tools and workflows. That persona determines what someone can see, do and influence, often long before a decision ever reaches a core platform or formal approval process.
As identity has moved into this central role, it has also become one of the most consequential amplifiers of enterprise risk. When identity shapes access, roles and trust across systems simultaneously, even small failures can propagate widely. That dynamic matters most at the moment identity is first created and begins to spread -- which is why people and hiring processes now play a much larger role in the enterprise risk picture than they once did.
Why identity now sits at the center of enterprise risk
Identity increasingly determines access before application selection.
Roles are often provisioned before workflows are fully defined.
Identity policies frequently outlive individual systems and platforms.
Identity failures propagate across tools simultaneously.
Calling identity a persona or "top of the pyramid" isn't poetic shorthand. It reflects observable system behavior that has been evolving for years.
Hiring and people as an early risk surface
Hiring-related risk traditionally centered on the hiring process itself -- not on the systems a new hire's identity enabled them to access, or the kind of exposure that access created across the enterprise.
Today, just because you hire a good, honest employee does not mean risk is zero. That has never really been the case, given the ongoing realities of compliance, security and governance. But risk is higher now. This is not simply because people are people, or because they don't always follow perfect security hygiene; risk is higher because those kinds of issues now have much larger consequences. An employee's identity, in the system-access and usage sense, is embedded across far more applications, systems and platforms throughout the enterprise. A small compromise in one place is more likely to lead to cascading negative effects elsewhere.
Once a corporate identity is created, it opens access to corporate resources and networks. That process often happens very early and is frequently automated -- particularly as organizations pursue faster, more automated hiring and onboarding.
Hiring, simply bringing someone into the organization, becomes ground zero for risk because this is where all of that begins. This is the point at which identity is created, access is enabled and exposure starts to take shape -- often before teams fully appreciate how broadly that identity will travel.
Mobile devices and endpoints as an expanded risk surface
Traditionally, enterprises thought about endpoints and devices as a source of risk unto themselves. The focus was on the data that lived on those devices and the access they had to systems and resources.
That framing changes once identity is fully brought into the equation. Identity is now global across the enterprise infrastructure, from the edge inward. When identity functions this way, a compromise no longer stays local. It opens the potential for much broader exposure because that same identity connects to so many systems at once.
That makes risk harder to contain for a simple reason: It becomes harder to consistently confirm that the person using a device is who they say they are. Even small breaks in trust can ripple outward when identity is the connective tissue tying systems together.
Partners, platforms and ecosystems as an expanded risk geography
Traditionally, enterprises tended to think about risk from vendors, partners and external platforms as relatively contained. Trust existed, but it was bounded. Each organization managed its own governance, security and controls, and integration points were limited enough that exposure could be isolated if something went wrong. That assumption has become harder to maintain as platforms and services have moved from the edges of IT into the center of daily operations. What were once supporting tools are now deeply embedded in how work gets done, how data moves and how decisions are made across organizations -- particularly as enterprises rely on deeply integrated collaboration and platform ecosystems.
Identity, access and workflows no longer stop neatly at organizational boundaries. Visibility becomes fragmented. Responsibility becomes harder to assign. Over time, it becomes genuinely difficult to tell where the enterprise ends and the ecosystem around it begins.
The tighter the integration, the harder it becomes to isolate risk -- and the harder it becomes to unwind decisions once they are embedded across organizations.
When identity extends beyond people
As organizations deploy AI copilots and automated workflows, IAM is no longer limited to human users. These systems grant software agents access to data, systems and decision-making authority -- often using governance models designed for people, not machines.
The result is a new class of ecosystem risk, where visibility and control can erode even as automation improves efficiency.
Why this shift is surfacing now
Pressure to move faster has always existed. What has changed is the pace and the accumulation of decisions made earlier, automated sooner and integrated more deeply.
Risk has not increased overnight. It migrated outward over time as infrastructure became more distributed, more identity-driven and more tightly interconnected.
This is not a failure of intent or discipline; it is a structural reality of modern IT environments, and one that traditional governance models were never designed to handle at this scale.
The challenge enterprise leaders face today is not that risk has suddenly increased, but that it has moved outward, earlier and into places that traditional control models were never designed to reach. Recognizing that shift is the first step toward understanding why risk feels harder to manage now, even when organizations are doing many of the right things.
James Alan Miller is a veteran technology editor and writer who leads Informa TechTarget's Enterprise Software group. He oversees coverage of ERP & Supply Chain, HR Software, Customer Experience, Communications & Collaboration and End-User Computing topics.