It’s Not Weak Passwords – It’s Fragmented Identities That Keep CISOs Awake

22.10.2025


Author: Mika Aromaa, CEO of Trivore

The three biggest data breaches of 2024 had one thing in common: the attackers walked in using ordinary, fake passwords. Ticketmaster, Change Healthcare, and AT&T had a combined total of nearly 900 million records stolen. The reason was not weak passwords but the fact that no one could see the fragmented jumble of identities scattered across dozens of different systems.

These weren’t isolated lapses. They were symptoms of a broader visibility problem that affects nearly every large organisation.

According to IBM’s recent Cost of a Data Breach study, nearly half of all data breaches are caused by a breach of trust: phishing, identity theft, malicious insiders or misuse of third-party access. If internal errors and misconfigurations are included, the share rises to well over half. The majority of data breaches are therefore not caused by exotic vulnerabilities but by fragmented and poorly managed identities.

Identity Sprawl Has Become the New Attack Surface

Over the past decade, the way we manage identities has changed beyond recognition. Most organisations today use a mix of HR systems, Active Directory, Azure AD, cloud applications, and partner portals – each with its own user store and access policies. The result is what analysts call identity sprawl: a landscape where every system, project, or business unit becomes its own miniature identity silo.

Today, employees often have dozens of separate digital identities across internal and external systems. One study found that 60% of organisations have more than 21 separate identities per user. Another recent report shows that companies have an average of 93 applications in use – more than 230 in large enterprises. This creates a wide, fragmented attack surface.

Many of these accounts are duplicated, outdated, or orphaned when people change roles. Contractors and partners often receive temporary credentials that linger long after their projects end. From a security standpoint, every one of these forgotten accounts is a potential entry point.
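The visibility problem described above can be made concrete with a reconciliation check. The following is an added example, not code from the article or from Trivore: it joins accounts harvested from several independent user stores against an HR record (treated here as the authoritative source) and reports enabled accounts with no living owner, contractor credentials that outlived their engagement, and how many separate identities each person carries. The store names, people and accounts are constructed sample data; in practice the account lists would come from each system's directory or SCIM export.

```python
"""Cross-system identity reconciliation against an HR source of truth.

Constructed example: the HR records, store names and accounts below are
hypothetical sample data, not taken from any real environment.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Person:
    person_id: str
    email: str
    status: str                  # "active" or "left"
    kind: str                    # "employee" or "contractor"
    end_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    email: Optional[str]         # the one attribute most stores share with HR; None = owner unknown
    enabled: bool


# Constructed HR data: one active employee, one leaver, one contractor whose engagement ended.
HR = [
    Person("p1", "anna@example.com", "active", "employee"),
    Person("p2", "ben@example.com", "left", "employee", date(2024, 3, 31)),
    Person("p3", "cara@partner.example", "active", "contractor", date(2024, 6, 30)),
]

# Constructed account dump from four hypothetical user stores.
ACCOUNTS = [
    Account("ad", "anna", "anna@example.com", True),
    Account("azuread", "anna@example.com", "anna@example.com", True),
    Account("crm", "anna.k", "anna@example.com", True),
    Account("ad", "ben", "ben@example.com", False),           # disabled at offboarding
    Account("crm", "ben.s", "ben@example.com", True),         # never removed from the CRM
    Account("partner-portal", "cara", "cara@partner.example", True),  # contract ended
    Account("crm", "svc_report", None, True),                 # nobody in HR owns this
]


def link_accounts(people, accounts):
    """Match accounts to HR persons by e-mail (case-insensitive).

    Returns (person_id -> [accounts], [accounts with no HR match]).
    """
    by_email = {p.email.lower(): p for p in people}
    linked = defaultdict(list)
    unmatched = []
    for acct in accounts:
        person = by_email.get((acct.email or "").lower())
        if person is None:
            unmatched.append(acct)
        else:
            linked[person.person_id].append(acct)
    return dict(linked), unmatched


def find_orphans(people, accounts):
    """Enabled accounts with no living owner: unmatched in HR, or owner has left."""
    linked, unmatched = link_accounts(people, accounts)
    status = {p.person_id: p.status for p in people}
    findings = [(a.system, a.username, "no owner in HR") for a in unmatched if a.enabled]
    for pid, accts in linked.items():
        if status[pid] == "left":
            findings.extend((a.system, a.username, "owner has left") for a in accts if a.enabled)
    return sorted(findings)


def find_lingering_contractors(people, accounts, today):
    """Enabled accounts belonging to contractors whose end date has passed."""
    linked, _ = link_accounts(people, accounts)
    by_id = {p.person_id: p for p in people}
    findings = []
    for pid, accts in linked.items():
        p = by_id[pid]
        if p.kind == "contractor" and p.end_date is not None and p.end_date < today:
            findings.extend((a.system, a.username) for a in accts if a.enabled)
    return sorted(findings)


def identities_per_person(people, accounts):
    """How many separate accounts each HR person has across all stores."""
    linked, _ = link_accounts(people, accounts)
    return {pid: len(accts) for pid, accts in linked.items()}


if __name__ == "__main__":
    print("orphans:", find_orphans(HR, ACCOUNTS))
    print("lingering contractors:", find_lingering_contractors(HR, ACCOUNTS, date(2025, 1, 1)))
    print("identities per person:", identities_per_person(HR, ACCOUNTS))
```

Matching on e-mail is the weak point of any such join: stores that only carry a local username (the `svc_report` case) cannot be linked at all and surface as ownerless, which is exactly the signal a governance team needs to chase.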

Nordic enterprises face a particular irony: their strengths have accelerated the problem. Organisations that adopted cloud services early, built distributed operations, and integrated deeply with supplier networks now find themselves managing identities across dozens of disconnected systems. The fragmentation isn’t a sign of poor planning – it’s the inevitable result of digital transformation without identity federation.

Why Traditional IAM Tools Are Struggling

Traditional IAM (Identity and Access Management) systems were built for a different world: one where most users and applications lived inside the perimeter, connected to a central directory. They excelled at controlling who could access what within a well-defined boundary. But today’s IT environment has no clear boundary. Modern organisations operate across multiple clouds, integrate external services through APIs, and rely on partner ecosystems. Each new connection adds complexity and weakens the notion of a single “source of truth.”

In practice, most traditional IAM systems end up covering only a fraction of the application landscape. Because of architectural, integration, and feature limitations, they are typically connected to just a handful of older, on-premises systems – often five to ten at most. The vast majority of modern SaaS and cloud applications that employees use daily remain outside the IAM perimeter, relying instead on isolated credentials and inconsistent policies. As a result, the potential benefits of IAM – visibility, control, and risk reduction – never extend to where most identities actually live.

Analysts like Gartner have been warning about this for years. The problem isn’t that we don’t know – it’s that traditional IAM vendors keep selling the same architecture. The scale of this fragmentation makes effective governance increasingly difficult. Legacy IAM tools aren’t failing because they’re poorly designed. They’re failing because they’re solving a 2010s problem.

Fragmentation Turns Risk into Routine

In security, the biggest risks are often the quiet ones: the routine operations that nobody checks because they “just work.” When identities are scattered, even routine processes become risky. Provisioning new users takes longer. Offboarding leaves gaps. Audit teams can’t reconcile who has access to what. Security policies drift apart between systems. And when a breach does occur, tracing the path of compromised credentials across dozens of disconnected systems can take weeks.

Fragmentation doesn’t only increase risk; it also multiplies cost. Every manual synchronisation, every duplicated access request, every audit exception consumes time from already stretched IT and security teams. The hidden cost of this daily friction is enormous – and largely invisible in most budgets.

The AI Oversight Gap

AI is accelerating both opportunity and risk. IBM’s 2025 report highlights a growing AI oversight gap: 13% of organisations have already suffered a breach involving their own AI models or applications – and 97% of those lacked proper AI access controls.

Shadow AI (unsanctioned use of AI) caused one in five of those breaches and added about USD 670,000 to the average cost. At the same time, attackers used AI in 16% of breaches, most often for AI-generated phishing and deepfake impersonation.

The result is a new class of “non-human identities” (models, agents and APIs) that now require the same governance and lifecycle control as employees or partners.

A Federated Approach to Identity

The good news is that fragmentation is not irreversible. Forward-thinking organisations are treating identity as a shared infrastructure layer: a control plane that connects rather than duplicates.

Instead of forcing all identities into one monolithic directory, a federated IAM model allows different systems to maintain ownership of their user data while being governed centrally. Policies, approvals, and lifecycle events are orchestrated from one place, using standard protocols and interfaces.
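To make the federated model tangible, here is an added example (not code from the article or from Trivore) of a central governance layer orchestrating lifecycle events across system-owned stores. Each store keeps its own users and its own entitlement names; the central layer holds only the policy (job role to entitlements per system) and, on a joiner, mover or leaver event from HR, computes the grants, revocations and disables each store needs. The `SystemStore` class is an in-memory stand-in for a real SCIM or directory connector, and the policy, systems and user are constructed sample data.

```python
"""Policy-driven lifecycle orchestration across federated user stores.

Constructed example: POLICY, the system names and the user are hypothetical.
SystemStore stands in for a SCIM or directory connector; a real deployment
would replace its methods with API calls while keeping the same plan/apply split.
"""
from dataclasses import dataclass, field

# Central policy: job role -> {system: entitlements that role should hold}.
# Systems keep their own entitlement vocabulary; the policy just references it.
POLICY = {
    "sales":   {"crm": {"sales-rep"}, "azuread": {"M365-E3"}},
    "finance": {"erp": {"ap-clerk"},  "azuread": {"M365-E3"}},
}


@dataclass
class SystemStore:
    """A system-owned user store: the system stays the owner of its user data."""
    name: str
    users: dict = field(default_factory=dict)   # username -> set of entitlements

    def entitlements(self, user):
        return set(self.users.get(user, set()))

    def apply(self, action, user, entitlement=None):
        if action == "grant":
            self.users.setdefault(user, set()).add(entitlement)
        elif action == "revoke":
            self.users.get(user, set()).discard(entitlement)
        elif action == "disable":
            self.users.pop(user, None)


def desired_state(role, status):
    """What central policy says the user should hold in each system."""
    if status != "active":
        return {}                     # leavers hold nothing anywhere
    return POLICY[role]


def plan_actions(user, role, status, stores):
    """Diff the policy against each store's actual state; return ordered actions."""
    desired = desired_state(role, status)
    actions = []
    for store in stores:
        have = store.entitlements(user)
        want = desired.get(store.name, set())
        actions += [("revoke", store.name, e) for e in sorted(have - want)]
        actions += [("grant", store.name, e) for e in sorted(want - have)]
        if status != "active" and user in store.users:
            actions.append(("disable", store.name, None))
    return actions


def handle_event(event, stores):
    """Apply one HR lifecycle event (joiner/mover/leaver) to every federated store."""
    actions = plan_actions(event["user"], event["role"], event["status"], stores)
    by_name = {s.name: s for s in stores}
    for action, system, entitlement in actions:
        by_name[system].apply(action, event["user"], entitlement)
    return actions


def demo():
    """Constructed scenario: a sales user moves to finance, then leaves."""
    stores = [
        SystemStore("crm", {"anna": {"sales-rep"}}),
        SystemStore("erp"),
        SystemStore("azuread", {"anna": {"M365-E3"}}),
    ]
    mover = handle_event({"user": "anna", "role": "finance", "status": "active"}, stores)
    leaver = handle_event({"user": "anna", "role": None, "status": "left"}, stores)
    return mover, leaver, stores


if __name__ == "__main__":
    mover, leaver, stores = demo()
    print("mover actions:", mover)
    print("leaver actions:", leaver)
    print("remaining users:", {s.name: s.users for s in stores})
```

The plan/apply split is the part worth keeping in a real implementation: the plan is a reviewable, auditable list of changes derived from policy, and the same diff logic doubles as a drift detector when run without applying anything.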

This model reflects the way Nordic organisations already work: distributed, collaborative, and pragmatic. It doesn’t require a “big bang” replacement of existing systems. It builds coherence from the top, ensuring that every identity (whether from HR, Azure AD, a supplier portal, or an AI agent) is part of the same governance fabric.

Analysts recommend centralising policy and automating identity workflows across federated systems to reduce exposure and improve detection and response. Just as importantly, such an approach gives teams back time – time to innovate, to strengthen controls, and to prepare for the regulatory demands of, e.g., NIS2 and the EU AI Act.

Bringing It All Together

The identity challenge facing Nordic enterprises is not a lack of technology or awareness – it’s fragmentation. Every year, more systems, suppliers, services and now AI agents enter the ecosystem, each with its own identity layer.

CISOs increasingly recognise that without federation and automation, this complexity will only grow – and with it, the risk of both breach and burnout. At Trivore, we see every week how Nordic organisations are reconnecting fragmented identity landscapes not by replacing everything, but by federating what they already have. It’s an approach that builds security through clarity, not complexity.

The question is no longer whether to modernise IAM – it’s how to do it without losing control. A federated, policy-driven model offers a realistic path: systems stay autonomous, but identity governance becomes central and visible. For Nordic CISOs managing NIS2 compliance, AI oversight, and identity sprawl across dozens of systems, this isn’t future planning. It’s the present.

For the Nordic CISOs who manage NIS2 compliance, AI oversight and identity sprawl across dozens of systems, this is not the future. This is today’s reality.

Identity cohesion requires deliberate design, not wishful thinking. The organisations that federate now will sleep through the night. Those who wait will have the conversation at 2 AM, with regulators, customers, and board members asking why basic visibility didn’t exist.

The only question that matters: how quickly can you bring clarity to what you already have?


Photographer: Jarno Hiltunen