
When Identity Becomes Infrastructure

Identity is no longer just an access layer — it’s the infrastructure powering SaaS, cloud, and AI. Here’s what that shift means for security and governance.



Identity Used to Sit on Top of Infrastructure

For years, identity was treated as a supporting service. Users authenticated into systems that lived elsewhere — on servers, in data centers, behind networks.

Infrastructure came first. Identity followed.

That ordering no longer exists.


Today, SaaS platforms, cloud services, and APIs are built around identity, not protected by something underneath it. If identity fails, everything downstream fails with it.


Identity didn’t just move closer to infrastructure. It became the infrastructure.


The New Runtime Is Identity

Modern environments don’t run on hosts and IP addresses. They run on:

  • Users and roles

  • OAuth scopes and tokens

  • Service accounts and API keys

  • External identities and integrations


Every workflow — from CI/CD pipelines to CRM automations — is powered by identity-based trust decisions.


This is why the CISA Zero Trust Maturity Model places identity at the center of its architecture, not as a control layered on top of networking: https://www.cisa.gov/zero-trust-maturity-model

When identity becomes the runtime, security has to follow it.

Why Infrastructure Thinking Breaks Down

Traditional infrastructure security assumes:

  • Assets are deployed intentionally

  • Ownership is clearly defined

  • Access paths are stable


Identity-driven systems violate all three assumptions.


According to Waldo Security’s 2025 SaaS & Cloud Discovery Report:

  • 97% of SaaS applications are unknown to IT

  • 100% of organizations have unauthorized cloud accounts

  • Less than 1% of SaaS accounts enforce MFA


That means much of your “infrastructure” is:

  • Created without IT involvement

  • Accessed via delegated permissions

  • Invisible to traditional asset inventories


You can’t secure infrastructure you don’t know exists — especially when that infrastructure is identity-first.


OAuth Is the New Network Cable

OAuth is often described as a convenience feature. In reality, it functions like infrastructure wiring.

An OAuth token:

  • Grants persistent access

  • Operates without user interaction

  • Bypasses network controls

  • Often outlives the identity that created it


CISA’s Secure Cloud Business Applications (SCuBA) guidance warns that unmanaged OAuth connections create long-lived access paths that evade monitoring and survive offboarding: https://www.cisa.gov/secure-cloud-business-applications-scuba

When identity becomes infrastructure, OAuth becomes your most critical (and least visible) dependency.

Compliance Has Already Adjusted

Modern compliance frameworks no longer treat identity as optional context.

The NIST Privacy Framework and ISO/IEC 27001 both require:

  • Traceability of access

  • Accountability across systems

  • Continuous validation of permissions

These are infrastructure expectations — applied to identity.

If you can’t enumerate identities, tokens, and integrations, you can’t demonstrate control — no matter how strong your policies are.

What Changes When You Treat Identity as Infrastructure

When organizations make this mental shift, several things change immediately:

  1. Discovery Becomes Continuous: Identity surfaces appear daily. Inventory can’t be annual or manual.

  2. Offboarding Becomes Systemic: Removing a user isn’t enough. Tokens, integrations, and service access must be revoked everywhere.

  3. Ownership Becomes Explicit: Every identity — human or machine — needs a responsible owner.

  4. Security Moves Left: Identity decisions happen before data moves, not after an alert fires.

This is not an IAM upgrade. It’s an architectural change.
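One way to make the OAuth and offboarding points above concrete, as an added example that is not Waldo Security's code: a small audit over a constructed OAuth-grant export that flags grants whose owner is no longer an active identity, grants with no expiry, offline (refresh-token) grants that also carry write scopes, and grants unused for more than a threshold. The field names, the scope names and the 90-day threshold are assumptions; real IdP and SaaS exports differ.

```python
"""Audit a SaaS OAuth-grant inventory for tokens that outlive their owner.

Added example, not Waldo Security's code. It assumes a constructed export
with the fields app, owner, scopes, issued, last_used and expires.
"""
from datetime import date, timedelta

# Constructed sample: three third-party app grants in one tenant.
GRANTS = [
    {"app": "calendar-sync", "owner": "alice@example.com",
     "scopes": ["calendar.read"], "issued": "2025-01-10",
     "last_used": "2025-06-01", "expires": None},
    {"app": "crm-exporter", "owner": "bob@example.com",
     "scopes": ["contacts.read", "files.write", "offline_access"],
     "issued": "2024-03-02", "last_used": "2025-05-30", "expires": None},
    {"app": "ci-bot", "owner": "svc-ci@example.com",
     "scopes": ["repo.write"], "issued": "2025-05-01",
     "last_used": "2025-06-02", "expires": "2025-08-01"},
]
# Constructed HR/IdP view: bob has been offboarded; alice and the CI service account are active.
ACTIVE_IDENTITIES = {"alice@example.com", "svc-ci@example.com"}
WRITE_SCOPES = {"files.write", "repo.write"}   # assumed scope names
STALE_DAYS = 90                                 # assumed review threshold


def audit_grants(grants, active, today, stale_days=STALE_DAYS):
    """Return {app: [finding, ...]} for grants that need review or revocation."""
    findings = {}
    for g in grants:
        issues = []
        # The token outlives the identity that created it: the offboarding gap.
        if g["owner"] not in active:
            issues.append("orphaned: owner no longer active")
        # Persistent access with no expiry is an indefinite access path.
        if g["expires"] is None:
            issues.append("no expiry")
        # A refresh-token grant with write scopes operates without a user present.
        if "offline_access" in g["scopes"] and WRITE_SCOPES & set(g["scopes"]):
            issues.append("offline write access")
        # Unused grants are inventory debt: revoke rather than keep.
        unused = (today - date.fromisoformat(g["last_used"])).days
        if unused > stale_days:
            issues.append(f"unused for {unused} days")
        if issues:
            findings[g["app"]] = issues
    return findings


if __name__ == "__main__":
    for app, issues in audit_grants(GRANTS, ACTIVE_IDENTITIES, date(2025, 9, 15)).items():
        print(app, "->", "; ".join(issues))
```

Run against a real export, the orphaned and no-expiry findings are the ones to act on first, since they are the access paths that survive offboarding.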


Why Most Organizations Struggle With This Shift

Identity tooling evolved to manage employees — not ecosystems.

But today’s environments include:

  • Contractors and partners

  • SaaS-to-SaaS integrations

  • AI assistants and automation tools

  • Shadow cloud tenants


Without discovery, identity infrastructure quietly grows outside governance — until an incident or audit forces visibility.


How Waldo Security Supports Identity-Centric Infrastructure

Waldo Security’s SaaS & Cloud Discovery Engine is built for environments where identity is infrastructure.

It provides:

  • Continuous discovery of SaaS and Shadow CSP accounts

  • Visibility into OAuth tokens and delegated access

  • Mapping of identities across compliance frameworks

  • Real-time evidence for Zero Trust and audit requirements


Not by replacing IAM — but by giving it the visibility modern identity infrastructure demands.


Conclusion: Infrastructure Isn’t Hardware Anymore

Servers, networks, and data centers are no longer the backbone of modern organizations.

Identity is.

Every login, integration, and token is now an infrastructure decision — whether it’s governed or not.

When identity becomes infrastructure, security has to become identity-native.

👉 See how organizations are adapting to identity-centric environments in the 2025 SaaS & Cloud Discovery Report.


About Waldo Security

Waldo Security helps organizations discover, classify, and secure every SaaS and cloud service in use — known or unknown. By illuminating unmanaged identities, Shadow IT, and OAuth risk, Waldo enables security teams to operate confidently in identity-first environments.


