Identity Security Fundamentals for Government Agencies

Meeting Zero Trust Mandates & Protecting Your Agency’s Potential Escalation Paths
Highlights from a conversation with Christopher Hills, Chief Security Strategist at BeyondTrust; Ross Foard, US Department of the Interior; Roman Kulbashny, US Department of Education; John Pretz, Internal Revenue Service; and Natasha Ibrahim, State of Maryland.
In a recent ATARC (Advanced Technology Academic Research Center)-hosted webinar, thought leaders from the Department of Education, Department of Interior, Maryland Department of Labor, IRS, and BeyondTrust discussed the changing threat landscape and its particular impacts on government agencies. During this session, each expert suggested how agencies can strengthen their identity security and privileged access management postures to meet these new and evolving threats. Read on for the highlights and key strategies recommended.
Understanding the Modern Threat Landscape
As agencies grow more connected, the threats they face increase dramatically, with both internal and external threats introducing a wide range of risks. These can include non-malicious misuse of privileges, but also fraud, organized crime, and even nation-state attacks. Minimizing risk starts with controlling who has access—and when—especially when privileged accounts are involved. As Natasha Ibrahim of the Maryland Department of Labor suggests, “The tension we face is balancing access for legitimate users with measures to prevent fraud. It’s about making access smooth for those who need it, but keeping fraudsters out.”
Here are the top strategies our experts say can make the biggest impact:
Enforce least privilege: “It’s about minimizing risks by being proactive and limiting who has what access. We’re working to ensure that any ‘superpowers’—that is, admin privileges—are carefully assigned and overseen.” —John Pretz, IRS
Authenticate and verify: “The challenge now is to identify everyone coming into our systems and verify their roles. We can’t just let anyone access everything. Even with internal staff, identity proofing is critical, and Zero Trust principles guide us in managing that access effectively.” —Ross Foard, Department of Interior
Keep policies consistent across platforms: “Our department is using a multi-cloud architecture, which complicates identity and access management. To address this, we’ve implemented a Secure Access Service Edge (SASE) framework that keeps identity policies consistent across cloud platforms.” --Roman Kulbashny, Department of Education
Privilege Pathways and the Principles of Zero Trust: Building Barriers for Threat Actors
Implementing a strong zero trust framework is another key strategy agencies are working towards. It defends against modern threats by going beyond the perimeter to block unauthorized access by both internal and external threat actors. To do this effectively, agencies can’t just think about privileges themselves, but must also defend the potential pathways to privileged access:
“In this digital identity era, your identity is the network boundary—attackers now target end users more directly because it's often easier to log in than to hack in. The challenge is that these identities often get managed in silos, creating visibility gaps that can be exploited. When we talk about Paths to Privilege™, we’re referring to the routes or connections that attackers exploit to gain access to privileges. They escalate access by leveraging weaknesses, whether it’s a misconfigured service or an exposed token.” -- Christopher Hills, BeyondTrust
Here are the zero trust principles our experts think could secure those pathways:
Map data flows and enforce policies at key junctions: “It’s all about mapping data flows and pinpointing where policy enforcement should happen. We need to disrupt potential paths that threat actors use to move laterally and escalate their privileges. Zero Trust is really about blocking those pathways to privilege.” -- Ross Foard
Know who and where the threats can come from: “It’s also crucial to understand the variety of adversaries we’re up against. It’s not just ‘adversary’ in capital letters. We’re dealing with insider risks, external criminals, and even unintentional misuse. When we talk about Zero Trust, it’s essential to design systems that take all these personas into account.” -- Natasha Ibrahim

Best Practices in Identity Security
Here are the top methods our experts say have helped agencies secure identities and protect privilege pathways, while still allowing for rapid response to changing threats.
Be identity aware: “Create an architecture that supports identity-aware policies. Our move to a multi-cloud environment forced us to rethink access management across systems, and we’ve leaned on solutions like Secure Access Service Edge (SASE) to maintain visibility and control.” --Roman Kulbashny, Department of Education
Combine data minimization with least privilege: “Data minimization is key. We only collect the data we absolutely need, and access is granted on a least-privilege basis. Being agile is another principle we prioritize. Adversaries are evolving, so we have to be able to adapt just as quickly.” -- Natasha Ibrahim
Practice strong security hygiene and governance: “Governance plays a huge role here, too. We focus on provisioning and de-provisioning, making sure accounts are disabled immediately when someone leaves. Governance is essential, but it has to be backed by resources to ensure rapid response.” -- John Pretz
Consider everyone a privileged user: “The account and the user ID that you log on to your computer with should always be considered a privileged user. This is where SSO and MFA are critical. Verify everyone before authorizing access—but also implement a just-in-time access model. If there are no standing privileges, there are fewer pathways to get to those privileges.” –Christopher Hills, BeyondTrust

The Next Wave of Evolution: AI in Identity Security
AI represents immense potential for identity security, but it also brings risk. Adversaries increasingly use AI to enhance their attacks:
Impersonation of digital identities: “The adversaries are using AI and machine learning to impersonate digital individuals accessing systems. This is one of the new, evolving threats that agencies have to consider. These tools allow attackers to script privileged access, making it essential for us to remain vigilant and disrupt these tactics as they appear.” --Ross Foard, Department of Interior
Organized attacks: “Now we’re facing organized attacks by AI-driven entities that aren’t restricted by government standards or regulations. This makes these AI-driven threats especially concerning because they’re fast-moving and highly capable.” --Roman Kulbashny, Department of Education
At the same time, agencies are racing to leverage AI for defense, where it presents both opportunities and challenges for bolstering identity security. Our experts advise proceeding with caution to ensure AI helps, not hinders, security.
“At the IRS, we see AI as a way to enhance human oversight, not replace it. AI helps us detect and prevent issues, but we still need humans behind those tools to ensure they’re used safely and responsibly.” --John Pretz, IRS
“AI is both an opportunity and a risk. Detection is invaluable, but without proper safeguards, it can lead to data exposure. We have to provide user training around AI usage, as misuse can introduce vulnerabilities. Even if you block AI on work devices, employees could still use it at home—so education is key. We can’t ignore the risks, even as we leverage AI’s benefits.” --Christopher Hills, BeyondTrust
“AI can offer amazing detection capabilities, but we can’t ignore its biases. In benefits programs, these biases can restrict access unfairly, especially when it comes to people with less stable phone numbers or specific demographic markers. We need to be cautious and ensure AI doesn’t unintentionally lock people out.” --Natasha Ibrahim

Conclusion & Next Steps
As our experts have underscored above, achieving secure identity and privilege management requires a proactive and adaptive approach. Today’s threats are continuously evolving, so in order to remain effective, our methods for detection, prevention, and response must continuously evolve, too. By prioritizing Zero Trust principles, cross-agency collaboration, and responsible AI use, organizations can better defend against both internal and external identity-based threats.
“Our goal at BeyondTrust is to help organizations reduce the pathways that can be exploited, to minimize risks through strict privilege management, and to mitigate that potential ‘blast radius’ when something goes wrong. Security solutions don’t replace human error, but they help contain it by limiting privileges to only what's necessary.” -- Christopher Hills, BeyondTrust

