BOSTON – Former CISA Director Jen Easterly said cybersecurity professionals must rethink their outdated approaches to identity security as AI accelerates the threat landscape.
"Identity isn't a security problem. Identity is the security problem," Easterly said, arguing that as AI becomes more embedded in both offensive and defensive cyber operations, traditional identity and access management frameworks are dangerously outdated.
Delivering a keynote here at CyberArk’s IMPACT 25 conference on Thursday, Easterly emphasized the importance of identity as central to cyber defenses.
Intelligent identity systems powered by AI
Her central theme was a call for intelligent identity systems powered by AI. These systems, she said, must go beyond basic authentication to continuously evaluate context, behavior, and intent.
"Machine identities now outnumber human identities by 45 to 1 in enterprise environments," she noted. "If we don't know who or what is accessing our systems, nothing else matters."
She said identity should not be seen as a gatekeeper, but as the foundation of all cyber defenses. Easterly urged the industry to adopt intelligent identity systems powered by agentic AI.
“This is less about stronger passwords or more authentication factors,” Easterly explained. “It’s about systems that understand user behavior in context — systems that can detect subtle anomalies, infer intent, and act autonomously to mitigate risk before any human is alerted.”
In this vision, also echoed by other speakers at IMPACT 25, identity is dynamic. Machine learning models ingest behavioral patterns, device signals, time-of-day data, location context, and historical baselines to continuously verify users and machines.
If an odd login pattern is detected, a privileged account performs an unusual task, or a machine identity requests sensitive data outside its norm, the identity system adapts in real time. For example, it might revoke access, trigger an investigation, or isolate the activity automatically.
“Every identity — human or machine — is now a potential attack vector,” she said. “That’s why we need systems that don’t just validate identity, but deeply understand it.”
Easterly’s call represents a shift from legacy access controls to identity systems that operate more like autonomous agents — sensing, reasoning, and acting within the security environment. And in her view, building those systems securely, with transparency and resilience, is one of the most urgent missions in cybersecurity today.
Ex-CISA director, mum on White House war against Krebs
In her keynote, the former CISA director did not directly address the latest Trump administration controversy — specifically, the revocation of security clearances of her predecessor, Chris Krebs, and employees at cybersecurity firm SentinelOne. However, she underscored the ongoing importance of CISA's role amid heightened geopolitical threats, especially from China.
Easterly noted the multifaceted nature of deterrence required to secure U.S. critical infrastructure against adversaries who may leverage cyber capabilities.
"China does have the ability, and they've shown the desire, to hold U.S. critical infrastructure at risk," she said. "We look at deterrence from a government perspective in terms of deterrence by denial and resilience, and that's why some of the work in CISA, in terms of our cyber defense work, is so important."
Easterly’s remarks come at a sensitive moment, with the recent executive order from President Donald Trump stripping Krebs of his security clearance and alleging misuse of his former role at CISA. Krebs has been recognized for his bipartisan efforts to safeguard the integrity of the 2020 election and combat disinformation, efforts that the White House labeled as politically motivated censorship.
Without referencing Krebs directly, Easterly emphasized the necessity of a holistic cybersecurity strategy. "We can't be overly focused on one thing over the other," she advised. "We have to look at a multifaceted approach to keeping our infrastructure as safe and resilient as possible."
Her comments underscore ongoing tensions within the cybersecurity community about the politicization of national security roles and reinforce the critical, bipartisan mission of agencies like CISA, even amidst controversy.
‘Will we shape AI or be shaped by it?’
Easterly warned of AI’s dual-use nature: it is a tool to defend networks, but it is also being weaponized by threat actors. She referenced the SolarWinds and Microsoft email breaches as case studies in how stolen credentials and forged tokens have become the go-to tools for advanced persistent threats.
"Abuse of trust, not malware, is the modern attacker’s playbook," she said.
Her proposed solution includes a shift in industry mindset. Echoing a theme she has long championed, Easterly said companies must prioritize security by design and embed safeguards during the system development phase, not after deployment.
Easterly railed against “move fast and break things” culture, arguing that in the age of AI, such recklessness could “break humanity.” She outlined a three-part framework: security by design, radical transparency, and prioritizing resilience, even if it slows down innovation.
“Will we shape AI or be shaped by it?” Easterly asked.
Framing today’s cybersecurity imperative as a turning point, Easterly asked whether cybersecurity leaders will rise to the challenge of shaping secure AI systems. The alternative is to watch as attackers do it first. She called on the conference attendees to be “good ancestors” and take responsibility for ensuring a secure foundation for AI’s evolution, proper governance and moral clarity.
The keynote closed with a challenge to the audience: to become “security visionaries,” shaping AI for good rather than reacting to its misuse.
“This is our moment to re-imagine identity as the foundation of digital trust,” she said. “If we get identity right, everything is possible. If we get it wrong, nothing else matters.”