In today’s digital battlespace, the identity question is no longer limited to who can log in. Mission execution now depends on human users, administrators, contractors, mission partners, service accounts, APIs, workloads, automation, machine identities, and AI-enabled agents. Each may be able to access systems, invoke privilege, call APIs, move information, trigger workflows, or act on behalf of a mission function.
That means access must be understood as delegated operational authority: what an identity is allowed to do, where it can act, who owns it, when it should change, and whether the decision can be proven.
The adversary does not care whether an identity is human or non-human. The adversary cares what it can do. A compromised account, orphaned service credential, over-permissioned workload, unmanaged API token, or AI agent with delegated access can all become paths to mission impact.
For DoD and federal leaders, the mandate is clear: know every actor, map what it can do, reduce unnecessary privilege, govern access continuously, and prove every decision.