Rushing into AI: Legacy IAM Bottleneck for Financial Services

The financial sector is currently gripped by a powerful narrative of fast-paced technological adoption, commonly referred to as "FOMO", the fear of missing out. As institutions race to deploy cutting-edge artificial intelligence solutions to optimize efficiency and lower costs, a critical structural challenge has emerged: standard Identity and Access Management (IAM) environments are fundamentally unequipped to secure this new horizon of automation.

A recent quantitative market assessment conducted by Enterprise Management Associates (EMA) highlights a stark reality. When security leaders were asked if their existing IAM configurations were robust and ready to handle internal and external automated AI agents, the negative response was overwhelming. Across core operational pillars, legacy architectures are failing to keep pace with innovation:

The Structural Reality: Non-Human Identities (NHIs) Outnumber Humans 144 to 1

This readiness deficit is critically compounded by the changing landscape of consumer-facing and back-office networks. According to cross-industry network mapping data, non-human identities, including API services, micro-tasks, and automated AI agents, now outnumber human identities at a ratio of 144 to 1 (Entro Labs). Despite this massive shift, standard corporate directories remain heavily anchored in old human-centric patterns, relying on basic employee directory schemas that do not scale to match the velocity of machine code execution.

When automated systems are rushed into deployment without proper structural boundaries, serious security incidents follow. The EMA study discovered that 92.1% of enterprises have already recorded visible negative operational impacts directly related to hasty AI implementations. Furthermore, 23% of surveyed organizations reported suffering a significant, unauthorized deletion of critical corporate data by automated systems within the past six months alone.

We are jumping into the deep end of the swimming pool with both feet first, entirely submerged, before ensuring our architectural foundations can withstand the pressure.

— Damon Tepe, Head of Product Marketing, Ory

The Deficiencies of Legacy IAM

29.7% of financial services organizations surveyed have deployed AI agents “in production”, and another 64.8% have limited deployments or Pilot Programs. Nearly all organizations are deploying AI in some capacity. Yet as seen in the below chart, particularly for the finance industry, IAM systems are not ready for the task.

Security Metric	% Overall claiming IAM “not ready”	% of Financial Services claiming IAM “not ready”
Resiliency	50.4%	62.2%
Compliance	39.7%	43.2%
Security	48.7%	59.5%

As shown in the chart above, the financial services industry, more so than than everyone else, believes their IAM systems are not ready for the agentic era. Adding to the complexity, 49% currently have 3 or more IAM systems.

Is adding a fourth or fifth IAM system the answer?

For the financial organizations surveyed, 35.1% cite “limited ability to customize or extend” current IAM platforms as a top barrier. Traditional corporate identity stacks typically struggle because of the following:

Rigidity and the "One-Size-Fits-None" Monolith Most commercial identity packages operate as rigid black boxes. They expect a single, predictable deployment method, often forcing data onto proprietary cloud environments. For financial firms bound by absolute data localization mandates (such as DORA, GDPR, or regional banking privacy acts), these unyielding structures present a non-negotiable roadblock to innovation.
Lack of Granular Access Privilege Frameworks Legacy systems typically lack the structural agility to restrict access on a dynamic, task-by-task basis. When an organization provisions an enterprise system to interface with an automated agent, engineers frequently over-privilege the system to bypass rigid configurations. If that machine identity is compromised or encounters an execution logic error, it has full, unchecked access across internal data silos.
Performance Decline at Scale Traditional legacy IAM solutions are built on stateful, monolithic architectures that quickly choke under the high-velocity traffic spikes generated by modern machine-to-machine and large-scale human interactions. Because their human-centric directory structures lack modular flexibility, scaling up to handle millions of non-human identities results in massive database bottlenecks and unsustainable infrastructure costs.

Key Takeaway: The Five Crucial Security Questions for Machine Automation

To safely scale automation, security leaders must implement identity guardrails that according to the Cloud Security Alliance (CSA) should answer five key questions for every execution thread:

Who are you? Strict verification of machine identity origin (distinguishing "good bots" from malicious ones).
What are you doing? Continuous monitoring and intent verification.
What are you consuming? Focus on data lifecycle & governance.
Where can you go? Fine-grained data access controls and boundary definitions.
How do we kill the process? An absolute kill-switch for rogue non-human identities (NHIs).

The Path Forward: Strategic IAM Consolidation

Rather than managing these complex security vulnerabilities by stacking a fourth or fifth specialized security vendor onto an already fractured corporate defense matrix, enterprise architecture teams should use the rise of automated technologies as an ideal catalyst for system-wide consolidation. By replacing brittle, home-grown identity solutions and aging black-box frameworks with a singular, high-throughput, composable IAM blueprint, financial institutions can systematically neutralize operational risks, establish verifiable compliance postures, and confidently accelerate their technical roadmaps.

Learn More:

EMA survey, sponsored by Ory: Agentic AI Identities – Is Your Organization Prepared?
View of financial service industry’s take on the above survey: The AI Identity Crisis: Balancing Innovation with Strict Compliance in the Financial Sector
Webinar where EMA’s Ken Buckler and Ory’s Damon Tepe review the survey results from the financial sector: The AI Identity Crisis Webinar

The Structural Reality: Non-Human Identities (NHIs) Outnumber Humans 144 to 1

We are jumping into the deep end of the swimming pool with both feet first, entirely submerged, before ensuring our architectural foundations can withstand the pressure.

— Damon Tepe, Head of Product Marketing, Ory

The Deficiencies of Legacy IAM

Security Metric

% Overall claiming IAM “not ready”

% of Financial Services claiming IAM “not ready”

Resiliency

50.4%

62.2%

Compliance

39.7%

43.2%

Security

48.7%

59.5%

Is adding a fourth or fifth IAM system the answer?

Rigidity and the "One-Size-Fits-None" Monolith Most commercial identity packages operate as rigid black boxes. They expect a single, predictable deployment method, often forcing data onto proprietary cloud environments. For financial firms bound by absolute data localization mandates (such as DORA, GDPR, or regional banking privacy acts), these unyielding structures present a non-negotiable roadblock to innovation.

Lack of Granular Access Privilege Frameworks Legacy systems typically lack the structural agility to restrict access on a dynamic, task-by-task basis. When an organization provisions an enterprise system to interface with an automated agent, engineers frequently over-privilege the system to bypass rigid configurations. If that machine identity is compromised or encounters an execution logic error, it has full, unchecked access across internal data silos.

Performance Decline at Scale Traditional legacy IAM solutions are built on stateful, monolithic architectures that quickly choke under the high-velocity traffic spikes generated by modern machine-to-machine and large-scale human interactions. Because their human-centric directory structures lack modular flexibility, scaling up to handle millions of non-human identities results in massive database bottlenecks and unsustainable infrastructure costs.

Key Takeaway: The Five Crucial Security Questions for Machine Automation

To safely scale automation, security leaders must implement identity guardrails that according to the Cloud Security Alliance (CSA) should answer five key questions for every execution thread:

Who are you? Strict verification of machine identity origin (distinguishing "good bots" from malicious ones).

What are you doing? Continuous monitoring and intent verification.

What are you consuming? Focus on data lifecycle & governance.

Where can you go? Fine-grained data access controls and boundary definitions.

How do we kill the process? An absolute kill-switch for rogue non-human identities (NHIs).

The Path Forward: Strategic IAM Consolidation

Learn More:

Rushing Into Agentic AI: The Legacy IAM Bottleneck in Finance

The Structural Reality: Non-Human Identities (NHIs) Outnumber Humans 144 to 1

The Deficiencies of Legacy IAM

Key Takeaway: The Five Crucial Security Questions for Machine Automation

The Path Forward: Strategic IAM Consolidation

Further reading

How a redirect broke login with Apple for a full day

Ory OSS v25.4.0 launch recap: The future of secure Identity & Access Management

The Structural Reality: Non-Human Identities (NHIs) Outnumber Humans 144 to 1

The Deficiencies of Legacy IAM

Key Takeaway: The Five Crucial Security Questions for Machine Automation

The Path Forward: Strategic IAM Consolidation