The agentic era is an opportunity to rebuild identity from its Core.
The identity platforms we depend on are the risk we were never meant to own.
The math is in the breach reports, and every security leader has read them. Identity-based attacks are now the dominant path into the enterprise: credential abuse, session hijack, MFA bypass, token theft. The post-mortems all point to the same place.
This is not a vendor problem. It is an architecture problem. Legacy IAM was built for a world pre-mobile and pre-cloud, and we have been retrofitting it ever since. That world is gone. In its place is a workforce of humans, services, workflows, and now agents: autonomous identities that act, decide, and access at machine speed. And we have all inherited a lot of that legacy.
Bolting AI onto a 15-year-old architecture is not modernization. Selling four products as a platform is not convergence. And when the platforms enterprises trust to authenticate their workforce become the most reliable way for adversaries to get in, what sits at the center of the stack is no longer an identity provider. It is a liability.
This is written for the security leader who has been thinking some of this already. Who has watched the last three breach cycles and quietly concluded that the foundation needs to change. Who would prefer a partner that has thought it through to a vendor that has read the room.
We started NewCore because we have been on both sides. We have built the security platforms enterprises run on. We have worked the attacker's perspective on identity infrastructure. We have run large IAM program rollouts. We have lived inside the IAM scar tissue of large organizations. This is what we offer: partnership, not procurement. We know what we are asking. We have done it before. And we know that getting there means starting over, because that is what we did.
Here is what we believe.
A future where identity is the strongest layer of the stack, not the weakest. Where the job is to reduce risk, not just manage access. Where post-quantum safety, agentic governance, and breach resistance are built in, not bolted on. Where the platform that authenticates the workforce is also the platform that defends it. We are building toward that future. The tenets below are how we get there.
Identity is the new perimeter. Not a feeder for the SIEM. Not plumbing the CIO owns. It is the control plane the CISO defends.
The IdP will be attacked. Architecture must assume it. Shared secrets, replayable tokens, and signature schemes that collapse under a single forged assertion are not acceptable foundations. One stolen signing key should not become a Golden SAML skeleton key to the enterprise. Hardware-bound, phishing-resistant, split-trust by default. Built for breach.
Convergence is one fabric, not four products. Human, agentic, and workload identities belong in the same graph, governed by the same policies, observable in the same plane. Agents are first-class citizens of that graph, not service accounts with extra steps: they authenticate, they carry attribution, they answer to policy. Anything less is a billing arrangement.
Machine speed demands a new machine. Quarterly access reviews were obsolete the moment humans stopped being the dominant identity on the network. Agentic identity does not need ten percent more throughput or twice the policy engine. It needs an order of magnitude more, and then another. We are building for one hundred times the scale and one hundred times the resistance to attack of what came before.
Quantum is closer than you think. The rebuild is harder. Post-quantum safety timelines are shortening, with conservative estimates revised every quarter, and the data adversaries harvest now will be decrypted on a timeline none of us control. Worse: the protocols the identity estate runs on were not designed to be upgraded. SAML cannot be patched into post-quantum safety. It has to be redone. The same is true of most of the tokens, signatures, and federation primitives the enterprise depends on. This is an identity rebuild project nobody budgeted for. The runway is shortening. Starting later is not an option, and the incumbents are nowhere to be seen.
Migration is how we earn the seat. Zero downtime, zero rip-and-replace, parallel operation with what is already in place. If we cannot earn the seat, we should not have it. Applied correctly, AI collapses the migration math by orders of magnitude: the discovery, the mapping, the cutover that used to take months now takes hours or days. For fifteen years, the risk of changing the IdP outweighed the risk of staying with it. That calculus has changed. Lock-in is no longer defensible. It is a security failure dressed as a business model, and the excuse for it just expired.
The platform owes the answer. Phishing. MFA reset. Help-desk social engineering. IdP breach. Token theft. These have been treated as the customer's problems for fifteen years, with "shared responsibility" doing the work of disowning them. We reject the framing. The platform that authenticates the workforce is the platform that owes the answer when authentication fails. Owning these problems requires architecture that anticipates them and accountability that does not flinch when they arrive. Anything less is a vendor masquerading as a partner.
The era of identity-as-trade-off is over. For fifteen years the industry accepted a trade-off it should not have: that security and experience could not coexist, that breach was the cost of usability. It was never inevitable. It was a limitation of architecture written in a decade when an enterprise had thousands of identities and most of them were people. The enterprise now has millions, and most of them are not. The math has changed by two orders of magnitude. The platform must too.
What replaces the old world is being built now. We are calling it the converged identity platform because that is what it is: secure by design, seamless by experience. Both, not either.
— Zohar, Amihai, Erez