IAM Has a Fix for the Modern Identity Crisis
In the AI era, repatriating IAM can stem mounting costs and secure the identity goldmine
- In the AI era, identity is the most vulnerable attack vector.
- Identity telemetry offers a wealth of information.
- A new take on an old approach keeps that data in the right hands.
- Repatriating a modernized IAM can stabilize mounting costs and reduce identity-based risks.
In Part 1 of this series, we established that in the AI age of cybersecurity, identity drives the system. We also broke the bad news: The security world is changing at record pace, and SOC teams are racing to keep up. We unpacked the ways that AI, and its agentic minions, can multiply everything from threats to queries, leaving SOC teams facing unanticipated costs and feeling overwhelmed. In Part 2, we’re bringing you the good news: An updated IAM is ready to secure all-important identity and address new risks. Read on for a roadmap.
The goal: Gather the identity gold, then keep it safe
In a world where identity rules all, authorization logs and identity signals amass a goldmine of information about:
- Who accessed what?
- From where?
- Under what device posture?
- With what privilege?
- Using which tokens?
- And which AI agent, acting on behalf of whom, made what call?
Now more than ever, SOC teams need rapid access to this data telemetry to assess, act, and secure their organization’s sensitive information. Streamlined access allows for swift action. But enter agentic AI, and things get…complicated. This all-important identity telemetry is not just valuable, it’s vulnerable. It can be used to reveal data domains queried by agents, patterns of user intent, high-value targets and workflows, and internal service topology (via API call patterns).
Repatriation is the key
Without the right security system, organizations risk leaving their data goldmine unguarded against malicious marauders intent on an identity telemetry raid. Want to stop those data pillagers outside the vault? Repatriating key IAM components helps ensure:
- Data residency and sovereignty where required
- Full-fidelity logging without sampling
- Consistent data retention aligned to risk
- Direct integration with detection pipelines—no throttles, delays, or “premium log tiers.”
When identity reigns, telemetry becomes the crown jewel
It’s time to stop treating telemetry like a feature add-on and start treating it like a precious gem, one that determines organizational rule. Protecting this jewel effectively requires a granular understanding of vendor risk. Some key defense components to consider are:
- Operational control: Can I change behavior fast during an incident?
- Dependency blast radius: If a dependency goes down, what else fails?
- Roadmap leverage: Will critical security features be on my timeline?
- Key custody: Where are the signing keys kept, and who has access?
- Exit feasibility: Can I migrate without a disruption that lasts quarters?
SaaS IAM offers strong security engineering. However, it can be weak when there’s an urgent need to do something now. For better or worse, AI pushes SOC teams to spend more time in the “right now” zone. As we explored in Part 1 of this series, AI adds identity types, new policy patterns, new audit requirements, and new attack paths, such as injection, agent impersonation, tool abuse, replay and more, across multi-agent flows. These changes necessitate greater readiness and agility so that we can act with well-informed urgency.
If SOC teams want to move fast without breaking things or leaving them open to theft, they need critical infrastructure with defined and recognizable properties. Successful identity infrastructure must demonstrate:
- Deterministic performance under load
- Local survivability during upstream failures
- Deep customization for risk controls
- Tight coupling to internal telemetry and response
- Predictable scaling costs
For best (repatriation) results, handle with care
When handled with care, IAM repatriation can work. Done right, it can support every key factor on the list above, and yield big cost and time savings to your strapped SOC team. Rather than attempting a big bang migration, it’s best to start with the pieces where the SaaS model hurts the most.
Repatriation works best at an AI-driven scale. Here is a sequence proven to reduce risks while moving rapidly enough for big results:
1) Move authorization decisioning close to workloads
Moving the policy evaluation into the environment you control lets your applications run the policy evaluation and:
- Make fast, consistent decisions
- Continue operating during external outages
- Enforce fine-grained controls without latency anxiety
2) Elevate machine identities and workload IAM
Treat service accounts, agents, and workloads as first-class citizens with:
- Strong issuance and rotation
- Short-lived credentials
- Tight scoping
- Automated revocation
- Clear ownership and auditability
AI makes it impossible to avoid machine identity management. Bringing back the machine identity management layer helps scale repatriation without paying a per-token tax. Eliminating this tax reduces the unexpected cost surge noted in Part 1, making repatriation a step forward in money saved.
3) Manage keys, token services, and session control
If tokens are the keys to the kingdom, they deserve careful consideration. A better IAM safeguards tokens with:
- Signing key custody
- Rotation cadence
- Emergency revocation capability
- Risk-aligned token lifetime
- Step-up auth and conditional access logic
4) Secure the identity telemetry pipeline
Repatriate, or at least ensure direct control over, the logs and signals containing precious data intel. This will give you IAM with:
- Full fidelity
- Real-time access for detection/response
- No “tier gating” of critical events
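Steps 1 through 4 above, together with the telemetry fields listed under “The goal”, as one added example (not code from this post or from any Symantec product): an in-process policy decision point that verifies a short-lived HMAC-signed workload token issued from a key ring (a key id for rotation, a token id for emergency revocation), decides locally, and appends one full-fidelity record per decision. All keys, roles, policy tuples and names are constructed.

```python
import hashlib, hmac, json, secrets, time

# Constructed key ring: kid -> secret. Rotate by adding a kid, switching ACTIVE_KID,
# then dropping the old kid once its tokens expire (or at once in an emergency).
KEY_RING = {"k1": b"retired-signing-key", "k2": b"current-signing-key"}
ACTIVE_KID = "k2"
REVOKED_JTI = set()   # emergency revocation by token id
TELEMETRY = []        # stand-in for the locally controlled log pipeline

# Policy evaluated in-process beside the workload: (role, action, resource prefix).
POLICY = {("agent", "read", "orders/"), ("service", "write", "orders/")}

def mint_token(sub, role, on_behalf_of=None, ttl=300, now=None):
    """Issue a short-lived HMAC-signed token; 'kid' records which key signed it."""
    issued = int(now if now is not None else time.time())
    claims = {"sub": sub, "role": role, "obo": on_behalf_of, "kid": ACTIVE_KID,
              "jti": secrets.token_hex(8), "exp": issued + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(KEY_RING[ACTIVE_KID], body, hashlib.sha256).hexdigest()
    return body.hex() + "." + sig

def verify_token(token, now=None):
    """Return claims only if key, signature, lifetime and revocation all pass."""
    body_hex, _, sig = token.partition(".")
    body = bytes.fromhex(body_hex)
    claims = json.loads(body)
    key = KEY_RING.get(claims.get("kid"))
    if key is None:   # unknown or retired signing key: fail closed
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims["exp"] <= (now if now is not None else time.time()):
        return None
    if claims["jti"] in REVOKED_JTI:
        return None
    return claims

def authorize(token, action, resource, src_ip, device_posture, now=None):
    """Local decision plus one full-fidelity telemetry record, allowed or denied."""
    claims = verify_token(token, now) or {}
    allowed = any(claims.get("role") == r and action == a and resource.startswith(p)
                  for r, a, p in POLICY)
    TELEMETRY.append({"who": claims.get("sub"), "on_behalf_of": claims.get("obo"),
                      "action": action, "resource": resource, "from": src_ip,
                      "device_posture": device_posture, "privilege": claims.get("role"),
                      "kid": claims.get("kid"), "jti": claims.get("jti"),
                      "allowed": allowed})
    return allowed
```

Because the policy, key ring and revocation set live beside the workload, a decision still completes when the upstream provider is unreachable, and every decision lands in TELEMETRY without sampling or tiering.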
Take a step forward with modernized IAM
These moves aren’t regressing and turning the IAM clock back to 2012. They’re enforcing a security infrastructure built to address the impact of AI in 2026. They’re also informed by over a decade of IAM experience. Past-proofed repatriation works only if it follows modern methodologies and uses modern tooling such as:
- Infrastructure as code
- Automated patching pipelines
- SLOs and load testing
- Regional redundancy
- Chaos testing for dependency failure
- Strong key management (HSM/KMS)
- Clear ownership between security and platform engineering
The goal is not to rebuild an identity monolith. The goal is to run identity like a product: built, measured, and strong enough to stand the test of a brave new AI world. If this seems like too much too fast, it’s okay to slow down. Follow your organization’s pace and repatriate only what you need. In time, you may be ready for a full repatriation.
SaaS isn’t bad. It’s just not the best tool for a time when AI’s impact on identity scaling demands a different response. So, while SaaS can still be great for things like rapid onboarding and integration catalogs, standard lifecycle workflows, and certain SSO use cases in organizations with stable, human-centric identity patterns, repatriation merits a second look. Especially if you are:
- Building AI agents that call systems at scale
- Moving toward continuous authorization and fine-grained controls
- Seeing auth/event volume grow faster than headcount
- Facing hard data residency constraints
- Unwilling to accept rate limits as security policy
Get ready for the decade of more
As mentioned in Part 1, repatriation doesn’t mean rejecting the cloud. Rather, it means designing identity so that the identity ecosystem can grow for the next decade. This next decade will be the decade of more: more agents, more machines, more decisions, more logs, and more risk. The identity ecosystem must stand ready to handle that increase without compromising enforcement.
Identity is the engine that will enable AI. We must stop treating identity like a convenience service. I need to be able to weave my business processes into my identity ecosystem and not model them after what the SaaS vendor thinks I need.
In 2026, identity is critical infrastructure. We need a system that treats it that way.
What to do next:
- Stress-test your identity control plane with Symantec Identity Security Platform (IDSP): Use IDSP’s centralized policy and high-throughput authorization services to identify where current SaaS IAM rate limits, latency, or outages would impact AI agents, service accounts, and high-volume workloads.
- Modernize machine identities with Symantec PAM and IDSP: Use Symantec Privileged Access Manager and IDSP to inventory and tighten service accounts, agents, and workload identities with strong issuance, short-lived credentials, and just-in-time access at scale.
- Read this case study to learn how Broadcom repatriated over 16 million identities onto the Symantec Identity Security Platform while improving scale, resiliency, and ownership.
Stay tuned for the next installment in this series as we explore specific industry drivers and guidance for identity repatriation.