Copyright cityam
It is no surprise that cybersecurity is now at the top of boardroom agendas. Over the past 18 months, a spate of high-profile breaches has exposed vulnerabilities across sectors, from retail and finance to automotive supply chains. Jaguar Land Rover, the latest headline hit, was forced to halt production for five weeks in late 2024 after a cyberattack disrupted operations, reportedly affecting around 5,000 organisations and costing the UK economy an estimated £1.9bn. Incidents like these have shown a shift in how attackers operate, and how businesses need to defend themselves. Mark McClain, founder and chief executive of SailPoint, told City AM that the lesson from recent breaches is the biggest threat today is no longer the external network intruder, but the misuse of legitimate credentials. “The bad guys don’t break in anymore, they log in,” McClain explains. “They use valid credentials, move quietly through systems, and exploit excessive permissions. The consequences are far more damaging because they can remain undetected for months.” Identity at the centre of cybersecurity Identity security has emerged as the critical frontier in protecting businesses. While traditional measures like firewalls and endpoint protections remain important, McClain argues that the most sophisticated attacks now leverage stolen credentials or compromise non-human identities, including bots, service accounts, and AI agents. “It’s not just employees anymore. Contractors, seasonal workers, and machine identities all present unique risks,” he says. “And now we’re adding AI agents, semi-autonomous software that can adapt, learn, and act independently. From a security standpoint, that’s a whole new level of complexity.” The UK has seen this trend play out in practice. Retailers such as Marks & Spencer and Co-op have reported breaches linked to compromised credentials, while Jaguar Land Rover’s 2024 incident involved lateral movement that allowed attackers to access multiple systems before being detected. According to the National Cyber Security Centre (NCSC), nearly half of all nationally significant incidents in the past year were linked to advanced persistent threat actors, including criminal groups and state-affiliated operatives. For McClain, the solution lies in “adaptive identity”, a dynamic approach where access is granted contextually and revoked aggressively when no longer necessary. This method accounts for both human and non-human identities, ensuring that even highly sophisticated AI agents are subject to the right controls. “Identity should be the bedrock of security,” he says. “Access needs to be precise, contextual, and continuously evaluated. Only then can organisations mitigate the risks posed by modern attackers.” AI: opportunity and risk The rise of AI has added a layer of urgency. Enterprises are investing heavily in AI tools to drive productivity and innovation, yet McClain warns that uncontrolled adoption can create vulnerabilities. The MIT State of AI in Business 2025 study found that while employees in more than 90 per cent of companies use personal AI tools, only 40 per cent of organisations maintain official subscriptions, and a mere five per cent report meaningful returns. “Every business wants AI to work for them,” McClain says.” “But security teams are right to be cautious. AI doesn’t just accelerate legitimate work, it accelerates attacks, too. The sophistication of deepfakes and AI-powered social engineering is growing at an unprecedented pace.” SailPoint has developed what it calls “industry-first” controls to ensure that AI agents operate safely within enterprise environments. These solutions focus on monitoring AI behaviour, enforcing policy compliance, and maintaining auditability, so that the tech accelerates business outcomes while introducing unacceptable risk. Regulation and resilience High-profile breaches have forced boards to treat cyber risk as seriously as financial or operational risk. McClain noted a shift in governance, with companies now recruiting CISOs or cybersecurity experts to non-executive roles. “Boards are asking, ‘Where are we exposed, and what’s in place?’” he says. “Cybersecurity is no longer just an IT issuel, it’s central to risk management.” Government initiatives are also shaping the landscape. Tech secretary Liz Kendall has emphasised the importance of national cyber resilience, while the proposed cyber resilience bill would require regulated companies to report incidents within 24 hours. Meanwhile, plans for the UK’s digital ID system, the ‘Brit Card’, highlight the intersection of citizen identity and national security. McClain said: “Centralising identity increases risk”, he said. “You need distributed, adaptive controls to ensure that access is granted only when appropriate.” That’s true for enterprises and for national ID programmes alike. The combined pressures of AI adoption, identity complexity, and regulatory expectations are creating a new operating environment. Businesses have been warned to balance innovation with defence, making sure that rapid deployment of AI tools does not inadvertently open the door to attackers.
