In episode 10 of SaviTalk, Ayan Roy, Head of Cybersecurity at EY, joined David Lee and Henrique Teixeira to discuss why identity security has moved from a compliance checkbox to a critical layer of modern cyber defense. Drawing on 25 years in the space and EY's post-breach forensic work, Ayan made the case that nation-state actors using AI have shrunk the time-to-exploit window, and that identity is now the countermeasure most often missing from the kill chain. The conversation covered why CISOs are finally calling identity their biggest gap, how to reframe identity as a business enabler, and the three design principles that should guide every identity program going forward.
Key findings
- Identity is involved in 90% of breaches through lateral movement and privilege escalation, making it the most critical and most overlooked layer of cyber defense.
- Nation-state actors are using AI to significantly compress the window between vulnerability discovery and active exploitation.
- Non-human identities and AI agents now outnumber human identities, and identity programs must adapt by scaling beyond workforce access management.
- Identity security is a direct business enabler. EY clients have used it to accelerate product launches and unlock nine-figure revenue from digital channels.
- If a certification campaign only eliminates 2–5% of entitlements, you're doing compliance. A 60–70% reduction should be the goal for real security improvements.
90% of breaches trace back to identity (and most organizations are missing the fix)
EY's post-breach forensic work reveals a consistent pattern. Threat actors get in, move laterally, and escalate privilege, all because the identity controls that could have stopped them remain unconfigured. Endpoint detection and SIEM tools need identity signals to catch these attacks in real time. Without identity security, zero trust falls apart, conditional access has nothing to enforce against, and AI security has no foundation to build on.
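The correlation this paragraph calls for, as an added example that is not code from the episode, EY or Saviynt: a minimal Python detector that joins endpoint logon telemetry with an identity-plane signal (a privileged-group grant) and rates a user who fans out across several hosts and is then granted privilege as a high-severity chain. The same fan-out seen in endpoint data alone can only be a low-confidence lead, which is the point about SIEM needing identity signals. Event shapes, group names, thresholds and the sample events are all constructed for illustration and match no particular product schema.

```python
"""Correlate endpoint logons with identity-plane events.

Added example, not code from the episode, EY or Saviynt. The event shapes,
group names, thresholds and the sample events below are constructed for
illustration and correspond to no specific SIEM or directory schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample stream, naive UTC timestamps, arrival order.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "src": "endpoint", "type": "logon", "user": "j.doe", "host": "ws-101"},
    {"ts": "2024-05-01T09:04:00", "src": "endpoint", "type": "logon", "user": "j.doe", "host": "fs-02"},
    {"ts": "2024-05-01T09:07:00", "src": "endpoint", "type": "logon", "user": "j.doe", "host": "app-07"},
    {"ts": "2024-05-01T09:12:00", "src": "identity", "type": "group_add", "user": "j.doe", "group": "Domain Admins"},
    {"ts": "2024-05-01T10:00:00", "src": "endpoint", "type": "logon", "user": "a.smith", "host": "ws-220"},
    {"ts": "2024-05-01T10:02:00", "src": "endpoint", "type": "logon", "user": "a.smith", "host": "ws-221"},
    {"ts": "2024-05-01T10:05:00", "src": "endpoint", "type": "logon", "user": "a.smith", "host": "ws-222"},
    {"ts": "2024-05-01T11:00:00", "src": "identity", "type": "group_add", "user": "b.lee", "group": "Domain Admins"},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}  # assumed group names
WINDOW = timedelta(minutes=30)  # how far back a grant is correlated with logons
FAN_OUT = 3                     # distinct hosts that count as lateral movement


def _parse(events):
    """Copy events with parsed timestamps, sorted oldest first."""
    parsed = []
    for e in events:
        e = dict(e)
        e["ts"] = datetime.fromisoformat(e["ts"])
        parsed.append(e)
    return sorted(parsed, key=lambda e: e["ts"])


def _distinct_hosts_before(logons, end, window):
    """Hosts the user logged on to in the interval [end - window, end]."""
    return {h for t, h in logons if timedelta(0) <= end - t <= window}


def detect(events, window=WINDOW, fan_out=FAN_OUT):
    """Return a list of (user, severity, detail) alerts.

    high:   fan-out across >= fan_out hosts, then a privileged-group grant in the window
    medium: privileged-group grant with no preceding fan-out
    low:    fan-out visible only in endpoint telemetry, no identity signal at all
    """
    logons = defaultdict(list)  # user -> [(ts, host)]
    grants = defaultdict(list)  # user -> [(ts, group)]
    for e in _parse(events):
        if e["src"] == "endpoint" and e["type"] == "logon":
            logons[e["user"]].append((e["ts"], e["host"]))
        elif e["src"] == "identity" and e["type"] == "group_add" and e["group"] in PRIVILEGED_GROUPS:
            grants[e["user"]].append((e["ts"], e["group"]))

    alerts = []
    for user in sorted(set(logons) | set(grants)):
        if grants[user]:
            for ts, group in grants[user]:
                hosts = _distinct_hosts_before(logons[user], ts, window)
                if len(hosts) >= fan_out:
                    alerts.append((user, "high", f"{len(hosts)} hosts in {window} then added to {group}"))
                else:
                    alerts.append((user, "medium", f"added to {group}"))
        else:
            # Endpoint-only view: the same fan-out is indistinguishable from an
            # admin doing rounds, so it can only be a low-confidence lead.
            widest = max(
                (len(_distinct_hosts_before(logons[user], ts, window)) for ts, _ in logons[user]),
                default=0,
            )
            if widest >= fan_out:
                alerts.append((user, "low", f"{widest} hosts in {window}, no identity signal"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert, sep=" | ")
```

Running `detect` over the full stream rates j.doe high; filtering the identity events out first (`[e for e in EVENTS if e["src"] == "endpoint"]`) degrades the same user to low, which is what the paragraph means by SIEM tooling needing identity signals to see the chain rather than just the logons.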
How to make the case for identity as a business enabler (hint: talk revenue, not risk)
Identity teams that frame their work in revenue terms get a fundamentally different response from the C-suite. EY has helped clients use identity to launch products on compressed timelines and deliver digital revenue channels that would otherwise be impossible to secure.
Ayan shared two stories that show how identity teams should pitch their work. An automotive client launching a new brand at the New York Auto Show needed web SSO in eight weeks instead of eight months, and identity is what got the launch out on time. A cruise line CFO had promised the board a billion dollars in incremental revenue from digital channels, and the omnichannel ship-to-shore experience that delivered on that promise ran on identity. M&A activity, supply chain shifts, and tariff-driven supplier changes all create identity work that directly enables business transactions.
The three design principles every identity program needs now
Ayan Roy's “three S’s” framework (speed, scale, and smarts) reflects the changing threat landscape. Speed matters because zero-day exploit windows are shrinking and identity systems must react in near-real time. Scale matters because humans are now the minority of identities, with non-human identities and AI agents growing fast. Smarts matter because static rules and rubber-stamp certifications can't keep up. Saviynt CEO Sachin Nayyar's framing came up during the conversation: if a certification campaign removes 2 to 5% of entitlements, you're doing compliance, but if recommendations help you remove 60 to 70%, you're doing security.
Watch the full episode
The full episode dives deeper into hybrid infrastructure resiliency, how AI can bend the cost curve on identity programs, the difference between IVIP and ISPM, and Ayan's three A's for cyber leaders: accountable, adaptable, and agile. David and Henrique also get into why business language matters more than technical jargon when identity teams sit down with the CFO.
If you're a CISO or identity leader rethinking how to position your program, watch the episode to hear how EY is advising clients on the shift.
Frequently asked questions about identity security