“The perimeter is gone.”

We’ve heard the phrase so often it’s practically become a punchline. But look closely at most IAM architectures, and you’ll find a stubborn truth: our identity systems are still working like the perimeter is right where it’s always been—inside the network.

The Disappearing Act of the Network Edge

Once upon a time, there was a clear line between inside and outside. If you were on the network, you were trusted. Firewalls, VPNs, and corporate-issued machines created a sense of order and control. Identity was often just a checkbox on a long list of provisioning tasks—something to wire up to Active Directory and maybe sync with a few core apps.

But the modern enterprise doesn’t live behind the firewall anymore.

Employees work from anywhere. SaaS apps live in every corner of the cloud. Devices are personal, unmanaged, and mobile. External users—partners, vendors, contractors—connect to core business systems daily. There is no inside. There is no outside. There’s just a sprawling mesh of access.

Despite this, many organizations are still clinging to IAM systems that rely on rigid boundaries, static trust models, and centralized control.

And that’s a problem.

Identity as the New Perimeter (With Smarter Guardrails)

The industry has tried to adapt by proclaiming that identity is the new perimeter. And that’s not wrong—but it’s also not enough. Replacing the old perimeter with a login screen isn’t transformation. Real evolution means rethinking how identity works in a world where users, apps, and devices exist in constant motion.

Modern IAM must move from a gatekeeper mindset to a context-aware decision engine. It’s no longer just about authenticating a user once—it’s about continuously assessing risk, trust, and behavior across every interaction. That means understanding device posture, user behavior, location, and even intent, in real time.

This shift isn’t just theoretical. GitLab, a fully remote company by design, faced this challenge early. With no office, no network, and no central infrastructure, they leaned into a Zero Trust model that centered everything around identity. Using Okta for adaptive multi-factor authentication and policy-based access, they eliminated traditional boundaries and instead focused on verifying every access request, every time—regardless of where the user sat or what device they used. (Source)

Why Legacy IAM Fails in a Borderless Enterprise

So why do so many IAM implementations still fall short? It starts with design assumptions. Traditional IAM was built around a fixed set of truths: users are employees, apps are internal, and the network is secure. Those assumptions break down fast in today’s reality.

First, the user population has exploded in complexity. External users—contractors, partners, vendors, third parties—now outnumber internal employees in many organizations. These identities often live outside your domain, lack lifecycle ownership, and are onboarded in ad hoc ways that defy traditional joiner/mover/leaver logic.

Second, applications no longer follow a linear path. Instead of provisioning users into a handful of corporate apps, identity teams must now govern access across a tangled web of SaaS platforms, microservices, cloud consoles, and internal APIs—many of which are controlled by different departments, purchased outside of IT, or don’t even support SCIM or modern provisioning standards.

Third, devices and environments are entirely untrusted by default. BYOD is the norm, and endpoint control is often minimal or nonexistent. The network itself no longer means anything—because the “network” is just the internet.

And yet, many identity platforms still rely on models where access is binary: either you’re in or out, based on static roles or group memberships set when the user was first hired. That might have worked when the world stood still. It doesn’t anymore.

The Cost of Pretending the Perimeter Still Exists

Holding onto outdated IAM models in a perimeterless world doesn’t just create technical debt—it creates risk. We’ve seen organizations where users retain access to sensitive apps months after switching roles because access was granted based on a network zone or a team email alias. In recent examples, we’ve seen enterprise SaaS customers breached via a compromised contractor account—an account that had access to internal systems but no owner in the identity system, no expiration policy, and no monitoring.

It wasn’t a failure of policy. It was a failure of perimeter thinking.

That incident could’ve been prevented with better external identity governance, real-time access visibility, and behavioral anomaly detection—all things modern IAM is capable of when built for a perimeterless enterprise.
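The governance gaps named in that incident (no owner, no expiration, no monitoring) and the access that lingers after a role change can be checked with a small audit over an identity inventory. This is an added example, not code from the article or from any vendor it mentions; the record fields, finding names and sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

EXTERNAL = {"contractor", "partner", "vendor"}  # assumed identity types

@dataclass
class Identity:
    name: str
    kind: str                 # "employee" or one of EXTERNAL
    owner: Optional[str]      # internal sponsor accountable for the account
    expires: Optional[date]   # access end date; None means it never expires
    monitored: bool           # sign-ins are fed to anomaly detection
    role: str                 # role the person holds today
    grants: dict              # app -> role held when access was granted

def audit(identity: Identity, today: date) -> list:
    """Return governance findings for one identity (hypothetical finding names)."""
    findings = []
    if identity.kind in EXTERNAL:
        if not identity.owner:
            findings.append("no-owner")
        if identity.expires is None:
            findings.append("no-expiration")
        elif identity.expires < today:
            findings.append("expired-but-active")
        if not identity.monitored:
            findings.append("unmonitored")
    # Access that outlived a role change: granted under a role no longer held.
    for app, granted_role in sorted(identity.grants.items()):
        if granted_role != identity.role:
            findings.append(f"stale-grant:{app}")
    return findings

def run_audit(inventory, today: date) -> dict:
    """Map each identity with at least one finding to its findings."""
    return {i.name: f for i in inventory if (f := audit(i, today))}

# Constructed sample inventory; names, apps and dates are invented.
INVENTORY = [
    Identity("a.rivera", "employee", "hr", None, True, "finance-analyst",
             {"erp": "finance-analyst", "ci-console": "build-engineer"}),
    Identity("ext-k.osei", "contractor", None, None, False, "integrator",
             {"internal-api": "integrator"}),
    Identity("ext-m.chen", "vendor", "j.patel", date(2025, 1, 31), True,
             "support", {"ticketing": "support"}),
    Identity("ext-l.novak", "partner", "s.kim", date(2025, 12, 31), True,
             "reseller", {"portal": "reseller"}),
]
```

Calling `run_audit(INVENTORY, date(2025, 3, 1))` returns only the identities that need attention, so a clean external account such as `ext-l.novak` drops out of the report.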

Building for the World You’re Already In

What does a perimeterless-ready IAM program look like?

It starts with identity federation—not just for convenience, but to establish trust across boundaries you don’t control. It includes dynamic access decisions that consider user behavior, device risk, and real-time signals. It leverages continuous monitoring to replace point-in-time access reviews. And it requires embracing lifecycle governance not just for employees, but for anyone who touches your data, systems, or APIs.

Organizations like Saviynt have taken this model further by introducing Identity Security Posture Management (ISPM), which blends traditional governance with continuous risk analytics. Rather than assuming static rules are enough, ISPM identifies toxic combinations of access, monitors behavior over time, and flags risky entitlements before they’re exploited. This is how you build trust—not once at login, but across the full identity lifecycle. (Saviynt ISPM Overview)

Final Thought: Let Go of the Moat

The era of castle-and-moat security is over. What’s replaced it is messier, faster, and far more complex—but it’s also an opportunity. An opportunity to design identity systems that reflect how people really work.

An opportunity to shift from static control to adaptive intelligence.

An opportunity to govern access not by where someone sits, but by what they need, what they’re doing, and how risky that behavior is.

Your company no longer has a perimeter.

It’s time your IAM strategy stopped pretending it does.
