Why modern identity is more than just login
In the first article in this series, we introduced the AI Trust Triangle – identity, data security, and governance – as a practical way to think about trust in an AI-enabled workplace.
This article focuses on the first side of that triangle – identity – and the complexities of controlling access in a modern, AI-enabled workplace.
Identity beyond login
For years, identity was treated as an authentication problem.
If someone could prove who they were, they were allowed in.
That model assumed two things:
- A person was directly initiating every action.
- Access could be granted once at login and trusted from there.
Neither assumption holds in an AI-enabled workplace.
Today, a single identity may:
- Access systems from multiple devices and locations
- Trigger automated workflows
- Authorise AI agents to retrieve information or take action on their behalf
That means trust can’t be based solely on successful sign-in. It has to account for:
- Who is acting – human or delegated system
- In what context – device health, location, risk level
- With what scope of authority – what actions are actually permitted
Identity becomes the mechanism that carries those answers with every action – not just at login.
What modern identity actually means
So, if identity is no longer just login, what is it?
Modern identity is about evaluating access in context.
It considers:
- Who is requesting access – employee, admin, contractor, application, or AI agent
- From where – corporate network, home office, public Wi-Fi, another country
- On what device – managed and compliant, or unknown and potentially risky
- To do what – routine activity, or something sensitive and high impact
Access is no longer a single yes or no decision at sign-in. It’s a continuous assessment of risk, authority, and intent.
This is where Microsoft Entra becomes invaluable.
Entra acts as an identity and access control layer across cloud and hybrid environments. It enables organisations to:
- Manage identities for people, applications, and workloads
- Apply Conditional Access policies based on user risk, device state, and location
- Enforce multi-factor authentication intelligently
- Provide visibility into sign-ins and identity-related activity
- Centralise identity governance across hybrid environments
AI agents acting on behalf of users are also part of this identity picture. They need:
- Clearly defined scopes
- Delegated permissions
- Policy enforcement
- Auditability
Without that structure, AI will simply operate within whatever access already exists – including legacy permissions and overly broad roles.
Why devices matter
Today’s business users access corporate data from a variety of devices and locations – corporate laptops, personal mobiles, home networks, airports, and client sites.
Each of those devices and environments carries a different level of risk, which directly affects how much trust can be placed in that access.
Credentials alone can’t account for that difference.
A legitimate user signing in from a fully managed, encrypted, and compliant corporate laptop represents a very different risk profile from the same user accessing sensitive systems from an unpatched personal device.
That’s why device posture has become a critical input into identity decisions, and why Microsoft Intune plays such an important role.
Intune provides visibility and control over:
- Device enrolment and compliance
- Operating system and patch status
- Encryption and security configuration
- App protection and mobile access policies
Those device signals inform the access decisions made by Microsoft Entra.
In practical terms, that means:
- Entra evaluates who is requesting access and what they’re trying to do.
- Intune confirms whether the device meets the organisation’s required security standards.
Together, they allow organisations to:
- Block access to sensitive applications from non-compliant devices
- Provide seamless access from trusted, managed devices
- Step up authentication requirements when risk indicators change
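The three outcomes listed above, combined with the earlier questions of who is acting and with what scope of authority, can be sketched as one decision function. This is an added illustration, not Microsoft Entra's evaluation logic or code from this article; the field names, risk levels, scope strings and thresholds are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    actor: str               # "user" or "agent" (delegated AI agent)
    user_scopes: frozenset   # actions the signed-in user is permitted
    agent_scopes: frozenset  # actions delegated to the agent (empty for a user)
    device_compliant: bool   # device compliance signal (Intune's role above)
    sign_in_risk: str        # "low", "medium" or "high" (assumed levels)
    action: str              # what the request wants to do
    sensitive: bool          # target is a sensitive application

def effective_scopes(req):
    """An agent holds only what both its delegation and the user's rights allow."""
    if req.actor == "agent":
        return req.user_scopes & req.agent_scopes
    return req.user_scopes

def decide(req):
    """Return (decision, reason); decision is 'block', 'mfa' or 'allow'."""
    if req.action not in effective_scopes(req):
        return "block", "action outside scope of authority"
    if req.sign_in_risk == "high":
        return "block", "high sign-in risk"
    if req.sensitive and not req.device_compliant:
        return "block", "sensitive application from non-compliant device"
    if req.sign_in_risk == "medium" or not req.device_compliant:
        return "mfa", "risk indicators changed: step up authentication"
    return "allow", "compliant device, low risk, action in scope"

# Constructed sample requests; the scope strings are illustrative.
USER = frozenset({"files.read", "files.write", "mail.send"})
AGENT = frozenset({"files.read"})
SAMPLES = {
    "managed laptop": Request("user", USER, frozenset(), True, "low", "files.write", True),
    "personal phone": Request("user", USER, frozenset(), False, "low", "files.write", True),
    "risky sign-in": Request("user", USER, frozenset(), True, "medium", "mail.send", False),
    "agent in scope": Request("agent", USER, AGENT, True, "low", "files.read", True),
    "agent over-reach": Request("agent", USER, AGENT, True, "low", "mail.send", False),
}

def run_samples():
    return {name: decide(req)[0] for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:18} -> {decision}")
```

The last sample is the case the article warns about: the user may send mail, but the agent was only delegated read access, so the request is blocked instead of inheriting the user's full access.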
Why modern identity is hard to get right
On paper, modern identity sounds straightforward. In practice, it’s one of the most complex transformations organisations undertake. Here’s why.
- Legacy environments don’t disappear overnight
Very few organisations start with a clean slate.
Many still operate with:
- On-premises Active Directory
- Legacy applications that don’t support modern authentication
- Multiple identity stores across HR systems, subsidiaries, or partner environments
Introducing Microsoft Entra into that landscape isn’t about replacing everything at once. It’s about designing a cohesive identity layer that works across old and new systems without breaking critical processes.
That requires careful sequencing, integration planning, and realistic timelines.
- Security and productivity are in constant tension
Security teams understandably push for:
- Multi-factor authentication everywhere
- Tight Conditional Access policies
- Strict device compliance requirements
Meanwhile, business users want:
- Seamless sign-in
- Fewer interruptions
- Flexibility to work across personal and corporate devices
Rolling out Entra and Microsoft Intune is rarely a technical exercise alone. It’s a balancing act between protection and usability. Too strict, and productivity suffers. Too loose, and risk increases quietly over time.
Modern identity requires thoughtful calibration – not blanket rules.
- Change management and communication fall short
From a user’s perspective, identity modernisation often looks like:
- New MFA prompts
- Device registration requirements
- “Your device is not compliant” messages
- Company Portal enrolment flows
Without clear communication, these changes feel like friction rather than protection.
Successful identity programmes invest in explaining:
- Why changes are happening
- What users need to do differently
- How these controls enable flexible, secure work
Identity transformation is as much about behaviour and communication as it is about configuration.
- Policy and operational complexity creeps in
Conditional Access can quickly become:
- A maze of overlapping policies
- Filled with regional or role-based exceptions
- Dependent on “temporary” bypasses that quietly become permanent
Similarly, Intune configuration decisions can:
- Affect application behaviour
- Block legitimate access unintentionally
- Create inconsistent user experiences if not thoroughly tested
Modern identity requires governance and regular review. Without it, policies sprawl and clarity fades.
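A regular review of Conditional Access can start from an export of the policies. The following added example (not code from this article or from Microsoft) flags exclusions, exclusions that have gone unreviewed, and enforced policies that target the same users and applications. It assumes the export follows the shape of Microsoft Graph `conditionalAccessPolicy` objects, treats `modifiedDateTime` as a stand-in for the last review date, and ignores exclusions, groups and roles when computing overlap. The sample data and the 180-day threshold are constructed.

```python
from datetime import datetime, timezone
from itertools import combinations

def policy(name, state, modified, users, apps, controls, exclude_groups=()):
    """Constructed sample in the shape of a Graph conditionalAccessPolicy."""
    return {"displayName": name, "state": state, "modifiedDateTime": modified,
            "conditions": {"users": {"includeUsers": users,
                                     "excludeGroups": list(exclude_groups)},
                           "applications": {"includeApplications": apps}},
            "grantControls": {"builtInControls": controls}}

POLICIES = [  # constructed data, not from a real tenant
    policy("Require MFA - all users", "enabled", "2023-02-01T09:00:00Z",
           ["All"], ["All"], ["mfa"], exclude_groups=["grp-temp-bypass"]),
    policy("Compliant device - finance app", "enabled", "2025-01-10T09:00:00Z",
           ["All"], ["app-finance"], ["compliantDevice"]),
    policy("Block outside trusted regions", "enabled", "2025-02-10T09:00:00Z",
           ["All"], ["app-hr"], ["block"], exclude_groups=["grp-travellers"]),
]

def targets_overlap(a, b):
    """True if two include lists can match the same object ('All' matches any)."""
    return "All" in a or "All" in b or bool(set(a) & set(b))

def audit(policies, now, max_age_days=180):
    """Return (kind, detail) findings for exclusions and overlapping policies."""
    findings = []
    for p in policies:
        users = p["conditions"]["users"]
        excluded = users.get("excludeUsers", []) + users.get("excludeGroups", [])
        # Assumption: modifiedDateTime stands in for "last reviewed".
        modified = datetime.fromisoformat(p["modifiedDateTime"].replace("Z", "+00:00"))
        if excluded:
            stale = (now - modified).days > max_age_days
            findings.append(("stale-exclusion" if stale else "exclusion", p["displayName"]))
    # All matching policies apply together, so overlap is a review item, not an error.
    enforced = [p for p in policies if p["state"] == "enabled"]
    for a, b in combinations(enforced, 2):
        ca, cb = a["conditions"], b["conditions"]
        if (targets_overlap(ca["users"]["includeUsers"], cb["users"]["includeUsers"])
                and targets_overlap(ca["applications"]["includeApplications"],
                                    cb["applications"]["includeApplications"])):
            findings.append(("overlap", f'{a["displayName"]} / {b["displayName"]}'))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(POLICIES, datetime(2025, 3, 1, tzinfo=timezone.utc)):
        print(f"{kind:16} {detail}")
```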
Identity as the foundation for responsible AI
As organisations expand their use of AI and automation, identity is quietly becoming one of the most important control points in the environment.
AI agents, applications, and users all operate on top of the same identity framework. If that framework is fragmented or overly permissive, AI doesn’t just increase productivity – it increases the reach of whatever weaknesses already exist.
That’s why getting identity right matters.
When implemented thoughtfully, Microsoft Entra and Microsoft Intune do far more than manage logins. They bring consistency to access decisions, factor in device posture, and provide clear visibility into who – or what – is acting across the organisation.
At that point, identity stops being a background IT function and becomes part of the infrastructure that makes responsible AI possible.
It allows organisations to adopt AI, support hybrid work, and modernise securely – with confidence that access is deliberate, traceable, and aligned with how the business actually operates.
Stay tuned for our next article in this series where we’ll explore the second side of the AI Trust Triangle: data security – defining what AI can see and use, and how to set clear boundaries without slowing the business down.