Securing Australia's digital future: identity security as a national priority
The federal government’s 2023–2030 Australian Cyber Security Strategy sets an ambitious vision to become a world-leading cyber-secure and resilient nation by 2030. While phase one focuses on strengthening defences and protecting vulnerable stakeholders, agencies must also lay the groundwork for phase two’s broader mission of improving cyber maturity across the economy, including significant investment in identity security.
Yet, while digital transformation accelerates, many organisations remain in the early stages of their identity security maturity. According to SailPoint’s Horizons of Identity Security 2024–2025 report, over 40% of organisations are still at the lowest maturity level, lacking the fundamental strategy and technology to enable secure digital identities. For example, many government agencies still rely on outdated or manual processes to manage access permissions, increasing their exposure to risk.
This gap between digital ambition and security reality creates significant vulnerabilities.
Modern threats put government agencies at risk
For government agencies, the security challenge is multifaceted. Beyond managing employee access, they must secure an expanding universe of digital identities that includes third-party contractors, citizen services and, increasingly, machine identities. These non-human identities — including service accounts, APIs and automated processes — are now growing faster than human identities, yet often lack clear ownership or governance. For instance, several recent breaches have been traced back to unsecured APIs or service accounts that were not adequately monitored or governed.
This complexity is compounded by the rise in privileged access requirements across systems and applications. In today’s threat landscape, cybercriminals don’t need to break in — they simply log in, exploiting compromised credentials or weak identity controls. In January 2024, Russian hackers exploited vulnerabilities in legacy systems to compromise 2.5 million documents across 65 government departments, underscoring critical gaps in identity governance — particularly in outdated authentication methods and unmonitored privileged access accounts. The Australian Government’s ranking among the top five sectors for data breaches in the OAIC’s February 2024 report underscores a pressing reality: human error and weak identity controls continue to put sensitive government data at risk.
The risks are further amplified by emerging AI-driven threats, as evidenced by the recent ban of DeepSeek over national security concerns, highlighting the dangers of AI-powered data mining and unauthorised access. Traditional security measures, focused primarily on compliance and static controls, are proving insufficient against modern threats.
Bending the curve: the investment imperative
Forward-thinking organisations are moving beyond traditional role-based access control towards dynamic, attribute-based models. These identity attributes are the new ‘keys to the kingdom’, replacing static credentials with continuous, context-aware verification. AI-driven identity security systems enable real-time governance, adapting to evolving risks and preventing unauthorised access before damage occurs.
The metadata about identities — who they are, what they’re accessing, and in what context — is now critical for intelligent, risk-based access decisions. This is particularly important for machine identities and third-party access, where traditional security models often fall short.
Poor data hygiene and inadequate metadata management create a perfect storm of risk: over-provisioned access, compliance failures, and insufficient protection of sensitive government data. Agencies that strategically invest in identity security are seeing transformative results. Those at higher maturity levels are twice as likely to leverage identity data effectively, with about 50% using intelligent guidance for user access and reviews, compared to fewer than 20% of those at lower maturity levels. For example, one Australian government department successfully reduced the risk of data breaches by implementing an AI-driven identity security solution, enabling fine-grained access controls that dynamically adjust permissions based on real-time threat intelligence.
This ‘bending of the curve’ delivers exponential benefits across risk reduction, business value and workforce productivity, building a foundation that fundamentally transforms how government agencies secure and manage access to sensitive information. By moving beyond basic encryption to structured, role-based governance and dynamic access controls, agencies can achieve both stronger security and improved operational efficiency.
A call to action
As Australia pursues its digital ambitions, identity security must be a national priority. The cost of inaction is too high, with each new digital initiative potentially expanding the attack surface. To stay ahead of evolving threats, governments worldwide have set a global benchmark for securing digital identities. For example, the UK’s Government Digital Service (GDS) has implemented a robust digital identity framework that balances security with user privacy.
Government agencies in Australia must move beyond compliance minimums and embrace comprehensive, unified identity security strategies that address every type of enterprise identity and every location of data while managing risk. The future of cybersecurity will be defined by AI-driven identity security combined with strong policy leadership that goes beyond protecting against current threats to build the foundation for Australia’s digital future. Agencies that invest in mature identity security capabilities today will be better positioned to face tomorrow’s challenges while enabling the innovation and agility that digital transformation demands.