Identity-based access control sounds simple in theory: authenticate users, authorize based on roles, audit everything. In practice, most organizations struggle with the gap between policy and implementation.
The problem isn’t the technology. AWS IAM, Azure AD, and GCP IAM all provide robust identity systems. The problem is that organizations treat identity as a drop-in replacement for secrets management rather than as infrastructure in its own right.
When identity is bolted on rather than built in, teams end up with hybrid systems where some workloads use service accounts, others use instance profiles, and still others fall back to API keys stored in environment variables.
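The hybrid drift described above is easiest to manage once it is measurable. As an added example (not code from the original post), the function below classifies each workload in a small inventory by how it obtains cloud credentials and flags static keys, including the case where keys in the environment shadow an attached identity. The inventory, the field names (`instance_profile`, `service_account`, `env`) and the secret-name patterns are constructed assumptions.

```python
import re

# Constructed sample inventory, not data from any real environment: each entry
# records how one workload was configured to obtain cloud credentials.
WORKLOADS = [
    {"name": "api-gateway", "instance_profile": "ec2-role/api-gw", "env": {}},
    {"name": "batch-job", "service_account": "batch@example-project.iam", "env": {}},
    {"name": "legacy-cron", "env": {"AWS_ACCESS_KEY_ID": "AKIAEXAMPLEEXAMPLE12",
                                     "AWS_SECRET_ACCESS_KEY": "constructed-placeholder"}},
    {"name": "reporting", "instance_profile": "ec2-role/reporting",
     "env": {"AWS_ACCESS_KEY_ID": "AKIAEXAMPLEEXAMPLE34",
             "AWS_SECRET_ACCESS_KEY": "constructed-placeholder"}},
    {"name": "metrics", "env": {"LOG_LEVEL": "info"}},
]

# Environment variable names that usually carry a long-lived static secret (assumed list).
STATIC_SECRET_NAME = re.compile(r"(API_KEY|SECRET|TOKEN|PRIVATE_KEY|ACCESS_KEY)")
# AKIA... is a long-lived IAM user access key; ASIA... would be a temporary STS key.
LONG_LIVED_AWS_KEY = re.compile(r"^AKIA[0-9A-Z]{16}$")


def classify(workload):
    """Return (credential_source, findings) for one inventory entry.

    The AWS SDK credential chain reads environment variables before the
    instance metadata service, so static keys in the environment win even
    when an instance profile is attached; that case is reported explicitly.
    """
    env = workload.get("env", {})
    static_vars = sorted(k for k in env if STATIC_SECRET_NAME.search(k))
    findings = []
    for name in static_vars:
        if LONG_LIVED_AWS_KEY.match(env[name]):
            findings.append(f"{name} holds a long-lived IAM user access key")
        else:
            findings.append(f"{name} holds a static secret")
    has_identity = bool(workload.get("instance_profile") or workload.get("service_account"))
    if static_vars and has_identity:
        findings.append("static env credentials shadow the attached workload identity")
    if static_vars:
        return "static_api_key", findings
    if workload.get("instance_profile"):
        return "instance_profile", findings
    if workload.get("service_account"):
        return "service_account", findings
    return "none", findings


def audit(workloads):
    """Map each workload name to its effective credential source."""
    return {w["name"]: classify(w)[0] for w in workloads}
```

Run `audit(WORKLOADS)` to see which workloads still depend on static keys; `classify` gives the per-workload detail needed to plan the migration to a workload identity.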