“You Don’t Exist in the System”: What GRC Gets Wrong About Identity Risk

Heer Chheda


Apr 17, 2025

In the hierarchy of security risks, identity rarely makes the front page. It’s often relegated to access control matrices and provisioning workflows—important, yes, but rarely urgent. It’s considered a convenience feature. A means to an end.

Until the day it vanishes.

“I went to the unemployment agency,” says Alexandre Blanc, a cybersecurity expert and former military contractor. “And they said: you don’t exist.”

This wasn’t a metaphor. It wasn’t a clerical error. His state-recognized identity had been deleted. His number was gone from the French civil registry. No social security. No access to healthcare. No recognition as a citizen.

In the eyes of the system, Alexandre had ceased to exist.

This isn’t just a harrowing anecdote. It’s a sobering reminder of how fragile identity is in a digitized society—and how little most governance, risk, and compliance (GRC) programs do to treat it with the gravity it deserves.

The illusion of identity permanence 

“Basically, I was born dead,” Alexandre says. A complication during birth deprived his brain of oxygen, leading to cognitive delays that lasted years. His teachers wanted him expelled from mainstream education. But his father fought back. Alexandre caught up—then some. He went on to win national skiing medals and became a sailing instructor.

The path to selfhood was hard-earned. But it was his experience as an adult—after unknowingly taking a job with a company linked to a separatist organization and later cooperating with French authorities—that cost him his identity in the eyes of the state.

The price of cooperation? Erasure.

When systems delete you, there’s no appeals desk. “I wasn’t a person anymore. I had paper records, but they didn’t match anything in the system.”

This moment marks a rupture most GRC frameworks are not built to reckon with. What if the system is a threat?

Why identity risk in GRC is underestimated

Most GRC programs give identity governance a passing mention, as if it begins and ends with provisioning and de-provisioning accounts. It’s folded into IAM, labeled as “access management,” and handed off to IT to sort out. But this framing treats identity as a convenience layer rather than as the foundational risk surface it really is.

When Alexandre Blanc’s identity was erased from the French civil system—no name in the registry, no social security number, no ability to work or prove who he was—it wasn’t a glitch. It was a systemic failure with existential consequences. It’s also a warning: identity isn’t just a technical artifact. It’s the backbone of legal, financial, and social personhood.

And yet, most GRC structures continue to underestimate this. They focus on controls—can this person access this system?—without asking the deeper question: what happens when the trust anchor is compromised? What’s the failover when the system no longer recognizes you?

Identity providers ≠ identity itself  

There’s a quiet but dangerous assumption buried in most GRC frameworks: that identity is synonymous with the system managing it. You’ll see it in how organizations default to Active Directory, Azure AD (now Microsoft Entra ID), or Okta and assume the problem is “solved.” But that assumption outsources more than just authentication; it offloads accountability.

Worse, most frameworks still treat these systems as “always on.” They assume the IdP is up. That it’s secure. That it can be trusted to assert who someone is without ever being compromised. There’s rarely a fallback. 

But digital identity isn’t a login box. It’s the sum total of who someone is in the system—their entitlements, their activity trail, their unique behavioral patterns across platforms. And in reality, most people operate with multiple identities across multiple systems. Your work credentials live in one place. Your personal identity somewhere else. Your pseudonymous or federated identities scattered across platforms.

To govern identity well, GRC can’t just manage access. It has to be designed for failure. For drift. For abuse. And most importantly, for recovery—without assuming the provider will always be around to vouch for you.

What happens when trust anchors fail

Digital identity systems have become the scaffolding of modern society. They authorize payments, regulate access, anchor reputations, and govern entitlements. But they are not immutable. They fail—quietly, sometimes catastrophically.

Digital identity wallets, touted as the future of self-sovereign authentication, come with an unsettling list of liabilities: attack surface expansion, weak interoperability, device loss, biometric data leakage, and inconsistent compliance with evolving regulatory regimes.

This is a governance problem, and it’s compounded by the assumption that our digital scaffolding is neutral. It isn’t. Identity systems mirror the biases of those who build them. From flawed facial recognition algorithms to discriminatory datasets, digital identity infrastructures can encode the very inequalities they claim to transcend.

Systemic resilience rarely factors into GRC conversations about identity. But it should. 

Active Directory isn’t the solution

Active Directory (AD) remains a cornerstone of enterprise identity management. Its dominance is so widespread that its presence is often assumed, not questioned. But familiarity should never be mistaken for integrity.

Despite decades of deployment, AD continues to suffer from structural design flaws and dangerous defaults. Most organizations still run with permissive baseline configurations: too many domain admins, insufficient audit trails, over-provisioned service accounts, and dormant-but-enabled accounts that function as silent backdoors. By default, any authenticated domain user can read and enumerate most of the directory, including group memberships and service principal names. And attackers know it.

Active Directory is used by over 90% of Fortune 1000 companies to manage employee access and internal permissions—making it one of the most attractive targets for ransomware operators today.
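The weak defaults listed above are checkable. The script below is an added example, not code from the original post or from any vendor: it audits an offline CSV export of user objects (the kind produced by `Get-ADUser -Filter * -Properties ... | Export-Csv`, with the `MemberOf` collection joined into one semicolon-separated field, which is an assumption about how the export was made). It decodes the raw FILETIME timestamps and `userAccountControl` flag bits that AD actually stores, and flags too many privileged accounts, dormant-but-enabled accounts, service accounts with stale passwords, privileged service accounts, and passwords set to never expire. The sample rows, account names and thresholds are constructed for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits (Microsoft-documented values)
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000

# AD stores timestamps as FILETIME: 100-nanosecond ticks since 1601-01-01 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a raw FILETIME value to an aware datetime; 0 or empty means 'never'."""
    ticks = int(ticks or 0)
    if ticks == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


# Constructed export for the example (not real directory data).
# 133852608000000000 = 2025-03-01, 133485408000000000 = 2024-01-01, 132366528000000000 = 2020-06-15
# userAccountControl 512 = normal, 514 = normal+disabled, 66048 = normal+password never expires
SAMPLE_EXPORT = """\
SamAccountName,lastLogonTimestamp,pwdLastSet,adminCount,userAccountControl,servicePrincipalName,MemberOf
jdoe,133852608000000000,133485408000000000,0,512,,CN=Staff
oldadmin,132366528000000000,132366528000000000,1,512,,CN=Domain Admins;CN=Staff
svc_sql,133852608000000000,132366528000000000,1,66048,MSSQLSvc/db01.corp.local:1433,CN=Domain Admins
contractor,132366528000000000,132366528000000000,0,514,,CN=Staff
helpdesk,133852608000000000,133852608000000000,1,512,,CN=Domain Admins
"""


def audit_ad_export(export_csv, now, dormant_days=90, stale_pwd_days=365, max_admins=2):
    """Flag the weak defaults named in the text. lastLogonTimestamp is only replicated
    every 9-14 days, so the dormancy window must be comfortably larger than that."""
    findings = {"privileged": [], "dormant_enabled": [], "stale_spn_password": [],
                "privileged_service": [], "password_never_expires": []}
    for row in csv.DictReader(io.StringIO(export_csv)):
        sam = row["SamAccountName"]
        uac = int(row["userAccountControl"])
        disabled = bool(uac & ACCOUNTDISABLE)
        groups = row["MemberOf"].split(";")
        privileged = row["adminCount"] == "1" or "CN=Domain Admins" in groups
        last_logon = filetime_to_datetime(row["lastLogonTimestamp"])
        pwd_set = filetime_to_datetime(row["pwdLastSet"])
        has_spn = bool(row["servicePrincipalName"].strip())

        if privileged:
            findings["privileged"].append(sam)
        if not disabled and (last_logon is None or now - last_logon > timedelta(days=dormant_days)):
            findings["dormant_enabled"].append(sam)  # live credential nobody uses: a silent backdoor
        if has_spn and (pwd_set is None or now - pwd_set > timedelta(days=stale_pwd_days)):
            findings["stale_spn_password"].append(sam)  # Kerberoastable with an old password
        if has_spn and privileged:
            findings["privileged_service"].append(sam)  # over-provisioned service account
        if uac & DONT_EXPIRE_PASSWORD:
            findings["password_never_expires"].append(sam)
    findings["too_many_admins"] = len(findings["privileged"]) > max_admins
    return findings


def run_sample_audit():
    """Audit the constructed export as of a fixed reference date (the post's date)."""
    return audit_ad_export(SAMPLE_EXPORT, now=datetime(2025, 4, 17, tzinfo=timezone.utc))


if __name__ == "__main__":
    for finding, accounts in run_sample_audit().items():
        print(f"{finding}: {accounts}")
```

On the constructed data, `oldadmin` is both privileged and dormant, `svc_sql` is a Domain Admin with a service principal name and a five-year-old non-expiring password, and three privileged accounts exceed the (constructed) limit of two. On a real export, tune `dormant_days` to the replication lag of `lastLogonTimestamp` and treat `adminCount=1` as a hint only: it is not cleared when an account leaves a protected group.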

Designing for resilience 

To meaningfully address the risks associated with digital identity, organizations must move past architectures that depend on singular systems or authorities.  

We can borrow from physical security paradigms here. In that world, “fail-safe” means defaulting to access in the event of a malfunction—prioritizing availability. “Fail-secure” does the opposite: it defaults to lockdown—prioritizing protection. Both approaches have their place in digital identity systems. A fail-safe IAM system, for instance, might ensure continued access to critical systems during outages. A fail-secure setup would ensure that no unauthorized access slips through in the event of failure. The right balance depends on your risk tolerance and what’s truly mission-critical.
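The fail-safe / fail-secure choice can be written into the policy enforcement point itself rather than left implicit. The block below is an added example (not code from the original post, and not any product's implementation) of a gateway that declares a failure mode per resource: when the identity provider is reachable it answers live and refreshes a signed cache of the user's entitlements; when the IdP is down, a fail-secure resource is denied outright, while a fail-safe resource is served from the cache only if the HMAC still verifies and the entry has not aged past its TTL. The resource names, the `POLICY` table, the four-hour TTL and the HMAC key are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone


class IdPUnavailable(Exception):
    """Raised when the identity provider cannot be reached or returns an error."""


class IdP:
    """Stand-in for an external identity provider (constructed for the example)."""

    def __init__(self, entitlements, available=True):
        self.entitlements = entitlements  # user -> set of resource names
        self.available = available

    def entitlements_for(self, user):
        if not self.available:
            raise IdPUnavailable("IdP unreachable")
        return set(self.entitlements.get(user, ()))


# Failure mode per resource, decided up front by risk tolerance (constructed policy).
# fail_safe: during an IdP outage a recent, signed entitlement cache keeps access alive.
# fail_secure: deny whenever the IdP cannot answer, whatever the cache says.
POLICY = {
    "incident-runbooks": "fail_safe",
    "payroll-admin": "fail_secure",
}
CACHE_TTL = timedelta(hours=4)


def _canonical(entry):
    body = {k: v for k, v in entry.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_cache_entry(key, user, entitlements, now, ttl=CACHE_TTL):
    """Record the last entitlements the IdP confirmed, bound to an expiry and an HMAC,
    so that whoever can write to the cache still cannot grant themselves access."""
    entry = {
        "user": user,
        "entitlements": sorted(entitlements),
        "issued_at": now.isoformat(),
        "expires_at": (now + ttl).isoformat(),
    }
    entry["sig"] = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
    return entry


def cache_entry_valid(key, entry, now):
    expected = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, entry.get("sig", "")):
        return False
    return now < datetime.fromisoformat(entry["expires_at"])


def authorize(user, resource, idp, cache, key, now):
    """Return (allowed, reason). A live answer refreshes the cache; on outage the
    resource's declared failure mode decides whether the cache may be consulted."""
    mode = POLICY.get(resource, "fail_secure")  # unknown resources fail closed
    try:
        entitlements = idp.entitlements_for(user)
    except IdPUnavailable:
        if mode == "fail_secure":
            return False, "idp-down:deny"
        entry = cache.get(user)
        if entry is None or entry.get("user") != user or not cache_entry_valid(key, entry, now):
            return False, "idp-down:no-valid-cache"
        return resource in entry["entitlements"], "idp-down:cached"
    cache[user] = sign_cache_entry(key, user, entitlements, now)
    return resource in entitlements, "idp-live"


def demo():
    """Walk through an outage; returns the list of (allowed, reason) decisions."""
    key = b"constructed-gateway-key"  # in practice: from a secret store or HSM
    t0 = datetime(2025, 4, 17, 9, 0, tzinfo=timezone.utc)
    idp = IdP({"alice": {"incident-runbooks", "payroll-admin"}})
    cache = {}
    out = [authorize("alice", "payroll-admin", idp, cache, key, t0)]  # live: allowed
    idp.available = False
    t1 = t0 + timedelta(minutes=5)
    out.append(authorize("alice", "payroll-admin", idp, cache, key, t1))      # fail-secure: denied
    out.append(authorize("alice", "incident-runbooks", idp, cache, key, t1))  # fail-safe: from cache
    # Copying alice's signed record under another user breaks the HMAC
    cache["mallory"] = dict(cache["alice"], user="mallory")
    out.append(authorize("mallory", "incident-runbooks", idp, cache, key, t1))
    # Past CACHE_TTL the entry no longer counts, even in fail-safe mode
    out.append(authorize("alice", "incident-runbooks", idp, cache, key, t0 + timedelta(hours=5)))
    return out


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The design point is that the fallback is bounded on three axes at once: which resources may use it, how long a stale assertion is honoured, and who can mint one (only the gateway holding the key). Every "idp-down" decision should also be logged as such, so that access granted from cache during an outage can be reviewed once the provider is back.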

But neither is achievable without thoughtful design.

Decentralization 

The conversation around decentralized identity is often hijacked by blockchain evangelists. But you don’t need a ledger to understand the value of distributed control.

Decentralization is about shifting power—from institutions to individuals. It reduces reliance on a single point of verification, spreading identity data across multiple nodes, often controlled by the users themselves. Done right, this model reduces the risk of mass breaches, prevents vendor lock-in, and builds resilience by design.  

Self-sovereign identity (SSI) is a powerful example. It gives individuals full autonomy over their identity data—how it’s stored, shared, and revoked. The principles behind it—portability, verifiability, persistence, and control—are highly transferable to enterprise identity systems, even outside the SSI paradigm.

There are also promising non-blockchain implementations of these ideas. Veridas’s ZeroData ID, for instance, uses zero-knowledge proofs to verify biometric identity without ever storing raw biometric data. Decentralized Web Nodes (DWNs), which pair with Decentralized Identifiers (DIDs), offer a way to store identity data across distributed infrastructure—without the overhead of a public chain. 

Stakes higher than ever

According to Socure’s State of Digital Identity in 2024 report, state governments across the U.S. are grappling with unprecedented levels of fraud, exacerbated by brittle identity systems and outdated verification methods. Even as 63% of constituents say they want to engage with government services entirely online, only 13% feel confident those systems can prevent fraud.

That delta—the gap between user expectation and systemic capability—is where risk festers. It’s also where GRC leaders have the most to gain.

Meanwhile, countries like Estonia and frameworks like the EU Digital Identity Wallet are actively engineering digital identity as a secure, standardized layer across both public and private services. In the U.S., while a fully national identity system doesn’t exist, momentum is building. Agencies like the TSA are beginning to integrate digital IDs into travel checkpoints. 

Public benefit delivery systems are exploring secure, privacy-preserving authentication. Behind the scenes, NIST, GSA, and others are working to build shared infrastructure that centers equity, accessibility, and resilience.

If we want critical services to be equitable, secure, and resilient, we must treat digital identity with the gravity it deserves.

Heer Chheda
Heer is a content marketer at Sprinto. With a degree in Media, she has a knack for crafting words that drive results. When she’s not breaking down complex cyber topics, you can find her swimming or relaxing by cooking a meal. A fan of geopolitics, she’s always ready for a debate.
