Identity and Zero Trust: What’s New in Digital Security (March 2026)

Feeling like identity is the new battlefield in cyber defence? You’re not wrong. The latest developments show that digital identity and access control are evolving—and they matter big time for businesses of any size.

Introduction

In the past week, we’ve seen emerging threats and trends reshape how organisations manage digital identity, authentication, and access. From AI-powered phishing tactics exploiting OAuth flows to shifts in zero trust maturity, these updates offer both risks and opportunities—especially for small and mid‑sized businesses. This article cuts through the buzz to highlight what’s fresh, why it matters, and what you can do now.

Key Story: AI‑assisted phishing and OAuth abuse

Researchers have observed a surge in phishing approaches that misuse OAuth redirection to bypass email and browser protections. Attackers craft seemingly legitimate authentication prompts—think e‑signature or meeting invites—that hide malicious OAuth links, leading to credential interception and MFA bypass. This trend isn’t isolated: attackers now deploy AI‑assisted phishing and identity fraud, ramping up scale and sophistication.  Why it matters: - Every digital identity becomes a gateway to risk - Small to midsize entities may lack visibility or tools to detect this - MFA alone isn’t enough if session tokens or OAuth flows can be abused Recommendations: - Review OAuth apps registered in your environment regularly; revoke unknown ones - Train staff to scrutinise authentication prompts—even if they come via email - Use browser and email filters to flag unexpected OAuth flows - Monitor unusual login activity or app authorisations—all revoked apps should be logged - Consider conditional access rules that limit third‑party app scopes

Funding boosts in identity and AI security governance

Several companies tied to identity and risk management secured new funding to grow AI‑driven security tools—something small and medium organisations should watch. Notably, ArmorCode raised US$16 million to power its agentic AI security exposure platform, offering automation across app, cloud, infrastructure, and AI systems. Another company, UpGuard, received US$75 million to scale its AI‑driven cyber risk posture management platform that unifies vendor risk, user risk and governance.  Why it matters: - Tools like these accelerate AI adoption while helping monitor identity footprint and risk - Expect more accessible, automation‑friendly tools tailored for SMBs soon Recommendations: - Evaluate exposure management platforms that surface identity risk across systems - Tap into AI‑powered risk dashboards to prioritise identity-related gaps - Pilot projects to test visibility tools integrating app, cloud and user vectors - Stay tuned for smaller‑scale or subscription versions aimed at smaller orgs

Trend snapshot: Identity‑first Zero Trust gains ground

Thought leaders note that organisations are increasingly seeing “identity‑first” Zero Trust—not perimeter control—as the foundation for modern security. This shift emphasises continuous verification, context‑aware access and adaptive identities over network fences.  Why it matters: - Legacy VPN‑centric thinking is out; new models centre on identity granularity - Small shops with hybrid or legacy systems may struggle to retrofit identity‑first models Recommendations: - Map critical assets and build identity controls layer‑by‑layer - Use risk‑based conditional access or policy stepping for users. - Where legacy apps exist, start with proxy front‑ends or authenticated gateways that support identity control - Seek IAM solutions that support legacy integration and gradual rollout - Document identity flows and policies to support maturity assessment

Observer insights: Legacy systems vs zero trust

IT practitioners report real‑world friction: zero trust tools often are designed for cloud‑native setups and clash with legacy infrastructure. Some revert to VPNs as stopgaps, because they ‘just work’ across mixed environments—even if they’re less secure. Why it matters: - Zero Trust isn’t always plug‑and‑play for small or mixed‑tech firms - You risk a false sense of security if tools break workflows Recommendations: - Conduct compatibility audits before selecting Zero Trust tools - Partner with vendors offering hybrid‑compatible deployment paths - Start small: pilot into one segment before broad rollout - Balance security with usability where legacy systems are critical to ops

What This Means For Your Business

Identity is no longer a checklist item—it’s the core perimeter. AI‑powered phishing and token‑theft attacks prove that every login point is a risk, and identity tools must evolve with it. At the same time, new funding indicates innovation is coming—and fast. For businesses without cloud‑first architecture, the path to Zero Trust may be rocky, but fallback to legacy approaches like VPNs carries its own risk. The way forward is pragmatic: map your identity landscape, choose tools that play nice with your stack, and build security in stages. Focus on unattended identity risks—legacy that breaks access, OAuth misuse, stale app registrations, orphaned accounts—that you can fix now. Most of all, stay curious about new tools that offer identity governance, risk context, and automation.

Call Webwire on 08 9386 0053 or contact us at enquiries@webwire.com.au.