The shift to adaptive identity: A conversation with SailPoint and State Farm

Identity and access management is not a static, set-it-and-forget-it discipline. Business technology is constantly evolving due to cloud adoption, AI, and the rise of digital identities. In this dynamic environment, traditional security models based on periodic reviews and fixed policies are proving insufficient. The future of identity security lies in a more agile, intelligent, and responsive approach. Welcome, adaptive identity.

This was the central theme of a recent discussion between Lori Robinson, VP of Product Management at SailPoint, and Victor Montgomery, Director of Information Security at State Farm. They explored how organizations can move beyond outdated practices and embrace a model that continuously evaluates risk in real time.

From static policies to real-time response

For years, identity management revolved around defining policies and periodically checking for compliance. You decided who should have access to what, and then, perhaps quarterly or annually, you reviewed those permissions. Lori Robinson described this as a static world. Today, that world is gone.

Adaptive identity is the response to our new, dynamic reality. It’s about creating systems that can react to changes in the environment as they happen. This means moving from a state of periodic compliance checks to one of constant evaluation. The core question is no longer just "Who should have access to what?" but rather, "Should they have access right now?" This shift is crucial for addressing sophisticated threats and complex business needs.

Victor Montgomery provided a candid look at how a major enterprise like State Farm has navigated this evolution. Their journey, which spans a 15-year relationship with SailPoint, mirrors the broader changes in the industry. Before implementing a dedicated solution, State Farm’s access management was largely manual, ad-hoc, and reactive. The introduction of SailPoint’s on-premises solution brought a much-needed framework, particularly for certifications and user experience. However, even with this improvement, the systems were disparate and managed by multiple teams, creating complexity.

To address these challenges, State Farm began migrating to SailPoint Identity Security Cloud. This move was driven by a larger organizational strategy to consolidate tools and shift away from on-premises data centers. Victor noted the immediate benefits, namely that the migration enabled State Farm to have a true single platform. This consolidation provides a unified view of access across the organization, which is the foundational step toward a more adaptive model. Having all identity data in one place makes it possible to leverage advanced capabilities for risk analysis and real-time decision-making. “As we get into that adaptive identity conversation, Identity Security Cloud is the thing that will enable us to be able to do that,” Victor commented.

Adaptive identity in practice

Victor explains that while State Farm is not there yet, leveraging adaptive identity is a future state they would love to be in. “I’m excited to see where adaptive identity takes us. I do believe it will enable us to move faster and to influence the future of what we can do at State Farm.”

For Victor, adaptive identity is about real-time evaluation of an individual's credentials and devices, enabling them to get into the system. Based on this real-time evaluation, the system can then automatically take further actions such as:

• Restrict access until further verification is provided
• Trigger a step-up authentication challenge
• Alert a security team to investigate the potential threat

This is the essence of just-in-time (JIT) access. It’s a core component of the Zero Trust philosophy, which operates on the principles of "never trust, always verify," least privilege, and continuous monitoring. Instead of granting standing access that must be reviewed later, JIT provisioning grants temporary, time-bound access only when needed. This dramatically reduces risk and can even lessen the burden of traditional access certifications.

Lori comments, “There’s an opportunity here to think about access, provisioning, and policy at the time it’s needed, especially for those high-risk entitlements. We need to get into more of a just-in-time motion, so that you don’t have that standing access out there that needs to be reviewed and or revoked, which is a huge burden for our line business.”

A community effort

The journey toward adaptive identity is not just a technological transformation—it’s a call for a community-driven approach to security. As Victor highlighted, the challenges we face in today’s digital landscape are shared across industries and so must be the solutions. At its core, a community-driven approach means breaking silos, fostering collaboration, and sharing insights to collectively raise the bar for security. For organizations like State Farm, this shift represents a move away from operating in isolation and toward a model where partnerships and shared knowledge are key to staying ahead of evolving threats.

SailPoint’s commitment to fostering this community-driven approach is evident in initiatives like the Shared Signals Framework. This framework enables security tools and platforms to communicate in real time, creating a seamless flow of information that enhances visibility and responsiveness. For example, if an HR system signals that an employee has been terminated, the framework can trigger automated workflows to revoke access, wipe devices, and terminate active sessions across the ecosystem. This level of integration and collaboration ensures that organizations can respond to risks swiftly and effectively, reducing vulnerabilities and strengthening their overall security posture.

For both State Farm and SailPoint, the community-driven approach extends beyond technology. It’s about enabling people to do their best work while ensuring they have the tools and support needed to navigate an ever-changing threat landscape. Whether it’s empowering claims representatives to respond effectively during natural disasters or leveraging AI to secure machine identities, the focus remains on balancing enablement with security.