A new research stream on identity governance, privileged access management, and AI-assisted security operations is now formally established at the Toronto Institute of Technology and Science – and is actively seeking research contributors from academia and industry.
The program addresses one of the most pressing gaps in enterprise technology today: the disconnect between how organisations theoretically govern digital identity and access, and how those controls actually perform under adversarial conditions, operational pressure, and the accelerating complexity of hybrid cloud environments.
The Problem We Are Researching
Identity has become the primary attack surface of the modern enterprise. According to the 2024 Verizon Data Breach Investigations Report, compromised credentials are now involved in over 60% of breaches – a figure that has climbed steadily for a decade. Yet the tools and frameworks organisations use to govern identity were largely designed for an era of perimeter security, when users sat inside a defined corporate network and accessed a manageable set of on-premises applications.
That world no longer exists. The typical enterprise now spans hundreds of SaaS applications, multiple cloud providers, a remote and hybrid workforce, machine identities that outnumber human ones, and an attack surface that is effectively unbounded. Against this backdrop, identity governance frameworks – the policies, processes, and technologies that determine who can access what – have struggled to keep pace.
Research Streams
The program is organised into four interconnected research streams, each addressing a distinct dimension of the identity and access challenge:
Stream 1 – Zero-Trust Architecture in Practice
Zero-trust is now the dominant framework in security architecture guidance – from NIST SP 800-207 to the US Federal Government's 2021 Executive Order. But implementation lags far behind rhetoric. This stream examines the gap between zero-trust as a design philosophy and zero-trust as it is actually deployed in mid-market and enterprise environments, with particular attention to the organisational and cultural barriers to adoption.
Tags: NIST 800-207, Zero Trust, Enterprise Architecture
Stream 2 – Privileged Access Governance
Privileged accounts – those with administrative rights over systems, databases, and infrastructure – represent the highest-value targets for attackers and the highest risk for organisations. This stream focuses on PAM programme design, the operationalisation of just-in-time and just-enough access models, and the organisational dynamics that cause PAM initiatives to succeed or fail.
Tags: PAM, JIT Access, CyberArk, BeyondTrust
Stream 3 – AI-Assisted Anomaly Detection in IAM
Machine learning offers compelling potential for detecting anomalous access patterns – login times, volumes, and locations that deviate from established baselines. This stream evaluates how effectively current AI/ML tools embedded in IAM platforms (including Microsoft Entra, Okta, and SailPoint) detect genuine threats versus generating alert fatigue, and what role human analysts should play in the detection workflow.
Tags: UEBA, Anomaly Detection, Microsoft Entra, Okta
Stream 4 – Identity Governance in Regulatory Context
Canadian organisations face a complex and evolving patchwork of regulatory requirements touching on identity and access: PIPEDA, Quebec's Law 25, OSFI guidelines for financial institutions, and PHIPA for healthcare. This stream maps those requirements to practical IAM controls, with the aim of producing guidance that compliance teams and security architects can use directly.
Tags: PIPEDA, Law 25, OSFI, PHIPA, Compliance
Methodology
The program takes a mixed-methods approach. Quantitative work draws on breach data, incident reports, and the results of simulated attack exercises conducted in partnership with enterprise participants. Qualitative work involves structured interviews with CISOs, IAM programme leads, and security operations analysts at a cross-section of Canadian organisations.
Where possible, research will be published openly. Our working papers are available through the Research Portal, and we are committed to producing outputs that are accessible to practitioners – not just to academic readers. We are explicitly not interested in vendor-sponsored research that confirms the effectiveness of a particular commercial product.
"The identity problem is fundamentally a human and organisational problem that happens to have technical dimensions – not the other way around. Frameworks and tools fail because of how people use them, not because the technology is inadequate."
– TITS Cybersecurity Research Group
The Saviynt & Modern IGA Landscape
One area of active investigation is the rapidly evolving Identity Governance and Administration (IGA) market. Legacy IGA platforms – many built on architecture that predates cloud computing – are being challenged by modern cloud-native alternatives. Saviynt, SailPoint, and Omada represent a new generation of IGA tools that promise to unify identity governance across cloud, on-premises, and SaaS environments from a single platform.
Our research is examining the real-world implementation experience of these platforms, the total cost of ownership versus legacy solutions, and the degree to which their AI-assisted access certification and anomaly detection features deliver measurable security value – as opposed to marketing value.
Call for Contributors
We are actively seeking research contributors with experience in the following areas:
- Identity and Access Management programme design and implementation
- Privileged Access Management (PAM) technologies and governance models
- Security operations and threat detection in IAM contexts
- Regulatory compliance in Canadian financial services, healthcare, or government
- Machine learning applied to user behaviour analytics
Contributors may participate as named researchers, anonymous interview subjects, or data partners. All participation is governed by a formal research agreement protecting confidential information.
Join the Research Program
Whether you're a CISO, an IAM engineer, or an academic researcher, we want to hear from you. Use the Research Portal to access working papers and register your interest.