Session/cookie hijacking, phishing, credential stuffing and account takeovers are more prevalent now than before because barriers to entry are low. Throw in the SSO tax, where convenience is mixed with lack of binding and session presence, and you have a recipe for risky business (not the '80s movie though). This session will approach identity security from a mindset of "assume breach". This assumes threat actors have all accounts and all credentials and sessions are compromised. Eliminating standing access (zero standing privilege), where possible, should be a core tenet in an overall IAM strategy, especially for privileged access to sensitive/core systems. This session will showcase how to achieve this starting with foundational building blocks, provide real-world implementation examples, and explain why "assume breach" is a very important methodology in practice. In this talk, we'll also look at how big a role authorization plays and how this methodology is disrupting the identity governance (IGA) landscape. Lastly, we'll dive into how this increases operational business efficiency and mitigates security risks without becoming a productivity blocker for the business, and how it streamlines complexities in the access management world.