Modern identity programs are expected to do everything: govern access, enforce least privilege, enable zero trust, detect threats, and now extend to emerging AI-driven identities. Yet most organizations still struggle to implement the fundamentals across fragmented and legacy environments. This session brings CISOs together to discuss how to prioritize identity investments where they matter most, acknowledge practical limitations, and focus on high-impact controls that reduce risk despite incomplete coverage. As new identity types like AI agents expand the attack surface, the challenge isn’t just adding more controls—it’s knowing where to draw the line, align stakeholders, and secure what matters first.