Identity is no longer a perimeter and calling it a "control plane" undersells what's happening: it is a workload class – one that spans three different actors. Human identities, non-human identities, and AI identities each carry different lifecycles, blast radii, and  detection signals. Most organizations are managing all three with a playbook designed for none of them.   Security teams have reached the end of what access management alone can deliver. The path forward is a risk-based operating model that assembles three capabilities that are fragmented across the market today: Identity Security Posture Management, Identity Exposure Management, and Identity Threat Detection and Response. They are three tenses of the same risk question – past, present, and active – and none of them work without the others.   Takeaways   Human, non-human, and AI identities are three distinct workload classes – not a spectrum. Each has its own lifecycle and governing all three with a single access-management playbook is the root cause of today's identity risk gap.   ISPM, exposure management, and ITDR are tenses of the same risk question, not three product categories. Posture reflects what was true, exposure reflects what is exploitable right now, and detection reflects what is active in the moment – all three must work as one system.   A risk-based identity operating model gives identity leaders a defensible way to evaluate and remediate identity risk. Attendees will see a concrete lifecycle – Discover, Assess, Reduce, Detect, Respond, Evolve – along with practical moves they can begin.