Webinar

How To Scale Securely In 2026 Without Growing Your IT Team with Peter Kovacs

February 4, 2026
Johannes Keienburg

Access Management Is Now A Growth Operating Model

Access management used to be a back-office control. In 2026 it looks more like an operating model.

Fast-growing companies add apps, AI agents, teams and contractors at rapid speed. Access is created at the edges of the org, where work happens. But many companies still govern access through one central bottleneck.

That mismatch is why old-school access programs fail. Not because IT and Security teams are doing a bad job, but because the system they inherited cannot keep up.

This article pulls the most useful ideas from a recent conversation between Johannes Keienburg, CEO and Founder of Cakewalk, and Peter Kovacs, Head of Information Security at Nudge. It goes beyond the recap. It turns the discussion into a set of principles and decision points you can apply in your own environment.

Key Takeaways

  • Access breaks when creation is distributed but governance stays centralized.
  • Ticket queues turn into rubber-stamping, permanent exceptions and standing privilege.
  • The fix is not hiring a larger IT team. It is better system design.
  • Role clarity and identity lifecycle automation do more than another policy document.
  • AI agents and other non-human identities expand risk faster than humans if left unmanaged.

Why Access Management Breaks At 200, 400, Then 800 Employees

In smaller companies, access feels manageable because the same handful of people know the stack and can answer most questions from memory. A request comes in. IT approves it. Everyone moves on.

Once headcount grows, that model fails in predictable ways.

New apps enter through teams, not IT. Managers approve access without context. People switch roles and keep old permissions. Departures happen fast and offboarding becomes inconsistent. Meanwhile IT and Security teams do not expand at the same pace.

Peter put it bluntly in the session. Access is created everywhere while governance stays manual and centralized.

That is the root cause. Everything else is a symptom.

The Three Failure Modes You Can Spot Early

If you want a quick health check, look for these patterns. They show up in almost every company right before access becomes a constant source of risk and frustration.

1. The Ticket Queue Becomes The Policy

When approvals are driven by tickets, the ticket backlog becomes the real rulebook. The longer the queue, the more pressure there is to clear requests without scrutiny.

That is how rubber-stamping starts. People approve to keep work moving, not because the access is correct.

2. Exceptions Turn Into Defaults

Temporary access is rarely temporary. Someone needs access for a project. They get it. The project ends. Nobody removes it.

Standing privilege grows one exception at a time.

3. Evidence Lives In Too Many Places

Audit questions are rarely complex. They are basic.

  1. Who requested access?
  2. Who approved it?
  3. What changed?
  4. Why was it granted?
  5. How long did it last?
  6. When was it last reviewed?

If you cannot answer those questions quickly, audits become a scavenger hunt across tickets, exports, spreadsheets and screenshots.

A Better Model: Distributed Decisions, Central Policy

Centralization becomes the problem when the people approving access are far from the business context where the need is created.

That does not mean you decentralize policy. It means you separate decision-making from rule-setting.

In practice, the model looks like this.

  • IT and Security set the rules, roles and guardrails.
  • Managers and app owners make decisions with context.
  • The system enforces policy and records evidence by default.

You get speed where the work happens and control where it should live.

This is also how you reduce bypass behavior. If the correct path is faster than the side path, people follow it.

Lifecycle Plus RBAC: Triggers And Templates

Most access programs fail because they treat every change like a new request.

Joiners, movers and leavers are predictable identity events. They happen every week. If your access model is built around tickets instead of these triggers, you get the same problems on repeat: manual queues, inconsistent offboarding and permissions that accumulate over time.

Peter’s approach at Nudge starts with a simple rule. HR is the most reliable signal that access should change. When HR drives identity change, access changes can be consistent, time-saving and auditable.

That still leaves a second problem. What does the right access look like?

This is where role-based access control earns its place. The lifecycle tells you when access should change. RBAC tells you what should change. Without a clear permission map, automation can speed up overprovisioning.

RBAC reduces ambiguity because roles create a shared language between IT, Security and the business. You can point to a role and answer the questions that matter to audits and operations.

  • Which roles exist
  • Who is in each role
  • What each role grants
  • Who owns the role
  • How often it is reviewed

Put together, lifecycle triggers and role templates do the heavy lifting. New hires get the right baseline access on day one. Role changes update permissions instead of stacking them. Departures remove access without relying on someone remembering a checklist.
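
An added example, not code from the webinar or from Cakewalk: a minimal planner that turns an HR joiner, mover or leaver event into grant and revoke sets using role templates. The role names, entitlement strings and the choice to revoke anything outside the new template on a move are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed role templates (hypothetical role and entitlement names).
ROLE_TEMPLATES = {
    "sales-rep": {"crm:user", "email:user", "chat:user"},
    "sales-ops": {"crm:admin", "bi:viewer", "email:user", "chat:user"},
    "engineer": {"git:write", "ci:user", "email:user", "chat:user"},
}


@dataclass(frozen=True)
class HrEvent:
    kind: str                      # "joiner", "mover" or "leaver"
    user: str
    new_role: Optional[str] = None


def plan_access_change(event, current):
    """Return (grant, revoke) sets for one HR event.

    `current` is every entitlement the user holds right now, including
    anything that was granted outside a template.
    """
    if event.kind == "leaver":
        target = set()
    elif event.kind in ("joiner", "mover"):
        if event.new_role not in ROLE_TEMPLATES:
            # Fail closed: an unmapped role must not silently keep old access.
            raise ValueError(f"no template for role {event.new_role!r}")
        target = ROLE_TEMPLATES[event.new_role]
    else:
        raise ValueError(f"unknown event kind {event.kind!r}")
    # Diff against the template so a move replaces access instead of stacking it.
    return target - current, current - target


if __name__ == "__main__":
    held = {"crm:user", "email:user", "chat:user", "prod-db:read"}
    grant, revoke = plan_access_change(HrEvent("mover", "dana", "sales-ops"), held)
    print("grant:", sorted(grant))
    print("revoke:", sorted(revoke))
```

The mover case is the one that matters: the old role's `crm:user` and the leftover `prod-db:read` exception both land in the revoke set.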

This is not glamorous work, but it is the foundation that holds up when the company is hiring fast and auditors are asking hard questions.

Least Privilege Only Works When It Applies To Leadership

A standout moment from the conversation was a real story.

The CEO at Nudge requested privileged access. The request was blocked and routed through Security. The CEO followed the process. Access was approved for a fixed time window, logged and then revoked.

That is the point most companies miss.

Least privilege is not a policy. It is a behavior that becomes credible only when senior leaders follow the same rules.

If leaders bypass controls, everyone learns the real standard.

If leaders follow controls, the process becomes easier to defend and easier for employees to accept.

Audit Readiness Should Be A Byproduct Of Daily Work

Many teams treat audit readiness as a separate project. It becomes a quarterly push, a scramble for evidence and a set of late nights.

Peter’s view was closer to how mature programs operate. Audit readiness should come out of normal operations.

That only happens when evidence is captured by design.

If you want audit work to shrink, focus on one thing. Make sure every access change produces a usable record without extra work.

A good record includes:

  • Requestor
  • Approver
  • Reason
  • What changed
  • Duration
  • Review history

If you have that, audits become verification, not reconstruction.

Why AI Agent Access Is More Dangerous Than Human Access

When asked what keeps him up at night going into 2026, Peter answered quickly. Non-human access.

AI agents scale in ways humans cannot. With a few clicks, an agent can be connected to internal systems and external vendors. Many agents hold standing permissions. Some are controlled by multiple humans, which multiplies effective access.

Agents also shift trust boundaries.

You may trust your employee. But now you also need to trust the vendor, their staff, their subcontractors and their security posture.

And the agent does not care about intent. It does what it is instructed to do. If misconfigured, it can do damage at machine speed.

This is why agent access needs the same discipline as privileged access.

A Practical Way To Govern Non-Human Identities

You do not need a perfect solution to start governing agents. You need a consistent way to decide what is allowed.

A useful starting point is to treat every agent like a privileged identity and ask the same questions you would ask for a human with elevated access.

  • What non-human identities (NHIs) are in use across my teams?
  • What systems do they touch?
  • What permissions do they get?
  • Who owns each one?

If you cannot answer those questions, the agent is not ready for production access.

Peter also shared an internal approach that many teams can copy. Create a clear approval path for AI initiatives so engineers do not ship agent access through side channels. Give teams a place to propose use cases, get approval and document ownership.

That keeps innovation moving while keeping access visible.

What To Do If You Are Starting From Scratch

Peter shared a simple sequence for a new environment.

  1. Run a gap analysis against a clear standard you trust.
  2. Tie role-based access to joiner, mover and leaver events.
  3. Get visible buy-in from senior leadership.

That last point is not a soft factor. It is operational.

If leaders do not support the process when it is inconvenient, the process will not survive.

Measuring Security Outcomes Without Turning It Into Theater

A useful line from the conversation was about moving away from opinion-driven security. Security programs gain credibility when they can show measurable outcomes.

You do not need a long list of KPIs. You need a small set that tells you whether the system is working.

Here are a few metrics that tend to reveal the truth quickly.

  • Time to have a new joiner up and running with all access
  • Time to remove access after departure
  • Percentage of access that is time-based
  • Percentage of users with privileged access
  • Completion rate of access reviews
  • Number of exceptions older than 30 days

If those numbers improve, your security posture improves. If they do not, you know where to look.
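
An added example (not code from the webinar or from Cakewalk) that stores the record fields listed under audit readiness and derives two of the metrics above from them, plus time-boxed grants that passed their expiry without being revoked. The field names, the `is_exception` flag and the sample records are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class AccessRecord:
    requestor: str
    approver: str
    reason: str
    change: str                            # what changed
    granted_at: datetime
    expires_at: Optional[datetime] = None  # duration; None = standing access
    revoked_at: Optional[datetime] = None
    is_exception: bool = False             # granted outside the role template
    reviews: List[datetime] = field(default_factory=list)  # review history


def access_metrics(records, now, max_exception_age=timedelta(days=30)):
    """Derive the numbers from the same records an auditor would read."""
    active = [r for r in records if r.revoked_at is None]
    time_based = [r for r in active if r.expires_at is not None]
    pct = round(100 * len(time_based) / len(active), 1) if active else 0.0
    return {
        "pct_time_based": pct,
        "stale_exceptions": [r.change for r in active if r.is_exception
                             and now - r.granted_at > max_exception_age],
        # Expired on paper but never revoked: temporary access gone permanent.
        "overdue_revocations": [r.change for r in time_based
                                if r.expires_at <= now],
    }


def D(s):
    return datetime.fromisoformat(s)


# Constructed sample records.
SAMPLE = [
    AccessRecord("alice", "mgr-1", "role baseline", "grant crm:user", D("2025-06-01")),
    AccessRecord("bob", "mgr-2", "migration project", "grant prod-db:read",
                 D("2025-12-01"), is_exception=True),
    AccessRecord("carol", "sec-1", "incident triage", "grant siem:admin",
                 D("2026-02-01"), D("2026-02-08"), is_exception=True),
    AccessRecord("dave", "sec-1", "vendor cutover", "grant idp:admin",
                 D("2026-01-10"), D("2026-01-17"), is_exception=True),
    AccessRecord("erin", "sec-1", "one-off export", "grant bi:admin",
                 D("2026-01-01"), D("2026-01-02"), revoked_at=D("2026-01-02")),
]
```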

Final Thoughts

Access management is no longer a secondary control. It determines whether your company can move quickly without accumulating silent risk.

The strongest programs treat access as a system. They connect access to the identity lifecycle. They reduce ambiguity with roles. They make evidence a built-in output. They govern AI agents before agent access becomes invisible sprawl.

If you are feeling the pressure, you are not behind. You are seeing the same structural shift that every growing company hits.
