Introduction to Know Your Worker
A guest post on Know Your Worker from our friends at TechVision Research. Be sure to sign up for our upcoming webinar, September 9 2025.
After more than 10,000 years of human existence in an analog environment, we must all adjust to a digital world in which we are exposed to myriad fraud and theft schemes perpetrated by AI-savvy hackers, thieves, and adversarial nation-states. It is a different world, and enterprises need to adjust to this new world order.
Humans today don’t typically have the cyber literacy to fend off complex influence operations and social engineering attacks that put an organization’s information, brand, and reputation at great risk. The workers themselves are essentially the last bastion of protection an organization has. According to Verizon’s 2024 Breach Investigation Report released in March 2025, such human worker failures, whether through negligence or malfeasance, account for 75% of all data breaches and ransomware attacks today.
What exacerbates this very real threat is that today’s workforce is typically distributed and fragmented across a wide spectrum: full-time employees managed in HR and payroll; contractors hired into various departments; managed service providers running the network and infrastructure from “offshore” locations; supply-chain partners interacting with the enterprise resource planning (ERP) systems; and business partners and vendors who often have access to some subset of the organization’s online and social media presence, sensitive information, application development environment, or system configurations. That is a lot of people with access to an organization’s information and brand, especially considering that most third parties have a revolving door of hires and departures.
Protecting against these insider threats starts with Know Your Worker (KYW): a concept that is an extension of the now widely supported Know Your Customer (KYC) standards, which are the processes by which banks obtain information about the identity of their customers.
Because some of the most egregious security issues arise when people have too much access (sometimes known as aggregated access privileges), careful management of workers’ access privileges is a cornerstone of an Identity and Access Management (IAM) 2.0 program for nearly every organization of every shape, size, and industry.
1. KYW and IAM are two sides of the same “information protection coin”:
a) Identity and Access Management (IAM) has been a cornerstone of cybersecurity since the inception of modern computing, and it underpins today’s Zero Trust authentication and access control frameworks.
b) KYW is the process of identifying, analyzing, and addressing the risks associated with worker digital identity and behavior as it relates to an organization's information management, access, processes and procedures.
2. Mature IAM (2.0) can lessen your risks associated with human error or malfeasance.
a) The IAM infrastructure should be designed and deployed to fully enable you to Know Your Worker.
b) The inflection points where workers become associated with corresponding digital identities are where the rubber meets the road in terms of giving appropriate access to the right people at the right times, and never otherwise. This is where the control architecture can limit the damage that actions by humans and agents are able to do.
Worker Risk Management must therefore interact directly with the enterprise IAM system(s) in order to Know Your Worker. This IAM visibility includes accurately verifying, at the time of access, who (or what) someone is, and facilitating access to sensitive information and configuration capabilities on that basis.
Your mission should be to help your organization increase its attention to the very real threats posed by their own (extended) workforce. This is done by:
- First, properly vetting the identities of everyone and everything that interacts digitally with your organization
- Then, protecting access to the organization’s medium- and high-consequence information in a manner commensurate with the risk of that access.
This requires an actionable organizational and technical control architecture, together with process improvements, to help reduce the potential damage (i.e., the “blast radius”) to the organization if (or when) a worker makes a mistake or goes rogue.
In TechVision’s view of IAM 2.0, one of the emerging approaches gaining widespread attention for vetting the users and AI agents that interface with your enterprise systems is centered on the concept of Verifiable Credentials (VCs). W3C Verifiable Credentials are a standard established by the World Wide Web Consortium (W3C) for creating and exchanging cryptographically verifiable digital credentials. This standard aims to provide a secure, privacy-respecting, and machine-verifiable way to express credentials on the Web.
VC technology puts key pieces of information about individuals into the hands of those individuals and empowers them to present that information directly, purposefully and securely:
- VCs are decentralized, so the information they carry is valid on its face and can be presented directly, peer to peer, without intermediation
- VCs rely on public key cryptography: the issuer digitally signs each credential, so any verifier that holds the issuer’s public key can confirm the authenticity and integrity of the data without contacting the issuer
Verifiable Credentials enable empowerment, security, privacy and convenience of decentralized presentation with the benefit of centralized governance and the veracity of standards. With VCs, we can ensure someone (or something) is who they say they are and have immutable credentials to prove it. This is crucial for access entitlement assignments and runtime access control, because it acts to replace nebulous or missing key information (e.g., attributes) about a subject. It is truly a cornerstone of the Know Your Worker maxim.
Large, well-known IAM and IGA vendors like Microsoft, IBM and Ping Identity have begun to fully support VCs. However, implementing verifiable credentials in the enterprise IAM stack isn’t easy. It means tackling legacy integration, interoperability, trust, privacy, lifecycle management, user experience, security, scalability, and governance. We are working closely with many of these vendors to assist our own enterprise customers in migrating from IAM and IGA 1.0 to 2.0.
A new entry of note is VO. VO is breaking down the barriers by acting as an “identity orchestration platform”: reducing technical and operational barriers, providing governance and compliance frameworks, automating lifecycle workflows, and offering seamless user experiences. This lets enterprises leverage verifiable credentials for security, privacy, and interoperability without needing to rebuild from scratch or risk costly mistakes.
In subsequent blog posts, we’ll discuss VCs in more detail, along with how they support a more dynamic and lasting trust architecture that fully supports the KYW agenda across today’s enterprises’ widely distributed and disparate workforce.