As the risks associated with our digital lives accelerate, the ability to prove the effectiveness of these controls starts with one thing: identity. This is especially pertinent in sectors such as retail, where digital identities span employees, devices, and AI agents, and operations are largely decentralised — making material controls harder to establish and maintain. Organisations must prepare for the impending changes now and bring identity into the core of their governance and security strategy.
A Boardroom Wake-Up Call
Provision 29 requires organisations to actively monitor and review risk controls across financial, operational, compliance and reporting domains. Boards must declare which controls are effective, which are not, and what corrective actions are underway. This applies to companies listed under both commercial companies and closed-ended investment funds categories – regardless of where they are incorporated.
A key implication for this change is that cybersecurity oversight will become a formal Board duty. Boards will be required to oversee their entire internal control framework continuously and conduct an annual review. To effectively prepare, many are treating 2025 as a trial year, identifying material controls, assigning ownership, and stress-testing reporting mechanisms, including dashboards, board packs, and audit committee cycles, to ensure they are equipped and ready to sign off reports with confidence.
Identity: the Hidden Risk Surface
Every control ultimately depends on identity. Yet, identity is often one of the least visible, most fragmented, and complex areas of the risk landscape. This can be an even greater challenge for retailers as their sprawling networks include various identities such as employees (onsite, roaming, and remote), non-human identities such as IoT devices (self-checkout kiosks and in-store displays), cloud-based tools, and increasingly, AI agents.
To meet Provision 29’s requirements, organisations must confidently answer core identity governance questions: who has access to what? Why do they have that access? How is that access governed and reviewed? If the answers to these questions are incomplete, or reliant on manual processes and siloed data, boards may face serious visibility gaps and elevated exposure to regulatory, operational, and reputational risks.
From Visibility to Governance
Identity data is often scattered across HR systems, spreadsheets, and business units. It is also common that apps and tools are frequently integrated without audit trails, creating undocumented non-human identities with excessive access. Without a centralised, real-time view of users and systems, boards cannot demonstrate control effectiveness.
Before any governance framework can be implemented, visibility must be established through identifying and classifying all users and systems across the business, assigning ownership over identity data, and clarifying who is responsible for tracking identity changes over time. Without this visibility, any downstream governance effort will be built on shaky ground.
Embedding Identity into Your Control Framework
Once identity visibility has been achieved, robust identity governance can be implemented. Provision 29 demands continuous, auditable and enforceable controls. A strong Identity and Access Management foundation (IAM) foundation enables dynamic, risk-based access decisions based on contextual signals such as user behaviour, device health, and location. This makes governance continuous, automated, and traceable.
Two core pillars for an IAM programme are Identity Governance and Administration (IGA) and Privileged Access Management (PAM) controls.
- IGA: provides real-time insight into user access rights, automates access reviews, provides audit trails, and aligns access rights with business risk.
- PAM: Mitigates high-risk access using just-in-time access, session monitoring, and credential vaulting.
These two controls enable organisations to demonstrate that access controls are clearly defined, operating effectively, and that every action is traceable and reviewable.
The importance of managing access privileges and assessing the behaviour of the identity is currently reflected in how ransomware group Scattered Spider is working to exploit networks. The group exploit identity gaps by first contacting IT helpdesks to reset an employee’s credentials, then escalating access by targeting privileged accounts once within the network, before exfiltrating sensitive data undetected.
This underscores the need for robust identity controls, from both a compliance and resiliency perspective.
Identity Security as a Business Enabler
When governed effectively, identity becomes a source of trust and transparency. It aligns cybersecurity with business risk, enables real-time threat detection, and provides auditable evidence of control effectiveness.
Developing and maturing a robust Identity and Access Management (IAM) programme is a challenging and time-intensive process, that IT leaders often cannot manage alongside their existing responsibilities. To meet the January 2026 deadline with enough runway to become familiar with the IAM framework, businesses would benefit from partnering with a Managed Services Provider (MSP). Leveraging pooled consultancy and domain expertise can accelerate implementation and maximise the return on investment (ROI) and time to value.
