The problem starts with visibility
At Brussels Airport Company, a set of applications that evolved separately over the years had created what Dewit called “permissions creep.” Employees accumulated access as they changed roles, often keeping old rights long after they were needed. “We had no end-to-end visibility on identities,” she said. The answer was one central IAM governance platform with role-based access management. But it’s a transition that takes years, not months.
Proximus faced a similar state of affairs. Its original IAM platform had become too static and too dependent on organisational structures. When the company moved towards agile working in 2021, the IAM model had to evolve too. This was a transformation that required huge change management skills and experienced partnerships. As Clément put it: “We ended up stopping after one year and restarting with another platform and another partner.”
IAM only works if the business owns it
At Proximus, defining the roles for 32,000 employees and 40,000 external partner users was supported by an internal community of identity and access officers embedded in the business. “They know exactly what people actually do,” Clément said.
Brussels Airport Company adopted a similar model. HR remains the source for employee identities, while more than 300 partner companies manage their own users through delegated governance. That business involvement is essential, because access rights only make sense when linked to real operational responsibilities. “It is something you do together with the business,” Dewit stressed.
The business value of IAM
At Brussels Airport Company, access for departing employees can now be immediately removed across systems, reducing the risk of forgotten accounts. At the same time, automated provisioning reduces pressure on the service desk and speeds up onboarding. For Proximus, role-based recertification offered a major improvement. Instead of manually reviewing thousands of individual permissions, access reviews can now take place at the role level. Segregation of duties and compliance controls also became easier to automate and monitor.
Change management matters more than technology
Proximus built landing pages, management briefings and dedicated onboarding communication for teams entering the new IAM environment, while Brussels Airport Company focused on explaining why the transformation mattered. “It’s not about blocking people, it’s about giving access in a controlled way,” Dewit said. That communication becomes even more important when changes affect thousands of users. Clément shared one striking example: Proximus rolled out MFA to 40,000 partner users in just two weeks. “That only worked thanks to good communication and change management,” he said.
The next challenge: AI agents with autonomy
Machine identities and service accounts were already part of both IAM roadmaps long before generative AI became mainstream. But AI agents are different. Traditional non-human identities execute predefined tasks, whereas AI agents can make decisions, combine data from multiple systems, and act autonomously on behalf of users. That changes the risk model. “They are still non-human identities with specific permissions,” Dewit noted. But those permissions may now include access to emails, internal documents, workflows and sensitive operational data.
That is why AI governance is increasingly a part of IAM governance. Least privilege, monitoring and risk-based access control still apply, but they must evolve for identities that can independently interpret, decide and execute. IAM is no longer just about access. It is becoming a question of trust, control and accountability in systems that are starting to act on their own.
