Identity Governance Blog

How Modern IGA Supports the Codification of Zero Trust Cybersecurity Standards Like AB 749

As Zero Trust Security Model mandates like AB 749 take hold in state agencies, learn how a modern IGA solution cost-effectively closes the compliance gap.

As the danger of cyberattacks from both recognized hacker threats and unrecognized insider threats (e.g., employees, contractors, partners, etc.) increases, national and regional governments are mandating that agencies serving the public under their authority adopt a Zero Trust Security Model to help ensure the IT systems upon which the public relies remain operational.

One such measure, California Assembly Bill 749 (AB 749), has been adopted by the US state of California and went into effect on January 1, 2025. The law requires that every state agency implement security standards including multi-factor authentication, enterprise endpoint detection and response solutions, and robust logging practices. Further, the law requires agencies to follow uniform technology policies, standards, and procedures developed by the Chief of the Office of Information Security.

AB 749 is part of a trend toward Zero Trust Security Model mandates for government-run agencies, businesses, and other organizations. In this post, we’ll define what a Zero Trust Security Model is and explain why it is foundational to an effective cybersecurity posture. We’ll provide a brief overview of the key provisions of AB 749, a timeline for compliance, and a list of the potential risks and consequences of non-compliance. Finally, you’ll learn how modern Identity Governance & Administration (IGA) solutions, particularly Omada Identity Cloud, support Zero Trust Security Models, help organizations with compliance, and strengthen cybersecurity overall.

 

What is a Zero Trust Security Model?

The Zero Trust Security Model is based on the principle of maintaining strict access controls and not trusting anyone by default, even those already inside the network perimeter. Implementing Zero Trust is critical for organizations that must manage identity security challenges associated with remote work, third-party integrations, and evolving attack vectors such as phishing, social engineering, compromised endpoints, and credential theft. The Zero Trust Security Model shifts from the starting point of trusting but verifying to a posture that “denies first” and sees everything and everyone as a threat. It actively governs permissions and continuously monitors activity.

 

Overview of AB 749

AB 749 has been implemented to mitigate cybersecurity threats to state government networks that traditional “trust but verify” requirements fail to address. In the modern threat landscape, hackers use tactics such as phishing to try to meet these requirements fraudulently, and they sometimes succeed. It is also common for trusted individuals like employees and executives to use legitimate network access to steal and expose secure information.

AB 749 requires the California state government’s security architecture to authenticate and authorize every interaction between a network and a user or device, and to work on the “never trust, always verify” principle, which assumes that attacks will come from both within and outside the network.

 

Timeline for AB 749 Compliance

AB 749 requires California state agencies to adopt certain cybersecurity standards and methodologies outlined in former US President Biden’s Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity. On January 1, 2025, covered state entities must have implemented the following:

  1. Multi-factor authentication for access to all systems and data owned, managed, maintained, or utilized by or on behalf of a state agency.
  2. Enterprise endpoint detection and response solutions to promote real-time detection of cybersecurity threats and rapid investigation and remediation capabilities.
  3. Robust logging practices to provide adequate data to support security investigations and proactive threat hunting.

 

Risks and Consequences of Non-Compliance

Failure to comply with these implementation requirements would leave California responsible for all costs related to a potential breach or shutdown of a covered state entity’s systems. Cybersecurity breaches in critical computer systems operated by the state would likely have adverse consequences for public health, food assistance, labor and workforce development, and occupational licensing, to name a few. If these systems were disabled or malfunctioned as a result of a cyberattack, millions of vulnerable Californians and their families could be harmed.

 

The Role of a Modern IGA Solution in Fulfilling AB 749 Requirements

Deploying a modern IGA solution is the least costly and least disruptive way to create a mature Zero Trust Security Model. The principal capabilities that a modern IGA solution provides to close a Zero Trust implementation gap include:

Full User Activity Tracking and Monitoring

A modern IGA solution identifies suspicious or unauthorized actions across the entire IT infrastructure.

More Efficient Access Management

When users change roles or responsibilities within an organization, a modern IGA solution helps administrators modify permissions more easily based on new requirements.

Sharper Role Definition

Role-based access control (RBAC) in a modern IGA solution enables organizations to assign permissions based on users’ roles and restrict access to what users need to do their jobs.

Safer Privilege Elevation

When users require temporary elevated permissions to perform specific tasks, a modern IGA solution enables controlled privilege elevation mechanisms and eliminates the risk of permanently granting high-level access.

Automated Provisioning and Deprovisioning

Automated tools and processes in a modern IGA solution provision and deprovision user accounts and their associated permissions. This reduces the risk of human error and ensures that access is granted or revoked consistently.

 

How Omada Identity Cloud Can Help

Omada Identity Cloud is a practical modern IGA solution that can help state agencies establish strong identity governance, meet compliance deadlines, and reduce risk. This next-generation IGA-as-a-service platform provides:

  1. Centralized Identity Management: Unifies identity data, automates processes, and simplifies compliance.
  2. Seamless Multifactor Authentication: Integrates with leading MFA solutions, ensuring secure access across on-premises, cloud, and hybrid environments.
  3. Real-Time Visibility & Logging: Offers detailed activity logs and analytics for faster threat detection and regulatory reporting.
  4. Continuous Policy Enforcement: Automatically enforces Zero Trust Security Model requirements for privileged access and monitoring, minimizing the need for manual oversight.

 
