Top identity security themes at Identiverse 2025
Identiverse 2025 found security pros tackling nonhuman identity risks, preparing for agentic AI challenges and shifting from homegrown to commercial CIAM tools.
Identiverse 2025 drew more than 3,000 security professionals to Las Vegas to discuss all things identity. The identity and access management vendor community touted its latest technology innovations, and practitioners shared their challenges and successes.
Following are the major security themes that got my attention at the show.
Nonhuman identity risk finally gets seen
Nonhuman identities (NHIs), also referred to as machine identities, increase risks, but the topic hasn't yet garnered widespread attention -- until now. It got the spotlight at Identiverse, both in various agenda sessions and with an NHI Pavilion at the Identiverse Expo Hall.
Many of the major identity players -- CyberArk, SailPoint Technologies and Saviynt -- have brought NHI products to market that solve big parts of the NHI problem. Pure-play companies, such as Oasis Security, Astrix Security, Torch Security and Token Security, continue to innovate, but are increasingly focusing on risks associated with AI agents as the major NHI challenge that enterprises need to solve.
Laying the groundwork for agentic AI
Speaking of AI agents, much of the conversation at Identiverse focused on generative AI and agentic AI security. Agentic AI holds tremendous promise in boosting productivity and opening new enterprise revenue opportunities, but those agents pose reputational and security risks in the form of data loss and fraud.
AI agents need access to data, systems and resources. That access can be highly privileged and operate through API calls, service accounts, OAuth tokens and other NHIs. While it's early days for agentic AI, the risk will become real as agentic AI-related security incidents start making the news.
Lines of business are under pressure to show a return on the considerable investments they are making in generative AI (GenAI), and as they move quickly to deploy AI agents, mistakes will happen. What's more, standards are just beginning to emerge -- Model Context Protocol in November 2024 and Google's Agent2Agent in April 2025. These frameworks need time to mature as areas for improvement come to light.
Agentic AI concerns were mixed at Identiverse. Some attendees focused on the issue, while others said it was not top of mind. Those who had visibility into GenAI or agentic AI projects recognized the potential for damage, while attendees who were not involved in such projects were not as concerned.
In larger organizations, the corporate innovation team or line of business driving the agentic AI initiative might not be well-aligned with the identity security team. If this happens, mistakes will be made, the number of security risks will increase -- OWASP has a list of Top 10 issues -- and damage will occur before there is tighter alignment and adequate technologies are deployed.
Both emerging players, such as Silverfort, Natoma and Lasso Security, and established players, including CyberArk, IBM, Microsoft, Okta and SailPoint, are zeroing in on solving the problem. While some forward-thinking organizations are already wrestling with this problem, I suspect the industry needs a catalyst in the form of a significant security incident before resourcing and investment take off.
CIAM: The great migration from homegrown to DIY
Customer identity and access management (CIAM) was a major topic at Identiverse, with presenters sharing their deployment challenges and successes.
The migration away from homegrown CIAM to commercial off-the-shelf products continues, but many attendees were focused on building on the commercial CIAM product that they had recently deployed. That frequently came in the form of better authentication and identity verification to avoid fraud and deepfakes, with technologies including AuthID, Badge and iProov approaching the challenge from different angles.
Solving identity pain points: Platforms and point products
The workforce identity security space has historically been fragmented with discrete products for access management, identity governance and administration (IGA), privileged access management (PAM), identity threat detection and response (ITDR), identity security posture management (ISPM) and more. A typical organization could have a dozen different commercial, open source or homegrown identity security tools.
Major players have embarked on unification or convergence strategies to establish holistic identity platforms -- CyberArk has expanded from PAM to access management and acquired Zilla for IGA; Okta now provides IGA; Saviynt is building ISPM and ITDR functionality; Thales holistically solves customer, partner and workforce identity challenges; and so forth. While convergence will gradually happen over time, there is continued innovation to solve painful identity problems.
IGA has traditionally struggled to integrate disconnected apps that do not support single sign-on or System for Cross-domain Identity Management, and those legacy apps are not going away. Many of these disconnected apps do not have MFA turned on and are ripe for abuse. Startups like Grip Security and Savvy Security can discover disconnected apps, and Cerby can manage them in conjunction with an IGA platform.
While CIAM players recognize the pain associated with third-party and synthetic fraud, the workforce identity community has to wrestle with similar issues, for example, in the case of fraudulent North Korean IT workers. Nametag, Persona Identities and Clear focus on combating that fraud by including essential integrations into the workforce identity stack.
It is an exciting time in identity security. If you are a new technology player with an innovative approach, I would like to hear about it. You can reach me via LinkedIn.
Todd Thiemann is a principal analyst covering identity access management and data security for Enterprise Strategy Group, now part of Omdia. He has more than 20 years of experience in cybersecurity marketing and strategy.
Enterprise Strategy Group is part of Omdia. Its analysts have business relationships with technology vendors.