Identity and Access Management (IAM) is no longer just about keeping the wrong people out—it’s about ensuring the right people, machines, and AI-driven agents can securely operate in an increasingly complex digital world.
Related: How IAM can be a growth engine
If 2024 was the year of Zero Trust acceleration, 2025 is shaping up to be the year where IAM itself is forced to evolve in ways that redefine security, risk, and even business operations.
The real story lurking beneath Forrester’s latest report on IAM trends isn’t just that phishing-resistant authentication, deepfake detection, and machine identity sprawl are escalating concerns. It’s that IAM is being fundamentally redefined—not by security teams alone, but by the rapid convergence of AI, automation, and post-quantum shifts that are blurring the lines between identity, security, and enterprise infrastructure.
As organizations scramble to keep up, one key question emerges: Are traditional IAM frameworks capable of handling what comes next? As deepfake-driven fraud outpaces detection capabilities, as agentic AI begins making security decisions autonomously, and as machine identities proliferate beyond human oversight, IAM is teetering on the edge of an identity reckoning.
Last Watchdog engaged Forrester Principal Analyst Geoff Cairns, the report’s lead author, in a discussion about whether today’s IAM strategies are equipped for the seismic changes ahead—or whether a fundamental reset is required. Here’s that exchange, edited for clarity and length.
LW: To what extent is traditional IAM governance breaking down in the face of AI-driven automation, not to mention innumerable other stressors?
Cairns: The growing frequency and severity of identity-based attacks clearly indicate that traditional IAM governance is breaking down. This breakdown is rooted in macro-level IT trends, such as the adoption of Cloud and SaaS, the rise of DevOps methodologies, and fundamental workforce changes. These challenges are compounded by historically siloed IAM functionalities, resulting in fragmented visibility into identity security posture and threats.
The good news is that foundational identity security principles (multifactor authentication, least privilege, just-in-time access, separation of duties, etc.) remain intact.
While AI-driven automation accelerates the IAM breakdown, AI also holds one of the keys to evolving IAM into proactive identity security. To keep pace with the speed and complexity of today’s IT environments, IAM solution platforms must leverage AI, analytics, automations, and integrations to enable centralized visibility, real-time identity context, strong authentication, adaptive access controls, advanced identity threat protection, and risk-based prioritization.
LW: How can organizations get ahead of deepfake fraud and AI-driven impersonation?
Cairns
Cairns: Detection methods are struggling to keep up. What emerging defenses should companies prioritize to counter AI-powered threats?
Deepfakes are easier to generate and more convincing than ever – a continuous cybersecurity “cat and mouse” game. They affect nearly every communication channel that organizations use and multiple points in the customer journey, including enrollment, conversion/onboarding, and support. Call centers are particularly vulnerable to audio attacks.
To identify and mitigate deepfake attacks, seek to incorporate a combination of technical methods that include liveness detection, behavioral analysis, and spectral artifact analysis – a technique that examines the frequency domain characteristics of images or videos to identify inconsistencies indicative of manipulation. Under certain circumstances, you can protect the image/audio data acquisition path to prevent direct injection of deepfake data into the system.
Remember, deepfake detection hinges not only on technical capabilities but also on human instincts and processes. As part of a defense-in-depth strategy, be sure to prioritize pen testing and training as well.
LW: Are AI-driven IAM agents creating more security risks than they solve?
Cairns: As AI takes over authentication and security decision-making, how can organizations prevent these systems from becoming black-box vulnerabilities?
As AI systems evolve from passive tools to autonomous agents capable of perceiving their environment, reasoning through complex scenarios, and leveraging external tools to achieve specific goals (i.e., agentic AI), they will introduce unique security challenges and new risks for organizations to assess. Agentic AI used specifically for performing IAM-related tasks is no exception. I believe that properly designed and implemented AI-driven agents can reduce risk and solve more problems than they create, but that is still very much a work in progress.
As you evaluate AI tools within your IAM product set, ask your IAM vendors about their AI model governance, efficacy of decisions, intellectual property protections, and how they avoid hallucinations. Ensure IAM governance within your environment enforces that the identities used by agentic AI to retrieve sensitive data from internal data sources adhere to the principle of least privilege. If there is uncertainty related to AI automation consequences, err on the side of caution and keep a human in the loop until a proper level of trust in the AI decision making can be established.
LW: What’s the real blocker to shared risk signals transforming IAM?
Cairns: Real-time security telemetry could revolutionize identity protection, yet adoption lags. What’s holding it back, and how can organizations move forward?
Until recently, the security industry lacked a comprehensive framework for different tools and systems to effectively communicate security events and to share risk signals across systems in real-time. The Shared Signals Framework (SSF) is an emerging standard that tackles this issue. SSF reduces the time to detect and mitigate identity-based attacks and increases visibility into the security posture of users and devices across multiple platforms, transforming IAM from a reactive to a proactive security model.
To move forward, review your IAM and security vendor product roadmaps for SSF support and interoperability, then identify potential use cases for an internal proof-of-concept (e.g., revocation of access across multiple systems when a compromise is detected, continuous evaluation of access permissions based on real-time security signals).
LW: Will enterprises ever fully embrace decentralized identity?
Digital wallets and self-sovereign identity promise user control, but interoperability remains a challenge. Is widespread enterprise adoption realistic?
Despite its potential to enhance security, minimize compliance risk, and build trust with privacy-conscious users, decentralized identity (DID) faces ecosystem interoperability issues and regulatory challenges that hinder widespread adoption. We expect gradually increasing enterprise uptake over the next 3-5 years through hybrid models, where DID is utilized for specific use cases, such as customer or employee onboarding, and in combination with a traditional centralized identity system. Realistically, enterprises will fully embrace decentralized identity only when driven by regulatory mandates and when government deployment of DID-based national identity systems or mobile driver’s licenses become commonplace.
In the U.S., a key indicator to watch will be the outcomes of Executive Order 14144 as it pertains to the issuance, use, and acceptance of digital identity documents.
Acohido
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.