50 Identity Access Management and Security Predictions from Industry Experts for 2025
As part of this year’s Insight Jam LIVE event, the Solutions Review editors have compiled a list of predictions for 2025 from some of the most experienced professionals across the Identity Access Management (IAM) and broader identity security marketplaces.
As part of Solutions Review’s annual Insight Jam LIVE event, we called for the industry’s best and brightest to share their IAM and cybersecurity predictions for 2025 and beyond. The experts featured represent some of the top solution providers with experience in these marketplaces, and each projection has been vetted for relevance and ability to add business value.
Identity Access Management and Security Predictions for 2025 and Beyond
Tim Eades, CEO and co-founder at Anetac
The AI Threat: It’s Real, and It’s Here
“We’re at a defining moment in cybersecurity that will determine organizational survival. Transform or be transformed by a competitor—this isn’t a slogan; it’s a survival mandate. As organizations integrate AI into their business and security operations, they face increased identity vulnerabilities. This requires enhancing organizational visibility within networks. AI amplifies cyber threats exponentially: it makes good hackers great and great hackers scale. Organizations that fail to implement comprehensive monitoring mechanisms will face devastating attacks. It’s not a question of if but when.
“We’re seeing the first wave of attacks, and they’re already mind-blowing. Take the Wiz CEO incident—where attackers used AI to perfectly replicate an executive’s voice to authorize a fraudulent transfer, bypassing traditional security measures. This represents just the first inning of AI-enhanced cyber-attacks and phishing attempts. Without robust visibility solutions that enable real-time detection of anomalies—such as unusual route updates, unexpected configuration changes, or suspicious account activities—organizations remain critically vulnerable.
“Drawing from collaborative guidance by top security agencies like the CISA, NSA, and FBI, critical infrastructure and organizations across the globe must prioritize enhanced visibility and cybersecurity hardening. As AI enables cyber adversaries to scale their operations, expect nation-state actors to increasingly target critical infrastructure and organizations essential to modern life—disrupting healthcare, supply chains, and financial services.”
Regulations Will Redefine “Identity”
“The evolving identity security landscape will force regulators to abandon the traditional separation between human and machine identities. At Anetac, we’re seeing a stark reality: for every human account, there are 40 connected non-human accounts. Soon, tokens, service accounts, and APIs will be treated as part of a single identity entity requiring unified protection. This shift mirrors the evolution of automotive safety—while seatbelts existed in the 1950s, mandating them came much later. We’re at that inflection point for identity security, and venture capitalists are already positioning their investments accordingly.”
Rom Carmel, CEO and co-founder of Apono
Deepfake-based Identity Fraud will Become More Common
“Deepfake-based identity fraud is rapidly evolving, with attackers leveraging highly sophisticated AI-generated media to convincingly impersonate high-level executives and trusted individuals. This new wave of social engineering attacks can easily bypass traditional verification methods like video calls or biometric authentication, leading to unauthorized access to sensitive systems and accounts. The consequences are severe: organizations face significant financial losses and reputational damage, while individuals suffer from privacy violations and the misuse of their likeness. Implementing advanced cloud access management can help mitigate these risks by ensuring that only verified identities gain access to critical systems.”
Cyber Criminals Will Develop More Successful Zero-Trust Evasion Techniques
“As organizations increasingly adopt zero-trust models for identity security, cyber-criminals will develop more sophisticated techniques to evade these defenses. Attackers may exploit gaps in network segmentation, misconfigurations in identity policies, or use AI to mimic behavior patterns and avoid detection. This evolution in tactics will lead to more sophisticated and harder-to-detect attacks, potentially compromising sensitive systems even within a zero-trust framework. To counter these threats, organizations must adopt more mature zero-trust architectures that effectively limit both vertical and lateral movement after a breach. Strengthening zero-trust access controls is essential to adapt to evolving threats and ensure comprehensive protection across all network layers.”
AI Models will be Key Areas of Exploitation
“As AI and machine learning become integral to identity verification systems, attackers will find ways to poison AI models or bypass them. This could involve feeding bad data to trick systems into false authentication or using adversarial attacks to manipulate AI’s perception of identity markers. Subtle changes to biometric data, like facial or voice recognition, could cause AI to misclassify users, allowing unauthorized access. To combat these threats, security teams must regularly audit and train AI systems with diverse data sets, implement AI model explainability and monitoring tools, and combine AI-based verification with traditional security measures like MFA to create a robust, layered defense. Regular audits and diverse training of AI systems are crucial for maintaining security and ensuring accurate identity verification.”
Blair Cohen, Founder and President of AuthenticID
The Future of Identity Verification
“We are witnessing a significant shift from traditional passwords to biometric and AI-driven identity verification methods as we approach 2025. These technologies are not just about security; they enhance the user experience and build greater confidence among businesses and their customers. Reauthentication is a crucial aspect of this evolution, which requires users to provide additional verification to maintain access to their accounts. This extra layer of security protects sensitive information by ensuring users are continuously validated, making it increasingly difficult for unauthorized individuals to gain access. By embracing biometric authentication and implementing regular reauthentication practices, organizations can greatly strengthen their security posture and mitigate the risk of identity-related fraud.”
Chris Borkenhagen, CDO/CISO at AuthenticID
Compliance in Cybersecurity
“In 2025, compliance will be more than just ticking off a box–it will continuously involve embedding robust identity protection into every layer of your security strategy. Organizations that align regulatory requirements with effective security measures will be best positioned to thrive in a complex security landscape. By leveraging identity verification tools, businesses can reduce the risk of regulatory fines, be better positioned for a successful litigation defense, and proactively detect fraudsters before they can access valuable information. Prioritizing identity protection enables businesses to safeguard sensitive data and build trust with customers and stakeholders.”
Neeraj Methi, Vice President of Solutions at BeyondID
Three identity-focused security challenges for the coming year.
“Identity security will no longer be limited to traditional Single Sign-On (SSO) and multi-factor authentication (MFA) as the core of access control. Organizations will move to continuous monitoring before, during, and after authentication. Threat actors are increasingly targeting identity as a weak point, making it essential for organizations to safeguard user identities throughout their entire digital interaction. As a result, identity verification will evolve into an ongoing process that extends well beyond the login screen.
“Taking that step further, AI-powered identity management will transform access control by integrating with popular AI frameworks to monitor and analyze user behavior continuously. These AI-enhanced IAM systems will detect anomalies and dynamically adjust permissions based on real-time context, reducing the risk of unauthorized access. This shift will make identity management more adaptive, providing enhanced security while responding to users’ changing behaviors and needs.
Generative AI will introduce sophisticated new attack vectors, with synthetic identity fraud becoming a prominent method for unauthorized access.
“Cyber criminals will leverage AI to create highly realistic digital identities, posing significant challenges for traditional verification methods. To combat this threat, organizations must adopt advanced identity verification tools capable of detecting synthetic identities and monitoring for anomalies in real-time.”
Gary Orenstein, Chief Customer Officer at Bitwarden
More organizations will prioritize simple security habits over outdated, friction-heavy processes and complex tech stacks.
“New NIST guidelines in 2024 reflected a growing awareness of user behavior and security fatigue, and other recent guidance, like CISA’s evolving cybersecurity mandates and the White House’s National Cybersecurity Strategy, pushed companies toward streamlined, secure approaches. By shifting away from burdensome requirements like frequent password resets, users will be more likely to adopt bad habits—like writing passwords down or using simpler passwords—when faced with frequent changes.”
Strong passwordless tech momentum will accelerate.
“FIDO2 WebAuthn adoption is growing, and more organizations will recognize that passwordless authentication—whether through biometrics, passkeys, or hardware security keys—offers a more secure, user-friendly alternative to traditional passwords. The Bitwarden Cybersecurity Pulse survey reported that 65 percent of tech leaders integrated biometric authentication in 2024, reflecting growing adoption and familiarity with passwordless methods across industries.”
Security tools will become more adaptive and contextual by using behavior, proximity, and permissions to create seamless authentication flows.
“Expect increased adoption of passwordless solutions, like passkeys and biometrics, coupled with AI-driven threat detection to further streamline user experiences and elevate security. This will allow for more granular policy controls across devices, helping organizations enforce security without adding friction to the user experience.”
Elia Zaitsev, Chief Technology Officer at CrowdStrike
In 2025, stopping cloud breaches will require a hybrid approach.
“With a 75 percent increase in cloud intrusions over the past year, securing the cloud is more critical than ever. But today, tools protecting the cloud alone are not enough. Attackers are increasingly moving laterally between cloud platforms and on-prem environments to evade detection and achieve their objectives, taking advantage of the complexity of hybrid environments and protection gaps created by disconnected point products.
“To regain control in 2025, businesses must have full visibility across public and private clouds, on-prem networks, and APIs from the same unified console and workflow. A holistic security platform that integrates runtime, posture management, identity, and data security across hybrid environments will be essential to protect against these sophisticated threats.”
Identity Will Open the Door to More Cross-Domain Attacks.
“Identity-based attacks continue to rise–75 percent of attacks to gain initial access are now malware-free. As adversaries become more skilled at exploiting stolen credentials, they will increasingly target interconnected domains within a victim’s architecture—identity, cloud, endpoint, data, and AI models. These attacks leave minimal footprints in each domain, appearing as isolated events, much like separate pieces of a puzzle—making them difficult to detect.
“In 2025, security leaders must integrate unified visibility across the entire kill chain, enabling cross-domain threat hunting to detect deviations from normal user behavior and catch anomalies before they escalate into breaches. While a strong focus on identity protection will be key to early detection, organizations cannot rely on automation alone to safeguard all areas of enterprise risk. Solving the cross-domain puzzle requires a combination of advanced technology, irreplaceable human expertise, and cutting-edge telemetry to inform proactive decision-making.”
Frédéric Rivain, the CTO at Dashlane
The Zero-Knowledge Revolution: Confidential Computing Goes Mainstream
“In 2025, organizations will focus on securing data while it’s in use via confidential computing and cloud secure enclaves, closing a critical gap in data protection. This will represent a major shift in how organizations protect sensitive data, turning privacy from a reactive safeguard into a core pillar of digital operations.
“Driven by growing privacy regulations and the alarming frequency of costly breaches, highly regulated industries with an abundance of sensitive data (like healthcare and finance) will lead this shift towards confidential computing and secure enclave architectures. This will set a new standard for ‘zero-knowledge operations,’ fostering the rise of privacy-preserving AI and analytics platforms that keep raw data encrypted, even during computation. As confidential computing technology matures and adoption grows in 2025, it will pave the way to a future where privacy by design becomes the standard for both businesses and end-users, better protecting customer data while reducing enterprise risk.”
The 2025 Quantum Security Wake-Up Call
“In 2025, the threat of quantum computing will escalate, putting encrypted data at risk of being stolen and decrypted later by quantum-capable attackers. It’s no longer a question of whether quantum computers will be able to break the current cryptographic primitives we use every day when accessing online services, but when. To mitigate this threat, businesses need to create a quantum threat roadmap to prepare for the post-quantum future. This roadmap should assess risks by identifying where cryptography is used in their systems and services, staying updated on NIST-approved quantum-safe algorithms, and integrating them into existing infrastructures. Budgeting for these upgrades now will mitigate future financial strain, ensuring that organizations are prepared for the inevitable technological wave to come.”
John Bennett, CEO of Dashlane
“Passkeys have started quickly moving from early adoption to wider use over the last year, as major organizations like X and Microsoft introduced or expanded passkey support. As a result of this recent momentum, Dashlane has seen passkey-based logins grow to nearly 500,000 per month, a sixfold increase since 2023. This growth trajectory is expected to continue in 2025, and I expect that two major events will push us over the tipping point for wider passkey adoption across enterprises and consumers alike. First, we expect all passkey providers to adopt new FIDO standards for secure credential exchange, boosting industry support for passkeys and eliminating concerns over vendor or platform lock-in.
“Second is syncable passkeys coming to Microsoft Windows in 2025, greatly improving the passkey experience for a huge swath of businesses and users. Amid these changes, we’ll see broad adoption of passkeys in 2025, followed by mainstream use in 2026.”
Phil Calvin, the Chief Product Officer at Delinea
“As the cybersecurity landscape grows more complex and organizations increasingly shift to the cloud, industry leaders have echoed the need for streamlined security tools to improve efficiency, cost savings, and faster threat response. However, not all tools are created equal, and simply combining systems without regard to their specific strengths and weaknesses can leave gaps in coverage. Effective consolidation means integrating tools that excel within their domains, whether it’s endpoint protection, identity security, or network monitoring. Each tool must seamlessly integrate with each other and across an organization’s cloud architecture to provide comprehensive, coordinated security.
“As organizations look toward consolidation, the evolving macro landscape–particularly under a new presidential administration–will influence the way businesses approach this transformation. With the potential for less emphasis on direct regulatory oversight, business leaders must prioritize interoperability to preserve key areas of expertise, allowing them to adapt quickly to emerging threats across all layers of the organization’s infrastructure.”
Gilad Shriki, Co-Founder of Descope
AI will continue to be leveraged as a prominent attack vector for cyber-crime.
“We’ll see a surge in fraud schemes where threat actors use AI to impersonate legitimate parties. At the same time, attacks against user-facing AI will rise because of their inherent vulnerability. Cyber-criminals will attempt to ‘jailbreak’ or social engineer their way past security protocols, which will drive the need to protect or limit AI agents from unauthorized access and manipulation.”
SMS authentication reaches end-of-life.
“The technical and economic limitations of SMS-based authentication will finally force companies to seek cost-effective and secure alternatives. Rising prices (Twilio), security vulnerabilities (Not All MFA is Equal), and UX friction will push organizations toward more modern methods.”
Rishi Bhargava, co-founder at Descope
AI will get a major authorization upgrade (or will require one)
“Today’s simple permission models won’t scale for AI systems that can generate code, access sensitive data, and interact with users in increasingly sophisticated ways. In 2025, organizations will need to build context-aware authorization that protects against AI systems’ unique vulnerabilities.”
The user experience will make or break AI apps
“When every application has AI capabilities (and they soon will), the differentiator will be seamless user experience. Companies that force traditional authentication checkpoints into AI interactions will see a significant dropoff. The winners will be those who make security feel like a natural part of the conversation.”
Passkeys will reach critical mass
“With major platforms completing their passkey rollouts in 2024, 2025 will be the year that passkeys become mainstream for everyone else. As SMEs gain access to better implementation tools and users grow more comfortable with biometric authentication, passwords will finally begin their long-overdue retirement.”
Itzik Alvas, CEO and co-founder of Entro Security
AI’s Growing Role in Securing Secrets and Non-Human Identities
“As the number of NHIs increases, traditional security measures will no longer suffice. AI will become essential in managing secrets and non-human identities by enabling advanced detection of potential vulnerabilities and misuse. These NHIs often go unnoticed but are critical to secure, especially in automated and cloud-based environments.
“AI tools will be used to predict and prevent unauthorized access to these sensitive machine identities by monitoring usage patterns and flagging any anomalous behavior. AI will continuously monitor the access patterns of an API key used by a microservice and immediately alert security teams if it begins making requests from unusual locations or in unexpected sequences, which indicates a compromise.”
AI Will Revolutionize Identity and Access Management (IAM)
“AI will play a significant role in the evolution of identity security, moving from traditional access controls to more dynamic and context-aware models. AI-driven systems will analyze behavior patterns to determine access rights in real-time. For instance, AI will revoke access to an employee if it detects anomalous behavior, even if that employee’s credentials haven’t been stolen outright, based on real-time analysis of their actions.”
Nick Franklin, Global Technology Alliance Director (AWS) at Fortra
CIOs will drive deeper reviews surrounding the impact security & observability tools can have on their organization in 2025.
“In July 2024, one of the world’s largest cybersecurity ISVs caused much of the globe to come to a halt due to a flaw in an update pushed to their agent. This has made plain that resiliency is as critical as ever, and CIOs can no longer allow their teams to be satisfied with the features and benefits a security product may offer. CIOs will require greater assurances that they are protected from disasters inadvertently caused by the tools they use to protect and monitor their environments.
“We will see this materialize in legal and contract discussions around terms and SLAs, enhanced scrutiny placed on the interaction between third-party tools and first-party systems and applications, and in deeper technical reviews, security, and observability vendors will need to be prepared to address. Does your endpoint agent have kernel access? Does your SaaS application’s cross-account IAM role grant overly permissive access to your employees who have no business accessing end-customer information captured by your tool? These are very basic but real scenarios I’m seeing come up with an increased frequency that is just the tip of the spear of scrutiny coming to security ISVs as organizations strive to mitigate 3rd party risk to their businesses.”
Theo Zafirakos, Cyber Risk and Information Security Expert at Fortra
Increase in operational resilience and incident response testing
“If operational resilience isn’t regularly tested, an organization may not be prepared for disruptions. This can result in long recovery times, operational downtime, data loss, and breach of service-level agreements (SLAs), leading to financial and reputational damage. Regular testing helps identify weaknesses in systems, processes, and responses, ensuring that the organization is prepared to continue operations or recover quickly after an incident. Testing also demonstrates compliance with regulatory requirements. Operational resilience testing can include more thorough and more frequent disaster recovery tests, Red Team/Blue Team exercises, tabletop drills, business continuity simulation, third-party unavailability simulation, etc.”
Dwayne McDaniel, Developer Advocate at GitGuardian
Non-Human Identities Take Center Stage in IAM
“In 2025, non-human identities (NHI) will come to dominate conversations in Identity and Access Management (IAM), emerging as a critical security and operational challenge. As organizations strive for resilience in increasingly complex environments, IAM for NHI will no longer be seen as an afterthought or an isolated IT or Security team function. Instead, it will evolve into a strategic priority with dedicated resources and leadership embedded at the highest levels of decision-making.
“While human identity management has been the focus for years, the rapid growth of machine identities—including applications, services, and automated workflows—has introduced new vulnerabilities. These identities, often managed with static, long-lived access keys and poorly monitored permissions, represent a massive attack surface across all industries. Organizations are shifting from perimeter-based security models to zero-trust frameworks that view identity, including NHI, as the foundation of a secure ecosystem.
To address these risks, IT and security budgets will be increasingly directed toward solving ‘secrets sprawl’ and managing the full lifecycle of non-human identities. A new generation of tools will emerge, designed to offer visibility into the creation, usage, and revocation of machine identities at scale. For organizations with legacy infrastructure, this transformation will be challenging but necessary. Meanwhile, smaller and more agile players, especially startups, are poised to adopt these advancements faster, gaining a competitive edge as they build secure platforms from the ground up.”
Chris Scheels, VP of Product Marketing at Gurucul
Insider threats will prompt the need for a new approach.
“As the threat landscape evolves, enterprises need to rethink traditional security approaches and consider a more holistic approach that encompasses both external and internal threats. By understanding the nuances of insider threats and their potential impact, enterprises can develop effective strategies to mitigate risk and protect sensitive information.
“To effectively address insider threats in 2025, organizations will need to adopt advanced technologies and strategies. A key focus will be on strengthening identity-centric defenses and implementing sophisticated detection methodologies. By investing in these areas, organizations can better protect their sensitive information and minimize the risk of insider-related breaches.”
Heather Case-Hall, Senior Security Solutions Architect at Myriad360
Authentication Maturation
“Biometric authentication methods, such as facial recognition and behavioral analysis, are poised to replace traditional password systems. Laptops and devices are already leveraging this technology to address privacy access concerns. However, the secure storage and management of biometric data will be critical to the widespread adoption and success of these systems.”
Regulatory Oversight
“Rising pressure from the insurance industry will push governments worldwide to implement stricter regulations on data privacy and cybersecurity practices. Organizations will need to make significant investments in compliance, including extensive testing and adherence to newly established global standards.”
API Security as a Priority
“APIs will continue to be a top target for cyber-attacks, driving organizations to adopt proactive measures to discover, assess, and secure their APIs. The emergence of a standardized API security framework will accelerate cross-industry adoption and elevate API security as a critical pillar of enterprise defense strategies.”
Cybersecurity-as-a-Service (CaaS)
“Managed Security Services are set to evolve into fully integrated CaaS models, offering end-to-end solutions tailored to small and medium-sized businesses (SMBs). This evolution will level the playing field by providing SMBs with affordable access to advanced security technologies, previously only available to larger enterprises.”
Benoit Grangé, the Chief Product and Technology Officer at Omada
GenAI will become a differentiator in the identity space
“Generative AI (GenAI) is poised to significantly impact the identity domain, driving software simplification through advanced recommendations and workflow automation. GenAI models will analyze vast data sets to provide intelligent recommendations for identity and access management (IAM). This includes automating role assignment and policy enforcement based on user behavior and enhancing risk-based authentication through real-time insights.
“GenAI will also streamline complex workflows by automating repetitive tasks like onboarding and offboarding processes and incident response in case of access anomalies. This will reduce administrative burdens and operational costs for enterprises. AI-powered chatbots and virtual assistants will do the same, guiding users in self-service portals, simplifying interactions, and reducing support tickets. “
GenAI will enable simpler, scalable identity systems
“In 2025, GenAI will be a cornerstone in advancing identity solutions, making them more efficient, secure, and user-friendly. Its adoption will empower businesses to meet growing demands for simplified, scalable, and automated identity systems. GenAI will enhance fraud detection in two ways: first, by identifying patterns in fraudulent activities and automating document verification, and second, by integrating with biometrics for adaptive and secure identity proofing.
“Driven by GenAI recommendations based on user context and activity, dynamic access provisioning and AI-generated alerts for policy violations or security risks will be possible. Compliance and reporting will become more accurate by automating audits and compliance tracking with AI-driven insights into identity activities. This will ensure adherence to evolving regulations (e.g., GDPR, eIDAS 2.0).”
Michael Garrett, the Chief Executive Officer at Omada
Evolving regulations will prompt businesses to seek out automated compliance functionality
“As organizations grapple with a wide variety of increasing regulations they must meet, they’ll quickly need to find less resource-intensive ways to ensure compliance. Meeting all the different aspects of these regulations in a continuous, manual fashion will quickly become untenable. Organizations will need to be able to prove who has access to what, where, and for how long, and they’ll need to have visibility across the entire company and a vast number of systems. They’ll have to demonstrate the right level of controls and access, and identity governance and administration will be core to this. This will need to be consistent, automated, cost-effective, and simple to adopt and use.”
Compliance and identity governance processes move from requirement to value driver
“While increased regulations are driving the need for identity governance and administration, the most successful organizations will be those that can turn compliance into a value driver. Moving beyond manual processes to a more streamlined, consistent, and operationalized function will not only improve compliance and security, but it can ultimately improve efficiency. Solutions that can provide modern, efficient automation of access control and reporting tasks will also drive additional business value that goes far beyond compliance mandates by reducing manual workloads and streamlining operations. AI will also play a key role in simple user interaction that will massively increase usage and, therefore, quality and compliance. “
Paul Walker, Field Strategist at Omada
The Rise of AI-Driven Human Augment Decision-Making in Identity Management
“In 2025, we may see the first widespread implementation of AI-human-augmented decision-making in identity management. Not all organizations are ready to configure systems to ‘just do it,’ that is, allowing AI to make decisions without human intervention; the industry will closely observe whether the human AI-augmented decision-making approach delivers value and can build trust. A key challenge to full automation of decision-making will be the transparency of recommendations and how humans can override automatically made decisions with feedback, adjusting the recommendation engine for future decisions. Decision makers need to feel confident that they can trust the recommendation and that their feedback is effective because they’re still accountable to the business when critical identity decisions are made without direct human oversight.”
From Preventative to Proactive Security with GenAI Integration
“Identity Governance and Administration (IGA) products will likely evolve into more proactive security tools. For example, they will offer real-time recommendations and insights to enhance IT security operations and maintain identity/data hygiene. They will move on from the analysis of existing assigned permissions and incorporate user behavior information as well, especially from cloud/SaaS systems that can easily share these logs. Integrating Generative AI will be a key driver in this change to become more proactive.
“For example, intelligent notifications using desktop collaboration tools to deliver daily ‘messages of the day’ with personalized suggestions to strengthen identity security posture. Traditionally focused on prevention, IGA will shift toward contributing to operational security and security hygiene posture. The adoption of new, user-friendly interaction methods, such as the Generative AI-powered natural language model, will drive this transformation.”
Ori Goldberg, CTO of Pynt
LLM models will be a double-edged sword for cybersecurity
“With the exploding growth of LLMs, AI risks will continue to grow in prevalence and severity. Existing issues like prompt injection and model misuse will evolve into new threats in tandem with more intelligent models. At the same time, tools powered by LLMs will enhance anomaly detection, automate threat responses, and perform autonomous vulnerability fixes.”
Continuous API testing will enable “Shift Everywhere”
“APIs connect microservices, enable third-party integrations, and support cloud-native architectures, representing 83 percent of internet traffic. Continuous security testing throughout the API lifecycle will be essential to mitigate risks like misconfigurations and injections. AI will be vital for detecting and remediating business logic vulnerabilities.”
Jim Routh, Chief Trust Officer at Saviynt
Identity security is growing in significance to enterprises.
“Identity access management has been a resource drain for both IT and Cyber organizations over the past three decades, largely due to the premise that enterprises must add administrators as the business volume grows. This is ‘old-school’ thinking that drives up operating costs with a minimal increase in business value. With the large majority of cybersecurity incidents involving credential compromise today, enterprises are now starting to think of identity as a core security function (rather than an IT function) that looks more like how a Security Operations Center (SOC) operates.”
Data science is foundational for cybersecurity.
“CISOs are beginning to attract and develop data scientists that want to learn cybersecurity principally to help design security controls using behavioral analytics applied to streaming data. Risk mitigation that previously required human involvement in transactions can now be enabled with models providing risk scores based on behavioral patterns that trigger automated workflow. The result is higher resilience at a lower operating cost while talent development evolves roles into more fulfilling work.”
John Paul Cunningham, the Chief Information Security Officer at Silverfort
Identity-Based Attacks Will Redefine Cyber Insurance in 2025
“With the sheer volume of identity-based attacks in 2024—such as Change Healthcare, the Midnight Blizzard breach of Microsoft, Snowflake, and Ticketmaster—we’re already seeing insurance providers crackdowns. The questions insurers will ask prospective policyholders in 2025 will no longer be simple hygienic questions such as whether your organization has implemented multi-factor authentication (MFA), but rather what those MFA tools are truly protecting, are you successfully achieving least privilege, and can you stop lateral movement.
“We’ll see insurers evolve their approach, shifting from checkbox-style assessments to probing the effectiveness and implementation of security measures. Deeper scrutiny will push businesses to prioritize identity solutions that go beyond management to real-time protection. As cyber insurance premiums continue to climb, organizations will likely factor these costs into their security budgets, treating insurance as both a financial safeguard and a driver for improved security postures. This dynamic will create a future where organizations that implement better security practices earlier on have lower risks and, therefore, lower insurance policies and pricing.”
By 2025, AI Will Continue to Drive Innovation and Expose Major Security Gaps
“AI has had a profound impact on the way businesses operate and the speed at which they are able to innovate. By 2025, the continued rapid adoption of AI will spark an unprecedented wave of innovation, but it will also expose glaring gaps in security that have been left untouched—specifically when it comes to identity, which accounts for 80 percent of all data breaches. Rapid AI integration has occurred across industries; however, organizations are not considering the need for comprehensive security controls, leaving organizations vulnerable to sophisticated threats.
“As we approach the new year, leaders must shift their focus from merely educating teams about AI risks to actively detecting and preventing attacks. One way we’ll see organizations start to do this is by investing in end-to-end identity security platforms that break down the silos between identity providers and provide holistic security controls across all on-prem, cloud, and hybrid environments and doubling down on protecting identities. With the rapid pace of AI adoption and manipulation, siloed identity management tools and traditional MFA tools are no longer enough. Identity was misunderstood and unloved for so many years; it’s finally getting the attention it needs. It’s gone from a help desk ticketing thing where we provisioned to being mission-critical for a good cybersecurity program. Identities need to be checked continuously, especially amid the rise of sophisticated threats and DarkAI.”
Charles Ruffino, Fellow, Cloud Architecture at SoftIron
Post-quantum encryption will become mission-critical by 2027.
“Post-quantum cryptography isn’t just the next tech upgrade—it’s a digital survival strategy. Between 2026 and 2031, current encryption will start looking like a rotary phone in a 5G world. As quantum computing transforms from a theoretical threat to a practical reality, organizations face a critical migration path that’s part technological evolution, part strategic warfare.
“The market won’t just adopt post-quantum encryption; it will demand it with the urgency of a CISO watching their vulnerability dashboard turn blood-red. New cryptographic solutions will emerge rapidly, driven by an existential imperative: dramatically reduce enterprise vulnerabilities before they become catastrophic breaches.
“Think of it like upgrading from wooden castle walls to reinforced titanium—those who delay will find themselves digitally exposed, facing potential ransom demands, PR nightmares, and reputational damage that no cybersecurity insurance can fully mitigate. The encryption revolution is coming, and it’s bringing quantum-grade padlocks.”
Ravi Bindra, CISO of SoftwareOne
Quantum Computing
“Despite the benefits quantum computing will bring to businesses, it will also enable a wave of new attack vectors. Current cryptography methodology will inevitably be ‘debunked’ as quantum becomes available at scale, and ‘quantum-capable’ threats will start to rise as the technology becomes more accessible. We are already seeing evidence of nation-states and threat actors adopting ‘store it now, crack it later’ strategies, gathering sensitive encrypted data passed across the internet to be decrypted once quantum technology becomes viable in the next five to 10 years. So, although quantum computing sounds like a problem for the future, it needs to be a security concern now. As such, organizations must make data quantum-resistant, and cloud providers have a big role to play here. Over the next one to two years, cloud providers must begin offering post-quantum services to customers in high-security industries, future-proofing data today that will be difficult to crack in five years’ time. ”
“Additionally, organizations will need flexible, crypto-agile infrastructure for a system to adapt its mechanisms and algorithms in line with technology advancement as new post-quantum algorithms and protocols emerge. However, cloud organizations can’t help to protect industries alone. To combat the rise in actors using quantum computing to pose a threat themselves, we need to see greater collaboration between different industries across cloud and cyber as well as the involvement of government to share knowledge and deal with threats efficiently.”
Sohrob Kazerounian, Distinguished AI Researcher at Vectra AI
Threat actors will focus on AI productivity gains in 2024, but malicious agentic AI is unlikely to be seen in the wild.
“In the near term, attackers will focus on refining and optimizing their use of AI. This means using Gen AI to research targets and carry out spear phishing attacks at scale. Furthermore, attackers, like everyone else, will increasingly use GenAI to save time on their own tedious and repetitive actions. Rote tasks, from coding to answering straightforward security questions, will be offloaded to LLMs whenever possible.
“But the really interesting stuff will start happening in the background as threat actors begin experimenting with how to use LLMs to deploy their own malicious AI agents capable of end-to-end autonomous attacks. While threat actors are already in the experimental phase, testing how far agents can carry out complete attacks without requiring human intervention, we are still a few years away from seeing these types of agents being reliably deployed and trusted to carry out actual attacks.
“While such a capability would be hugely profitable in terms of time and cost of attacking at scale, autonomous agents of this sort would be too error-prone to trust on their own. Nevertheless, in the future, we expect threat actors will create Gen AI agents for various aspects of an attack–from research and reconnaissance, flagging and collecting sensitive data, to autonomously exfiltrating that data without the need for human guidance. Once this happens, without signs of a malicious human on the other end, the industry will need to transform how it spots the signs of an attack.”
A certain future: Agentic AI will carve out a place in cybersecurity
“As GenAI hype begins to wane, the security industry will turn its attention to agentic AI models in 2025 as the primary means of creating robust, production-grade AI systems that are ready for customer scrutiny. Unlike early approaches to working with large language models (LLMs), agentic approaches will increasingly use LLM ‘agents’ that have been prompted, fine-tuned, and given access to only the necessary tools to achieve a well-defined and particular goal rather than being tasked with a complete end-to-end mission.
“However, we shouldn’t overly anthropomorphize these agents. Think about instructing a person to solve a complex task in a single shot without breaking it down into any of the sub-tasks required to achieve it. Instead, the agentic model breaks high-level objectives into well-defined sub-tasks and defines and equips individual agents with the ability to execute each of these sub-goals. By allowing the agents to interact, scrutinize one another, and so on, they can collaborate with each in a manner that ultimately improves the accuracy and robustness of Gen AI models.”
Dave Lewis, the Global Advisory CISO at 1Password
Identity-Based Attacks
“The growth of identity-based attacks will take center stage in 2025 as cyber-criminals increasingly target identity systems to exploit vulnerabilities. Misconfigurations in Identity and Access Management (IAM) solutions, combined with the widespread use of compromised credentials, will provide attackers with unauthorized access to critical systems and sensitive data. As organizations adopt more complex identity ecosystems, including multi-cloud environments and federated access models, these threats will become harder to detect and mitigate. Strengthening IAM configurations, implementing zero-trust principles, and securing the entire identity lifecycle will be critical to defending against this rising wave of attacks.”
Deepfake technology and AI
“In 2025, the expansion of deepfake technology and AI-generated impersonations will usher in a new era of sophisticated social engineering attacks. Cyber-criminals will leverage these tools to create convincing imitations of trusted individuals, such as executives, colleagues, or family members, to manipulate victims into divulging sensitive information or authorizing fraudulent transactions. This trend undermines traditional verification methods like voice or video authentication, rendering them increasingly unreliable. To counteract these threats, organizations will need to adopt multi-layered security measures, such as advanced AI detection tools, robust behavioral analytics, and enhanced education to help individuals identify and resist such deceptive tactics.”