Industry executives and experts share their predictions for 2025. Read them in this 17th annual VMblog.com series exclusive.
By Paul Walker, field strategist, and Theis Nilsson, vice president global advisory practice, Omada
Managing identities has become increasingly complex and
challenging in our digital and remote world. Technology is racing to catch up -
particularly the application of AI to identity management. But it's not a
panacea, and organizations need to proceed with caution as they update and
streamline their processes while working to remain compliant and secure. Here's
what we're predicting 2025 will bring.
Prediction 1: Passwordless Authentication Takes the Spotlight
We are on the precipice
of a shift from the longstanding practice of forced periodic password changes
as IT departments worldwide adopt guidance from major cybersecurity
authorities. The National Cyber Security Centre (NCSC), the European Union
Agency for Cybersecurity (ENISA) and the National Institute of Standards and
Technology (NIST) all recommend against mandatory password resets, citing
evidence that frequent changes often lead to weaker passwords and reduced
security. This shift could be a significant step forward in balancing security
with user experience.
Easy-to-use
enterprise-level alternatives to using passwords for operating systems such as
Windows 10/11 include innovative authentication methods such as the Fast
Identity Online (FIDO) standards. Windows Hello and Microsoft Edge have
supported FIDO since 2018, yet widespread adoption of physical (FIDO2) keys
in enterprise settings is still lagging due to cost barriers. We've seen the
adoption of mobile passkeys (FIDO2) that are claimed to be phishing-resistant
and are easy to use. Passkey usage means users no longer need to enter
usernames and passwords for authentication. Instead, the passkey relies on the
device biometrics users already use to unlock their devices to sign in to apps and websites. Expect the usage of
passkeys to continue to accelerate in 2025.
Prediction 2: Identity Management Sees an Increase in AI-Human Augmented Decision-Making
In 2025, we expect to see
the first widespread implementation of AI-human augmented decision-making in
identity management. Not all organizations are ready to configure systems to
"just do it" - that is, allowing AI to make decisions without human intervention.
The industry will closely observe whether the human plus AI augmented
decision-making approach delivers value and can build trust. A key challenge to
full automation of decision-making will be the transparency of recommendations
and how humans can override automatically made decisions with feedback,
adjusting the recommendation engine for future decisions. Decision makers need
to feel confident that they can trust the recommendation and that their
feedback is effective, because they're still accountable to the business when
critical identity decisions are made without direct human oversight.
Prediction 3: GenAI Integration Produces Proactive Security
Identity Governance and
Administration (IGA) products will likely evolve into more proactive security
tools, for example by offering real-time recommendations and insights to enhance
IT security operations and maintain identity/data hygiene. Another proactive
stance involves moving on from analysis of existing assigned permissions and
incorporating user behavior information as well, especially from cloud/SaaS
systems that can easily share these logs. Integrating generative AI will be a
key driver in this focus on greater proactivity. As an example, intelligent
notifications will use desktop collaboration tools to deliver daily "messages
of the day" with personalized suggestions to strengthen identity security
posture. Traditionally focused on prevention, IGA will shift toward
contributing to operational security and security hygiene posture. The adoption
of new, user-friendly interaction methods, such as the Generative AI-powered
natural language model, will drive this transformation.
Prediction 4: Faster Shared Signals Framework Adoption
In 2025, we'll see
accelerated adoption of the OpenID Shared Signals Framework (SSF) from vendors
as organizations prioritize real-time communication between security tools to
enhance adaptive security postures. With the identity perimeter now central to
modern security strategies, more enterprises will integrate SSF to achieve
seamless data sharing across disparate systems, enabling a more resilient
defense against evolving threats. With its flexibility and scalability, the SSF
will lead to more collaborative security ecosystems, breaking down silos across
cloud providers, SaaS applications and security systems, thereby enhancing
security in an increasingly hybrid and complex environment.
Prediction 5: The Ascendancy of AI-Driven Innovation and Cross-Platform Interoperability
The IGA sector will
continue to see rapid innovation spurred by AI/ML. As vendors consolidate,
interoperability will be key, with companies striving for seamless integration
across platforms. The winners in this space will be those who can harness
cross-domain capabilities and implement agile solutions for cloud application
management, enabling tasks like application onboarding in a matter of hours.
Prediction 6: Infrastructure Complexity Will Bring Setbacks
The complexity of
infrastructure and system landscapes will continue to present challenges and
setbacks. Companies will need to navigate competing priorities, with
governance, risk and compliance investments often clashing with spending on
perimeter security and efficiency-driven AI/ML initiatives. Regulation will
play a crucial role in maintaining a balanced corporate focus amid these
competing demands.
Prediction 7: Balancing Security, Innovation and Regulation
Regulation will continue
to shape IGA, with frameworks like the Network and Information Systems 2 (NIS2)
and the Digital Operational Resilience Act (DORA) in the EU reinforcing
compliance-driven initiatives. At the same time, a push toward corporate effectiveness
will highlight the efficiency benefits of automated and AI-supported IGA
solutions. In both instances, security will remain a priority, with principles
like "least privilege" becoming crucial to limit hacker access, aiming to
ensure that if an attacker gains entry, their ability to move across systems
and platforms is restricted, mitigating potential damage.
Another hot spot where
regulation and innovation are coming together is the EU AI Act. As AI is
offered in high-risk applications such as Identity and Access Management
(IAM)/IGA, there's plenty of analysis and preparation for vendors as well as
customers. The EU AI Act represents a landmark regulatory effort as it attempts
to balance safeguards that protect individuals from potential harm against the
need not to restrict innovation.
Prediction 8: GenAI and ML Will Guide and Support Identity Governance
GenAI and ML are likely
to play a more significant role in IGA by simplifying tasks like access
requests and approvals, where they can provide valuable guidance and support.
However, the effectiveness of GenAI and ML in the deepest aspects of IGA, such
as business logic analysis and role mining, may be limited due to bad data
hygiene. This often results from inconsistent governance and could skew
GenAI/ML insights. Nonetheless, AI/ML will be useful at a higher level,
potentially aligning regulatory requirements, business processes and
job-related permissions more effectively. The goal of this particular
innovation is for a user working with a chat assistant to accomplish their
task in less time and at lower cost. We estimate that the cost per transaction of a user and
AI chat assistant will be a fraction of the price of a help desk call.
Though challenges remain, AI in its various forms will
prove to be an even more valuable ally to identity management in 2025. These
technologies will assist identity professionals with greater efficiency,
security and governance while leaving room for ongoing innovation.
##
ABOUT THE AUTHOR
Paul Walker, field strategist, Omada
Paul Walker is field strategist at Omada. A veteran within the identity
market, Walker is an expert with over two decades of experience in sales and
product leadership roles at renowned brands like Dell and Oracle. He works
closely with customers globally to ensure they are successful in leveraging
Omada's solutions to achieve improved compliance, efficiency and security. He
has a deep understanding of the identity landscape garnered through
executive stints at Clear Skye and One Identity.
++
Theis Nilsson, vice president global advisory practice, Omada
Theis Nilsson has held different consultancy and
management roles within Omada for more than 15 years. He began his career in
research and development in the area of network management security and holds a
master's degree in computer science from the Danish Technical University. He
has been working with organizational development and information technology for
more than three decades. His work with organizations includes a combination of
consulting and advisory roles, where process improvement, benefits realization
and organizational restructuring have played a key role.