Identiverse 2025 Recap: The Identity Trends Reshaping Your IAM Roadmap
I recently attended Identiverse in Las Vegas. This was my first time back at Identiverse since conference founder Ping Identity sold the conference in 2021. As identity-related initiatives continue to dominate Forrester’s clients’ top priorities and initiatives, I felt impelled to share my perspectives and insights. Here are my five major conclusions and recommendations for security leaders from the conference:
- Protecting non-human identities (NHI) is as critical as securing AI. My expectation at Identiverse was that agentic AI would be everywhere. While there was ample AI and agentic content, it was overshadowed by non-human identities (NHI) content. While my colleague Geoff Cairns and I prefer machine identities over NHI, I am using NHI in this blog for simplicity’s sake. From the opening NHI workshop to the NHI Pavilion on the exhibit floor to other breakout sessions, you couldn’t escape NHI at Identiverse! This hype is driven by two factors: 1) the rapid increase in the number of machine identities (e.g., service accounts, API keys, secrets, and certificates, and now ephemeral cloud workloads and agentic AI) and 2) the increase in attacks against machine identities because of their elevated, often excessive, privileges. Many vendors are quickly working to address machine identities, and organizations need to prioritize this and look to analytics and automation to govern machine identities going forward.
- Interrogate vendor IAM product roadmaps for Shared Signals Framework (SSF) support. Identiverse has always had a strong alignment with content around important identity standards, both established and emerging. Despite IAM being 20-plus years old, new standards are emerging to take their place alongside established standards like SAML and OIDC. While it is always hard to handicap which standards are going to gain critical mass, the fact that there is a healthy vendor base committed to advancing things like the Shared Signals Framework (SSF) and working on standards like CAEP and the IPSIE Working Group from the OpenID Foundation shows that these new frameworks and standards are gaining momentum and will influence IAM product roadmaps and cybersecurity adjacencies throughout 2025-2026.
- Hit pause on DDID if you primarily operate in the US. Distributed digital identity (DDID) has been a promising identity innovation for several years, and while there were some interesting sessions on verifiable credentials (VCs), I would characterize DDID interest at Identiverse as tepid (especially when compared to NHI and AI). This is unfortunate given the potential that DDID can deliver. The lower interest also likely reflects how DDID remains subject to the vagaries of the US political environment. Indeed, the recently revised White House Executive Order on cybersecurity confirms a de-emphasis in DDID. While some pockets of DDID momentum may remain at the state and local level, federal-level DDID efforts will remain on hold for the time being. IAM practitioners should look to Europe and other regions outside of the US to track DDID developments.
- Reinforce your Workforce Identity Verification (IDV) capabilities. While customer identity verification (IDV) has received ample attention and investment in the last five years, growing concerns around attacks such as the North Korean remote IT worker scam are driving enterprise focus (and vendor investment) into workforce identity verification. Several speakers noted they had been victimized by this attack, which only confirms that with remote interviewing and onboarding becoming the norm, the hiring journey has become an attack path. The interest in workforce IDV is also often engaging a new internal buyer or influencer like the HR or legal team, which is a different buyer than traditional customer IDV, so IDV vendors will have to adjust to engage with this new buyer type.
- Remember that cloud is king in IAM, but on-prem IAM still casts a long shadow. It is expected that tech conferences will be cloud-first and cloud-centric in messaging and content, but this doesn’t mean that every organization has migrated their IAM stack 100% to the cloud. I am still struck by the slow pace of cloud migrations for orgs that deployed IAM pre-2010. Many of these deployments are so embedded into the organization’s workflow that a simple lift-and-shift cloud migration is not practical. This means many orgs (and IAM vendors) will need to prepare themselves to operate in a hybrid world where certain select on-prem apps will need to co-exist with cloud-based offerings.
Let’s Connect
Have questions? Forrester clients should reach out to me to request a guidance session to discuss these topics further.