Identiverse 2025 Recap: The Identity Trends Reshaping Your Identity Access Management Roadmap
I recently attended Identiverse in Las Vegas. This was my first time back at Identiverse since conference founder Ping Identity sold the conference in 2021. As identity-related initiatives continue to dominate Forrester clients’ top priorities and initiatives, I felt impelled to share my perspectives and insights. Here are my five major conclusions and recommendations for security leaders from the conference:
- Protecting NHIs is as critical as securing AI. My expectation at Identiverse was that agentic AI would be everywhere. While there was ample AI and agentic content, it was overshadowed by non-human identities (NHI) content. While my colleague Geoff Cairns and I prefer machine identities over NHI, I am using NHI in this blog for simplicity’s sake. From the opening NHI workshop to the NHI Pavilion on the exhibit floor to other breakout sessions, you couldn’t escape NHI at Identiverse! This hype is driven by two factors: 1) the rapid increase in the number of NHIs (e.g., service accounts, API keys, secrets, and certificates, and now ephemeral cloud workloads and agentic AI) and 2) the increase in attacks against NHIs because of their elevated, often excessive, privileges. Many vendors are quickly working to address NHIs, and organizations need to prioritize this and look to analytics and automation for governing NHIs going forward.
- Interrogate vendor IAM product roadmaps for Shared Signals Framework support. Identiverse has always had a strong alignment with content around important identity standards, both established and emerging. Despite identity access management (IAM) being 20-plus years old, new standards are emerging to take their place alongside established standards like SAML and OIDC. While it’s always hard to handicap which standards are going to gain critical mass, the fact that there’s a healthy vendor base that is committed to advancing initiatives like the Shared Signals Framework and is working on standards, such as CAEP and the IPSIE Working Group from the OpenID Foundation, shows that these new frameworks and standards are gaining momentum and will influence IAM product roadmaps and cybersecurity adjacencies throughout 2025–2026.
- Hit pause on DDID if you primarily operate in the US. Distributed digital identity (DDID) has been a promising identity innovation for several years, and while there were some interesting sessions on verifiable credentials, I would characterize DDID interest at Identiverse as tepid (especially when compared to NHI and AI). This is unfortunate given the potential that DDID can deliver. The lower interest also likely reflects how DDID remains subject to the vagaries of the US political environment. Indeed, the recently revised White House Executive Order on cybersecurity confirms a de-emphasis in DDID. While some pockets of DDID momentum may remain at the state and local level, federal-level DDID efforts will remain on hold for the time being. IAM practitioners should look to Europe and other regions outside of the US to track DDID developments.
- Reinforce your workforce IDV capabilities. While customer identity verification (IDV) has received ample attention and investment in the last five years, growing concerns around attacks, such as the North Korean remote IT worker scam, are driving enterprise focus (and vendor investment) into workforce IDV. Several speakers noted they had been victimized by this attack, which only confirms that with remote interviewing and onboarding becoming the norm, the hiring journey has become an attack path. The interest in workforce IDV is also often engaging new internal buyers or influencers, like the HR or legal team, which are different buyers than traditional IDV customers.
- Remember that cloud is king in IAM, but on-prem IAM still casts a long shadow. It’s expected that tech conferences will be cloud-first and cloud-centric in messaging and content, but this doesn’t mean that every organization has migrated their IAM stack 100% to the cloud. I am still struck by the slow pace of cloud migrations for orgs that deployed IAM pre-2010. Many of these deployments are so embedded into the organization’s workflow that a simple lift-and-shift cloud migration isn’t practical. This means many orgs (and IAM vendors) will need to prepare themselves to operate in a hybrid world where certain select on-prem apps will need to coexist with cloud-based offerings.
Let’s Connect
Have questions? Forrester clients should reach out to me to request a guidance session to discuss these topics further.