Overview of Identiverse 2025
Identiverse 2025, held June 3–6, 2025 at Mandalay Bay in Las Vegas, brought together over 3,000 digital identity and security professionals for four days of keynotes, panels, and workshops [1]. The conference buzzed with a renewed focus on identity as the foundation of modern cybersecurity, emphasising that identity is no longer just a tool for access but “the foundation of modern security and compliance” [2]. Attendees noted a strong sense of community and collaboration, with industry leaders and practitioners sharing real-world challenges, bold ideas, and hallway conversations that often proved as insightful as formal sessions [3]. Across various talks and expert panels, several key themes and emerging trends repeatedly surfaced – from the push for frictionless authentication to the rise of AI-driven identity challenges, the explosion of non-human identities, and the imperative of digital trust in an era of deepfakes. Below is a structured recap of the most prominent trends and insights discussed at Identiverse 2025, along with expert opinions and notable takeaways from speakers and attendees.
Frictionless and Passwordless Authentication
A major theme at Identiverse 2025 was the industry’s drive toward frictionless authentication – making logins seamless without sacrificing security [4]. Identity and Access Management (IAM) providers acknowledged that user experience had been neglected in favour of security, leading to what one report dubbed the “digital equivalent of airport security” for logins [5]. In response, vendors such as Cisco Duo, Radiant Logic, Saviynt, and others unveiled new approaches aimed at eliminating cumbersome login steps (passwords, one-time codes, multiple prompts) and delivering what was likened to a TSA “fast pass” experience for authentication [6]. “You walk into your office, you put your phone on the table, you open your laptop, and you’re logged in”, explained Matt Caulfield, VP of Identity at Cisco’s Duo, describing a new proximity-based login that requires no manual credential entry [7]. He emphasised their goal of an experience where “you don’t need to put in a username, a password…no passwords anywhere”, reflecting a broader industry push toward passwordless authentication [8].
This push is backed by clear trends in adoption. Recent industry research shared at the event showed multi-factor authentication (MFA) usage is at an all-time high – for example, 66% of workforce users now use MFA (91% of admins) according to Okta’s 2024 report, with a growing preference for phishing-resistant methods [9]. Meanwhile, passkeys and passwordless methods are rapidly gaining traction, with one vendor observing a 400% increase in passkey usage in 2024 [10]. The global market for passwordless authentication is projected to quadruple over the next decade (from $19B in 2024 to $82.5B by 2034) [11], underscoring the momentum behind this trend. The consensus at Identiverse was that reducing login friction can actually improve security – by removing incentives for users to find workarounds – and that invisible or low-friction login experiences (e.g. biometric or behavioral authentication running in the background) are becoming an expected feature of modern IAM solutions [12].
Artificial Intelligence in Identity Security
AI’s impact on identity and security was front and centre in many discussions, with participants noting that “AI in IAM is here (and it’s not waiting for you to catch up)” [13]. Every major vendor showcased AI or machine learning-driven features: from behavioural analytics and risk scoring to AI-generated identity governance recommendations [14]. These practical use cases demonstrated real value, such as using machine learning to flag abnormal access patterns or to automate access reviews and approvals (reducing “review fatigue” for administrators) [15]. For example, Radiant Logic’s CEO described using generative AI to analyze identity data and recommend corrective actions via an “AI Data Assistant,” illustrating how AI can help manage complex identity environments [16]. At the same time, experts urged caution: the rise of AI also introduces new risks – adversaries are weaponizing AI through sophisticated phishing (leveraging large language models), deepfake voice or video impersonations, and automated attacks that can mimic legitimate users [17]. “Assume your voice, image, and behavior can be convincingly faked – and plan internal processes accordingly,” one CISO advised, highlighting the need for verification protocols and human oversight in an AI-driven world [18].
A particularly hot topic was “Agentic AI” – autonomous AI agents acting on behalf of users or organisations. In a dedicated panel on Agentic AI and Non-Human Identities (NHIs), speakers noted that AI agents are still identities to be managed (they use credentials and access data), but “they behave differently” than traditional scripts or service accounts [19]. These agents are goal-driven, can operate across multiple systems, and may make decisions without direct human intervention [20]. Experts warned that within five years, many domain-specific AI agents might be running with no humans in the loop, and if identity teams don’t establish strict privilege boundaries and governance now, “post-incident discovery will be futile” [21]. In other words, AI systems could amplify the impact of weak identity controls. The urgent consensus was that the identity community must develop governance frameworks for AI-driven identities as quickly as the technology evolves [22]. This includes requiring every AI agent or bot to be credentialed, enforcing fine-grained authorization for what they can do, and maintaining audit trails – essentially treating them with the same (or greater) scrutiny as human users [23]. As one panellist put it, “We must distinguish [helpful bots], protect them, and ensure they act in our interest”, signalling that managing AI identities will be a key frontier for security professionals [24].
Non-Human Identities (Machine and Service Accounts) in the Spotlight
Hand-in-hand with the AI discussion was a strong focus on Non-Human Identities (NHIs) – a term encompassing machine accounts, service identities, API keys, bots, and other digital identities not tied to a human user. NHIs emerged as one of the most urgent and widely discussed risks at Identiverse 2025 [25]. Multiple sessions highlighted the sheer scale of the issue: in many enterprises, machine and service identities now outnumber human identities by as much as 20:1 [26]. These non-person accounts often live outside traditional governance and IAM programs, creating massive blind spots in security [27]. One speaker likened the NHI landscape to an iceberg – most organisations only see the tip of their machine identities, with limited visibility into how many exist, what they’re used for, or who owns them [28]. “We’ve created digital entities that act without oversight, and most security teams still treat them as side quests,” one expert observed, pointing out that many companies don’t even start managing NHIs until after a breach has occurred [29].
The risks of ignoring NHI governance were made starkly clear. A panel on “How Attackers Compromise NHIs” delivered the simple but chilling message that “Attackers aren’t breaking in, they’re logging in.” [30] In other words, attackers often exploit poorly governed machine credentials rather than hacking in through vulnerabilities. According to Verizon’s Data Breach Investigations Report, 31% of breaches involve stolen credentials [31] – and many of those are things like leaked API tokens, hardcoded secrets in code, or orphaned service account passwords. Conference demos showed how easily such credentials can be harvested (for example, from public Git repositories or CI/CD pipelines) and then used to move laterally within an environment [32]. Because NHIs typically lack the lifecycle management that human accounts have, these breaches can persist unnoticed for long periods [33]. Attendees noted that traditional defences (like endpoint security or MFA prompts) often don’t apply to these accounts, making them an attractive attack surface. The takeaway was loud and clear: organisations must bring NHIs into the fold of identity governance. As one recap put it, “Governance is mandatory” for machine identities – doing nothing is no longer an option [34].
Improving NHI security was a recurring discussion topic, with experts sharing both challenges and best practices. A common refrain was “you can’t protect what you don’t understand,” meaning the first step is to discover and inventory all machine identities in use [35]. Practitioners stressed the need to track each NHI’s purpose, owner, and permissions – many noted that assigning clear ownership and accountability is critical, since “access reviews for machines are theatre unless we trim over-privileges and assign ownership” [36]. Another major recommendation was to eliminate static credentials in favour of short-lived, dynamic ones. In fact, an entire conversation revolved around making CI/CD pipelines “secretless”: replacing embedded passwords and API keys with ephemeral tokens or automated identity assertions [37]. “If you want to secure your production systems, you must secure your CI/CD pipelines…the fastest way to do this is to get rid of the secrets and adopt identities,” reported one blog, noting that “‘Secrets are not identities’ was a phrase heard more than once” at the conference [38]. New tools are emerging in this space to help continuously discover and manage NHIs [39], and some organisations shared success stories. For instance, the security team at Grammarly outlined their strategy to get a handle on machine identities: inventory everything, map context to each identity, enforce least privilege (using scoped roles and short-lived creds), and establish automated remediation workflows – all while ensuring someone in the business “owns” each identity’s maintenance [40]. The overarching insight was that machine identities can no longer be treated as an afterthought. They require the same rigour in governance (if not more) as human identities, including lifecycle management, monitoring, and integration into Zero Trust security models.
Identity as Critical Infrastructure (Resilience and Recovery)
Another key insight from Identiverse 2025 was the idea that identity has become “Tier 0” infrastructure for organisations – as critical to protect and keep running as networks, databases, or cloud services [41]. Several talks and panels emphasised identity resilience and incident recovery, reflecting lessons from recent security incidents. The question posed was: if your Identity Provider (IdP) or IAM system went down or was compromised, how quickly could your organisation recover? [42] Breaches and outages are no longer hypothetical, and identity systems can themselves be targets. As one speaker noted, if you can’t restore your identity layer quickly, your entire business may grind to a halt [43]. This marks a shift from viewing IAM purely in terms of prevention (keeping bad guys out) to also ensuring continuity (keeping the business running securely even when something goes wrong) [44]. “Identity resilience” – the ability to roll back or restore IAM functions after compromise – was front and centre this year [45]. In fact, identity backup and recovery capabilities were discussed as a board-level concern now, not just a technical detail [46]. One CISO speaker quipped that if your IdP goes down, so does your business, urging peers to treat the identity platform with the same investment in redundancy and disaster recovery as any mission-critical system [47].
This trend goes hand in hand with treating identity as core infrastructure. The consensus among vendors and analysts was that IAM is no longer just a security checkbox or login gateway – it’s foundational to business operations, agility, and even compliance [48]. As such, outages in IAM effectively mean outages in business operations [49]. Attendees repeatedly underscored the need for “immutable identity backups, testable failover plans, and controls that work under pressure – not just under audit” [50]. In practical terms, this means investing in capabilities like read-only backup directories, secondary authentication servers, or cloud-redundant IdPs that can take over if the primary fails. It also means regularly simulating identity-centric incidents (e.g. what if an admin account is breached, or thousands of user credentials are reset) to ensure the organisation can respond and recover. One takeaway was that identity governance and administration (IGA) programs should incorporate resilience metrics – for example, how long would it take to lock down all credentials in a crisis, or to re-issue trusted identity tokens after an incident? Such questions are now being asked in boardrooms. In summary, the message was to treat IAM like the core infrastructure it is: invest in its reliability and recovery, just as you would for your cloud platforms or databases [51]. As a blogger summed up, “identity isn’t just an IT function or a security project – it’s the connective tissue of digital business”, and ensuring its resilience is now a strategic priority [52].
Digital Trust and Verified Identity
Ping Identity CEO Andre Durand delivering a keynote on the importance of “Verified Trust” amid rising threats like deepfakes at Identiverse 2025 [53].
Establishing and maintaining digital trust was a recurring high-level theme, powerfully articulated in the opening keynote by Ping Identity’s CEO, Andre Durand. He characterized the current landscape as one where “trust is being tested like never before” – misinformation, deepfakes, and digital impersonations are eroding the assumption of authenticity online [54]. “The real attack surface isn’t our infrastructure – it’s our assumptions,” Durand warned, meaning that attackers increasingly prey on the implicit trust we grant to what we see and who we think we’re interacting with [55]. From business email compromise to SIM swapping to supply chain attacks, criminals target our fundamental trust. In response, the keynote introduced the concept of “Verified Trust” as a new imperative for the industry [56]. “We must verify before we trust,” Durand urged, advocating for a shift to authentication and identity systems that are continuous, contextual, and invisible to the user by default [57]. This isn’t just about adding more MFA prompts or stronger passwords – it’s about using multiple signals (device posture, location, user behaviour, risk scoring) and verifiable credentials in the background to ensure every interaction is authentic [58]. The goal is to achieve high assurance with low friction, so users hardly notice the constant verification taking place.
Key tools enabling this “trust but continuously verify” model include behavioral biometrics, real-time risk analytics, and decentralized identity credentials that can be cryptographically proven [59]. For instance, an authenticated digital credential might attest to a user’s identity or attributes, which can be checked automatically before a transaction is allowed. Done right, these measures can make digital interactions “always verified by default” without turning the user experience into an interrogation [60]. The backdrop for this push is a world in which even our senses can’t be trusted – “today, we can’t even trust our eyes and ears – seeing is no longer believing,” as the keynote noted, referencing the rise of AI-generated fake content [61]. This has led to predictions that soon we’ll see “deepfake-resistant IDs” become legally required for certain online activities [62]. Durand even envisioned a future split between a “Verified” internet (with a trusted identity layer) and an unverified “wild west”, where anonymity might become a premium service people pay for [63]. These provocative ideas underscored a broad agreement at Identiverse: the industry must double down on verifying authenticity – of users, devices, and even data – to preserve digital trust. The rallying cry “We Are the Guardians of Authenticity” was shared as a call to arms for identity professionals [64]. In practical terms, this means building security solutions that can instantly detect imposters (e.g. spotting subtle signs of deepfakes or stolen tokens) and that make trust portable and transparent for users. Several demonstrations at the conference indeed showcased technologies like verified credentials and decentralized identity in action, which allow users to prove things about themselves (or their devices) without exposing raw personal data [65].
All of this feeds into the larger mission proclaimed at Identiverse 2025: to restore and enhance trust in the digital world by ensuring every access decision and transaction is backed by verification, not assumption.
Compliance Pressures and Identity Security Posture
Emerging cybersecurity regulations and standards also loomed large in the conversations, with many noting that compliance requirements are now a major driver of identity security upgrades. Frameworks such as the EU’s DORA and NIS2, the proposed U.S. Cybersecurity Resilience Act, and other guidelines are putting identity in the spotlight, effectively mandating practices like least-privilege access, strong authentication, and auditability of identity systems [66]. Internal auditors and regulators alike are asking organisations to prove that only the right people (or machines) have the right access at the right time [67]. The sentiment shared was that compliance is no longer a checkbox – it’s a forcing function for modernisation in IAM [68]. In other words, even organisations that might have been slow to adopt things like comprehensive identity governance or advanced authentication are being pressed into action by regulatory deadlines and fear of penalties. Speakers gave examples of companies scrambling to implement tighter entitlements review processes and automated access recertification to satisfy auditors [69]. The challenge, discussed in hallway chats, is to meet these compliance obligations without slowing down business operations – hence the interest in solutions that automate identity controls and continuously monitor for policy violations [70].
One notable trend in this area is the rise of Identity Security Posture Management (ISPM) as a concept. Much like cloud security posture tools, ISPM tools aim to provide continuous assessment of an organisation’s identity configurations and policies across all systems [71]. Rather than point-in-time audits, they bridge the gap between security context and governance workflows, alerting teams to toxic combinations of privileges, inactive accounts, or policy drift in real time [72]. At Identiverse 2025, ISPM was highlighted as a “must-have” emerging capability for large enterprises, given the complexity of hybrid cloud environments and the speed at which access changes occur [73]. For example, if a highly privileged service account suddenly gains even broader access due to a misconfiguration, an ISPM solution could flag that immediately. Unlike traditional IGA (Identity Governance & Administration) tools that focus mainly on provisioning or certification campaigns, ISPM is about continuous enforcement of least privilege and adherence to security policy. This trend aligns with the broader push for real-time, event-driven access management: instead of reviewing access quarterly or reacting after an incident, companies want to adjust and revoke access in the moment, based on triggers like role changes, detected anomalies, or compliance rules [74]. The conference conveyed a sense of urgency here: staying compliant and secure will require more automation and intelligence in identity systems, and vendors in the IAM space are rapidly integrating these capabilities.
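The inventory checks from the non-human identity section (owner, static credentials, unused privileges) and the posture checks described here (inactive accounts, policy drift, toxic combinations) can be expressed as one small audit pass. This is an added example, not code from the conference material or from any vendor's product; the account names, permission strings, thresholds and the toxic pair are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy thresholds (illustrative, not from the conference material).
MAX_STATIC_AGE = timedelta(days=90)   # static secrets older than this are overdue
MAX_IDLE = timedelta(days=60)         # unused for this long: candidate for removal
# Constructed "toxic combination": can read secrets AND grant itself more access.
TOXIC_COMBINATIONS = [frozenset({"secrets:read", "iam:grant"})]


@dataclass(frozen=True)
class NHI:
    name: str
    owner: Optional[str]            # accountable person or team, None if unknown
    credential_type: str            # "static" or "ephemeral"
    credential_issued: datetime
    last_used: Optional[datetime]   # None = never observed in logs
    granted: frozenset              # permissions currently attached
    used: frozenset                 # permissions actually exercised (from logs)
    baseline: frozenset             # permissions approved at the last review


def audit(nhi: NHI, now: datetime) -> list:
    """Return (code, detail) findings for one non-human identity."""
    findings = []
    if not nhi.owner:
        findings.append(("NO_OWNER", "no accountable owner recorded"))
    age = now - nhi.credential_issued
    if nhi.credential_type == "static" and age > MAX_STATIC_AGE:
        findings.append(("STALE_STATIC_CREDENTIAL", f"static secret is {age.days} days old"))
    # A never-used identity is judged by how long its credential has existed.
    idle = now - (nhi.last_used or nhi.credential_issued)
    if idle > MAX_IDLE:
        findings.append(("INACTIVE", f"idle for {idle.days} days"))
    unused = nhi.granted - nhi.used
    if unused:
        findings.append(("UNUSED_PRIVILEGES", ", ".join(sorted(unused))))
    drift = nhi.granted - nhi.baseline
    if drift:
        findings.append(("POLICY_DRIFT", "gained since review: " + ", ".join(sorted(drift))))
    for combo in TOXIC_COMBINATIONS:
        if combo <= nhi.granted:
            findings.append(("TOXIC_COMBINATION", " + ".join(sorted(combo))))
    return findings


def audit_inventory(inventory, now):
    """Map each identity name to its finding codes; clean identities map to []."""
    return {n.name: [code for code, _ in audit(n, now)] for n in inventory}


# Constructed sample inventory (not real accounts).
NOW = datetime(2025, 6, 6, tzinfo=timezone.utc)
INVENTORY = [
    NHI("ci-deployer", "platform-team", "ephemeral", NOW - timedelta(minutes=15),
        NOW - timedelta(minutes=5), frozenset({"deploy:staging"}),
        frozenset({"deploy:staging"}), frozenset({"deploy:staging"})),
    NHI("legacy-backup-svc", None, "static", datetime(2023, 1, 10, tzinfo=timezone.utc),
        None, frozenset({"storage:read", "storage:write"}),
        frozenset(), frozenset({"storage:read", "storage:write"})),
    NHI("report-bot", "data-eng", "static", NOW - timedelta(days=30),
        NOW - timedelta(days=1), frozenset({"db:read", "iam:grant", "secrets:read"}),
        frozenset({"db:read"}), frozenset({"db:read"})),
]

if __name__ == "__main__":
    for name, codes in audit_inventory(INVENTORY, NOW).items():
        print(f"{name}: {', '.join(codes) or 'ok'}")
```

The short-lived pipeline identity passes cleanly, while the ownerless static account and the drifted bot each collect several findings that a quarterly review would see only months later.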
Inclusive Digital Identity and “Identity for All”
While much of Identiverse 2025 focused on cutting-edge technology and enterprise security, there was also attention on the human side of identity – specifically, making sure digital identity systems are inclusive and accessible to all. One notable session titled “Identity for All: Unlocking Economic Empowerment Through Inclusive ID” highlighted the sobering fact that over one billion people worldwide face barriers to establishing and verifying a digital identity [75]. Speaker Kay Chopard (Executive Director of the Kantara Initiative) discussed the far-reaching consequences of this identity gap: individuals without reliable IDs are often locked out of basic services like banking, e-commerce, and even the exercise of digital rights [76]. The session underscored that digital identity exclusion isn’t just a developing world problem – it affects vulnerable populations globally, from those lacking government IDs to those unable to navigate current identity verification processes. The economic repercussions are significant: without verifiable identity, people struggle to access jobs, education, healthcare, and financial services, perpetuating cycles of poverty and marginalization [77].
Chopard and other experts called on businesses to build “inclusion by design” into identity products [78]. This means creating identity verification methods that account for people who may not have credit histories, smartphone access, or traditional identity documents. For example, solutions might leverage alternative attributes or community attestations to establish trust. The audience was reminded that expanding their customer base can go hand-in-hand with social impact: by designing services that welcome those currently excluded, companies can both “expand their reach” and empower new user segments [79]. Organizations like Women in Identity are working to address bias and accessibility in digital ID systems, ensuring that identity technologies serve diverse populations [80]. The takeaway is that inclusivity is an emerging pillar of digital identity discussions. Whether through government programs for national digital IDs or private-sector initiatives for age verification and accessibility, Identiverse made clear that “identity for all” is part of the future. After all, the effectiveness of digital identity solutions will ultimately be measured by how universally they can be adopted – and that means overcoming barriers of literacy, accessibility, and trust in underserved communities.
Cultural and Organisational Challenges
Finally, a candid undercurrent throughout Identiverse 2025 was the recognition that the hardest identity challenges are often not technical, but organisational. Experts repeatedly noted that deploying cutting-edge identity tech is only half the battle; “as experts it’s easy to focus on the technological solutions, but organisations are made up of people and departments,” one recap observed [81]. A recurring topic was internal friction and misalignment that can slow or even derail identity initiatives. Identity projects frequently span IT, security, HR, compliance, and beyond – and each stakeholder may have different priorities. It was noted that many IAM deployments struggle due to poor communication and change management, rather than flaws in the technology itself [82]. One speaker dryly remarked that in big companies, “multiple people are accountable, which means no one really is,” describing how lack of clear ownership can doom an Identity Governance and Administration (IGA) program [83]. This was illustrated by a case study of a fast-growing SaaS firm: despite obvious risks and a capable security team, their IGA efforts failed until a regulatory audit forced action – and even then, the initiative was treated like “incident response” rather than a sustainable program [84]. The lesson was that strong leadership support and defined responsibilities are critical for identity program success.
Another common insight was that new identity technologies will only succeed if they minimise disruption for end-users and IT teams [85]. If adopting a security measure creates excessive inconvenience or requires massive process changes, it will face internal resistance. Therefore, many speakers advised focusing on “quick wins” and incremental progress: for example, rolling out passwordless authentication to a pilot group, or automating a few high-risk access reviews first, to demonstrate value. One panel summed it up: identity solutions must solve real-world problems and fit into existing business processes, otherwise they won’t gain traction [86]. This pragmatic view was echoed by practitioners sharing hard-earned lessons. In essence, technology is only part of the equation – getting the humans (leadership, employees, developers) on board is equally important. The encouraging news shared at Identiverse is that the identity community is tightly knit and collaborative. Multiple attendees expressed that being among peers was a reminder “you are not alone” in facing these challenges [87]. The conference itself fostered this sense of shared mission: identity professionals can learn from each other’s failures and successes. By tackling organisational hurdles collectively – through community frameworks, best practices, and mentorship – the industry hopes to accelerate the adoption of the vital trends and innovations highlighted above, turning vision into reality.
Sources: The insights above were synthesised from Identiverse 2025 session coverage, expert blog recaps, and commentary by attendees and sponsors. Key references include SC Media’s on-site reporting (scworld.com), analysis from industry blogs like GitGuardian (blog.gitguardian.com), SPIRL (spirl.com), and MightyID (mightyid.com), as well as the official Ping Identity keynote highlights (pingidentity.com). These sources provide a comprehensive view of the prevailing themes – from frictionless security and AI’s growing role, to the critical importance of machine identity management, trust frameworks, and inclusive identity – that defined Identiverse 2025.
Footnotes
- blog.gitguardian.com
- linx.security
- spirl.com, mightyid.com
- scworld.com
- scworld.com
- scworld.com
- scworld.com
- scworld.com
- scworld.com
- scworld.com
- scworld.com
- scworld.com
- mightyid.com
- mightyid.com
- linx.security
- scworld.com
- mightyid.com
- mightyid.com
- blog.gitguardian.com
- blog.gitguardian.com
- blog.gitguardian.com
- blog.gitguardian.com
- spirl.com
- pingidentity.com
- blog.gitguardian.com
- linx.security
- linx.security
- spirl.com
- blog.gitguardian.com
- blog.gitguardian.com
- blog.gitguardian.com
- blog.gitguardian.com
- blog.gitguardian.com
- blog.gitguardian.com
- blog.gitguardian.com
- blog.gitguardian.com
- spirl.com
- spirl.com
- spirl.com
- blog.gitguardian.com
- mightyid.com
- mightyid.com
- mightyid.com
- mightyid.com
- mightyid.com
- mightyid.com
- mightyid.com
- mightyid.com
- mightyid.com
- mightyid.com
- mightyid.com
- mightyid.com
- https://www.pingidentity.com/en/resources/blog/post/identiverse-2025-highlights.html
- pingidentity.com
- pingidentity.com
- pingidentity.com
- pingidentity.com
- pingidentity.com
- pingidentity.com
- pingidentity.com
- pingidentity.com
- pingidentity.com
- pingidentity.com
- pingidentity.com
- pingidentity.com
- linx.security
- linx.security
- linx.security
- linx.security
- linx.security
- linx.security
- linx.security
- linx.security
- linx.security
- scworld.com
- scworld.com
- scworld.com
- scworld.com
- scworld.com
- scworld.com
- spirl.com
- spirl.com
- blog.gitguardian.com
- blog.gitguardian.com
- spirl.com
- spirl.com
- spirl.com