

Every December, Gartner hosts its Identity & Access Management (IAM) Conference, an event that is growing significantly now that identity is no longer a niche security discipline. It has become the foundation upon which Zero Trust, cloud security, and emerging AI initiatives either succeed or stall.
Across keynotes, breakout sessions, and analyst discussions, several themes emerged clearly and repeatedly. These themes point to a fundamental shift in how identity must be designed, governed, and operationalized moving forward. What follows are the most important takeaways from the conference—and why they matter now.
One of the strongest and most consistent messages from the conference was the need to rethink how we conceptualize identity. Gartner emphasized that IAM should be viewed not as a standalone platform or point solution, but as a system of systems—a tightly integrated ecosystem of controls working together to reduce risk and enable the business.
Too often, organizations approach identity tactically. MFA is implemented here. A directory is upgraded there. Privileged access is handled by a separate team using different tools and processes. While each investment may make sense on its own, the result is a fragmented identity landscape full of silos, inconsistencies, and blind spots.
To address this, Gartner introduced a layered identity fabric model, designed to help identity professionals speak a common language, much like the OSI model did for networking.
Rather than treating access management, identity governance, and privileged access as independent domains, the identity fabric approach recognizes them as interdependent layers:
• Access Management: How users, machines, and applications authenticate and access systems
• Identity Governance & Administration (IGA): How identities are provisioned, modified, reviewed, and deprovisioned
• Privileged Access Management (PAM): How elevated access and credentials are controlled and monitored
The key message here is alignment. Identity controls must be designed to work together, not compete for ownership or visibility. Mature IAM programs don’t bolt tools together—they architect identity intentionally across the enterprise.
Building on this idea, Gartner spent significant time discussing the evolution of the identity fabric—an architectural framework that unifies identity data, policy, and enforcement across the organization.
The identity fabric is not a product. It’s a way of thinking about identity holistically, bringing together:
• Human users
• Machine and application identities
• Identity data and telemetry
• Enforcement points
• Risk and visibility layers
At the heart of the fabric is the concept that every identity—human or non-human—must be understood, classified, and governed. This includes machines, services, applications, containers, APIs, and increasingly, AI agents.
Several newer categories of identity technology received attention as part of this fabric:
• Identity Visibility and Intelligence Platforms (IVIP) to provide continuous insight into identity risk
• Web Access Management (WAM), especially as identity expands beyond humans and browsers
• PKI and certificate lifecycle management, which are becoming central to machine identity governance
The takeaway for organizations is clear: no identity component should exist in isolation. Strong IAM programs emerge when identity data flows freely across systems, enabling consistent policy enforcement and meaningful risk reduction.
Another recurring theme was the need to remove IAM silos. Many organizations still manage identity in disconnected domains:
• MFA policies applied inconsistently across environments
• Credential rotation handled by individual teams
• Account removal processes that vary by system
• Separate policies for human and non-human identities
This fragmentation creates gaps attackers can exploit—and operational friction that slows the business.
Gartner’s guidance emphasized the importance of developing a long-term IAM strategy, rather than chasing tactical fixes. Organizations that align identity investments to future business needs—cloud adoption, M&A activity, AI initiatives, Zero Trust—are far better positioned to prioritize the right gaps and mature over time.
Identity maturity is not about checking boxes. It’s about building a cohesive roadmap that recognizes identity as foundational infrastructure.
Perhaps the most urgent set of conversations at the conference centered on non-human identities—and the speed at which they are proliferating.
Many organizations are still struggling to manage basic user identities tied to employees and contractors. At the same time, non-human identities are exploding in number and complexity:
• Service accounts
• Application identities
• Cloud workloads
• Containers and Kubernetes clusters
• APIs and integrations
• IoT devices
One statistic shared during the conference was particularly striking: machine identities now outnumber humans by more than 80 to 1 in many environments. For every user ID, there may be dozens—or hundreds—of machine identities accessing systems behind the scenes.
This growth is being accelerated by cloud-native architectures, DevOps pipelines, and the rapid adoption of AI-driven systems. According to Gartner data referenced at the conference, 94% of organizations report an increase in machine identities, driven largely by automation and scale.
Yet many of these identities remain:
• Poorly inventoried
• Over-privileged
• Long-lived
• Protected by static secrets or unmanaged certificates
From a risk perspective, non-human identities now represent one of the largest—and least controlled—attack surfaces in the enterprise.
The rise of agentic AI adds a new layer of urgency to identity management challenges.
AI agents don’t behave like traditional users—or even traditional applications. They operate autonomously, interact with multiple systems, and often make decisions at machine speed. That creates an entirely new category of identity risk.
A particularly sobering insight shared at the conference was this: By 2028, 50% of AI initiatives are expected to stall or fail due to identity management challenges.
This isn’t a failure of AI models or compute—it’s a failure of identity governance.
At the same time, Gartner highlighted that 50% of organizations are actively developing strategies to engage with machine customers and AI agents. That includes external non-human identities interacting with websites, APIs, and digital services—well beyond traditional IAM boundaries.
The implication is clear: identity programs must expand to account for autonomous actors, both internal and external. Organizations that don’t adapt will find identity becoming the bottleneck that limits innovation.
One point worth emphasizing is the inextricable link between identity and Zero Trust.
If an organization has a Zero Trust initiative underway, identity is not just one component of the strategy—it is the core. Without strong identity controls, Zero Trust remains theoretical.
Zero Trust requires:
• Accurate identity verification
• Continuous authentication and authorization
• Strong governance over access rights
• Visibility into all identities—human and non-human
Until identity is under control, Zero Trust architectures cannot function as intended. Identity is the control plane upon which Zero Trust policies operate.
Another practical thread running through the conference was the question: Are organizations getting the most value from the IAM tools they already own?
Whether it’s Microsoft, SailPoint, Okta, Ping, CyberArk, or others, many organizations have made significant investments in IAM technology but haven’t fully operationalized or integrated those platforms.
Common challenges include:
• Incomplete deployments
• Limited cross-platform integration
• Underutilized features
• Manual processes layered on top of automated tools
The message from Gartner was not “buy more tools,” but rather mature what you already have. That includes improving governance, aligning processes, and integrating identity controls into broader security and business workflows.
The Gartner IAM Conference made one thing unmistakably clear: identity is no longer a supporting security function. It is strategic infrastructure.
From Zero Trust to AI, from cloud to automation, identity sits at the center of nearly every major technology initiative. Organizations that treat it as such—building cohesive identity fabrics, addressing non-human identity risk, and aligning IAM strategy to business outcomes—will be far better positioned for what’s coming.
And for those just getting started, the message is equally important: you don’t have to solve everything at once. But you do need a clear direction.
Because in today’s environment, no security strategy—and no digital transformation—succeeds without identity at the core.