As we look toward 2025, the lessons of 2024 serve as a stark reminder of the rapidly evolving identity and access management (IAM) landscape. The numbers tell the story: The latest Identity Theft Resource Center report indicates that consumers experienced a 21-percentage-point rise in identity crime victimization between July 2023 and June 2024. Meanwhile, the Thales 2024 Data Threat Report highlights the challenge of securely managing third-party and contractor access, a figure expected to rise as ecosystems grow ever more interconnected.
In parallel, the rapid adoption of generative AI technologies brought not only unprecedented productivity gains but also complex risks, with only 11% of businesses admitting they have implemented proper safeguards for AI-driven systems. These trends make it clear: in 2025, IAM is no longer a back-office concern—it's the linchpin of digital trust, business resilience, and innovation.
Enterprises, both public and private, are working far more with third parties—from suppliers to contractors to corporate customers and more. These identities will soon outnumber internal employee identities by 3:1. Meanwhile, supply chain attacks are also on the rise, with many instances resulting from third-party attacks that cascade across customers.
Increasingly visible supply chain attacks prove the need to better understand business-to-business (B2B) identities, an area that historically hasn’t fit into the conventional workforce identity use cases. With security leaders continuing to oversee a growing number of external identities within more digital processes, including access to their internal data and applications, securing B2B identities will become a top priority in 2025.
The ongoing conversations around a passwordless future have dominated the industry for a long time. However, over the last year, major companies, including Microsoft most recently, announced their plans to introduce passkey support to eliminate passwords completely. Passkeys are already gaining momentum, with 30% of consumers implementing this passwordless authentication method.
In 2025, we will see a ripple effect in the use of passkeys, primarily visible in the banking industry, due to growing use within mobile banking applications such as Apple Pay. Passkeys offer banking-grade authentication, allowing FinServ organizations to meet regulatory compliance while enhancing the end-user experience. This continued demand will further drive passkey adoption elsewhere, meaning 2025 will be the year passkey talk starts to walk the walk.
The US needs to catch up with other countries in establishing federal-level regulation around data privacy; typically, this has been dealt with on a state-by-state basis, with some, like California, introducing their own flavor of privacy acts. In 2024, we saw the introduction of the American Privacy Rights Act (APRA), which is still awaiting approval, bringing federal regulation closer to reality.
The future of APRA is currently uncertain, and while it’s not possible to predict how emerging regulations may unfold, we expect APRA and data privacy to remain central to discussions in the year ahead in the US. This will force data privacy further into the spotlight and bring into question how data dynamics may change for companies, including how they store, share, and look at their data under the lens of privacy. In turn, this affects IAM requirements, which are forced to shift with changing legislation and continually adapt to new requirements.
We are already witnessing increased use of AI tools that quickly generate synthetic content, including images and videos. These tools also gather personal identity data that goes beyond basic identification, encompassing preferences, lifestyle information, and social data. However, these tools also lead to ever more realistic identity fakes that fraudulently open new accounts. This is of particular concern to financial services, which have a mandated requirement to combat and eliminate this fraud.
In 2025, we will witness a growing adoption of digital identity wallets, as well as AI and machine learning-powered document verification, and biometric identity verification within the financial services industry. This trend will respond to the rising use of deepfakes by fraudsters who attempt to open new accounts using stolen or completely fabricated identities. As physical identity documents become digitized, methods for verifying credentials will continue to gain popularity, especially with the support of regulations like eIDAS 2.0 in the EU, which will drive this transformation.
The identity and access management landscape must adapt or perish in today’s complex web of technologies, services, cloud identities, and kaleidoscopic compliance regulations.
Because of their intersection with fallible human tendencies, identities are a coveted target among threat actors looking for easier ways to compromise well-secured networks. As detection and response tools have elevated the level of sophistication required for a successful attack, the area in which human error, weakness, and judgment still play a pivotal role – the creation and execution of our own credential-based access – is attracting ever more attention from malicious outsiders.
The far-flung third parties and productivity tools meant to bring closeness and convenience to modern work also leave organizations on the brink of peril as speedy progress threatens to outstrip security yet again. On the other hand, the growing prominence of security in public consciousness has brought about positive changes like increased privacy legislation and the need to ditch vulnerable credentials for something humans can’t mess up – at least, not that easily.
The Verizon 2024 DBIR notes that one in two data breaches can be traced back to poor identity and access management capabilities (“compromised credentials”). The security trends on the IAM horizon suggest that this next year, those numbers have the potential to change for the better. Given the strength of force-multiplying entities like AI-driven productivity suites and hyperconnected supply chains, though, it won’t be without a fight.