
[Gartner SRM Summit 2025] Outlook for Identity and Access Management (IAM)

On Day 2 of the Gartner Security and Risk Management Summit 2025, Akif Khan highlighted Identity and Access Management as the backbone of modern cybersecurity. He warned that rapid advances in artificial intelligence, the explosive rise of Machine IDs, and ever more complex and distributed IT environments are shaking IAM’s foundations and called for a fundamental change in approach.



In his session “Outlook for Identity and Access Management,” Khan argued that leaders must move beyond merely predicting or reacting to incremental change. They must see themselves not as system or feature managers but as strategic security leaders. Although the IAM role may not exist independently in every region, his three key prescriptions apply everywhere: grasp how AI and IAM interact, tackle the untamed risks of growing Machine IDs, and establish governance across scattered environments.


AI and Machine IDs

The session began by exploring the technical challenges causing the greatest upheaval in IAM environments. Khan identified three urgent areas demanding immediate attention:


  • Three dimensions of AI in IAM

AI is more than a mere tool. It represents a new environment and an enabler. Every IAM professional must grasp these three critical factors:



  1. AI for IAM - Organizations can harness AI to bolster security by assessing protection gaps, speeding investigations, automating reporting and simplifying application onboarding. Generative AI assistants can drive these improvements and boost IAM efficiency.


  2. IAM for AI - As companies deploy AI applications, agents and large language models, the need for dedicated identities for these systems has grown. IAM must now grant proper authentication and permissions to AI agents and protect against prompt injection, misuse and data scraping.


  3. IAM versus AI - Threat actors already weaponize AI to craft sophisticated deepfakes for social engineering, bypass biometric controls and launch automated API attacks. IAM serves as the frontline defense against these AI-driven threats.


“A Major Headache” Machine IDs

While AI introduces complex challenges, Khan warned of an even more pressing risk – the uncontrolled surge of Machine IDs. These are workload identities assigned to virtual machines, containers, services and other software processes. Their numbers are skyrocketing and now far exceed the count of human user accounts in most organizations.



The statistics Khan cited in his session are striking:

  • Most organizations now have 45 times more Machine IDs than user IDs.

  • Recent studies show that 25 percent of security incidents originate from unmanaged Machine IDs.


At PAGO we’ve also observed a high proportion of attacks leveraging “valid accounts.” For example:

  • B2B or B2C accounts issued and later never revoked were used to infiltrate corporate systems.

  • Corporate IDs assigned to unmanaged assets were compromised, and the stolen credentials were used to send bulk spam that damaged brand reputation.


Khan emphasized that protecting and managing Machine IDs often falls outside the scope of typical IAM projects. He explained that tackling this issue requires essential cross-department collaboration—development, infrastructure and operations must work together to define policies, assign ownership and build the necessary capabilities.


Escaping “Peter Pan Syndrome”

The session also delved into the professional and cultural growth that IAM leaders must embrace. Khan labeled the tendency for IAM practitioners to view themselves merely as system administrators “Peter Pan Syndrome.” He argued this mindset is dangerously outdated. In today’s boundary-less world, identities represent both the prime target and the primary control mechanism. Consequently, the role of the IAM leader must fundamentally evolve from gatekeeper to strategic security champion.


To support this new role, Khan introduced two core concepts:


  1. ID-First Security “3 Cs” - A proactive mindset for building a resilient IAM infrastructure based on three principles:

    • Consistency - Enforce uniform, centrally defined access policies across all distributed assets.

    • Contextual Awareness - Leverage every available endpoint signal, such as time, location and user or system behavior, to make dynamic, risk-based access decisions.

    • Continuousness - Apply security checks not only at login but throughout the entire session, following standards such as the Continuous Access Evaluation Protocol (CAEP).



  2. Identity Threat Detection and Response (ITDR) - Khan clarified that ITDR is not a separate market but a set of processes for detecting and responding to attacks against the IAM infrastructure itself. More importantly, he described ITDR as a catalyst for collaboration. By pursuing ITDR, IAM teams break out of their silos and work directly with SOC, infrastructure security, operations and service departments. This collaboration becomes the vital link needed for a truly integrated security posture.


Practical Governance for Distributed IAM

The final core topic covered the operational reality of modern IAM. Since IAM tasks - ranging from cloud account provisioning to Machine ID creation - are carried out continuously by teams across the organization without central oversight, a lack of visibility, auditing and policy leads to dormant accounts, excessive access permissions and unmanaged identities that create Shadow IT and other hidden risks.


To put governance in place that empowers rather than hinders work, Khan proposed a clear, multi-faceted approach:


  • Establish Ownership: The first step is to formally designate risk owners. Each team performing an IAM task must be held accountable for that task, moving from ambiguity to clear responsibility.

  • Define Guardrails: Set high-level policies—such as “all new applications must use single sign-on” or “all privileged accounts require multifactor authentication”—and then translate them into specific, actionable rules tailored to your environment, leaving no room for misinterpretation.

  • Build Visibility: Clear ownership and guardrails naturally drive greater visibility. To manage risk, you first need to see it. That means surfacing the “invisible threats” that form your actual attack surface.


To operationalize this approach, Khan introduced the VIA model:


  • Visibility: Gain a complete view of your entire IAM environment

  • Intelligence: Use that visibility to prioritize risks and create a risk heatmap

  • Action: Execute concrete steps, such as removing stale accounts or adjusting permissions based on the intelligence gathered



The effectiveness of these actions depends entirely on the quality of the intelligence, which in turn relies on how much visibility you’ve achieved. This entire process must be systematized so that progress and value can be measured and reported to business leaders.
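The ownership and guardrail rules and the VIA loop described above can be sketched as a small audit over an identity inventory. This is an added example, not material from Khan's session or from PAGO; the inventory, field names, rule weights and the 90-day staleness threshold are constructed assumptions.

```python
from datetime import date

# Visibility: constructed sample inventory; every record and field name is hypothetical.
INVENTORY = [
    {"id": "alice", "kind": "human", "owner": "hr", "privileged": True, "mfa": True, "last_used": date(2025, 6, 1)},
    {"id": "bob-admin", "kind": "human", "owner": "it", "privileged": True, "mfa": False, "last_used": date(2025, 6, 5)},
    {"id": "partner-b2b-17", "kind": "human", "owner": "sales", "privileged": False, "mfa": False, "last_used": date(2024, 1, 15)},
    {"id": "svc-backup", "kind": "machine", "owner": None, "privileged": True, "mfa": False, "last_used": date(2024, 11, 2)},
    {"id": "ci-runner", "kind": "machine", "owner": "devops", "privileged": False, "mfa": False, "last_used": date(2025, 6, 9)},
]

STALE_AFTER_DAYS = 90  # assumed threshold; set it from your own policy


def findings(identity, today):
    """Intelligence: check one identity against the guardrails, return (rule, weight) pairs."""
    hits = []
    if identity["owner"] is None:  # ownership guardrail: every identity has a risk owner
        hits.append(("no-owner", 3))
    # MFA guardrail is applied to human accounts only; workloads cannot answer an MFA prompt.
    if identity["kind"] == "human" and identity["privileged"] and not identity["mfa"]:
        hits.append(("privileged-without-mfa", 5))
    if (today - identity["last_used"]).days > STALE_AFTER_DAYS:
        hits.append(("stale", 4 if identity["privileged"] else 2))
    return hits


def via(inventory, today):
    """Return (heatmap, actions): finding counts per (kind, rule) and a prioritized action list."""
    heatmap, actions = {}, []
    for identity in inventory:
        hits = findings(identity, today)
        if not hits:
            continue
        rules = [rule for rule, _ in hits]
        for rule in rules:
            key = (identity["kind"], rule)
            heatmap[key] = heatmap.get(key, 0) + 1
        score = sum(weight for _, weight in hits)
        # Action: stale identities are disabled pending owner review, others are remediated in place.
        step = "disable-pending-review" if "stale" in rules else "remediate"
        actions.append((score, identity["id"], step, rules))
    actions.sort(key=lambda a: (-a[0], a[1]))  # highest risk first, stable by id
    return heatmap, actions


if __name__ == "__main__":
    heatmap, actions = via(INVENTORY, date(2025, 6, 10))
    for score, ident, step, rules in actions:
        print(f"{score:>2}  {ident:<16} {step:<24} {', '.join(rules)}")
```

The heatmap counts, tracked over time, are one way to produce the measurable progress the paragraph above asks to report to business leaders.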


Actionable Recommendations for Security Professionals

Based on Khan’s session, IAM leaders and cybersecurity experts should take the following steps:


  1. Develop a Three-Dimensional AI Strategy: Immediately plan for AI in three dimensions - AI for IAM, IAM for AI, and IAM versus AI - so you understand AI’s impact and leverage it effectively.

  2. Suppress Machine ID Sprawl: Form an interdepartmental task force to identify Machine ID proliferation, define a management strategy, and implement controls.

  3. Launch Governance Initiatives: Formalize responsibilities and guardrails for distributed IAM activities. Clarify who does what and where to make hidden risks visible.

  4. Operate the VIA Model: Turn visibility into actionable intelligence and use it to drive specific risk-reduction measures.


Akif Khan’s presentation offered a compelling blueprint for the future of identity and access management. His message was clear: the era of passive, administrative IAM is over. While addressing AI integration and Machine ID management may seem daunting, these challenges present a prime opportunity to cement IAM’s role as the very foundation of corporate security. Use the insights from this session to sharpen your defenses and protect your infrastructure against emerging threats.


Author - Pyo Kwon, CPTO | PAGO Networks
