Identity is not just a piece of your security puzzle - it’s the whole board. Breaches are on the rise, attackers are getting smarter, AI has made attacks more persistent and damaging, and the only thing standing between your systems and the next big headline is how you manage access.
At SGNL, we work with industry leaders to push the boundaries of what’s possible in identity and access management (IAM). This year, we saw incredible shifts. Zero-Standing Privilege (ZSP) became the best practice everyone’s aiming for, with dynamic authorization seen as critical, and enterprises getting serious about managing non-human identities.
But what’s next? Now that we’re firmly into 2025, we’re taking stock of what we’ve learned, listening to the industry’s brightest, and driving ahead to meet what’s coming.
In this blog post we’ve pulled together some of the most resonant ideas and insights we received from identity and security industry heavyweights on how they see the industry moving forward. And a special thank you to Heather Flanagan for her help in herding all of the cats and getting us all to the table to gather this insight.
From AI-driven automation to real-time policy enforcement, these are the trends shaping the future of IAM - and how you can get ahead:
The year of dynamic identity security: 2024’s key takeaways
Zero Standing Privilege takes the lead
In 2024, Zero Standing Privilege (ZSP) became the gold standard for securing critical systems. By ensuring users only have access when business needs demand it, ZSP reduced the risk of standing access being exploited in breaches.
As we noted in “ZSP vs Manual Privileges: Different Strategies, Vastly Different Outcomes”:
“Traditional standing privileges give attackers a window of opportunity. ZSP shuts that window - minimizing the attack surface without slowing down legitimate access.”
This principle resonated strongly in financial services and other highly regulated industries, where the stakes for identity-related breaches are particularly high.
Dynamic authorization becomes essential
Static, role-based models like RBAC fell further out of favor in 2024, replaced by dynamic, real-time authorization systems. As highlighted in “The Evolution of Authorization: From Static to Dynamic Access” and “How Identity Teams Can Start Adopting Centralized Authorization, Simply”, centralized, policy-driven systems proved critical for enabling just-in-time access.
Dynamic authorization also helped enterprises embrace multi-cloud environments without introducing unnecessary complexity. Dynamic systems don’t just make better decisions - they make faster ones, ensuring security keeps up with the speed of business.
The challenge of non-human identities grows
Non-human identities (NHIs) - from APIs to GenAI agents - emerged as a major area of concern. Attackers increasingly targeted machine identities, exploiting weak secrets management practices to gain unauthorized access.
The explosion of NHIs has created new vulnerabilities, and attackers are taking note. Secrets management and real-time monitoring are no longer optional - they’re essential.
2025: Where industry experts see us going
To understand what lies ahead for identity and access management (IAM), we asked a diverse group of industry experts to share their perspectives on the challenges, technologies, and strategies shaping 2025. Their insights reveal clear areas of consensus while also surfacing unique viewpoints that highlight the complexities of managing access in a rapidly changing environment.
Managing privileged access in a multi-cloud world
The growing adoption of multi-cloud environments continues to present challenges for managing privileged access. Both Jeff Lombardo and Andrew Hindle emphasized the complexity of integrating permissions and controls across cloud platforms, with Lombardo specifically highlighting the issue of “islands of permissions expressed in non-homogeneous languages.” Hindle elaborated on the organizational challenges, noting:
“Managing the breadth of things - people and services - that need some level of privileged access, coupled with the shift towards zero-standing-privilege, will be a significant challenge.”
Atul Tulshibagwale offered a solution-focused perspective, stressing the need for enterprises to adopt Zero Standing Privilege (ZSP) as a core strategy. He explained:
“Adopting a zero standing privilege strategy can ensure even if credentials are compromised, they’re just a SOC event and don’t result in catastrophic breaches.”
Enterprises will need architectures that unify privilege management across cloud environments while enabling ZSP. Hindle also pointed out that achieving this will require substantial investment in systems, time, and organizational buy-in - a reminder that the technical hurdles are matched by cultural and operational ones.
Event-driven architectures and real-time enforcement
Several respondents identified event-driven architectures as a key trend for 2025. Andrew Hindle sees these architectures as foundational for enabling real-time decisions, observing:
“Event-driven architectures will start to emerge, allowing for rapid, real-time decisions.”
Jeff Lombardo reinforced this by tying event-driven approaches to Zero Trust and ZSP, asserting that “policy-based access control with time-based conditions” is necessary to keep up with dynamic environments.
Atul Tulshibagwale highlighted the power of event-driven models for enforcement, emphasizing how they align with real-world business needs:
“Real-time policy enforcement doesn’t just improve security - it ensures access decisions are directly tied to what’s happening in your business at that moment.”
The convergence here reflects a shared belief that real-time enforcement will be essential for enterprises navigating modern security challenges. However, Joe Sullivan added a unique perspective by framing real-time enforcement as part of the broader push for “regaining a holistic perspective on the access granted to each employee,” especially in fragmented cloud environments.
The role of AI in policy enforcement and automation
There was near-unanimous agreement on the potential of AI to transform IAM workflows, though respondents were cautious about its readiness. Ian Glazer captured this tension, noting:
“AI hasn’t yet proven itself capable of fully managing IAM policies, but that day is approaching.”
Similarly, Andrew Hindle emphasized that while AI has a role to play, “human operators must be trained with the right skills to work with these systems effectively.” Jeff Lombardo contributed a forward-looking insight, predicting that GenAI agents will optimize non-human intervention and reduce attack surfaces by automating key security functions.
Atul Tulshibagwale agreed but emphasized the importance of focusing on practical applications of AI today:
“The data required to automate access granting and removal is already in your systems of record - AI can help leverage this data to reduce exposure and improve consistency.”
Joe Sullivan tied AI directly to role-based access controls (RBAC), stating:
“Modern technology allows deployment of much better model-based approaches, addressing the rigidity and inefficiency of traditional RBAC.”
While AI isn’t a silver bullet, its ability to enhance automation and refine policy enforcement is already reshaping IAM strategies. However, enterprises must address the skill gap to fully leverage these capabilities.
Enhanced secrets management for non-human identities
The proliferation of non-human identities - APIs, service accounts, and GenAI agents - was another recurring theme. Sebastian Rohr highlighted the risks posed by these entities, arguing that:
“GenAI agents and machine-to-machine interactions demand a rethink of identity security. Enterprises must move beyond human-centric frameworks to address the unique risks posed by non-human identities.”
Jeff Lombardo emphasized the need for automation in managing these identities, predicting that GenAI will optimize non-human interventions while reducing the risk of credential misuse. Atul Tulshibagwale connected this to ZSP, arguing that applying the same real-time enforcement principles to machine identities is critical for mitigating the blast radius of attacks.
Both analysts converge on the need for robust secrets management, credential rotation, and monitoring solutions tailored to non-human identities. Their insights underscore that managing machine identities is no longer a secondary consideration - it’s a frontline security challenge.
The future of compliance and governance
Evolving regulatory requirements were a key concern for Andrew Cameron, who noted:
“Most regulatory requirements will focus on validation of how access is governed - being able to demonstrate these processes with as few tools as possible will be critical.”
Ian Glazer echoed this, emphasizing the challenges posed by increasingly divergent compliance landscapes across geographies and sectors. While the general trend is toward higher standards, enterprises will need to balance the need for compliance with operational efficiency.
Joe Sullivan highlighted the growing expectation for “just-in-time authorization controls that are meaningful and strictly tied to business need,” framing this as a natural evolution of regulatory demands.
Atul Tulshibagwale added that real-time policy enforcement will not only meet compliance needs but also simplify audits, stating:
“Dynamic enforcement ensures that every access decision is logged, justified, and auditable in real time - this isn’t just a security win; it’s a compliance game-changer.”
Together, these perspectives suggest that compliance in 2025 will be about more than meeting static requirements. Enterprises will need systems capable of providing real-time visibility and auditability, especially as regulators focus on dynamic enforcement and process validation.
Concluding thoughts: the road ahead
The insights from these seven respondents paint a picture of an IAM landscape in flux. Some trends - like the push for Zero Standing Privilege and event-driven architectures - are gaining broad acceptance. Others, like the role of AI and the challenges of managing non-human identities, reflect areas where the industry is still finding its footing.
As Ian Glazer aptly summarized,
“The future of identity isn’t just about managing access - it’s about enabling resilience.”
Enterprises preparing for 2025 should get ready to embrace dynamic architectures, invest in automation, and build the expertise needed to thrive in an increasingly complex regulatory and technological environment.