Gartner IAM Summit London 2025: key takeaways from the ground

Mat Hamlin’s key insights from the Gartner IAM Summit 2025, where identity-first security and Zero Standing Privilege took center stage.

Mat Hamlin, Director of Product Marketing, SGNL
March 31, 2025

If you were at the Gartner Identity & Access Management Summit in London this week, you already know: It wasn’t about the latest new acronym. It was about making identity work in the real world. Between packed sessions, hallway chats, and some very lively interop demos, there was a clear shift in tone. Identity is recognized as a strategic foundation. And everyone, analysts to system integrators to large enterprises, seems to agree we need to rethink the way we’re doing it.

Here’s a quick recap of what stood out, what got people talking, and where the industry seems to be headed.

Identity-first security vs. identity security

The keynote kicked off with “Identity-first security” as the main theme. The message was clear: identity is no longer just a supporting player in security architecture; it is the main character, but with that recognition comes scrutiny. Gartner defines identity-first security as “an approach that makes identity-based controls the foundational element of an organization’s cybersecurity architecture.” This shift is bringing identity to the forefront of many CISOs’ priorities.

“Identity Security,” on the other hand, was panned as hype and a term that every vendor in all identity disciplines seems to deliver. Felix Gaehtgen put it best during one of the sessions: “Identity Security is like love, hard to describe, but you know it when you feel it. One thing that you know is that it cannot be bought.” (Not quite poetry, but memorable.) At the end of the day, it’s just semantics, but I do think it helps organizations and practitioners narrow their focus to a key point: Identity is critical to your organization’s security and now is the time to move towards being an identity-first business.

Standards interop sessions were a success, and the right people showed up

On Monday morning, SGNL’s own Atul Tulshibagwale presented with Gartner on the value of “Building a Trust Fabric With The OpenID Shared Signals Framework.” The session was well attended, and soon after, the CAEP interop session featuring eleven vendor demos began. There was an immediate crowd that dwindled over the afternoon, but in all, I estimate 150+ attendees swung by to see interop demos and ask some great questions. It was clear that practitioners and architects are very interested in moving towards continuous access evaluation across their identity and security services.

On Tuesday, the AuthZEN interop was equally successful, with thirteen vendor demos and, again, 150+ attendees excited to see what the standards working group has delivered. What I took away was that the promise of AuthZEN is real and is appreciated. Customers, specifically practitioners and developers, have long desired a standard way to externalize a policy decision, so their code and configurations don’t need to know the exact format or APIs of each solution they may have in their environment. “Prevent vendor lock-in” was also uttered a lot.

Representatives from large companies in energy, financial services, healthcare, media, and retail all stopped by, and several wanted to continue the conversation. Whether our discussions turned into near-term action or not, the engagement was real.

Zero Standing Privilege (ZSP) is landing

Identity conversations can get abstract fast. What actually landed in the hallway chats and happy hours was something much simpler:

  • The old model (manual requests, approvals, and access reviews) is complicated, cumbersome, and has not delivered on its promise of efficiently retiring risk.
  • Customers are looking for a better solution where no one has access by default. True ZSP.
  • Access is granted automatically based on what you’re working on, and it’s removed the moment the task is done.
  • Modern access decisions must include business and security context from systems you already use: ticketing, HR, PagerDuty, and CrowdStrike.

Everyone’s tired of access requests, approvals, and reviews that consume a ton of resources and don’t actually reduce risk. The idea of replacing those with policy-driven, task-based access? That felt like a breath of fresh air to a lot of folks.

The future is in the fabric

In many of the Gartner presentations, the Identity Fabric slide appeared. It’s a graphical masterpiece reflective of the rings of an old tree filled with a honeycomb of acronyms. At first glance, it’s a lot, but it’s a very complex topic that requires a visual, and theirs does a great job. They define Identity Fabric as “an evolution of an organization’s IAM infrastructure that is architected to enable identity-first security.” In other words, they are suggesting that now is the time for a mindset shift in your identity strategy, one you need to bring to your security leaders and executive team.

When I first heard the term Identity Fabric, my brain initially went straight to a centralized view of all identities, like an Identity Data Lake where you could finally understand who has access to what, what they are doing with it, and how we can use that data to improve our controls and reduce our risk. Gartner did mention this, but only as a part of a long-term Identity Fabric approach.

A key point that I personally hammered home with all the analysts I spoke with is that in a true, identity-first business, you need a lot more than just identity data. You also need correlated business data and security signals to properly control access. Who has access to what isn’t good enough anymore. Contextual access must include data like security group memberships, open service tickets, on-call schedules, clearance levels, business object/asset relationships, etc., which happens to be exactly what the SGNL Identity Data Fabric provides.

Final thought

If one theme ran through the whole event, it’s this: IAM can’t keep relying on legacy mindsets to solve modern problems. Whether it’s Zero Standing Privilege, better signals for real-time decisions, or more usable automation, the bar is being raised.
