Martin Kuppinger’s 2040 IAM predictions are already becoming reality as zero standing privilege emerges as the clear path forward for modern enterprises.
Another European Identity Conference (EIC) has come and gone, and as usual, I find myself simultaneously exhausted and energized. Between the hallway conversations with fellow identity nerds, the inevitable late-night discussions over adult beverages, and the packed (I mean seriously packed) agenda of sessions, there’s a lot to process. But there was one session that crystallized what many of us have been thinking about for some time now, and I wanted to share some thoughts while they’re still fresh.
Martin’s keynote on the trends reshaping IAM struck me – not because it was surprising, but because it so clearly articulated where we’re heading and validated what many of us have been advocating for. It was downright validating for what our customers are saying and experiencing.
Tiny font notwithstanding, Martin summarized his thoughts well (as always.) And thanks to our handy dandy pocket computers, a photo of that slide has been circulating on the internet. Thanks Jim McDonald for sharing! Note the copyright on the slide… so now with all credit given, I assume we’re good to proceed. Let’s break it all down.
Image credit: Jim McDonald’s LinkedIn post, May 2025
Martin laid out seven fundamental trends that will reshape how we approach identity and access management by 2040 and beyond. While I don’t agree with all seven (buy me a beer and we’ll hash it out), there were a few that hit a home run. And what struck me most was how these trends aren’t some distant future; they’re already emerging in the most forward-thinking security organizations we have the pleasure of working with.
Let’s break down my favorites:
This isn’t just a checkbox feature; it’s a fundamental shift in how we approach access. The days of static roles and permanent entitlements are numbered. Instead, access decisions will be made in real-time based on a rich tapestry of contextual signals and data points, eventually moving beyond traditional policy constructs to AI-driven decisions.
And yes, I’ve been talking about this for a while, but seeing it at the center of Kuppinger’s vision validates what many of us have been saying: standing access is a liability, not an asset. It’s the risk multiplier that turns minor breaches into front-page catastrophes.
This shift to API-first, modular approaches means we’re finally moving away from monolithic IAM systems that try (and usually fail) to be all things to all people. The future belongs to composable systems that can be assembled and adapted to fit specific organizational needs.
Orchestration is the connective tissue that will bind our increasingly fragmented digital ecosystems. As Erik and I were discussing between sessions, this is the key to making zero standing privilege work at scale: you need something to coordinate all those real-time signals and turn them into coherent access decisions. The move to de-siloed identities will only enhance this capability.
This is where things get really interesting. Every piece of data about an identity, an access attempt, or system state becomes a signal that influences access decisions. This mirrors what we’ve been building at SGNL with our identity data fabric: leveraging signals across your security stack to drive smarter, more dynamic access decisions.
What caught my attention was Kuppinger’s point about signal strength versus signal noise. It’s not just about collecting more data points; it’s about how these signals reinforce each other to create a more confident decision framework. The more signals we have, the stronger our authentication and authorization decisions become.
Combine Signal sharing and Orchestration and you get the ability to bring identity controls to bear as conditions change. No longer do you have to wait for a joiner, mover, leaver event nor do you have to wait for someone to login to thwart misuse and abuse!
This final trend acknowledges that AI isn’t just a future tool for making access decisions. It’s already active in authentication today, and will soon transform authorization as well. The subtle but important distinction that “AI already helps in authentication decisions” reflects how far we’ve come, with behavioral biometrics and risk-based authentication already leveraging machine learning. This brings us full circle to my recent thoughts on agentic AI and the “on behalf of” problem.
What struck me most about these trends is how they all converge around a central idea: static, role-based access management can’t keep up with the complexity, speed, and risk landscape of modern enterprises.
The future of IAM is dynamic, contextual, and adaptive. It’s about replacing thousands of brittle roles with a handful of human-readable policies that can interpret the vast array of signals our systems generate to make real-time decisions.
This isn’t just a technical evolution. It represents a fundamental shift in how we think about security. The “assume breach” mentality now extends to identity: we must assume that any identity could be compromised at any time, which means we can’t rely on authentication alone. Instead, we need continuous validation based on behavior, context, and risk.
For IAM practitioners who’ve spent years battling role explosion, access certification fatigue, and the dreaded “but they need access to do their job” arguments, this vision offers hope. We’re moving toward systems that can say “yes” faster and more intelligently, rather than defaulting to “no” out of fear or “always yes” out of convenience.
Is this transformation going to be easy? No… but it also doesn’t have to be that painful. There are significant technical, organizational, and even cultural hurdles to overcome. But the direction is clear, and the pioneers (like the teams implementing zero standing privilege approaches) are already showing what’s possible. I expect many of those teams’ approaches to be on display at Identiverse 2025. A few such sessions to consider include:
As I flew home from Berlin, I couldn’t help but think about that slide with “IAM & Digital Identity 2040” at its center. The reality is, many of these changes aren’t waiting until 2040. They’re happening now for forward-thinking organizations. As Martin explained the reason why he chose 2040 was it was 2025 + 2 years to plan + 3 years to implement + 10 years to operate. Now I know of many organizations that have significant steps towards these same end goals a heck of a lot faster than 5+ years… in fact you can see some of them at IDV. The real question isn’t whether these trends will reshape IAM, but whether your organization will be leading the transformation or playing catch-up.
As an ex-analyst, I can sometimes find it hard to agree with other analysts. (I know, it’s a character flaw; I’m working on it.) But I am also ready, willing, and able to point out the great work other analysts do… and this is one of those cases. I think Martin really nailed it! I’d be curious if you agree… are you seeing a path towards the kinds of outcomes Martin called out? Lemme know in the comments!
Want more of the latest identity-first security topics and trends delivered to your inbox? Helpful and insightful content, no fluff.