The theme at the Gartner IAM Summit conference this year was clear: identity is no longer adjacent to the business. It is core to the business.
That idea showed up in the opening keynote, analyst sessions, hallway conversations, and especially in the gap between how IAM is supposed to work and how it actually works inside most organizations. After a week of listening closely, a few takeaways rose above the noise. We did not see many buzzwords or grand predictions. Just the things that IAM leaders genuinely need to address now.
Identity is the core – the Control Plane – not a layer.
Gartner framed identity as the core of the enterprise, and for once, it did not feel aspirational. It felt overdue. Identity is the control plane that governs access, trust, and risk across humans, machines, workloads, and now AI agents. This is where the idea of an identity fabric stops being theoretical and starts being practical. When identity systems are fragmented, everything downstream breaks. When they are connected, security and agility work in sync to prevent gaps and ensure efficiency.
What brought identity fabric to life was the maturity reality check. Most organizations are still early in their IAM journey, even after years of investment. Tools exist. A cohesive fabric does not. The message was simple: the way to fix fragmentation is by approaching identity as a connected system.
AI is powerful, fallible, and already taking up space everywhere.
AI was everywhere at the Summit, but the tone was refreshingly grounded, especially compared to last year, when AI was the main topic stealing the show.
Yes, AI is improving detection, analytics, and response. It is helping teams see patterns they could not see before. But the double-edged sword with AI is that it is also being used by attackers, often more creatively and at greater scale than defenders expect.
Gartner kept coming back to the same tension. AI adds real value, but it cannot be trusted without governance. And governance itself increasingly requires AI to function at speed and scale.
As AI agents begin to act more independently inside organizations, the question is whether those identities are governed with the same rigor as human ones.
If an AI agent can act, it can create risk. And if it can create risk, it needs controls.
Non-Human Identities (NHIs) are no longer the edge case
For years, machine identities have been treated as a secondary problem. That era is over. We’re in our NHI era. NHIs now outnumber human identities by 80:1 – a sobering statistic we heard at the event.
Machine identities, service accounts, workloads, APIs, and AI agents are now driving both scale and complexity in IAM environments. Gartner was clear that this trend is accelerating, not stabilizing. Autonomous agents are here and are multiplying as new uses are developed and new value is created.
Traditional IAM models were never designed for identities that appear dynamically, act continuously, and disappear without notice. But those identities still need least privileged account management, lifecycle management, and threat detection. IAM programs that only focus on humans are already behind. The center of gravity has shifted. Using the IAM apple analogy, Privileged Account Management (PAM) is at the core of the core.
Quantum risk is real and closer than most think.
A newer topic this year had a groundswell of interest. Post-quantum cryptography did not get the loudest reactions, but it may have been the most sobering topic of the week.
The concern is not that quantum computing will suddenly break everything tomorrow. The concern is that adversaries are already collecting encrypted data today with the expectation of decrypting it later. Harvest now, decrypt later is not a theory; it is a strategy.
The takeaway was not panic but preparation. Know where cryptography is used. Build agility into credential and key management. Assume that change is inevitable and ongoing. IAM leaders do not need all the answers yet. They do need to acknowledge that the clock is running.
The biggest challenges are adoption and maturity.
One statistic kept resurfacing and it explains a lot. Most organizations use less than half of their IAM capabilities. That reality showed up in conversations with practitioners who are still wrestling with broken directories, manual processes, and access chaos. They are not asking for more features. They are asking for simplicity, integration, and outcomes.
The opportunity in IAM is to help organizations actually go deeper in using what they already have in a way that reduces risk and operational friction.
Maturity is the real differentiator. Companies that offer the best support and customer success teams will be able to help their customers realize value and deepen adoption. (Check out One Identity’s top ratings in Support and great customer reviews – backed by the Gartner PAM Magic Quadrant in the ‘Strengths’ section).
In short, we didn’t see any dramatic new directions introduced at the Gartner IAM Summit. It confirmed convergence and encouraged going deeper into the initiatives many are already pursuing.
- Identity is foundational.
- AI must be governed as carefully as it is embraced.
- Non-human identities are increasing exponentially.
- Cryptographic change is coming.
- And the gap between deployment and value is still wide.
The organizations that treat identity as a living, connected fabric will be the ones that move faster and break less as the next wave hits. And that wave is already forming.