More complexity, more non-human IDs and shifting strategies -- identity predictions for 2025

Identity is at the root of most cyberattacks, but although we're seeing greater adoption of things like biometrics, we still rely heavily on passwords.

There's added complication in the form of soaring numbers of machine identities too. Here's what some industry leaders think the identity landscape has in store for 2025.

Elia Zaitsev, CTO at CrowdStrike, sees no slowing down in identity-based attacks:

Identity-based attacks continue to rise -- 75 percent of attacks to gain initial access are now malware-free. As adversaries become more skilled at exploiting stolen credentials, they will increasingly target interconnected domains within a victim’s architecture -- identity, cloud, endpoint, data and AI models. These attacks leave minimal footprints in each domain, appearing as isolated events, much like separate pieces of a puzzle -- making them difficult to detect.

In 2025, security leaders must integrate unified visibility across the entire kill chain, enabling cross-domain threat hunting to detect deviations from normal user behavior and catch anomalies before they escalate into breaches. While a strong focus on identity protection will be key to early detection, organizations cannot rely on automation alone to safeguard all areas of enterprise risk. Solving the cross-domain puzzle requires a combination of advanced technology, irreplaceable human expertise, and cutting-edge telemetry to inform proactive decision-making.

Tim Eades, CEO and co-founder at Anetac, sees a blurring of the lines between human and machine identities. "The evolving identity security landscape will force regulators to abandon the traditional separation between human and machine identities. At Anetac, we're seeing a stark reality: for every human account, there are 40 connected non-human accounts. Soon, tokens, service accounts, and APIs will be treated as part of a single identity entity requiring unified protection. This shift mirrors the evolution of automotive safety -- while seatbelts existed in the 1950s, mandating them came much later. We're at that inflection point for identity security, and venture capitalists are already positioning their investments accordingly."

Ev Kontsevoy, CEO of Teleport, thinks the same. "Tools for managing identities in computing infrastructure have always operated on the assumption that the user is a human or machine. But that distinction will stop making sense in 2025 because these tools were never built for AI agents that straddle the line between human and machine. These agents will be subject not just to malware but also identity-based attacks at the same time. I don't think the cybersecurity community is prepared for the enormous ramifications of the risks these agents pose. Many AI deployments were implemented in 2024 under the assumption that AI would function as conventional software, without a dedicated framework to define what AI agents can or cannot do. But AI agents aren't conventional software. They behave in non-deterministic ways like humans, and like humans, AI agents can be deceived. Researchers have already successfully manipulated AI assistants before into extracting sensitive user data by convincing it to adopt a 'data pirate' persona."

Danny Brickman, CEO and co-founder at Oasis Security, believes better solutions are needed for managing non-human identities. "While every organization requires a solution to manage and secure its non-human identities (NHIs), in highly-regulated industries, the need for a dedicated NHI management solution is paramount. Financial institutions, for example, have access to vast amounts of sensitive data, and as such are highly regulated and frequently audited."

Sam Peters, chief product officer at ISMS.online, thinks added complexity will lead to challenges. "As digital identities become more complex, a rise in synthetic identity fraud could pose an unexpected challenge. In these attacks, threat actors combine real and fake data to create entirely new digital personas that pass as legitimate. This could become a significant issue in finance, healthcare, and even social media, where identity verification processes are often automated and could be easily tricked. AI tools to detect anomalies in identity behaviors will be crucial to mitigating this trend."

Mona Ghadiri, senior director of product management at BlueVoyant, thinks policies will need to change in the face of AI threats. "The threats to come in 2025 will also target identity and will probably use AI to do its job. Things like clamping down on conditional access policies and considering whether that BYOD policy is worth the risk are good ways to prepare."

Deepak Taneja, CEO and co-founder of Zilla Security, echoes this:

In 2025, identity security will reach an inflection point as attackers focus on exploiting overlooked dependencies in identity ecosystems, such as interlinked machine identities that create excessive entitlements. While organizations have made strides in managing secrets like credentials and certificates, the rapid growth of interconnected systems will present new vulnerabilities. Attackers are now targeting overlooked configurations and shared resources to bypass traditional defenses.

CISOs must shift their strategies from simply managing secrets to actively identifying dependencies that create excessive entitlements, leveraging AI to ease the management and monitoring of identity entitlements to pre-empt attacks, and developing playbooks for quickly remediating stolen secrets. The future of identity security will depend on not just controlling credentials and managing entitlements, but anticipating where attackers will strike next.

Blair Cohen, founder and president of AuthenticID, sees a continued move away from passwords as a means of verifying identity. "We are witnessing a significant shift from traditional passwords to biometric and AI-driven identity verification methods as we approach 2025. These technologies are not just about security; they enhance the user experience and build greater confidence among businesses and their customers. Reauthentication is a crucial aspect of this evolution, which requires users to provide additional verification to maintain access to their accounts. This extra layer of security protects sensitive information by ensuring users are continuously validated, making it increasingly difficult for unauthorized individuals to gain access. By embracing biometric authentication and implementing regular re-authentication practices, organizations can greatly strengthen their security posture and mitigate the risk of identity-related fraud."

Geethika Cooray, vice president and general manager, IAM Business Unit, at WSO2 says:

In 2024, we witnessed IAM solutions maturing in areas of access control, transforming into enablers of exceptional digital experiences. The rapid adoption of passwordless authentication, decentralized identity, and AI-driven capabilities has redefined how organizations safeguard both security and user convenience.

Looking ahead to 2025, we anticipate further innovation as digital ecosystems expand. The convergence of identity and customer experience will push enterprises to embrace Customer Identity and Access Management (CIAM) platforms that deliver seamless, secure journeys, converging areas such as access management, identity verification and customer data platforms.

Regulatory shifts will also drive organizations to adopt privacy-first IAM frameworks, aligning with growing consumer demands for transparency and control. In this landscape, IAM will no longer be a backend process -- it will be a strategic advantage, directly influencing brand trust and loyalty.

Ofer Regev, CTO at Faddom, believes we'll see an expansion of zero trust into identity verification. "Zero Trust will expand beyond devices and networks to include identity verification frameworks for all digital interactions. With the surge of remote work and decentralized systems, traditional identity models will fall short. This will demand tools capable of tracking and validating user and system behaviors across dynamic IT landscapes."
