The Future of IAM is…

BY: kkapadia@bloksec.com

Recap: The Future of IAM – NKST Panel Discussion

Missed our panel at the NKST IAM Summit? Don’t worry, we have summarized the high-stakes conversation for you. The overarching theme was clear: The perimeter hasn’t just moved; it has dissolved into a complex web of authority, AI, and human psychology.

Here is a quick recap of the shifts every identity leader needs to track.

1. From Access to Authority

We are moving beyond “Can this user log in?” to “What exactly are they authorized to do?” The panel agreed that if organizations don’t shift from managing access to managing authority, their governance models will break under the weight of dynamic, automated permissions.

2. Valid Access: The Modern Threat Model

Most breaches today don't involve an exploit at all; they use valid credentials and MFA tokens: credentials that are stolen, sniffed, or phished, and MFA that is bypassed or vished (defeated by voice phishing).

  • The Underestimated Capability: passwordless authentication built on strong cryptography and biometrics, enforcing zero trust principles.
  • The Reality: organizations still do not make effective use of modern authentication methods to deter misuse of trusted identities and to secure the "front door".

3. Identity Proofing & The AI Challenge

In banking and healthcare, "knowing your user" is no longer a one-time event. Users connect to services dozens to hundreds of times a day; in healthcare, that can also mean from different devices anywhere across a facility. Imagine an ER doctor moving from room to room, patient to patient.

  • Why it matters: Regulatory shifts and AI-driven fraud mean identity proofing must be advanced and continuous.
  • The AI Double-Edge: While AI helps verify identities, it also powers the deepfakes that target human trust. When technical authentication is bypassed by social engineering, our design must focus on "verifiable out-of-band" triggers along with authentication that cannot be forged or replayed.

4. The Rise of Non-Human Identities (NHI)

As AI agents begin to act with real authority, current IAM models are failing to scale. We need a fundamental shift in how we define trust and accountability for entities that do not have a heartbeat but have the power to move millions of dollars or delete databases. Organizations need to enforce just-in-time runtime authorization and move away from always-on access for AI agents.
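To make "just-in-time runtime authorization" concrete, here is an added example (not code from the panel, from BlokSec, or from this post) of a broker that gives an AI agent no standing permissions: the agent asks for a grant covering one action on one resource, the broker checks a policy table and issues a short-lived, use-limited grant, every action is authorized against that grant at runtime, and a single revoke call cuts off all of the agent's authority at once. The agent name, resource names, policy table and TTLs are assumed values chosen for illustration.

```python
import secrets
import time
from dataclasses import dataclass

# Added example, not the panel's or BlokSec's code. Principal names, resource
# names, TTLs and the policy table are constructed values.


@dataclass
class Grant:
    grant_id: str
    principal: str
    action: str
    resource: str
    expires_at: float
    uses_left: int
    revoked: bool = False


class AuthorityBroker:
    MAX_TTL_S = 300  # hard cap regardless of what the requester asks for

    def __init__(self, policy: dict, clock=time.time):
        # policy maps (principal, action, resource) -> maximum uses per grant
        self.policy = policy
        self.clock = clock      # injectable so expiry can be tested deterministically
        self.grants: dict = {}
        self.audit: list = []

    def request(self, principal, action, resource, justification, ttl_s=60):
        """Issue a grant for exactly one (action, resource), or None if policy forbids it."""
        key = (principal, action, resource)
        if key not in self.policy:
            self.audit.append(("deny-request", principal, action, resource, justification))
            return None
        grant = Grant(secrets.token_hex(8), principal, action, resource,
                      self.clock() + min(ttl_s, self.MAX_TTL_S), self.policy[key])
        self.grants[grant.grant_id] = grant
        self.audit.append(("grant", grant.grant_id, principal, action, resource, justification))
        return grant.grant_id

    def authorize(self, grant_id, principal, action, resource) -> bool:
        """Runtime check performed on every action; consumes one use on success."""
        grant = self.grants.get(grant_id)
        if grant is None or grant.revoked:
            return False
        if (grant.principal, grant.action, grant.resource) != (principal, action, resource):
            return False   # a grant cannot be bent to a different action or resource
        if self.clock() > grant.expires_at or grant.uses_left <= 0:
            return False
        grant.uses_left -= 1
        self.audit.append(("use", grant_id, action, resource))
        return True

    def revoke_principal(self, principal) -> int:
        """Kill switch: revoke every grant a principal holds. Returns how many were still live."""
        count = 0
        for grant in self.grants.values():
            if grant.principal != principal or grant.revoked:
                continue
            if self.clock() <= grant.expires_at and grant.uses_left > 0:
                count += 1   # grants that still conferred authority at revoke time
            grant.revoked = True
        self.audit.append(("revoke", principal, count))
        return count


def run_scenarios() -> dict:
    now = [1_700_000_000.0]                # fake clock the scenarios can advance
    agent = "agent:payments-bot"
    broker = AuthorityBroker(
        {(agent, "transfer", "ledger:payables"): 1},   # single-use by policy
        clock=lambda: now[0],
    )
    results = {}

    # A scoped, single-use grant works once and only once.
    g1 = broker.request(agent, "transfer", "ledger:payables", "invoice-4242", ttl_s=30)
    results["first_use"] = broker.authorize(g1, agent, "transfer", "ledger:payables")
    results["second_use"] = broker.authorize(g1, agent, "transfer", "ledger:payables")

    # Policy has no entry for deleting the ledger, so no grant is issued at all.
    results["delete_granted"] = broker.request(agent, "delete", "ledger:payables", "cleanup") is not None

    # A grant cannot be used after its TTL, however short the window.
    g2 = broker.request(agent, "transfer", "ledger:payables", "invoice-4243", ttl_s=30)
    now[0] += 31
    results["after_expiry"] = broker.authorize(g2, agent, "transfer", "ledger:payables")

    # Revocation takes effect immediately for every grant the agent holds.
    g3 = broker.request(agent, "transfer", "ledger:payables", "invoice-4244", ttl_s=30)
    results["revoked_count"] = broker.revoke_principal(agent)
    results["after_revoke"] = broker.authorize(g3, agent, "transfer", "ledger:payables")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:15s} -> {outcome}")
```

The audit list is the other half of the design: because every grant, use and revocation is recorded with its justification, "mean time to revoke authority" becomes something you can actually measure rather than estimate.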

5. What Boards Still Misunderstand

The most dangerous myth? That IAM is “managed” just because you bought a tool. The Correction: Boards need to understand that Identity is not a project with a finish line; it is a continuous risk surface. Leaders must stop reporting on “how many users, applications and accounts are onboarded” and start reporting on “reduction in identity risks, identity risks mitigated, and mean time to revoke authority.”

6. Where Assumptions Fail: A Look Ahead

If we look 3–5 years out, the core assumption that “Identity is static” will fail first. 

  • The Pivot: If you were designing IAM from scratch today, the first thing to eliminate would be legacy authentication models (passwords and MFA) and long-lived static credentials. The One Decision to Rethink: Stop investing in password-complexity debt and start moving towards phishing-resistant, cryptographic proof of presence and runtime authorization for access.
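Sections 3 and 6 both ask for authentication that is phishing-resistant and cannot be forged or replayed. The following added example (not code from the panel, from BlokSec, or from this post) shows the mechanism that delivers those properties: the relying party issues a single-use challenge, the authenticator signs that challenge together with the origin the browser actually observed, and the relying party accepts only a proof bound to its own origin and to a challenge it still has outstanding. HMAC over a device-held secret stands in for the authenticator's private-key signature so the example runs on the standard library alone; the origins, user name and 60-second challenge window are assumed values.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not the panel's or BlokSec's code. HMAC with a device-held
# secret stands in for a private-key signature; origins, the user name and
# the challenge window are constructed values.

CHALLENGE_TTL_S = 60


def _client_data(origin: str, challenge: str) -> bytes:
    # Canonical bytes that get signed. Binding the origin into the signed
    # data is what makes the proof useless on any other site.
    return f"{origin}|{challenge}".encode()


class Authenticator:
    """Device-bound authenticator, e.g. a platform key unlocked by biometrics."""

    def __init__(self, device_key: bytes):
        self._key = device_key

    def assert_presence(self, observed_origin: str, challenge: str) -> dict:
        # The browser supplies observed_origin; the page cannot override it.
        tag = hmac.new(self._key, _client_data(observed_origin, challenge),
                       hashlib.sha256).hexdigest()
        return {"origin": observed_origin, "challenge": challenge, "tag": tag}


class RelyingParty:
    def __init__(self, origin: str, clock=time.time):
        self.origin = origin
        self.clock = clock
        self.enrolled = {}  # user -> device key (stand-in for a stored public key)
        self.pending = {}   # challenge -> (user, expiry timestamp)

    def enroll(self, user: str, device_key: bytes) -> None:
        self.enrolled[user] = device_key

    def begin_login(self, user: str) -> str:
        challenge = secrets.token_hex(16)
        self.pending[challenge] = (user, self.clock() + CHALLENGE_TTL_S)
        return challenge

    def finish_login(self, user: str, assertion: dict) -> str:
        """Return 'ok' or the reason the assertion was rejected."""
        # pop() makes every challenge single-use, whether the attempt succeeds or not
        pending = self.pending.pop(assertion["challenge"], None)
        if pending is None:
            return "unknown or already-used challenge"
        owner, expiry = pending
        if owner != user or self.clock() > expiry:
            return "challenge not issued to this user or expired"
        if assertion["origin"] != self.origin:
            return "origin mismatch"
        expected = hmac.new(self.enrolled[user],
                            _client_data(self.origin, assertion["challenge"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["tag"]):
            return "bad signature"
        return "ok"


def run_scenarios() -> dict:
    """Exercise a legitimate login, a replay, a phishing relay and a forged origin."""
    key = secrets.token_bytes(32)
    rp = RelyingParty("https://bank.example")
    rp.enroll("alice", key)
    device = Authenticator(key)
    results = {}

    # 1. Legitimate login from the real origin.
    c1 = rp.begin_login("alice")
    a1 = device.assert_presence("https://bank.example", c1)
    results["legit"] = rp.finish_login("alice", a1)

    # 2. Replay of the captured assertion: its challenge has been consumed.
    results["replay"] = rp.finish_login("alice", a1)

    # 3. Adversary-in-the-middle site relays a fresh challenge to the victim;
    #    the authenticator signs the look-alike origin the browser really showed.
    c2 = rp.begin_login("alice")
    a2 = device.assert_presence("https://bank-login.example", c2)
    results["phish"] = rp.finish_login("alice", a2)

    # 4. The attacker rewrites the origin field to the real one but cannot
    #    re-sign without the device key.
    c3 = rp.begin_login("alice")
    a3 = device.assert_presence("https://bank-login.example", c3)
    results["forged_origin"] = rp.finish_login("alice", dict(a3, origin="https://bank.example"))

    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:14s} -> {outcome}")
```

Contrast this with a one-time code typed into a page: the code carries no origin and no challenge, so a relay site can forward it to the real service within its validity window, which is exactly the MFA bypass described in section 2.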

The Bottom Line

The future of IAM is not about building better locks. It is about understanding authority in motion.

Who or what holds power right now.
What they are allowed to do in this moment.
And how fast that authority can be constrained or revoked when context changes.

Because of AI agents, frontline workers, deepfakes, and credential abuse, static identity models are already obsolete. Passwords, MFA prompts, and long-lived permissions were designed for a slower, simpler environment. That environment no longer exists.

The organizations that get this right will not be the ones with the most IAM tools. They will be the ones that redesign identity around cryptographic proof, real-time authorization, and continuous verification, treating identity as a live control system rather than a compliance checkbox.

The uncomfortable truth is this: if your security strategy still assumes identity is static, predictable, and human, then your breach is not a question of if, but when.

The future of IAM belongs to leaders willing to rethink identity from first principles, before attackers do it for them.
