Top 10 Identity Security Insights from Forrester’s 2025 Security & Risk Summit
Bottom line: Identity security stands at an unprecedented crossroads, with machine identities creating greater complexity and potential chaos every security professional needs to plan for.
At Forrester’s 2025 Security & Risk Summit, Merritt Maxim, VP and Research Director at Forrester, delivered critical insights highlighting the escalating threats shaping identity security’s evolution. CISOs and security leaders find themselves navigating surging threats driven by generative AI, the rapid proliferation of non-human identities, and outdated IAM infrastructures originally designed solely for compliance. Maxim emphasized a pressing urgency: identity strategies must adapt or risk catastrophic breaches and compliance failures.
Here’s a detailed breakdown of the top 10 insights from Forrester’s Summit, including the specific slides from Maxim’s presentation and deeper insights from Forrester’s latest data:
1. Identity Security Budgets Accelerate Toward $27.5B by 2029
IAM investment is growing explosively, set to nearly double from $13.4 billion in 2024 to $27.5 billion by 2029, driven by the escalating complexity and severity of identity-related threats such as AI-driven deepfakes, sophisticated supply-chain attacks, and rampant cloud misconfigurations. This positions IAM as cybersecurity’s third fastest-growing segment, underscoring identity security as a business-critical imperative.
2. Hybrid IAM Still Dominates—77% Keep On-Premise Components
Despite the relentless push to the cloud, 77% of organizations continue relying on hybrid IAM deployments due to legacy infrastructure and regulatory constraints. Fully cloud-based identity management remains a distant reality, with only 9% fully transitioned. Maxim stressed hybrid IAM’s persistence, highlighting the necessity for seamless integration capabilities between on-premises systems and cloud IAM platforms.
3. Third-party Risk Matches Compliance as a Top IAM Driver
Forrester revealed a pivotal shift: managing third-party identities (32%) is now equally critical as regulatory compliance (32%) in driving IAM investments. High-profile breaches at Okta and CyberArk underscore vulnerabilities introduced by third-party identities, necessitating robust governance models that go beyond basic compliance checklists.
4. Static Entitlements Are Obsolete; Zero Standing Privilege Is Now Mandatory
The static entitlement model—assigning privileges during onboarding—is officially outdated. Forrester highlighted Zero Standing Privilege (ZSP) architectures as the definitive new standard, utilizing the Continuous Access Evaluation Protocol (CAEP) to dynamically assign permissions at runtime. This strategy mitigates rampant privilege sprawl, dramatically reducing attack surfaces.
5. Identity Management Converges Across Security, Marketing, and CX
Enterprises are rapidly integrating fragmented identity management systems across marketing, customer experience (CX), fraud prevention, and security. Maxim emphasized that businesses consolidating these functions significantly improve detection speed, minimize breaches, and enhance end-user experience. Leveraging customer preference and security data together is becoming a strategic advantage.
6. Vendor Consolidation Radically Reshapes IAM Markets
IAM vendor consolidation accelerated significantly, highlighted by major moves such as Palo Alto Networks acquiring CyberArk, Ping Identity merging with ForgeRock, and CrowdStrike purchasing Adaptive Shield. Enterprises increasingly demand integrated identity platforms combining PAM, IGA, and Identity Threat Detection & Response (ITDR), driving these high-profile acquisitions.
7. Generative AI Exacerbates Identity Threats but Offers Transformational Defenses
Generative AI escalates identity threats dramatically through enhanced phishing and sophisticated deepfake impersonations. Conversely, GenAI’s defensive capabilities are equally transformative, enabling automated identity threat detection, rapid response, and real-time entitlement adjustments. Maxim described these dual dynamics as essential to future IAM strategies.
8. Machine Identities Are a Critical Emerging Attack Vector
The explosive growth in non-human identities (IoT, APIs, AI agents) vastly expands attack surfaces. Enterprises urgently need automated platforms from vendors like CyberArk, Venafi, and HashiCorp to manage this surge. Forrester highlighted machine identities as a rapidly intensifying risk requiring immediate attention and robust governance.
9. Phishing-Resistant MFA Is Dangerously Under-Deployed
Alarmingly, only 21% of companies deploy phishing-resistant MFA after breaches, despite the increasing sophistication of MFA-bypass attacks. Forrester insists enterprises must urgently adopt solutions like FIDO2 and WebAuthn. Maxim warned that neglecting these standards leaves companies dangerously exposed to credential-based compromises.
10. Context-Aware IAM Becomes a Real-time Security Necessity
Static IAM fails against machine-speed threats. Context-aware IAM, powered by dynamic authorization, continuously assesses real-time user behavior, device posture, and threat intel. Forrester identifies this adaptive approach as critical, turning identity from a passive gatekeeper to a proactive defender, which is essential for stopping attacks before damage occurs
Bottom Line: Adaptive identity security defines enterprise survival
Identity security has become synonymous with enterprise survival. Merritt Maxim’s compelling insights from Forrester’s 2025 Security & Risk Summit underscore a new identity imperative: convergence, consolidation, and context must drive strategic identity transformations. Following Forrester’s lead, enterprises must prioritize investment in dynamic Zero Standing Privilege architectures, integrated identity platforms, generative AI-enabled threat response, robust machine identity management, and phishing-resistant MFA immediately. The future of enterprise resilience hinges directly on evolving identity security today.
