Gartner IAM 2025

December 18, 2025 | David Bullas

Another Gartner IAM in the books. I spent my time at Gaylord Grapevine as I usually do – working at the booth, talking to folks, and showing off some cool tech. What’s not to love? And in talking to folks, I get to learn about what’s going on in Identity right now, and where the new horizons lurk. Good deal all around.

Well, mostly a good deal. I will say, conference food is conference food. Somebody please remind them that it’s not necessary to remove all flavour. Yeesh.

OK, so what did we learn in this year’s conference?

NHIs

First, Non-Human Identities are everywhere. Apparently. Certainly, judging by the number of new companies entering this space, it’s clear that people care about AI. And AI is hard. Just so.

It has been a fascinating experience, watching Machine Learning catch fire and take off and provide answers to so many questions. I started my career in Artificial Intelligence and Machine Learning many moons ago and never lost my appreciation for the power of math brought to scale. And it’s clearly being used to try to solve all kinds of problems. You can’t search for something or even open a browser without being asked to try some new AI feature that’s sure to change your world. And many companies are clearly adopting AI tools.

What is less clear is what they’re doing to govern those tools. In the worst case, you’ve let loose a hallucinating all-powerful genie into your enterprise with no controls over what it does or what data it accesses. Furthermore, we’ve been told that AI works better with more data, so you’re probably feeding it a ton of valuable information in the expectation that this will make it smarter and less prone to hit the delete all button by accident. Companies are being told that without AI they’re being left behind, and anything that slows that process down can be terrifying to an executive who wants to make sure they aren’t going to be on the losing side of the AI revolution.

However, those of us who’ve been around a while have seen this song and dance before. Automation is not new to the enterprise. We know that it requires service accounts, user credentials, the occasional security token, governance, oversight, logging…we’ve learned each of these lessons the hard way. Hopefully common sense rears its head here so that while we’re giving our gremlins water, we’re also putting them in the appropriate cages with the appropriate oversight. Otherwise, those companies are going to end up on the right side of the AI revolution but the wrong side of data breaches, deleted infrastructure, and worse.

As an aside, if you really want to see this author on a rant, ask him about the difference between AI and ML and the power of marketing. Especially if it’s after the show and he’s had one or two wobbly pops. But I digress.

Connectivity is Bad

Connectivity is actually awesome, but the state of connectivity in the wider market is clearly still very bad.

When someone buys an IGA, they buy a governance product. This seems tautologically true. However, in that honeymoon phase of “Governance. Finally!” they also often think they’ve bought a PAM solution, a single sign-on solution, an automation solution, a provisioning solution, an AI solution, a consumer identity solution, a connectivity solution, and a unicorn solution all in one. Maybe not the unicorn. And the governance vendors are occasionally guilty of leading them on and telling them that this is true. As we all know, it is not.

I have skin in this game; I work for a company that is focusing on connectivity. This is a symptom, however, and not a cause. When I say that I believe the single biggest problem facing identity is connectivity, I mean it. This is why we’re focusing on connectivity, and not the other way round. We can automate anything, and we choose to automate connections to identity because that’s where the pain is. And it’s clear from talking to folks that this is still the case.

AI solutions, PAM solutions, IGA solutions, Provisioning solutions, SSO solutions – they’re all an important part of identity. The one thing they are all starving for is a way to get connected to the applications that matter to them. And when people tell me that they’ve had an IGA for 3 years, they’ve got 12 applications connected, and now they’re looking to connect 200 more…well, this is what I’m talking about. This isn’t IGA’s fault. Heck, it isn’t even IGA’s job. To do connectivity right, you need a dedicated connectivity solution. We know this because with the best tech and the best partners and the best implementation specialists you’re seeing an average of 14% connectivity. And the reason it’s not anyone’s fault really is something you’ve heard me say before: applications are terrible. Built one lately? How many times do you say, “the first priority is providing an interface so people can programmatically control who has access to my app”? Zero. So, connectivity problems are still out there, and it’s taking some clever folks (not all of whom are working with me! Lots of competition out there and that’s good to see!) to take a stab at it.

The Unknown Unknowns

Lastly, let’s give ourselves something to chew on as we look beyond 2025 and maybe even beyond 2026. This is a concept I had the pleasure of discussing this year with a couple of long-time SailPoint folks smarter than me. Outcome of the discussion: we need to start looking beyond what we know and think about how we’ll find the stuff we don’t.

The known knowns are applications that are known – they need to be governed – and have a known interface or way to connect. This is what the industry has been focusing on since inception, a way to get the known applications into their identity solutions in a known way.

Some companies are focusing on the known unknowns. These companies come in two kinds. Some are looking for new ways to connect to apps, so they have more known knowns. Others are looking at ways to know about more apps, whether they’re connectable in a known way or not. Both are important steps toward governing the targets we need to govern.

The unknown unknowns, however, represent a huge amount of risk. The governance team doesn’t know about them, and even if they did, there’s no clear way to connect them. They’re also risky because this is where the attackers are living. The known knowns are protected. They’ve got their shields up. And there are scouts looking for the known unknowns. But out in the dark, there’s a bunch of apps with user information in them, connected to who knows what, with fewer protections in place to detect bad actors within them. The companies that identify this gap and buy solutions to close it are going to be the ones making attackers look to other companies for easy targets. Compliance teams beware.

Conclusion

And that’s a wrap. NHIs, connectivity, unknown unknowns…lots to do this year. Let’s wrestle some AIs into submission, connect them to governance, and clear out some of the ruffians hanging out in spots they think we don’t know about. Sounds like a good year to come.

Happy holidays everyone!
