Future Trends in Identity and Access Management: Adoptions and Implementation Priorities
IAM developments show clear trends: authentication moving beyond passwords. Find out how emerging trends will affect the future of cybersecurity.
After exploring zero-trust implementation and IAM approaches created with security by design, we will now take a deep dive into future trends. Check out our previous IAM-focused article to learn more about the implementation process of an Identity and Access Management solution.
IAM developments show clear trends: authentication is moving beyond passwords, AI integration is advancing fast, Zero Trust adoption is facing real-world implementation challenges, and quantum-resistant preparation is starting to become urgent.

Current developments
Authentication moving beyond passwords and traditional MFA
As noted in our prior analysis, passkeys and enhanced MFA have moved from emerging technologies to practical implementations across major platforms. Overall, passkeys are gaining a lot of traction, with major platforms like Google, Microsoft, and Apple driving adoption. In December 2024, the FIDO Alliance reported that passkey availability doubled in 2024, with support for over 15 billion online accounts. This trend of increased adoption of safer sign-ins is not showing any signs of stopping this year.
Another growing trend in authentication is dynamically combining multiple verification methods based on the risk context. For example, when an administrator executes a bulk command to edit or remove data, a second or third authentication method might appear, granting temporary elevated privileges.
Continuous authentication, which monitors user interaction rather than just login, has become so widespread recently that it’s difficult to consider it a future trend. However, traction is necessary in other critical domains; currently, financial institutions deploy transaction-specific authentication methods that adjust based on payment amounts and recipient trust levels.
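The risk-based step-up described in the two paragraphs above can be sketched as a small policy function. This is an added example, not code from any product mentioned in this article; the factor names, thresholds and field names are illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# All thresholds, factor names and field names are illustrative assumptions.
BULK_THRESHOLD = 100                   # records touched before an action counts as bulk
HIGH_VALUE_PAYMENT = 10_000            # payment amount that raises the risk tier
ELEVATION_TTL = timedelta(minutes=10)  # lifetime of temporary elevated privileges

@dataclass
class Request:
    action: str                        # "read", "edit", "delete" or "payment"
    records_affected: int = 0
    amount: float = 0.0
    recipient_trusted: bool = True
    factors_presented: frozenset = frozenset()  # factors already verified

def required_factors(req: Request) -> set:
    """Return the factors this request needs, based on its risk context."""
    needed = {"passkey"}                             # baseline sign-in factor
    if req.action in {"edit", "delete"} and req.records_affected >= BULK_THRESHOLD:
        needed.add("hardware_key")                   # second method for bulk changes
        if req.action == "delete":
            needed.add("peer_approval")              # third method for bulk deletes
    if req.action == "payment":
        if req.amount >= HIGH_VALUE_PAYMENT:
            needed.add("hardware_key")
        if not req.recipient_trusted:
            needed.add("transaction_confirmation")   # confirm amount and payee
    return needed

def authorize(req: Request, now: datetime) -> dict:
    """Allow (with a short-lived elevation if stepped up) or list missing factors."""
    needed = required_factors(req)
    missing = needed - req.factors_presented
    if missing:
        return {"decision": "step_up", "missing": sorted(missing)}
    elevated = len(needed) > 1
    expires = now + ELEVATION_TTL if elevated else None
    return {"decision": "allow", "elevated": elevated, "expires": expires}
```

The elevation expires on its own, so a stepped-up session does not keep bulk-delete or high-value payment rights after the task is done.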
AI integration in Identity Operations
Machine learning applications in IAM have advanced significantly in recent years, transitioning from experimental pilots to production environments. IBM Verify was among the first to pave the way, using IAM functionality that requires eight sessions to establish behavioural baselines and then provides real-time risk scoring.
However, AI brings its own risks. Any machine learning integration also needs AI-specific security controls to be evaluated and implemented.
Several takeaways from the SANS Institute's Critical AI Security Guidelines are worth noting here:
Secure AI by using multiple layers of security.
Secure against model poisoning, prompt injection, and adversarial attacks.
Establish governance structures responsive to AI progress.
Emerging IAM vulnerabilities
In October 2024, MITRE ATT&CK, the industry standard for mapping adversary tactics and techniques, released v16, which integrated cloud identity providers into the platform framework. 203 enterprise techniques and 453 sub-techniques were updated. The framework now covers 159 threat groups and 710 pieces of software.
For IAM, this means that the attack patterns have expanded, alongside an increase in sophistication.
Cloud-based IAM solutions face provider-specific risks like OAuth abuse and cross-tenant exploitation.
Another important event is OWASP’s release of its inaugural Non-Human Identity (NHI) Top 10 for 2025, which recognises that non-human identities now outnumber human identities by a ratio of 100:1. Notable risks from the NHI Top 10 are improper offboarding (NHI1:2025), secret leakage in repositories (NHI2:2025), and vulnerable third-party integrations (NHI3:2025).
Just as with the OWASP Top 10 for web applications, there are several complex risks. However, there are also risks that are relatively easy to address but hard to prevent, such as the leakage of sensitive data like API keys, typically hard-coded in plaintext.
Improper offboarding happens when service accounts, API keys, and certificates stay active after apps are decommissioned or developers leave, effectively creating unwanted backdoors that can stay hidden for years.
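One way to surface improperly offboarded non-human identities is to reconcile the credential inventory against the lists of live applications and current staff. The following is an added example, not part of the OWASP material; the inventory records, field names and the 90-day staleness threshold are constructed assumptions, not the export format of any particular IAM product.

```python
from datetime import date, timedelta

# Constructed sample inventory; field names and values are illustrative assumptions.
INVENTORY = [
    {"id": "svc-billing-export", "type": "service_account", "owner": "alice",
     "app": "billing", "last_used": date(2025, 5, 28), "expires": date(2025, 12, 31)},
    {"id": "key-legacy-crm", "type": "api_key", "owner": "bob",
     "app": "crm-v1", "last_used": date(2023, 11, 2), "expires": None},
    {"id": "key-ci-deploy", "type": "api_key", "owner": "dave",
     "app": "billing", "last_used": date(2025, 6, 1), "expires": date(2025, 9, 1)},
]
ACTIVE_APPS = {"billing", "reports"}    # crm-v1 has been decommissioned
ACTIVE_STAFF = {"alice", "carol"}       # bob and dave have left
STALE_AFTER = timedelta(days=90)        # assumed threshold for "unused"

def audit(inventory, active_apps, active_staff, today):
    """Return {identity id: [reasons]} for credentials to revoke or reassign."""
    findings = {}
    for nhi in inventory:
        reasons = []
        if nhi["app"] not in active_apps:
            reasons.append("application decommissioned")
        if nhi["owner"] not in active_staff:
            reasons.append("owner no longer with the organisation")
        if today - nhi["last_used"] > STALE_AFTER:
            reasons.append(f"unused for more than {STALE_AFTER.days} days")
        if nhi["expires"] is None:
            reasons.append("no expiry set")
        if reasons:
            findings[nhi["id"]] = reasons
    return findings

if __name__ == "__main__":
    for ident, why in audit(INVENTORY, ACTIVE_APPS, ACTIVE_STAFF, date(2025, 6, 2)).items():
        print(ident, "->", "; ".join(why))
```

A credential that is still in active use but whose owner has left, like the constructed `key-ci-deploy` entry, needs a new owner rather than immediate revocation, which is why the reasons are reported separately.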
Granting indefinite access to shared resources, neglecting security patch updates, or blindly installing malicious security patches can create vulnerable third-party integrations that allow supply chain attacks to spread. Such attacks are hard to detect and are usually discovered only after a breach.
Here is a list of notable CVEs:
The vulnerability CVE-2024-55591 is being actively exploited, allowing attackers to bypass authentication on Fortinet FortiOS/FortiProxy systems by sending manipulated WebSocket requests. The vulnerability is critical (CVSS 9.6), granting super-admin privileges, and has been under active exploitation since November 2024.
CVE-2025-21293 allows privilege escalation in Windows Server environments due to registry permission issues, affecting all current versions.
CVE-2024-8698, a Keycloak SAML authentication bypass, and CVE-2024-55949, a MinIO IAM privilege escalation, point to systemic flaws in contemporary IAM platforms. These cases highlight the importance of strict patch management and security testing for identity infrastructure.
Zero Trust implementation gains traction
We previously discussed zero trust in IAM in detail. Currently, the major roadblock is the difficulty of redesigning existing solutions for zero trust.
Although technical challenges persist, adopters report the following:
Healthcare organisations implementing zero trust report substantial reductions in unauthorised access to patient records.
Financial services show a reduced data breach probability.
Emerging trends
Quantum-resistant cryptography requirements
In August 2024, NIST completed its work on three post-quantum encryption standards:
FIPS 203 (ML-KEM)
FIPS 204 (ML-DSA)
FIPS 205 (SLH-DSA)
In March 2025, NIST selected HQC as a backup encryption algorithm. This demonstrates continued standards development and, more specifically, signals that even the new standards need redundancy planning.
Why is this important?
With quantum computing, we already understand that future technology will break current encryption methods, even if we cannot predict exactly when that technology will mature.
The mathematics behind quantum computing attacks is surprisingly complex. Widely used encryption algorithms fall into two categories: those that quantum computers can break easily, and those that remain relatively secure.
RSA encryption, which secures most HTTPS web browsing, SSH connections, email encryption, VPNs, digital certificates, and software licensing, becomes completely vulnerable to quantum attacks. Similarly, Elliptic Curve Cryptography, like Curve25519, commonly found in messaging apps (Signal, WhatsApp), VPN protocols, secure boot processes, and cryptocurrency transactions, offers no protection against quantum computers.
However, symmetric encryption algorithms like AES-256 and hash functions like SHA-256 remain relatively secure, requiring only key size increases to maintain protection against future threats.
According to the White House, the federal government will require an estimated $7.1 billion to transition its cryptography between 2025 and 2035. Quantum-resistant algorithms need significantly more computing power and bigger encryption keys, which in turn affects how well identity management systems work.
Future vulnerabilities emerge from current technology trends
Passkey synchronisation across multiple devices and mediums creates shared vulnerability points where compromising one device can grant access to all accounts. As passkey adoption increases to a larger scale, new security vulnerabilities will definitely appear.
AI-integrated IAM systems will face constant threats and sophisticated adversarial attacks. Attackers will either leverage AI or existing vulnerabilities within the new systems to take over accounts.
Deepfake authentication bypass represents one of the urgent threats, due to how fast synthetic media generation is becoming accessible. Without improvements in deepfake detection for current biometric systems, attackers exploiting AI-generated content to defeat multi-factor authentication will become the norm. Additionally, deepfake generation in real-time during video calls might jeopardise live identity checks.



