Passwordless authentication on the rise: Passwords have long been the weakest link in most security architectures.Many mobile phones and laptops already use biometrics for authentication, and the user experience is typically far better than typing a long and complex password into an interface.The growing uptake of passwordless authentication (FIDO2/passkeys, biometrics) is redefining the scope of many IAM projects.”Many enterprises are still in the early stages of deploying passkeys and FIDO2, and biometrics are often deployed as part of a broader MFA strategy, where hardware costs and management overhead remain barriers to widespread adoption,” says Conscia’s Hanagan.
Regulations shake up IAM architectures: The regulatory environment has evolved from a tick-box exercise in compliance toward governance and continuous testing to demonstrate corporate adherence to regulations. That shift, according to Conscia’s Hanagan, is actively reshaping how organizations architect their IAM programs.”There is a significant amount of regulatory work under way,” he says. “GDPR, NIS2, DORA, PCI DSS 4.0, and sector-specific frameworks all focus on who accesses what, when, and why.”Hanagan adds: “The EU often takes a different approach to the UK, eIDAS 2.0, for example, is driving digital identity wallet adoption across Europe, which makes compliance particularly difficult for multinational enterprises spanning multiple regions.”
Sovereign IAM and eIDAS 2.0 decentralize identity: With the introduction of the European Digital Identity (EUDI) Wallet, companies are looking at decentralized identity architectures.”Instead of storing user data, European firms are becoming ‘relying parties,’ verifying identities through cryptographic proof via government-backed digital wallets to reduce PII [personally identifiable information] liability and comply with the EU Data Act, particularly regarding data minimization,” Context’s Turner says.
Managed IAM services make their pitch: Issues such as the cybersecurity workforce gap and the technical complexity of IAM in the modern enterprise are impacting both CISOs’ identity and access strategies and the direction of the IAM market.”Most organizations are running hybrid estates alongside SaaS sprawl, and the identity surface is fragmented across multiple directories, legacy apps, and inconsistent entitlement models,” 1Password’s Lewis says.To bridge the challenges posed by this complexity in the face of talent shortages, many organizations are turning to managed IAM services, according to Conscia’s Hanagan.”Modern IAM solutions are complex to set up and require deep knowledge and expertise,” he says. “When this is coupled with the fear that AI may displace roles, which discourages new entrants into the profession, and tightening regulation, it takes its toll on why modern IAM projects struggle to progress at pace.”
The IAM industry consolidates: The IAM market is going through a period of consolidation as vendors vie to build the most comprehensive platforms while tackling the problem of managing machine identities and AI agents.Notable IAM M&A activity over recent months include:
Last July, Palo Alto Networks acquired privileged access management firm CyberArk for $25 billion.Delinea announced plans to acquire universal access management firm StrongDM in March. StrongDM provides “just-in-time” access for DevOps and AI agents, moving Delinea from offering static password management to offering a platform for dynamic, runtime authorization. Financial terms of the deal were not disclosed.CrowdStrike has announced deals to acquire identity security startup SGNL for $740 million and browser security startup Seraphic Security for $420 million in January 2026. SGNL provides the ability to grant access based on real-time context (e.g., “Allow this dev to see the database only while they have an active Jira ticket.”)Zscaler snapped up SquareX in February 2026, allowing it to acquire browser security technology that can detect identity-based attacks on unmanaged devices.Sophos is buying Arco Cyber in a deal focused on bringing AI-powered governance to the midmarket. “It [the deal] targets those 50- to 500-seat companies that lack a full-time CISO but need to meet the new UK Cyber Security Bill requirements,” Context’s Turner says.See also:
How cybersecurity leaders can defend against the spur of AI-driven NHIAgentic AI already hinting at cybersecurity’s pending identity crisisYour passwordless future may never fully arriveWhat are non-human identities and why do they matter?Always-on privileged access is pervasive, and fraught with risksRedefining multifactor authentication: Why we need passkeys
Managed IAM services make their pitch: Issues such as the cybersecurity workforce gap and the technical complexity of IAM in the modern enterprise are impacting both CISOs’ identity and access strategies and the direction of the IAM market.”Most organizations are running hybrid estates alongside SaaS sprawl, and the identity surface is fragmented across multiple directories, legacy apps, and inconsistent entitlement models,” 1Password’s Lewis says.To bridge the challenges posed by this complexity in the face of talent shortages, many organizations are turning to managed IAM services, according to Conscia’s Hanagan.”Modern IAM solutions are complex to set up and require deep knowledge and expertise,” he says. “When this is coupled with the fear that AI may displace roles, which discourages new entrants into the profession, and tightening regulation, it takes its toll on why modern IAM projects struggle to progress at pace.”
The IAM industry consolidates: The IAM market is going through a period of consolidation as vendors vie to build the most comprehensive platforms while tackling the problem of managing machine identities and AI agents.Notable IAM M&A activity over recent months include:
Last July, Palo Alto Networks acquired privileged access management firm CyberArk for $25 billion.Delinea announced plans to acquire universal access management firm StrongDM in March. StrongDM provides “just-in-time” access for DevOps and AI agents, moving Delinea from offering static password management to offering a platform for dynamic, runtime authorization. Financial terms of the deal were not disclosed.CrowdStrike has announced deals to acquire identity security startup SGNL for $740 million and browser security startup Seraphic Security for $420 million in January 2026. SGNL provides the ability to grant access based on real-time context (e.g., “Allow this dev to see the database only while they have an active Jira ticket.”)Zscaler snapped up SquareX in February 2026, allowing it to acquire browser security technology that can detect identity-based attacks on unmanaged devices.Sophos is buying Arco Cyber in a deal focused on bringing AI-powered governance to the midmarket. “It [the deal] targets those 50- to 500-seat companies that lack a full-time CISO but need to meet the new UK Cyber Security Bill requirements,” Context’s Turner says.See also:
How cybersecurity leaders can defend against the spur of AI-driven NHIAgentic AI already hinting at cybersecurity’s pending identity crisisYour passwordless future may never fully arriveWhat are non-human identities and why do they matter?Always-on privileged access is pervasive, and fraught with risksRedefining multifactor authentication: Why we need passkeys
Last July, Palo Alto Networks acquired privileged access management firm CyberArk for $25 billion.Delinea announced plans to acquire universal access management firm StrongDM in March. StrongDM provides “just-in-time” access for DevOps and AI agents, moving Delinea from offering static password management to offering a platform for dynamic, runtime authorization. Financial terms of the deal were not disclosed.CrowdStrike has announced deals to acquire identity security startup SGNL for $740 million and browser security startup Seraphic Security for $420 million in January 2026. SGNL provides the ability to grant access based on real-time context (e.g., “Allow this dev to see the database only while they have an active Jira ticket.”)Zscaler snapped up SquareX in February 2026, allowing it to acquire browser security technology that can detect identity-based attacks on unmanaged devices.Sophos is buying Arco Cyber in a deal focused on bringing AI-powered governance to the midmarket. “It [the deal] targets those 50- to 500-seat companies that lack a full-time CISO but need to meet the new UK Cyber Security Bill requirements,” Context’s Turner says.See also:
How cybersecurity leaders can defend against the spur of AI-driven NHIAgentic AI already hinting at cybersecurity’s pending identity crisisYour passwordless future may never fully arriveWhat are non-human identities and why do they matter?Always-on privileged access is pervasive, and fraught with risksRedefining multifactor authentication: Why we need passkeys
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4148282/6-key-trends-reshaping-the-iam-market.html
