Identity and access management’s (IAM) evolution: From gatekeeper to open door

The explosion of cloud applications, systems and data has made identity security more complex and critical than ever before. Today, the average enterprise manages multiple cloud environments and around 1,000 applications, creating a highly fragmented landscape, which attackers are actively capitalising on. In fact, IBM’s 2025 Threat Intelligence Index  found that most of the cyber attacks investigated last year were caused by cybercriminals using stolen employee credentials to breach corporate networks.

With AI-driven attacks set to make this problem even worse, identity abuse shows no signs of a slowdown. Large language models (LLMs) can automate spear-phishing campaigns and scrape billions of exposed credentials to fuel automated identity attacks. With AI enabling attackers to scale their tactics, the transition away from credential-based security must become a priority for businesses.

Beyond credentials: Letting technology handle authentication

The future of secure modern authentication requires reducing the user burden from the identity paradigm by moving away from passwords and knowledge-based authentication.

Passwordless authentication, based on the FIDO (Fast Identity Online) standard replaces traditional passwords with cryptography keys bound to a user’s account on an application or website. Instead of choosing and remembering a password, users authenticate with biometrics or a hardware-backed credential, this is typically provided by the device (laptop or mobile device) and their operating system. These credentials (passkeys) are protected by the operating systems, browsers and password managers, significantly reducing the risk of phishing attacks and stolen credentials.  A modern way to authenticate, passkeys are phishing resistant, offer a better user experience and improve security posture.

While not a new or novel concept, passwordless is slow to gain traction because of perceived complexity and lack of clear migration paths. However, the FIDO alliance announced in late 2024 new resources that are set to help accelerate the adoption of passkeys by making them easier for organizations and consumers to use. For example, FIDO’s new proposed specifications enable organisations to securely move passkeys and other credentials from one provider to another. This helps provide flexibility to organisations by removing vendor lock-in.

Digital credentials are another technology that helps remove the burden of security decisions from users. While passwordless authentication provides a secure way to access resources, digital credentials (sometimes referred to as verifiable credentials) provide a secure way to share private data. Digital credentials – such as digital employee badges or mobile driver’s licences – allow organisations to validate users without exposing unnecessary or sensitive personal data.

For example, a digital driver’s licence lets users prove their age for restricted purchases without revealing unnecessary personal information like their home address or even their actual birthday. Similarly, digital paystubs allow users to confirm salary requirements for a loan without disclosing their actual salary. This solution also helps put the power of data sharing back into the users’ hands – allowing them to choose what type of information is provided, to who and when.

Defending identity in the AI era

The move towards passwordless and digital credentials is not just about stopping today’s attackers – it’s about preparing for what’s next.

• AI-powered attacks: Attackers are already using generative AI (GAI) to create phishing campaigns that are nearly as effective as human-generated ones, automate social engineering at scale, and bypass traditional security controls. Passwordless eliminates one of the most common attack vectors – phishable credentials – making AI driven attacks much harder to execute.
• Non-human Identities – As agentic AI advances and takes on more roles in the enterprise – whether in software design or IT automation – identity security must evolve in tandem. Digital credentials allow organisations to authenticate NHIs with the same level of cryptographic security as human users, ensuring that AI agents interacting with corporate systems are verifiable and authorised.  

Organisations must start preparing now for what lies ahead. While passwordless and digital credentials are not the only steps that should be taken to combat the surge in identity attacks, by deploying these technologies organisations can modernize a strained model – removing security decisions from users, enhancing the user experience and ultimately helping IAM take back its role as gatekeeper.

Patrick Wardrop is executive director of product, engineering and design for the Verify IAM product portfolio at IBM Software.