Artificial intelligence promises to reshape how we build products, make decisions, and operate entire businesses. Yet the foundations of modern AI are, to put it mildly, problematic. Most models were trained on data gathered through uncontrolled, often unethical, and in many cases outright illegal means. Large models were trained by scraping everything they could find on the public internet with little regard for copyright, accuracy, or the authenticity of sources.

We are now living with the consequences. Many of the answers people receive from today’s AI systems trace back not to vetted knowledge or licensed materials, but to random Reddit threads, satirical posts on X, or copyrighted content never attributed to its owners. This is the definition of garbage in, garbage out. Unfortunately, now the garbage is global, automated, and piped straight into decision-making processes.

We have accepted AI slop as a normal part of online life, but the real question is whether we want the same quality standards applied to critical business decisions. So far, the industry still behaves as if the answer was “yes”. Regulators, however, are beginning to think differently.

Why Logging Cannot Explain What Your AI Just Did

The classical approach to governance is built on logs, audit trails, and deterministic processes. Unfortunately, AI systems are none of these things. Training converts data into weights and tokens that cannot be reconstructed. Inference produces outputs that may differ every time the same prompt is used. Retrieval pipelines and agentic workflows bring in external data at runtime, often without any consistent record of what was used or why.

The result is an audit trail with gaps at every critical step. You can often track the inputs and the outputs, but the reasoning chain in between remains hidden. This is why traditional auditability is not the same as provenance. Provenance means being able to demonstrate where the data came from, how it was processed, how it influenced a model, and how that model produced a particular conclusion. Without it, organizations are left with decisions they cannot justify, even if the outcomes appear correct.

And without it, regulators cannot verify whether a model respects copyright or complies with industry rules. The friction between operational expectations and legal requirements is growing, and AI is now part of the software supply chain. That means your model vendor’s training data becomes your compliance risk.

The Regulatory Pressure Behind Provenance

Regulators did not start with explainability or algorithmic fairness. They started with copyright, because it is the most obvious and easiest to verify. Copyright owners have already demonstrated that training on protected content without permission is a violation, regardless of how useful the resulting model may be. This alone is driving the first round of regulatory intervention.

But copyright is only the beginning. Industries that rely on strong governance, including identity management and cybersecurity, face an even more fundamental problem. If the data feeding AI-driven decisions is incomplete, inaccurate, or unverifiable, those decisions become unreliable. For example, an access control recommendation based on a hallucination or a low-quality data source is not simply incorrect but a potential breach in the making.

This is why data provenance will evolve into the next major compliance requirement. The industry went through the same shift with privacy, culminating in GDPR and other similar frameworks. AI data provenance must follow the same path. Not because regulators enjoy making life difficult, but because the alternative is a world where critical infrastructure depends on unverifiable decisions made by systems that no one can fully trust.

What Organizations Should Do Now

No enterprise can solve the provenance challenge overnight. You cannot simply bolt another governance tool onto an AI system after it has been deployed. Provenance must be embedded across the entire lifecycle, from training and data preparation to inference and downstream actions. Still, there are practical steps you can take today.

Start with your data: A living data catalog is essential. If you cannot identify where your data is stored, how it is classified, and how it flows into your AI systems, you cannot demonstrate compliance or ensure quality.

Work from risk: Identify the decisions where AI poses the greatest operational risk. Prioritize governance there. Not every use case requires the same level of scrutiny.

Use the controls you already have: Many data security and governance tools already support lineage, classification, and monitoring. These remain valid. The challenge is extending them consistently to the entire AI layer, not replacing everything with untested solutions.

Demand transparency from vendors: Ask for training data disclosures. Ask how they track provenance internally. Ask what mechanisms they offer to trace inference data, external calls, and agent actions. Marketing assurances are not proof.

Prepare for explainability: If you cannot explain how an AI reached its conclusion, you cannot defend it during an audit or investigation. Explainability is becoming a baseline requirement, not a luxury.

The industry is beginning to converge on the idea of a unified governance fabric that spans data, models, and operational context. Data provenance will be a core part of that fabric. It is early, fragmented, and evolving quickly, but ignoring it will only make future regulatory pressure more difficult and more expensive.

AI will continue to shape digital businesses. The real question is whether it will do so transparently and responsibly or continue to rely on invisible data pipelines and unverifiable decisions. Keeping the entire chain under consistent governance is the foundation that separates reliable and trustworthy AI from slop, and it will soon be a fundamental part of compliance for every organization building or deploying AI systems.

A practical way forward begins with establishing a baseline of provenance capabilities that every enterprise can realistically implement today. At a minimum, this means knowing where your data comes from, documenting how it is cleaned, transformed, and used during model training, and maintaining enough visibility to trace which inputs and external calls influenced a particular inference.

None of this requires full interpretability or revealing a model’s internal mechanics. What it does provide is the ability to justify decisions, survive audits, and defend your AI processes when questions arise. With this foundation in place, organizations can adopt AI with more confidence while preparing for the regulatory expectations that are already taking shape.

Apple has introduced support for digital IDs within its Wallet. This has attracted immediate attention, not because the concept is new, but because Apple’s scale reliably shifts discussions from specialist circles into the public domain. This alone will influence the trajectory of digital ID adoption. Yet the question remains whether this is a strategic breakthrough or a narrowly scoped convenience feature. 

Visibility Without the Full Vision 

Apple’s involvement undeniably increases visibility. For years, the potential of reusable digital identities, verifiable credentials, and decentralized identity models has been explored largely within technical and policy communities. Now the subject appears in a mainstream consumer product. 

However, visibility should not be mistaken for completeness. Apple is not introducing a digital identity in the architectural sense. The Wallet simply stores a digital representation of an existing, state-issued document. This mirrors the physical-world model where a wallet contains various ID cards. It does not reflect the larger objective of building a reusable, attribute-rich identity framework composed of verifiable credentials. 

Modern digital identity initiatives aim to support extensive, controlled sets of attributes, enabling automation, reducing friction, and supporting cross-organizational processes. Against this backdrop, the current Apple approach remains narrow. 

Limited Use Cases, Limited Impact 

The supported use cases such as age verification or presenting a mobile driver’s license are legitimate and practically useful. Selective disclosure, such as demonstrating legal age without exposing full personal data, is a relevant improvement for privacy. 

Yet these use cases represent only a small fraction of the potential. Employee onboarding, automated access governance in partner ecosystems, and streamlined KYC/AML processes in financial services require significantly richer sets of verifiable credentials. These scenarios are where the substantial business value lies. Apple’s implementation does not currently demonstrate readiness for such broader application. 

In that sense, the initiative is a step forward, but far from the digital identity model needed for scalable enterprise or governmental processes. 

The Constraint of Device-Bound Identities 

A structural limitation lies in the device-centric approach. A digital identity designed for serious, cross-context use cannot depend exclusively on a single hardware device. Users operate across multiple devices in both personal and professional contexts. Financial processes, workforce onboarding, and corporate interactions demand flexibility and device independence. 

The wallet must be able to roam with the user, not remain bound to a specific device. This requirement applies not only to Apple; several wallet initiatives face the same challenge. A sustainable identity architecture must be decentralized, portable, and independent of specific hardware vendors. 

Standards Are Present, but Ambition Must Match 

Apple relies on established standards such as mDoc, ISO specifications, and FIDO. This is beneficial and provides a foundation for interoperability. However, standards alone do not ensure that the implementation aligns with the broader strategic intent of reusable digital identities. 

The long-term model resembles a distributed catalogue of verifiable credentials rather than a small collection of digital ID cards. Not all credentials can reside in secure elements. Many attributes must be retrieved, validated, and combined dynamically across different identity sources. 

This complexity underpins the automation potential that enterprises seek: reducing manual checks, accelerating decision-making, and improving assurance levels. Apple’s current implementation is not positioned to deliver on this. 

A Multi-Wallet Reality 

Enterprises will not be able to rely on a single wallet. Apple’s ecosystem is large, but it is not universal. The EU’s EUDI Wallet, Android-based wallets, and emerging identity solutions from other major platforms will coexist. Cross-border use cases reinforce this reality. 

Organizations must therefore prepare for a multi-wallet environment. They will need abstraction layers capable of integrating with numerous wallet providers rather than building point solutions for individual ecosystems. Apple’s initiative reinforces the urgency of this architectural consideration. 

Moving From Standards Work to Real Use 

Despite the limitations, the development is significant because it shifts digital identity from a standards-driven discourse toward practical, observable use. Early implementations in ecosystems such as Microsoft’s LinkedIn Verified identity show that multiple players are moving, and actual deployments are beginning to surface. 

At upcoming industry events such as EIC, these developments will be central: how interoperable, standards-based identity ecosystems can be established; how wallets can interoperate; and how organizations should architect their identity fabrics in anticipation of multiple wallet types. 

Apple’s announcement contributes to this momentum. It is a practical step, not yet a strategic transformation. The broader journey toward scalable, reusable, verifiable digital identities continues. It will require a far more comprehensive approach than what Apple currently delivers. 

Modern attacks usually start somewhere unexpected, such as a forgotten asset, an inherited domain from an old acquisition, or a misconfigured VPN gateway. All of these are part of your attack surface. And attackers are already mapping it. The question is whether you are doing a good job as they are. In this blog, I will explain why systematic attack surface mapping is essential to your cybersecurity strategy, how it improves vulnerability prioritization and contextualization, how MITRE ATT&CK mapping fits into this, and how CyCognito approaches this concept.

At a basic level, your attack surface is the sum of all the points where an attacker could try to interact with your systems:

• Internet-facing assets
• IP ranges, domains, and certificates tied to your brand or subsidiaries
• Cloud services and external SaaS dependencies
• VPNs, remote access gateways, email infrastructure
• IoT and OT/ICS equipment reachable from outside

Cybersecurity regulations and standards are increasingly explicit about this. ENISA, for example, highlights attack surface minimization as a core design principle in its work on cybersecurity standards, and notes that the size of the attack surface is a key factor for security analysis and assurance.

My observation on this matter is simple. As an organization, if you do not have a reliable map of what could actually be exposed, everything between vulnerability management and incident response is built on guesswork. Good attack surface mapping is not just a nice asset inventory; it should shift the starting question from “What do we think we own?” to “What can an attacker actually see and reach?”

Properly executed attack surface mapping bridges organizational blind spots by incorporating subsidiaries, acquisitions, third-party infrastructure, temporary projects, and retired brands with live DNS records or certificate footprints. It normalizes and enriches data by pulling in DNS, WHOIS, certificates, banners, screenshots, and ownership relationships. Then, it connects those dots to create a map of your real business structure. It also keeps up with what is changing. Cloud deployments, mergers, outsourcing, and shadow IT constantly redraw your attack surface. A yearly CMDB review simply cannot keep up with that pace.

ENISA’s work on sectoral cybersecurity assessment notes that the dimension of the attack surface is also an indicator of the effort required for vulnerability analysis. The bigger and more fragmented your exposed estate, the more you need automation that thinks like a recon team rather than a static catalog. This is exactly why our recent research on attack surface management (ASM) emphasize continuous, ownership-aware discovery rather than one-time scans or questionnaires.

Once you have a reasonably accurate map, you no longer ask “Which Common Vulnerabilities and Exposures (CVEs) are high severity?” but instead “Which of these issues actually matter in this environment, on this asset, given this exposure and business role?” That is where attack surface mapping feeds directly into prioritization and contextualization.

In theory, organizations already know that risk is a function of likelihood and impact. ENISA summarizes this clearly. To manage cyber risk, you have to identify the appearance of risks, accurately assess the impact and likelihood of these risks, and aggressively determine how to treat individual risks.

Attack surface mapping gives you three key ingredients for turning raw vulnerability data into meaningful risk:

1. Exposure context

• Is the asset directly internet-facing, behind a VPN, or accessible only from a partner network?
• Is it located on a shared cloud platform with other critical services?
• Are there obvious attack paths from this asset into more sensitive segments?

2. Business context

• Which business unit owns it?
• Does it process payment transactions or healthcare data?
• Would downtime be a regulatory incident?

3. Technical context

• How discoverable is it from the outside?
• How attractive is the asset from an attacker’s perspective?

A CVE with a “medium” base score is fundamentally different from the same CVE on an internet-facing customer portal with privileged access. Without mapping, both may appear as similar tickets in your vulnerability list. With mapping, one becomes a top-priority issue, and the other is something you can schedule more calmly. Modern ASM solutions reflect this shift. Rather than simply adding vulnerabilities to an already overloaded queue, they cluster findings around assets and attack paths, not just CVE IDs. They also overlay external threat intelligence to highlight where exploitation is already happening in the wild and use risk scores that incorporate discoverability, attractiveness, exploitability, and business impact, not just CVSS.

That is the direction the industry is moving anyway. Our recent analyses of the ASM market point out that in 2025, ASM is no longer just about visibility but about context, prioritization, and remediation, with continuous discovery as the baseline.

What MITRE ATT&CK mapping actually is and why it matters?

MITRE is an independent, US-based non-profit that runs Federally Funded Research and Development Centers (FFRDCs) and works across government, academia, and industry. Among other things, it maintains the MITRE ATT&CK framework. MITRE describes attack as a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It is essentially a structured catalog of how attackers behave during real intrusions, from initial access all the way through lateral movement, credential theft, data exfiltration, and impact. According to MITRE, the ATT&CK knowledge base is used as a foundation for developing threat models and methodologies across the private sector, government, and the cybersecurity community.

When we talk about MITRE ATT&CK mapping in the context of ASM, we are usually referring to three things:

• Linking assets and vulnerabilities to likely techniques
• Assessing coverage of controls and detections (e.g., Do we have detections, guidelines, or playbooks for these specific behaviors?)
• Aligning threat intelligence and incidents with your attack surface

The result is much more than an attractive matrix on a slide. It becomes a practical mechanism for prioritizing remediation when multiple techniques target the same asset or entry point. It is also a shared language that aligns red teams, blue teams, and management when discussing risk. Additionally, it is a measurable way to track progress over time. Rather than focusing solely on the number of closed vulnerabilities, organizations can monitor the percentage of MITRE ATT&CK techniques to which their internet-facing assets remain exposed, creating a clearer picture of real-world risk.

In short, MITRE ATT&CK help you move from “We know we have vulnerabilities” to “We know which entry points map to real attacker behaviors, and we know what to fix first.”

How CyCognito approaches attack surface mapping and risk

CyCognito is a cybersecurity vendor that specializes in the proactive management of attack surfaces and automated security testing. The company emphasizes seeing organizational assets the way an external attacker would.

One recurring problem in ASM is that many tools still begin with a customer-provided seed list of domains, IP ranges, or asset inventories. While this is useful, it also incorporates your blind spots. CyCognito’s approach is explicitly seedless for external discovery. According to them, seedless discovery is designed to reveal your attack surface just like attackers do, without requiring asset lists or extensive setup. This method can identify significantly more vulnerabilities than traditional approaches.

Behind the scenes, the platform uses large-scale reconnaissance techniques, open-source intelligence (OSINT), natural language processing (NLP), and graph-based mapping to create a dynamic inventory of assets and link them to the organization’s actual business structure. This approach makes forgotten or inherited assets, such as old subsidiaries, retired brands, or third-party hosted systems, visible again. It treats all internet-facing assets as unknown until confirmed, which more closely aligns with how attackers view an organization than any CMDB-driven process does. The platform also incorporates ownership attribution directly into the mapping process, making it easier to route remediation to the right teams. CyCognito’s exploit intelligence module pulls data from a mix of surface web, social media, dark and deep web sources, supported by human analysts and automated algorithms. It categorizes threats using MITRE ATT&CK and correlates findings back to specific assets that need remediation.

In our last Leadership Compass on ASM, we found that CyCognito’s risk scoring merges several layers of risk insight. It incorporates results from active security testing and vulnerability scanning, combines both external and internal threat intelligence, and evaluates asset-level factors such as discoverability, attractiveness, potential impact, and business importance. It also includes practical considerations like remediation complexity. This type of risk scoring aligns well with what regulators and agencies are asking for: shifting from one-dimensional views of severity to risk factors that consider likelihood, impact, and exposure. When combined with MITRE ATT&CK mapping, you can see not only how severe a vulnerability is, but also which attacker techniques it enables on a given asset and how discoverable that asset is.

Mapping the attack surface is not a one-time task that can be fully outsourced to annual penetration tests. It is the foundation on which vulnerability management, incident response, threat hunting, and compliance rely. With an accurate, continuously updated map, you can enrich the risk context of every vulnerability detected, speak a shared language about attacker behaviors via MITRE ATT&CK, and focus on issues that may have a greater impact on your organization.

At the end of the day, you either own your attack surface map, or attackers will draw it for you. And they will not be prioritizing in your favor.

They get into the risks of attempting to retrofit governance after AI systems are already deployed and explain why provenance must be built directly into data and model workflows.

 Key Topics Covered:
✅ AI data provenance is a new and urgent issue.
✅ Low-quality data leads to poor AI outcomes.
✅ Auditing and compliance are essential for AI systems.
✅ Organizations must establish governance for AI data.
✅ Data catalogs and traceability are foundational.
✅ Prepare for AI regulations like GDPR.
✅ Start small and apply a risk-based approach.
✅ Never trust, always verify your data sources.

Credentials and secrets are being stolen faster than evera nd legacy PAM simply wasn’t built for machine identities, containerized workloads or hybrid infrastructures. The new standard is agile, converged platforms that combine PAM with IGA and EPM, using AI and behavioral analytics to close the gaps vaults can’t.

Modern PAM must go beyond vaults to focus on usability, scalability, and real-world applicability, such as detecting shadow IT accounts, mitigating insider threats, and securing third-party access. As competition and innovation accelerate, converged PAM platforms are redefining how enterprises protect their most critical assets and maintain trust in an interconnected world.

Alejandro Leal, Senior Analyst at KuppingerCole, will provide a strategic perspective on the state of PAM today. He will discuss why many existing solutions fall short, highlight the key attributes of a modern PAM platform, and outline how convergence across PAM, IGA, and EPM creates an integrated identity security fabric for digital enterprises.

Pranay Bhatia, Head of Privilege Access Management at ARCON, and Siddharth Venkataraman, Identity Security Head and SME at Mastek, will share real-world insights from customer journeys. Together, they’ll discuss how organizations are tackling key challenges such as secrets management, secure DevOps, and passwordless access. They’ll also present ARCON’s vision for converged identity platforms and highlight the capabilities enterprises should expect from next-generation PAM solutions.

Legacy identity programs were built for people and service accounts, not autonomous systems. Pretending AI is “just another user” is a dangerous simplification. To survive the AI gold rush, enterprises must classify AI as a distinct identity type, subject it to strict governance, and enforce controls as strong or stronger than those applied to human employees.

Nitish Deshpande, Research Analyst at KuppingerCole will challenge conventional thinking around AI governance. They will highlight why legacy IAM frameworks fail when faced with autonomous decision-makers, discuss the ethical and regulatory blind spots most organizations ignore, and argue that AI identities require a radically different trust model.

Simon Gooch, Field CIO at Saviynt, will share insights from his extensive experience leading global IT and security transformations. He will discuss how Saviynt Identity Cloud enables organizations to secure all identities, human, machine, and AI, and will highlight real-world use cases where enterprises have achieved measurable outcomes by consolidating and modernizing their identity platforms.

We are certainly living in interesting times. Some call it a Chinese curse; I prefer to think of it as a confusing but exciting transition period where every digital ambition is suddenly possible and every mistake can become catastrophic. The world we once knew with strong network perimeters and a handful of enterprise systems has evolved into a sprawling mesh of clouds, devices, SaaS platforms, partners, agents, and applications we barely control. Anything in that mesh can be the weak point. And when it is, everything connected to it feels the impact.

The most ironic part is that the weakest points are often the places we still treat as plumbing. APIs were once simple connectors, but today they are more like the circulatory system for your entire business. They carry your data, your workflows, your customer interactions, your partner integrations, and increasingly your AI-driven automation. If APIs stop working, the business stops breathing.

And breathing is the operative word here, because data is no longer oil, gold, or crown jewels - it is the new air. You cannot put it into a safe. If your scuba gear leaks, you do not lose profit, you suffocate and drown. APIs are that scuba gear because they keep your digital business alive. In other words, they are the new critical infrastructure.

APIs as lifelines, not endpoints

For years, we at KuppingerCole tried to explain that APIs are business interfaces, not developer conveniences. Progress was slow until generative AI arrived and made every organization rethink itself as an API provider. You cannot have an AI strategy without APIs. You cannot participate in modern ecosystems without APIs. Everything now talks to everything else through APIs, often with little oversight or governance. One can even say that, perhaps, too many things now come with an API.

This rapid expansion has created the most eclectic environment imaginable. REST next to GraphQL next to gRPC next to Kafka streams next to some forgotten SOAP service running in the basement because nobody dares turn it off. Hybrid deployments, multi-cloud regions, edge nodes, legacy monoliths… Shadow APIs that were never documented. Zombie APIs that should have been retired years ago. It is no longer a fortress but a gothic fantasy castle of Escherian architecture, complete with hidden passages and impossible trapdoors.

If you want a framing that boards actually respond to, stop talking about endpoints and start presenting products. Products have clear ownership, documentation, onboarding, metrics, customer support, and a lifecycle. Products can be marketed, improved, and sometimes monetized. Treating APIs as products is what turns a fragile ecosystem into something you can manage at scale.

Think of what Netflix did to movie piracy. They didn’t stop people from copying; they built a better experience with easy access, fair pricing, and built-in copyright protection. Every company today faces the same choice. Being “the Netflix of your digital assets” is not about hype, it is about beating the pirates. If you do not make your data easy to find, use, and trust, someone else will happily scrape it, resell it, or use it to train a model you will never benefit from.

Stronger gates, not higher walls

Once you recognize that APIs are delivering your air supply, the security discussion changes. Old perimeter thinking has no place in this world. The API has become the perimeter. And like any perimeter worth having, it needs gates, not walls.

Security that focuses on shutting things down is outdated. Security that ensures business processes work correctly is what accelerates growth. Preventing business logic abuse is far more important than blocking generic traffic. Demonstrating prevented fraud and avoided downtime is far more compelling than talking about compliance. Good API security lets you onboard partners faster, expose products more effectively, and operate across ecosystems without fear.

This is where identity becomes unavoidable. There has never been API security without identity. Not the old version with passwords and brittle login forms, but identity that spans devices, partners, contractors, customers, and now AI agents. Identity is what turns an exposed interface into a trusted business relationship. Continuous authorization, passwordless access, verifiable credentials, and unified identity fabrics. These are no longer optional because they are the trust layer for the entire API economy.

The supply chain you did not know you were running

APIs have become the new supply chain. If your partner is compromised, your business may be the one that makes the headlines. If your API is misconfigured, you might be the backdoor into someone else’s environment. Studies consistently show that API breaches cost far more than traditional data breaches because they reverberate across ecosystems.

In medieval terms, your enterprise is not a standalone castle anymore. It is now a part of a long chain of fortifications, and if one link breaks, everything collapses. The strongest fortresses are not the ones that build thicker walls; they are the ones with smarter gates where trusted allies can pass without exposing the whole kingdom.

That is the mindset shift the API economy demands. Not more tools or dashboards. You need real product thinking, real identity-centric security, and real governance. APIs are already where your business logic flows. They are already carrying your air. The question is whether you treat them as accidental plumbing or as the digital products that determine your competitiveness.

Because in these interesting times, only the latter has a future.

Together, they unpack:

✅ What IT governance really is — and how it bridges strategy and operations
✅ The differences (and overlaps) between strategy, governance, and compliance
✅ Why the “1.5 line of defense” model helps close crucial gaps
✅ The role of target operating models in making governance work at scale
✅ How to bring stakeholders, processes, and tools together effectively
✅ Practical steps to start improving governance today — without boiling the ocean

Whether you’re shaping governance for a large enterprise or just beginning to formalize your processes, this conversation delivers real-world insights from active advisory work with end-user organizations.

The good news: there is a way forward. Identity and Access Management (IAM), when coupled with API infrastructure, turns fragile endpoints into robust platforms. Treat APIs as real products with documentation, developer portals, and self-service onboarding, and adoption becomes a growth engine rather than a governance problem. IAM ensures every transaction, partner integration, and mobile app remains under control, even when your ecosystem starts to resemble a small country.

In this webinar, you will hear from three perspectives:

• Alexei Balaganski, Lead Analyst at KuppingerCole, will set the stage with market dynamics, emerging security trends, and why “just exposing APIs” is not a strategy.
• Jacob Ideskog, CTO at Curity, will explain how modern identity solutions enable secure and scalable API adoption, sharing best practices such as continuous authorization, passwordless authentication, and verifiable credentials.
• Elisabeth Falck, Head of Digital Business Enablers at If P&C Insurance, will share first-hand insights on how her organization successfully turned APIs into a true platform strategy.

This webinar is designed for IT leaders, architects, security professionals, and developers who want to build secure, scalable, and business-driven API platforms, and who are ready to move beyond the myth that “just publish an API” is enough.

The cybersecurity services market continues to evolve, driven by technology advancements, the emergence of new specialist providers, and consolidation among major players. KuppingerCole Analysts’ Research shows that the role of pure-play Identity and Access Management (IAM) specialists continues to adapt, as they navigate an evolving market shaped by both consolidation and diversification.

Two Disciplines, One Objective

IAM and cybersecurity share the same objective: protecting digital assets. Yet they differ in focus.

Cybersecurity services center primarily around protecting systems against threats and managing security incidents, typically through highly standardized processes and methodologies, utilizing technologies such as SIEM and XDR in the SOC.

IAM services, in contrast, primarily focus on the management of identities, related user accounts, and access entitlements. IAM is closely tied to business processes and governance, integrating deeply with HR systems, enterprise applications, and compliance frameworks, to enable secure access for everyone and everything to every service and application.

This deep integration with business processes and enterprise applications has kept IAM a distinct discipline within the broader security ecosystem. While cybersecurity service providers have expanded into identity-related service offerings, a distinction remains between standardized services and bespoke services that are tailored to the specific needs of individual enterprises. The more comprehensive aspects of enterprise identity governance and lifecycle components continue to rely on specialists’ domain expertise that is typically built over years of working in this field.

Complexity as a Differentiator

The complexity of IAM continues to create demand for specialized expertise. Enterprise IAM programs often require onboarding large numbers of systems, documenting and redefining application-level access models, and aligning controls with regulatory requirements such as DORA (EU Digital Operations Resilience Act), NIS2 (Network and Information Security Directive 2), or SOX (Sarbanes-Oxley Act).

Delivering these programs involves close collaboration with business stakeholders and a nuanced understanding of regional and operational context. Large enterprises often face differences across subsidiaries, countries, and regulatory environments. These elements cannot easily be standardized or offshored.

Global system integrators and managed security service providers commonly operate with centralized delivery models designed for efficiency and scale. IAM implementations, however, tend to be more bespoke, reflecting each organization’s business and technical environment. This distinction helps explain why generalist cybersecurity providers still rely on specialized IAM partners for implementation and operational support.

An Evolving Market creates Opportunities

The identity and cybersecurity markets are continuously evolving, shaped by both consolidation and diversification. On one hand, platform vendors are expanding their portfolios through acquisitions, for example Palo Alto Networks’ move into identity security through its (in-progress) acquisition of CyberArk.

At the same time diversification continues as new vendors and start-ups emerge in areas such as Non-human Identity Management (NHI Management), Identity Visibility and Intelligence Platforms (IVIP), Identity Threat Detection and Response (ITDR), and many more. These developments increase the overall complexity of the ecosystem.

Organizations need experienced system integrators who can maintain control over identities and access entitlements across diverse architectures and governance models. For IAM specialists, this development presents an opportunity: as the environment becomes more complex, market entry barriers for generalist service providers rise, further reinforcing the value of deep specialized expertise.

The Emerging Bridge: Identity Threat Detection & Response (ITDR)

ITDR has emerged as a logical connection between IAM and Cybersecurity. Unlike Extended Detection and Response (XDR), which focuses on event correlation and anomaly detection, ITDR requires a higher level of specialization. It integrates identity signals and telemetry with contextual information about entitlements, roles, and even business processes to detect credential misuse, privilege abuse, and unusual access behavior.

For IAM specialists, this represents a natural extension into cybersecurity operations while remaining close to their core domain. Furthermore, ITDR provides a way to meet customer expectations for continuous monitoring and identity-centric security operations

By combining IAM’s understanding of users and entitlements with real-time threat visibility, ITDR connects access control with incident detection and response, effectively linking identity management with security operations.

IAM Service Specialization remains Attractive

Our research indicates that IAM-focused providers continue to hold a strong, defensible position in the market. As evolution shapes the broader cybersecurity landscape, identity-focused system integrators and service providers stand out for their unique position in the identity security services market. Various factors underpin this position:

1. Regulatory alignment: Organizations in highly regulated industries prefer partners who understand regional compliance frameworks and audit requirements. Knowledge of regulations helps ensure that identity solutions meet legal and business needs.
2. Local and regional presence: Customers value partners who understand local and regional conditions, language, and influencing factors, such as local regulations, as well as the ability to collaborate on-site when needed. This proximity builds mutual understanding, and enables faster, more effective project execution.
3. Vendor specialization: IAM system integrators differentiate themselves through deep experience and technical expertise with selected vendors and their complex solutions, supported by strong integration capabilities across platforms.
4. Skills shortage: The limited global pool of experienced IAM professionals continues to drive demand for specialized expertise, reinforcing the market relevance and defensibility of established IAM specialists.

These factors can create lasting client relationships and recurring service models. IAM solutions are typically tailored to the needs of each organization and include client-specific customization, which makes standardized and scalable managed services difficult to realize. Still, long-running implementation projects and continuous operational support naturally foster longer-term customer relationships and sustained revenue streams.

Outlook: Defensibility in an Evolving Market

The relationship between identity and cybersecurity is close. As organizations move toward identity-centric security architectures, the boundaries between these disciplines will continue to blur.

Despite this evolution, IAM specialists are likely to remain well positioned. The growing complexity of identity environments, driven by developments such as Policy-Based Access Management (PBAM), Identity Threat Detection & Response (ITDR), and Non-Human Identity (NHI) Management, continues to require deep domain expertise that might not easily be standardized or automated. Regulatory and geopolitical factors, including EU-Sovereignty trends and data residency requirements, further reinforce the value of regional knowledge and delivery expertise.

As identity is moving towards becoming the control point for access and risk-based decision-making, IAM specialists have an opportunity to shape what identity-security looks like in practice. The future lies not in being absorbed into the larger ecosystem, but in making the ecosystem function by connecting its many parts through identity.

They unpack:

✅ Why cyberattacks surge during holidays
✅ How to close your organization’s biggest security gaps
✅ The importance of automated responses and real-time monitoring
✅ Why good backups (and tested restores!) still matter
✅ How a “cyber health check” can save your business from disaster

📈 Whether you’re a security professional or a business leader, these insights will help you strengthen your defenses during the holidays and beyond.

In this episode, Matthias Reinwarth and Warwick Ashford explore IPSIE (Interoperability Profiling for Secure Identity in the Enterprise), how it improves interoperability, enforces secure defaults, and provides measurable maturity levels for enterprise identity management.

Key Topics Covered:

✅ What IPSIE is and why it matters for enterprise identity 🧠
✅ How fragmentation of SaaS and cloud identity systems increases risk
✅ Opinionated profiles and secure, consistent standard implementation
✅ Maturity levels for session lifecycle, account lifecycle, and entitlements
✅ How IPSIE fits into the broader Identity Fabric strategy
✅ Current limitations: focus on human identities and next steps for non-human accounts

IPSIE doesn’t reinvent identity standards, it helps organizations implement what they already have consistently and securely, creating a foundation for stronger enterprise security.

Once again, I recently found myself in Las Vegas attending Oracle’s flagship conference, now rebranded as Oracle AI World. The new name alone invites a debate. Was it a bold statement of intent or simply a sign that the world’s AI fever has reached its final stage? After all, recent studies suggest that the majority of corporate AI initiatives never make it past the pilot phase, and hype fatigue is already setting in across many businesses. Oracle, interestingly, does not even build its own AI models. So why double down on this branding so aggressively?

From Cloud to Context: Oracle’s Grand AI Vision

That question lingered with me as I remembered my earlier visit to the Red Bull Racing factory in England (incidentally, the team is currently competing as Oracle Red Bull Racing, but my visit wasn’t related to that fact at all). I’m not a Formula 1 enthusiast by any measure, but that experience was a revelation. The success of a race, I learned, isn’t determined solely by having the best driver or the most powerful engine. Behind every victory lies a huge ecosystem extending way beyond their HQ in Milton Keynes: engineers, data analysts, designers, pit crews, and hundreds of other specialists working in perfect sync.

And the team doesn’t even manufacture its engines, yet it wins because it excels at orchestrating every other part of the system. That, I realized, was precisely what Oracle was trying to say with its new AI story.

As usual, Larry Ellison’s keynote dominated the entire event and set the tone for many discussions. It was long, visionary, and occasionally meandering, but behind the surface was a surprisingly strong argument. Ellison believes that the next frontier of AI isn’t model creation, but data contextualization. The companies building massive language models may make headlines, but the real value lies in connecting those models to the right data: private, high-value, business-critical enterprise information.

That is where Oracle comes into the competition. Most of the world’s critical data already lives in Oracle databases, and the company’s mission now is to make that data accessible to AI models without ever losing control of it. For the rest of the world’s enterprise data, the company is now offering an open, standard-based data platform to bring it into a single, governed foundation.

Rather than entering the overcrowded race to build yet another large model, Oracle is betting that the real winners will be those who provide safe access to intelligence, allowing any model to reason on enterprise data while preserving privacy, sovereignty, and compliance.

Oracle AI Database: Where Data and Intelligence Meet

At the heart of this strategy is the new Oracle AI Database 26ai, which represents a fundamental architectural principle for the company. Rather than treating AI as an external workload, Oracle now embeds AI capabilities directly into the database engine. This eliminates the need to move sensitive data between systems, reducing latency and exposure while all security and access controls remain consistent at the data layer.

A central new feature, AI Vector Search, enables semantic understanding and similarity search across documents, images, and structured data. Unified retrieval across relational and vector data using familiar SQL allows enterprises to use techniques such as retrieval-augmented generation (RAG), where large language models can query the database for precise, contextual information before generating responses.

Oracle has also introduced in-database AI agents, autonomous components capable of executing reasoning tasks natively within the database, inheriting its transactionality, governance, and auditability. Specialized AI assistants for management, diagnostics, security, and knowledge retrieval make the database more accessible to both DBAs and less technically inclined users.

Security, privacy, and compliance are deeply woven into this architecture. The database now supports Trusted Data APIs to strictly control what information AI models can access, significantly reducing the risk of unintentional data leaks or prompt injections. AI-specific controls limit what large models can consume or produce and prevent sensitive data from leaving its controlled environment. Oracle has even gone a step further by implementing NIST-approved quantum-resistant algorithms, giving the platform cryptographic agility against emerging post-quantum threats.

The Lakehouse for the Age of Open AI

One of Oracle’s most substantial announcements at AI World was the new Autonomous AI Lakehouse, designed to bring a new level of openness and intelligence into the company’s data architecture. Integrating natively the open Apache Iceberg data format into Autonomous AI Database makes Oracle’s analytical and AI capabilities fully interoperable with the broader ecosystem, allowing data to be shared across Databricks, Snowflake, and other Iceberg-compatible platforms without conversion or lock-in.

The system automatically caches frequently accessed data in Oracle Exadata flash storage while maintaining transactional consistency, bridging the gap between data lakes and traditional databases. Existing users of Oracle Autonomous Data Warehouse are automatically upgraded into AI Lakehouse without any effort.

A Federated Catalog of Catalogs adds another layer of openness, enabling seamless discovery and query federation across multiple Iceberg catalogs. Finally, integrated GoldenGate replication supports real-time movement of operational data into open AI Lakehouse formats so that analytics and AI workloads always operate on current information.

Altogether, the Autonomous AI Lakehouse represents Oracle’s pragmatic shift toward open, federated data infrastructure that treats interoperability not as a concession but as a competitive advantage. Further demonstrating openness, Autonomous AI Lake House is a multicloud lakehouse to the fullest extent, available on OCI and within AWS, Azure, and Google Cloud data centers.

Building a Unified Foundation for Enterprise AI

Complementing its Oracle AI Database and Autonomous AI Lakehouse innovations, Oracle also unveiled the Oracle AI Data Platform: a unified environment for developing, deploying, and operating AI and analytics workloads at scale. While the Autonomous AI Lakehouse focuses on open data architecture on any cloud, the AI Data Platform brings Autonomous AI Lakehouse, GenAI models, Open Source engines and frameworks together into a cohesive, enterprise-ready foundation built on OCI and designed to work with data from anywhere.

The platform consolidates structured, unstructured, historical, and real-time data into a single governed environment. A Unified Catalog manages all data assets, AI models, and agents across the organization, providing consistent security, lineage, and compliance. Built-in support for open-source engines like Spark and Flink allows teams to combine Oracle’s high-performance Autonomous AI Database with widely used data processing frameworks.

A Developer Workbench provides a single workspace for data engineering, model training, and agent development, with AI-assisted notebooks supporting multiple languages and seamless integration with Git for version control. The Workbench also includes no-code and pro-code experiences for defining and deploying intelligent agents that can orchestrate data workflows, trigger business processes, and deliver insights through natural-language interfaces. 

Next year, the Agent Hub will offer a unified conversational interface for business users across departments and systems. It abstracts the complexity of navigating many agents, interprets requests, invokes the right agents, presents recommendations and enables immediate action. Together, these layers form an end-to-end environment for turning enterprise data into trusted, actionable AI-powered intelligence, open in architecture but tightly integrated in governance and security.

The Real AI Race: Agility Over Size

I believe it is increasingly clear that the industry’s obsession with comparing model sizes and parameter counts is becoming irrelevant. The pace of AI innovation is so ferocious that the “largest model in the world” rarely stays on top for more than a few months. Eventually, enterprises will shift their attention to other priorities: sustainability, efficiency, sovereignty, and, above all, adaptability. The ability to reconfigure architectures, replace components, and scale responsibly will define the next generation of AI leaders.

This is where Oracle’s strategy feels pragmatic. By focusing on AI agility rather than model supremacy, the company is investing in an ecosystem that can evolve as fast as the technology itself. Oracle doesn’t need to build its own AI models; it needs to integrate the best components from an open ecosystem, tune the infrastructure, and design it so that everything, from the cloud to the data layer, is optimized to deliver performance, reliability, and trust.

Whether we are still climbing the “peak of inflated expectations” or already sliding down the “trough of disillusionment,” one thing is certain: AI will continue to reshape how data is managed, protected, and monetized. When the dust settles, enterprises will rediscover that intelligence without integrity is a liability, and that agility, openness, and trust will matter far more than model size or GPU count.

In his closing statement, Ellison said, “If AWS won the cloud wars by democratizing compute, Oracle now aims to win the AI wars by democratizing intelligence.” It’s an ambitious claim, but also a realistic one. The company isn’t trying to build the brain of AI, but the circulatory system that keeps it alive. And perhaps that’s the real lesson from Oracle AI World: you don’t have to build the engine to win the race. Instead, you need to design the track where intelligence runs best.

Continuous authentication and ITDR flip the model: from static checkpoints to continuous proof of identity and intent. Behavioral biometrics, context-aware access, and identity telemetry expose compromised users just like compromised devices. The silos must break. IAM and SOC must unite around the human.

Alejandro Leal, Senior Analyst at KuppingerCole will provide a strategic perspective on the shortcomings of traditional IAM and Zero Trust architectures. He will highlight how fragmented stacks leave the human endpoint unprotected, discuss the role of continuous authentication and ITDR in mitigating this risk, and share best practices for integrating identity intelligence into SOC operations.

Alex Coco, Global Solutions Architect at Veridium will explain how VeridiumID addresses these challenges with a unified solution. He will illustrate how behavioral biometrics, continuous checks, and human endpoint detection create actionable visibility for both IAM and SOC teams. Concrete use cases will demonstrate how enterprises can strengthen assurance without increasing friction for users.

This webinar is ideal for security leaders, SOC and IAM professionals, and IT decision-makers who want to close Zero Trust gaps and protect the human endpoint with continuous authentication and ITDR. As phishing-resistant bypasses, session hijacking, and insider threats continue to evade static defenses, organizations need to evolve from one-time authentication to continuous proof of identity and intent. By uniting IAM and SOC practices through continuous authentication, behavioral biometrics, and ITDR, participants will learn how to detect compromised users in real time and close the critical blind spot attackers exploit.

Oded Hareven, CEO & Co-Founder at Akeyless will show how enterprises are already making this leap. He will present how Akeyless’ SecretlessAI solution dismantles the dependency on static secrets, enabling organizations to cut risk, simplify operations, and secure AI workloads without slowing down innovation. Oded will share real-world insights from enterprises that dared to go Secretless.

SOC teams are drowning in events and alerts coming from their various underlying threat and vulnerability detection systems. In many SOCs this volume far outstrips their triage and investigative capacity. Many surveys show that alerts are so numerous that the majority are strategically ignored to stop infinite queue growth. One report found that SOC teams receive 3,832 alerts per day on average, with 62% of those ignored. That’s a key operational gap SOAR is meant to close.

What SOAR is in 2025

SOAR—Security Orchestration, Automation, and Response—transforms detections to understanding, decisions, and actions. SOAR systems ingest events and alerts, enriches them with context, supports analysis, orchestrates cross-tool/cross-team workflows, and drives incident response to resolution. The SOAR category of security solutions emerged in the 2014/2015 timeframe and has worn many labels along the way (TRO, IRAP, CRA, SecOps automation, and others) but I’ll use SOAR throughout for clarity.

Why SOAR remains a high priority

You can’t scale a 24×7 SOC function with headcount alone; even well-staffed enterprises run out of people. For enterprises with more than 5K employees, a “typical” in-house SOC has approximately 11-25 people already. It is not reasonable to expect to get more people to throw at this problem.

In today’s enterprise, made up of on-premises, cloud and SaaS applications, remote and hybrid staff, thousands or even millions of identities, and the recent explosive rise of AI, this growing attack surface keeps pushing threats and thus security events and alerts up.

The result is that defenders need smart(er) automation to keep pace while also improving detection and response efficacy. In my conversations, I hear the same goals: shrink MTTR, cut false positives while not increasing false negatives, keep approvals and audit trails tight, and make playbooks creatable and maintainable by more than one “hero” automation engineer. Enterprises confirm they simply “can’t throw people at the problem” anymore.

The SOAR market has matured over these past 10 years. There are now dozens of offerings and vendor go-to-market strategies, reflecting the age-old buyer decision conundrum of “best of breed” or “integrated security platform”. But there is also an ongoing twist to this historically binary choice, with some vendors (and independent managed service providers) providing outsourced SOC services as managed detection and response (MDR) services. With some SOAR/MDR providers also enabling 3rd-party MDR providers with their SOAR and broader security stack. The bottom line is that there are many automation solution options from which enterprises can choose!

Thus, a key enterprise buying decision for 2025 and beyond, select a SOAR that is:

• Best-of-breed
• Part of a broader security platform
• Delivered as part of an outsourced, SOAR-enabled MDR service?

This is one question I plan to help answer as part of my in-process research.

The basic capabilities of SOAR have stabilized—but how they provide them is evolving

Across all SOAR products, three pillars of core capabilities show up consistently:

• Event/alert collection, correlation, enrichment, and analysis
• Orchestration and automation across security and IT systems and organizations
• Case management and incident response/mitigation (both automated and human-in-the-loop)

What is changing is how teams deliver these capabilities, as AI quickly enters the SOAR realm.

AI in SOAR: assistive now, more autonomous later?

On the defender side, chat interfaces and task-specific agents are becoming common tools for analysts and responders. What will AI ultimately enable? Perhaps faster enrichment, triage, and summarization, smarter next-step suggestions, more reliable alert prioritization, and safer automation with/without human involvement. But how to do this safely with non-deterministic, black box AI systems?

What I’m researching now (and how to weigh in)

Over the coming months, I’m building an updated KuppingerCole Leadership Compass on SOAR to publish in early 2026. In this Leadership Compass, I will assess:

• The operating models that work and for whom (standalone, embedded, hybrid, MDR/outsourced led)
• How playbook and workflow authoring and maintenance scales (versioning, testing, drift control)
• Integration coverage, functionality, and ease of expansion.
• Evidence, auditability, and reporting that prove improvement and value
• Where AI helps today—and how far down the AI-based automation road SOCs can go in the near future.

If you have a SOAR product, customer stories, hard metrics, or a contrarian view, I’d love to hear it. SOAR vendors with a dog in this fight: please reach out and take part.

Matthew Gardiner is a Fellow Analyst at KuppingerCole covering security operations, identity, and the intersection of AI and automation. This article kicks off a series leading to the 2026 Leadership Compass on SOAR.

Composable, cloud-native CIAM turns identity from a bottleneck into a growth driver. Modular identity services let organizations adapt quickly to new business models, support internet-scale demand, and align identity with evolving compliance and technology needs—all while future-proofing for AI-driven and agentic use cases.

In this session, John Tolbert, Director of Research and Lead Analyst at KuppingerCole, will chart the evolution of CIAM as a business enabler. He’ll show how composable architectures give enterprises the flexibility to adapt to increasing complexity—across business requirements, compliance, and tech stacks—and why forward-looking organizations are using identity to prepare for the next wave of innovation.

Jeff Hickman, Head of Customer Engineering at Ory, will share how OpenAI scaled identity to hundreds of millions of weekly users and how Axel Springer achieved a 10x jump in registrations. He’ll also give practical guidance on modernizing CIAM with Ory’s ecosystem and deployment models—enabling enterprises to stay agile and aligned with long-term growth.

In this episode, Matthias Reinwarth and Martin Kuppinger explore how organizations can design future-ready identity fabrics, avoid tool sprawl, and build the platformized IAM architectures needed to thrive in a fast-changing digital landscape.

Key Topics Covered:

✅ What the “Identity Fabric 2040” means for IAM strategies 🧠
✅ The rise of orchestration, signals & API-first design
✅ Avoiding IAM tool sprawl and capability duplication
✅ Platformization vs. best-of-breed: what really works?
✅ Why outcome-driven IAM is the only sustainable approach
✅ How signals redefine authentication, authorization & user experience

💡 Your IAM decisions today shape the next 15 years. Are you building for 2040—or already falling behind?

The discussion highlights how even well-established organizations can become targets of sophisticated, long-term attacks — and what this means for the future of software supply chain security.

Together, Matthias and Jonathan examine how incidents like this can happen, what lessons can be learned across the industry, and how companies can strengthen resilience, transparency, and response capabilities in their own environments.

Key topics covered:

✅ Understanding the dynamics of modern supply chain attacks ⚠️
✅ Why detection and dwell time remain a major industry challenge
✅ The growing importance of vendor risk and software transparency
✅ Lessons learned for CISOs and IT leaders
✅ Practical measures to improve visibility and response
✅ Why collaboration and information sharing are key to resilience

🕸️ Even trusted systems can hide a few ghosts — are you ready to uncover yours?

ASM includes four core areas: 1) External Attack Surface Management (EASM), which identifies internet-facing assets such as domains, IP addresses, and applications; 2) Cyber Asset Attack Surface Management (CAASM), which focuses on internal and external assets, as well as cloud resources and misconfigurations; 3) Third-Party Risk Management (TPRM), which examines supply chain risks inherited from vendors, partners, and subsidiaries; and 4) Digital Risk Protection (DRP), which tracks external threats, such as phishing domains, social media impersonation, leaked credentials, and brand abuse. Together, these capabilities provide security teams with an attacker's view of their environment and help them understand their vulnerabilities and prioritize issues proactively.

In 2025, ASM is no longer just about visibility. Organizations need solutions that provide context, prioritization, and remediation to stay ahead of emerging threats. This webinar explores why continuous, ownership-aware discovery is becoming a baseline requirement and how industry trends are pushing cybersecurity strategies toward risk-based, attacker-perspective approaches.

Osman Celik, Research Analyst at KuppingerCole, will share key insights from the latest Leadership Compass on ASM. He will discuss how the market is evolving and what sets leaders in this field apart. Additionally, he will explain why risk mapping is becoming a key capability for vendors and how it contributes to effective remediation strategies.

Rob Gurzeev, Co-Founder and CEO at CyCognito, will share the company’s perspective as one of the leaders in the KuppingerCole Leadership Compass. He will outline how continuous, ownership-aware discovery helps close blind spots, why surface scans fall short, and how attacker-first strategies shape the future of ASM. He will also highlight why CyCognito is recognized as one of the most innovative vendors in the ASM market and demonstrate the capabilities that set it apart.

If you’ve ever chuckled at a meme about a “stupid AI,” you’re not alone. They’re everywhere - and most of them completely miss the point. What they usually show isn’t the failure of artificial intelligence, but the failure of humans to give it the right guidance.

The real problem isn’t that AI can’t think; it’s that we keep expecting it to.

The illusion of intelligence without supervision

Artificial intelligence remains a creature of its data and design. It’s excellent at spotting anomalies - but has no clue what those anomalies actually mean. Take enterprise systems such as SAP: an AI might flag the spike of end-of-year transactions in finance as a suspicious deviation, while any human accountant would instantly recognize it as standard procedure.

This is precisely where today’s Security Operations Centers (SOCs) reach their limits. AI systems are flooded with countless alerts and “risk signals,” often stripped of the context that gives them meaning. Correlation across systems is still far from perfect. As a result, it is (or should be) up to human analysts to fill in the blanks - adding the missing context, interpreting intent, and reconstructing what’s really happening.

The challenge: until there is enough contextual understanding, increasing the degree of correlation may actually make things worse. It can lead to misleading results, simply because the growing volume of data makes it harder to extract meaning. And if only limited human feedback is available, AI will start to generalize everything in that narrow frame - interpreting unrelated signals as if they were, for instance, end-of-year financial activities - until the next wave of contextual learning comes along, such as operational changes during a summer factory shutdown. In essence, there is a widening gap between massive data volumes and scarce human feedback, a gap that cannot be bridged at scale.

In this environment, human analysts play a crucial role - not only by providing context, but by continuously refining and adjusting rules, integrating domain knowledge, and offering the qualitative insight that AI systems still lack. Over time, these efforts enable the models to deliver more meaningful and accurate responses. The outcome is not necessarily fewer human tasks, but more complex and more valuable ones, as they provide the understanding AI still depends on to make the right decisions.

To fix this, we don’t need “smarter” AI. We need better-trained AI - systems that are not just fed with data but guided with context. Supervised learning, refined through ongoing human feedback, allows AI to slowly grasp why certain anomalies are harmless while others are worth an alarm. It’s not the size of the dataset that determines success, but the depth of understanding built into it.

The limits of shared learning in a world built on context

Some argue that massive datasets - like those collected by large security vendors - will eventually solve this problem. That approach only works in areas where the data itself carries meaning, such as network telemetry or known threat patterns. Once business context enters the picture, everything changes - and it inevitably has to. The point is simple: the moment you want to work in a truly risk-based way, business context must become part of the equation.

Every enterprise has its own logic, processes, and operational rhythms. Much may look similar across organizations, yet the willingness to share business context quickly fades once questions of sensitivity arise. It is difficult to draw a clear line between what counts as generic context and what constitutes confidential, strategic, or competitive information that must remain internal. As a result, cross-enterprise AI learning - while effective in areas like network security - largely fails when it comes to domains shaped by business context.

The human in the loop is here to stay

The real takeaway is that AI does not - and will not - replace human expertise in domains that depend on understanding nuance, context, and intent. Its task is to learn continuously and, over time, to narrow the range of situations that still require human judgement. In security operations, for instance, AI should aim to eliminate false negatives, minimize false positives, and deliver only those alerts or events to analysts where human insight truly makes the difference.

Looking at this from a broader perspective, the myth of a “fully automated workforce” dissolves quickly. AI can execute rules, but it cannot create them without instruction. Future human jobs will therefore not vanish - they will evolve. One of their most valuable forms will be continuously teaching AI the complex rules of the real world- something only genuine, experience-based human expertise can provide - translating human expertise into structured knowledge that machines can actually use.

When bad input meets bad output

The many laughable AI-generated phishing and spam attempts flooding inboxes today are living proof of this. Contrary to many expectations, they aren’t better or more convincing – they are just differently bad. And it hardly helps to counter bad AI from attackers with equally bad AI on the defenders’ side. The reason remains the same as before: poor training data, weak supervision, and a lack of domain-specific refinement - this time in the worlds of fraud and social engineering.

AI is only as intelligent as the human effort invested in shaping it. Until we stop treating it as an oracle and start treating it as an apprentice, the memes will keep writing themselves - and the real stupidity will remain entirely human.

In this speaker spotlight, Kashif reveals why protecting identity means protecting everything — and how psychology, deepfakes, and synthetic identities are redefining what “trust” means in the digital age.

You’ll learn:
✅ Why identity is the “crown jewel” of security — and what happens when attackers steal it
✅ The biggest identity challenge in global financial services today
✅ How social engineering and psychology fuel the most effective cyberattacks
✅ Why deepfakes and synthetic identities are the next major frontier in fraud
✅ How small daily habits — not just technology — help build lasting digital trust

📌 Don’t miss Kashif’s session at Identity-Centric Cybersecurity Impact Day 2025, where he’ll share how financial institutions like Nomura protect identity, combat emerging threats, and preserve trust in an AI-driven world.

Osman Celik, Research Analyst at KuppingerCole, will share insights from his latest Leadership Compass on WAAP and its growing importance in modern cybersecurity strategies. He will discuss the transition from WAF to WAAP, the essential capabilities, and the latest updates from the market. The session will also cover vendor differentiators and innovations shaping the WAAP market.

How Organizations Bounce Back from Cyber Incidents

“Everyone has a plan until they get punched in the face.” — Mike Tyson

The same is true for cyber incidents. Having a response plan is essential, but the real test comes when your organization is hit by a cyber-attack. Organizations that have invested in cyber resilience are the ones that stay standing when the punch lands.

In October the UK National Cyber Security Centre (NCSC) published its annual report. This makes for uncomfortable reading, reporting an increasing number of nationally significant cyber-attacks this year. These include attacks on the major retailers Marks & Spencer (M&S), and the Co-op Group, as well as the motor manufacturer Jaguar Land Rover (JLR) which have resulted in major disruptions and significant financial costs.

Most of the commentary around cyber incidents dwells on their impact, the cancelled orders, disrupted manufacturing, and even bankruptcy. But in this blog, I will describe how organizations bounced back when an incident occurred. It will focus on resilience, what real organizations have done right, and the lessons others can take away.

Cyber Resilience

Cyber resilience is about more than just stopping attacks — it is about bouncing back from them. It is the ability of an organization to keep operating, recover quickly, and adapt when faced with disruption. True resilience blends technology, people, and process: strong defenses, well-rehearsed recovery plans, clear communication, and a culture that learns from every incident to come back stronger.

While organizations often invest heavily in cyber protection processes and technologies official statistics show less investment in resilience.

• According to the UK government cyber security breaches survey 2024 only 22% of UK businesses have a formal incident response plan in place (rising to 73% for large firms). Even basic IR processes (clear roles, reporting guidance) sit at ~30–37% adoption.
• The European Court of Auditors found preparedness across EU institutions “not commensurate with the threats,” with key controls not implemented and “a number of EUIBAs clearly underspending on cybersecurity.”

According to the 2025 IBM Cost of a Data Breach report “Among the organizations that had fully recovered, 76% said the recovery took longer than 100 days”. This illustrates the need for improved cyber resilience.

Business Process Resilience

As business processes have become digitized the way they were done before is often forgotten. Having another way to perform the most important business processes in the event of a cyber incident is a key element of resilience.

• When the aluminum smelter Norsk Hydro was hit by a ransomware attack in 2019, they were able to keep the production processes operating using the knowledge of retirees and former employees using a paper-based system.
• During the 2025 cyber-attack on M&S, they were able to keep their stores open by moving some of their processes and systems offline.

Data Resilience

Data backup, often seen as the last line of defense against cyber-attacks, takes on a strategic role in this context. A well-planned backup strategy, whether to a cloud or physical location, provides your organization with resilience against not only cyber threats but also other risks to your business continuity.

• In October 2023, The British Library was hit by the Rhysida ransomware group, leading to extensive server encryption, data exfiltration, and a full lockout of many networked systems. While many systems were down, non-IT/onsite services (events, exhibitions) continued in degraded or offline mode, showing that they had fallback arrangements. According to the report into the incident, they were able to identify viable sources of backups from which data could be recovered.
• In another example, reported by Bandicoot, in August 2025, a medium-sized UK trading company suffered a ransomware attack. The attack encrypted multiple user computers and the main server, leaving critical files inaccessible. Immutable backups prevented major data loss, and business downtime was minimized.

Prepare and Practice Incident Response

Proper preparation and practice prevent problems from getting worse. Your organization needs a well-prepared incident response plan with clearly defined people, processes and responsibilities. You may also need to have set up arrangements with cyber-incident response specialists to help.

• Microsoft published an example case study of how their incident response teams helped a customer following a ransomware attack in November 2024.
• In the UK, Gloucester City Council published a report on their recovery from an incident that was due to a single spear phishing email that was inserted into an existing email chain with a supplier. More on this later.

Pen and Paper

The UK NCSC recommends that organizations have a cyber incident plan on paper because, when a cyber incident occurs, you cannot depend on access to your systems. This includes email, messaging, and internet-based phones. You must have access to your plan and have prepared how you will communicate in advance.

• In 2021 Health Services Executive (HSE) was hit by Conti Ransomware. The PwC / HSE Independent Review reports that “Normal communication channels, both at HSE’s national center and within operational services were also immediately lost… Staff switched to communicating using mobile and analogue phones; fax; and face to face meetings.
• In March 2025, the Polish Space Agency (POLSA) suffered a cyber-attack and, according to reports “staff are being told to use phones for communication instead of email”.

Out with the Old

Most organizations have an archeology of IT systems. These legacy systems may still work but the software may not be supported, and replacement parts may be difficult to obtain. Another complexity when a cyber-incident occurs is personalization. Bespoke configurations of commercial off the shelf software can be difficult to recover.

• The report into the incident at the British Library identified that their reliance on legacy infrastructure was the primary contributor to the length of time that the it took to recover from the attack.
• One of the lessons learned by Gloucester City Council in the report on their cyber incident was “the danger of customizing applications to fit local needs as this caused ongoing compatibility issues between off-the-shelf versions and backed-up files”.

Clean Rooms and Cloud

One of the major problems when recovering from a cyber-attack is to be sure that you have removed all the malware. This has led to vendors offering “clean room” recovery services. These are usually hosted in a cloud and replicate the customer’s clean applications.

• In the Gloucester City cyber-incident, the council was running a hybrid system. The cloud-hosted applications were not affected except where they interfaced with data held on the council’s own server.
• Data backup to cloud also provides an air gap as well as immutable storage that helps to ensure clean restoration and recovery.

Learn and Improve

In all the examples where organizations have recovered from a cyber-incident, they report that they have learnt from the experience. Most commonly they learned that their organization is a target. Many previously did not think they were significant enough to be one. Every organization took steps to improve their cyber defense capabilities as well as their incident response plans.

Opinion

Organizations now face a constant barrage of cyber-attacks. It is essential that they not only invest in strong protection against these threats but also build cyber resilience into their business systems. Cyber resilience is different from high availability; cyber resilience builds rapid recovery from failure into the design and implementation of critical business systems. In this blog I have touched on the lessons that can be learnt from organizations that have recovered from cyber-attacks.

By learning from these examples your organization can strengthen business continuity and resilience against cyber-threats. To explore best practices in cyber resilience, join us at Identity-Centric Cybersecurity Impact Day 2025 in Frankfurt November 6th, 2025.

Today, Martin shares how leaders can strengthen their cybersecurity posture by integrating identity deeply into their security frameworks — and what lessons IKEA learned while rolling out large-scale identity programs across the globe.

You’ll learn:
✅ Why attackers increasingly target identity — and how AI-driven phishing amplifies the threat
✅ How to build a resilient, defense-in-depth strategy that anticipates inevitable compromises
✅ The importance of change management in global identity rollouts
✅ Where organizations often struggle when aligning IAM and cybersecurity teams
✅ Practical steps to make life harder for attackers — while keeping employees on board

📌 Don’t miss Martin’s session at Identity-Centric Cybersecurity Impact Day 2025, where he’ll share real-world lessons from IKEA’s journey and how to turn identity into a true enabler of security.

Enterprises can no longer assume fraud looks like bots hammering login forms. They must prioritize intent-based detection, explainable risk engines and low-friction defenses that address account takeover, policy abuse and sophisticated merchant fraud across the digital journey.

John Tolbert, Director of Research and Lead Analyst at KuppingerCole Analysts will share insights from the 2025 Leadership Compass on FRIP platforms. He will cover major market shifts such as fraud spreading beyond finance, the growing use of AI in scams and the rising importance of governance. John will also outline which FRIP capabilities leaders should prioritize to stay prepared for the agent era.

David Mahdi, Chief Identity Officer at Transmit Security will explain how enterprises can respond with a new fraud playbook. He will introduce Transmit Security’s Mosaic Platform and Predictive AI, designed to counter GenAI threats with real-time intent scoring, policy-abuse detectionand fraud-first CIAM integration. David will also share real-world results showing reduced fraud, lower costs, and better customer experiences.

The future of governance is not about more policies but about embedding technology into accountability. Automation, continuous monitoring, and integrated risk dashboards turn governance from a checkbox activity into a living framework. By linking compliance, strategy, and daily IT operations, companies can create models that are measurable, transparent, and adaptable to disruption.

Kai Boschert, Senior Advisor & Deputy CISO at KuppingerCole challenges common misconceptions around IT governance. He exposes why traditional approaches fail, demonstrate how to balance regulatory requirements with business agility, and outline methods to make governance an enabler rather than a bottleneck. Kai also shares case insights on scalable, real-world governance practices.

Modern technology allows a modular “buy and build” strategy: leveraging best-in-class components for core security like API protection while building the remaining stack around existing identity infrastructure. This hybrid model helps balance control, compliance, and performance.

Alejandro Leal, Senior Analyst at KuppingerCole will provide an industry analyst’s perspective on the challenges enterprises face in authorization modernization. He will discuss current trends, regulatory drivers, and best practices for balancing security, interoperability, and business agility. He will illustrate how a modular strategy enables greater control over identity, enhanced user experience, and more sustainable compliance across API-heavy environments.

Ali Adnan, Co-founder of Authlete, and Zulfiqar Ahmed, Vice President of Product at Authlete, will share how organizations are applying the buy-and-build model. They will present real-world examples from financial services and media, including Nubank and DPG Media, and explain how to seamlessly integrate API-first authorization into existing architectures without sacrificing control or security.

The fractured state of enterprise identity

Identity continues to be the biggest vulnerability in enterprise security. The majority of breaches still involve compromised credentials, yet most organizations wrestle with fragmented and inconsistent identity systems. Enterprises depend on multiple Software as a Service (SaaS) applications, each with its own approach to Single Sign-On (SSO), provisioning, and session management. Developers often face a patchwork of protocols, optional features, and provider-specific requirements that make integration error-prone and governance difficult. This complexity fuels identity sprawl, increases operational overhead, and leaves dangerous gaps in access control.

Why standardization is needed now

The absence of a common framework for identity security has long been a weakness. Protocols such as Security Assertion Markup Language (SAML), OpenID Connect (OIDC), and System for Cross-domain Identity Management (SCIM) provide the building blocks, but their flexibility is a double-edged sword. Too much optionality means implementations diverge, creating interoperability issues and security blind spots. Enterprises struggle to achieve consistent outcomes such as secure provisioning, predictable session lifecycles, and reliable signal sharing. Developers face repeated work to adapt to each integration, while security teams face uncertainty about whether controls are being enforced in practice.

Against this backdrop, an OpenID Foundation working group aims to provide a unifying standard. Backed by Okta, Microsoft, Ping Identity, Beyond Identity, SGNL, Capital One, Cisco’s Duo Security division and others, the initiative promises to simplify and harden enterprise identity security.

What IPSIE is and why it matters

The OIDF Interoperability Profiling for Secure Identity in the Enterprise (IPSIE) working group develops profiles of existing standards to reduce complexity and guarantee interoperability. Rather than inventing new protocols, IPSIE delivers opinionated specifications that strip away optionality and enforce secure defaults. Its goal is to make identity standards easier to implement, test, and certify.

Key areas of focus include:

• SSO: Centralizing login and ensuring secure session handling
• Account Lifecycle (AL): Automating user provisioning and deprovisioning to prevent orphaned accounts
• Entitlements: Enforcing least privilege and supporting role synchronization across systems
• Risk Signal Sharing: Exchanging alerts about threats or device posture to improve response
• Session Termination and Token Revocation: Ensuring compromised sessions are cut off immediately

IPSIE introduces maturity levels to define what secure implementations look like in practice. For example, Session Lifecycle Level 1 (SL1) requires compliance with US National Institute of Standards and Technology (NIST) Special Publication 800-63-4 at Federation Assurance Level 2 (FAL2), enforcing Multifactor Authentication (MFA) and requiring applications (relying parties) to set their session duration based on the validity period defined in the federation assertion. Higher levels add capabilities such as session state communication between apps and identity providers. Similarly, AL levels progress from basic user provisioning (AL1) to full synchronization of application roles and entitlements (AL3).

The first draft profile is already in circulation, with OIDC SL1 serving as an early demonstration of how IPSIE maps existing protocols to concrete operational behaviors.

This structured approach brings clarity where today there is ambiguity. Instead of vague requirements like “support SSO,” IPSIE provides measurable, testable criteria. With conformance testing and certification, enterprises will be able to trust that applications meet consistent security expectations.

The promise and the limits of IPSIE

IPSIE addresses real and persistent challenges. By narrowing choices and enforcing secure defaults, it reduces the likelihood of weak or inconsistent implementations. Enterprises benefit from better visibility and stronger controls. SaaS providers benefit from a common standard that makes integration predictable and reduces costly one-off engineering.

But IPSIE’s scope is clearly human-centric. Its focus is SaaS identity flows tied to workforce users, including authentication, lifecycle, entitlements, and logout. Missing from the IPSIE charter are non-human identities: service accounts, CI/CD tokens, API keys, IoT device credentials, and machine-to-machine workloads. These identities are proliferating rapidly, often unmanaged, and present one of the largest attack surfaces today. If IPSIE does not extend its model to include them, the NHI problem will remain largely unresolved.

Some observers have also cautioned that IPSIE risks being too broad, trying to cover everything from login to entitlements to logout in one sweep. Others compare it to the early days of the FIDO Alliance, where progress came by focusing on a narrow, well-defined problem before expanding. IPSIE’s long-term success will depend on whether it can balance ambition with pragmatism and secure adoption across vendors.

A step toward solving the NHI challenge

IPSIE is not the complete answer to non-human identity governance, but it is an important step. Standardized, interoperable, secure-by-default profiles for SaaS identity will reduce identity sprawl and strengthen enterprise controls. Yet without extending its scope to machine identities, IPSIE risks addressing only part of the problem. For a full solution, enterprises will still need lifecycle governance, automated secrets rotation, least-privilege enforcement, and continuous discovery across all identities, human and non-human.

How KuppingerCole can help

KuppingerCole Analysts can help organizations make sense of this evolving space. Our research on identity fabrics, Zero Trust strategies, and machine identity management provides a framework for addressing both human and non-human identity challenges. We have published Advisory Notes on non-human identity governance and Leadership Compass reports on Privileged Access Management that highlight the importance of consistent lifecycle controls for machine identities.

IPSIE represents progress. By bringing clarity and interoperability to enterprise SaaS identity, it addresses a pressing security gap. But the wider challenge of non-human identity still looms large. Organizations should welcome IPSIE as part of the solution, while recognizing that much work remains to be done.

Attendees will:

• Gain an understanding of the evolving fraud threat landscape in financial services, including how FRIP solutions mitigate sophisticated attack vectors such as synthetic identities, mule accounts, and real-time social engineering.
• Learn how leading FRIP platforms operationalize risk signals—such as device intelligence, credential reputation, and behavioral analytics—to enable faster and more accurate fraud decisioning.
• Explore integration strategies for FRIP within fraud operations workflows, including orchestration with IDV services and AML/KYC systems.
• Understand the KuppingerCole Leadership Compass methodology and evaluation criteria
• Get an exclusive preview of the latest Leadership Compass results, highlighting how FRIP vendors compare in terms of capabilities, innovation, and relevance to fraud prevention in finance.

John shares practical insights from recent research on FRIP for Finance, highlighting how operations teams can use risk signals to make faster, more accurate decisions. He discusses emerging scam tactics that bypass traditional controls, and how fraud teams can adapt. Attendees will hear how to evaluate vendor capabilities, prioritize integration points, and align platform selection with both operational demands and strategic risk objectives—grounded in the latest Leadership Compass findings.

For more than two decades, security professionals have repeated the mantra that identity is the new perimeter. Yet only now are IAM practices catching up with this truth. The reason is simple: passwords. They have been the default method of authentication since the early days of the Internet, and they have stubbornly resisted replacement. Despite endless warnings about their weaknesses, organizations have clung to them because they were easy to deploy, familiar to users, and supported everywhere. The result has been decades of breaches where attackers used stolen or guessed credentials as their means of entry.  

Passwords and One-Time Authentication Keep Failing 

The problem with passwords is not only that they can be stolen, reused, or phished, but that they also represent a static, one-time event. Authenticate once, and you may enjoy unfettered access for hours or days. Attackers know this. High-profile incidents such as the cyberattack on MGM Resorts in 2024 show how attackers exploit legitimate credentials to gain footholds, then pivot deeper into networks. Even when multifactor authentication is in place, if it relies on Short Message Service (SMS) codes or push notifications, attackers have learned to bypass these or bully users into granting access. The bottom line is that static credentials and static trust result in exposure. 

Zero Trust and Passwordless Belong Together 

The industry response has been Zero Trust, which dictates that no user or device should be trusted by default. But Zero Trust on its own is a philosophy, not a solution. To make it practical, enterprises need authentication methods that do not rely on outdated passwords. This is where passwordless access comes in. By eliminating the password altogether and replacing it with strong cryptographic keys, biometrics, or device-based authenticators, organizations can remove one of the weakest links in security. 

Yet even Zero Trust plus passwordless is not enough. Identity must be verified not just at the point of entry but continuously. This is why many experts argue that continuous authentication is a more precise term. It reflects the idea that trust is never static but must be continuously validated or at least confirmed at every stage of a user’s session. 

Why Continuous Authentication Matters 

Continuous authentication builds on passwordless by turning identity into a constant assurance rather than a single checkpoint. Instead of trusting a session indefinitely once it begins, organizations can evaluate ongoing signals such as user behavior, device posture, geolocation, and time of day. If something changes, such as a user suddenly connects from another country or attempts to access sensitive data after hours, the system can demand step-up verification or cut off access. 

Passwordless authentication makes this possible because it lowers friction. Removing passwords means users are not burdened with repeated prompts. Instead, cryptographic keys and biometrics can be invoked invisibly in the background to confirm identity without disrupting work. The combination of passwordless and continuous authentication transforms identity from a static perimeter into a dynamic risk signal. 

The Benefits and the Challenges 

The advantages of this shift are compelling. Security improves dramatically because attackers cannot simply steal a password or trick a user once. Costs come down because helpdesk calls for password resets disappear. User experience improves as workers no longer have to remember dozens of complex credentials. Risk signals can be applied in real time, allowing security teams to block threats before they escalate. 

But challenges remain. Interoperability is a real issue. Enterprises run a patchwork of legacy systems, cloud services, and mobile platforms that do not always support new standards such as Fast Identity Online 2 (FIDO2) or Web Authentication (WebAuthn). Recovery processes must be carefully designed. If users lose their devices or biometrics fail, they must still regain access securely without falling back to the same old password model. Change management is another barrier, as organizations need to educate users and executives alike that Zero Trust and passwordless are not single products but ongoing journeys. 

Identity-Centric Security in Practice 

The good news is that adoption is accelerating. Apple, Google, and Microsoft are all pushing passkeys, while leading enterprise vendors such as Cisco, CyberArk, Microsoft, Okta, and Ping Identity are building passwordless and continuous authentication into their platforms. Regulators are also turning up the pressure. Guidance from the US government and Europe’s regulations like the Digital Operational Resilience Act call for strong authentication and identity-centric access controls. 

Identity is now firmly at the center of cybersecurity strategy. But for it to serve as the true perimeter, it must be dynamic, continuous, and passwordless. Static trust models belong to a bygone era. 

For organizations seeking to understand how to make this shift from principle to practice, KuppingerCole’s Identity-Centric Cybersecurity Impact Day 2025 in Frankfurt on 6 November will provide practical insights from real-world implementations.  

To avoid becoming the next cautionary tale, now is the time to learn how to make “identity is the perimeter” more than just a slogan. It is time to make it real. 

Technology alone does not solve the problem unless it is designed for integration and intelligence. Nexis takes a different approach by embedding Identity Visibility and Intelligence (IVIP) directly into the Identity Fabric. Instead of adding yet another tool, it connects IGA, PAM, and IDPs into a risk-aware system that not only identifies gaps but also drives remediation and measurable governance outcomes.

Martin Kuppinger, Co-Founder and Principal Analyst at KuppingerCole, will argue that current IAM strategies fall short because they treat identity as a technical silo rather than a governance backbone. He will show why enterprises must move beyond fragmented tools and embrace Identity Fabrics as enablers of transparency, trust, and strategic decision-making.

Dr. Heiko Klarl, CEO at Nexis, will demonstrate how Nexis challenges the status quo by eliminating manual IAM processes and exposing hidden risks. He will explain how Nexis unifies authorization governance, delivers automated compliance evidence, and integrates IAM into GRC and Enterprise Risk Management. His perspective will illustrate how IAM can shift from being a cost center to a driver of trust and efficiency.

Within Identity and Access Management (IAM), Identity Visibility and Intelligence Platforms (IVIP) have emerged and gained quite some attention. They promise a unified view of diverse identity activities, consolidating insights across ecosystems. Nevertheless, a fundamental transition is needed early-on. It's time for thinking about IVOP - Identity Visibility and Observability Platforms - to take the reins. IVIP, in its current form, misses the mark of a true 'platform,' serving more as an amalgamation of capabilities rather than a robust, integrative solution.

Why IVIP isn’t enough

The nomenclature of 'platform' usually refers to a foundational structure upon which various services are built, a hub that integrates and powers a suite of related functionalities. By this definition, IVIP, for all its benefits, falls short. Rather than constructing an integrative ecosystem, it predominantly focuses on collection and representation of insights through graphs and data visualization.

These capabilities, while useful, largely extend existing functionalities found in IAM systems. They add new layers by depicting identity relationships using identity graphs. However, they remain centered around human identities, hardly venturing into the demanding sphere of non-human identities (NHI) which increasingly dominate the identity space. For a future-focused solution, the scope must widen significantly.

What Observability really means

The pressing need today is not merely visibility but observability. While visibility provides data, observability transforms it into actionable insights, allowing for real-time reactions and adjustments. It is not enough to simply surface data; we require actionable intelligence to understand the nuances of identity behaviors and mitigate identity- and access-related risks across vast landscapes of both human and non-human entities.

IVIP, as it stands, is often limited to surfacing activities through reports and graphs. The leap to observability, however, involves continuous monitoring and analytic insights that drive immediate, automated responses. This evolution necessitates the integration of Identity Threat Detection and Response (ITDR) capabilities.

Enhancing the Role of AI

Thus, the role of Artificial Intelligence (AI) must expand beyond mere analysis of static privileges or proposing roles within organizations. Its true power lies in interpreting the concrete usage patterns of entitlements, focusing not only on who accesses what, but when and how often.

This dynamic analysis allows both for detective measures, identifying potentially malicious usage patterns, and preventative strategies by retiring unused entitlements or issuing temporary privileges. Such an approach will better align security efforts with actual business needs, promoting efficiency while reducing risk disproportionately.

A Call for Integration and Action

Markets today demand solutions that do more than offer insights; they seek for platforms that initiate actions. The 'P' in IVIP should symbolize an integrative platform where actions are not merely suggested but triggered, ensuring swift, decisive responses across all identity types and entitlements, precisely where IVOP comes into play.

The fully realized IVOP should integrate seamlessly with IGA, PAM, ITDR, and beyond, embracing multi-faceted identity realms and evolving towards continuous, real-time feedback loops.

Beyond IVIP to IVOP

In summary, while IVIP has provided foundational visibility, the identity landscape demands platforms that do more. The pivot to IVOP represents a future where identities are not just seen, but understood and managed dynamically across the digital spectrum. By firmly embedding observability, the next generation of identity solutions will not just safeguard but enhance digital ecosystems - a shift organizations should embrace to stay at the forefront of IAM innovation. Without observability, IVIP delivers visibility but denies organizations the control they urgently need.

They explore how a Target Operating Model (TOM) helps define why and how your IAM should work before deciding on technology. Patrick shares insights from real projects, explaining how to align business goals, processes, and governance to achieve long-term success.

Key Topics Covered:

✅ Why IAM projects often fail due to tool-first thinking
✅ How a Target Operating Model sets the foundation for IAM success
✅ The role of governance, people, and processes in effective IAM
✅ Real-world examples of aligning strategy and technology
✅ How to evaluate tools after defining your IAM capabilities

In today's digital landscape, the effective management of Non-Human Identities (NHIs) is indispensable for organizations striving for robust cybersecurity and operational excellence. NHIs—encompassing devices, workloads, service accounts, and AI agents—demand distinct management strategies that align with their unique characteristics and roles within our IT infrastructures.

Our latest advisory note delves into the strategic framework necessary to achieve comprehensive governance of NHIs. By leveraging a refined Capability Maturity Model (CMM) approach, organizations can navigate their way from foundational practices to advanced identity management. This model emphasizes the integration of key lifecycle stages such as provisioning, rotation, and decommissioning with continuous monitoring and compliance checks.

To actualize this framework, robust technological integration is paramount. Deploying specialized NHI management solutions, alongside Enterprise Secrets Management tools, PAM, and CIEM solutions, establishes a fortified foundation for identity governance. Moreover, the seamless integration with Identity Governance and Administration (IGA) systems and CI/CD pipelines ensures that security measures are inherently embedded within development and operational workflows.

Empowering organizations with the right blend of organizational structure, policies, processes, and advanced tools facilitates not only the secure management of NHIs but also drives operational agility and compliance. Exploring the full potential of NHI governance enables enterprises to confidently secure their digital environments while fostering innovation and growth in a rapidly evolving technological landscape.

We invite you to explore our comprehensive advisory note to uncover detailed insights and actionable steps towards mastering NHI governance in your enterprise.

Excessive administrative access across tenants creates risk vectors ripe for human error, insider misuse, and compliance failure. As hybrid work accelerates and insider threats surge by 44% year-over-year, the urgency to enforce least privilege across the Microsoft cloud stack has never been greater.

Emerging technologies and automated policy enforcement now make it possible to implement precision access controls in Microsoft 365 and Entra. By segmenting responsibilities and limiting access to just enough, organizations can dramatically reduce attack surfaces while maintaining productivity.

Functional access models offer a proven path to replace standing privileges with secure, task-specific automation that eliminates human error and reduces blast radius.

Jonathan Care, Lead Analyst at KuppingerCole brings over 15 years of enterprise security analysis to explore the broader implications of privilege mismanagement in the modern enterprise. He discusses how identity-based attacks exploit privilege sprawl, highlight emerging trends in insider threat evolution, and explain why automation and governance must underpin any zero-trust privilege strategy.

Rob Edmondson, Senior Director of Product Marketing at CoreView, and Siam Rochanavichit, Solutions Architect demonstrate practical applications of least privilege principles. They show how to replace privileged access with task-specific automation, virtually segment tenants, remove excessive permissions, build a sustainable privilege management program that scales across complex cloud environments, and provide a hands-on demo of these principles in action.

This webinar will explore how PBAM supports centralized policy control, and compliance alignment. While legacy integration remains an issue, PBAM is becoming essential in Zero Trust strategies and modern enterprise authorization frameworks.

Key Take aways:

• PBAM provides a scalable, flexible approach to modern access control challenges.
• Real-time policy enforcement enhances security and reduces static dependency.
• Organizations benefit from PBAM's centralized management system across platforms.
• Implementing PBAM allows for adaptive access decisions through attributes.
• The PBAM market supports hybrid, multi-cloud, and legacy integrations, critical for modernization.

In this webinar, Nitish Deshpande, Research Analyst at KuppingerCole Analysts will identify the key use cases, challenges, and required capabilities in modern authorization platforms. He will also dive deeper into difference between cloud native and traditional policy models, and the importance of multi-speed approach. Nitish will also provide an overview of the results from the latest Leadership Compass on Policy Based Access Management.

They explore how autonomous AI systems could fill the cyber skills gap, automate incident response, and even act as digital coworkers in SOC environments. But how far can we trust them—and will humans still have a place in the loop?

Key topics covered:

✅ What AI agents really are—and how they differ from traditional automation
✅ The role of AI in SOCs, incident response, and threat detection
✅ Can AI agents help close the cybersecurity skills gap?
✅ Risks of rogue or “hallucinating” AI systems
✅ Why access governance and identity management are critical for AI agents
✅ The future of cybersecurity jobs in the age of automation

Modern IAM leverages AI and machine learning to automate onboarding, detect anomalies and enforce adaptive authentication. By integrating AI-driven decisioning, businesses can secure APIs, streamline partner access, and future-proof their identity infrastructure.

John Tolbert, Director of Research and a Lead Analyst at KuppingerCole, will explore how AI is redefining IAM paradigms. He’ll analyze emerging threats, ethical considerations, and architectural best practices for resilient B2B identity frameworks.

Jacob Ideskog, CTO at Curity, will showcase how Curity’s identity platform is applying AI to streamline onboarding, strengthen policy enforcement, and intelligently manage access across complex B2B environments. He’ll share real-world implementations, discuss lessons learned, and offer a vision for how AI can empower enterprises to scale trust securely and efficiently.

In this webinar, Alejandro Leal explores the transformative shifts in the identity verification market, sharing insights from KuppingerCole's latest Leadership Compass. Drawing on vendor evaluations and industry use cases, he highlights how identity verification supports secure onboarding, fraud prevention, and compliance across diverse industries. We also discuss the road ahead, as organizations prepare for the paradigm shift to decentralized, user-held digital identities.

Key Takeaways:

• Learn how remote identity verification combats modern fraud
• Understand the latest AI-powered document and biometric technologies
• Discover how digital onboarding aligns with evolving compliance mandates
• Explore market trends toward user-held digital identities
• Gain insights into vendor selection for global identity verification strategies

How SSPM Could Have Prevented Three Recent Incidents 

As Software as a Service (SaaS) security incidents surge, from token theft to data leakage and phishing attacks, organizations need SaaS Security Posture Management (SSPM) to detect misconfigurations, prevent unauthorized access, and reduce third-party integration risks. In this blog I will examine three cybersecurity incidents that occurred in 2025 and based on published information, I will explore how SSPM tools could have helped SaaS user organizations to reduce their impact or prevent them altogether. 

Using SaaS applications has introduced new risks, many of which stem not from advanced malware or state-sponsored actors, but from poorly managed SaaS configurations, excessive permissions, and the absence of visibility. SSPM solutions do not replace good cyber security practices, however they do support their enforcement and provide visibility into weaknesses in their implementation. 

Commvault Metallic & Microsoft 365 Secret Leakage 

Incident Overview

According to the US CISA, in May 2025, attackers exploited a zero-day vulnerability (CVE-2025-3928) in Commvault’s web server, allowing attackers to extract OAuth tokens and client secrets used to access customer Microsoft 365 tenants via Commvault's SaaS backup offering, Metallic. 

The breach originated from Commvault’s infrastructure, but the stolen credentials were used to access Microsoft 365 data from within the affected customer environments. This made the blast radius dependent on how the customers had configured M365 and governed their integrations. 

How Customer-Side SSPM Could Have Helped 

SSPM could not have blocked the original server-side vulnerability in Commvault’s infrastructure. It also would not detect token theft occurring within the Commvault environment (that would be Commvault’s responsibility). But once the stolen secrets were used against the customer’s own SaaS estate, SSPM becomes the last line of defense.  

• SSPM provides visibility into third-party SaaS integrations. This includes backup providers like Metallic.  
• It surfaces the scope of granted OAuth permissions and alerts if the scope is too broad or inconsistent with organizational policy. It tracks and analyzes API calls made using OAuth tokens (including those made on behalf of sanctioned apps) and detects suspicious behavior patterns.  
• It also identifies Non-Human Identities (NHIs) with high privilege, orphaned apps (for example an app no longer managed by any admin), overprivileged apps relative to their actual activity and apps with excessive delegated permissions. 

Zapier Code Repository Breach

Incident Overview

According to the Verge, in February 2025 an unauthorized user accessed internal Zapier code repositories containing debugging artifacts, some of which included sensitive customer data. Although core production systems were unaffected, the presence of regulated data in developer environments, and a lack of segmentation or Data Leak Prevention (DLP) controls presented a significant data exposure risk. This is an example where SSPM could detect and control insecure handling and storage of sensitive data within dev pipelines (CI/CD, version control, and SaaS-based code management tools). 

How Customer-Side SSPM Could Have Helped 

SSPM would not prevent Zapier’s own internal failure to segment its customer data from its dev environments, which is a vendor-side DevSecOps issue. However, if an organization were storing its own customer data in SaaS-based developer tools, SSPM could help catch that before a breach occurs. 

• SSPM includes DLP capabilities that can help to prevent customer data from being stored in dev or test environments, even if accidentally included in debugging logs or payload samples.  
• DLP can also identify and remove shadow data and data residues in places not covered by standard data governance controls.  
• It provides visibility into which SaaS services are used by developers, including those that may not be officially sanctioned. It also scans the configurations of SaaS Dev apps like GitHub for lack of 2FA or SSO as well as for overprivileged accounts. 

ShinyHunters & Salesforce Data Loader Phishing 

Incident Overview 

According to the FBI, since October 2024, threat actors from the group UNC6040 (ShinyHunters) have been executing a voice phishing (vishing) campaign impersonating internal IT support. They trick users into downloading and installing a “trojan” version of Salesforce Data Loader, a legitimate Salesforce tool used for mass importing and exporting CRM data. This malicious version gives attackers access to large volumes of sensitive data, including customer records and account information. 

How Customer-Side SSPM Could Have Helped 

SSPM cannot stop social engineering, particularly when attackers impersonate internal IT staff through phone calls or emails and convince users to take malicious actions (e.g., installing a compromised Data Loader). While the attack vector was social engineering, the damage was enabled by weak access controls and lack of oversight within the Salesforce environment. This is where SSPM can help. 

• SSPM detection of abnormal data export activity. Even if the malicious data loader were installed, SSPM could have detected suspicious API behavior and triggered real-time alerts or automated responses (via SOAR). 
• Control over SaaS administrative tools and permissions. This can help to prevent users from having unnecessary access to tools that can extract large datasets. 
• Third-party tool and OAuth app risk governance can alert security teams if a new or modified version of data loader is used, especially one that deviates from normal behavior or permission scope.
• Policy-based restrictions for high-risk operations can force administrative oversight or MFA re-verification before mass exports.

Opinion

Each of these incidents illustrates a common problem: an absence of continuous, risk-aware oversight of SaaS configurations, identities, and data flows. SSPM bridges this gap by delivering cross-cloud policy enforcement, entitlement risk detection, data protection, app governance, and threat detection.

Organizations using SaaS applications for business purposes must ensure that these are deployed and used in a way that meets their cyber risk appetite and regulatory obligations. Organizations must set appropriate cyber-security policies around the use of SaaS and implement good cyber hygiene.  SSPM solutions provide capabilities to measure and improve the achievement of these objectives across multi-cloud SaaS applications.

Our Buyers Compass SaaS Security Posture Management provides guidance to help organizations select the SSPM solution that is most appropriate for their use cases.

To explore best practices in SaaS and Cloud security, join us at Identity-Centric Cybersecurity Impact Day 2025 in Frankfurt November 6^th, 2025.

The path forward demands rethinking how we manage external identities. Seamless onboarding, adaptive authentication, and immediate access revocation are the baseline for trust. Companies that fail to modernize their third-party identity practices risk losing not just efficiency, but credibility in the digital ecosystem.

John Tolbert, Director of Research and Lead Analyst at KuppingerCole Analysts, will reveal findings from the 2025 Digital Trust Index – Third-Party Edition. He will spotlight the most fragile points in the identity lifecycle, challenge outdated practices, and share data-backed recommendations on how organizations can rebuild confidence through consistency and accountability.

Jose Caso, Product Marketing Manager at Thales and Marco Venuti, B2B IAM Business Owner will show how the OneWelcome Identity Platform turns these principles into practice. They will discuss how delegated user management, adaptive access control, and externalized authorization eliminate friction while strengthening security, and why organizations that don’t adopt these measures risk falling behind in trust-driven ecosystems.

Breaches are everywhere, data is constantly being leaked, and GDPR fines haven’t stopped surveillance capitalism or shady data brokers. In this episode of the Analyst Chat, Matthias Reinwarth is joined by Mike Small and Jonathan Care to explore whether privacy still has meaning — or if resilience and risk management are the only ways forward.

They debate:

✅ Is privacy truly dead, or just evolving?
✅Why regulations like GDPR often miss the mark ⚖️
✅How cyber resilience is becoming more critical than “traditional” privacy
✅The personal, societal, and legal dimensions of privacy
✅What organizations (and individuals) can still do to protect data

By adopting an attacker’s mindset, you stop waiting for the breach and start finding your own weak spots before they do. Attack Surface Management not only identifies what is exposed but also provides a dynamic and continuously updated view of your digital footprint, highlighting exploitable paths and unknown assets.

Think like the enemy, move like the enemy, and neutralize them before they even find you.

Osman Celik, a Research Analyst at KuppingerCole, is the author of the ASM Leadership Compass. He has been working on why proactive cybersecurity solutions and strategies must replace reactive ones. He will share his insights on how ASM solutions help you stay one step ahead of cybercriminals. He will also explain why threat intelligence is essential to an ASM solution.

Tabatha von Koelichen, Regional Sales Director for DACH and Central Europe and Harald Roeder, Senior Solutions Engineer at Censys and will show exactly how to operationalize attacker-first thinking using Censys’ global Internet intelligence. He will dissect real breaches to reveal where defenders missed their chance, demonstrate live threat hunting techniques, and walk through how Censys uncovers assets you didn’t even know existed because if you don’t know about them, attackers already do.

Executive Summary 

The recent cyberattack affecting major European airports through a third-party check-in provider serves as a stark reminder of our interconnected digital dependencies. When Brussels, Berlin, and Heathrow airports experienced simultaneous disruptions, the root cause wasn't a direct attack on their infrastructure—it was a single point of failure in their shared supply chain. This incident provides a perfect template for organizations to stress-test their own third-party risk response capabilities through a focused 60-minute tabletop exercise. 

The Wake-Up Call: When Suppliers Become Single Points of Failure 

The airport incident follows a disturbingly familiar pattern: a critical third-party platform experiences a cyber-related outage, and every downstream organization scrambles to maintain operations. The cascading impact forces manual workarounds, degrades service quality, and triggers a complex web of communication challenges across vendors, partners, and customers. 

This scenario isn't unique to aviation. Every organization relying on SaaS platforms, managed service providers, or cloud infrastructure faces similar exposure. The question isn't whether such an incident could affect your organization—it's whether you're prepared to respond effectively when it does. 

A Practical Tabletop Exercise Framework 

Based on the European airport incident, here's a structured tabletop exercise that any organization can deploy to test their third-party incident response capabilities. 

Scenario Foundation 

Core Premise: A critical third-party platform essential to your operations experiences a major outage with unknown recovery timeline. Initial indicators suggest a cyber-related disruption, potentially ransomware, at the provider level. 

Threat Actor Profile: Attribution remains pending, but operational indicators align with criminal ransomware groups targeting high-value service providers for maximum downstream impact. The vendor confirms a "cyber-related disruption" but provides limited technical details due to ongoing investigation. 

Exercise Objectives 

1. Rapid Crisis Activation: Test the speed and effectiveness of incident and crisis management protocols, including establishment of joint vendor coordination bridges 
2. Operational Resilience: Evaluate ability to maintain critical services in degraded mode while managing capacity constraints 
3. Stakeholder Management: Assess regulatory reporting readiness and crisis communication coordination across multiple stakeholders 

Three-Phase Exercise Structure 

Phase 1: Detection, Activation, and Escalation (Minutes 0-20) 

Scenario Injects: 

• 08:10: Vendor status page switches to "major outage affecting all regions" 
• 08:15: Support tickets triple as downstream impacts cascade 
• 08:25: Partner organization executive extends invitation to vendor's emergency cross-company coordination bridge 

Critical Decision Points: 

• Who has authority to declare a crisis, and what specific triggers mandate escalation? 
• Who owns the vendor relationship during crisis mode, and how do they balance information gathering with operational response? 
• What immediate decisions must be made before full situational awareness is achieved? 

Success Metrics: 

• Time from detection to crisis declaration 
• Time to establish unified command structure 
• Clarity of initial resource allocation decisions 

Phase 2: Continuity of Critical Processes (Minutes 20-40) 

Scenario Injects: 

• Manual workaround procedures sustain only 35% of normal throughput 
• Contractual SLA breach projected within 90 minutes without prioritization 
• Vendor offers partial service restoration with acknowledged stability risks 

Critical Decision Points: 

• What constitutes the minimum viable capacity for each critical business process? 
• Which offline procedures or alternate workflows exist, and who can authorize their activation? 
• How will extended operations be staffed to prevent team burnout during multi-day incidents? 

Success Metrics: 

• Documented minimum viable capacity thresholds 
• Time to activate alternative processes 
• Resource sustainability planning for extended incidents 

Phase 3: Reporting and Communications (Minutes 40-60) 

Scenario Injects: 

• Regulatory early warning notification deadline approaches 
• Key customers demand detailed explanations and mitigation timelines 
• Social media speculation incorrectly attributes outage to your systems rather than the vendor 

Critical Decision Points: 

• What specific thresholds and timers govern regulatory notifications, and who provides final approval? 
• What single-paragraph external statement accurately explains the situation while maintaining stakeholder confidence? 
• How do we ensure message alignment across vendor, partners, and our own communications? 

Success Metrics: 

• Regulatory notification decision timeline 
• Message consistency across channels 
• Speed of social media misconception correction 

Key Takeaways and Implementation Guidance 

This tabletop exercise addresses the three fundamental questions leadership needs answered before any third-party incident: 

1. Who would we call? Clear escalation paths and vendor crisis contacts must be pre-established, not discovered during an incident. 
2. How do we keep serving? Degraded mode operations and manual workarounds require advance planning and regular testing. 
3. What do we say? Pre-drafted communication templates and clear approval chains prevent messaging delays when minutes matter. 

Scheduling for Success 

Run this exercise during normal business hours with key stakeholders present. The 60-minute investment will reveal critical gaps in third-party incident response capabilities before they're exposed during an actual crisis. Consider conducting this exercise quarterly, rotating through different critical vendors to build comprehensive response capabilities. 

Beyond the Tabletop 

While this exercise provides valuable insights, organizations should complement it with: 

• Regular updates to vendor dependency mapping 
• Contractual reviews ensuring appropriate incident notification requirements 
• Technical controls monitoring third-party service health 
• Regular communication drills with critical vendors 

Ready or not, Take-off time approaches 

The European airport incident shows that third-party risks aren't just theoretical; they're real operational challenges that need practical preparation. This tabletop exercise turns a recent real-world event into concrete steps for better readiness. Organizations that spend 60 minutes on this exercise today may avoid hours or even days of chaos when their critical supplier faces inevitable disruptions tomorrow. 

The question for every CISO, risk manager, and business continuity professional is simple: Will you be ready when your vendor's status page turns red? 

In this session, Paul Fisher will walk through the key findings from the CIEM Leadership Compass 2025, including why CIEM is fast becoming essential for modern cloud security strategies. He will highlight standout vendors and what makes them leaders across product innovation, automation, and integration. Expect a deep dive into trends like ephemeral access, non-human identity control, and how AI is reshaping entitlement management. Whether you’re evaluating vendors or planning your next move, this will give you a critical head start.

Modern SOAR is no longer just about incident response. With the infusion of generative AI and hyperautomation, SOAR has the potential to drive business-wide efficiency, extend beyond IT, and become a central nervous system for the modern Security Operations Center (SOC). But how do you distinguish real innovation from marketing hype?

Alejandro Leal, Senior Analyst at KuppingerCole, will provide a strategic perspective on SOAR trends, including where AI is making a tangible impact, what hyperautomation really means in a SOC context, and how SOAR is evolving beyond cybersecurity use cases. He will also highlight what buyers should look for in a modern solution.

Kevin Faulkner, Product Marketing Director at Fortinet, will explore how FortiSOAR fits into this shifting landscape. He will share real-world customer profiles, explain key use cases, and outline FortiSOAR’s value for managed service providers. Expect insights on embedded vs. stand-alone automation and where SOAR is headed next.

Ghost tapping is rapidly emerging as a stealthy attack vector that poses a serious challenge to digital identity and payment security. Originally observed among Chinese-speaking threat actors by security researchers at Threat Fabric who coined the term, this technique exploits Near Field Communication (NFC) relay methods to commit retail fraud using stolen payment card credentials loaded into mobile wallets such as Apple Pay and Google Pay. While the mechanics are highly technical, the consequences are straightforward: unauthorized transactions, physical goods stolen, and illicit funds laundered across borders.

How Ghost Tapping Works

At its core, ghost tapping is NFC relay fraud. Cybercriminals obtain stolen payment card data, often via phishing or malware, link it to burner phones, and transmit the NFC signal to mules who conduct in-person purchases at retail stores or withdraw cash from ATMs. Software created and controlled by cybercriminals enables remote management of these cards, making the operation scalable and difficult to detect. The syndicate model amplifies the threat. Cybercriminals handle the digital side while syndicates recruit mules, coordinate logistics, and resell goods for cash or cryptocurrency. In practice, this means a victim’s card is silently added to a mobile wallet like Apple Pay or Google Pay and then relayed in real time to a mule’s phone, letting them “tap” at the point of sale as if they were the rightful cardholder. The stolen goods are quickly moved, resold, and turned into profit, completing the cycle.

Implications for Businesses

The rise of ghost tapping has far-reaching implications for digital identity governance and cyber risk management. For banks and payment providers, it exposes weaknesses in mobile wallet provisioning, one-time password (OTP) verification, and device authentication. For retailers, it highlights gaps in in-person verification and transaction monitoring. For insurers and regulators, it raises questions about liability for losses tied to NFC relay fraud. The cross-border nature of these campaigns, spanning Southeast Asia, China, and potentially beyond, means that no organization operating in mobile payment ecosystems can afford complacency.

Why Organizations Should Be Concerned

Ghost tapping demonstrates how identity compromise is no longer confined to digital environments. A stolen credential can be converted into physical goods, laundered through mules, and monetized across borders with minimal detection. Automated linking of compromised cards to mobile wallets further accelerates the fraud lifecycle, eroding trust in digital payment systems and threatening operational resilience. Businesses relying on mobile payments and contactless systems are now exposed not only to financial loss but also to reputational and regulatory risk.

Mitigating the Risk

Defending against ghost tapping requires a layered approach to identity security.

Banks and payment providers should enforce stronger authentication for adding cards to wallets, move beyond SMS-based OTPs, and use machine learning to flag anomalous wallet activity or geographically improbable transactions.

Retailers must implement robust transaction monitoring and identity verification procedures for in-person purchases.

Consumers should remain vigilant, never share OTPs, monitor card activity, and limit exposure to untrusted apps or websites.

Law enforcement and regulators need to track evolving NFC relay fraud trends, collaborate internationally, and disrupt syndicate operations.

Looking Ahead

Ghost tapping provides an important lesson. Identity compromise can now bridge the digital and physical worlds, converting stolen credentials into tangible assets. With cybercriminals adapting rapidly and globalized syndicates exploiting Telegram-based marketplaces, organizations must elevate identity governance from an IT function to a strategic risk priority. Strong authentication, continuous monitoring, and integrated identity controls are no longer optional. They are essential defenses against a threat that moves as quickly as the digital wallets it targets.

This is not just a payments problem; it’s a wake-up call for identity security across every interaction in the digital economy.

For expert guidance on combating identity fraud and emerging threats like ghost tapping, KuppingerCole’s Advisory Team is ready to help. Organizations can also explore KuppingerCole’s Leadership Compass Reports on Fraud Reduction Intelligence Platforms for Finance and eCommerce, offering practical insights into selecting the right solutions to mitigate these risks.

When it comes to securing digital wallets and strengthening identity governance, proactive defense is the best strategy.

Key Topics Covered:

• KPIs vs KRIs in IAM: what they are and how they differ
• Aligning IAM metrics with business goals and governance
• Onboarding & offboarding metrics for efficiency and risk reduction
• MFA adoption and help desk tickets as signals of IAM maturity
• Developer enablement and API adoption as success factors
• Mapping IAM indicators to risk frameworks and security posture
• Adapting KPIs/KRIs for non-human identities (NHI)

If you’re working in IAM, identity governance, MFA strategy, or security architecture, this discussion will help you build meaningful metrics that prove value and strengthen your identity program.

Language Models and Agentic AI systems now interact with IT environments almost exclusively via APIs. That makes every exposed endpoint a potential channel for misuse, exfiltration, or supply chain compromise. Securing the model is no longer enough - you must secure the interface.

This webinar explores how top vendors are approaching this challenge, based on research from KuppingerCole’s latest Leadership Compass on API Security and Management. Learn how modern API security platforms are evolving to cover the AI attack surface with adaptive, protocol-aware, and context-driven controls.

From Privacy Breaches to Denial of Business

Last December Cohesity and Veritas merged, now 10 months on, the impact of this merger can be seen through the announcements at the Cohesity Catalyst.

These announcements could not be timelier. Recent cyber incidents at Marks & Spencer (M&S) and Jaguar Land Rover (JLR) in 2025 illustrate the direct impact of cybersecurity failures on business operations, revenue, and reputation. These illustrate how cyber incidents are moving from privacy related data breaches to business disruption.

_{Figure 1: Cyber Hygiene is the Foundation of Digital Resilience}

Cyber hygiene is the foundation for digital resilience, however it is not enough to protect and prevent, to be resilient your organization must be able to respond to and recover from cyber incidents. Since today’s digital business depends upon data, digital resilience is based on data resilience.

While delivering digital services ultimately requires physical infrastructure – resilience of the services involves more than just physical replication. Digital services depend upon the availability of the business data. In addition, applications and their Infrastructure as Code (IaC) services are defined by data. No data means no service, and service restoration needs more than recovering the database.

Cohesity’s Catalyst 2025 event highlights how its new capabilities address this need—moving beyond backup to provide an integrated platform for comprehensive cyber resilience.

Cohesity Catalyst announcements

Planning and Preparation

Digital resilience starts with planning and preparation. You need to know what data you have and identify the core systems that are essential to keep your business running.

Cohesity’s partnership with CYERA provides DSPM capabilities to help organizations to understand what data is at risk and how well it is protected. Cohesity CERT – provides cyber resilience consulting services to help prepare, as well as to respond when an incident occurs.

Disaster planning involves more than data backup. It includes team building and setting up out of band communications.

Extended range of Protected Data Sources

May organizations have a wide range of legacy data sources as well as the new ones used by GenAI. It is essential that an organization can protect all their data.

Cohesity, collaborating with their colleagues from Veritas, announced over 40 new and enhanced workload connectors. These cover data sources in AWS, Google Cloud, Azure, Oracle, Nutanix and VMware.

Recovering legacy systems is often very complex, involving more than data restoration.

Secure and Uncorrupted Data

Cyber resilience depends upon Secure and uncorrupted data: Recovery depends on having trustworthy, immutable backups.

Cohesity’s Fort Knox vaulting provides isolation through immutability and air-gapping. Immutable backup storage and object lock ensure data cannot be tampered with, even during a ransomware attack. Cohesity announced a self-managed option for organizations that need physical control over their data.

While Cohesity’s Fort Knox is a strong solution it is not free and needs to be managed carefully in relation to compliance obligations such as the EU right to erasure.

Protecting the Protection

The backup data and processes are a prime target for threat actors and so it is essential to protect these.

Cohesity announced their intention to extend the threat monitoring of their backup services. These are anticipated to include hash-based threat hunting to find Indicators of Compromise (IoC) within your backup data, as well as integration with Google Threat Intelligence.

This is a statement of intention and customers should monitor its implementation.

Protecting the Identity Store

Your organization’s identity store is fundamental to all your business services, often including access to buildings.

Cohesity’s partnership with Semperis will help organizations to protect their Active Directory. It allows them to automate backup of the AD application to immutable storage, without needing to backup the whole host which may have been infected with malware. It also enables automated recovery.

Active Directory recovery often involves intricate dependencies with applications, networking, and hybrid cloud, it is important that customers rehearse to validate recovery scenarios.

Recovery and Restoration

Your organization’s cyber resilience depends upon being able to recover from a cyber incident and restore your business operation.

Cohesity announced the availability of the Cohesity Recovery Agent. This helps organizations to automate and orchestrate their recover processes using a combination of human and AI interactions. It supports testing and rehearsing the recovery and restoration processes and provides documentation in auditor ready form to assist with compliance.

Automated recovery orchestration promises speed, yet successful recovery still depends on disciplined testing and clear runbooks.

Virtual Backup Data Lake

Backup data is a potential source of data for use by GenAI

Cohesity GAIA can expose backup data as virtual data for exploitation by GenAI or other applications.  Cohesity says it provides multi language query support as well as capabilities to redact sensitive information.

Exposing this data provides new opportunities but will need careful controls.

Opinion

The recent incidents at Marks and Spenser and Jaguar Land Rover show that cyber resilience is a business imperative. Investments in cyber resilience should be viewed as core to operational resilience as part of complete business strategy.

The union of Cohesity and Veritas was a transformative moment for the data protection and cyber resilience market. As the largest player in the market, the combined company has the power to set new standards, influence industry trends, and drive the next wave of innovation. For customers, this means access to unparalleled technology and expertise.

The announcements from Cohesity show welcome progress towards this vision through integration of products and engineering teams.

However, the proof or the pudding is always in the eating. Cohesity will need to show customer examples that illustrate the power of their solutions to recover not only the digital systems but also business operation following an incident.

Cohesity is not the only vendor in this market, you can find a detailed evaluation of this and other vendors in our Leadership Compass Cloud Backup for AI Enabled Cyber Resilience. 

To explore best practices in data protection and compliance, join us at Identity-Centric Cybersecurity Impact Day 2025 in Frankfurt, on November 6, 2025. 

Organizations increasingly look to Identity and Access Management (IAM) to strengthen security, streamline compliance, and ensure reliable operations. Identity Visibility and Intelligence Platforms (IVIP) have surfaced as a much-discussed enhancement in this domain, promising an integrated view across various IAM systems. But what does IVIP genuinely offer beyond the capabilities of existing IAM solutions? And how should organizations embark on integrating such a platform?

IVIP leverages data from key IAM facets—Identity Governance and Administration (IGA), Privileged Access Management (PAM), and Identity Threat Detection and Response (ITDR) — creating a centralized dashboard of identity activities both for human and non-human identities. This aggregation aims to transition identity management from basic visibility to comprehensive observability, opening avenues for actionable insights and informed decision-making. However, the notion of IVIP as a standalone platform warrants scrutiny. It is perhaps better seen as an augmentation rather than a disruptor, building on pre-existing strengths within IAM infrastructures.

Central to the IVIP proposition is its potential to enhance risk management by providing prioritized insights and enabling dynamic compliance monitoring. Yet its integration is not without challenges. Differing system entitlements and complex data landscapes necessitate a mature and well-planned approach, focused on harmonizing software and systematic data integration through APIs.

Critically, as vendors reposition existing offerings under the IVIP banner, there is a risk of redundancy. Organizations must wisely evaluate how IVIP fits into their IAM strategy, ensuring it enriches rather than duplicates existing capabilities. Particularly for those at earlier stages in their IAM journey, IVIP offers a strategic entry point to refine and level-up their identity management strategies.

In summary, while IVIP carries the potential to integrate and enhance IAM operations, its true value lies in its deployment strategy and alignment with the existing Identity Fabric. With detailed planning and cautious implementation, IVIP can indeed serve as a catalyst for improved IAM practices, offering measured insights and enhanced operational resilience.

For those interested in a deeper dive, including strategic recommendations for IVIP integration within your organization, we invite you to read our comprehensive Advisory Note on this topic.

Key Takeaways:

• Understand the evolution from WAM to cloud-native IDaaS
• Learn how to bridge on-prem and cloud identity ecosystems
• Explore best practices for managing machine identities
• Discover how to deliver consistent user experiences across platforms and environments
• Gain insights into the future of AI-powered access management

In this live session, Alejandro Leal will unpack key insights from KuppingerCole's latest Leadership Compass on Access Management — giving you a clear view of the top vendors, emerging architectures, and what’s next for the industry. Discover how leading organizations are modernizing authentication, securing AI agents and non-human identities, and seamlessly connecting legacy and cloud systems. From ITDR to passwordless adoption and hybrid deployment models, you’ll gain practical strategies to strengthen security, ensure compliance, and keep your organization ahead of the curve.

Modern enterprises can no longer treat Identity and Access Management (IAM) and Data Security Posture Management (DSPM) as separate disciplines. Integrating identity context into DSPM and DLP strategies enhances visibility, limits blast radius, and makes prevention and response more intelligent and dynamic. This webinar will explore how this integrated approach reshapes proactive defense.

John Tolbert, Director of Research and a Lead Analyst at KuppingerCole, will outline the latest research on identity-first security. They will explore how IAM and DSPM together address emerging threats, highlight real-world identity attack vectors, and explain why identity posture must be part of any data-centric security architecture.

Matt Lock, Field CTO at Varonis, will provide a deep dive into how Varonis’ Data Security Platform applies AI-driven automation to discover critical data, enforce least-privilege access, and stop insider and external threats. He’ll showcase practical examples of integrating identity fabric with DSPM and illustrate how to quantify risk and reduce blast radius across cloud environments.

A couple of months ago, I wrote the first article in this deepfake blog series and received positive feedback from readers in various industries. The initial post focused on the current state of deepfake threats and the extent to which detection tools can keep up. Today, I would like to shift our attention to how cybercriminals build deepfake campaigns. While statistics show that older people often lose more money and younger people are more susceptible to certain scams, recent incidents reveal attackers tricking older victims into believing they are speaking with relatives. At the same time, executives are being impersonated to pressure employees into making urgent transfers. Understanding how these attacks are crafted provides insight into why they are so effective and are spreading so quickly.

Their beginning point is always data. Publicly available material such as social media videos, podcasts, interviews, casual voice notes, serves as the basis for generating synthetic media. Attackers no longer need extensive or high-quality recordings. Modern voice-cloning tools can reproduce someone’s tone and style with just a few seconds of audio. For visuals, a few photographs or short video clips are enough to train face-swap or lip-sync models that produce convincing enough outputs to fool many observers.

After gathering that material, the fraudsters compose scenarios that exploit the target’s trust. A voice impersonation alone is weak unless embedded in a storyline, perhaps a family emergency or a sudden financial crisis, where urgency is emphasized. The synthetic media then acts as the evidence of that story. Victims are not only hearing or seeing something familiar but are also pressured by time or fear, which reduces the chance they will question what they perceive. Europol’s 2025 Internet Organised Crime Threat Assessment (IOCTA) reports that criminals are increasingly using generative tools to impersonate persons of trust in multi-lingual messages or voice-cloned calls, and these schemes are causing growing financial and reputational damage across both people and organizations.

Technical setup is refined to hide obvious signs. Attackers lower resolution, compress video, insert ambient noise, or slightly distort visuals so that detectors or human perception are misled. Recent research shows that detection tools that perform very well in controlled environments lose substantial accuracy when faced with content compressed by social platforms or in less ideal lighting. The Deepfake-Eval-2024 benchmark, for example, collected in-the-wild media (44 hours of video, 56.5 hours of audio, nearly 2,000 images from dozens of languages and websites) and found that open-source state-of-the-art detectors drop in performance by around 50% for video detection, 48% for audio, and 45% for image detection compared to their scores on older academic datasets.

Meanwhile, attackers also scale up. Deepfake-as-a-service platforms allow clients with little technical skill to order impersonations services. GPU time is rented, pre-trained models are shared, and simple applications enable custom synthetic voice or facial content. Thus, what once required expert work now becomes available to less-sophisticated cybercriminals. The result is that attacks are increasingly widespread, not only targeting high-profile individuals but regular people, small firms, and non-profit organizations.

To make the scam feel real, victims receive messages, calls, or fake visuals that seem familiar, mixed with emotional or urgent pressure that pushes them to act quickly. Even when doubts emerge, the presence of synthetic “proof” makes hesitation difficult. This entire process is not accidental but assembled by design: collecting authentic materials, crafting synthetic replicas, embedding them in persuasive narratives, and delivering them via channels the victim believes are reliable.

These campaigns have been successful lately because they exploit both the blind spots in detection technologies and the mental shortcuts people often rely on under pressure. Comprehending this complex design is necessary for creating defenses that are meaningful, whether through more stringent verification methods, better employee awareness training, or improvements in detection technologies. In the next blog, I will discuss these practical measures such as better verification, awareness training, and advanced detection tools that organizations and individuals can use to counter these threats.

Key Topics Covered:

• What IVIP actually is and how it fits into IAM
• The connection between IVIP and the Identity Fabric approach
• Risks of marketing buzzwords in identity management
• When a new platform really brings value—and when it doesn’t
• What organizations should focus on instead of chasing hype

If you’re working in identity, access governance, ITDR, IGA, or security architecture, this conversation will help you decide whether IVIP deserves a place in your roadmap—or if it’s just hype.

Moderne Technologieplattformen bieten bewährte Ansätze für die Integration komplexer SAP-Landschaften in IGA-Systeme. Von automatisierten Berechtigungsmodellen über nahtloses Benutzer- und Rollenmanagement bis zu umfassendem Monitoring – neue Tools adressieren vielfältige Anforderungen und ermöglichen einen reibungslosen Migrationsprozess.

Matthias Reinwarth, IAM Practice Director, wird auf die strategischen Auswirkungen der SAP-IDM-Abkündigung eingehen. Er zeigt auf, welche technischen und organisatorischen Weichen nun gestellt werden müssen, und welche Optionen Unternehmen haben, um ihre Identitätsarchitektur zukunftssicher und compliance-gerecht zu transformieren.

Klaus Hild, Manager Solution Engineering bei SailPoint, wird praxisnahe Beispiele liefern, wie moderne IGA-Lösungen SAP-Umgebungen optimal unterstützen. Er beleuchtet konkrete Projekte, technische Integrationswege und die Effizienzsteigerung durch Automatisierung.

Tim Lipphardt, Head of Consulting bei amiconsult, berichtet aus Projekten zur Ablösung von SAP IDM, benennt Erfolgsfaktoren für die SAP-IGA-Integration und zeigt auf, wie sich technische Anforderungen mit strategischen IAM-Zielen in Einklang bringen lassen.

You’ll learn:

• Why the next generation of Identity Fabric focuses on who can access what data
• The biggest challenges in managing data access across systems and databases
• How dynamic, data-aware policies enable fine-grained, context-driven access control
• The evolving role of roles in a data-driven identity model
• How rethinking identity & access management (IAM) can turn it from a bottleneck into a business enabler

Don’t miss Julian’s keynote at Identity Fabric Impact Day 2025, where he’ll show how to take IAM to the next level with a data-centric perspective.

How to evolve from legacy systems to a future-proof IAM strategy without breaking existing operations? Why interoperability matters? What are the most common pitfalls organizations face when trying to modernize IAM? Find the answer to these questions and more in this episode!

Key Topics Covered:

• Identity Fabric explained through a powerful “airport” analogy ✈️
• How to design IAM programs in brownfield environments (no rip & replace)
• Capability-driven approach vs. tool-driven decisions
• Risk-based prioritization: quick wins, big wins & roadmaps
• Common pitfalls to avoid when modernizing IAM

Whether you’re just starting your IAM journey or looking to operationalize interoperability at scale, this episode is packed with practical strategies and lessons learned.

In the shadows of server rooms and behind lines of code, a silent war is being waged for the heart of democracy itself. 

Picture this: It's election night. Millions of votes pour in through sleek electronic machines across the country. Results flash across screens in real-time, and by midnight, the winner is declared. But what if those results were wrong? What if, somewhere in the digital darkness, malicious actors had already decided the outcome before the first ballot was cast? 

This isn't the plot of a political thriller—it's the reality election security experts lose sleep over every night. As democracies worldwide rush to embrace digital voting technologies, they're opening doors that some would prefer to keep locked forever. 

The New Battlefield 

Gone are the days when stealing an election required stuffing physical ballot boxes or intimidating voters at polling stations. Today's threats come from sophisticated actors—state-sponsored groups, organized cybercriminals, and rogue insiders—who can potentially flip thousands of votes with a few keystrokes rather than paying off a handful of officials. 

Electronic voting systems promise a utopian vision: faster results, fewer human errors, and greater accessibility for voters with disabilities. But they also create something that has never existed before in human history—the ability to alter an election outcome at massive scale while leaving virtually no trace. 

The stakes couldn't be higher. When citizens lose faith in the integrity of their elections, democracy itself begins to crumble. We've already seen how allegations of election manipulation can tear societies apart, regardless of whether those allegations are true. 

Digital Weapons of Mass Deception 

The Invisible Hand 

The most terrifying attacks are the ones you never see coming. Imagine malware so sophisticated it only activates on election day, so subtle it changes just enough votes to flip outcomes without triggering suspicion. Unlike traditional election fraud—which requires conspiracies of people who might eventually confess—digital manipulation can be executed by a single skilled attacker working alone. 

Security researchers have demonstrated attacks that sound like science fiction but work in reality: 

• Stealth viruses that hibernate in voting machines for months before awakening to alter results 
• Logic bombs that trigger during vote counting, flipping victories to defeats 
• Ghost voters created through manipulation of electronic poll books 

The Puppet Master's Toolkit 

Modern attackers have an arsenal that would make Cold War spies envious: 

Remote Infiltration: Why break into a building when you can hack into the network? Voting systems connected to the internet—even briefly—become potential gateways for attackers operating from anywhere in the world. 

Supply Chain Sabotage: The most elegant attacks happen before election day. Malicious code inserted during manufacturing could lie dormant for years before striking at the perfect moment. 

Social Engineering: Sometimes the weakest link isn't the technology—it's the humans who operate it. A well-crafted phishing email targeting election officials could open doors that no amount of encryption can close. 

The Identity Game 

In the digital realm, proving you are who you say you are becomes a high-stakes game of cat and mouse: 

The Authentication Paradox: Electronic systems must verify voter identity without creating a digital trail that connects citizens to their votes. Get this wrong, and you either enable fraud or destroy ballot secrecy—both fatal to democracy. 

Data Goldmines: Voter registration databases contain treasure troves of personal information. In the wrong hands, this data becomes ammunition for targeted disinformation campaigns or large-scale identity theft. 

The Remote Voting Trap: Online voting sounds convenient until you realize there's no way to ensure the person casting the ballot is actually the registered voter—or that they're not being coerced by someone looking over their shoulder. 

When Systems Fail 

Real-world incidents read like cautionary tales from a digital dystopia. Security researchers have found vulnerabilities in widely-used voting systems that would make cybersecurity professionals weep. In controlled demonstrations, experts have: 

• Installed vote-changing malware in under two minutes 
• Accessed sensitive voter data through unsecured wireless connections 
• Demonstrated how a single infected machine could spread malware to an entire network 

Meanwhile, technical failures during actual elections have caused chaos even without malicious intent: systems crashing on election morning, vote counts mysteriously disappearing, and results that don't add up forcing emergency paper ballot procedures. 

Each incident erodes public trust a little more, creating exactly the chaos that hostile actors seek to achieve. 

Fighting Back: The Digital Defenders 

But this isn't a story without heroes. Across the world, election security experts are building digital fortresses designed to protect democracy itself. 

Building Unbreachable Walls 

Defense in Depth: Modern election security operates like a medieval castle—multiple walls, each designed to stop different types of attacks. If attackers breach the outer defenses, they face layer after layer of additional protections. 

The Air Gap Strategy: The most secure systems are completely disconnected from any network. No internet, no wireless, no remote access—just isolated machines that can only be compromised through physical access. 

Cryptographic Shields: Advanced mathematics becomes the guardian of democracy through encryption that would take centuries to break and digital signatures that make tampering immediately obvious. 

The Paper Trail Revolution 

Perhaps the most elegant solution to digital voting vulnerabilities is refreshingly analog: paper. Voter-verified paper audit trails (VVPAT) create a physical backup of every electronic vote. These paper records enable meaningful audits and recounts when questions arise. 

Risk-Limiting Audits: Statistical sampling techniques borrowed from quality control manufacturing allow election officials to verify results by manually checking just a small percentage of paper ballots—but enough to detect outcome-changing errors with mathematical certainty. 

Identity Without Surveillance 

Cutting-edge cryptographic techniques are solving the authentication paradox: 

Zero-Knowledge Proofs: Voters can prove their eligibility without revealing any personal information, like showing you have a valid ID without actually showing the ID itself. 

Multi-Factor Verification: Combining something you know (personal information), something you have (ID documents), and something you are (biometric data) creates robust authentication while maintaining privacy. 

The Human Element 

Technology alone cannot save democracy—people must be part of the solution: 

The Insider Threat: Election systems are only as secure as the people who operate them. Multi-person integrity controls ensure that no single individual can compromise election results, while comprehensive background checks and ongoing monitoring help identify potential threats. 

Training the Guardians: Election workers receive cybersecurity training that would impress corporate IT departments, learning to spot phishing attempts, secure sensitive data, and respond to potential attacks. 

Transparency as a Weapon: Public testing events allow security researchers to probe voting systems for vulnerabilities, turning the entire cybersecurity community into volunteer guardians of democracy. 

The Path Forward: Reclaiming Democracy 

The future of election security lies not in choosing between digital efficiency and democratic integrity, but in proving they can coexist. This requires: 

Continuous Vigilance: Election security is not a problem to be solved once but an ongoing arms race requiring constant adaptation and improvement. 

Public-Private Partnerships: Government agencies, private companies, academic researchers, and citizen advocates must work together to stay ahead of evolving threats. 

International Cooperation: Cyber attacks on elections are often transnational, requiring coordinated responses that transcend borders. 

Citizen Engagement: Democracy belongs to the people, and the people must demand transparency, accountability, and security from their election systems. 

The Stakes of Victory 

Every election is now a test of our digital defenses. The goal isn't to eliminate all risk—an impossible task in any human endeavor—but to make our systems so robust, transparent, and verifiable that public confidence remains unshakeable. 

The alternative is too terrible to contemplate: a world where citizens no longer trust their own elections, where democracy withers not from external invasion but from internal doubt about the integrity of the most fundamental democratic act. 

This is our challenge and our opportunity. The technology exists to secure our elections. The knowledge exists to implement it correctly. What remains is the will to treat election security with the urgency and resources it deserves. 

Democracy has survived kings and dictators, wars and revolutions. Now it must survive the digital age. The outcome of this hidden battle will determine whether future generations inherit a democracy strengthened by technology or one corrupted by it. 

The choice, quite literally, is ours to make. But we must make it now, before the next election becomes a demonstration of our failures rather than a celebration of our freedoms. 

The war for democracy's future is being fought in code and cryptography, in server rooms and security protocols. It's a war we cannot afford to lose. 

You’ll learn:

• What DDoS attacks are and how they work across layers 3, 4, and 7
• Why Layer 7 (application-layer) attacks are the fastest-growing and hardest to detect
• How attackers are building massive botnets (millions of compromised devices)
• Real-world DDoS incidents hitting FinTech, e-commerce, and media sectors
• The differences between scrubbing capacity and PoP proximity in mitigation
• How QRator Labs approaches DDoS protection with scrubbing, anti-bot, and WAF solutions

With Layer 7 attacks rising by 74% year-over-year and record-breaking volumetric attacks now lasting weeks, no industry can afford to ignore this threat.

Watch now to understand how to protect your business from DDoS, botnets, and evolving cyber threats.

Identity and Access Management (IAM) is far more complex than many people assume. While it is omnipresent in organizations, it is still frequently treated as a hidden infrastructure service which just needs to “work” in the background. As a result, IAM is often underestimated, underfunded, and under-strategized. Yet IAM is not simply infrastructure. It is a security service that can enable business growth, digital transformation, and secure collaboration across ecosystems. Without a clear plan, however, IAM quickly becomes an operational burden rather than a strategic advantage. 

Identity Fabric – from concept to practice 

Over the past years, the Identity Fabric has become a widely recognized foundation for modern IAM. It is no longer an abstract concept, but a strategic framework embraced by vendors, service providers, and enterprises alike. The core idea is straightforward but powerful: Provide seamless, controlled, and secure access for everyone and everything, from any location to any service. 

Figure 1: KuppingerCole Identity Fabric (Version 2025) 

The Identity Fabric illustrates how different identity types such as employees, customers, partners, devices, and services can interact with target systems. This access is enabled through functional capabilities. These capabilities are bundled into services, and these services are mapped to specific tool categories. In other words, the Identity Fabric turns the abstract question “how do we manage access for everyone to everything?” into a structured model. 

Figure 2: The KuppingerCole IAM Reference Architecture (Version 2025) 

The Reference Architecture as capability map 

The KuppingerCole Reference Architecture provides the necessary level of detail to bring the Identity Fabric to life. It is organized as a capability matrix along five functional layers and four domains which are the well-known “4 A’s.” By breaking IAM into clearly defined functional capabilities, the Reference Architecture helps organizations avoid the trap of viewing IAM only as products or tools. Instead, it establishes a structured view of what IAM must achieve and how these achievements fit into a business-aligned security ecosystem. 

This structured approach is not an academic exercise. It is the foundation for achieving a cohesive, adaptable, and future-proof IAM environment. Diving into the Reference Architecture is therefore essential, not only for strategy development but also for handling daily operational demands. 

Three ways of operationalization 

At EIC 2025, KuppingerCole presented the updated version of the Identity Fabric in a workshop and demonstrated three distinct approaches to operationalization: 

• Flexible Reference Architectures 
  This part highlighted how the Reference Architecture can be used to flexibly change the scope of the Identity Fabric. One major takeaway was the presentation of the new draft version of the CIAM Reference Architecture, showing how customer-specific requirements can be mapped consistently into the same structured approach. 
  
  
• Strategic Development 
  Here, KuppingerCole demonstrated how the frameworks can be used to assess an organization’s IAM landscape and derive a strategic roadmap in five steps: 
• Maturity assessment, 
• Definition of the target state, 
• Gap analysis, 
• Identification of action items,  
• Roadmap creation. 

This structured sequence helps organizations move beyond buzzwords and develop a practical, measurable plan for improvement. 

• Operational Development 
  Finally, the third chapter focused on daily IAM challenges and how do you resolve recurring operational issues with a structured, hands-on mentality. The Identity Fabric and Reference Architecture offer a common language to classify problems, highlight dependencies, and provide a structured pathway toward resolution. 

The feedback from this workshop was remarkably positive. Many attendees emphasized that this workshop had helped them greatly by showing them how to translate these frameworks into concrete steps for strategy and operations. 

The next step: Maturity as foundation 

While many organizations confidently state that they already have an IAM strategy, reality often tells a different story. Without a solid understanding of their own current state, these strategies remain vague and aspirational. At EIC 2025, the focus was on showing how to move forward in five steps. At the upcoming Identity Fabric Impact Day (IFID) on September 18, 2025, in Munich, the spotlight will shift to the very first step: The maturity assessment. 

A well-executed maturity assessment provides a structured overview of an organization’s functional capabilities. It helps build a common understanding across departments, prevents misunderstandings, and establishes a baseline for measuring progress. It also enables benchmarking against industry leaders transforming subjective assumptions into objective evaluations. 

Why maturity matters 

A maturity assessment is not simply about scoring an organization on a scale. It is about enabling clarity: 

• Which IAM capabilities exist, and how well are they implemented? 
• Where are the strengths, weaknesses andgaps? 
• How do different levels of maturity interact and depend on each other? 
• What is realistic to achieve as the next step? 

Without this clarity, organizations risk investing in the wrong initiatives or trying to adopt trends like Zero Trust or CIAM without having established the operational excellence to support them. The maturity assessment ensures that ambitions are matched with the current reality. 

What to expect in Munich 

At IFID, KuppingerCole will present a five-level maturity assessment model based on the Identity Fabric and the Reference Architecture. The event will provide concrete answers to key questions: 

• How many maturity levels are really required? 
• Which criteria are important to assess IAM capabilities? 
• How exactly are the levels and criteria defined? 
• How do the different levels relate to each other? 
• Which possibilities exist to improve maturity step by step? 

In addition, participants will have the chance to meet directly with KuppingerCole experts, discuss their own challenges, and receive advice on applying these insights in their organizations. 

From frameworks to real progress 

The operationalization of the Identity Fabric and Reference Architecture is not a theoretical exercise. It is about providing clarity, structure, and practical guidance in a complex area that too often suffers from misunderstanding. Focusing on the maturity assessment is the next step and will help organizations establish a transparent foundation for strategic development and operational excellence. 

Join us in Munich on September 18, 2025, to see how KuppingerCole's frameworks can be transformed into actionable insights and how maturity can become the starting point for real progress in IAM. 

• What orphaned accounts are and why they’re so dangerous
• Real-world examples of ghost accounts inside payment and production systems
• How orphaned and shared accounts create identity management challenges
• Best practices for cleanup using Active Directory, MFA, and PAM (Privileged Access Management)
• Why compliance regulations like NIS2 and DORA make orphaned account management more urgent than ever

If your organization is serious about identity and access management (IAM), it’s time to address orphaned accounts before they turn into the next breach headline.

Learn how to gain visibility, strengthen access control, and protect against hidden threats.

Cloud Sovereignty Risks and Data Backup Strategies: How to Protect Business Continuity

Learn how data backup strategies can protect against cloud sovereignty risks—including legal, operational, and geopolitical threats to business continuity.

Cloud services are now at the core of modern businesses, powering everything from real-time customer engagement to AI-driven analytics. However, beneath the promise of speed and scalability lies a geopolitical fault line: cloud sovereignty. For organizations that rely on non-sovereign cloud providers, especially those based in jurisdictions with far-reaching legal powers, this is more than a compliance headache. It is a direct threat to operational continuity, and business resilience as well as data confidentiality.

Figure 1: How digital sovereignty risks impact data backup strategies.

Data backup, often seen as the last line of defense against cyber-attacks, takes on a strategic role in this context, it is the critical defense needed to survive the digital impact of geopolitical shocks. In this blog I will compare two scenarios for data backup in this context, based on the four sovereignty risks: data sovereignty, operational sovereignty, infrastructure sovereignty, and technology sovereignty.

Risks of Storing Backup Data in a Non-Sovereign Cloud

In this scenario, backups of data in systems on premises, at the edge or in a sovereign cloud are stored in a non-sovereign cloud. For example, an organization is using a US owned cloud service to hold backups containing personal data relating to EU residents. This is common scenario since hyperscale cloud services are delivered from multiple locations and provide levels of availability, making them ideal for storing backup data.

Foreign laws, such as the US CLOUD Act, may compel a non-sovereign cloud provider to disclose the data, even if it is stored outside the cloud provider's home country. The European Data Protection Board (EDPB) supplementary measures describe in detail the controls needed to protect EU personal data in this case.  These measures are also useful to protect all forms of sensitive data against legal but unauthorized access by a cloud service provider.

Technical Controls

• Encryption – strong state of the art encryption can provide adequate protection providing the keys are managed correctly.
• Pseudonymization – as opposed to anonymization, is explicitly allowed providing the additional data needed to reconstitute the data is adequately protected.
• The customer retains the encryption keys within their sovereign jurisdiction.
• Split-key or Shamir Secret Sharing and other secret management techniques can provide extra protection for the keys.
• Other confidential computing techniques must be used to protect backup data that is processed within the non-sovereign cloud.

Residual Risks

• Geopolitical conflicts, sanctions, or government actions could disrupt access to backup data.
• Proprietary formats, APIs, and services can make it difficult to restore data from backups if the cloud backup service provider ceases operations or services.

Using Sovereign Backups to Reduce Cloud Sovereignty Risks

In this scenario, an organization uses a non-sovereign cloud to store and process data. For example, an EU organization is using a US owned cloud service to deliver business critical applications. This exposes the organization to four major risks as I outlined in my blog “Why US Isolationism is Now a Global Cloud Risk.” In the section above I described how to mitigate data confidentiality risks, here are some examples of how data backup can help to mitigate the other risks.

Infrastructure Sovereignty Risk: Denial of Access

In times of political conflict or sanctions, governments could seize, disable, or restrict access to the cloud infrastructure, disrupting or severing access to critical business operations.

Technical Controls

• Sovereign backup - storing a backup of your organization’s data in a sovereign cloud or physical location within your sovereign jurisdiction ensures that you have an accessible copy. This is particularly important for organizations subject to strategic export controls or operating in politically sensitive sectors.
• Infrastructure as code backup - application infrastructure is defined by data, and the backup must also protect this data.
• Continuous backup - In a dynamic DevOps environment this infrastructure changes as the application evolves. The backup process must be able to capture these changes and support restoring not just the application data but also the virtual infrastructure that it needs.

Residual Risk

• The time to rebuild workloads in sovereign infrastructure depends on your recovery plan. If this includes migrating the application components to a different technology this may be complex and cause prolonged downtime.

Technology Sovereignty Risk: Lock-In Becomes Lock-Out

Cloud services are “software defined” and depend upon a complex technology stack. This involves proprietary hardware and software to deliver a proprietary user environment. While the basic capabilities of networking, storage and computing may support open standards, the user interfaces, tools, and APIs provided by the services are proprietary.

If a non-sovereign government were to legally oblige the cloud service provider to cease providing that service in certain geographies it would be difficult for organizations in those to maintain business continuity.

Technical Controls

• Use international and open standards when architecting and implementing business critical applications to reduce the risk of technology lock-out.
• Standard backup formats - backups of your environment in open, portable formats in your sovereign environment would allow you to restore your workloads to alternative platforms without relying on the provider’s proprietary tools.

Residual Risk

• Some workloads rely on proprietary features such as managed databases, AI models, or analytics pipelines that cannot be fully replicated outside of the proprietary cloud environment. Even with portable data formats, migrating applications integrations may require substantial reengineering, which can extend recovery timelines.

Conclusion

Cloud sovereignty risks are no longer abstract, hypothetical threats, they are unfolding in real time as global politics, trade policies, and jurisdictional power plays increasingly intersect with digital infrastructure. For organisations depending upon non-sovereign cloud services, the question is not whether sovereignty-related disruptions might happen, but when and how well prepared your organization will be when they do.

A well-planned backup strategy, whether to a sovereign cloud or physical location, acts as both a safety net and an enabler of digital independence. It provides your organization with resilience against not only cyber threats but also digital sovereignty risks.

By integrating sovereign cloud backups into your data backup strategy, your organization can strengthen business continuity and resilience against cloud sovereignty risks. To explore best practices in data protection and compliance, join us at Identity-Centric Cybersecurity Impact Day 2025 in Frankfurt November 6^th, 2025.

Together, they gothrough the buzzwords to reveal what’s real, what’s hype, and how organizations should approach these fast-evolving areas of IAM. From visibility vs. observability, to governance challenges and the future of machine identity management, this episode delivers sharp insights and practical recommendations from three IAM veterans.

So tell us — are ITDR and NHI just marketing buzzwords, or essential must-haves for modern identity security?

Key topics covered:

• ITDR explained: buzzword or meaningful evolution in IAM?
• Why visibility and observability are not the same
• The missing “R” in detection & response
• IAM vs. SOC responsibilities for ITDR
• Machine identities: terminology, challenges, and governance
• Ephemeral vs. static machine identities
• How IAM teams can prepare for the future of identity security

KuppingerCole’s Leadership Compass: Identity Fabrics 2025 offers deep insights into the technologies, trends, and vendors shaping the future of identity architectures. It defines what matters most in a modern IAM architecture: orchestration, signal-driven decisions, and seamless integration across systems and identities.

Martin Kuppinger, Principal Analyst at KuppingerCole Analysts, will present key findings from the latest Leadership Compass, highlighting critical requirements for Identity Fabric and offering a detailed perspective on the vendor landscape. He will explain how orchestration and signals are redefining identity decisions and how organizations can evolve from legacy IAM to future-ready infrastructure.

This session is essential for IT leaders seeking to benchmark their current IAM strategies, explore technology options, and align their long-term identity roadmap with market direction.