
Identity Providers Must Evolve (Part 4 of 5)

IAM risks becoming infrastructure plumbing in a larger security stack
Written by
Mark Batchelor
Published on
May 8, 2025

Identity and Access Management (IAM) platforms have historically held a position of strategic importance: they are the gatekeepers. They control who gets in, under what conditions, and to what extent. But that influence is starting to wane.

In a world where attackers can use valid credentials, valid sessions, and valid devices to operate inside the perimeter, access control is only part of the equation. Security is no longer just about who is allowed in—it's about what happens next.

Authentication is No Longer Enough

The majority of identity providers focus on authentication, federation, and authorization. They mint tokens, issue assertions, enforce policy checks at login, and hand off trust to downstream applications. But once access is granted, most identity systems go dark: the token keeps working for its full lifetime, and nothing in the identity layer watches how it is used.

This binary model—"authenticate or deny"—is outdated. Threats today are dynamic and continuous. An identity that looks safe at 9:00 AM could be compromised by 9:15. A token issued based on valid credentials could be replayed in another session.

Without ongoing context, a traditional identity system cannot tell a hijacked session from a legitimate one. It keeps honoring the token it issued, and in doing so vouches for the adversary rather than protecting against them.

Relegation to Plumbing

If identity providers don't evolve, they risk becoming undifferentiated infrastructure: the plumbing layer beneath a broader, smarter security stack. This trend is already happening. EDR, XDR, and SIEM platforms are increasingly ingesting identity signals, scoring session risk, and triggering automated responses.

If identity vendors continue to limit their role to authentication and provisioning, they will:

  • Lose visibility into post-authentication behavior
  • Be bypassed during threat response
  • Depend on other systems to enforce adaptive policies

In short, they will lose strategic influence.

What Identity Providers Need to Do

To remain a critical part of modern security strategy, identity platforms must:

  • Embrace continuous evaluation: Move from point-in-time access control to real-time trust assessment.
  • Integrate behavioral analytics: Understand when legitimate users start acting abnormally.
  • Collaborate with EDR/XDR tools: Share signals and act on them through automation.
  • Detect session misuse: Flag token anomalies, unauthorized replay, and post-login threats.
  • Support identity threat detection natively: Expand beyond governance and policy to include runtime threat visibility.
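The contrast between the login-only model and continuous evaluation is easiest to see on an event stream. The following is an added example written for this article; it is not Verosint's code or any vendor's product. It runs the same constructed post-authentication events, modelled on the 9:00 login / 9:15 compromise scenario above, through a point-in-time login check and through a per-event evaluator that looks for two session-misuse signals: the same session token appearing from a different device (a replay indicator) and a geo-IP jump that implies impossible travel. The event schema, the device-fingerprint field, the 900 km/h threshold and the sample events are all assumptions made for the illustration.

```python
"""Point-in-time vs continuous session evaluation over post-authentication events.

Added example for this article; it is not Verosint's code or any vendor's product.
The event schema, the device-fingerprint field, the 900 km/h travel threshold and
the sample events below are all constructed for illustration.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Event:
    ts: int          # seconds (constructed: seconds since midnight of one day)
    session_id: str  # identifier of the session token being presented
    device_id: str   # assumed stable device fingerprint or device cookie
    ip: str
    lat: float       # geolocation of ip (assumed to come from a geo-IP lookup)
    lon: float
    action: str


EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: faster than an airliner counts as impossible travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def login_time_check(events, known_devices):
    """The binary model: evaluate only the login event, then trust the session.

    Returns findings for logins from an unknown device; every later event is ignored,
    so a legitimate login followed by a stolen token produces no finding at all.
    """
    return [
        {"session_id": e.session_id, "ts": e.ts, "reason": "login_from_unknown_device"}
        for e in events
        if e.action == "login" and e.device_id not in known_devices
    ]


def continuous_evaluation(events):
    """Re-assess trust every time a session token is presented.

    Each event is compared with the previous event of the same session:
      - device_change: the same token shows up from a different device fingerprint,
        the classic symptom of a stolen or replayed token;
      - impossible_travel: the geo-IP jump implies faster-than-airliner movement.
    Returns a list of findings; a real deployment would drive a response from them
    (revoke the session, step up authentication, notify EDR/XDR).
    """
    findings = []
    last_seen = {}  # session_id -> previous Event for that session
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last_seen.get(ev.session_id)
        if prev is not None:
            if ev.device_id != prev.device_id:
                findings.append({"session_id": ev.session_id, "ts": ev.ts, "reason": "device_change"})
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = max(ev.ts - prev.ts, 1) / 3600  # clamp to >= 1 s so speed is defined
            if km / hours > MAX_PLAUSIBLE_KMH:
                findings.append({"session_id": ev.session_id, "ts": ev.ts, "reason": "impossible_travel"})
        last_seen[ev.session_id] = ev
    return findings


# Constructed sample: the user logs in legitimately from a known laptop in Denver at
# 09:00; at 09:15 the same session token is presented from an unknown device whose IP
# geolocates to Frankfurt. A second, benign session shows the evaluator stays quiet
# on normal activity. IPs are from documentation ranges.
KNOWN_DEVICES = {"laptop-a", "phone-c"}
SAMPLE_EVENTS = [
    Event(32400, "s1", "laptop-a", "203.0.113.10", 39.7392, -104.9903, "login"),
    Event(32700, "s1", "laptop-a", "203.0.113.10", 39.7392, -104.9903, "view_account"),
    Event(33300, "s1", "device-x", "198.51.100.7", 50.1109, 8.6821, "change_email"),
    Event(32460, "s2", "phone-c", "192.0.2.44", 47.6062, -122.3321, "login"),
    Event(32760, "s2", "phone-c", "192.0.2.44", 47.6062, -122.3321, "view_account"),
]

if __name__ == "__main__":
    print("login-only findings:", login_time_check(SAMPLE_EVENTS, KNOWN_DEVICES))
    for finding in continuous_evaluation(SAMPLE_EVENTS):
        print("continuous finding:", finding)
```

On this input the login-only check returns nothing, because the 09:00 login was genuine; the continuous evaluator flags the 09:15 event twice, once for the device change and once for the roughly 8,100 km jump in fifteen minutes. The thresholds are deliberately crude; in practice the device signal is only as good as the fingerprint binding the token to the client, and geo-IP alone will misfire on VPN and mobile carrier egress, which is why the text argues for correlating these signals with endpoint telemetry rather than acting on any one of them in isolation.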

This isn't just a roadmap—it's a requirement for survival in a post-authentication threat landscape.

What's Next

In the final article of the series, we'll look ahead. What does a truly converged identity + endpoint defense architecture look like? What principles and technologies are required to unify detection and response across both domains?

------------

This is the 4th article in a 5-part series.

Read: Part 1 | Part 2 | Part 3 | Part 4 | Part 5

Mark Batchelor

As the CTO and co-founder of Verosint, Mark leads with a contagious passion for cybersecurity and team building. Before coming to Verosint, Mark served as the VP of Business Development at Chainalysis enabling partners and building strategic alliances for the company. Prior to Chainalysis, he served on the executive team at Ping Identity as the Chief Solution Architect for the global sales engineering team and leading the Innovation Lab initiatives.