Best Practices Archives - Best Identity Access Management (IAM) Software, Tools, Vendors, Solutions, & Services
https://solutionsreview.com/identity-management/category/best-practices/ (feed last updated Fri, 14 Nov 2025 16:15:24 +0000)

AI Agents, Zero Trust, and the New Identity Paradigm
https://solutionsreview.com/identity-management/ai-agents-zero-trust-and-the-new-identity-paradigm/ Thu, 13 Nov 2025 16:02:43 +0000

Duncan Greatwood, the CEO of Xage Security, examines how AI agents and zero-trust security are shaping a new identity paradigm. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.

Agentic AI is 2025’s hottest tech topic—and yet AI agents are being held back by the risks. Fears of rogue behavior abound, with cautionary tales such as a Replit agent deleting a customer’s entire codebase, leaving businesses hesitant to trust agent-based AI with critical tasks. Human leaders are understandably reluctant to put themselves in a position where they must answer for AI’s costly mistakes.

At the same time, ignoring agentic AI would be short-sighted. Well-governed agents that deftly accomplish their tasks promise significant efficiency gains and enable new ways of working. This presents CISOs and CIOs with a pressing problem. Agents need clear controls that keep them on track and restrict deviations that may have disastrous ripple effects. Current methods, such as prompt guardrails, are insufficient, as they can be easily bypassed by deliberate or accidental “jailbreak” inputs. Zero-trust identity-based controls can provide the necessary jailbreak-proof protections—provided they are extended to operate in the agent-based era.

Controlling AI Agents

Agents need to have identities applied to them, much like human users and machines do, but the controls placed on those identities should be tailored to meet the unique challenges that agents present. The paradigm needs to be built around both what makes agentic AI similar to existing entities and what makes it different from them.

What are the specific requirements for an agentic Zero Trust approach?

  1. An identity for each agent, such as the one provided by the A2A protocol/OpenAPI card
  2. Authentication and entitlement management for agents
  3. Enforcement of what agents can do with identity-based, jailbreak-proof, granular controls
  4. Multihop entitlement delegation for user-to-agent and agent-to-agent controls
  5. Least-privilege entitlements, delegating only what’s needed for the task at hand

Implementing these requirements stops attackers from gaining control over critical systems by using agents to escalate their privileges. It creates accountability, so it is always clear who is ultimately responsible for initiating an action. It stops rogue AI agent behavior by avoiding excessive entitlement delegation to autonomous agents. It also prevents data leakage by enforcing identity-based control over data retrieval and transmission.

With properly implemented Zero Trust for AI agents, each agent operates in a focused, controlled, and task-appropriate manner, avoiding the potentially catastrophic risks associated with unmanaged AI privileges.
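The five requirements above, worked through as an added example that is not the article's or Xage Security's own code: a small Python policy engine in which only human users hold root grants, each agent holds one time-bound delegation that must be a subset of its delegator's current scope, and every authorization decision re-walks the chain back to the accountable human. All identities, resources and timestamps are constructed for the walkthrough.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Entitlement = FrozenSet[Tuple[str, str]]   # set of (resource, action) pairs


@dataclass(frozen=True)
class Delegation:
    delegator: str       # identity handing access down (a user or another agent)
    delegate: str        # agent identity receiving it
    scope: Entitlement   # what is handed down; never wider than the delegator's
    expires_at: float    # unix time after which this hop is void


@dataclass(frozen=True)
class Decision:
    allowed: bool
    chain: Tuple[str, ...]   # requesting agent ... accountable root identity
    reason: str


class EntitlementEngine:
    """Root grants belong to human users; agents only ever hold delegated scope."""

    def __init__(self, root_grants: Dict[str, Entitlement]) -> None:
        self.root_grants = dict(root_grants)
        self.delegations: List[Delegation] = []

    def effective_scope(self, principal: str, now: float,
                        seen: Tuple[str, ...] = ()) -> Tuple[Entitlement, Tuple[str, ...]]:
        """Walk the chain back to a root identity. An agent's scope is its live
        hop intersected with its delegator's *current* scope, so an expired or
        revoked upstream hop empties every hop below it. Returns (scope, chain)."""
        chain = seen + (principal,)
        if principal in seen:                  # delegation loop: deny everything
            return frozenset(), chain
        if principal in self.root_grants:
            return self.root_grants[principal], chain
        live = [d for d in self.delegations
                if d.delegate == principal and d.expires_at > now]
        if not live:
            return frozenset(), chain
        hop = live[0]   # delegate() guarantees at most one live hop per agent
        upstream, chain = self.effective_scope(hop.delegator, now, chain)
        return hop.scope & upstream, chain

    def delegate(self, delegator: str, delegate: str, scope: Entitlement,
                 ttl_seconds: float, now: float) -> Delegation:
        """Issue a hop under least privilege: the requested scope must sit inside
        the delegator's current effective scope, so a hop can only narrow access
        and an agent cannot escalate by re-delegating."""
        upstream, _ = self.effective_scope(delegator, now)
        excess = scope - upstream
        if excess:
            raise PermissionError(f"{delegator} cannot delegate {sorted(excess)}")
        if any(d.delegate == delegate and d.expires_at > now for d in self.delegations):
            raise PermissionError(f"{delegate} already holds a live delegation")
        hop = Delegation(delegator, delegate, frozenset(scope), now + ttl_seconds)
        self.delegations.append(hop)
        return hop

    def authorize(self, principal: str, resource: str, action: str,
                  now: float) -> Decision:
        """Enforcement point, evaluated per action rather than at prompt time:
        what an agent has been *told* to do cannot widen what it may do."""
        scope, chain = self.effective_scope(principal, now)
        if (resource, action) in scope:
            return Decision(True, chain, "within delegated scope")
        return Decision(False, chain, "outside delegated scope or a hop has expired")


def demo(now: float = 1_700_000_000.0) -> Dict[str, bool]:
    """Constructed scenario: alice (human) -> planner-agent -> fetch-agent,
    on a fixed clock so the walkthrough is deterministic."""
    engine = EntitlementEngine({"alice": frozenset({
        ("crm-db", "read"), ("crm-db", "write"), ("repo", "read"), ("repo", "delete")})})
    # hop 1: alice hands the planner a read-only subset for five minutes
    engine.delegate("alice", "planner-agent",
                    frozenset({("crm-db", "read"), ("repo", "read")}), 300, now)
    # hop 2: the planner hands an even narrower slice to a fetch sub-agent
    engine.delegate("planner-agent", "fetch-agent", frozenset({("crm-db", "read")}), 600, now)

    r: Dict[str, bool] = {}
    r["fetch_can_read_crm"] = engine.authorize("fetch-agent", "crm-db", "read", now).allowed
    # a jailbroken prompt telling the planner to delete the repo changes nothing
    r["planner_can_delete_repo"] = engine.authorize("planner-agent", "repo", "delete", now).allowed
    # the planner cannot mint a hop wider than what it holds itself
    try:
        engine.delegate("planner-agent", "rogue-agent", frozenset({("repo", "delete")}), 60, now)
        r["escalation_blocked"] = False
    except PermissionError:
        r["escalation_blocked"] = True
    # accountability: every decision names the human at the root of the chain
    r["root_is_alice"] = engine.authorize("fetch-agent", "crm-db", "read", now).chain[-1] == "alice"
    # time-bound: fetch-agent's own hop is still live at now + 400 s, but the
    # planner's lapsed at now + 300 s, so the sub-agent's access dies with it
    r["fetch_denied_after_upstream_expiry"] = not engine.authorize(
        "fetch-agent", "crm-db", "read", now + 400).allowed
    return r
```

Because the chain is re-evaluated on every call, revoking or letting a human's delegation lapse cuts off every agent downstream of it at once, which is the property that makes the control independent of what the agent's prompt says.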

Examples to Learn From

The Replit incident may be the most notorious example of rogue agent activity to date, but it’s just one example of misbehavior uncovered by prominent AI research. September findings from OpenAI and Apollo Research revealed that many leading AI models are capable of scheming, or concealing their behaviors to achieve alternative goals. They even detect when they’re being watched, and act accordingly.

It’s therefore irresponsible to give agents anything more than least-privilege access to operational systems—their controls need to consider and block every rogue possibility and ensure that efficiency gains don’t come at the expense of security and predictability.

Why Zero Trust is the Answer

Zero-trust principles, grounded in time-bound, identity-based access controls, are ideal for agents. Their missions are focused in scope and clearly defined, making them prime candidates for management with granular, identity-based access controls. It’s a framework that’s proven to be effective in both preventing and mitigating the effects of breaches.

Recent incidents, such as the $2.5 billion breach that affected Jaguar Land Rover, have served as reminders of how wide-reaching and tangible the effects of external cyber-attacks can be. Internal disruptions like agent misbehavior and data leakage can be just as costly, though, and applying the same Zero Trust safeguards to employees, chatbots, agents, and external parties is the best way to protect organizations from missteps (intentional or not) that cause compounding damage.

AI agents are both a critical innovation for businesses to employ and a new point of vulnerability where protective measures are urgently needed. Securing them needs to ensure both convenience and resilience, allowing agents to operate as efficiently as intended while also holding them accountable to their goals and restrictions. Zero Trust is a tried-and-true framework that enables organizations to do just that, leaving room to root new security measures in identity-centric principles that stop rogue behavior and abuse before it starts.


National Insider Threat Awareness Month Quotes and Commentary from Industry Experts in 2025
https://solutionsreview.com/identity-management/national-insider-threat-awareness-month-quotes-and-commentary-from-industry-experts-in-2025/ Tue, 30 Sep 2025 18:14:46 +0000

For National Insider Threat Awareness Month 2025, the editors at Solutions Review have compiled a list of comments from some of the leading industry experts.

As part of this year’s National Insider Threat Awareness Month, we called for the industry’s best and brightest in Identity and Access Management and the broader cybersecurity market to share best practices, predictions, and personal anecdotes. The experts featured represent some of the top influencers, consultants, and solution providers with experience in these marketplaces, and each quote has been vetted for relevance and ability to add business value.

National Insider Threat Awareness Month Quotes from Industry Experts in 2025


Jake Bell, Engineer Team Lead at Object First

“This National Insider Threat Awareness Month is a reminder that one of the biggest risks to an organization’s data often can come from within the company. Whether through malicious intent or simple human error, insiders can inadvertently open the door to catastrophic breaches. The most dangerous mindset for any organization is believing ‘it won’t happen to us.’ In today’s threat landscape, leaders must operate under the assumption that a breach is inevitable. This means that secure, tested, and adaptable backup strategies are a non-negotiable.

“This month, IT teams should ensure Zero Trust Disaster Resilience (ZTDR) practices are incorporated into their storage infrastructure. With ZTDR, admins can truly harden their data protection architectures by segmenting backup software and storage, creating resilience zones, and leveraging immutable backups as the final line of defense when attackers slip past defenses. Whether through shadow IT, evolving AI tools, or the click of an unsuspecting employee, with immutable backups and ZTDR principles in place, organizations ensure recovery remains possible even in worst-case insider threat scenarios. Awareness is important, but resilience is essential.”


Patrick Harding, Chief Architect at Ping Identity

“Insider threats have long been a security risk for organizations, but the attack surface is expanding into new territory: AI agents can now act like internal users with their own access and behavior patterns. With 79 percent of senior executives reporting that AI agents are already being adopted in their companies, we’re facing a very stark reality where determining human behavior from bot behavior might be the difference between securing your organization and falling victim to a nefarious attacker.

“Whether it’s a malicious insider, a negligent employee, or an ungoverned AI agent behaving unexpectedly, the fallout from insider threats can be disastrous and long-lasting. That’s why early detection, including identifying unusual patterns like unexpected login attempts or unusual data access, is critical. However, detection alone isn’t enough. Real‑time risk assessment is essential to immediately identify and prioritize the most urgent threats. Finally, decisive actions, including escalating to security operations or enforcing stricter policies, must follow. This month is an important reminder to recognize that every identity, human or AI, needs to be treated with the same level of caution and verification.”


Pete Luban, Field CISO at AttackIQ

“Insider threats, whether from disgruntled employees or compromised credentials, are challenging to detect and prevent with traditional security measures. Insider Awareness Month serves as a reminder to security teams about the importance of simulating real-world insider attack scenarios to assess the effectiveness of their security controls and response protocols.

“Recent spikes in shadow AI usage and a lack of proper cyber hygiene increase the likelihood of insider threats. Using unauthorized tools or platforms, as well as poor security practices like maintaining outdated software or weak passwords, can unknowingly expose sensitive data or create exploitable vulnerabilities.

“By integrating techniques, such as adversarial emulation, into the security lifecycle, organizations can uncover gaps in their detection and mitigation strategies before a real attack occurs. Simulated, continuous testing can ensure that security teams can mitigate attacks before insider threats sidestep defenses and steal valuable company data.”


Joshua Roback, Principal Security Solution Architect at Swimlane

“Insider threats have always been one of the hardest challenges for security teams because they originate from people with legitimate access. Unlike external adversaries, they don’t have to find a way in. They already have the keys. That makes their actions harder to spot and far more damaging when they turn malicious or careless.

“It’s up to organizations to ensure their security systems are well-protected, starting with determining who has access to which systems. Poorly managed access controls can create an environment for insider threats to sprout and thrive. Implementing a mature identity access management solution is the most powerful weapon in mitigating insider threat risks. User behavioural analytics (UBA) can provide proactive detection of anomalous user behaviors, giving security teams a leg up against unannounced attackers.

“The rise of insider threats has resulted in the development of security measures that can ensure that threats are monitored, analyzed, and neutralized before they escalate into catastrophic breaches. Building resilience has required organizations to combine continuous monitoring, automated response, and a strong security culture to reduce the window of opportunity for insider abuse.”


Bojan Simic, Co-Founder and CEO at HYPR

“September marks Insider Threat Awareness Month, and this year’s theme, ‘Partnering for Progress,’ cuts to the core of what’s failing in enterprise security today.

“Insider threat mitigation is not an isolated security problem. It’s a company-wide imperative—and it starts with identity. Whether posed by a malicious actor or an employee simply making a user error, insider threats consistently compromise organizations by exploiting gaps in how users are verified at sign-in and throughout a session.

“Identity is rightly regarded as the new perimeter, yet it remains one of the most vulnerable points of access. This is because static credentials, one-time authentication, and siloed access controls leave too much room for misuse. Most systems validate an identity once and then blindly assume that risk has been mitigated. It hasn’t.

“But technology is only half the battle. True ‘Partnering for Progress’ means aligning IT, security, HR, and compliance. Without identity assurance embedded across these functions, insider threats will inevitably slip through. The companies that are preventing breaches are not just reacting to threats; they are proactively integrating identity into every strategic decision. They are the ones who are building a resilient, security-first culture from the inside out.”


Aditya Sood, VP of Security Engineering and AI Strategy at Aryaka

“Insider Threat Awareness Month is a critical initiative for raising awareness about the unique security risks posed by internal actors. There have been several examples of insider threats wreaking havoc on major corporations, with Elon Musk’s X being the most prominent recent example.

“A malicious insider is a significant cybersecurity risk, as such individuals can steal intellectual property, exfiltrate confidential information, sabotage systems, or manipulate business operations for personal gain or in collusion with outside threats. The impact can range from financial losses and reputational damage to regulatory penalties and national security risks.

“Awareness about malicious insider activities is crucial because employees and stakeholders must understand the importance of safeguarding credentials and the necessity of reporting suspicious activity. By teaching employees to recognize the signs of suspicious behavior and reinforcing the importance of strict access controls and reporting protocols, organizations can transform their entire workforce into a crucial line of defense against internal threats. Employees’ role in this is not just important: it’s indispensable. They are the first line of defense, and their commitment to this cause will keep organizations secure.”


Steve Wilson, Chief AI and Product Officer at Exabeam

“The danger from insider threats continues to grow in the modern cyber landscape, particularly as AI accelerates their speed, stealth, and sophistication. With 64 percent of cybersecurity professionals now viewing insiders as a greater risk than external actors, Insider Threat Awareness Month is a critical opportunity to emphasize proactive defense strategies.

“While 88 percent of organizations have insider threat programs, many lack behavioral analytics needed to detect AI-enhanced attacks that exploit trusted access and mimic legitimate user behavior. As threats intensify across sectors like government, healthcare, and manufacturing, this initiative provides an opportunity to call for stronger governance, cross-functional collaboration, and real-time detection capabilities to stay ahead of both human and AI-driven insider risks.”


Mark Wojtasiak, VP of Product Research and Strategy at Vectra AI

“Insider Threat Awareness Month is a reminder that the challenge isn’t just at the perimeter; it’s inside organizations, where identities, networks, and everyday user behavior are constantly at play. Security teams are inundated with thousands of alerts daily, yet only a small fraction represent real threats. This noise leaves many analysts unable to review more than a third of alerts, and the fear of missing an attack is a weekly reality for most SOC professionals. Ultimately, this noise drowns out the signal that matters most—the activity rooted in how identities are used and how they traverse the network.

“Compounding this, recent industry research shows that insider threats, particularly non-privileged users whose accounts are compromised or misused, are now the most prevalent attacker profile. Nearly two out of five prioritized threats are tied to insider behaviors. The reality is that user and identity misuse is inevitable in today’s complex networks and environments. That’s why security leaders need to focus on detection and response strategies that look beyond the perimeter and zero in on how accounts, identities, networks, and data are actually being used. Reducing noise while elevating the signal that matters most is critical to empowering SOC teams to catch what could otherwise slip through the cracks.”


How Mid-Market Businesses Can Achieve Security Compliance Efficiently
https://solutionsreview.com/identity-management/how-mid-market-businesses-can-achieve-security-compliance-efficiently/ Wed, 25 Jun 2025 21:11:45 +0000

Chase Doelling, a Principal Strategist at JumpCloud, explains how mid-market companies can achieve security compliance. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.

Our current landscape of security threats has exacerbated the need for sweeping cybersecurity regulation. While these standards are designed to safeguard sensitive information and hold organizations accountable, they also present a unique challenge for mid-market businesses.

Unlike large enterprises with dedicated compliance teams and deep pockets, mid-sized companies are expected to meet the same requirements, often with far fewer resources at their disposal. This creates a success paradox: as these businesses grow from small to mid-market, they face increased scrutiny, more complex IT environments, and a broader array of security risks that they don’t yet have the resources to keep up with.

Yet, despite these hurdles, mid-market organizations are still achieving compliance and robust security practices. By embracing scalable strategies tailored to their needs, they can protect their data and satisfy regulatory requirements without breaking the bank.

The Compliance Challenge for Mid-Market Businesses

A recent report found that 68 percent of small and medium-sized enterprises experienced at least one cyber-attack in the past year. Ransomware remains a constant threat, and the rise of AI-driven attacks is accelerating. This creates new security risks that are difficult for organizations of any size.

As our world continues to evolve, regulators are tightening requirements to keep pace with emerging threats. For mid-market businesses, the stakes are high: non-compliance can result in hefty fines, reputational damage, and even operational shutdowns. The cost of a single data breach is devastating, especially for organizations that don’t have the same financial backing as larger enterprises. While enterprises can rely on specialized compliance teams and advanced security tools, mid-sized organizations operate with smaller IT departments and limited funding. This resource gap makes it challenging to keep up with evolving regulations and implement comprehensive security measures.

There is also a tendency to underestimate the complexity and scope of regulatory requirements, leading to a “checkbox” approach where compliance is treated as a one-time task rather than an ongoing process. This mindset not only increases risk but can also leave organizations vulnerable to both cyber threats and regulatory scrutiny. To overcome these challenges, mid-market companies must adopt smarter, more sustainable approaches to compliance that align with their unique constraints.

Top Regulatory and Security Stakes Facing Mid-Market Companies

Mid-market businesses have to navigate a maze of complex regulations. The General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA) in the United States, and the EU’s Network and Information Security Directive (NIS2) are just a few of the most prominent frameworks shaping the compliance landscape.

In the current environment, treating compliance as an afterthought is a financial gamble few businesses can afford to take. GDPR, CCPA, and NIS2 are far more than legal formalities—they’re financial minefields with severe consequences for non-compliance. Major companies like Meta and Google have faced record-breaking fines, and smaller businesses aren’t immune to the penalties. The numbers are stark: GDPR fines can reach up to €20 million or 4 percent of global revenue, and CCPA violations can cost $7,500 per incident with no cap.

Cost-Effective Compliance Strategies

Investing in compliance may seem costly, but it’s a fraction of what non-compliance can cost down the line. Proactive companies can save millions by avoiding fines, lawsuits, and customer churn, while those who cut corners face mounting regulatory scrutiny. These industry standards demand more transparency to ensure robust data security, and the requirements are only getting stricter.

So, how do mid-size companies bridge the gap? Implementing strong access controls, automating security policies, and taking a unified approach to endpoint management can keep compliance costs manageable and scalable as the company grows.

Practical IAM (Identity and Access Management) Implementations

While compliance involves a mix of people, processes, and technology, one of the most effective ways to address these requirements is through cloud-based identity and access management (IAM). Cloud IAM platforms provide a standardized, scalable way to control who can access critical systems, applications, and data, making it easier for IT admins to meet regulatory demands without the limitations of legacy, on-premises solutions.

Modern cloud identity management solutions enable organizations to securely connect users to a wide range of IT resources, from cloud and on-prem servers to applications and networks. These platforms offer granular control over user access and enforce security policies like multi-factor authentication and password complexity to help ensure that only authorized personnel can access sensitive information.

By centralizing and automating access controls, cloud IAM streamlines compliance efforts and enhances organizations’ overall security posture. As compliance requirements continue to expand, leveraging cloud identity management allows organizations to stay ahead of regulatory changes and protect their data and reputation.

Achieving Compliance Without Overwhelming Your Team

Embracing automation further streamlines compliance processes and minimizes manual workloads. Automated tools can handle routine tasks like user provisioning, policy enforcement, and audit reporting, freeing IT teams to focus on higher-value initiatives. At the same time, building a culture of security through ongoing employee training and awareness programs helps ensure that compliance isn’t just an IT responsibility, but a company-wide priority.

Finally, partnering with trusted vendors and managed service providers can provide access to specialized expertise and support, helping mid-market organizations stay ahead of evolving regulations without needing a large in-house compliance team. By combining smart resource allocation, technology, and a security-first mindset, businesses can achieve robust compliance without breaking the bank.


5 Strategies for Improving AI Readiness in Identity Security
https://solutionsreview.com/identity-management/strategies-for-improving-ai-readiness-in-identity-security/ Wed, 25 Jun 2025 13:28:28 +0000

To help companies remain competitive amidst changing markets, the Solutions Review editors are exploring how companies can improve the AI readiness of their identity security processes and technologies.

The continued convergence of artificial intelligence and identity security represents one of the most significant paradigm shifts in cybersecurity since the advent of zero-trust architecture. Yet most organizations remain trapped in legacy thinking, often treating AI as another tool to bolt onto existing identity frameworks instead of recognizing it as a fundamental reimagining of how identity verification, authentication, and access control must evolve.

Consider the asymmetric threat environment we now inhabit: while security teams manually review access logs and conduct quarterly access audits, AI-powered attackers can execute thousands of credential stuffing attempts per second, synthesize convincing deepfake authentication, and adapt their attack strategies in real-time. The results from CrowdStrike’s 2025 Global Threat Report confirm this by showing that 79 percent of detections were malware-free, which indicates that valid credentials were used for unauthorized entry. Organizations that fail to prioritize AI readiness in their identity security posture won’t just fall behind; they will find themselves incompatible with the emerging threat landscape.

Avoiding that disaster will require more than incremental improvements to existing systems. There’s too much at stake for that level of patience, and threat actors won’t wait while your company gradually bolsters its defenses. Organizations that recognize this imperative and act decisively will create compounding advantages that become insurmountable over time. With that in mind, the Solutions Review editors have compiled a few ways companies of all sizes can prioritize the AI readiness of their identity security strategies.

1) Implement Continuous Behavioral Biometrics with Multimodal AI Fusion

Traditional multi-factor authentication is already becoming obsolete in an AI-dominated threat environment, and with over 90 percent of companies experiencing identity-related incidents on an annual basis, the need for stronger human and non-human identity security has never been higher.

One alternative to MFA is continuous behavioral biometrics powered by multimodal AI systems, which can create dynamic identity signatures that combine keystroke dynamics, mouse movement patterns, gait analysis from mobile sensors, voice stress analysis, and micro-facial expression detection. This approach isn’t about improving accuracy in individual biometric modalities, but about deploying AI models that excel at detecting anomalies in the relationships between modalities. For example, even if a sophisticated attacker can replicate your typing pattern, they can’t also replicate the micro-correlations between your typing rhythm and subtle head movements while concentrating.

Additionally, the technical imperative requires moving from simple rule-based systems to deep learning architectures capable of understanding the complex interplay between different behavioral modalities. Organizations must build federated learning networks that allow behavioral models to improve themselves without exposing raw biometric data. This creates a competitive moat while addressing privacy concerns that will become increasingly important as regulatory frameworks evolve.

2) Deploy Adversarial Identity Intelligence with Predictive Threat Modeling

Most identity security systems are still reactive, capable only of responding to threats after they’ve penetrated initial defenses. This approach is not only inadequate in the current threat landscape but actively counterproductive. When AI-powered attacks are evolving faster than human security teams can adapt, those teams need technology to help them catch up, and, for the most part, the tools available to them are coming up short. If a company wants to future-proof its identity security, it must double down on AI readiness. This means shifting from a defensive posture to an offensive one that deploys AI systems that can model potential attack vectors against their specific identity infrastructure, simulate thousands of attack scenarios daily, and identify vulnerabilities before adversaries do.

The reality is that traditional penetration testing has become counterproductive, as human-led security assessments cannot match the speed and creativity of AI-powered attacks. Organizations should transition to AI vs. AI security validation, where adversarial neural networks continuously probe defenses while defensive AI systems adapt in real-time. This requires creating “digital twins” of identity ecosystems that run parallel to production environments, executing AI-generated attack simulations alongside machine learning models that analyze results to predict where real attacks are most likely to succeed.

According to research from EY, AI has become part of 59 percent of all cyber patents, making it the primary technology explored in cyber-centric research since 2017. That’s an encouraging statistic, but keeping threat actors at bay will take more than researching AI-enabled tools and defenses. The war is ongoing, and companies that haven’t already outfitted themselves with these defenses must make it their top priority.

3) Architect Zero-Knowledge Identity Verification with Homomorphic Authentication

The traditional model of centralized identity stores often creates points of failure that become increasingly vulnerable as AI-powered attacks grow more sophisticated. Thankfully, that traditional model is no longer the only option available. AI-ready identity security programs represent a significant paradigm shift from password-based or even biometric-based authentication to proof-based authentication, which requires users to demonstrate knowledge or possession of specific cryptographic secrets that change with each interaction, all without exposing underlying identity data to any single system or actor.

Implementing homomorphic encryption schemes allows AI systems to perform authentication and authorization operations on encrypted identity data without decrypting it. More than ever, corporations must embrace this shift, deploy verifiable credential systems based on zero-knowledge proofs, and empower their AI systems to make access decisions based on cryptographically verified claims without accessing raw identity information. That last bit is crucial, as it reinforces the company’s data security efforts and reassures its human employees that their information remains secure from threat actors.

4) Establish Autonomous Identity Governance with Self-Healing Access Controls

AI readiness is no longer a “nice-to-have” feature for modern companies; it’s an essential pillar for success. Unfortunately, as you can probably expect, current identity governance toolsets are struggling to keep up, inadvertently providing AI-powered attackers with a vulnerability they can exploit. To combat this, organizations can implement autonomous governance systems that optimize access controls without human intervention, treating access control as a continuous optimization problem rather than a periodic administrative task.

The autonomy imperative demands deploying reinforcement learning systems that automatically adjust permissions based on real-time risk assessments, business context, and behavioral patterns while maintaining least-privilege principles. This requires implementing multi-agent AI systems where different agents specialize in various aspects of identity governance. With a team of these AI agents, companies can rest easier knowing they’re maintaining an optimal security posture while also developing self-healing capabilities that automatically respond to identity-based attacks without disrupting legitimate business operations.

5) Create Adaptive Context-Aware Authentication with Ambient Intelligence

Static authentication requirements cannot address the dynamic risk profiles of modern work environments, especially with threat levels that fluctuate based on countless contextual variables that human analysts cannot process at scale. AI-ready identity security demands adaptive authentication systems capable of continuously adjusting security requirements based on contextual intelligence gathered from the entire digital and physical environment.

To stay relevant in this “context revolution,” teams should deploy ambient intelligence networks that gather contextual signals from IoT devices, network sensors, application logs, and environmental data, creating comprehensive risk profiles that inform real-time authentication decisions. For example, advanced sensor fusion allows AI systems to correlate seemingly unrelated environmental factors to detect sophisticated attacks: unusual building access patterns, network anomalies, or user behavior changes that can indicate coordinated insider threats.

The Strategic Imperative: Act Now or Fall Behind Permanently

The window for implementing AI-ready identity security is rapidly closing. Organizations that wait for “mature” solutions will likely find themselves at a significant disadvantage against competitors who have already embraced the current generation of AI-powered identity technologies. The most successful organizations will be those recognizing that AI-ready identity security isn’t about upgrading existing systems—it’s about fundamentally reimagining how identity, authentication, and access control operate in an AI-dominated world.

That transformation isn’t easy, but it is essential for survival. Companies should have the courage to abandon legacy approaches that feel comfortable but are increasingly ineffective against modern threats, and employees need to get a head start by investing in their own upskilling efforts. Success demands a collective and individual commitment, and the businesses that realize and embody that will create competitive advantages that compound over time as their AI systems become more sophisticated and their identity ecosystems become more resilient. The future belongs to those who act decisively today, while those who hesitate will find themselves defending against tomorrow’s threats with yesterday’s tools.



The post 5 Strategies for Improving AI Readiness in Identity Security appeared first on Best Identity Access Management (IAM) Software, Tools, Vendors, Solutions, & Services.

Beyond Downtime: A Six-Step Plan to Achieving Identity Continuity https://solutionsreview.com/identity-management/beyond-downtime-a-six-step-plan-to-achieving-identity-continuity/ Tue, 24 Jun 2025 14:33:58 +0000 https://solutionsreview.com/identity-management/?p=7454 Eric Olden, CEO of Strata Identity, provides a six-step plan companies can use to achieve identity continuity throughout their enterprise. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI. Downtime is more than just an inconvenience—look no further than last year’s CrowdStrike outage for a reminder of how disruptive […]

The post Beyond Downtime: A Six-Step Plan to Achieving Identity Continuity appeared first on Best Identity Access Management (IAM) Software, Tools, Vendors, Solutions, & Services.

A Six-Step Plan to Achieving Identity Continuity

Eric Olden, CEO of Strata Identity, provides a six-step plan companies can use to achieve identity continuity throughout their enterprise. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.

Downtime is more than just an inconvenience—look no further than last year’s CrowdStrike outage for a reminder of how disruptive it can be to businesses of every size and sector. From stalled sales transactions to inaccessible internal systems, the consequences can ripple far beyond IT. Yet, many organizations continue to underestimate the severity of identity infrastructure failures. Identity systems don’t merely perform authentication; they’re foundational to ensuring continuous access to critical applications, services, and operations.

When identity fails, the cascading effects can be crippling. Healthcare providers can lose access to electronic health records and other patient-care applications. Retailers may be unable to process transactions during peak shopping periods. Manufacturers can be forced to pause production because they can’t access industrial control systems. These disruptions extend beyond technical risks—they directly impact revenue, customer satisfaction, regulatory compliance, and even public safety.

Understanding the True Cost of Identity Downtime

Quantifying the business impact of identity outages is a vital first step toward achieving identity resilience. While revenue loss from unplanned downtime is a clear concern—especially in time-sensitive industries like e-commerce, financial services, and healthcare—these incidents often trigger a chain reaction of negative consequences. Lost productivity, missed service-level agreements (SLAs), customer attrition, and incident response costs can all add up quickly.

Moreover, downtime does more than just disrupt operations. It erodes customer trust, diminishes brand reputation, and opens the door to regulatory scrutiny. In some cases, compliance failures triggered by prolonged outages can result in substantial fines. Even brief disruptions of SaaS-based identity and access management (IAM) tools can cripple a business, highlighting just how fragile digital operations become when identity systems are not available.

Beyond financial and reputational harm, identity-related disruptions can inadvertently create windows of vulnerability. During a crisis, security teams may be spread thin, and routine monitoring could lag—conditions that attackers are quick to exploit. Malicious actors know that identity is often the gatekeeper to systems and data, making outages an opportune time to strike. That’s why identity continuity isn’t just a technical consideration—it’s a strategic imperative that supports operational resilience and business continuity.

Implementing Identity Continuity

Organizations that want to reduce risk and build long-term resilience need a robust strategy for maintaining identity continuity. This involves more than just traditional high-availability configurations. It requires a thoughtful, layered approach that spans risk analysis, technical architecture, and cross-functional collaboration. Here’s a practical six-step framework for developing an effective plan:

1) Identify Critical Identity Dependencies

Start with a comprehensive assessment of your identity infrastructure. Identify all components—cloud identity providers (IDPs), on-premises systems, user directories, and API integrations—that are essential to your authentication and authorization workflows. Pay particular attention to legacy systems that may lack modern failover capabilities but still support vital operations. Map out which identity services support mission-critical applications and understand the downstream systems they affect.

2) Quantify Business Impact

With dependencies mapped, partner with stakeholders across finance, operations, compliance, and customer support to quantify the business cost of identity outages. Go beyond technical metrics—evaluate the financial exposure, brand impact, and regulatory risks associated with losing access. This exercise enables leaders to prioritize identity investments based on risk, rather than guesswork.

3) Architect for Intelligent Failover

Redundancy alone isn’t enough. Identity continuity requires intelligent failover mechanisms that can detect disruptions and dynamically route traffic to alternative providers. Leverage identity orchestration to support failover across hybrid environments—bridging cloud and on-prem systems. This includes monitoring IDP health in real-time, synchronizing user data between environments, and ensuring users can continue to authenticate seamlessly even during transitions or disruptions.

4) Continuity-Focused Identity Testing

Testing is critical, yet often overlooked. Run simulation exercises that mimic identity system failures under realistic conditions. Test not just the failover process, but the full recovery workflow—from detection to failback. Include edge cases, such as geographic outages or third-party provider failures. These exercises should mirror the rigor of disaster recovery drills and inform iterative improvements to your continuity plan.

5) Policy-Driven Access Management

During outages, access controls must adapt. Implement dynamic identity policies that automatically adjust based on the severity and scope of the incident. For example, grant emergency access to IT recovery teams while restricting non-essential user access. Integrate these policies into your orchestration layer to ensure they can be enforced automatically in real-time, avoiding manual bottlenecks that delay recovery.

6) Continuous Improvement and Compliance Alignment

An identity continuity plan is not a one-and-done document. As your business evolves and threats change, your plan should too. Regularly revisit your assumptions, test your response processes, and refine your tooling. Align your strategy with regulatory standards such as NIST CSF, DORA, ISO 27001, and industry-specific mandates. This ensures compliance and assures auditors, partners, and customers that your organization is prepared to withstand disruptions.
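As an added example in Python (not the article’s or Strata Identity’s code), the sketch below combines steps 3 and 5 of the plan: health-probed failover across a primary and a secondary IdP, with hysteresis so failback only happens after sustained good probes, plus an outage policy that keeps emergency access for a recovery group while suspending non-essential users. Provider names, probe scripts, thresholds and group names are constructed assumptions.

```python
"""Identity failover orchestrator with an outage-mode access policy.

Added illustration, not code from the article or from Strata Identity. Provider
names, probe results, thresholds and group names are constructed for the demo.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Sequence, Set, Tuple

Probe = Callable[[], Tuple[bool, float]]  # returns (reachable, latency_ms)


class Health(Enum):
    HEALTHY = "healthy"
    DEGRADED = "degraded"  # recent failures, not yet declared down
    DOWN = "down"


@dataclass
class IdP:
    name: str
    probe: Probe
    status: Health = Health.HEALTHY
    failures: int = 0   # consecutive failed probes
    successes: int = 0  # consecutive good probes, used for failback hysteresis


@dataclass
class Orchestrator:
    providers: List[IdP]             # priority order; index 0 is the primary
    fail_threshold: int = 3          # consecutive failures before DOWN
    recover_threshold: int = 3       # consecutive successes before a DOWN IdP is trusted again
    latency_limit_ms: float = 800.0  # slow answers count as failures
    essential_groups: Set[str] = field(default_factory=lambda: {"it-recovery"})

    def check_health(self) -> None:
        """One monitoring tick: probe every provider and update its status."""
        for idp in self.providers:
            reachable, latency = idp.probe()
            if reachable and latency <= self.latency_limit_ms:
                idp.failures, idp.successes = 0, idp.successes + 1
                if idp.status != Health.HEALTHY and idp.successes >= self.recover_threshold:
                    idp.status = Health.HEALTHY  # failback only after sustained good probes
            else:
                idp.successes, idp.failures = 0, idp.failures + 1
                idp.status = Health.DOWN if idp.failures >= self.fail_threshold else Health.DEGRADED

    def active_provider(self) -> Optional[IdP]:
        """Highest-priority healthy IdP, else a degraded one; None means a full outage."""
        for wanted in (Health.HEALTHY, Health.DEGRADED):
            for idp in self.providers:
                if idp.status == wanted:
                    return idp
        return None

    def mode(self) -> str:
        idp = self.active_provider()
        if idp is None:
            return "outage"
        return "normal" if idp is self.providers[0] and idp.status == Health.HEALTHY else "failover"

    def authorize(self, user: str, groups: Set[str]) -> Dict[str, object]:
        """Policy-driven decision: in a full outage only recovery teams get emergency access."""
        mode, idp = self.mode(), self.active_provider()
        if mode == "outage":
            allowed = bool(groups & self.essential_groups)
            reason = "emergency access for recovery team" if allowed else "non-essential access suspended"
        else:
            allowed, reason = True, f"authenticated via {idp.name}"
        return {"user": user, "mode": mode, "idp": idp.name if idp else None,
                "allowed": allowed, "reason": reason}


def scripted_probe(responses: Sequence[Tuple[bool, float]]) -> Probe:
    """Constructed probe replaying a fixed result sequence (the last result repeats)."""
    calls = [0]

    def probe() -> Tuple[bool, float]:
        result = responses[min(calls[0], len(responses) - 1)]
        calls[0] += 1
        return result
    return probe


def simulate() -> Dict[str, object]:
    """Eight monitoring ticks: primary fails, traffic moves, both fail, primary comes back."""
    ok, bad = (True, 50.0), (False, 0.0)
    primary = IdP("cloud-idp-primary", scripted_probe([ok, bad, bad, bad, bad, ok, ok, ok]))
    secondary = IdP("onprem-idp-secondary", scripted_probe([ok, ok, ok, ok, bad, bad, bad, bad]))
    orch = Orchestrator([primary, secondary])
    timeline, outage_decisions = [], {}
    for tick in range(1, 9):
        orch.check_health()
        idp = orch.active_provider()
        timeline.append((tick, orch.mode(), idp.name if idp else None))
        if orch.mode() == "outage":  # emergency policy kicks in automatically
            outage_decisions["recovery"] = orch.authorize("alice", {"it-recovery"})["allowed"]
            outage_decisions["regular"] = orch.authorize("bob", {"sales"})["allowed"]
    return {"timeline": timeline, "outage_decisions": outage_decisions}
```

Running `simulate()` shows the route moving to the secondary on the first failed probe, the full-outage policy at tick 7, and failback to the primary only once it has answered three probes in a row.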

While identity continuity planning is essential for minimizing operational risk, its true value lies in enabling long-term IAM resilience. By ensuring uninterrupted access to critical systems, it safeguards customer trust, protects competitive advantage, and positions the business for sustained success that can withstand unexpected and inevitable system failures.

The End User License Agreement Is Why You Got Hacked https://solutionsreview.com/identity-management/the-end-user-license-agreement-is-why-you-got-hacked/ Fri, 20 Jun 2025 16:20:13 +0000 https://solutionsreview.com/identity-management/?p=7458 Phil Brass, Senior Evangelist and Technical Advisement professional at DirectDefense, explains why the end user license agreement might be the reason your company got hacked. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI. Most products sold in the United States come with an implicit warranty, whether one […]

The post The End User License Agreement Is Why You Got Hacked appeared first on Best Identity Access Management (IAM) Software, Tools, Vendors, Solutions, & Services.


The End User License Agreement Is Why You Got Hacked

Phil Brass, Senior Evangelist and Technical Advisement professional at DirectDefense, explains why the end user license agreement might be the reason your company got hacked. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.

Most products sold in the United States come with an implicit warranty, whether one is written or not. This includes a “warranty of merchantability,” which means that the product is fit for ordinary use and meets the standards expected for that type of product. It also includes a “warranty of fitness for a particular purpose”: for example, if you let the seller guide you in choosing the product to buy for your purpose, then by default there is a warranty that the product you purchased should actually be fit for that purpose. You could argue that these warranties are part of what makes American manufacturing so great.

You can only get out of these warranties if you sell the product “as-is,” explicitly denying warranty and stating that the product is not suitable for any particular use, or, better yet, if you don’t sell the product at all but instead sell a license to use the product (which is still unsuitable for any particular use and comes as-is with all faults and no warranties). Oh, and also, you can’t test the product in any way or tell anyone else the results if you do test it. Every piece of software you buy has an End User License Agreement that contains all kinds of disclaimers like this. The software is not fit for any particular purpose. There is no warranty. The manufacturer will not be liable for any damages caused by this software.

Before he passed away in 2024, Ross Anderson wrote three editions of an amazing book called Security Engineering, which I absolutely love. You can download all the chapters for free and watch some lecture videos here. My favorite chapter is always the chapter on Economics. Ross explains that there is a fundamental problem in buying systems with some security built in by the manufacturer. If the manufacturer has to foot the bill for building security, but the consumer is the one who gets hosed if the security fails, what exactly is the manufacturer’s incentive to spend a bunch of money making the product secure? Governments have long recognized this problem, and the answer to the “what is the manufacturer’s incentive to make things secure” question is “warranties and liability.”

What we see in industries where warranties and liability are enforced, automobiles for example, is a constant research effort across the manufacturing spectrum: from materials science, which has us producing better rubber for tires, safety glass for windows, and stronger, lighter metals and composites for frames; to specific safety devices like radar, lane-departure warnings, blind-spot sensors, seat belts and air bags; to social artifacts like speed limits, stop signs, crash tests and safety ratings.

Making companies and industries pay for their mistakes drives research that makes mistakes less likely. As we get better at making tires, all consumers get access to this technology. We all benefit from research into metallurgy, composites, rubber, and glass. Improved technology becomes expected, and eventually even mandatory, and society as a whole benefits.

When we allow construction and growth of an industry, such as software, around the persistent avoidance of accountability, liability, and responsibility via End User License Agreements, we reduce the time and money spent on this type of broad-spectrum research. Nobody needs to figure out the technologies and techniques required to make actually secure software, because there’s no penalty or accountability if you don’t. And eventually, everybody gets used to the idea that all software is vulnerable and just kind of… accepts it.

In the software world, the materials software is made of are operating systems, software development kits, programming languages, application programming interfaces, frameworks, and application code. In the sixty years since IBM sold its first mainframe, we have seen very little effort by software manufacturers towards the kind of materials science research that would make it easier to build secure applications from these materials. Academia does a lot of research in this area, but the software industry is reluctant to take that research and apply it due to the cost.

There are a lot of costs involved in developing and using better materials to make software, and because they have no liability if they don’t do these things, there is no incentive to make these improvements. Major software components like browsers and operating systems continue to be manufactured from materials like the C programming language, a language that makes it notoriously easy to create vulnerable programs.

Why is Windows still a bunch of C and C++ code? Because there has been no liability incentive strong enough to make Microsoft rewrite it. There are no giant research programs focused on making consumer software more secure. It is in the manufacturers’ best interest to come up with low-cost, low-effectiveness “software security” methodologies and lifecycles that create the appearance of providing secure software, and to declare that we are not to worry: the manufacturers, with no liability or accountability, will absolutely solve the insecure software problem, and they are the only people who can do it. But Microsoft still patches 100+ vulnerabilities every month.

At some point, the software industry needs to grow up. It needs to be accountable and held liable for its failures. When this happens, we will finally see the drastic improvements in the materials software is made of, in how applications are developed, and in all the improvements we need, as an industry, to start producing software that isn’t constantly vulnerable.

There are positive signs on the horizon. The European Union’s Product Liability Directive (PLD) has been updated to explicitly include software. If software causes harm, its manufacturers can be held liable. This includes security vulnerabilities, so it is conceivable that if a vulnerable SSL VPN, for example, allows an attacker to gain access to a company’s network and encrypt all their data, the SSL VPN manufacturer could be held liable for some of the damages.

Time will tell how robust enforcement of the PLD against software manufacturers will be in the EU, and more importantly for this author, whether any hint of accountability will ever be applied to software firms here in America. But one thing is certain. The software exploitability crisis will never get better until stronger warranties and liabilities are enforced on software manufacturers, and we as an industry do the basic “materials science” type research and development on the technological basis of software.

Empathetic AI is the Key to a Successful AI Risk Management Framework https://solutionsreview.com/identity-management/empathetic-ai-is-the-key-to-a-successful-ai-risk-management-framework/ Fri, 13 Jun 2025 14:32:36 +0000 https://solutionsreview.com/identity-management/?p=7435 To help companies remain competitive amidst changing markets, the Solutions Review editors are exploring how an empathy-first approach to AI risk management can transform a company’s ability to adopt and utilize AI technology successfully. Implementing artificial intelligence (AI) into your company is as much about integrating the technology itself as managing the potential ripple effects […]

The post Empathetic AI is the Key to a Successful AI Risk Management Framework appeared first on Best Identity Access Management (IAM) Software, Tools, Vendors, Solutions, & Services.

Empathetic AI is the Key to a Successful AI Risk Management Framework

To help companies remain competitive amidst changing markets, the Solutions Review editors are exploring how an empathy-first approach to AI risk management can transform a company’s ability to adopt and utilize AI technology successfully.

Implementing artificial intelligence (AI) into your company is as much about integrating the technology itself as managing the potential ripple effects it could have on the business. As the National Institute of Standards and Technology (NIST) explains, as many benefits as AI can provide—economic growth, improved productivity, boosted agility, etc.—it can also “pose risks that can negatively impact individuals, groups, organizations, communities, society, the environment, and the planet.” That’s where the value of an AI Risk Management Framework comes into play.

If these frameworks aim “to improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems,” as the NIST says, empathy must be an essential part of any risk management strategy. With that in mind, this article will examine the crucial role AI risk management plays in today’s evolving world, specifically focusing on how valuable an empathetic AI (EAI) policy is to an AI risk management framework.

Addressing the Empathy Gap in Current AI Risk Frameworks

If you didn’t already know, the most widely adopted and recognized AI risk framework is the NIST AI Risk Management Framework (AI RMF), released in January 2023. However, much has changed in the years since, as few as they are. According to a report McKinsey & Company released in 2025, “78 percent of respondents say their organizations use AI in at least one business function, up from 72 percent in early 2024 and 55 percent a year earlier.” That’s a significant increase since the NIST released their AI RMF, and the landscape has changed.

While the NIST’s AI RMF remains the standard, and rightfully so, public perception of what it means to have a risk management strategy for AI adoption seems to lack the proper focus on empathy. Most AI risk management frameworks being deployed treat risks as quantifiable variables that can be addressed through technical controls and governance processes. That approach makes sense, since companies require a methodology that can be replicated and deployed as easily as possible. However, it can also create what you might call an “empathy gap,” resulting in AI systems failing to account for the emotional, contextual, and relational dimensions of human decision-making.

Consider the case of AI-powered customer service systems that function correctly but cause brand damage by failing to deliver the correct tone during customer interactions. While these systems could technically pass a traditional risk assessment, they fail in practice, harming consumers, users, and the company. There have been studies done on AI’s ability (or lack thereof) to utilize empathy in various settings, including medical care, for example, and most of the findings demonstrate that, despite AI’s growing capabilities, it cannot replicate the experienced empathy humans use on a daily basis.

Consequently, empathy must be a top priority in developing or deploying an AI risk management framework. With an EAI mindset, we believe companies can transform how they create and use AI technologies to maximize business potential and support their human workers. It’s like the NIST’s framework says: “AI risks–and benefits–can emerge from the interplay of technical aspects combined with societal factors related to how a system is used, its interactions with other AI systems, who operates it, and the social context in which it is deployed.”

The Business Case for Empathetic AI Risk Management

Unlike traditional AI metrics that focus on speed or accuracy, empathetic AI focuses on sticky, differentiated value propositions that are inherently difficult for competitors to replicate because they require deep integration of emotional intelligence, cultural sensitivity, and contextual awareness across entire product ecosystems. To get specific, the business case for empathetic AI in risk management rests on the premise that traditional risk frameworks catastrophically underestimate human-centric failure modes by treating users as rational actors rather than complex emotional beings.

An EAI-centric risk management strategy recognizes that the most disruptive AI failures often emerge not from technical malfunctions but from misaligned human-AI interactions where systems fail to understand user emotional states, cultural contexts, or unstated needs. By shifting to an empathy-first approach, companies can move their risk assessment from purely probabilistic models toward dynamic, relationship-aware frameworks that can predict and even prevent the social and reputational damages that emerge when AI systems inadvertently cross a line.

A study from 2021 explains, “AI lacks a helping intention towards another person as the basis of its attentional selection, because it does not have the appropriate motivational and inferential structure.” That lack does not mean AI is incapable of being helpful or acting empathetically. However, it does necessitate that humans adopt an empathy-first mindset when designing AI or giving it directions. Failing to do so can result in empathy failures that generate negative publicity that affects market capitalization, far exceeding the technical infrastructure investments.

EAI risk management can help your brand avoid that negativity by providing early-warning systems, surfaced to both the technology and its users, that continuously monitor emotional sentiment, cultural alignment, and relationship-quality metrics that traditional risk systems ignore entirely.

These AI risk management frameworks take time and investment, requiring companies to collect extensive training data about human emotional states, cultural norms, and psychological vulnerabilities—information that presents massive privacy and security risks. Yet, even with the complexity, an EAI risk management strategy is still worth exploring, especially since it means getting in “on the ground floor” for an emerging methodology already sending ripples throughout the enterprise technology marketplace.

The Competitive Advantage of Empathetic Risk Management

Organizations that successfully integrate empathetic AI into their risk management frameworks are developing sustainable competitive advantages that extend beyond traditional operational metrics. The ability to understand and respond to human emotional contexts creates differentiation opportunities in customer experience, employee engagement, and stakeholder relations that are difficult for competitors to replicate. It will also show employees that company decision-makers are taking AI seriously and not viewing it as a quick fix, which can improve employee trust. And the more trust employees have in the business, the easier it will be for them to adapt to the changes AI will inevitably introduce.

More strategically, empathetic AI capabilities position organizations to better navigate the increasing regulatory focus on human-centric AI governance, which is already a crucial part of AI risk management strategies. As regulations evolve to require more consideration of human factors in AI systems, organizations with mature empathetic AI frameworks will face lower compliance costs and faster regulatory approval processes. Organizations that recognize this and invest accordingly will position themselves as leaders in the next generation of AI-powered enterprises.

The question for enterprise leaders isn’t whether to integrate empathetic AI into risk management frameworks, but how quickly they can develop the capabilities necessary to do so effectively while avoiding the significant pitfalls that await unprepared implementations.



What Will the AI Impact on Cybersecurity Jobs Look Like in 2025? https://solutionsreview.com/endpoint-security/what-will-the-ai-impact-on-cybersecurity-jobs-look-like-in-2025/ Tue, 20 May 2025 15:03:00 +0000 https://solutionsreview.com/identity-management/what-will-the-ai-impact-on-cybersecurity-jobs-look-like-in-2025/ The editors at Solutions Review summarize some of the most significant ways AI has impacted cybersecurity jobs, hiring, skillsets, and more. Regardless of your job title or industry, artificial intelligence (AI) has likely impacted your company’s internal and external processes. This can be especially true for cybersecurity professionals, as AI has changed how threat actors […]

The post What Will the AI Impact on Cybersecurity Jobs Look Like in 2025? appeared first on Best Identity Access Management (IAM) Software, Tools, Vendors, Solutions, & Services.

What Will the AI Impact on Cybersecurity Jobs Look Like in 2025?

The editors at Solutions Review summarize some of the most significant ways AI has impacted cybersecurity jobs, hiring, skillsets, and more.

Regardless of your job title or industry, artificial intelligence (AI) has likely impacted your company’s internal and external processes. This can be especially true for cybersecurity professionals, as AI has changed how threat actors plan and execute attacks and introduced new ways to combat potential and active threats. What is less clear is the specific impact AI has had on cybersecurity and whether these professionals have cause for concern.

As AI is integrated into cybersecurity operations at unprecedented levels, the form and function of a company’s cyber team will continue to undergo rapid changes. To keep track of those changes, the Solutions Review editors have outlined some of the primary ways AI has changed cybersecurity, what professionals can do to remain agile during those evolutions, and what the future may hold for them and the technologies they use.

Note: These insights were informed through web research using advanced scraping techniques and generative AI tools. Solutions Review editors use a unique multi-prompt approach to extract targeted knowledge and optimize content for relevance and utility.

How Has AI Changed the Cybersecurity Workforce?

In just a few years, the impact of AI on cybersecurity has dramatically restructured the industry’s roles, responsibilities, and required skill sets. This transformation has been freeing for many, as AI technologies have streamlined user workloads and empowered teams to focus on more specialized, high-value tasks and projects. For a sense of scale, the global market for AI in cybersecurity is estimated to reach USD 133.8 billion by 2030, up from a reported USD 14.9 billion in 2021. These technologies are exploding, and they’re not going anywhere.

However, it’s not uncommon for cybersecurity professionals to feel uneasy about the rapid adoption of these technologies, as they have already proven capable of rendering some tasks and roles nearly obsolete. Here are some of the job roles and processes that have been impacted the most by AI:

AI-Powered Automation and Analysis

AI is reshaping how cybersecurity analysis happens by expanding its scope and compressing its cognitive overhead. Traditionally, analysis involved hours of log inspection, correlation of alerts, and cross-referencing of threat intel feeds. With AI tooling, especially tools built on machine learning (ML) and natural language processing (NLP), companies can automate those time-consuming processes, reduce alert fatigue, and let analysts focus on the highest-risk threats.

For example, leading cybersecurity platforms like Microsoft Defender XDR or IBM QRadar use ML models to correlate log entries and contextualize hundreds of alerts into real-time attack narratives. Collapsing alert noise this way cuts workload: probable causes surface faster, findings can be shared across teams, and the resulting context feeds back into defenses against future threats.

AI might be changing what “analysis” looks like in cybersecurity, but it is not ready to replace human judgment. With AI handling the work of detecting and aggregating information, human analysts will commit their time and expertise to interpretation, intent modeling, and escalation decision-making.
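As an added example of the correlation step described above (not code from the article, Microsoft Defender XDR or IBM QRadar), the following Python collapses a constructed list of raw alerts into per-host narratives: alerts on one host are grouped, split at long gaps of silence, deduplicated, and ordered by kill-chain stage. The alert names, the stage mapping and the 30-minute session gap are assumptions chosen for the demo.

```python
"""Collapse raw alerts into per-host attack narratives.

Added example; not code from Solutions Review, Microsoft Defender XDR or
IBM QRadar. The alert lines and the detection-to-stage mapping are
constructed assumptions for the demo, not real product output.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: (timestamp, host, user, detection name).
SAMPLE_ALERTS = [
    ("2025-05-01T09:00:05", "ws-17", "alice", "phishing_attachment"),
    ("2025-05-01T09:00:41", "ws-17", "alice", "office_spawns_powershell"),
    ("2025-05-01T09:01:10", "ws-17", "alice", "encoded_powershell"),
    ("2025-05-01T09:01:12", "ws-17", "alice", "encoded_powershell"),
    ("2025-05-01T09:03:30", "ws-17", "alice", "lsass_access"),
    ("2025-05-01T09:05:02", "ws-17", "alice", "smb_admin_share_logon"),
    ("2025-05-01T14:20:00", "ws-17", "alice", "encoded_powershell"),
    ("2025-05-01T09:02:00", "srv-db1", "svc_backup", "failed_logon"),
    ("2025-05-01T09:02:01", "srv-db1", "svc_backup", "failed_logon"),
]

# Assumed kill-chain ordering and detection-to-stage mapping (constructed).
STAGES = ["initial_access", "execution", "defense_evasion",
          "credential_access", "lateral_movement"]
STAGE_OF = {
    "phishing_attachment": "initial_access",
    "office_spawns_powershell": "execution",
    "encoded_powershell": "defense_evasion",
    "lsass_access": "credential_access",
    "failed_logon": "credential_access",
    "smb_admin_share_logon": "lateral_movement",
}
SESSION_GAP = timedelta(minutes=30)  # silence longer than this starts a new narrative


def summarize(host, session):
    """Turn one chronological run of alerts on a host into a narrative record."""
    counts = Counter(tech for _, _, tech in session)  # insertion order = first seen
    stages = sorted({STAGE_OF[t] for t in counts}, key=STAGES.index)
    return {
        "host": host,
        "start": session[0][0].isoformat(),
        "end": session[-1][0].isoformat(),
        "users": sorted({u for _, u, _ in session}),
        "raw_alerts": len(session),
        "stages": stages,
        "story": " -> ".join(f"{t} x{n}" for t, n in counts.items()),
    }


def correlate(alerts, gap=SESSION_GAP):
    """Group alerts by host, split each host's timeline at gaps longer than `gap`,
    and return narratives with the deepest kill-chain coverage first."""
    by_host = defaultdict(list)
    for ts, host, user, tech in sorted(alerts, key=lambda a: a[0]):
        by_host[host].append((datetime.fromisoformat(ts), user, tech))

    narratives = []
    for host, events in by_host.items():
        session = [events[0]]
        for ev in events[1:]:
            if ev[0] - session[-1][0] > gap:
                narratives.append(summarize(host, session))
                session = []
            session.append(ev)
        narratives.append(summarize(host, session))
    # Distinct stages covered is a crude but useful priority: a chain that spans
    # initial access through lateral movement outranks repeated noise.
    return sorted(narratives, key=lambda n: len(n["stages"]), reverse=True)


if __name__ == "__main__":
    for n in correlate(SAMPLE_ALERTS):
        print(f"{n['host']}: {n['raw_alerts']} alerts, stages={n['stages']}\n  {n['story']}")
```

Nine raw alerts become three narratives, and the one that spans initial access through lateral movement sorts first; that ranking, rather than the raw alert count, is what an analyst wants on top of the queue. In a real deployment the stage mapping would come from the detection rules' own tactic tags and the session gap would be tuned per environment.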

Threat Hunting and Adversarial Behavior Modeling

For years, traditional threat hunting has been hypothesis-driven: an analyst suspects that a particular tactic, e.g., credential stuffing or lateral movement, is occurring and searches logs or telemetry for artifacts that confirm or debunk that suspicion. The process is only as broad as the analyst’s hypotheses, which is where AI can help: unsupervised learning and clustering can surface patterns nobody thought to look for.

AI has essentially made “continuous hunting” possible. Some of the leading cybersecurity tools already use AI and behavioral models to proactively surface deviations, such as a host beaconing to a newly seen domain or unusual SMB shares being accessed at odd hours. Since a model can run 24/7, threat hunts no longer have to be ad hoc. It also adds a data engineering dimension to threat hunting: cybersecurity professionals are now encouraged (if not outright expected) to have AI-specific skills around curating telemetry, labeling behavior, and tuning features.
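The two deviations named above, periodic beaconing to an unfamiliar domain and share access at odd hours, as an added hunting example in Python (not code from the article or any vendor tool it names). The proxy and SMB audit lines, the baseline of known domains, the 07:00 to 19:00 business window, the svc_ naming convention for service accounts and the thresholds are all constructed assumptions.

```python
"""Two continuous-hunting checks over constructed telemetry.

Added example; not code from the article or any product it names. The log
lines, the known-domain baseline, business hours and thresholds are all
constructed assumptions for the demo.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, time

# Constructed baseline of domains this fleet has contacted before (assumption).
KNOWN_DOMAINS = {"update.microsoft.com", "login.microsoftonline.com"}

# Constructed proxy log: "<iso-ts> <src-host> CONNECT <domain>"
PROXY_LOG = """\
2025-05-01T08:00:00 ws-17 CONNECT update.microsoft.com
2025-05-01T08:00:10 ws-17 CONNECT cdn-metrics.example.net
2025-05-01T08:01:10 ws-17 CONNECT cdn-metrics.example.net
2025-05-01T08:02:11 ws-17 CONNECT cdn-metrics.example.net
2025-05-01T08:03:10 ws-17 CONNECT cdn-metrics.example.net
2025-05-01T08:04:09 ws-17 CONNECT cdn-metrics.example.net
2025-05-01T08:05:11 ws-17 CONNECT cdn-metrics.example.net
2025-05-01T08:00:33 ws-22 CONNECT news.example.org
2025-05-01T08:17:02 ws-22 CONNECT news.example.org
2025-05-01T09:41:50 ws-22 CONNECT news.example.org
2025-05-01T11:03:15 ws-22 CONNECT news.example.org
2025-05-01T13:30:00 ws-22 CONNECT news.example.org
2025-05-01T16:02:44 ws-22 CONNECT news.example.org
"""

# Constructed SMB audit log: "<iso-ts> <user> <src-host> SHARE <unc-path>"
SMB_LOG = r"""
2025-05-01T10:15:00 alice ws-17 SHARE \\fs01\finance
2025-05-01T02:13:07 alice ws-17 SHARE \\fs01\hr-archive
2025-05-01T02:14:30 alice ws-17 SHARE \\fs02\backups
2025-05-01T02:20:00 svc_backup srv-bk1 SHARE \\fs02\backups
"""

PROXY_RE = re.compile(r"^(\S+) (\S+) CONNECT (\S+)$")
SMB_RE = re.compile(r"^(\S+) (\S+) (\S+) SHARE (\S+)$")

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumption
MIN_HITS = 5             # connections needed before judging periodicity
MAX_JITTER_RATIO = 0.10  # stdev/mean of gaps below this looks machine-driven


def parse_lines(text, regex):
    """Yield the capture groups of every line that matches `regex`; skip the rest."""
    for line in text.strip().splitlines():
        m = regex.match(line.strip())
        if m:
            yield m.groups()


def find_beacons(proxy_text, known=KNOWN_DOMAINS, min_hits=MIN_HITS,
                 max_jitter=MAX_JITTER_RATIO):
    """Flag (host, domain) pairs that contact an unfamiliar domain on a near-fixed period."""
    seen = defaultdict(list)
    for ts, host, domain in parse_lines(proxy_text, PROXY_RE):
        seen[(host, domain)].append(datetime.fromisoformat(ts))
    findings = []
    for (host, domain), stamps in seen.items():
        if domain in known or len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            findings.append({"host": host, "domain": domain, "hits": len(stamps),
                             "period_s": round(mean), "jitter": round(jitter, 3)})
    return findings


def find_offhours_shares(smb_text, hours=BUSINESS_HOURS):
    """Flag interactive users touching shares outside business hours.
    Service accounts (svc_* prefix, an assumption) run scheduled jobs at night and are exempt."""
    start, end = hours
    findings = []
    for ts, user, host, share in parse_lines(smb_text, SMB_RE):
        if user.startswith("svc_"):
            continue
        when = datetime.fromisoformat(ts).time()
        if not (start <= when < end):
            findings.append({"user": user, "host": host, "share": share, "at": ts})
    return findings


if __name__ == "__main__":
    for f in find_beacons(PROXY_LOG) + find_offhours_shares(SMB_LOG):
        print(f)
```

The beacon check scores the regularity of the gaps between connections (population standard deviation over mean) rather than the raw count, which is what separates a 60-second implant check-in from a user refreshing a news site at irregular intervals. Real implants add jitter on purpose, so the ratio threshold and the minimum hit count are the knobs an analyst tunes, which is precisely the telemetry-curation and feature-tuning work the paragraph describes.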

There’s no denying that AI is a double-edged sword for cybersecurity—cyber-criminals launched 36,000 malicious scans per second in 2024, according to Fortinet, and there’s been a 1,200 percent surge in phishing attacks since the rise of GenAI in late 2022. However, if companies want to keep up with the volume of attacks, they need the support that AI-boosted cybersecurity tools provide.

The Emergence of AI-Centric Cybersecurity Roles

The rise of AI in cybersecurity has not only affected existing workflows—it has spawned entirely new job categories, restructuring the profession around data-centric and model-centric competencies. These AI-centric cybersecurity roles represent a convergence of disciplines: traditional security, data science, ML operations (MLOps), and even behavioral psychology. Other roles like “blue team analysts” or “SOC engineers” are supplemented or outright replaced by titles like AI Threat Analyst, ML Security Engineer, and Adversarial ML Red Teamer.

It’s also possible that the future of cybersecurity jobs will start to resemble AI safety roles more than traditional InfoSec. This would involve an increased focus on validating agent boundaries, applying RLHF to constrain behavior, and building sandboxed testbeds for threat simulations. While there’s potential in that future, active and aspiring professionals should be wary, as that trend could result in a skills bar that leaves traditional network defenders behind unless they retrain aggressively.

The meta-trend here is becoming clear: cybersecurity is evolving into a data science problem, and the workforce is shifting accordingly. The people who can reason statistically, build or probe AI systems, and think adversarially will define the next generation of cybersecurity leadership. Conventional roles will likely persist but may increasingly resemble operational support for AI-first tooling. Regardless, as LinkedIn’s Skills on the Rise report puts it, AI literacy will continue to be the skill that “professionals are prioritizing and companies are increasingly hiring for.”

Upskilling for the Future

AI isn’t a new technology, but it’s hitting the cybersecurity job market fast and hard. According to Cybersecurity Ventures, there will be 3.5 million unfilled jobs in the cybersecurity industry through 2025, three and a half times the one million open positions reported in 2013. If professionals want to keep their jobs, or future-proof themselves from potential displacement, they must equip themselves with AI-centric skills as soon as possible.

To reinforce that urgency, look at IBM’s Cost of a Data Breach Report, which shows that half of the organizations encountering security breaches also face high security staffing shortages. Even with 1 in 5 organizations using some form of generative AI, that skills gap remains a real challenge. Companies across industries need professionals fluent in adversarial and algorithmic logic, as that expertise will keep them relevant however the field evolves. Mike Arrowsmith, the Chief Trust Officer at NinjaOne, puts it like this: “The best way to rein in AI risks is with more employee training. People have to know what to look out for, especially as AI technology evolves.”

One area professionals can focus on is soft skills. A recent study by Skiilify found that 94 percent of tech leaders believe soft skills, like curiosity, resilience, tolerance of ambiguity, perspective-taking, relationship-building, and humility, are more critical than ever. Those same traits are what it takes to learn how models can fail, how attackers exploit statistical assumptions, and how to wrap AI systems in resilient human oversight.

With Gartner predicting that, by 2028, “the adoption of GenAI will collapse the skills gap, removing the need for specialized education from 50 percent of entry-level cybersecurity positions,” it’s more crucial than ever for cybersecurity professionals to find and refine the skills that make them unique.

Will AI Replace Cybersecurity Professionals?

“AI won’t replace cybersecurity professionals, but it will transform the profession,” says Chris Dimitriadis, the Chief Global Strategy Officer at ISACA. The cybersecurity marketplace is already changing in response to AI tools and threats, but the transformation is far from finished. Even if the profession itself doesn’t go away, there’s a chance that current cybersecurity practitioners will be left behind as their job evolves into something they’re no longer equipped for.

In the longer term, AI will likely reshape cybersecurity professionals into decision supervisors. Their responsibilities will be less about making each decision and more about overseeing, calibrating, and intervening in AI-driven decision-making as necessary. It’s a subtler shift, but if the current workforce doesn’t upskill in preparation, they may find that their expertise isn’t as valuable as it used to be.

According to Sam Hector, Senior Strategy Leader at IBM Security, AI will “fundamentally shift the skills we require. Humans will focus more on strategy, analytics, and program improvements. This will necessitate continuous skills development of existing staff to pivot their roles around the evolving capabilities of AI.” The future of cybersecurity will be charted by practitioners who expand their perspective, prioritize their professional growth, engage with their peers, and collectively learn how to improve their AI-centric skills and literacy.



World Password Day Quotes from Industry Experts in 2025 https://solutionsreview.com/identity-management/world-password-day-quotes-from-industry-experts-in-2025/ Thu, 01 May 2025 19:17:09 +0000


For World Password Day 2025, the editors at Solutions Review have compiled a list of comments from some of the leading industry experts.

As part of this year’s World Password Day, we called for the industry’s best and brightest in Identity and Access Management and the broader cybersecurity market to share best practices, predictions for the future of passwords, and personal anecdotes. The experts featured represent some of the top influencers, consultants, and solution providers with experience in these marketplaces, and each projection has been vetted for relevance and ability to add business value. The list is organized alphabetically by company name.

World Password Day Quotes from Industry Experts in 2025


Tim Eades, CEO and Co-Founder at Anetac

“As we recognize World Password Day, it’s time to acknowledge a fundamental matter in identity security. Credentials are the keys to the castle. Passwords alone cannot safeguard our digital identities in today’s complex, hybrid environments. Identity-based vulnerabilities have become the primary attack vector for modern breaches.

“Our research reveals alarming statistics across industries: passwords unchanged for 15+ years in financial institutions, 74 percent of healthcare credentials remain unchanged for over 90+ days, and widespread credential sharing in critical infrastructure. The basics are critical. Without proper cyber hygiene, enterprises across the globe will continue to be victims of bad actors.

“Weak or unchanged passwords across human and non-human identities create a dangerous, often overlooked security gap that can quickly go from a headache for security teams to a full-blown breach. A dormant service account or an orphaned human account with an old or weak password is a bad actor’s most exciting find. Utilizing complex passwords, refreshing them every 3 months, using multifactor authentication when available, and investing in modern identity security solutions are necessary to minimize the likelihood of a breach.

“That’s why password hygiene remains a cornerstone of effective identity security. The ability to detect and assess credential age, behavioral anomalies, and lifecycle blind spots across all identities is critical. Identity security isn’t just about who has access—it’s about how that access is managed, monitored, and secured over time. Not only this, you need the tools to actually know the identity behind the account and that they are who they say they are.

“Passwords aren’t disappearing, but their importance in our security strategies must be properly acknowledged within the broader identity ecosystem. It may be an aging technology, but they remain a top attack vector and we need to treat them, and the accounts they protect, with the same seriousness we give to any other security asset.”


Arun Shrestha, CEO and Co-Founder at BeyondID

“Passwords are old news, and World Password Day—once a reminder of cybersecurity best practices—now underscores the importance of phasing out the very authentication method it once championed. With stolen credentials topping the breach origin charts and phishing attacks up 4,151 percent since the launch of ChatGPT, it’s clear that traditional passwords are no longer sufficient. Modern threats call for passwordless authentication—not just for stronger security, but for a frictionless user experience. It’s time to answer the phone.”



Randolph Barr, CISO of Cequence

“World Password Day is a great time to remind people about the importance of maintaining good password practices. Passwords are the most important line of defense for organizational and personal information, which means they are also a top target for threat actors.

“The easiest way to keep attackers at bay is to make strong, unique passwords for each account. One of the most common attack tactics is a brute force attack, which is an authentication-related attack that takes advantage of people who use either generic or shared passwords. By exploiting this weakness, cyber-criminals can access an entire organization with one faulty password.

“Multi-factor authentication is an additional preventive measure that can help protect information; many banking and fintech enterprises make use of the safeguards it brings. Password managers are also helpful, as they store multiple passwords across separate accounts, all protected by one ultra-strong master password.

“While password hygiene and multi-factor authentication remain essential today, the cybersecurity community is clearly moving toward a passwordless future. Even the strongest passwords can be phished or exposed, which is why many Fortune 100 technology companies have transitioned large portions of their workforce to passwordless authentication using mobile authenticators, device-based login, and biometric verification. Additionally, global financial institutions are enabling passkey support and app-based logins, while Fortune 500 retail and consumer platforms are deploying passwordless login options to reduce fraud and improve user experience.

“To prepare for this future, organizations should begin testing passwordless flows within internal environments, choosing identity platforms that support passkeys and FIDO2 standards. On the individual level, users can explore these capabilities already available on major devices, such as Android, Google, iOS, and MacOS (to name a few).”


Art Gilliland, CEO at Delinea

“Passwords still are the gatekeepers of our digital identities, but relying on traditional passwords is simply not enough. Cyber-criminals are getting smarter when attacking passwords, especially those tied to privileged accounts, to breach networks and access sensitive data. With 80 percent of security breaches involving the misuse of privileged credentials, it’s clear that organizations must adopt a Privileged Access Management (PAM) approach, combined with Zero Trust principles for data protection.

“It’s essential to use World Password Day as a reminder that password security alone isn’t enough. We must never assume trust, especially privileged accounts, and always verify every access request. By taking control of who has access to what, when, and how, organizations can significantly reduce the risk of breaches. Smart identity security starts with Zero Trust and PAM, because data safety begins with stronger, verified access.”


Tony Ball, President of Payments and Identity at Entrust

“For decades, passwords have been the weak link in cybersecurity–outdated, overused, and increasingly ineffective. But now, organizations are making a clear shift. Multi-factor authentication and sign-in links have emerged as the primary methods for user authentication across the US, UK, and globally, overtaking passwords.

“This step change comes as over half of business and IT decision-makers report higher fraud attempts with username and password alone compared to other methods. We’re at a cybersecurity inflection point: passwords are no longer sufficient. Modern, layered authentication methods, such as facial biometrics, device recognition, or generated codes, are stepping in.

“Rather than forcing users to create longer, more complex passwords, it’s time for organizations to embrace a passwordless future where customers and employees can prove their identity conveniently and securely using their biometrics. This approach reduces risk, streamlines access, and meets the expectations of today’s digital-first users.”


Joel Burleson-Davis, Chief Technology Officer at Imprivata

“This World Password Day, it seems appropriate to shift the discussion from securing and managing passwords to the demise of the password. Passwords have served us well (sort of), and we’ve been long talking about ditching the traditional, complex password because of their burden and unintentional insecurity. However, with every second mattering in critical work, now more than ever, passwordless authentication has become business-critical.

“There are signs of good adoption of both passwordless strategies and shunning our old password-burdened ways in mobile devices, which are built with and extensively leverage facial recognition for security purposes, but some of our most critical technologies in our most critical sectors have been reluctant to implement similar solutions in their operations. As life- and mission-critical industries like healthcare and manufacturing cope with staffing challenges while being increasingly targeted, it’s time they reconsider access management and their relationship with the password paradigm.

“In healthcare, for example, and in particular in the delivery of care, a 17-character password is not practical for clinicians treating patients, who need rapid and frequent access to Electronic Health Records (EHRs) in all kinds of situations. Entering a complex password for these users only creates barriers that delay patient care, eat up clinician time, and exacerbate burnout.

“Passwordless solutions, particularly biometrics-based ones, offer a tailored and frictionless experience that enables everyone from healthcare providers to manufacturing operators to maintain the highest security standards while empowering them to deliver timely, critical work without unnecessary barriers. I look forward to a World Password Day in the future that is full of cheering and celebration because we’ve finally released ourselves from the burden of putting memorized, complex strings into a little prompt box for the sake of security.”


Erich Kron, Security Awareness Advocate at KnowBe4

“Reusing passwords across different websites and services can be a catastrophic mistake. If there is a data breach at a website and bad actors are able to steal the passwords, they use a technique called credential stuffing to try the usernames and passwords to access various popular websites such as credit card portals, retail websites, or banking accounts. This is how a password stolen from a hobby forum could lead to a bank account being compromised.

“Multifactor authentication, also known as MFA or two-step authentication, can significantly increase a login’s security. While not foolproof, it makes it much tougher for cybercriminals to log into an account even if they steal your credentials. These options are available on most shopping, credit card, and bank websites, as well as social media accounts.”
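The attack that Barr (brute force against shared or generic passwords) and Kron (credential stuffing) describe has a distinctive shape in an authentication log: one source address tries many different usernames in a short window, and most of the attempts fail. This is an added Python example, not code from Cequence or KnowBe4; the log lines, the ten-minute window and the thresholds are constructed assumptions.

```python
"""Spot credential stuffing in an authentication log.

Added example; not code from any of the quoted vendors. The log lines,
field layout, window and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log: "<iso-ts> <src-ip> <username> <RESULT>"
AUTH_LOG = """\
2025-05-01T03:00:01 203.0.113.9 jsmith FAIL
2025-05-01T03:00:02 203.0.113.9 mrodriguez FAIL
2025-05-01T03:00:02 203.0.113.9 akim FAIL
2025-05-01T03:00:03 203.0.113.9 bchen FAIL
2025-05-01T03:00:04 203.0.113.9 pnovak OK
2025-05-01T03:00:05 203.0.113.9 dlee FAIL
2025-05-01T03:00:06 203.0.113.9 rpatel FAIL
2025-05-01T03:00:07 203.0.113.9 tnguyen FAIL
2025-05-01T09:12:00 198.51.100.4 jsmith FAIL
2025-05-01T09:12:20 198.51.100.4 jsmith FAIL
2025-05-01T09:12:45 198.51.100.4 jsmith OK
2025-05-01T09:30:00 192.0.2.77 akim OK
"""

WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 5  # one source trying many accounts is the stuffing signature
MIN_FAIL_RATIO = 0.7    # stuffed credentials mostly do not work here


def parse(text):
    """Yield (timestamp, ip, user, result) for each constructed log line."""
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result


def detect_stuffing(text, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    min_fail_ratio=MIN_FAIL_RATIO):
    """Sliding window per source IP: flag bursts of many distinct usernames that
    are mostly failures, and list which accounts succeeded inside the burst."""
    by_ip = defaultdict(list)
    for ev in sorted(parse(text)):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            # advance the window start until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, _, u, _ in win}
            fails = sum(1 for *_, r in win if r == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                findings[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "fail_ratio": round(fails / len(win), 2),
                    # accounts that accepted a stuffed password: reset these first
                    "compromised": sorted({u for _, _, u, r in win if r == "OK"}),
                }
    return findings


if __name__ == "__main__":
    for ip, f in detect_stuffing(AUTH_LOG).items():
        print(ip, f)
```

The actionable output is the `compromised` list: an account that succeeded inside a stuffing burst was almost certainly opened with a password reused from another breach, and should be reset and have MFA enforced before anything else. A single account failing a few times from one address (the second source in the sample) is not stuffing and does not trip this rule; that pattern needs a separate per-account lockout threshold.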


Stephanie Schneider, Cyber Threat Intelligence Analyst at LastPass

“World Password Day is a great reminder for every organization that identity access management is the foundation of effective company security. Abusing legitimate credentials is one of the easiest and most common ways hackers gain unauthorized access to systems. Given the rise of infostealers over the last few years, which frequently target credentials and other sensitive data to resell on underground marketplaces, acquiring these is easier than ever. Credentials and session cookies stolen from employees’ personal devices can be used to breach corporate networks.

“A key aspect of stealers is their heavy reliance on the ‘spray-and-pray’ tactic: rather than directly targeting corporate networks, they’re counting on individuals having weaker security on their personal devices and using their work credentials on personal devices. The time from infection via stealer malware to the time that information is posted to the dark web can be speedy, especially with automation tools. Organizations must monitor for exposed credentials and change credentials as quickly as possible to disrupt breaches and attacks before they can occur. In a world where hybrid work has blurred the lines between personal and professional devices, businesses can’t afford to be casual about credential management.

“Using strong, unique passwords is just the tip of the iceberg when protecting your identity access. Reusing passwords across services is still one of the most common mistakes employees make—and one of the easiest ways for attackers to gain access. Requiring multi-factor authentication (MFA) should be standard for every business account, and it is a good idea for personal accounts, too.

“This World Password Day, take a look at your access policies. Are you protecting your company or making it easier for someone else to break in?”


“Leverage passkeys as the primary authentication method whenever possible. While passkeys are not immune to cyber-attacks, they are significantly more secure and phishing-resistant because they are linked to a device or leverage biometric authentication. Plus, they’re a whole lot easier to manage than constantly juggling new password combinations.”


Anthony Cusimano, Solutions Director at Object First

“I believe the death of the password is just around the corner. Passwords are no longer a secure method of authentication and should not be treated as secure. So, I’ll share the advice I have taken up in the last year: use a password manager, app-based or browser-based (either works!).

“Password managers securely store your passwords in a locked vault and come with convenient browser extensions that autofill logins. They can also generate unique, complex passwords for every account. Many of these tools allow you to customize password requirements according to your preferences, including specifying length and incorporating symbols, numbers, and mixed case. Additionally, password managers can alert you to duplicate or weak passwords and often suggest optimal times for changes.

“The password alone is NOT a secure authentication method; that’s why I have given up trying to maximize their security and left the brainwork to someone else. It’s 2025—let an app do the password legwork for you, and here’s to hoping that passwords become a thing of the past sooner rather than later.”


Nicolas Fort, Director of Product Management at One Identity

“Passwords have come a long way, from punch-tape reels in 1961 to the world of multi-factor authentication and fingerprint identification we inhabit today. The next leap is already happening—passkeys tied to devices, one-time AI-generated tokens, and even blockchain-backed session receipts. It’s no accident that password technology is constantly evolving.

“Cyber-attacks are more frequent, threat actors have more sophisticated tools at their disposal, and as businesses continue to store more and more sensitive data online, regulators are rightly demanding that they keep up. The EU’s NIS2, the UK’s Cyber Resilience Act, DORA, HIPAA, and countless other rules and regulations now demand rock-solid control over user accounts at every touchpoint. That means audited sessions, behavioral analytics, rotating passwords, and just-in-time credentials—so that no matter how hard attackers try, there’s simply nothing there to steal.”


“World Passkey Day is a reminder that the future of authentication is here—and it’s passwordless. Passwords have long been a point of vulnerability, often leading to breaches and user frustration. Passkeys represent a meaningful step toward improving both security and usability, moving us closer to a more resilient digital infrastructure. They’re especially valuable in securing high-risk interactions like financial transactions, where strong, phishing-resistant authentication is critical.

“FIDO passkeys take traditional authentication a step further by using cryptographic credentials stored on a user’s device, ensuring identity verification and security. This method strengthens authentication across desktops and mobile devices, creating a more secure digital environment. As the adoption of passkeys grows, I’m confident they will be key to transforming how we protect our most sensitive online interactions.”


Drew Perry, Chief Innovation Officer at Ontinue

“As positive a day as World Password Day is, I look forward to the day it no longer exists or is at least renamed! With the rise of passkey support across major platforms and devices, we’re finally seeing a shift towards more secure and user-friendly authentication. Passkeys are cryptographic credentials that eliminate the need for passwords entirely, offering phishing-resistant, biometric-based access. It’s time we moved beyond passwords, which are too often reused, weak, or compromised. Simpler identity protection is needed so we, as humans, don’t just pick a random string of characters that we will never remember!”

“We have come a long way. Password manager adoption is rising, multi-factor authentication is available for most critical online services, and people are reusing the same passwords less. But still, hackers are succeeding in their attacks. We have been saying since the early 2010s that ‘hackers don’t hack in, they log in,’ and as time goes on, it becomes even more true.

“Stolen credentials overtook email phishing as the second most frequently observed initial infection vector in 2024 during intrusions into businesses. At Ontinue, we have witnessed first-hand the rise of sophisticated infostealer malware, which captures passwords as they are entered by users during login. This enables attackers to simply log in if no other secondary authentication methods are enabled, which, sadly, is often the case.

“Awareness is key. Enable passkeys where possible. I suggest we lay the password to rest and embrace the passwordless future.”


“Passwords have long been a security crutch; in today’s digital landscape, they’re quickly becoming a liability. Users continue to rely on weak, repurposed credentials, making them easy targets for sophisticated cyber-attacks fueled by AI. Recent data shows that 87 percent of consumers are concerned about identity fraud, yet many still depend on outdated methods to secure their most sensitive data. Even worse, 48 percent of IT leaders admit they’re not confident their current defenses can withstand AI-driven attacks. That should be a wake-up call. With the rise in phishing, credential stuffing, and deepfake scams, it’s time for organizations to retire traditional passwords altogether.

“In the spirit of World Password Day, we must double down on access solutions that eliminate the guesswork and the risk. Passwordless authentication, like biometrically protected passkeys and secure device-based login, not only strengthens security but also improves the user experience. Organizations must embrace a future where identity is both frictionless and fundamentally more secure.”


Denny LeCompte, CEO of Portnox

“World Password Day serves as an annual reminder of a universal truth: passwords are a pain. Despite being a cornerstone of our digital lives, they consistently fall short. From the widespread practice of password reuse—a virtual invitation to cyber-criminals—to the ease with which they can be compromised through social engineering or simple guessing, the inherent weaknesses of password-based authentication are undeniable.

“While Multi-Factor Authentication (MFA) has been lauded as a critical security layer, our recent findings indicate a growing unease among security leaders. A staggering 99 percent of CISOs worry that MFA alone doesn’t adequately protect their organizations, with concerns amplified in younger companies. The consensus is clear: 100 percent believe MFA struggles to keep pace with the evolving threat landscape.

“This reality is driving interest in passwordless authentication methods. With compromised passwords implicated in a significant majority (81 percent) of breaches, the appeal of eliminating them entirely is obvious. While only a small fraction (7 percent) of organizations have fully embraced passwordless solutions, a substantial number (32 percent) have begun or completed implementation, and a further 63 percent are actively planning or open to adoption.

“The benefits are compelling: over half of CISOs anticipate stronger access control and an improved employee experience. However, challenges such as cost, complexity, and potential user resistance need to be addressed for widespread adoption.

“The journey towards a more secure, passwordless future requires a strategic approach. Organizations must prioritize robust identity verification processes, such as certificate-based authentication, and embrace a Zero Trust security model. Continuous risk assessment, employee education, and a strong security culture are also crucial components.

“While passwords may not disappear overnight, the momentum towards passwordless authentication is building. World Password Day is an opportune time to acknowledge the password headache and explore and embrace the promising alternatives that can truly enhance our digital security. The future of access is increasingly looking less like a complex string of characters and more like a seamless, secure experience.”


Melissa Bischoping, Head of Security Research at Tanium

“On this World Password Day, it’s worth reflecting on how far we’ve come, and how far we still need to go in securing our digital identities. The humble password has been a cornerstone of how we access data and technology since 1961, when MIT’s Compatible Time-Sharing System (CTSS) became the first system to leverage modern passwords for safeguarding access to private files. In the 64 years since, passwords have evolved in length, complexity, and character requirements, but despite these advancements, they’ve also introduced layers of complexity to the user experience, resulting in a more burdensome method of securing identity and file access.

“Today, the average user manages 80-100 passwords, more than most of us can possibly keep track of. As a result, we’ve entered the era of password managers, in other words, one ‘super password’ to secure all the others. On the surface, this is a major step forward in usability (and an essential method to encourage users to use complex, unique passwords for every account), but we’re still not getting it quite right when it comes to password security. Here are a few key tips to strengthen password security.

For software providers:

  • MFA should be mandatory and not locked behind a premium subscription tier.
  • All apps should enable single sign-on (SSO) by default for easier management of secure accounts.
  • Don’t make it unnecessarily difficult to update or change credentials; this will make the user more likely to stick to the outdated, weaker password.
  • Software providers should spend more time on meaningful user experience research and design for password management.

For technology users:

  • Secure your primary password with additional levels of protection like robust, phishing-resistant MFA.
  • Use at least one form of MFA; for most users, any MFA is better than none.
  • For better security, use passkeys or hardware tokens (like YubiKeys) over passwords paired with SMS-based MFA.
  • Take advantage of password manager features like password audits, reuse detection, and breach alerts.
  • Review your cell phone provider’s offerings for additional layers of security to prevent a SIM-swapping attack.
  • Review your email provider’s additional security features that can be enabled; this is especially important since email accounts are often used as a password recovery option for OTHER accounts.
  • Using more secure alternatives, like passkeys, in modern operating systems and apps can help less-technical family and friends adopt stronger data protections.
  • Regularly check the security of SSO accounts used for logging into platforms like Google, Facebook, and Apple ID. An attacker can use these individual accounts as the ‘keys to the kingdom,’ so they warrant additional protections.”

Carla Roncato, VP of Identity at WatchGuard

“Today, it’s not just careless password reuse or weak combinations that pose a threat—it’s the industrial-scale theft and sale of login data. Credentials are harvested through phishing, malware, and breaches, then packaged, sold, and exploited at astonishing speed. A single leaked password doesn’t just unlock one account; it can be a skeleton key to an entire digital identity.

“Dark web marketplaces function with the efficiency of e-commerce platforms, complete with customer service and user reviews. For as little as a few dollars, attackers can purchase verified credentials tied to financial services, corporate VPNs, or personal email accounts. Once inside, they move laterally, escalate privileges, and often remain undetected for weeks or months.

“On this World Password Day, the question is no longer ‘Are your passwords strong enough?’ but ‘Do you know if your credentials are already out there?’

“Organizations must treat credential exposure as a threat to be hunted and mitigated, not just a hygiene issue. That means proactive monitoring of the dark web, real-time alerting on compromised credentials, and an incident response plan that assumes breach, not just tries to prevent it. Cyber-criminals have evolved. It’s time our mindset around password security evolves, too.”


Munu Gandhi, President of IT Solutions at Xerox

“On World Password Day, I encourage every organization to prioritize strong password protocols as a critical part of cybersecurity. At Xerox, we’re committed to Zero Trust principles—using multi-factor authentication, regular updates, and user education to protect data wherever it’s accessed. Strong passwords aren’t just good practice, they’re essential to keeping your business secure.”


Kern Smith, VP of Global Solutions at Zimperium

“World Password Day is a timely reminder: passwords are only as strong as the device they’re stored on. As cyber-criminals adopt a mobile-first attack strategy, mobile devices have become the front door to corporate access—and a primary target. Through mishing (mobile-targeted phishing), malware, and other tactics, attackers steal credentials by compromising the mobile endpoint. Strong passwords matter, but without securing the device, they’re not enough. Organizations need mobile-specific protection to detect and stop threats before credentials and critical data are exposed.”


The post World Password Day Quotes from Industry Experts in 2025 appeared first on Best Identity Access Management (IAM) Software, Tools, Vendors, Solutions, & Services.

Why It’s Time to Ditch World Password Day
https://solutionsreview.com/identity-management/why-its-time-to-ditch-world-password-day/ (Wed, 30 Apr 2025)

Arun Shrestha, the CEO and Co-Founder of BeyondID, shares his thoughts on why it might be time to replace World Password Day. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.

Passwords are old news, and World Password Day—once a reminder of cybersecurity best practices—now underscores the importance of phasing out the very authentication method it once championed. With stolen credentials topping the breach origin charts and phishing attacks up 4,151 percent since the launch of ChatGPT, it’s clear that traditional passwords are no longer sufficient. Modern threats call for passwordless authentication—not just for stronger security, but for a frictionless user experience. It’s time to answer the phone. “Everyone, everywhere will be hacked at some point…identity security isn’t just about stopping bad actors—it’s about making sure you’re not making their job easier.”

The Problem with Passwords

Back in 2013, World Password Day was a pretty good idea. Changing your password every 90 days was a solid security strategy, after all. But 12 years later, World Password Day is a relic of a bygone era…and passwords aren’t the answer anymore—they’re the problem.

Relying on passwords in 2025 is like locking your front door and leaving the key under the mat. According to Verizon’s Data Breach Investigations Report, 77 percent of basic web application attacks involve stolen credentials. Even more alarming, fewer than half of organizations have adopted multi-factor authentication (MFA), leaving accounts vulnerable to credential stuffing and brute-force attacks.

Real-World Risks of Password Reliance

Passwords don’t just fail in theory—they fail in the real world. Reused logins, weak policies, and predictable patterns give attackers easy access to sensitive data. Social engineering and phishing have evolved, too, boosted by AI-generated deepfakes that mimic voices, craft convincing emails, and outsmart human judgment.

A Harvard Kennedy School and Avant Research Group study found that AI-generated phishing emails had a 54 percent click-through rate in 2024, making them as effective as, if not more effective than, those crafted by humans.

MFA Isn’t Always Enough

Despite widespread support—and even mandates from agencies like the Cybersecurity and Infrastructure Security Agency (CISA)—MFA adoption remains inconsistent at best. But even when implemented, it’s not a silver bullet. Common methods like SMS codes and push notifications are still vulnerable to push fatigue and attacks like SIM swapping.

In early 2024, Cisco Duo’s AI and Security Research team reported that nearly half of security incidents involved MFA bypass attempts. Around the same time, Microsoft’s MFA was found vulnerable to a flaw dubbed AuthQuake, which allowed attackers to bypass MFA protections in minutes through token manipulation, highlighting how quickly poorly configured systems can be exploited.

To stay ahead, organizations need something stronger: phishing-resistant authentication. Think passkeys, FIDO2, and device-bound biometrics. These methods eliminate the weakest link: the user-generated password.

The Case for Going Passwordless

Passwordless authentication isn’t just better than its predecessors—it’s simpler. Users log in with a fingerprint, face scan, or one-time passcode. There are no passwords to remember or credentials to steal—just a seamless, secure experience—and the benefits are measurable.

Gartner estimates that 20-50 percent of IT help desk calls are password resets. That’s a lot of wasted time and money. Passwordless reduces that burden, and with built-in risk detection like device fingerprinting and behavioral biometrics, it also bolsters fraud prevention. Better UX, stronger security, and more resilient systems—this is what passwordless has to offer.

A Better Way to Celebrate Security

Let’s face it: it’s time to retire World Password Day.

Passwords no longer represent best practices, and modern threats demand more than reminders to “update your login.” It’s time to shift focus to strategies that actually work, like phishing-resistant authentication and secure-by-design identity frameworks.

We’ve seen firsthand how this shift occurs in complex, high-risk environments like healthcare. One regional provider recently replaced manual access management with an automated identity integration between their EHR and workforce directory. The result? Stronger compliance, fewer access gaps, and a major boost in operational efficiency. That’s the real-world impact of leaving outdated authentication behind.

Maybe it’s time for Identity-First Access Day. Or Phishing-Resistant Authentication Week. Whatever we call it, the message should be clear: it’s time to celebrate the future of cybersecurity.


The post Why It’s Time to Ditch World Password Day appeared first on Best Identity Access Management (IAM) Software, Tools, Vendors, Solutions, & Services.
