Identity And Access Management

We Asked 7 Identity & Access Management Experts What Security Leaders Should Prioritize In 2025

How should you prioritise IAM planning in 2025?

Identity & Access Management Advice For 2025

Having the right Identity and Access Management (IAM) strategy is integral for safeguarding sensitive assets against unauthorized access.

In 2025, how can CISOs streamline IAM processes, enhance user authentication, and mitigate risks associated with identity theft and data breaches?  

We asked seven Identity and Access Management experts for their advice: 

Alex Simons, Corporate Vice President, Identity & Network Access Program Management at Microsoft: It’s time to urgently test and deploy unphishable authentication methods at scale as they are the only way to protect your organization from increasingly indistinguishable AI-based phishing attacks. Continue to follow a Zero Trust architectural model, including developing plans to create and automatically govern a “least privileges” approach to access. Begin experimenting with the use of next GenAI-based automation and analysis to enable your security and identity professionals to scale in the world of increasing attack volumes. Read the full Q&A 


Arnab Bose, Chief Product Officer at Okta: We’re seeing a rise of AI agents that are currently making their way into the enterprise, but questions remain about how organizations plan to secure these agents. How can they ensure the correct – and least privileged – access to sensitive customer information? How do they build and implement human-in-the-loop processes for a trustworthy foundation? How do they implement security controls for Service Accounts and non-human identities? Security leaders need to start thinking about how to protect customer interactions with generative AI agents and how development teams can safely build AI agents into their apps. Read the full Q&A 


Wes Gyure, Executive Director of Security Product Management at IBM: Organizations’ top priority should be taming the chaos and mitigating the associated risk caused by a proliferation of multi-cloud environments and scattered identity solutions. Also, organizations should ensure their IAM security fundamentals don’t atrophy. Organizations should be vigilant about implementing “least-privilege” principals and multifactor authentication mandates. Read the full Q&A 


François Amigorena, Founder and CEO of IS Decisions: A top priority is implementing solutions that support a zero-trust approach to minimize the risk of unauthorized access. Organizations should also prioritize strengthening MFA deployment, regular audits and compliance checks, and user education and awareness. Read the full Q&A 


Jay Reddy, Senior Technology Evangelist at ManageEngine: Planning for 2025 requires organizations to reimagine identity security. IAM hygiene is evolving into identity ecosystem health, moving beyond account management to self-healing environments that detect decay, predict vulnerabilities, and initiate remediation proactively… Organizations should aim for autonomous identity operations—self-evolving ecosystems that adapt to emerging attack patterns and maintain optimal security posture autonomously, balancing efficiency with human oversight. Read the full Q&A 


Duncan Godfrey, Chief Information Security Officer, Rippling: IAM priorities depend on where you are in your maturity model. Planning for contingencies, for example ransomware attacks, impersonation, or other crises, involves creating IAM protocols that ensure operational continuity even under degraded conditions…Moving away from a “one size fits all” approach to security, organizations should tailor access rules, conditional access policies, SSO, and MFA based on user attributes like role and department. Read the full Q&A 


Brook Lovatt, Chief Product Officer, SecureAuth: Make sure that you’re set up to quickly and easily adopt new MFA technologies as they arise. The choices will become more vast and more powerful. It’s critical to have a flexible access management system in place that knows when and why to invoke these methods. This setup shouldn’t cost a lot of time and money to modify with each MFA change. Maintaining this flexibility will be essential to keep your business safe and competitive. Read the full Q&A


Further reading: