Identities and IAM Trends: Q&A With a Saviynt Identity Expert

Author: Ehud Amiri, SVP Product Management, Savyint

How will the threat to identities change over the coming year?

AI will be the most disruptive force, driving changes in both threats and opportunities. It’s already AI vs. AI, and this dynamic will only grow stronger.

Attackers are already using AI in a big way to automate and scale their attacks. In a recent report, 87% of security professionals say they have faced an AI-driven cyber-attack in the last year. Generative AI is making phishing more convincing, deepfakes more realistic, and account & credentials takeover more efficient. Additionally, machine identities, including AI agents, are creating a vast new attack surface. They now outnumber human identities 45 to 1 by some estimates. The AI landscape is evolving at an unprecedented pace, with agentic agents becoming increasingly common, interconnected, and autonomous. As this shift accelerates, we’re also seeing the emergence of new standards and frameworks, like the Model Context Protocol (MCP), which was a hot topic this past March. With that momentum, it’s easy to see that AI agents themselves are quickly becoming a primary target for attacks as well.

The biggest challenge with these changes is that traditional security models were built for humans, relying on controls like multi-factor authentication and user behavior monitoring, approaches that weren’t designed with autonomous AI-powered systems in mind. To stay ahead of emerging risks, organizations need to shift toward AI-powered cybersecurity solutions that were designed specifically to protect humans, machines, and AI across all facets of cybersecurity, including the emerging AI-powered identity governance, which continuously monitors and adjusts access based on evolving risk factors. The security industry is undergoing a massive transformation with AI, working in tandem with humans, becoming the new standard for any modern security tool.

Identity saw a large push for MFA (multifactor authentication) in 2024, but now that bad actors are stealing credentials, what’s next?

MFA is a prime example of how AI will enhance security. AI-driven MFA and session protection can detect deepfakes (already in use) and monitor user activities throughout authentication and authorization, triggering re-authentication when needed.

MFA has been an essential step in strengthening identity security, but attackers are getting more sophisticated. We’re seeing a rise in MFA fatigue attacks, session hijacking, and AI-assisted phishing that can bypass traditional authentication methods. What’s next is a move toward continuous, risk-based authentication that leverages AI to analyze behavioral patterns, device trust, and contextual risk signals in real time. Organizations need passwordless / secretless authentication, adaptive access controls, and AI-driven anomaly detection to stay ahead of these threats. Identity security can’t just be about a one-time check at login—it must be an ongoing, intelligent process that detects and mitigates risk dynamically.

Will the implementation of zero trust for identity change?

Yes. Zero trust for identity is evolving beyond static policies to AI-driven, adaptive security. Instead of relying on manual approvals and rigid access roles & rules, organizations are changing to smart, risk-based identity governance that continuously analyzes behavior and context.

Modern solutions provide AI-powered recommendations to make access requests and certifications smarter, automatically flagging high-risk entitlements while streamlining approvals for low-risk access. Identity Security Posture Management (ISPM) will help organizations stay ahead of threats by detecting misconfigurations and enforcing least-privilege access in near real time.

Zero trust isn’t just about verifying identity at login anymore—it’s about continuous, intelligent access decisions that make security stronger while reducing complexity. Companies that embrace this AI-driven approach will stay ahead in an era where identities are the new security perimeter.

How should companies be thinking about AI-powered identity security to stay ahead of attackers?

AI enables more sophisticated attacks, but it also provides the best defense when leveraged effectively. To stay ahead, organizations need to go on the offensive with AI-driven identity security. This means using AI to detect anomalies and identity-based threats before they escalate. Traditional legacy security tools are too slow and reactive to catch subtle behavioral deviations that signal an attack.

Automating identity governance and access controls is also critical, reducing human error and eliminating unnecessary access in real time. As attackers increasingly target machine identities and AI agents, securing these non-human entities is just as important as protecting human users. At the same time, AI models themselves must be governed with transparency—any system making access decisions needs to be explainable, ethical, and compliant. Companies that fail to adopt AI-powered identity security will inevitably fall behind, as AI-driven threats continue to evolve at a rapid pace.

What should enterprises be thinking about specifically related to NHI security?

We’ve already highlighted how machine identities now vastly outnumber human identities, a trend that will only accelerate with the rise of AI agents and the ongoing shift toward cloud-native, interconnected systems.

In the race to innovate with the use of AI agents, organizations often prioritize speed to market, which can sometimes lead to identity exposures. Attackers are increasingly targeting this vulnerability, looking to exploit the growing attack surface.

The traditional approach to identity management relies on slow discovery processes and labor-intensive efforts to assess security risks and resolve identity and access issues. This model is inadequate to address the rapid rise of non-human identities (NHIs), which are inherently more dynamic, decentralized, and scalable. As machines are constantly created and decommissioned, and developers generate identities directly in code, the need for organizations to adapt their identity management practices becomes even more critical. The ratio of machines to humans is only growing.

Moreover, while machines are increasingly pervasive, they are still tied to the people who own and govern their operations. The current generation of identity management tools wasn’t designed to handle this complexity, with some point solutions viewing NHIs in isolation from their human counterparts. This highlights the need for a new paradigm—one that connects people and machines seamlessly, powered by AI. By automating what can be automated and involving humans when necessary, this new approach can address the evolving identity landscape, ensuring both people and machines are protected in an increasingly connected world.

What are some of the first steps for organizations ready to modernize their identity security?

The first step is to assess the gaps in your current identity security strategy. Many companies are still relying on legacy, on-prem IAM systems that weren’t built for today’s cloud-based, AI-driven world. Organizations should focus on:

1. Transitioning to a cloud-based, AI-centric identity security platform that provides visibility, automation, and adaptive risk management.
2. Eliminating excessive and outdated access privileges through identity lifecycle automation and risk-based access controls.
3. Enhancing authentication beyond just MFA, incorporating behavioral analytics and continuous risk assessment.
4. Securing non-human identities, including AI agents, service accounts, and machine identities.
5. Implementing AI-powered identity governance that automates compliance, threat detection, and risk remediation.

Organizations need a single solution that reduces the noise, where AI automates most tasks, provides recommendations, and offers context for decisions that still require human input, enabling people to focus only on what truly matters.

Learn more about how Saviynt and GuidePoint can help you modernize your IAM strategy now–to reduce risk, improve efficiency, and build a more resilient security posture for the AI era.

Request a demo for Saviynt Identity Cloud