Identity, the new strategic pillar of cybersecurity
Identity and Access Management (Identity and Access Management, or IAM) is undergoing profound change. What was yesterday purely a technical concern has become today a matter of corporate governance, regulatory compliance, and organizational competitiveness.
The predictions of Sunnykumar Kamani, Lead IAM Engineer specializing in IAM, PAM, and Zero Trust, outline a 2027 horizon radically different from the current state of the art. These seven structural predictions deserve in-depth analysis for any IT professional engaged in identity security.
Analysis Context
These predictions are part of a broader dynamic: according to the Verizon Data Breach Investigations Report 2024, more than 68% of data breaches involve a human factor or identity compromise. IAM is no longer optional.
Prediction 1 — The end of static RBAC: toward attribute-driven and policy-driven access
The Role-Based Access Control (RBAC) model has been the backbone of enterprise authorization systems for two decades. Its principle—granting access rights according to a predefined role—however presents a structural limitation: role proliferation.
This uncontrolled accumulation of redundant or overpowered roles constitutes a true IAM technical debt, exposing organizations to enlarged attack surfaces and regulatory non-compliance.
By 2027, the reference model will combine:
- ABAC (Attribute-Based Access Control): access decisions are based on contextual attributes (location, device, time, data sensitivity)
- Policy engines: dynamic rules evaluated in real-time, independent of fixed roles
- Risk scoring: each access request is weighted by a score calculated from the user's behavioral profile
Practical Recommendation
To anticipate this transition, audit your RBAC roles now with tools like Microsoft Entra ID Governance and identify candidates for ABAC redesign. Start with access to critical resources.
Prediction 2 — 100 non-human identities per 1 human identity
The rise of AI agents, microservices, CI/CD pipelines, and cloud workloads is driving an explosion of non-human identities (Non-Human Identities, NHI): service accounts, API tokens, certificates, managed identities, and application secrets.
The anticipated ratio—100 NHI for each human identity—illustrates the magnitude of the challenge. These entities are often created quickly, rarely revoked, and weakly supervised, making them preferred attack vectors.
NHI governance involves:
- Comprehensive and continuous inventory of machine identities
- Automated secret rotation (example: Azure Key Vault with automatic rotation)
- Least privilege policies applied to workloads
- Behavioral anomaly detection specific to non-human accounts
1# Example: list active Service Principals in Microsoft Entra ID2Connect-MgGraph -Scopes "Application.Read.All"3Get-MgServicePrincipal -All | Select-Object DisplayName, AppId, CreatedDateTime | Sort-Object CreatedDateTime -DescendingCaution
Ungoverned non-human identities are one of the most exploited blind spots by attackers. A compromise of an application secret can provide persistent lateral access undetectable for months.
Prediction 3 — The planned disappearance of passwords
Password authentication is condemned in the long term. Passkeys, based on the FIDO2/WebAuthn standard, are progressively becoming the default authentication mechanism, first for the general public (Apple, Google, Microsoft), then for enterprise IAM.
The FIDO2 standard eliminates traditional attack vectors:
- Credential phishing
- Credential stuffing
- Brute force attacks
- Network interception
| Method | Phishing Resistance | User Experience | Legacy Compatibility |
|---|---|---|---|
| Password | ❌ Weak | ⚠️ Average | ✅ Total |
| MFA (OTP/SMS) | ⚠️ Partial | ⚠️ Average | ✅ Broad |
| Passkey (FIDO2) | ✅ Total | ✅ Excellent | ⚠️ In Progress |
By 2027, password managers will reposition primarily around application secrets management and legacy environments, while FIDO2 will become the standard for interactive authentications.
Prediction 4 — The convergence of IGA, CIEM, and PAM toward unified platforms
Organizations have long operated with a heterogeneous stack of specialized solutions:
- IGA (Identity Governance and Administration): identity lifecycle, access certifications, provisioning
- CIEM (Cloud Infrastructure Entitlement Management): rights governance in multi-cloud environments
- PAM (Privileged Access Management): privileged account control, session recording
The strong trend is toward consolidating these disciplines within unified identity security platforms. This convergence responds to economic logic (reduced licensing and integration costs) and operational logic (correlating identity data across domains).
Market Reference
Gartner positions this convergence in its Magic Quadrant for Identity Governance and Administration. Publishers like SailPoint, CyberArk, or Microsoft Entra are progressively integrating these three dimensions.
Prediction 5 — Continuous Access Evaluation (CAE) as the new standard
Authentication tokens with long lifespans (8+ hours) have been an accepted risk for years. Continuous Access Evaluation (CAE) challenges this paradigm by introducing near real-time reassessment of access conditions.
Concretely, CAE enables immediate access revocation when:
- A user is disabled in the directory
- A session is deemed anomalous by risk policies
- Network location changes suspiciously
- A security event is detected (e.g., compromised password)
Microsoft Entra ID natively supports CAE for compatible applications. Configuration can be verified via Microsoft Graph:
1# Verify CAE configuration on a conditional access policy2Connect-MgGraph -Scopes "Policy.Read.All"3$policies = Get-MgIdentityConditionalAccessPolicy4$policies | Where-Object { $_.SessionControls -ne $null } | Select-Object DisplayName, SessionControlsTip
To enable CAE in Microsoft Entra ID, consult the official Microsoft documentation. Ensure your key applications support the CAE protocol before deployment.
Prediction 6 — Decision-making AI at the core of access authorizations
The integration of machine learning into IAM decision engines represents a major qualitative leap. Rather than applying static rules, AI-driven authorization systems continuously analyze:
- Behavioral patterns of each identity
- Access context (device, network, time, geolocation)
- Anomalies relative to habitual behaviors
- Aggregated risk scoring
This evolution implies a transformation of skills: today's policy engineers must master data analysis tools to exploit identity signals.
1# Simplified example: calculating an access risk score with pandas2import pandas as pd3 4# Load access logs5logs = pd.read_csv('access_logs.csv')6 7# Calculate risk score based on behavioral features8logs['risk_score'] = (9 (logs['hour'].apply(lambda h: 1 if h < 7 or h > 20 else 0)) * 30 +10 (logs['is_new_device'].astype(int)) * 40 +11 (logs['failed_attempts'] > 3).astype(int) * 3012)13 14# Identify high-risk accesses15high_risk = logs[logs['risk_score'] >= 70]16print(f"High-risk accesses detected: {len(high_risk)}")Prediction 7 — Identity as a board-level governance subject
The seventh prediction marks a symbolic milestone: identity security is no longer confined to IT teams. Regulators are progressively pushing IAM governance metrics into disclosure obligations (ESG reporting, NIS2, DORA, SEC Cybersecurity Rules).
This evolution translates concretely into:
- Identity KPIs reported to executive management (orphan account rate, MFA coverage, average revocation time)
- A functional realignment of IAM leaders toward the CISO reporting line
- Increased accountability of board members for identity-related incidents
Impact on IAM careers: what these predictions imply
These developments are reshaping the skills market in identity cybersecurity:
- Most sought role: Non-Human Identity Security Engineer — NHI governance, secrets management, AI workload security
- Best-paid specialty: combination of IAM + PAM + AI-driven access
- Valued certifications: cloud-focused (Azure, AWS) and AI security, at the expense of legacy certifications
- Growing consulting: organizations consolidating more than six IAM tools heavily employ external experts
- Salary progression: senior individual contributor IAM roles reach compensation levels comparable to $300,000 annually on the U.S. market
Summary: Anticipate IAM 2027 developments now
These seven predictions converge toward a structural transformation of the IAM discipline: more dynamic, more automated, more strategic, and more visible at the executive level. Organizations that anticipate these mutations—by adopting ABAC, CAE, FIDO2/passkeys, by structuring non-human identity governance, and by consolidating their platforms—will have a decisive competitive and security advantage.
To deepen these topics in the Microsoft 365 ecosystem, also consult our articles on Microsoft Entra ID Governance, workload identity management, and Zero Trust with Microsoft Security.



