Identity security is poised to be the cornerstone of cybersecurity in 2025, as artificial intelligence (AI) and machine identities dramatically reshape the threat landscape, say experts.
With non-human identities outnumbering human ones, attackers are increasingly targeting identity-based vulnerabilities to breach systems, access sensitive data, and move laterally across networks.
To combat these escalating threats, experts emphasize the adoption of passwordless solutions, multi-factor verification, and machine identity security programs. These proactive measures will define the next phase of digital defense and ensure organizations maintain trust in an era of evolving cyber risks.
SC Media heard from a groundswell of cybersecurity experts on the topic of identity security in 2025. What follows is a wide range of identity insights on the year ahead. SC Media's Paul Wagenseil also caught up with identity and access management company Okta, which shared its own security predictions for 2025.
[For more 2025 cybersecurity insights see: Cybersecurity regulations in 2025: Key insights from top industry experts and 2025 Forecast: AI to supercharge attacks, quantum threats grow, SaaS security woes]
Protecting identities in 2025
Passkeys will drive the future of data privacy, says Luke Gebb, EVP and head of American Express’ Digital Labs team:
The transition from traditional passwords to passkey technology will accelerate across industries, from telecom to fintech to major tech platforms. Passkey adoption will flourish as a secure solution for protecting sensitive data and combating the ongoing and increasing impact of security breaches throughout the financial industry and beyond. This passwordless future will elevate data privacy as a key priority for companies seeking to maintain customer trust while ensuring ethical data protection.
How enterprises think about identity will continue to transform in the wake of hybrid cloud and app modernization initiatives, says Wes Gyure, IBM security product management executive director:
Recognizing that identity has become the new security perimeter, enterprises will continue their shift to an Identity-First strategy, managing and securing access to applications and critical data including GenAI models. In 2025, a fundamental component for this strategy is to build an effective identity fabric, a product-agnostic integrated set of identity tools and services. When done right, this will be a welcome relief to security professionals, taming the chaos and risk caused by a proliferation of multi-cloud environments and scattered identity solutions.
Identities will increasingly come under attack, says Glenn Chisholm, Obsidian chief product officer:
Historically, attackers gained initial access to networks through the endpoint; the sheer amount and diversity of these devices made them a prime target. But, that’s not where the data is anymore. I expect identities to represent an increasingly frequent point of attack as these threat actors evolve their efforts and attention to where the biggest payout is: the data within cloud-based SaaS and PaaS applications.
There have been more SaaS breaches in the last six months than the prior two years combined, and these compromises are generally identity-based attacks. With single sign-on (SSO), once an identity is compromised, attackers can use that one credential and its privileges to move laterally and access additional data through connected services. That is a massive haul, making every identity an attacker can obtain that much more valuable.
The key takeaway is that the next wave of threats will be targeted at your SaaS identities, since they — combined with SSO — make lateral movement free.
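The SSO-driven lateral movement Chisholm describes, as an added example that is not part of the original article or of Obsidian's tooling: a small detector run over constructed SSO audit events. The event layout, the identities, the IP addresses and the thresholds are all assumptions made for this illustration. It flags an identity that signs in from a source IP it has never used and then, within a short window, fans out to several connected apps outside its historical footprint, which is what a stolen SSO credential looks like in the logs.

```python
"""Added example (not from the SC Media article or Obsidian): a toy detector for
the SSO-enabled lateral movement described above. Event layout, thresholds and
the sample identities are assumptions made for this illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SSO audit events (not real logs):
# (identity, timestamp, source IP, event type, app reached through SSO)
SAMPLE_EVENTS = [
    ("alice@example.com", "2025-01-14T09:00:00", "203.0.113.10", "login", "sso"),
    ("alice@example.com", "2025-01-14T09:05:00", "203.0.113.10", "app_access", "mail"),
    ("alice@example.com", "2025-01-14T10:30:00", "203.0.113.10", "app_access", "docs"),
    ("alice@example.com", "2025-01-14T13:00:00", "203.0.113.10", "app_access", "mail"),
    # Same identity, never-seen source IP, then rapid fan-out across connected apps.
    ("alice@example.com", "2025-01-14T22:10:00", "198.51.100.7", "login", "sso"),
    ("alice@example.com", "2025-01-14T22:11:00", "198.51.100.7", "app_access", "mail"),
    ("alice@example.com", "2025-01-14T22:12:00", "198.51.100.7", "app_access", "crm"),
    ("alice@example.com", "2025-01-14T22:13:00", "198.51.100.7", "app_access", "hr"),
    ("alice@example.com", "2025-01-14T22:14:00", "198.51.100.7", "app_access", "finance"),
    ("alice@example.com", "2025-01-14T22:15:00", "198.51.100.7", "app_access", "docs"),
    ("bob@example.com", "2025-01-14T09:00:00", "203.0.113.20", "login", "sso"),
    ("bob@example.com", "2025-01-14T09:10:00", "203.0.113.20", "app_access", "crm"),
    ("bob@example.com", "2025-01-14T11:40:00", "203.0.113.20", "app_access", "docs"),
]


def parse(events):
    """Turn raw tuples into (identity, datetime, ip, event, app)."""
    return [(i, datetime.fromisoformat(ts), ip, ev, app) for i, ts, ip, ev, app in events]


def baseline_apps(parsed, identity, before):
    """Apps the identity had already used before `before` (its historical footprint)."""
    return {app for i, t, _ip, ev, app in parsed
            if i == identity and ev == "app_access" and t < before}


def detect_fanout(events, window=timedelta(minutes=10), min_new_apps=3):
    """Alert when a login from a source IP the identity never used before is
    followed within `window` by access, from that same IP, to at least
    `min_new_apps` connected apps outside the identity's baseline."""
    parsed = sorted(parse(events), key=lambda e: e[1])
    seen_ips = defaultdict(set)  # identity -> source IPs seen at login so far
    alerts = []
    for ident, t, ip, ev, _app in parsed:
        if ev != "login":
            continue
        prior = seen_ips[ident]
        new_ip = bool(prior) and ip not in prior  # no history yet -> cannot call it new
        prior.add(ip)
        if not new_ip:
            continue
        known = baseline_apps(parsed, ident, before=t)
        reached = {app for i2, t2, ip2, ev2, app in parsed
                   if i2 == ident and ev2 == "app_access" and ip2 == ip
                   and t < t2 <= t + window}
        new_apps = sorted(reached - known)
        if len(new_apps) >= min_new_apps:
            alerts.append({"identity": ident, "login_time": t.isoformat(),
                           "source_ip": ip, "new_apps": new_apps})
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(SAMPLE_EVENTS):
        print(f"ALERT {a['identity']} from {a['source_ip']} at {a['login_time']}: "
              f"new apps {', '.join(a['new_apps'])}")
```

The first login of any identity never alerts, because there is no IP history to compare against; in production that baseline would come from weeks of prior events rather than the same batch, and the IP check would normally be widened to ASN or geolocation so that a mobile user on a new address does not trip it.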
Agencies will acknowledge their data identity crisis, says Jim Coyle, Lookout U.S. public sector CTO:
The government is currently facing an identity crisis. Agencies are struggling with understanding what sensitive data they have, where it resides, who has access to it and what security controls are protecting it. 2025 will see guidance released from defense and federal CIOs directing agencies on best practices based on the new information and security controls they have.
Continued education about the security risks associated with mobile identity will also lead to a more comprehensive understanding within government overall. Unfortunately, there are still pockets in government that believe if mobile workloads are sandboxed, nothing will be affected if breached. In reality, traditional commercial surveillance won't stop things such as screenshots, data exfiltration or an employee's mobile device from being compromised.
Companies will pressure more vendors to adopt passwordless authentication, says Richard Marcus, AuditBoard CISO:
In light of recent software supply chain breaches, security leaders will begin moving third-party vendors to passwordless authentication in an effort to reduce risk during 2025. We’re already seeing passwordless authentication adoption grow in consumer spaces like banking and social media, but enterprises have yet to make the move. Now, we have an array of technologies to make it easy for them – FIDO2-compliant passkeys, biometric authentication (such as face recognition and fingerprints), and of course, secure single sign-on (SSO). These methods will start to become the standard for all business-to-business interactions. This shift will mean less password theft and greater integration with tools used within the supply chain and vendor ecosystems.
Regulations will redefine identity, says Tim Eades, Anetac CEO and co-founder:
The evolving identity security landscape will force regulators to abandon the traditional separation between human and machine identities. At Anetac, we're seeing a stark reality: for every human account, there are 40 connected non-human accounts. Soon, tokens, service accounts, and APIs will be treated as part of a single identity entity requiring unified protection. This shift mirrors the evolution of automotive safety — while seatbelts existed in the 1950s, mandating them came much later. We're at that inflection point for identity security, and venture capitalists are already positioning their investments accordingly.
The need for organizations to advance their identity verification and security strategies will continue into 2025 (and beyond), says Bojan Simic, HYPR CEO and co-founder:
As organizations face a more perilous digital landscape, the call to innovate, adapt and strengthen identity security has never been more urgent. The growing sophistication of cyber threats demands robust and comprehensive identity assurance solutions that include multi-factor authentication, risk monitoring and adaptive verification — collectively forming multi-factor verification (MFV).
MFV’s critical advantage lies in its ability to authenticate the person, not just the account. As a leading method for safeguarding organizations and their customers, MFV is swiftly gaining market traction. For instance, we believe companies will continue to adopt “Know Your Employee” approaches to recruiting and hiring that extend from the interview stage through to onboarding, ensuring that new hires are truly who they claim to be.
We predict that the era of passwords will further decline as credential misuse rises with AI both aiding and challenging cybersecurity efforts. Our research reveals a stark reality: 69% of breaches are rooted in inadequate authentication methods and a staggering 78% of organizations have been targeted by identity-based attacks. This alarming trend underscores the inadequacy of current identity-based tools in protecting against new-age sophisticated attacks. Consolidating platforms and adopting passkeys and biometric verification are essential.
As cybersecurity concerns grow, trust becomes paramount. It’s imperative for companies to adopt multi-factor verification, adaptive authentication and identity proofing approaches to ensure identity protection.
Machine identities come under attack
Attackers will target non-human identities (NHI), says Bar Kaduri, Orca Security cloud threat research team leader:
NHIs play an essential role in cloud computing. They help power critical applications and efficient operations by enabling digital identities to gain the machine-to-machine access and permissions they need within cloud environments. NHIs come in several forms, including IAM entities, API keys, tokens, and credentials. They enable cloud operations like provisioning resources, accessing sensitive data, and interacting with third-party APIs. In 2025, attackers will make NHIs a prime focus, searching for leaked identities or trying to manipulate known and supply chain services to compromise NHIs.
Machine identities give attackers more opportunities to exploit weaknesses, says Sitaram Iyer, Venafi VP of emerging technologies:
Machines — from IoT devices to servers, and even the workloads that run on them — all require unique identities that, like human credentials, can be hacked to expose critical information. Machine identities now outnumber human identities by 45 to 1 [cyberark.com], and this gap is expected to widen, set to reach 100 to 1 soon. The risk of exploitation grows if these identities aren’t consistently protected across environments — giving attackers more opportunities to exploit weak points.
For instance, compromising a single service account — which relies on machine identities — can grant direct entry into sensitive resources, often with privileged access that allows attackers to move laterally across cloud infrastructures. As we move into next year, this ability to exploit machine identities for unauthorized access will drive adversaries to focus more intently on cloud native environments. Successfully targeting machine identities gives attackers a clear pathway to admin-level control, that can enable everything from data theft to taking over — or shutting down — critical business services.
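The over-privileged service account Iyer describes, and the IAM entities Kaduri lists among non-human identities, can be audited before an attacker finds them. The following is an added example, not code from the article, Venafi or Orca: a least-privilege check over policy documents attached to service accounts. The policy layout follows the AWS IAM JSON shape; the account names, the sample policies and the list of escalation-capable actions are constructed for the illustration and are not exhaustive.

```python
"""Added example (not from the article, Orca or Venafi): a least-privilege audit
over policy documents attached to non-human identities. The policy layout follows
the AWS IAM JSON shape; the sample policies and the escalation-action list are
constructed for illustration and are not exhaustive."""
import json
from fnmatch import fnmatchcase

# Actions that let a principal mint, widen or assume other identities, i.e. the
# pivot a compromised service account needs. Assumption: representative subset.
ESCALATION_ACTIONS = {
    "iam:CreateAccessKey", "iam:AttachUserPolicy", "iam:AttachRolePolicy",
    "iam:PutRolePolicy", "iam:PassRole", "sts:AssumeRole",
}

# Constructed sample policies keyed by service-account name (not real accounts).
SAMPLE_POLICIES = {
    "ci-deployer": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::build-artifacts/*"}]},
    "legacy-backup-agent": {"Version": "2012-10-17", "Statement":
        {"Effect": "Allow", "Action": "*", "Resource": "*"}},
    "orchestrator": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:PassRole", "sts:AssumeRole", "ec2:Describe*"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]},
}


def _as_list(value):
    """IAM accepts a single string where a list is also allowed; normalize."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return findings as (statement_index, kind, detail) for every Allow statement.
    Accepts the policy as a dict or as its JSON text."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((idx, "wildcard-action", action))
                if action == "*":
                    continue  # already the worst case; per-action matching adds nothing
            # fnmatchcase handles partial wildcards such as "iam:Put*"
            for esc in sorted(e for e in ESCALATION_ACTIONS if fnmatchcase(e, action)):
                findings.append((idx, "escalation-capable", esc))
        if actions and "*" in resources:
            findings.append((idx, "wildcard-resource", "*"))
    return findings


def audit_all(policies):
    """Audit every policy; result maps account name -> findings list."""
    return {name: audit_policy(policy) for name, policy in policies.items()}


def riskiest(policies):
    """Account names ordered by number of findings, most first (ties by name)."""
    results = audit_all(policies)
    return sorted(results, key=lambda n: (-len(results[n]), n))


if __name__ == "__main__":
    for name in riskiest(SAMPLE_POLICIES):
        for idx, kind, detail in audit_policy(SAMPLE_POLICIES[name]):
            print(f"{name}: statement {idx}: {kind} ({detail})")
```

The count-based ranking is deliberately crude; "orchestrator" outranks the account with `Action: "*"` only because it produces more findings. A real review would weight a full wildcard grant on `Resource: "*"` above everything else, and would also pull in the inline and attached policies, permission boundaries and trust policies that decide what the account can actually do.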
Machine Identity Security teams become the norm for forward thinking enterprises in 2025, says Kevin Bocek, Venafi chief innovation officer:
Next year, machine identity security will emerge as its own defined category, rather than being lumped into broader identity programs. CISOs now understand that there are human and machine identity programs required, and now people and organizations will change.
This shift is being driven by several factors. Attackers are increasingly zeroing-in on machine identities, particularly in cloud native and development environments. For instance, groups such as IntelBroker recently claimed to be selling stolen machine identities and developer assets from both Cisco and Nokia. Meanwhile, the rapid adoption of cloud-native technologies and AI are fueling the growing complexity and speed at which identities like TLS and SPIFFE are being created and deployed to critical systems.
At the same time, the machine identity landscape is shifting. Shortening lifecycles for machine identities are making management more demanding, while the rise of quantum encryption is pushing organizations to consider their post-quantum readiness. Compounding the challenge is sheer volume: machine identities now outnumber human identities by 45 to 1. And this gap is expected to widen, set to reach 100 to 1 soon.
To manage these changes, forward-looking companies have already formalized their response by creating dedicated Machine Identity Security Programs. As these challenges become more acute, we will see more companies follow suit, to develop comprehensive, automated Machine Identity Security Programs to better position themselves to get ahead of the challenges of today and tomorrow. Those that don’t will witness daily outages and security incidents as the machine identity landscape becomes more turbulent.
Data protection increasingly important
The supply chain will collide with unfiltered data access, propelling businesses to prioritize addressing risks, new and old, says Sanjeev Verma, PreVeil co-founder:
In the next few years, we’ll see more supply chain-related compromises around critical infrastructure, likely led by small third party IT or OT vendor product compromises. Threat actors are evolving their tactics to swim upstream from smaller partner vendors, and businesses need to keep an eye on emerging leverage and pressure points that introduce wider attack surfaces. While data access seems like a simple point to defend, the reality is risk vectors are constantly changing and require the right data security strategies and policies to protect. In 2025 and beyond, data access will resurface as a top business priority to defend.
Another major data breach will highlight the critical need for end-to-end encryption: Following the devastating Salt Typhoon telecom breach, another major breach will expose the limitations of legacy security systems in protecting controlled unclassified information (CUI). This incident will establish end-to-end encryption as a critical selection criterion for security solutions across government and private industry, accelerating the shift away from traditional perimeter-based security approaches.
Data security will be at the heart of generative AI adoption, says Arvind Nithrakashyap, Rubrik co-founder and CTO:
As we look towards 2025, one critical element stands out in the discourse around the adoption and evolution of generative artificial intelligence (AI): data security. As generative AI models require vast amounts of data to learn and generate content, ensuring this data's privacy, confidentiality, and integrity becomes paramount. Companies that can offer robust data security measures will gain a competitive edge, fostering greater trust among users and partners. This trust translates into market share, as businesses and consumers are more likely to engage with AI solutions that prioritize data protection, aligning with stringent regulations like the EU AI Act, GDPR, or CCPA.
Data security, therefore, isn't just a hurdle for generative AI; it's becoming its driving force. As businesses and consumers alike demand more from AI in terms of capability and security, generative AI's future looks increasingly intertwined with advancements in data protection. By 2025, we predict that data security will not only be a benchmark for success in the AI industry but a deciding factor for trust and broad-scale AI adoption by industry and consumers.