The identity and access management (IAM) market has shifted its focus from traditional “login and MFA” mechanisms toward treating identity as a security control plane.

Buyers are prioritizing phishing-resistant authentication, including passkeys, and the management of non-human identities, according to a range of experts CSO asked about developments in the market.

“Workforce access is still the anchor, but more programs now pull in governance, privileged access, and controls for non-human identities because those gaps are where attackers and auditors keep finding leverage,” says Dave Lewis, global advisory CISO at password management tools vendor 1Password.

While the overall European cybersecurity market grew by 7.5% in 2025, IAM surged by 10.8%, according to industry analysts Context.

As of January 2026, the market has accelerated even further, showing a 24% year-over-year (YoY) increase in the first month alone.

Joe Turner, global director of research and business development at Context, says the market growth reflects how “securing the user” has become a spending priority in many enterprise security programs.

Agentic AI shakes up IAM’s future

The increased need to manage non-human identities — machine identities, AI agents, secrets — is one vector shaping the evolution of IAM, as both a technology and a market.

“Non-human identities — service accounts, API keys, AI agents, and IoT devices — are rising significantly, and in most enterprises they already outnumber human users by around three to one,” says Paul Hanagan, CTO of Conscia UK, a provider of secure and complex digital infrastructures.

The IT industry is moving past the introduction of AI technologies toward agentic AI, where agents act on behalf of users with increasing autonomy. This transformation requires a rethink of how security controls manage identities and access to resources.

“The volume and independence of these [AI] entities demands careful monitoring, with least-privilege enforcement and secret keys rotated regularly to ensure non-human identities are secure,” Hanagan says. “Hackers are increasingly targeting non-human identities to gain access, so these services must be secured with the same rigor as human accounts.”

AI should play a big role in behavior analytics, entitlement management, and configuration management by helping to build an identity fabric that bridges security and governance.

“To work effectively, AI agents will need continuous access to all sorts of data, which will lead to rapid behavioral changes,” says Jon Oltsik, analyst in residence at SiliconAngle and theCUBE. “We’ll need policies and guardrails here.”

Passwordless authentication on the rise

Passwords have long been the weakest link in most security architectures.

Many mobile phones and laptops already use biometrics for authentication, and the user experience is typically far better than typing a long and complex password into an interface.

The growing uptake of passwordless authentication (FIDO2/passkeys, biometrics) is redefining the scope of many IAM projects.

“Many enterprises are still in the early stages of deploying passkeys and FIDO2, and biometrics are often deployed as part of a broader MFA strategy, where hardware costs and management overhead remain barriers to widespread adoption,” says Conscia’s Hanagan.

Regulations shake up IAM architectures

The regulatory environment has evolved from a tick-box exercise in compliance toward governance and continuous testing to demonstrate corporate adherence to regulations. That shift, according to Conscia’s Hanagan, is actively reshaping how organizations architect their IAM programs.

“There is a significant amount of regulatory work under way,” he says. “GDPR, NIS2, DORA, PCI DSS 4.0, and sector-specific frameworks all focus on who accesses what, when, and why.”

Hanagan adds: “The EU often takes a different approach to the UK — eIDAS 2.0, for example, is driving digital identity wallet adoption across Europe — which makes compliance particularly difficult for multinational enterprises spanning multiple regions.”

Sovereign IAM and eIDAS 2.0 decentralize identity

With the introduction of the European Digital Identity (EUDI) Wallet, companies are looking at decentralized identity architectures.

“Instead of storing user data, European firms are becoming ‘relying parties,’ verifying identities through cryptographic proof via government-backed digital wallets to reduce PII [personally identifiable information] liability and comply with the EU Data Act, particularly regarding data minimization,” Context’s Turner says.

Managed IAM services make their pitch

Issues such as the cybersecurity workforce gap and the technical complexity of IAM in the modern enterprise are impacting both CISOs’ identity and access strategies and the direction of the IAM market.

“Most organizations are running hybrid estates alongside SaaS sprawl, and the identity surface is fragmented across multiple directories, legacy apps, and inconsistent entitlement models,” 1Password’s Lewis says.

To bridge the challenges posed by this complexity in the face of talent shortages, many organizations are turning to managed IAM services, according to Conscia’s Hanagan.

“Modern IAM solutions are complex to set up and require deep knowledge and expertise,” he says. “When this is coupled with the fear that AI may displace roles — which discourages new entrants into the profession — and tightening regulation, it takes its toll on why modern IAM projects struggle to progress at pace.”

The IAM industry consolidates

The IAM market is going through a period of consolidation as vendors vie to build the most comprehensive platforms while tackling the problem of managing machine identities and AI agents.

Notable IAM M&A activity over recent months includes:
