The New Identity-First Future

This article is an adapted version of my opening keynote at Identiverse® D.C., November 2025. The original slide deck is available as a PDF.

If you attended Identiverse in Las Vegas, in June 2025, you’ll recall that I spoke in my opening keynote about the need not simply to manage change, but instead to build systems (and teams, and skillsets) that are malleable, or ‘flexible within constraints’. (If you weren’t there, or if you want a refresher, you can access a video of that talk.)

Malleable systems are, at the same time, sufficiently adaptive and sufficiently resilient. In other words, they can bend and adjust to changing circumstances without breaking. By staying flexible in our approach, whilst simultaneously respecting the guardrails provided by standards, policies, and reference architectures—and leaning on the interoperability those same guardrails deliver—we manage for change instead of being managed by change. Change—for the identity and IAM industry, and for the digital identity profession—is coming fast. One might argue it is our “new normal.” It is imperative that we adapt and respond.

The Job of Identity

Adapt what? Well, let me start with a perspective about the job that we, as identity practitioners, do. In my view, we have one job, with two components. Part one is to enable people—and organisations—to get things done in our increasingly digital world. Part two is to protect those people and those orgs (and the systems and data they both rely on) whilst they’re doing the things we enable. Why ‘protect’ and not ‘secure’? Protection from harm is more than defending against attack. It might also mean protecting our organisations from failures of governance, something achieved in part through regulatory compliance. Alternatively, or even in addition, it might mean protecting the workforce, or our customers, from surveillance or data collection overreach, both of which carry their own unique risks (and in some cases carry material risks to organisations, and eventually to the entire identity landscape). And so on. Making activities safely and usefully possible in the digital (and hybrid) world is hard to do, and it’s getting harder. I spoke about this, too, at Identiverse in June 2025. Our remit—the scope of things we’re asked to do—is expanding. The pace and the scale we’re operating at are increasing. The environment we’re working in is getting more complex. Our ’enable and protect’ job is getting harder for lots of reasons. But I think there are two era-defining issues that are applying a disproportionate amount of pressure: artificial intelligence and systemic fragility. These are the things we need to respond to.

Era-defining issues

No. 1: Artificial Intelligence

The first of these is Artificial Intelligence. And let’s start by recognising that at present there is a significant amount of froth to contend with in the AI space. According to a McKinsey survey : “80 per cent of companies have deployed generative AI in some form for at least one business function. Of the AI adopters, 80 per cent still report no material contribution to earnings from the deployments.” Gartner reports that “over 40% of agentic AI projects will be canceled by the end of 2027, due to escalating costs, unclear business value or inadequate risk controls…” Reports like the ones referenced above are useful in giving us a big-picture view of something that, frankly, we’ve all probably experienced. I could point at any number of examples, but here’s one which cropped up for me just the other day.

This screenshot shows the in-app “help” currently provided in a well-known enterprise tool. I won’t name it, partly out of courtesy; and partly because—frankly—I could have picked any number of examples. And you don’t have to take my word for it. The Guardian reported on how a study of ChatGPT, Copilot and others found that these AI services offered incorrect and misleading tips on investments, tax and insurance.

Nutrimatic Think Dispenser

“…almost, but not quite, entirely unlike tea…" If you’re familiar with the Hitchhiker’s Guide to the Galaxy : we’re at the “Nutrimatic Drink Dispenser” stage of the evolution of AI. The Nutrimatic Drink Dispenser was a computer-based drinks machine which, disappointingly for the protagonist Arthur Dent, who was at this point several million light-years away from England, Earth, and was feeling rather homesick, produced a drink which was “almost, but not entirely, quite unlike tea.” You might say that genAI is more a “Nutrimatic ‘Think’ Dispenser”, producing something which is almost, but not quite, entirely unlike intelligence. We are presently at a stage where much of the output we get is almost, but not entirely, quite unhelpful. But that will change.

The Substance of AI

“There are applications of machine learning that are well scoped, well tested, and involve appropriate training data such that they deserve their place among the tools we use on a regular basis.” This extract is taken from an article written by the authors of “ The AI Con ”. Both the article and the book are good reads as counterpoints to the hype. This is precisely the frustration with the froth: it’s hiding the good stuff underneath. What good stuff? Things like ’traditional’ machine learning; and constrained-context large language models and agents, enabled and protected with model-context protocol. The bottom line is, I believe, that within some period of time—it will be a process rather than all happening overnight—we’re going to be doing a lot of things differently, and potentially, better. There is opportunity here. There are also risks.

The Risks of AI

With AI, I see two big risks. The first is what we all tend to concentrate on within the industry.

AI and Security

Deepfakes, AI-enabled or—Anthropic just issued a report on this—AI-operated attacks, malicious bots, supply-chain compromise through vibe coding, data breach, IP leaks, and so on. It’s all a cause for concern because the list of risks is long, and it’s getting longer. There is, however, a second risk, which, if not more important, is at least deserving of equal attention: the risk of missing the boat.

AI: Missing the opportunities

The risk that we might miss the very real opportunities that are in front of us. And by this I mean three things: Failure to ENABLE organisations to use AI safely, appropriately, and responsibly. We need to remember our primary job: to Enable and Protect. Failure to EVOLVE our identity systems to cope with AI requirements, pace, and scale. In order to enable and protect our organisations (and our users) in this new world, we must, as a priority, rebuild our identity systems to cope with AI requirements, AI pace, and AI scale. MCP is a useful starting point, but there is a lot more to do. Failure to RE-INVENT the human-to-identity services interface with (helpful) AI tools. We must consider ways in which AI tools might help specifically in the interface between the user and the identity services they are using.

Enabling AI

The advent of AI is driving new requirements for us to enable and to protect. And creating new ways for us to enable and to protect. With that, let’s turn to our second phenomenon: Fragility.

No.2: Fragility

I urge you to read some of Heather Flanagan’s work on this for some very valuable and detailed insights. Writ large, there is a proliferation, duplication, and misalignment of standards, regulations, and legislation. We’re seeing growing complexity in legislation, regulation, and standards (technical and non-technical); increasing divergence and misalignment, which leads to more friction for businesses, teams, individuals, and systems. This, in turn, leads to personal, commercial, and political operating environments that are highly mutable, unpredictable, and heterogeneous. For a long time, perhaps unwittingly, we’ve assumed benign, immutable, and homogeneous environments; this is no longer a safe assumption. Rather, we have to work on the assumption, at all times, that even if things work well today, a breaking change might happen at the drop of a hat.

Systemic erosion of trust

This effectively leads to a loss of trust throughout the system. If you don’t have some predictable consistency of behaviour from a business, a colleague, an agent, a standard, or an app, it’s hard to lend your trust. That’s true no matter how big or small your org. Regardless of your role or your focus in the industry and the profession. And that’s why our job is getting harder. We are called to deliver era-defining change in generationally less trustworthy environments. And our existing approaches aren’t up to the challenge. Something needs to change.

New foundations

The good news is that we have two new foundations to build on as we adapt.

  • Continuous Identity
  • Pervasive Trust

Continuous Identity

If you’re not familiar yet with the concept of continuous identity, there’s plenty of existing material online from Ian Glazer , Sean O’Dell , and Andrew Cameron , amongst many others—you can read some of my own early perspective here . Conceptually, think of continuous identity as a flow of discrete, contextual data from multiple sources with which we can act to make real-time privilege decisions. We’ve made a good start on this: the Shared Signals Framework, Zero Standing Privilege, in-market product and services… There is more work to be done, though, in particular in applying new systems architecture and application design to our existing estate. But implementing a continuous identity model is necessary if we are to act and to react at AI scale and pace.

Pervasive Trust

The second big development is something I’ve taken to calling Pervasive Trust. Think of this as the next step after ‘zero-trust’. Zero-trust is a starting point: it’s not the end-point. Assuming a breach will happen is an important perspective, but then what? To put it another way: it’s insufficient “assume breach” but then think it’s not your problem to deal with. You can be victimised by zero-trust. Instead, you need to develop trust signals in order to establish trust. In fact, you need to build in as many trust signals as you can to help get you to a point where—for a point in time—you can establish trust. We do some of this already, but not enough, via tools like:

  • Assurance programs
  • Certification programs
  • Professional qualifications

Implement these things within your org; insist on them from your vendors. Under no circumstances take shortcuts with these programs.

Big changes

These are not small adjustments. Implementing the concepts of Continuous Identity and developing the Signals framework to enable Pervasive Trust will change your architecture, design process, and professional development needs, among other things. Change is hard, even when it’s for the better. But these changes are necessary, and they will be worth making. So what does this new identity-first future look like? As we move towards a world of continuous identity and pervasive trust, what can we expect? Imagine a future in which a user (or agent) doesn’t “log in”.
Instead, they (or some agent on their behalf) will present minimal, selectively disclosed, trusted claims which — along with other contextual signals — you can use to grant privilege for a specific action. One. Specific. Action. Enabling and protecting in its purest form. So how do we get there?

Seven suggestions

I have seven suggestions to make. Some are obvious and uncontroversial. Some will provoke some debate, which is good! But I think these seven are at least a solid starting point.

  1. Deploy MFA: If you are not already requiring MFA, you are behind the curve. You are putting your org and your users in harm’s way. You are taking an unacceptable risk.
  2. Follow UX norms: Avoid breaking user expectations with a non-standard log-in flow. Breaking user expectations introduces risk and erodes trust. Leaving aside the sheer affront of dragging the user out of their current work context into their email client, or sending them off to find their phone, in order to get the code you just sent them (assuming it arrives promptly. Or at all) I’ll also point out that the log-in code flow is also fraught with risk. Take the email flow: if the user’s email is compromised (which we know happens not infrequently) there is nothing standing between you and the fraudster. Nothing.
  3. Deploy passkeys: If you’re not deploying passkeys yet, start. Passkeys may be sufficiently secure to replace MFA. Evaluate carefully. Thousands of organisations—including at citizen-national and global scale—have deployed passkeys, and done so with huge success. The flow for the user is better; calls to customer help lines go down, and security is improved.
  4. (4a, really) Proof with care! If you need an identity proofing/verification solution, make sure it is properly vetted and assured so that you and your users can trust it. That’s a big if. Proceed with caution, especially in customer or consumer-facing cases. 3141 First, be sure you actually need an identity proofing solution. Not everyone does. Double- and Triple-check. Push back. If you’re sure, then deploy a properly assured solution, and minimise as much as possible the data you (or your service) request and store. There are systemic risks to the over deployment of identity proofing; at best, the large-scale erosion of trust, and at worst the fundamental collapse of viable proofing. We all have a responsibility to guard against this. However…
  5. (4b, really) Assure the workforce: If you aren’t thinking about an identity proofing solution for your workforce, start (remember: properly vetted and assured). Workforce assurance has some very tangible benefits. Your level of need and your approach will differ by country and by jurisdiction, but you should have an appropriate strategy in place. Make sure it is a trustworthy one: for you, and for your workforce. Again: assurance programs, conformance testing, and data minimisation are critical.
  6. Prepare for wallets: If you aren’t developing a strategy around identity wallets & verifiable credentials, start now. If you don’t have a strategy for how your infrastructure is going to interact with wallets and VCs, start developing one as a matter of urgency.
  7. Get continuous: Start with the Shared Signals Framework. Don’t stop there. A key part of getting ready for identity wallets is getting your infrastructure ‘continuous-ready’. As a bare minimum, understand the shared signals framework, and start considering how to adapt and enhance your infrastructure to make use of it. That’s your starting point, but you need to keep abreast of this: more is coming.
  8. Watch for the intersection: An intersection between passkeys, verifiable credentials, and identity wallets is emerging. Watch out for impacts and opportunities. Finally, be on the alert for an emerging intersection between passkeys, VCs and wallets (including payments).

So that’s it. Seven suggestions. You’ll find information on many of these from Identiverse and from Authenticate (especially the passkey material) earlier this year.

Start today

Talk to vendors about what they can do to help. Help them understand your requirements. Help them build the products and solutions that meet your needs. Discuss problems and approaches, and solutions with your peers. Contribute where you can, whether formally through engagement with standards bodies and working groups; informally at meet-ups or through professional associations like IDPro —if you haven’t explored the body of knowledge and the CIDPRO certification , I encourage you to do so!—and consider sharing your knowledge and expertise through conferences. The Identiverse Call for Presentations for 2026 is open now; other opportunities obviously exist! Putting in a proposal for any of these is no guarantee of a spot, but if you don’t put a proposal in, you’re unlikely to be speaking. And remember: the work that goes into crafting a proposal is never wasted. It can help clarify your own thinking and inform your work in other areas—such as blog posts, internal presentations, and even discussions with colleagues. But whatever you do: start. In an era defined by AI and Fragility, our work—to enable and to protect—is needed more than ever. That work is hard, and it’s getting harder. But we have a new foundation upon which to build. Continuous Identity and Pervasive Trust will make the difference—but we will need all hands on deck to make our new identity-first future a reality.

Select references

To watch

To read

Image credits

If you’re interested in other thoughts I have on digital identity, privacy, and corporate governance, I encourage you to read through this site or follow me on LinkedIn .