
AI Ushers the Arrival of IAM/IGA 2.0 

Published 23 August 2025

Abstract

News Flash: AI is here, and its use is growing exponentially. That would be a news flash for anyone living under a rock for the past 2 years!  However, with this rapid rise in the use of AI comes the promise of qualitative and quantitative improvements in how Identity and Access Management (IAM) and Identity Governance and Administration (IGA) can operate. 

Bear in mind that AI also brings many security concerns regarding agentic AI deployments and the management and governance of these agent deployments. In a “friend or foe” manner of speaking, AI transforms nearly everything we thought we knew about IAM and IGA best practices.

In this report, we’ll examine how AI is now able to facilitate enterprise IAM deployments by helping organizations perform many previously arduous and error-prone tasks with the promise of the proverbial “better, faster and cheaper” realization. In conjunction, we’ll address corollary security concerns and how best to manage and secure AI agents so that they meet enterprise risk management requirements.  

We’ll also demonstrate how AI revolutionizes our Reference Architecture for IAM and IGA – and what this means for you. 

Authors:

Doug Simmons
Principal Consulting Analyst
Gary Rowe
CEO/ Principal Consulting Analyst

Executive Summary

Most, if not all, enterprise-wide IAM and IGA solutions offer myriad administration, lifecycle management, monitoring and configuration capabilities and “options”, and these can present a daunting set of considerations that will require a great deal of “resource (people) power”. In other words, while much of what a typical IAM and IGA environment requires can be reasonably “automated”, a lot of manual effort is still required to maintain and refine the ecosystem on a continual basis. Wouldn’t it be nice if there was an AI agent capability that could be deployed in concert with IAM and IGA to facilitate important common tasks such as workflow review and approvals, or performing ongoing discovery operations to find and fix potential anomalies across the entire identity and access management spectrum?

Well, that time has arrived. Many IAM and IGA vendors are now incorporating AI to help organizations accomplish key, traditionally (human) resource-intense tasks such as the following:  

  • Automated Role & Access Recommendations: AI analyzes identity usage patterns to recommend least privilege access policies or identify unused permissions.
  • Access Review Automation: AI assists in scheduling and optimizing access reviews based on user behavior and risk signals.
  • Natural Language Queries: Administrators can ask AI agents in plain language: “Who has privileged access to financial data?” and get actionable insights.
  • Privileged Access Management (PAM) and Cloud Infrastructure Entitlement Management (CIEM): AI can discover and explain permission sprawl across on premises and multi-cloud environments (AWS, Azure, GCP) and help to remediate risks.
  • Just-In-Time (JIT) Access Optimization: AI suggests policy updates to enforce least privilege dynamically, reducing standing access.
  • Shadow Workload Discovery: AI assists in identifying non-human identities (e.g., service accounts, containers, other AI agents) and proposes governance policies.
  • Risk-Driven Alerts: Offers summaries and remediation advice for both workers and workload (non-human) identities with excessive or risky permissions.

These are just a few examples of how AI is beginning to help organizations realize a more mature and secure IAM and IGA infrastructure. Look again at the plethora of runtime decisions, management, audit and monitoring capabilities that existing IAM and IGA solutions make available to their customers, and consider that practically each of these can be automated with an intelligent, customizable, appropriately constrained yet self-learning agent.

Our view is this: after having spent decades with our customers architecting and deploying IAM and IGA in large-scale, high-complexity, multi-national environments, TechVision sees this advanced use of Artificial Intelligence as a critical leap forward. 

The inclusion of AI assistance in the day-to-day important but mundane tasks that are required to maintain an appropriate security posture is to be heralded. In effect, this is truly the beginning of a new era for IGA (and IAM), which we will call IGA 2.0.

In summary, with the compelling inclusion of AI-powered “administrative companions” designed to enhance productivity and streamline workflows by offering contextual assistance, automating tasks, and providing real-time insights – AI is changing the IAM/IGA landscape and now is a good time to assess requirements, evaluate your current state, assess gaps and architect your next generation solution. We’ll explain how in more detail in this report.

TechVision generally recommends a structured approach to such a critical infrastructure element as IAM and has developed a Reference Architecture that is useful in evaluating the set of capabilities necessary for your future state AI-aware IAM and IGA foundation. With over 35 years of experience helping organizations of all sizes, in all industries around the world, TechVision can help you with this process.

Background

Let’s start this with a brief discussion about Zero Trust. While some may feel Zero Trust is now an overused term that many security professionals deem more “hype than reality”, TechVision feels zero trust is a journey more than a destination and its basic philosophy of identity centric authentication and authorization is a fundamental approach to cyber security we have been advocating for many years. For deeper insight into Zero Trust networking and identity management approaches, please see TechVision Research reports on Zero Trust Networking and Zero Passwords in a Zero Trust World, respectively.

In our view, Zero Trust is in fact a merging of networking, identity management and device management in a multi-cloud and hybrid world. This approach gains more traction now, with increased focus on Machine Learning and Artificial Intelligence to manage adaptive access control and user identity and access governance.

Simply put, appropriate integration of AI offers these high-level Zero Trust-oriented capabilities:

1.     Protect access to any application or resource for every identity.

2.     Secure and verify every identity, including employees, contractors, customers, partners, devices, applications, and workloads.

3.     Provide only necessary access by managing identity lifecycles and ensuring least privilege for any identity – including people and resources (i.e., agentic AI, apps and service accounts).

4.     Simplify the user experience by simplifying the authentication process utilizing intelligent security and unified administration.

With the compelling inclusion of AI-powered companions designed to enhance productivity and streamline workflows by offering contextual assistance, automating tasks, and providing real-time insights – your organization may be able to expand its IAM/IGA utility much more rapidly. 

In this report, we are going to dig deeper into the capabilities AI brings to the IAM and IGA landscape – and how robust AI capabilities can potentially bring an elevated level of comprehensiveness to an enterprise cybersecurity posture. Understanding that the AI sword swings both ways, however, we also dive into recommended best practices to manage and govern agentic AI across the enterprise. 

Introduction

Most, if not all, enterprise-wide IAM and IGA solutions offer myriad administration, lifecycle management and configuration “options”, and these can present a daunting set of considerations that will require a great deal of “resource (person) power”. In other words, while much of what a typical IAM and IGA environment requires can be reasonably “automated”, a lot of manual effort is still required to maintain and refine the ecosystem on a continual basis. Wouldn’t it be nice if there was an AI agent capability that could be deployed in concert with IAM and IGA to facilitate important common tasks such as workflow review and approvals, or performing ongoing discovery operations to find and fix potential anomalies across the entire identity and access management spectrum?

Well, that time has arrived. Many IAM and IGA vendors are now incorporating AI to help organizations accomplish key, traditionally (human) resource-intense tasks such as the following:  

  • Automated Role & Access Recommendations: AI analyzes identity usage patterns to recommend least privilege access policies or identify unused permissions.
  • Access Review Automation: AI assists in scheduling and optimizing access reviews based on user behavior and risk signals.
  • Natural Language Queries: Administrators can ask AI agents in plain language: “Who has privileged access to financial data?” and get actionable insights.
  • Privileged Access Management (PAM) and Cloud Infrastructure Entitlement Management (CIEM): AI can discover and explain permission sprawl across on premises and multi-cloud environments (AWS, Azure, GCP) and help to remediate risks.
  • Just-In-Time (JIT) Access Optimization: AI suggests policy updates to enforce least privilege dynamically, reducing standing access.
  • Shadow Workload Discovery: AI assists in identifying non-human identities (e.g., service accounts, containers, other AI agents) and proposes governance policies.
  • Risk-Driven Alerts: Offers summaries and remediation advice for both workers and workload (non-human) identities with excessive or risky permissions.

These are just a few examples of how AI is beginning to help organizations realize a more mature and secure IAM and IGA infrastructure. Look again at the plethora of runtime decisions, management, audit and monitoring capabilities that existing IAM and IGA solutions make available to their customers, and consider that practically each of these can be automated with an intelligent, customizable yet self-learning agent.

Our view is this: after having spent decades with our customers architecting and deploying IAM and IGA in large-scale, high-complexity, multi-national environments, TechVision sees this advanced use of Artificial Intelligence as a critical leap forward. The inclusion of AI in the day-to-day important but mundane tasks that are required to maintain an appropriate security posture is to be heralded. In effect, this is truly the beginning of a new era for IGA (and IAM), which we will call IGA 2.0.

Nevertheless, AI can also bring a great deal of risk to the organization. The rapid rise of agentic AI to facilitate so many business processes and data management tasks can lead to a re-living of the dreaded “shadow IT” challenges of the early 2000’s, when cloud computing first gained traction. Left largely ungoverned, AI agents can introduce significant risks that include enhanced security vulnerabilities such as prompt injection, tool misuse, and lateral movement, which can lead to data leakage, unauthorized access, and disruption of operations. Other risks involve misaligned goals, leading to unpredictable or harmful outcomes, and loss of human control as systems become more autonomous. Organizations also face challenges with accountability and compliance, as determining responsibility for AI actions can be difficult.

In this report we discuss today’s AI as both “friend” and “foe”, specifically within the IAM and IGA realms. 

AI as “Friend”

Enterprises typically use IAM and IGA to control user (or thing, app or agent) access to enterprise applications and application resources based on their business requirements. For example, IAM administrators can configure access control systems to require multi-factor authentication when accessing important, higher risk organizational information resources. IGA is used to automate user provisioning between existing on-premises “identity repositories”, such as HR databases, contractor databases, enterprise directories, vendor databases and so forth. A summary of the many capabilities supported by an IAM and IGA ecosystem is as follows:

·      Conditional Access to both on premise and cloud apps, including user entity behavior analytics (UEBA).

·      SSO to provide a single user identity for authentication and authorization to all resources.

·      Management of the organization’s identity through employee, business partner, vendor, service, and app access controls, including access reviews.

·      Application management of cloud and on-premises apps using single sign-on, “portalization” and Software as a Service (SaaS) apps.

·      Authentication management via self-service password reset, MFA, custom banned password list, and “intelligent” lockout.

·      Application development of apps that sign in all requisite enterprise identities and get tokens to call other APIs securely.

·      Business to Business (B2B) support for “guest” users and external partners, while maintaining granular access control.

·      Business to customer (B2C) support allowing customization and control of how customer users sign up, sign in, and manage their profiles when using enterprise B2C apps.

·      Detection of potential vulnerabilities affecting the organization’s identities, configuring policies to respond to suspicious actions, and taking appropriate action to resolve them.

·      Proactive monitoring to gain insights into the security and usage patterns across the multi-cloud/hybrid environment.

From our perspective, this is a reasonable subset of significant capabilities which we will discuss in terms of our Reference Architecture for IAM in subsequent sections. First, let’s look at IGA a little deeper.

Identity Governance and Administration

Application and system ‘owners’ generally have the responsibility to manage access to their environments and the data within, but this capability becomes extremely onerous as time progresses. This is largely the fundamental reason that the specialized segment of IAM called Identity Governance and Administration (IGA) emerged nearly 15 years ago. In a nutshell, IGA combines entitlement discovery, the decision-making process, and the access review and certification of access governance with the identity lifecycle and role management of user provisioning. For many organizations today, IGA has become a critical service that provides operational management, integration, information security and overall integrity for an enterprise IAM program. In general, when we refer to IAM in this report, we are also referring to IGA under the IAM umbrella.

IGA operates at the intersection of business process management and access automation, allowing people and systems to communicate with each other, fulfilling day-to-day operational needs. A comprehensive IGA program across diverse constituencies can help identify and manage these risks and address compliance requirements. 

Organizations looking to get a handle on how access is being granted and managed over time, and who also want to evolve toward a “least privilege” approach to issuing access, should consider how IGA can help achieve these goals. IGA requires a fundamental understanding of the current state of entitlements across all of the critical systems throughout the enterprise, as well as the operations and data to which they actually grant access.

These capabilities include access certification, access request, role management, and the automated fulfillment and enforcement of changes to entitlement settings through identity lifecycle management as well as applying entitlement risk scoring in adaptive access control systems and aligning roles and activities with privileged access management. 

For a much more detailed investigation and analysis of IGA requirements and deployment best practices, please refer to the TechVision document titled “Establishing a Modern-Day Identity Governance and Administration (IGA) Framework” as well as the more recent document titled “IGA Has Failed-What is the Best Way Forward?”.

Now, let’s look at some of the key IAM and IGA capabilities and how AI can elevate their efficacy. 

AI and Conditional Access

An AI administrative companion is an agent that can evaluate the organization’s Conditional Access policies, flag any policy gaps, suggest optimizations, and help keep policies aligned with Zero Trust best practices. The agent evaluates the organization’s existing conditional access policies against the enterprise’s Zero Trust best practices, including enforcing MFA, blocking legacy protocols, requiring device-based access, and reducing policy redundancy.

The conditional access agent can also flag gaps, suggest improvements, and automatically create new policies in “report-only mode” so they can be safely previewed before enforcement. As the environment evolves, the agent continuously checks for “drift”. For example, it will spot any newly added users or applications that aren’t yet covered by an existing conditional access policy. It can also look for opportunities to merge any overlapping or redundant policies, helping to simplify the policy landscape without weakening protection. 

These kinds of optimizations used to require tedious manual reviews, but now they’re surfaced automatically as part of each agent run. Agentic AI assistance can elevate an organizational identity threat security posture dramatically by “backfilling” the many tedious tasks formerly requiring human administrators – and subsequently left undone. Note, however, this is not to say that the agent can be held accountable, but that the human administrator can accomplish much more by relying on the agent to provide him or her with the right information at the right time to make accurate decisions.
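The drift and redundancy checks described above can be illustrated with a short Python example. It is added here for illustration and is not code from this report or from any vendor; the `Policy` schema, the control names and the sample tenant are all hypothetical.

```python
# Added example: coverage-drift and redundancy check over constructed policies.
# The Policy schema and control names are hypothetical, not a vendor API.
from dataclasses import dataclass, replace

ALL = "*"  # assumed wildcard: "every user" or "every app"


@dataclass(frozen=True)
class Policy:
    name: str
    users: frozenset
    apps: frozenset
    controls: frozenset
    state: str = "enabled"  # "enabled" or "report_only"


def _within(inner, outer):
    """True if scope `inner` is fully contained in scope `outer`."""
    return ALL in outer or (ALL not in inner and inner <= outer)


def _subsumes(q, p):
    """True if q already enforces everything p does, for everyone p targets."""
    return (_within(p.users, q.users) and _within(p.apps, q.apps)
            and p.controls <= q.controls)


def coverage_gaps(policies, users, apps, control):
    """(user, app) pairs that no *enabled* policy protects with `control`."""
    enforcing = [p for p in policies
                 if p.state == "enabled" and control in p.controls]
    return sorted(
        (u, a) for u in users for a in apps
        if not any(_within({u}, p.users) and _within({a}, p.apps)
                   for p in enforcing))


def redundant_policies(policies):
    """(redundant, covering) name pairs; exact duplicates keep the first name."""
    enabled = [p for p in policies if p.state == "enabled"]
    pairs = []
    for p in enabled:
        for q in enabled:
            if q is not p and _subsumes(q, p) and (
                    not _subsumes(p, q) or q.name < p.name):
                pairs.append((p.name, q.name))
                break
    return pairs


def draft_report_only(gaps, control):
    """One report-only draft per app, scoped to exactly the uncovered users."""
    by_app = {}
    for user, app in gaps:
        by_app.setdefault(app, set()).add(user)
    return [Policy(f"draft-{control}-{app}", frozenset(us), frozenset({app}),
                   frozenset({control}), state="report_only")
            for app, us in sorted(by_app.items())]


def enforce(drafts):
    """What an administrator does after reviewing the report-only results."""
    return [replace(d, state="enabled") for d in drafts]


# Constructed tenant: carol and the wiki app were added after the MFA policies.
USERS = ["alice", "bob", "carol"]
APPS = ["hr-portal", "payroll", "wiki"]
POLICIES = [
    Policy("MFA-finance", frozenset({"alice", "bob"}),
           frozenset({"hr-portal", "payroll"}), frozenset({"require_mfa"})),
    Policy("MFA-payroll-alice", frozenset({"alice"}),
           frozenset({"payroll"}), frozenset({"require_mfa"})),
    Policy("Block-legacy-all", frozenset({ALL}), frozenset({ALL}),
           frozenset({"block_legacy_auth"})),
    Policy("MFA-wiki-pilot", frozenset({ALL}), frozenset({"wiki"}),
           frozenset({"require_mfa"}), state="report_only"),
]

if __name__ == "__main__":
    gaps = coverage_gaps(POLICIES, USERS, APPS, "require_mfa")
    print("MFA gaps:", gaps)
    print("redundant:", redundant_policies(POLICIES))
    for d in draft_report_only(gaps, "require_mfa"):
        print("draft:", d.name, sorted(d.users), d.state)
```

Report-only policies are deliberately excluded from coverage, so a pilot policy that was never switched on still shows up as a gap.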

Cloud Infrastructure Entitlement Management and Privileged Access Management           

Over the past 10+ years, much of enterprise IT has moved to “the cloud”. In conjunction with this trend, TechVision has written about IAM migrating to the cloud: Customer IAM is becoming primarily cloud-based, and even Privileged Access Management (PAM) has largely moved to the cloud. Today, we find ourselves with a largely mixed set of IAM and IGA capabilities residing on premises, in the cloud, or both. Adding to this complexity for many organizations is that they may be using multiple Identity as a Service (IDaaS) offerings, may have multiple on-premises IAM systems and may be leveraging multiple cloud service providers. The many components that comprise an IAM environment, such as authentication, authorization, account lifecycle management and privileged access, can today be sliced and diced in such ways that enterprises can select to run in the cloud those capabilities that run more efficiently, are more cost effective and retain requisite security. TechVision dives into this topic significantly in recent reports, such as “Architecting and Managing Hybrid and Cloud-based Identity Services”, and “Privileged Access Management: Will We Never Learn?”.

A consistent set of well thought out permissions management controls that are aligned to a comprehensive cybersecurity framework is an imperative for nearly every organization, enabling the automation and enforcement of controls over privileged credentials in any system, platform, or environment. Permissions management controls also identify all known exceptions that require special access control and monitoring implementation. This is particularly important considering the large number and dynamic nature of resources many organizations are deploying in the cloud, coinciding with requirements to provide on-going support for multi-cloud environments. Most of these cloud environments (e.g., Azure, AWS, Google) have powerful management consoles and APIs that can expand the available attack surface requiring protection and defense. The challenge many organizations have today is that multiple cloud consoles for managing permissions granularly are redundant, repetitive, disparate and cloud platform specific. While manageable to a degree, there is a dire need for a single administrative console to granularly manage permissions across each of these three major cloud platforms.

A mature and robust IAM and IGA ecosystem provides granular cross-cloud visibility to uncover permission risks, enforce least privilege, and continuously monitor and detect anomalies. That’s what CIEM/PAM means, as it allows security administrators to obtain a comprehensive view of all actions performed by any identity across AWS, Azure and GCP. This should also allow the system to right-size permissions and enforce the principle of least privilege based on historical usage and activity. It is also able to detect anomalous permission usage using machine learning and AI, and generate detailed forensic reports, which are capabilities sorely needed by security administration and operations. This ecosystem should address three key use cases: discover, remediate, and monitor.

Discover

·      Assess permission risks by evaluating the gap between permissions granted and permissions used for any identity (irrespective of the identity type and origin) across any cloud.

·      Analyze granular and normalized metrics for all identities across AWS, Azure, and GCP.

·      Track permission risks with an aggregated metric that continuously evaluates the level of risk based on the number of unused or excessive permissions and resources for all identities. This particular metric is a quantitative measure of risk associated with an identity or role determined by unused high-risk permissions and resources. It allows administrators to instantly evaluate the level of risk associated with the identities and resources. 

Remediate

Organizations can also “right-size” permissions based on historical usage, grant new permissions on-demand, and automate just-in-time access for cloud resources.

·      Automate deletion of permissions unused for the past 90 days.

·      Permissions on-demand: Grant identities permissions on-demand (with self-service workflow) for a time-limited period or on an as-needed basis.
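As an added illustration of the Discover and Remediate steps above (not part of the original report, and not any vendor's scoring formula), the following Python example computes the granted-versus-used gap per identity, a weighted risk index, and a revocation plan for permissions unused in the past 90 days. The grants, usage dates, the `HIGH_RISK` classification and the weighting are constructed assumptions.

```python
# Added example: granted-vs-used permission gap, a simple risk index and a
# 90-day revocation plan. Data, weights and the HIGH_RISK set are constructed.
from datetime import date, timedelta

AS_OF = date(2025, 8, 23)   # evaluation date (constructed)
HIGH_RISK = {"iam:PassRole", "s3:DeleteBucket", "kms:Decrypt"}  # assumed
HIGH_RISK_WEIGHT = 3        # assumed weighting, not a vendor formula

# Permissions granted to each identity (human or workload), constructed.
GRANTED = {
    "svc-report-bot": {"s3:GetObject", "s3:PutObject",
                       "s3:DeleteBucket", "iam:PassRole"},
    "alice": {"s3:GetObject", "kms:Decrypt"},
    "ci-deployer": {"lambda:UpdateFunctionCode", "iam:PassRole"},
}

# Last observed use per (identity, permission); a missing key means never used.
LAST_USED = {
    ("svc-report-bot", "s3:GetObject"): date(2025, 8, 20),
    ("svc-report-bot", "s3:PutObject"): date(2025, 4, 1),
    ("alice", "s3:GetObject"): date(2025, 8, 22),
    ("alice", "kms:Decrypt"): date(2025, 8, 1),
    ("ci-deployer", "lambda:UpdateFunctionCode"): date(2025, 8, 21),
    ("ci-deployer", "iam:PassRole"): date(2025, 5, 25),  # exactly 90 days ago
}


def _weight(perm):
    return HIGH_RISK_WEIGHT if perm in HIGH_RISK else 1


def unused_permissions(identity, as_of=AS_OF, window_days=90):
    """Granted permissions with no recorded use inside the look-back window."""
    cutoff = as_of - timedelta(days=window_days)
    stale = set()
    for perm in GRANTED[identity]:
        last = LAST_USED.get((identity, perm))
        # Use on the cutoff day itself still counts as "within the window".
        if last is None or last < cutoff:
            stale.add(perm)
    return stale


def risk_index(identity, as_of=AS_OF, window_days=90):
    """0-100: weighted share of granted permissions that are unused."""
    granted = sum(_weight(p) for p in GRANTED[identity])
    unused = sum(_weight(p)
                 for p in unused_permissions(identity, as_of, window_days))
    return (100 * unused) // granted if granted else 0


def remediation_plan(as_of=AS_OF, window_days=90):
    """Revocation candidates per identity, highest risk first."""
    plan = []
    for identity in GRANTED:
        stale = unused_permissions(identity, as_of, window_days)
        if stale:
            plan.append({"identity": identity,
                         "risk": risk_index(identity, as_of, window_days),
                         "revoke": sorted(stale)})
    return sorted(plan, key=lambda e: (-e["risk"], e["identity"]))


if __name__ == "__main__":
    for entry in remediation_plan():
        print(entry)
```

Never-used permissions are treated the same as stale ones, which is why the service account's high-risk grants dominate its score even though it is active every day.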

Monitor

Organizations can detect anomalous activities with machine learning-powered (ML-powered) alerts and generate detailed forensic reports.

·      ML-powered anomaly and outlier detections.

·      Context-aware forensic reports around identities, actions, and resources to support more rapid investigation and remediation.

In this vein, AI supports a wider range of real-world identity and access scenarios – to help IAM teams investigate, monitor, and respond faster using natural language. In the traditional AI agent sense, administrators can just ask a question, and AI works across the entire enterprise data landscape to bring actionable insights. For example:

Identity Insights and Investigation

Provide a complete view of users, groups, sign-ins and risk, all in one place:

  • Users: Investigate a user’s sign-ins, roles, apps, groups, and permissions.
  • Groups: Understand group membership, access paths, and permissions.
  • Sign-In Logs: Analyze abnormal or failed sign-ins to detect access issues or suspicious activity.
  • Audit Logs: See who made changes to identities, policies, or configurations across the IAM/IGA ecosystem.
  • Lifecycle Workflows: Manage onboarding/offboarding workflows and flag issues across joiner, mover, leaver tasks.
  • Risky Users: Investigate high-risk users and prioritize remediation.

Access Governance and Review

Simplify reviews and reduce excessive permissions:

  • Access Reviews: Get summarized recommendations to streamline decisions.
  • Entitlement Management: Review access settings and assignments.
  • RBAC: Spot over-privileged roles and analyze assignments.

App and Resource Protection

Quickly identify risky apps, secure configurations, and improve licensing hygiene:

  • App Risk: Investigate app behaviors, detect misconfigurations, and flag risky integrations.
  • IAM/IGA Recommendations: Act on best-practice guidance, security alerts, and policy recommendations.
  • Enterprise Software License Utilization: Analyze license usage to optimize costs and tie licenses to active identities.

Monitoring and Posture Management

Get a clearer view of the enterprise IAM/IGA ecosystem, to help keep it healthy and secure:

  • Alerts in Scenario Health Monitoring: Detect risks tied to misconfigurations or coverage gaps.
  • Service Level Agreements in System Health Monitoring: Identify performance or reliability issues affecting key identity workflows.
  • MFA Auth Methods: Audit usage and enforce phishing-resistant MFA.

Again, we’re not pushing this as a panacea, but TechVision does see this level of agentic AI “assistance” across the broad spectrum of IAM and IGA capabilities as the key harbinger of IGA 2.0.

AI and Verifiable Credentials

TechVision has written four research reports that cover Decentralized Identity and Verifiable Credentials over the past 6 years (and one more in process) – so we’ll describe this model at a high level here. Decentralized Identity with a verifiable credential ecosystem has the potential to be the foundation for the new Digital Enterprise by supporting the sharing of only the relevant elements of verifiable information necessary to perform specific transactions. It can also support identity authentication, identity proofing and has the potential of moving the industry to a user-centric identity model that has been discussed and explored over the past 30 years.

These new models can be applied to a diverse set of services ranging from logging on to an employer’s network, accessing services from a healthcare provider network or leveraging the on-line services of Amazon, Netflix or other service providers. The goal of Decentralized Identity is to develop mechanisms to easily establish trust, gain explicit consent and easily share relevant information with these services without requiring a 3rd party to control and/or intermediate every transaction. It is effectively the basis for a viable Bring Your Own Identity (BYOI) universe.

This new piece in the modern identity puzzle is called a verifiable credential. This can be thought of as an Identity metasystem that uses credential exchange as the unifying protocol for exchanging Identity data and to verify the claim being made from an authoritative source. A verifiable credential is a qualification, achievement, quality, or piece of information about an entity, such as a name, government ID, payment provider, home address, or university degree. Such a credential describes a quality or qualities, property or properties of an entity that establishes its existence, uniqueness and trustworthiness. Entities (people, organizations, devices) need to provide many kinds of credentials as part of their everyday activities.

As we described in our recent reports “The Future of Identity Management 2022-2027”, and “Decentralized Identity and Verifiable Credentials”, decentralized identity’s transparent model can support Bring Your Own Identity (BYOI) in a more secure, immutable, and non-repudiated identity ecosystem that effectively crosses enterprise and personal identity boundaries.

AI is helpful to the deployment and administration of verifiable credentials in many ways, including:

  • Verifiable Credential Analysis: AI helps issue, verify, and audit decentralized credentials at scale. It surfaces inconsistencies or anomalies in credential use.
  • Governance Insights: AI provides a comprehensive view of identity assurance levels across internal and external users.
  • Aid in incident investigation & remediation: AI provides natural-language summaries and actionable insights based on identity data — including logs, face-check outcomes, sign-ins, audit trails, and credential issuance events. This helps admins quickly identify, assess, and resolve anomalies.
  • Intelligent credential workflow support: AI can help construct or troubleshoot credential issuance and verification flows. For example, one can ask:
    • “Show me recent face-check failures during verifiable credential issuance.”
    • “Summarize high-risk credentials issued in the past 24 hours.”

These prompts help tune issuance policies and spot fraudulent proofing. 

  • Reviewing identity governance and access decisions: AI can evaluate access review outcomes that rely on verifiable credentials evidence. Example prompts include:
    • “Identify which reviewers overrode verifiable credentials face‑check recommendations.”
    • “What percentage of credential-based reviews require escalation?”

This has been an overview of the ways AI is becoming a “friend” of the enterprise IAM and IGA ecosystem. Now, let’s turn our attention to how to protect the enterprise from agentic AI becoming a formidable “foe”.

AI as “Foe”

AI offers game-changing benefits for individuals and enterprises but also exposes organizations to potentially devastating risks. One of the greatest AI-related risks and the focus of this paper is the management and security of AI agents (Agentic AI) that are designed to take proactive, autonomous actions on behalf of a wide range of stakeholders. From a security perspective, any agent that takes autonomous action must be clearly identified, understood, managed, and governed and the right IAM foundation can play a major role in supporting this. The time to address Agentic AI is now for most enterprises in that it is increasingly being rolled out by organizations in a largely ungoverned manner.  

We remember warning organizations against the threat of “shadow IT” growing exponentially as divisions or departments within organizations were rushing to “get something on the cloud” that could be rolled out super quickly and relatively cheaply. In this “model”, it was all about time-to-market and the common refrain was “we will bolt on security as soon as possible – we just have to get this application out there, or else we’ll be replaced by someone who will!” Fear motivates.

In 2025 we have AI large language models (LLMs)/large language processing, generative AI, Deep Learning and Self-aware AI – all of which are being incorporated into “agents” or bots. These agents or bots are AI-immersive applications that can become exceedingly dangerous because we are not governing them properly before putting them into production. Furthermore, AI is moving from providing insights and predictions to taking action (in a “quasi perfect world”) on our behalf…but what if the action is not in the interest of the individual or enterprise? That is where a combination of modern IAM and IGA that understands agentic AI objects, new security approaches and new governance models is needed, and it is currently a key part of TechVision’s focus (and hopefully enterprise and vendor focus) in 2025, and beyond.

This has the very real potential to become the “shadow IT” of the Death Star. This is not gaslighting. This is not the Angel of Doom speaking. We have proven that as a species, we don’t really know how or want to know how to protect ourselves from the unintended consequences of our digital existence if such protection gets in the way of time-to-market, to say it mildly.

Agentic AI has the real potential to dramatically exacerbate organizations’ insider threat risk, because AI agents are “insiders”. We are creating AI agents in our image – warts and all. But it’s worse than that: AI agents can harm us by:

·      Requiring large amounts of data that may compromise privacy or expose confidential information.

·      Being targets for bad actors if they are trained with proprietary data.

·      Collaborating or colluding in harmful ways if agents are compromised in any number of ways, such as via influence operations and social engineering (just like us humans).

·      Hallucinating and providing erroneous outputs due to the lack of enough reliable data to train AI systems, especially for complex tasks.

To name just a few of the very real threats.

Know Your Agent (KYA) and Identity and Access Management (IAM) are two sides of the same “information protection coin”:

·       We define KYA as the process of identifying, analyzing, and addressing the risks associated with agentic AI behavior as it relates to an organization’s information management, access, processes and procedures – just like we do with the workers.

·       Identity and Access Management (IAM) has been a cornerstone of cybersecurity since the inception of modern computing – as well as today’s Zero Trust authentication and access control frameworks. These bedrock principles apply to agentic AI every bit as much as they apply to human workers. 

Agentic AI design and deployment governance must therefore have direct interaction with the enterprise IAM system(s) to Know Your Agent. This IAM visibility includes accurately and temporally facilitating access to sensitive information and configuration capabilities. For example, an AI agent designed to analyze financial market data might need access to a specific database within a company’s system. IAM and IGA systems need to be able to identify and authenticate AI agents, which can be complex due to their dynamic nature and potential for rapid evolution. IAM/IGA would define the agent’s unique identity and grant it the necessary permissions to access the data while restricting access to other sensitive areas. This simple example should illustrate how mature IAM/IGA can lessen your risks associated with agentic AI error or malfeasance.

Agentic AI has the real potential to dramatically exacerbate organizations’ insider threat risk, because AI agents are “insiders”. Please let that sink in. AI agents as insider threats pose several risks, including technical, ethical, and socioeconomic risks.

Technical risks

  • Errors and malfunctions: AI agents can make errors or malfunction, which can lead to data breaches.
  • Security issues: AI agents can be used to automate cyberattacks.
  • Coding logic errors: AI agents can make unintended or malicious coding errors.
  • Data poisoning: Malicious data can be injected into training data, which can compromise the AI’s decision-making.

Ethical risks

  • Decision-making and accountability: AI agents can make decisions that are not aligned with human values.
  • Accountability: Who is responsible when an AI system makes a faulty decision that harms someone?
  • Collusion: AI agents could work together in harmful ways.
  • Bias: AI agents can amplify biases present in the data they are trained on.

Socioeconomic risks

  • Job displacement: AI agents could automate tasks that humans currently perform, which could lead to job displacement.
  • Over-reliance: People could become overly reliant on AI agents, which could lead to disempowerment, or more likely, abdication of responsibility.

While many, if not most, organizations have had evolving and growing risk management and Governance, Risk, and Compliance (GRC) initiatives in place for the past two decades, the advent of agentic AI risk focus is worth noting. This is because up until now, risk management has been focused on the notion of humans interacting with IT. As humans become less involved in the actual functioning of many organizational efficiency initiatives, there needs to be something tied to someone who is watching the crown jewels. Agentic AI, as we briefly noted above, has the potential to cause the organization much damage if not appropriately secured. If roughly 75% of all breaches today are human-induced, and we are rolling out agentic AI in our human image, it would be foolish to believe that agentic AI can be trusted any more than humans can.

This begs the question, “what can be done?” which we’ll discuss next.

AI Agent Threat Controls and Procedures Guidance

Today, “conventional wisdom” seems to indicate that to mitigate these risks and others, organizations can and should: 

1.     Establish clear ethical guidelines, 

2.     Prioritize data governance and cybersecurity, 

3.     Educate the organization about AI agents, 

4.     Improve the transparency of AI agents, and 

5.     Implement “human-in-the-loop” oversight.

For example, the National Security Agency’s Artificial Intelligence Security Center (NSA AISC) published the joint Cybersecurity Information Sheet Deploying AI Systems Securely in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom’s National Cyber Security Centre (NCSC-UK).

The guidance provides best practices for deploying and operating externally developed artificial intelligence (AI) systems and aims to:

  • Improve the confidentiality, integrity, and availability of AI systems.
  • Ensure there are appropriate mitigations for known vulnerabilities in AI systems.
  • Provide methodologies and controls to protect, detect, and respond to malicious activity against AI systems and related data and services.

According to CISA, there are three types of AI risk:

  • Attacks that target AI systems
  • Failures in the design and implementation of AI systems
  • Attacks that use AI

CISA’s guidelines comprise four functions: Govern, Map, Measure, and Manage.

Govern

·       As in the National Institute of Standards and Technology (NIST) cybersecurity framework, Govern sits at the center of the model, and is built on the foundation of a culture of AI risk management. The guidelines here support the establishment of policies, processes, and procedures that allow organizations to enjoy the benefits of AI while mitigating its risks. It follows a “secure by design” philosophy, where cybersecurity leaders build a culture in which security is a top priority.

·       Among the different guidelines within Govern is the need to create a detailed plan for cybersecurity risk management, establish transparency in AI system use, and integrate AI threats, incidents, and failures into information-sharing mechanisms.

·       Furthermore, organizations should establish roles and responsibilities with their AI vendors, invest in workforce training, and collaborate with industry groups or government agencies to stay on top of risk management tools and methodologies.

Map

·       Mapping is key to understanding where and how AI systems are being used. The visibility into these systems allows security teams to assess, evaluate, and mitigate specific risks.

·       The guidelines include documenting AI use cases, their risks, and mitigations, as well as conducting an impact assessment of the AI tool and the negative potential impact that could arise from the implementation.

·       Security teams should also assess whether certain AI systems require human supervision to address any malfunctions or unintended consequences.

Measure

·       Within this function, organizations are guided to develop systems capable of assessing, analyzing, and tracking AI risks. It asks security teams to identify repeatable methods that can monitor AI risks and impacts throughout the AI system lifecycle.

·       As part of this function, security teams should define metrics for detecting and tracking known risks and incidents. Organizations should continuously test AI systems for errors and establish practices to prevent exposure of confidential information.

·       AI systems should be developed and used with resilience in mind, which enables fast recovery from any type of disruption. Most importantly, teams should also establish processes for AI security reporting, to collect feedback from impacted stakeholders.

Manage

·       The last of CISA’s guidelines covers the need to prioritize and act upon AI risks to safety and security. Organizations should establish and follow AI cybersecurity best practices, including the use of role-based access controls and logging all system use.

·       Whenever possible, mitigations should be applied before systems or applications are deployed, and systems should be monitored for any kind of unusual or malicious activity or behavior.

·       When incidents arise, security teams and stakeholders should follow established incident response plans to restore and secure the AI system.

Agentic AI Managed Through IAM/IGA 2.0

Here are some of the most important aspects of today’s enterprise IAM/IGA environments that will be necessary to securely support agentic AI across the enterprise:

·      Identity Registration

·      Lifecycle Management

·      Authentication

·      Access Control

·      Monitoring, Threat Detection and Remediation

We describe these below.

Registration

AI agent registration before release into Production is critical. In this process, a reasonable amount of information about the agent, such as the human owner of the agent, its purpose, its data and access requirements, its time-to-live and other key characteristics, needs to be captured, stored and maintained within the IAM subsystem.

The level of access to sensitive information resources should dictate the level of registration information required – just like with people. The enterprise needs to know what functions this particular agent can perform within the context of the enterprise’s data and systems, including system configuration.

Lifecycle Management

The lifecycle of the agent must be managed closely as the functionality and “awareness” of the AI agent will likely change over time. This requires that agent identities be audited, and access rights certified in perpetuity. This key requirement has been traditionally oriented toward the workers (people) of the organization. Now, this lifecycle management process must include registration and re-certification of agentic AI.

IGA helps detect and mitigate accumulation of privilege, which is a tremendous risk to many organizations who let workers accumulate access rights for the duration of their employment, often not in concert with the workers’ current job requirements. This may also happen with AI agents as they “mature” and adapt through self-learning/machine learning, etc. 

Identity lifecycle management and IGA help enforce separation of duties and enable strong Privileged Access Management (PAM) to limit the functions that agentic AI administrators may perform on systems. Agentic AI administrators already exist. The train is leaving the station at breakneck speed. PAM needs to be extrinsically integrated with AI agents that can perform any administrative or sensitive tasks anywhere in the IT infrastructure – on-premises and in-cloud.
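The registration and lifecycle requirements above can be sketched as a small agent registry. This is an added example, not TechVision's or any vendor's code; the tier names, required fields, re-certification intervals, entitlement strings and the agent `agent-fin-01` are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed tiers: more sensitive access demands more registration detail.
REQUIRED_FIELDS = {
    "low": {"owner", "purpose"},
    "moderate": {"owner", "purpose", "data_sources", "ttl_days"},
    "high": {"owner", "purpose", "data_sources", "ttl_days",
             "can_change_config", "approver"},
}
RECERT_DAYS = {"low": 365, "moderate": 180, "high": 90}  # assumed intervals


@dataclass
class AgentRecord:
    agent_id: str
    tier: str
    attributes: dict
    entitlements: frozenset
    registered_at: datetime
    last_certified_at: datetime


class AgentRegistry:
    """In-memory stand-in for the agent registry kept in the IAM subsystem."""

    def __init__(self):
        self._agents = {}

    def register(self, agent_id, tier, attributes, entitlements, now):
        """Refuse registration unless every field the tier requires is filled."""
        if tier not in REQUIRED_FIELDS:
            raise ValueError(f"unknown tier: {tier}")
        if agent_id in self._agents:
            raise ValueError(f"duplicate agent id: {agent_id}")
        present = {k for k, v in attributes.items() if v not in (None, "", [])}
        missing = sorted(REQUIRED_FIELDS[tier] - present)
        if missing:
            raise ValueError(f"registration incomplete, missing: {missing}")
        record = AgentRecord(agent_id, tier, dict(attributes),
                             frozenset(entitlements), now, now)
        self._agents[agent_id] = record
        return record

    def certify(self, agent_id, keep, now):
        """Owner re-certifies access; anything not in `keep` is revoked."""
        rec = self._agents[agent_id]
        rec.entitlements = rec.entitlements & frozenset(keep)
        rec.last_certified_at = now
        return rec

    def findings(self, agent_id, used_entitlements, now):
        """Lifecycle findings for one agent, given the entitlements it used."""
        rec = self._agents[agent_id]
        used = set(used_entitlements)
        out = []
        ttl = rec.attributes.get("ttl_days")
        if ttl is not None and now > rec.registered_at + timedelta(days=ttl):
            out.append("expired")
        if now - rec.last_certified_at > timedelta(days=RECERT_DAYS[rec.tier]):
            out.append("recertification_overdue")
        # Privilege accumulation: granted but never exercised in the window.
        out += [f"unused:{e}" for e in sorted(rec.entitlements - used)]
        # Use without a grant means enforcement failed somewhere upstream.
        out += [f"ungranted_use:{e}" for e in sorted(used - rec.entitlements)]
        return out


def demo():
    """Constructed scenario: a market-data agent reviewed 120 days after launch."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    reg = AgentRegistry()
    reg.register(
        "agent-fin-01", "high",
        {"owner": "j.doe@example.com", "purpose": "analyze financial market data",
         "data_sources": ["marketdb"], "ttl_days": 365,
         "can_change_config": False, "approver": "ciso-office"},
        {"marketdb:read", "ledger:read", "ledger:write"}, t0)
    review_day = t0 + timedelta(days=120)
    before = reg.findings("agent-fin-01", {"marketdb:read"}, review_day)
    reg.certify("agent-fin-01", {"marketdb:read"}, review_day)
    after = reg.findings("agent-fin-01", {"marketdb:read"}, review_day)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The `unused:` findings are the agent equivalent of the privilege accumulation IGA looks for in workers: the re-certification step is where the owner removes them.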

Agent Authentication

Agentic AI authentication is how an agent identifies itself unambiguously to the enterprise cybernetic systems. A mature IAM implementation requires agentic AI to authenticate using methods commensurate with the risk of information loss, including a combination of factors like unique identifiers, cryptographic keys, and behavioral analysis – rather than relying solely on traditional user credentials like passwords. 

Furthermore, as we detailed in our recent report titled “Personhood Credentials: An Emerging Solution to AI Deception”, the rise of AI-generated deception, including deepfakes and synthetic personas, presents significant challenges in maintaining trust and authenticity in digital environments. TechVision advises that Personhood Credentials (PHCs) offer a novel solution by providing cryptographic proof that an individual is human, without revealing personal information. Unlike traditional identity systems, PHCs focus solely on verifying humanness, using privacy-preserving techniques like zero-knowledge proofs. These credentials can be issued by various entities such as governments or tech companies and are designed to combat AI-driven fraud, misinformation, and manipulation. With their decentralized issuance model and privacy-preserving features, PHCs provide a robust defense against large-scale manipulation while maintaining user anonymity. As AI technologies continue to evolve, PHCs represent a simple yet critical tool for safeguarding online trust and protecting against the misuse of AI at scale. We strongly encourage organizations to invest in approaches to authentication such as this so that they can minimize, if not eliminate AI-centric fraud emanating from their own agentic AI.

Access Control

IAM / access control systems must enforce least privilege access and prevent unauthorized actions by AI agents. This functionality should be used to maintain blacklists of threat indicators and files that AI agents are disallowed from accessing. A continuous monitoring and feedback loop should be established to identify and correct any unwanted actions resulting from AI agent inaccuracies.

Monitoring, Threat Detection and Remediation

The IAM environment must proactively monitor all authentication and access activity and enforce user and entity behavior analytics (UEBA), risk scoring, and other effective run-time (proactive) safeguards to ensure an agent isn’t erroneously or malevolently accessing/retrieving sensitive information or changing system configurations.

Baseline behaviors should be established to identify outlier transactions, which can then be addressed through automatic real-time remediation. These real-time monitoring capabilities can alert IAM to automatically suspend and remediate rogue transactions while forwarding any unresolved issues to human operators for manual review.
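A minimal version of that baseline-and-remediate loop, as an added example rather than any product's implementation: the event fields, score weights, thresholds and action names are assumptions, and the history and live events are constructed sample data.

```python
import statistics
from collections import defaultdict

SENSITIVE_ACTIONS = {"config_change", "export"}   # assumed action names
SUSPEND_AT, REVIEW_AT = 70, 40                    # assumed score thresholds


def build_baseline(history):
    """Summarise each agent's normal behaviour from past, reviewed events."""
    pairs, volumes = defaultdict(set), defaultdict(list)
    for e in history:
        pairs[e["agent"]].add((e["resource"], e["action"]))
        volumes[e["agent"]].append(e["records"])
    return {
        agent: {"pairs": pairs[agent],
                "mean": statistics.mean(vols),
                "stdev": statistics.pstdev(vols)}
        for agent, vols in volumes.items()
    }


def score_event(profile, event):
    """Return (score, reasons) for one event against one agent's baseline."""
    score, reasons = 0, []
    if (event["resource"], event["action"]) not in profile["pairs"]:
        score += 40
        reasons.append("unseen_resource_or_action")
    if event["action"] in SENSITIVE_ACTIONS:
        score += 30
        reasons.append("sensitive_action")
    # Floor the deviation so a perfectly flat baseline does not flag noise.
    limit = profile["mean"] + 3 * max(profile["stdev"], 1.0)
    if event["records"] > limit:
        score += 40
        reasons.append("volume_outlier")
    return score, reasons


class AgentMonitor:
    def __init__(self, baseline):
        self.baseline = baseline
        self.suspended = set()
        self.review_queue = []        # (event, reasons) for human operators

    def handle(self, event):
        """allow | review (held for a human) | suspend (agent cut off) | deny."""
        agent = event["agent"]
        if agent in self.suspended:
            return "deny"
        profile = self.baseline.get(agent)
        if profile is None:
            # An agent with no baseline was never observed: fail closed.
            score, reasons = 100, ["no_baseline"]
        else:
            score, reasons = score_event(profile, event)
        if score >= SUSPEND_AT:
            self.suspended.add(agent)
            self.review_queue.append((event, reasons))
            return "suspend"
        if score >= REVIEW_AT:
            self.review_queue.append((event, reasons))
            return "review"
        return "allow"

    def reinstate(self, agent):
        """Called by a human operator once the queued events are resolved."""
        self.suspended.discard(agent)


# Constructed sample data: five normal reads, then four live events.
HISTORY = [{"agent": "agent-fin-01", "resource": "marketdb", "action": "read",
            "records": n} for n in (100, 110, 90, 105, 95)]
LIVE = [
    {"agent": "agent-fin-01", "resource": "marketdb", "action": "read", "records": 108},
    {"agent": "agent-fin-01", "resource": "marketdb", "action": "read", "records": 5000},
    {"agent": "agent-fin-01", "resource": "hrdb", "action": "export", "records": 2000},
    {"agent": "agent-fin-01", "resource": "marketdb", "action": "read", "records": 100},
]


def run_demo():
    monitor = AgentMonitor(build_baseline(HISTORY))
    return [monitor.handle(e) for e in LIVE], monitor


if __name__ == "__main__":
    print(run_demo()[0])
```

The last event is ordinary on its own but is still denied: once an agent is suspended, nothing passes until a human calls `reinstate`.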

These are just a few of the many capabilities that an IAM/IGA ecosystem provides to the enterprise in terms of cybersecurity. These capabilities must be extended immediately to support agentic AI in the context of providing services and protecting the organization. In fact, IAM is the cornerstone of the Zero Trust Architecture movement that we will discuss next.

Agent Risk, IAM and Zero Trust

TechVision Research has published several reports focusing on Zero Trust networking and enablement. Our position is that IAM is the essential underlying infrastructure that enables the adoption of zero trust architecture. The National Institute of Standards and Technology (NIST) describes Zero Trust Architecture as “an end-to-end approach to network/data security that encompasses identity, credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure.” 

What this definition implies is that an enterprise should only trust someone or something that is granted and reestablished/verified through Identity and Access Management (IAM) services designed to:

·      Provide proper controls to securely onboard, manage, and offboard agent identities, 

·      Enable sufficient authentication and authorization mechanisms as per enterprise risk management, and 

·      Provide an extensive proactive alerting and reactive audit trail of all agentic AI access to the enterprise resources. 

Because Zero Trust is not a product or even a prescribed implementation strategy (despite some vendors’ insistence), it makes sense that the decisions made about solving for Zero Trust across the enterprise demonstrate the consistent application of the following capabilities:

  • Least Privilege – An agent is granted the appropriate access and entitlements for a resource based on the need to perform its intended function and only during the time the function is being performed.
  • Strong Verification – Move beyond passwords into advanced methods of authentication, and practice progressive collection and disposal of credentials required to achieve least-privilege functional execution.
  • Risk-based enforcement – Evolve to decision making based on factors beyond a strongly verified agent identity. Factors such as resource value, location, device and network security postures, and agent/user behavior are included in access/entitlement decisions in a least privilege regime.
  • Continuous Evaluation of Assurance – Identify and assess levels of risk to the achievement of business objectives. Considers a combination of monitoring and auditing capabilities, such as: 

o   Analyzing trends 

o   Correlating outliers 

o   Highlighting potential exposures 

o   Evaluating and remediating exposures

  • Continuous Evaluation of Entitlement – Monitor and review the application of policies that grant, resolve, enforce, revoke, and administer fine-grained access entitlements to agentic AI (and human workers!) for resources.

Each of these capabilities identified above for Zero Trust should be extended to agentic AI deployment.

Remember, Zero Trust is about always asking if this activity/action is “appropriate” – during runtime.  

To determine that level of appropriateness, you need to consider the risk, the activity, and the identity and the associated credentials to determine authentication, access, and entitlements. This means that the “identity is the perimeter” and it is the one piece of the puzzle that must be secured with the utmost care to preserve the integrity of the information ecosystem as the agentic AI “identity” traverses from the device, over the network to the actual data, as illustrated below.

Figure 1:  Identity Based Zero Trust Applies to Agentic AI
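The runtime "is this appropriate?" decision can be written as a single policy decision function that applies strong verification, the deny list from the Access Control section, time-bound least privilege and risk-based enforcement in that order. This is an added example, not part of the TechVision Reference Architecture; the grant table, resource values, thresholds and names are hypothetical, and the HMAC shared key stands in for whatever cryptographic credential an agent actually holds.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Constructed sample policy data; every name and value here is hypothetical.
AGENT_KEYS = {"agent-fin-01": b"constructed-demo-key-not-a-real-secret"}
GRANTS = [  # least privilege: one resource, one action, one validity window
    {"agent": "agent-fin-01", "resource": "marketdb", "action": "read",
     "not_before": datetime(2025, 8, 25, 8, 0, tzinfo=UTC),
     "not_after": datetime(2025, 8, 25, 18, 0, tzinfo=UTC)},
]
DENY_LIST = {"hr/payroll.csv"}                        # no agent may touch these
RESOURCE_VALUE = {"marketdb": 40, "iam-config": 90}   # assumed 0-100 scale
MAX_AGE = timedelta(minutes=5)


def sign(key, agent, resource, action, issued_at):
    msg = "|".join([agent, resource, action, issued_at.isoformat()]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_request(agent, resource, action, issued_at):
    """What the agent sends: the request fields plus proof of key possession."""
    return {"agent": agent, "resource": resource, "action": action,
            "issued_at": issued_at,
            "signature": sign(AGENT_KEYS[agent], agent, resource, action, issued_at)}


def decide(req, now, context_risk):
    """Return (decision, reason); context_risk is 0-100 from posture/behavior."""
    agent, resource, action = req["agent"], req["resource"], req["action"]
    # 1. Strong verification: registered identity, valid signature, fresh.
    key = AGENT_KEYS.get(agent)
    if key is None:
        return "deny", "unregistered_agent"
    expected = sign(key, agent, resource, action, req["issued_at"])
    if not hmac.compare_digest(expected, req["signature"]):
        return "deny", "bad_signature"
    if abs(now - req["issued_at"]) > MAX_AGE:
        return "deny", "stale_request"
    # 2. An explicit deny-list entry wins over any grant.
    if resource in DENY_LIST:
        return "deny", "deny_listed_resource"
    # 3. Least privilege: an exact grant must exist and be inside its window.
    grant = next((g for g in GRANTS if
                  (g["agent"], g["resource"], g["action"]) == (agent, resource, action)),
                 None)
    if grant is None:
        return "deny", "no_entitlement"
    if not grant["not_before"] <= now <= grant["not_after"]:
        return "deny", "outside_grant_window"
    # 4. Risk-based enforcement; an unvalued resource counts as maximum value.
    risk = context_risk + RESOURCE_VALUE.get(resource, 100)
    if risk >= 120:
        return "deny", "risk_too_high"
    if risk >= 80:
        return "human_approval", "elevated_risk"
    return "permit", "ok"


def demo():
    t = datetime(2025, 8, 25, 10, 0, tzinfo=UTC)
    ok = make_request("agent-fin-01", "marketdb", "read", t)
    late = t.replace(hour=20)
    return [
        decide(ok, t, 10),                                   # normal use
        decide(ok, t, 50),                                   # same request, riskier context
        decide(make_request("agent-fin-01", "marketdb", "read", late), late, 10),
        decide(dict(ok, resource="iam-config"), t, 10),      # altered after signing
        decide(make_request("agent-fin-01", "hr/payroll.csv", "read", t), t, 10),
        decide(ok, t + timedelta(minutes=30), 10),           # old request presented late
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```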

Now, let’s look at how AI – friend and foe – fits into the TechVision Reference Architecture for IAM and IGA.

AI and the IAM/IGA 2.0 Reference Architecture

In this section, we will map the AI-specific capabilities and requirements with the TechVision Research Reference Architecture for IAM and IGA, which is a master template that identifies the IAM capabilities (rather than technologies) that can be improved or enabled, allowing business stakeholders and technical architects to achieve a common language for IAM/IGA functions. These functions can then be refined over time, and the purpose of the Reference Architecture is to maintain a “living, breathing” representation of the organization’s IAM strategy. Please note that considerably more information is available in the many TechVision Research documents that encapsulate the Reference Architecture for IAM/IGA within discussions about authentication, MFA, PAM, runtime authorization, and Application Development. The overarching TechVision Research document titled IAM Reference Architecture is recommended as a good starting point to gather more detailed background information.

The following high-level template starts the IAM journey:

Figure 2: Top Level IAM Reference Architecture Template

These IAM capabilities are described at the highest level as:

Interact: Interact is a layer of user interaction (UI) and application programming interfaces (API) that simplify end user, application developer or agentic AI interaction with the rest of the IAM/IGA infrastructure. In this way, non-experts can follow the best practices of IAM without having to be experts in the field.

This allows the enterprise to:

·      Incorporate new security capabilities without having to reengineer applications.

·      Increase speed to market by removing security from the critical path of service development.

·      Enhance security through the automatic adoption of best-of-breed security and privacy components.

·      Decrease on-boarding friction by isolating complex security infrastructure through intuitive user interfaces.

Access: Access is the layer that answers the “Who or what has access to what?” question. It ensures customers can confidently exchange information and get the services they need to buy and use your products. It ensures employees, partners and AI agents have all the digital resources they need to get the job done, nothing less and nothing more.

This allows the enterprise to:

·      Ensure the right people have the right access to the right resources at the right time.

·      Protect the assets of the company and its customers.

·      Reduce productivity drains and costs created when people can’t access the resources they need.

AI supports these capabilities through enforcement of entitlement management, lifecycle workflows, provisioning, privileged access management and cloud infrastructure entitlement management services, as well as the Authentication, MFA, SSO and verifiable credential services.

Change: Change manages the relationships between all the moving parts within the digital environment. Change establishes the connections between people, devices, applications, and data when they enter the environment, manages the connections while the relationship exists, and disconnects when access is no longer necessary.

This allows the enterprise to:

·      Establish and maintain the proper rights, entitlements, and restrictions in order to reduce your attack surface, because users and their identities are the most vulnerable link in a network.

·      Orchestrate identity across device, network, and application boundaries because in the absence of the traditional security perimeter, identity is the common denominator across the entire digital environment. 

·      Prevent toxic combinations through transparency of entitlements across business processes.

AI supports these capabilities through enforcement of entitlement management, lifecycle workflows, provisioning, privileged access management, cloud infrastructure entitlement management services, runtime authorization, as well as the authentication, MFA, SSO and verifiable credential services.

Manage: Manage is where the administrators of the IAM/IGA platform upgrade, configure, tune, troubleshoot, document, and audit the platform and its components.

This allows the enterprise to:

·      Incorporate new security capabilities without having to reengineer applications.

·      Increase speed to market by removing security from the critical path of service development.

·      Enhance security through the adoption of best-of-breed security and privacy components.

·      Increase agility through isolating security software releases and patches to the underlying infrastructure components.

AI supports these capabilities via the agent-enabled configuration, discovery and management tools within the IAM and IGA ecosystem.

Measure: Measure is the lens into the digital environment. It allows live behavior observation, anomaly detection, platform health checks, and deeper analysis of usage and threats. It also provides the audit and reporting capabilities necessary to prove you are performing your duty to protect.

This allows the enterprise to:

·      Understand behavior to improve user experience balanced with risk management.

·      Detect vulnerabilities before they are crises. The costs of prevention are much less than the costs of a breach. 

·      Prove compliance as required by law.

AI supports these capabilities via the agent-enabled configuration and management tools within the IAM and IGA ecosystem.

Store: Store is the shared place where the identity profiles, attributes, and relationships are kept and maintained. It may be physically centralized or distributed and contains the map which defines “who has access to what?”, often in the form of an entitlements catalog and enterprise directories.

This allows the enterprise to support two important groups:

·      For customers, it becomes the backbone for the entire customer experience; the customer data layer where all your interactions are captured.

·      For employees, it becomes a user-centric view of entitlements across the entire digital environment.

IAM and IGA administrative agents can monitor the integrity of identity stores to better ensure no identity data tampering is occurring.

We will now dissect these IAM capability descriptions in more detail below. 

Capabilities of the IAM Functional and Technical Landscape

Now, let’s look at the next level of the architecture, which we subtly tailor to identify the functional capabilities that are the foundation for a best-in-class IAM Reference Architecture. Each category is divided into multiple capabilities at a level of greater detail. For example, interfaces can be for applications / developers (APIs, messaging services), lines of business/LOBs, self-service, or even robotic processes. This applies to each category and, based on stakeholder input, use cases and priorities can be further developed into Reference Architecture patterns or templates for specific services.

Remember, at this level the Reference Architecture is not focused on the actual implementation of things that carry out these controls. Rather it is a model of what the controls are, how they work, and how they interact to assure the utility of content.

It is important to understand that these functional capabilities consider all types of objects and use cases within the IAM foundation. As ultimately implemented, different enterprises enable different IAM capabilities in different ways to meet different protection needs. And they do so differently for different content and business functions because of the different risks and potential consequences associated with failures and costs associated with protection. And they may do so with hybrid solutions that simultaneously run on-premises and in the cloud. One size does not fit all. 

The next layer of the TechVision Research Reference Architecture for IAM (see below) allows us to identify the IAM capabilities that are to be supported in the hybrid IAM infrastructure.

Figure 3: IAM Capabilities Within Reference Architecture

With this information, technical architects can rapidly zero-in on the current options (technology and process) their IAM/IGA architecture should encompass to achieve the required capabilities for the business. In the form of architecture considerations, each of the options available is then described in more detail to help identify the right approach for an optimal IAM/IGA architecture and deployment strategy. In the subsequent section, we’ll look at sample IAM/IGA Reference Architecture patterns and map them to many of the key capabilities enabled by AI. 

IAM & IGA 2.0 Reference Architecture Patterns

Now let’s look at some examples where our customers have deployed various IAM services. We will take a look at authentication, SSO, runtime access management, IGA, entitlement management and audit/monitoring capabilities in the context of the Reference Architecture for IAM / IGA 2.0. Generically, the IAM/IGA capabilities are used as input to the development of the Reference Architecture pattern illustrated below:  

Figure 4: Typical IAM Service Pattern

It is important to note that much of the overall IAM infrastructure supports or consumes the provisioning and IGA processing output. For example, the “login service” in the upper left corner relies on the IGA policies, birthright access provisioning, workflow and approvals and so on to be able to function appropriately and securely through the “App Dashboard” (PEP, for policy enforcement point) – which interacts during runtime with the access policy repository (PDP, for policy decision point), the Enterprise Directory/Cloud Directory and the entitlements catalog. 

Now, let’s take a look at this IAM architecture pattern when the enterprise determines that it wants to leverage AI to grow or strengthen existing IAM/IGA deployments. 

IAM/IGA 2.0 Pattern Example With AI

Below is an illustration of the Enterprise IAM and IGA Reference Architecture embedding AI functions:

Figure 5: IAM Reference Architecture Using AI Capabilities

As this modified pattern shows, all of the standard, required IAM and IGA capabilities as defined by our Reference Architecture are supported and enhanced with AI. The administrative and self-service interfaces along with the associated service request/response workflows are enhanced with AI, along with automated discovery, recommendations, and remediation. This is also the area where agentic AI is registered and managed, providing the authoritative source of all AI agents deployed across the enterprise. The discovery process will assist in keeping this agent registry accurate and up-to-date. 

When overlaid with AI, the robust set of IAM/IGA 2.0 capabilities become more scalable, manageable and reliable. In other words, with so many “moving parts” in terms of capabilities, the inclusion of AI to meaningfully assist in the deployment, maintenance and further refinement of the architecture is substantially valuable.   

Summary and Recommendations

Most organizations have deployed a substantial number of Identity, Security, Governance and related technologies. The introduction of AI has the potential to increase the enterprise’s reach and coverage. Furthermore, as described in this report, AI integration with IAM and IGA can bring an impactful amount of automation and assistance to the growing complexity of enterprise wide, multi-cloud, global footprint IT ecosystems, summarized as follows:

 1. Enhanced Identity Governance at Scale

  • Reduces human error and oversight in managing large identity estates.
  • Promotes zero trust and least privilege principles through intelligent insights.

 2. Improved Operational Efficiency

  • Simplifies complex IAM tasks via conversational AI.
  • Reduces administrative workload by automating access reviews, policy generation, and anomaly detection.

 3. Accelerated Security Response

  • Speeds up time-to-detection and remediation for identity-based threats.
  • Aligns with identity threat detection and remediation systems to correlate threat signals via shared signals.

 4. Better Compliance and Audit Readiness

  • AI generates audit trails and explanations for identity decisions.
  • Helps enterprises meet regulations like GDPR, HIPAA, and SOX more effectively.

 5. Support for Hybrid and Multi-Cloud Identity Scenarios

  • Works across Azure, AWS, and GCP for cloud entitlements.

 6. Support for Verifiable Credential Use Cases

  • AI helps issue, verify, and audit decentralized credentials at scale. It surfaces inconsistencies or anomalies in credential use.

The bottom line is that AI can now significantly elevate and modernize the entire IAM and IGA ecosystem, and those organizations that are currently using some combination of IAM and IGA solutions need to take a fresh look at their architecture, service capabilities and patterns. 

That said, you must also ensure your technical controls are reasonable and prudent regarding the threats, vulnerabilities, and potential consequences your risk appetite avails. Indeed, a balance must be struck between KYA and IAM/IGA to best ensure your potential breaches will be identified and mitigated before they happen. There are many advancements in the IAM capabilities of IGA, PAM, UEBA, risk scoring, trust scoring and emerging agentic AI security that can provide most organizations with the technology needed to reduce agentic AI risk. Do not delay getting your arms around this potentially crushing risk that is already alive, well and hungry…

At a minimum, organizations should understand that AI is changing the IAM and IGA landscape and it is a good time to assess requirements, evaluate your current state, assess gaps and architect your next generation solution. TechVision generally recommends a structured approach to such a critical infrastructure element as IAM and IGA, and has developed a Reference Architecture that may be useful in evaluating the set of capabilities necessary for your future state IAM/IGA 2.0 foundation. With over 35 years of experience helping organizations of all sizes, in all industries around the world, TechVision can help you with this process.  

About TechVision

World-class research requires world-class consulting analysts, and our team is just that. Gaining value from research also means having access to research. All TechVision Research licenses are enterprise licenses; this means everyone that needs access to content can have access to content. We know major technology initiatives involve many different skillsets across an organization and limiting content to a few can compromise the effectiveness of the team and the success of the initiative. Our research leverages our team’s in-depth knowledge as well as their real-world consulting experience. We combine great analyst skills with real world client experiences to provide a deep and balanced perspective.

TechVision Consulting builds off our research with specific projects to help organizations better understand, architect, select, build, and deploy infrastructure technologies. Our well-rounded experience and strong analytical skills help us separate the “hype” from the reality. This provides organizations with a deeper understanding of the full scope of vendor capabilities, product life cycles, and a basis for making more informed decisions. We also support vendors in areas such as product and strategy reviews and assessments, requirement analysis, target market assessment, technology trend analysis, go-to-market plan assessment, and gap analysis.

TechVision Updates will provide regular updates on the latest developments with respect to the issues addressed in this report.

About The Authors

Doug Simmons brings more than 25 years of experience in IT security, risk management and identity and access management (IAM). He focuses on IT security, risk management and IAM. Doug holds a double major in Computer Science and Business Administration.

While leading consulting and security at Burton Group for 10 years, and leading global identity management/security consulting at Gartner for 5 years, Doug has performed hundreds of engagements for large enterprise clients in multiple vertical industries including financial services, health care, higher education, federal and state government, manufacturing, aerospace, energy, utilities and critical infrastructure.

Gary Rowe is a seasoned technology analyst, consultant, advisor, executive and entrepreneur. Mr. Rowe helped architect, build and sell two companies and has been at the forefront of the standardization and business application of core infrastructure technologies over the past 35 years. Core areas of focus include:

Identity and Access Management, business/technology trends, cloud computing, security/risk management, privacy, innovation, AI, new IT/business models and organizational strategies.

Prior to starting TechVision Research, he was President of Burton Group, the leading technology infrastructure research and consulting firm, from 1999 to 2010. Mr. Rowe grew Burton to over $30 million in revenue on a self-funded basis, sold Burton to Gartner in 2010 and supported the acquisition as Burton President (now Gartner for Technical Professionals) at Gartner.
