
What the Gartner IAM 2025 Summit Revealed About the Future of Identity Governance

Chaithanya Yambari
Co-founder and CTO, Zluri
December 10, 2025
About the author

Chaithanya Yambari is the Co-founder and CTO at Zluri, where he oversees the product and technology roadmap. An engineer from BITS Pilani, Chaithanya leads the development of intelligent and scalable Identity Governance and Administration solutions, with a focus on simplifying complex identity processes through automation and thoughtful design. Before Zluri, he headed engineering at KNOLSKAPE and scaled the platform for global customers. Outside work, he’s an avid traveler who has visited more than 28 countries, and a professionally trained baker who enjoys experimenting with new recipes on weekends.

After three days at the Gartner IAM Summit 2025 in Grapevine, Texas, one thing was clear. The identity governance market is fragmenting and consolidating at the same time, and the winners will be the teams that master visibility before governance.

The IVIP moment has arrived

Gartner has formalized a new market category called Identity Visibility and Intelligence Platforms (IVIP). It validates the approach we’ve taken at Zluri from day one. The definition reads like our product spec sheet: "products that provide rapid integration and visibility for IAM-relevant data, typically paired with advanced analytics capabilities."

What makes IVIP different from traditional IGA? It's the sequencing. Legacy IGA vendors built governance workflows first and bolted on visibility as an afterthought. They assumed organizations knew what applications they had, what access existed, and who owned what. In reality, about 60% of SaaS applications in the average enterprise exist outside the purview of SSO and traditional identity systems.

At Zluri, we built discovery and visibility first, because you can’t govern what you can’t see. Our patented discovery engine finds applications that traditional IGA vendors don’t even know exist. That’s exactly what IVIP calls for.

AI in Identity: Where It Actually Works

The Gartner sessions on AI use cases in IAM offered a sobering framework. Not all AI applications are created equal, and the conference explicitly warned against "spreading your team thin trying 25 things."

Four use cases emerged as genuinely high-value:

  1. Access modeling for authorization rules: Discovering the policies that should govern access, not just recommending approve/deny decisions
  2. Account takeover mitigation: ATO remains the primary attack vector, and AI-powered behavioral analytics can detect credential abuse
  3. Posture issue identification: Now referred to as ISPM, Identity Security Posture Management, which continuously tracks configuration drift and excess permissions.
  4. Report generation: Using AI to pull together insights across systems through natural language queries

Each of these is system-specific. An AI model trained to understand access patterns in Salesforce won't automatically work for Workday. This has profound implications for product architecture. We need composable AI that adapts to each integration, not monolithic models that claim to work everywhere.

The 82:1 Problem: The Non-Human Identity Explosion

Perhaps the most striking statistic from the conference: non-human identities now outnumber human identities 82:1 in the average enterprise. In cloud-native environments, that ratio can reach 40,000:1. And 99% of service accounts are over-permissioned.

This is the NHI (Non-Human Identity) tsunami that every IGA vendor is scrambling to address. The OWASP NHI Top 10, released in 2025, codifies risks we've been tracking: improper offboarding, secret leakage, long-lived credentials, and environment isolation violations.

To ensure robust security, companies must expand identity governance beyond humans to include non-human identities.

ISPM and the Shift to Continuous Identity Security

Identity Security Posture Management emerged as a distinct discipline at the conference. It’s where IVIP meets security operations. ISPM isn't a product; it's a framework of continuous assessment covering:

  • Misconfigured MFA policies
  • Over-privileged accounts that violate least privilege
  • Dormant accounts that expand the attack surface
  • Orphaned permissions from incomplete offboarding
  • SoD violations that create compliance risk

The keyword is continuous. Traditional IGA works in cycles, like quarterly access reviews and annual certifications. ISPM works in real time. That shift lines up well with an always-on discovery architecture that Zluri offers.
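The five posture checks listed above, as an added example that is not from the original post or from any vendor's product: a single assessment pass over a constructed identity inventory, meant to be re-run on every inventory change rather than once a quarter. The record fields, the 90-day dormancy threshold, the unused-permission ratio and the SoD conflict pair are all assumptions made for illustration.

```python
from datetime import date

# Constructed sample inventory (not real data): one record per identity.
TODAY = date(2025, 12, 10)
IDENTITIES = [
    {"id": "alice", "kind": "human", "active_in_hr": True, "mfa": True,
     "last_login": date(2025, 12, 1), "granted": {"crm:read", "crm:write"},
     "used": {"crm:read", "crm:write"}},
    {"id": "bob", "kind": "human", "active_in_hr": False, "mfa": True,
     "last_login": date(2025, 6, 2), "granted": {"erp:read"}, "used": set()},
    {"id": "carol", "kind": "human", "active_in_hr": True, "mfa": False,
     "last_login": date(2025, 12, 9),
     "granted": {"ap:create_vendor", "ap:approve_payment"},
     "used": {"ap:create_vendor", "ap:approve_payment"}},
    {"id": "svc-etl", "kind": "service", "active_in_hr": None, "mfa": None,
     "last_login": date(2025, 12, 10),
     "granted": {"db:read", "db:write", "db:admin", "s3:delete"},
     "used": {"db:read"}},
]

# Assumed policy values for this example.
DORMANT_DAYS = 90                      # no login for longer than this = dormant
MAX_UNUSED_RATIO = 0.5                 # more than half of grants unused = over-privileged
SOD_CONFLICTS = [{"ap:create_vendor", "ap:approve_payment"}]

def assess(identity, today=TODAY):
    """Return the list of posture findings for one identity record."""
    findings = []
    granted = identity["granted"]
    if identity["kind"] == "human" and identity["mfa"] is False:
        findings.append("mfa_missing")
    unused = granted - identity["used"]
    if granted and len(unused) / len(granted) > MAX_UNUSED_RATIO:
        findings.append("over_privileged")
    if (today - identity["last_login"]).days > DORMANT_DAYS:
        findings.append("dormant")
    # Left the organisation (per HR) but still holds grants: incomplete offboarding.
    if identity["active_in_hr"] is False and granted:
        findings.append("orphaned_permissions")
    if any(conflict <= granted for conflict in SOD_CONFLICTS):
        findings.append("sod_violation")
    return findings

def posture_report(identities=IDENTITIES):
    """Map identity id -> findings, omitting identities with a clean posture."""
    report = {i["id"]: assess(i) for i in identities}
    return {ident: found for ident, found in report.items() if found}

if __name__ == "__main__":
    for ident, found in posture_report().items():
        print(ident, found)
```
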

Why Fast Time to Value Wins

Gartner shared deployment statistics that should embarrass every legacy IGA vendor: organizations report application onboarding queues of 600+ applications with 8+ year projected timelines. Only 10% achieve new access provisioning within 2 days.

The conference explicitly recommended "Minimum Viable Deployment" strategies. Start with 5-10 high-value applications, prove value, and expand. This is how Zluri already works with its customers. We don't require 18-month implementations with armies of consultants. We get customers to value in weeks.

This isn't just a go-to-market advantage; it's a technical architecture decision. Cloud-native, API-first, and pre-built integrations are what enable rapid deployment.

The Shift Toward Modern Authorization

AuthZen, the OpenID Foundation's new authorization standard, demonstrated interoperability with 15 vendors at the summit. It's being positioned as "the OpenID Connect for authorization" - a standardized way for applications to request and receive fine-grained access decisions.

Most teams already understand authentication. OIDC solved a clear problem. It answered a simple question: who are you?

Authorization has been harder. It answers a more complex question. Who or what is allowed to do what, on which resource, and under what conditions? Historically, this has been fragmented, inconsistent, and deeply embedded inside applications.

That approach no longer scales because:

  • Architectures are distributed and API-driven
  • Non-human identities such as services, pipelines, and agents now outnumber humans
  • Access decisions are high frequency and context dependent
  • Security and compliance require explainability and auditability

This is the gap AuthZen is trying to close.

The authorization model itself is also evolving beyond basic RBAC (role-based access control). We're seeing convergence around:

  • ABAC (attribute-based) for contextual decisions
  • ReBAC (relationship-based) for hierarchical permissions
  • PBAC (policy-based) as the architectural pattern that unifies them

Authorization-native platforms are gaining traction by making authorization data visible and governable.
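How the three models fit together, as an added example that is not from the original post: a small policy decision point where policies are data (PBAC), each policy names a required relationship (ReBAC) and an attribute condition (ABAC), and every decision reports the policy that produced it. The request shape of subject, action, resource and context follows the question posed above and is an assumption of this example, not the AuthZen wire format; all names and tuples are constructed.

```python
# Constructed relationship tuples (subject, relation, object) for the ReBAC part.
# ("folder:invoices", "parent", "doc:inv-42") means the folder contains the doc.
RELATIONS = {
    ("user:dana", "member", "team:finance"),
    ("team:finance", "owner", "folder:invoices"),
    ("folder:invoices", "parent", "doc:inv-42"),
    ("svc:report-bot", "viewer", "folder:invoices"),
}

def related(subject, relation, resource, seen=None):
    """ReBAC check: direct tuple, via group membership, or inherited from a parent."""
    seen = set() if seen is None else seen
    key = (subject, relation, resource)
    if key in seen:          # already explored: stops cycles in the graph
        return False
    seen.add(key)
    if key in RELATIONS:
        return True
    for s, r, o in RELATIONS:
        if r == "member" and s == subject and related(o, relation, resource, seen):
            return True
        if r == "parent" and o == resource and related(subject, relation, s, seen):
            return True
    return False

def business_hours_with_mfa(subject, context):
    """ABAC condition: human user, MFA satisfied, request made 08:00-17:59."""
    return (subject["type"] == "user" and context.get("mfa") is True
            and 8 <= context.get("hour", -1) < 18)

# PBAC: policies are data evaluated by one decision point, not code inside each app.
POLICIES = [
    {"id": "owners-edit-in-hours", "action": "edit", "relation": "owner",
     "condition": business_hours_with_mfa},
    {"id": "viewers-read", "action": "read", "relation": "viewer",
     "condition": lambda subject, context: True},
]

def decide(request):
    """Default deny; return the matching policy id so the decision is auditable."""
    subject, context = request["subject"], request.get("context", {})
    for policy in POLICIES:
        if (policy["action"] == request["action"]
                and related(subject["id"], policy["relation"], request["resource"])
                and policy["condition"](subject, context)):
            return {"decision": True, "policy": policy["id"]}
    return {"decision": False, "policy": None}
```

Here the human user inherits `owner` on the document through team membership and the parent folder, while the service identity can read but never edit, whatever context it presents.
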

Closing Thoughts

The IGA market is the largest and most crowded in IAM. That's both a threat and an opportunity. The threat is the clutter: every vendor claiming AI, every legacy platform slapping "cloud" on its marketing. The opportunity is that buyers are tired of complexity, high costs, and failed implementations.

Zluri's path forward is clear: we're an IVIP-led IGA platform built for organizations that live in the cloud. We discover what you didn't know you had, govern what matters most, and deliver value in weeks, not months.

The Gartner IAM 2025 conference confirmed what we've believed from the beginning: visibility precedes governance and the future of identity is intelligent, continuous, and cloud-native.

We're building that future.
