As your organization scales, identity and access management (IAM) difficulties can compound quickly as the environment becomes more distributed and complex, and new security threats continue to evolve. Year after year, industry threat intelligence reports find that compromised credentials remain the number one threat to security, according to the Verizon 2025 Data Breach Investigations Report.
The good news? With the right preparation, you can stay ahead of the most common IAM risks. Let’s explore the emerging IAM trends and what you can do to address them proactively.
6 trends shaping the next phase of IAM
Jason Waits is the Chief Information Security Officer at Inductive Automation, an organization specializing in industrial software solutions. Waits started using Cisco Duo multi-factor authentication (MFA) in 2018. Since the initial rollout, the company has grown nearly 30% year over year, and Waits has seen its cyberattack surface expand with the use of SaaS services and a larger workforce.
“As we’ve grown and matured, so has Duo, providing the features we need when we need them to keep on top of threats,” said Waits.
To keep pace with the organization's growth, Inductive Automation has scaled its implementation to strengthen device trust, streamline IAM, and build phishing resistance. Here are some of the ways you too can prepare for the next phase of IAM.
1. More session hijacking
The trend:
Session hijacking—where an attacker steals a user’s active session ID to impersonate them—is rapidly increasing. According to the 2024 IBM X-Force Threat Intelligence Index, the use of stolen credentials to access valid accounts surged 71% over the previous year.
How to prepare:
Cisco Duo Passport’s Session Token Theft Protection is a breakthrough in authentication security. It removes session cookies from the Duo authentication flow entirely, relying instead on the hardware security modules built into modern devices.
2. More identities to cover
The trend:
As you scale, you have more identities to track, including different identity stores, third-party accounts, and non-human identities such as agents and service accounts. The average enterprise identity stack is spread across nearly five separate systems.
How to prepare:
Identity sprawl is a challenge for growing organizations. Consider an identity broker that ensures every authentication is routed to the right place with the most effective security policy and controls in place. With Cisco Duo as your identity broker, you can easily separate employee and contractor access or connect multiple disparate identity stores with one seamless MFA experience.
3. More apps to authenticate
The trend:
A survey by Cisco Duo found that 69% of security and IT leaders are worried that MFA isn’t deployed across all devices and apps. As an organization grows, it adds more apps, employees, and resources, leading to more authentications to cover.
How to prepare:
In the case of Inductive Automation, to keep up with its growing distributed workforce, the security team ramped up its use of Cisco Duo, including onboarding over 50% more users, helping reduce the number of authorizations it needs. Every edition of Duo includes protection for unlimited applications, meaning app security can scale as an organization grows.
4. More complex policy setting
The trend:
Setting up a new policy or updating an existing one is time-intensive, and policies only get more complex and harder to keep up to date as an organization's workforce becomes more diverse. Policy changes to increase security requirements can quickly cause friction among end users.
How to prepare:
Set a risk-based authentication policy for remembered devices to reduce user friction while still ensuring security. Cisco Duo’s powerful and intuitive policy engine helps to customize the security experience and provide granular access to applications and resources, with new tools to help admins recommend and test policy changes.
5. More third-party users
The trend:
Unauthorized access risks increase as the number of partners, agencies, suppliers, and contractors expands—each with their own identities, devices, and permissions. The Verizon 2025 Data Breach Investigations Report found that 30% of all breaches involved a third party—double the previous year.
How to prepare:
Set up security from day one and streamline third-party access with Cisco Duo Directory, adding MFA, device trust, and SSO policies out-of-the-box. That’s the approach Waits took: “Now when we have a contractor that needs access, we just invite their existing email addresses into Duo Directory without having to create all those other sprawling identities.”
6. More agentic AI
The trend:
The rise of AI agents and technologies like Model Context Protocol (MCP) servers enables AI to securely interact with your company’s applications and data, which can pose risks to permissions, trust, and visibility.
How to prepare:
The core tenets of zero trust and least privilege access still hold true in a world that moves at machine speeds. Cisco Duo's solution for agentic AI transforms AI security from a reactive challenge into a proactive enabler, adding visibility, lifecycle governance, and fine-grained authorization controls. Looking ahead, Waits anticipates AI’s role as a new threat vector: “AI is basically acting as an identity in some fashion via API keys and essentially passwords—another identity we have to protect.”
Scaling organizations must frequently adapt to stay in compliance with advancing identity security needs. Cisco Duo continues to add new features to keep organizations ready for what comes next with IAM. Try Cisco Duo for free with a 30-day trial.