Identity Management in 2026: Five Trends Moving IAM to the Boardroom

19.02.2026

Author: Kari Mattsson, founder of Trivore

A year ago, identity management trends were distilled into passwordless authentication, integrations, and regulation. In just twelve months, the world has changed more than in the previous five years combined.

Geopolitical tensions have transformed cloud strategy into a question of sovereignty. Artificial Intelligence has emerged as a force that both threatens and fortifies identity management. The identities of machines and software agents have exploded beyond traditional control. Meanwhile, the EU Digital Identity Wallet is nearing deployment, and the market is consolidating at a breakneck pace.

Identity and Access Management (IAM) has migrated from the IT department to the boardroom agenda – not by choice, but by necessity. Finland’s Cybersecurity Act now places personal liability on leadership; attackers no longer “break in” to systems but simply “log in” using stolen identities; and a single flawed architectural choice can tether an organisation to the legislation of a foreign state.

Here are the five key trends defining identity management in 2026.

1. Geopolitics and Data Sovereignty: Identity is the New Interface

Cloud strategy is now a geopolitical statement, not merely a technical decision. Geopatriation – named by Gartner as a strategic trend for 2026 – describes the phenomenon where organisations move workloads and data from global public clouds to local or sovereign environments. Over 60% of West European IT leaders now expect geopolitics to drive them toward local service providers.

In November 2025, France and Germany hosted the EU Digital Sovereignty Summit, introducing EuroStack: a strategic framework for building European alternatives in cloud services, AI, and cybersecurity. Simultaneously, AWS launched its European Sovereign Cloud in January 2026, promising that metadata, identity management, and billing remain within the EU. However, European trust is not guaranteed; the Chief Digital Officer of Airbus has publicly questioned whether US-based hyperscalers can ever truly be immune to extraterritorial legislation.

This isn’t just about perception. The US CLOUD Act allows authorities access to data managed by US providers, regardless of physical location. Identity management sits at the heart of this debate because it dictates who can access what data and under what conditions. If your IAM system runs on a US platform, your sovereignty strategy ultimately rests on the laws of another nation.

2. Generative AI: The Threat, the Defender, and the Tool

AI is reshaping identity management from three directions simultaneously:

  • AI as a Threat: Attackers are already using GenAI to launch personalised phishing campaigns at machine speed. Deepfake technology has moved from experimentation to production: AI-generated voices have successfully bypassed bank phone authentication, and real-time video spoofs can now impersonate corporate leadership. Traditional MFA methods are increasingly inadequate against MFA fatigue, SIM swapping, and session hijacking.
  • AI as a Defender: These same technologies are bolstering our defences. Continuous behavioural monitoring and predictive anomaly detection allow identity-based attacks to be thwarted in real time, far faster than manual oversight. AI also streamlines everyday IAM operations: role mining, automated provisioning, and data cleansing reduce deployment times and human error.
  • Securing AI Tools: The third dimension is protecting an organisation’s own AI tools. As AI assistants and agents operate in production environments, their access to data must be governed as rigorously as that of human users. This requires a shift from static rules toward context-aware access management, where decisions are based on real-time trust assessments.

3. Non-Human Identities: The Invisible Attack Surface

Service accounts, API keys, automation bots, IoT devices—and now AI agents. The number of non-human identities (NHIs) has exploded relative to human users. Industry research suggests the ratio is typically 100:1, reaching as high as 500:1 in some organisations. Yet, the vast majority of these identities remain outside formal IAM processes.

The problem isn’t new, but the scale is. Five years ago, a typical enterprise app was a monolith talking to a database. Today, microservice architectures generate dozens or hundreds of service identities for a single application. Add autonomous AI agents that cross system boundaries, and the traditional IAM model simply cannot keep up. This accumulated “identity debt” must be addressed systematically; an organisation cannot protect identities it doesn’t know exist.

In 2026, OWASP published both the Non-Human Identities Top 10 and the Agentic Applications Top 10. According to the Cloud Security Alliance, 78% of organisations have yet to define policies for creating or decommissioning AI identities. This is a challenge that demands immediate attention, not further planning.

4. Identity Fabric: The Year of Consolidation

The IAM market is consolidating more aggressively than ever. Palo Alto Networks acquired CyberArk for $25 billion; ServiceNow bought Veza; CrowdStrike announced the acquisition of SGNL. The message is clear: identity has become the core of security architecture, and the major players want it integrated into their platforms.

For organisations, this creates pressure to move away from fragmented point products toward a unified identity architecture, or Identity Fabric. This is a logical layer that provides identity services via APIs and event-driven architectures, regardless of whether the target is a cloud system, a legacy app, or an AI agent. Crucially, this layer manages human, machine, and AI identities under a single set of principles.

A modular, microservice-based Identity Fabric also enables future-proofing in a way monolithic systems cannot. When NIST released the first Post-Quantum Cryptography (PQC) standards in August 2024, the clock started ticking. Organisations must be able to update cryptographic algorithms without replacing their entire infrastructure. This “crypto-agility” is a natural feature of an architecture built to be modular from the ground up.

5. EUDI Wallet and Regulation: The CIAM Turning Point

By December 2026, every EU member state must provide citizens with at least one certified EUDI Wallet—a digital identity wallet that enables authentication for both public and private services across the Union. From November 2027, organisations requiring strong authentication will be legally obligated to accept the wallet.

This represents a paradigm shift for Customer Identity and Access Management (CIAM). Previously, organisations built their own registration and login flows. With the EUDI Wallet, a user can prove their identity or a specific attribute—such as age or professional qualification—without the organisation needing to collect or store excessive personal data. This “selective disclosure” reduces data risk and simplifies GDPR compliance.

Furthermore, the regulatory environment is tightening. Finland’s Cybersecurity Act (124/2025), which implements the EU’s NIS2 directive, came into force in April 2025 and is being strictly enforced this year. Section 10 of the Act places personal liability on senior management for cybersecurity risk management—cybersecurity can no longer be “delegated” away to IT. The sanctions are significant: up to €10 million for key entities, with personal bans for leadership in cases of repeated negligence. IAM is at the heart of this compliance, as it governs access to critical systems and data.

What does this mean in practice?

The identity management trends of 2026 are inextricably linked. Data sovereignty requires a European IAM architecture. AI is transforming both the threat landscape and our defences. Non-human identities demand that we extend governance to all digital actors. Identity Fabric provides the architectural answer to these challenges, and the EUDI Wallet opens a new chapter in customer identity.

The common conclusion is clear: identity management is no longer a support function to be buried in the IT department. It is a strategic decision that dictates an organisation’s ability to operate, grow, and survive in a volatile environment.

Trivore: A European Identity Fabric

Trivore is building a European identity management platform designed specifically for these challenges. Our microservice-based architecture functions as an Identity Fabric, unifying human, machine, and AI agent identities into a single, manageable whole—from legacy systems to the cloud and EUDI Wallet integrations.

Our approach to AI is a conscious choice: AI serves as an intelligent extension layer to enhance operations, strengthen defences, and enable context-aware access. However, our core engine remains deterministic; in identity management, predictability is a prerequisite for security, not an optional feature.

As a European provider, we do not depend on the infrastructure of US hyperscalers. This makes our promise of sovereignty credible—it is not marketing speak, but an inherent feature of our architecture.

Would you like to discuss how these trends impact your organisation’s identity management strategy? Get in touch—let’s build a sustainable foundation together.
