2025 RSAC insights: the rapid rise of autonomous identity security

The vision becomes reality

Two years ago, we shared a bold vision for identity security that needed to evolve into an autonomous solution spanning posture management, ITDR, and governance. 

Fast forward to RSA 2025, and that conversation has completely shifted. What was once a bold idea is now widely acknowledged as essential — with some vendors even claiming to be first movers in the space! It’s a remarkable validation of the vision we’ve championed over the last two years.

After walking the show floor, attending presentations, and engaging in countless conversations with prospects, customers, and even competitors, here’s my candid perspective on where identity security stands today. 

The rebranding wave:  Everyone's claiming to be an “Autonomous Identity Security Company" 

The most striking trend at RSA this year was how quickly "identity security" and "autonomous identity" became central to nearly every vendor's messaging. What stood out wasn't just the growing recognition of identity as the foundation of modern cybersecurity—it was how broadly and rapidly the market messaging and positioning aligned around this vision. Companies across diverse categories, some with only adjacent involvement in identity, repositioned themselves to reflect this shift.

Governments going all-in on identity

I've seen US federal agencies at RSA before, but the physical global government presence was fascinating. These weren't just security experts at the booths—they were clearly on a mission.

The Saudi Arabia pavilion was impressive. They're going all-in on their Vision 2030 Cybersecurity Framework, which mandates identity-centric zero trust for critical infrastructure. They've updated their Essential Cybersecurity Controls (ECC) with strict NHI governance requirements. Looks like they've set aside significant investment for security startups through Saudi Aramco's venture fund.

Germany was focused on implementing Industry 4.0 and the EU AI Act. They've published machine identity requirements for manufacturing through BSI and are developing detailed guidelines for IAM systems under Article 9 of the EU AI Act. I learned they've allocated a large investment for quantum-resistant identity protocols through TU Munich and the Fraunhofer Institute.

Singapore was showcasing its ASEAN Secure Smart Cities Exchange and particularly emphasized cross-border payment interfaces. They've established a large fund for identity startups focused on biometrics, decentralized identity, and zero-knowledge proofs.

Lastly, India is proving to be a much stronger emerging market than I initially expected. I met three different startup founders whose companies are generating higher revenues and adopting new ideas more rapidly in India compared to the U.S. I also had a valuable conversation with the CEO of the Data Security Council of India, who provided insights into how the central government is creating opportunities and opening the market, especially for Indian-founded startups.

The takeaway? Governments are no longer passive consumers of identity technology; they're actively shaping it through standards, investments, and strategic partnerships.

The real real: what everyone was buzzing about

The hallway conversations and after-hours discussions revealed the real priorities:

1. "Autonomous" everything. It feels like we've crossed some invisible threshold, and customers are now willing to hand off identity operations to AI. This is a significant shift from just a year ago, when automation was acceptable but "autonomous" was viewed with suspicion.
2. Identity-First Security - Network-centric approaches continue to lose ground to identity-centric security strategies. I heard several CISOs say something like, "Identity is the new perimeter or battleground." These words have moved from marketing slides to the mindset of security leaders.
3. Agentic AI Identity - This wasn't front-and-center in the official program, but in private conversations, everyone wanted to discuss how to secure AI agents. It's clear this will be the next battleground.
4. The "NHI Crisis" - Everyone positions unmanaged machine identities as a crisis. While there's truth to the problem, the framing feels manufactured to create urgency. Nevertheless, many organizations are scrambling to launch projects around machine identities and API tokens, partly driven by AI agent initiatives.

What lies beneath: the hidden risks and the graph approach

What many don't see is how seemingly innocuous permissions create unexpected paths for threat actors. Like a complex puzzle where each piece looks harmless, the combination of an extra cloud app access here and a forgotten service account there can create a perfect storm of vulnerability that slips past standard security reviews. 

We received strong positive feedback around how valuable it is to have both the composite nature of the access graph and the depth of the graph, all the way to resources with activity overlay and permission information. Customers understand that not all graphs are comprehensive, and we are proud of the work that went into the platform vision to show the core differentiated approach to this problem.

This isn't about creating fear—it's about revealing the invisible connections that traditional tools miss and turning silent whispers of risk into clear, actionable insights.

Oleria’s take: enterprises need comprehensive platform intelligence 

I'm proud of all the work that went into our RSA preparations. Our demos resonated with prospects - their eyes literally lit up when they saw the depth of our integrations and AI capabilities. Our vision of autonomous identity security continues to guide our strategy:

1. Double down on our platform vision - CISOs strongly supported and validated our comprehensive approach to end-to-end identity security. Some of the executives I spoke with are tired of managing 15+ identity tools. Deploying Identity technology like Microsoft Entra is not equal to achieving Identity Security. 
2. Differentiate our "autonomous" capabilities - We continue positioning ourselves as the leader in the autonomous identity security space, with measurable outcomes. Our adaptive access control, intelligent access reviews, and predictive access modeling will set us apart in the era of agentic AI.
3. Prioritize a customer-first approach - Customers don't want more data; they want curated, actionable insights. The faster and more accurately we can deliver what CISOs and SecurityOps teams need at a glance, the greater the value we provide.

RSA 2025 validated our vision but also showed that competition is intensifying rapidly. The market clearly recognizes the need for unified governance across human and machine identities, where Oleria is and will continue to be the leader in the era of agentic AI.

‍