

5 Identity trends that will define 2026 and how IAM leaders can stay ahead


    In the final months of 2025, identity-focused M&A activity accelerated. Palo Alto Networks paid $25 billion for CyberArk, ServiceNow acquired Veza, and CrowdStrike announced its intention to acquire SGNL. The pattern is clear: major security vendors are making significant investments to add identity capabilities they don't already have.

    For IAM leaders, this consolidation signals something important. Identity has proven ROI at scale, and comprehensive security stacks must now include it as a core component. But the trend also reveals a gap: while vendors race to acquire identity capabilities, many enterprises still struggle to govern the applications they already have. 

    In a recent conversation, Cerby CEO Bel Lepe was joined by Yousuf Khan, Venture Partner at Ridge Ventures and former CIO, and they identified five trends that will separate identity programs that thrive from those that stall.

    1. The great consolidation: identity goes mainstream

    The M&A wave reveals two things. First, identity is no longer a nice-to-have security feature; it's table stakes. Second, even the largest security vendors can't build comprehensive identity capabilities fast enough, so they are acquiring pieces of the identity stack instead.

    These acquisitions are not delivering end-to-end identity management. Vendors are betting on select technologies or use cases, not the full spectrum of identity governance, lifecycle management, and identity security. As a result, the same disconnected apps that challenge enterprises today often remain unaddressed.

    Consolidation alone will not solve your coverage gaps.

    What this means for you: Don't wait for vendors to solve identity coverage through acquisition. While comprehensive identity management is now table stakes, piecemeal acquisitions will not automatically extend governance to your disconnected apps. Security and IT leaders must proactively assess the gaps in their environment and build a strategic identity program now, choosing an architecture that fits their organization rather than inheriting one that does not.

    2. The structural shift: 100% coverage becomes viable

    Here's what changed: historically, it was cost- and time-prohibitive to design, build, implement, test, and deploy custom connectors for every disconnected app. Customers chose to connect the most sensitive apps while leaving others exposed. Today, modern solutions can do it quickly and cheaply with pre-built integrations and new technologies, eliminating these tradeoffs.

    This matters because the average enterprise has 370+ applications, and over 40% don't support the necessary standards or APIs to connect to existing identity tooling.

    "100% coverage is possible, and in an economically viable way where it would be foolish not to pursue it," says Bel Lepe, CEO of Cerby. "Modern identity automation technologies allow you to make up for the gaps that those disconnected apps create, without expensive custom integrations or SCIM upgrades."

    monday.com showed us that it's possible when they brought 200+ previously unmanaged applications into their identity perimeter within six months, increasing their app coverage from 20% to 78%.

    What this means for you: If you're not protecting the majority of your apps, your infrastructure is vulnerable. Set a realistic goal to protect the majority of your apps by the end of 2026. Start with your "last mile" applications: marketing tools, social media platforms, HR or finance portals, or on-premise solutions. These are your highest-risk, lowest-coverage assets, and it is now possible and economically viable to protect them quickly.

    3. The AI double-edge: new risks and new solutions

    AI is reshaping identity management in two opposing directions: creating new risks while enabling more powerful solutions. Many enterprises now use AI-powered tools, and 15% of employees are sharing sensitive data with these platforms.

    "After phishing, identity is the #2 security threat to companies now," explains Yousuf Khan, Venture Partner at Ridge Ventures. "AI enables sophisticated phishing mutations, deepfake identity theft, and accelerated credential attacks at a scale we haven't seen before."

    But AI is also the solution. Modern platforms use AI to auto-discover applications across your environment, generate integration workflows automatically, and identify over-permissioned accounts at scale. Tasks that once took months of manual effort now happen continuously in the background.

    The key is knowing where and how to use AI. While agentic systems can reduce manual effort, they introduce real risk in identity workflows, where even minimal variability is unacceptable. "When you're dealing with identity workflows, you can't tolerate even a 0.01% hallucination rate," Lepe notes. "What if the agent inadvertently puts credentials in the wrong field?" Agentic AI must be deployed with strong constraints, governed by deterministic layers to ensure predictable outcomes.

    What this means for you: Use AI for discovery, workflow generation, and anomaly detection. But avoid it for direct permission assignment or credential management, in any workflow where you can't tolerate variability. And don't forget the non-human identity explosion: for every employee, there are now 100 machine identities (APIs, service accounts, OAuth tokens). Most are over-permissioned and need immediate attention.

    4. The budget reallocation: identity's growing share

    According to KPMG, 99% of CISOs plan to increase their budgets over the next two to three years, with 42% of leaders making IAM a top budget priority.

    This isn't just about spending more; it's about recognizing what's at stake. For example, 23andMe lacked 2FA on customer accounts, and the company's value was essentially destroyed, with the personal data of millions of people around the world impacted.

    The business case for identity investment has never been clearer. Beyond preventing breaches, comprehensive identity management delivers measurable returns: monday.com reclaimed 20% of unused software licenses and $400K in manual lifecycle management costs, with a 280% ROI within the first year.

    "Security strategy is now directly linked to revenue generation," says Khan. "If you have a breach, customers lose trust in the company. That's not the CMO's job, that's the CISO's job."

    Poor identity hygiene also creates hidden costs: wasted licenses, lost productivity from access delays, and compromised marketing spend when agency credentials are breached.

    What this means for you: Reframe the budget conversation. Move from "identity is a cost center" to "identity enables revenue while reducing risk." Build your business case around revenue protection (cost of breach vs. cost of prevention), hard cost savings (license reclamation), and productivity gains. If you're still at 10-15% of the security budget, you're below market. Start planning your case for 20-30%.

    5. Identity becomes a full-time strategic function

    The days of identity being a part-time responsibility for a system administrator are over. Leading organizations are treating identity as a dedicated, strategic function, and it's showing in their security posture.

    "Identity management is a full-time job requiring focused, dedicated effort," Khan emphasizes. "Because of the sprawl, the number of applications, and the platforms you're using, identity needs to be managed with full-time focus. This is not something you can tack onto another role anymore."

    The metrics that matter are changing too. Move beyond traditional security metrics to track:

    • Coverage percentage: What % of the app landscape is governed by identity controls, prioritized by criticality and cost?
    • Time-to-access: Target under 5 minutes for standard requests
    • License utilization: Active users vs. provisioned licenses
    • Risk exception count: One pharmaceutical CISO's goal is zero identity-related exceptions

    What this means for you: Make identity a dedicated role. If you're a mid-size enterprise (500+ employees), you need at least one FTE focused solely on identity. Build governance workflows, implement automated provisioning, and create regular access reviews. Run your identity program like a product: your employees are your customers, and their experience matters.

    2026: The inflection point

    These five trends converge to make 2026 a pivotal year for identity and access management. The technology has matured, the economics have fundamentally shifted, and organizational understanding of identity's strategic importance has finally caught up to reality.

    For years, identity programs stalled after securing only the most critical applications, often covering just 30%-40% of the enterprise. That constraint is no longer technical or economic. Modern automation and AI techniques now make near-total app coverage achievable and realistic.

    The gap between leading identity programs and lagging ones will widen significantly this year. Organizations that act now can achieve broader application coverage, eliminate manual provisioning workflows, and secure their AI tool adoption before it becomes ungovernable. Those who wait will accumulate technical debt, face mounting breach risk, and lose competitive ground.

    "Identity is not an end destination, it's an incremental strategy that's multifaceted and complex," Khan notes. "But with the right approach, 2026 can be the year your identity program matures from tactical to strategic."

    The question isn't whether to invest in comprehensive identity management. The question is whether you'll lead this transformation or be forced to catch up later at higher cost and greater risk.

    This post was adapted from a live executive discussion. For more context and perspective on these trends, watch the full conversation between Bel Lepe and Yousuf Khan.

     
