2025 will soon pass into the history books, and we look forward to 2026. What trends in cybersecurity will shape the year? We dig out our crystal ball and take a look.
 

Looking back at our predictions for 2025, we can see that we were accurate with most of them, even if we discussed them a little differently than expected. One example is cloud repatriation and the drive to move workloads back on-premises. It remains a significant trend, but not primarily due to skyrocketing cloud service fees, rather because of a changing and unpredictable world.

And yes, there was AI everywhere. That will not go away in 2026, by any means. But to help prevent AI fatigue, we saved most of that for the end of our list. There are many other things to watch for in 2026. 


1. Cyber Resilience Act is approaching

Another year, another EU regulation. With NIS2 and DORA active, now is the time to adapt to CRA, or the Cyber Resilience Act. As usual with new regulations, there are many aspects of CRA to address to ensure compliance. One way to achieve this is to move workloads on-premises.
Having your data on-premises means you have full control, making compliance easier. While cloud services are not inherently bad in this regard, it becomes more difficult to see where your data actually resides and who can access it. 

2. Digital sovereignty as the primary strategy

This brings us to the second point in our list, because CRA is just one of many factors emphasizing the importance of owning your own data, identities, and similar assets. There is a growing trend to move away from cloud services affected by the US CLOUD Act, either to your own on-premises infrastructure or to more local cloud providers. Geopatriation is the word of the day if you have grown tired of using cloud repatriation.
Of course, choosing security solutions made in Europe, whether for on-premises strategies or local cloud options, will make it much easier to manage this new world of increased data sovereignty requirements. 


3. Passwords finally go the way of the Dodo?

Maybe more of a heartfelt wish than a prediction from us, but still an important one. Passwords are not secure, and they remain a very common way to breach an organization. Microsoft recently reported that they track more than 7,000 password attacks per second.
Fortunately, multi-factor authentication exists and is still an effective strategy, especially when you can unify logins for all applications and services within your organization using the same authentication method. Or you can take it a step further and deploy passkeys organization-wide for even better security, centrally managed and covering all your login needs. 

4. Regulations make ZTNA essential

The mindset and strategy of zero trust network access, ZTNA, is not new, but regulations like NIS2 make it much harder to ignore. Verifying every request is not just about compliance; it’s a strong foundation for your entire security strategy. Coupled with the end of passwords above, and a solid plan for securing digital identities below, ZTNA is an excellent way to ensure security and protect your valuable data, not just check a box for compliance. 
 


5. AI emphasizes the importance of identity management

We saved AI for last, just as promised. And AI continues to seep into every aspect of our lives. Most of the time, it makes work faster or life easier for us. But the dark side of the AI moon is that bad actors are increasingly using it for cyber attacks. Faking identities is becoming easier and can now be done on a large scale. That means it is imperative that you protect your digital identities at every turn. Deploying passkeys or other means of MFA protects one part. But you also need an organization-wide strategy for securing digital identities. Make sure to create a single source of truth and let all applications, services, and systems draw from that source. That enables you to have consistency and also to provision and deprovision accounts automatically. It creates a solid foundation and allows you to close any security gaps across your entire organization from one single place, protecting your identities and limiting your possible attack surface.