Industry Insights · 8 min read · Jan 6, 2025

The State of Identity Security in 2025: Trends and Predictions

Identity security in 2025: passkeys, ITDR, non-human identities, and AI-driven attacks. The trends and predictions shaping the year ahead.

Product Team, Revealer.US

The Year Identity Becomes the Perimeter, For Real

Every year since roughly 2019 has been declared the year of identity security. 2025 is different only in that the claim has finally stopped being aspirational. The 2024 reporting from Verizon, Mandiant, and CrowdStrike converges on the same picture: stolen credentials, phished sessions, and abused tokens rank at or near the top of initial access vectors in each report, alongside software exploitation, and the headline intrusions of the year were carried out through accounts and tokens rather than malware. Identity security is no longer a subdomain of IAM or a budget line inside endpoint. It is the surface that most determines whether an organization gets breached this year.

The trends shaping 2025 are not speculative. They are already in production at the organizations setting the pace, and the gap between those organizations and everyone else is widening. Here is how we see the year unfolding and what security teams should put on their 2025 identity security roadmap.

Trend 1: Passkeys Cross the Adoption Chasm

Passkey adoption has been slow-building since FIDO2 shipped, but 2024 was the inflection year. Google reports hundreds of millions of personal accounts now using passkeys. Apple, Microsoft, and 1Password all ship passkey sync across their ecosystems. The enterprise side lagged, but Okta, Entra ID, Duo, and Ping all now support passkey enrollment as a first-class factor, and the shift from early adopter to mainstream is underway.

What to expect in 2025

  • Major SaaS vendors will default new tenants to passkey-preferred authentication
  • NIST SP 800-63-4 (still in public draft as of this writing) and OMB memo M-22-09 push federal agencies and their contractors toward phishing-resistant MFA, which in practice means FIDO2/WebAuthn passkeys (synced or device-bound) or PIV smart cards
  • A visible split will emerge between organizations that have rolled out passkeys and those still relying on TOTP and push notifications, and the latter will remain the primary target for AitM phishing, because a one-time code or push approval relayed through a proxy is exactly what those kits capture

Passkeys are not a silver bullet. They do not protect against session hijacking after login: a stolen cookie or refresh token works the same regardless of how the session was established, so session lifetime, device-bound session credentials, and token theft detection still matter. Synced passkeys inherit the security of the iCloud, Google, or password-manager account that syncs them. They complicate shared-account workflows, and enrollment UX still trips up users. But as a defense against the AitM phishing that dominated 2024, nothing else comes close.
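To make the AitM point concrete, here is an added example (not code from the post or from Revealer.US) of the binding checks a relying party runs on a WebAuthn assertion before it verifies the signature. The RP ID, origin, challenge, and sample assertions are constructed for illustration; the signature check itself, which a WebAuthn library performs over authenticatorData plus the hash of clientDataJSON, is deliberately left to that library so the example stays focused on why a proxied login fails.

```python
import base64
import hashlib
import json
from typing import Tuple

# Hypothetical relying party (assumption for this example, not from the post).
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: bytes, last_counter: int = 0) -> Tuple[bool, str]:
    """Binding checks an RP runs on a WebAuthn assertion before verifying the
    signature over authenticator_data || sha256(client_data_json).

    The origin and rpIdHash checks are what make passkeys phishing-resistant:
    the browser, not the page, writes the origin into clientDataJSON, and the
    authenticator only signs for an RP ID that is a registrable suffix of that
    origin, so an AitM proxy on another domain cannot obtain a usable assertion.
    """
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type %r" % cd.get("type")
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin %r does not match %r" % (cd.get("origin"), EXPECTED_ORIGIN)
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match RP ID"
    flags = authenticator_data[32]
    if not flags & 0x01:
        return False, "user presence (UP) flag not set"
    if not flags & 0x04:  # this RP's policy requires user verification (assumption)
        return False, "user verification (UV) flag not set"
    counter = int.from_bytes(authenticator_data[33:37], "big")
    if counter != 0 and counter <= last_counter:
        return False, "signature counter did not increase (possible cloned authenticator)"
    return True, "binding checks passed; signCount=%d, verify signature next" % counter


# Helpers that build the two client-supplied structures for constructed test cases.
def build_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def build_authenticator_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> bytes:
    # rpIdHash (32) || flags (1; 0x05 = UP|UV) || signCount (4, big-endian)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


if __name__ == "__main__":
    challenge = b"constructed-32-byte-challenge!!!"  # constructed server challenge
    cases = {
        "genuine login": (build_client_data(EXPECTED_ORIGIN, challenge), build_authenticator_data(RP_ID)),
        "AitM proxy on look-alike domain": (build_client_data("https://login-example.com", challenge),
                                            build_authenticator_data(RP_ID)),
        "replay of an old assertion": (build_client_data(EXPECTED_ORIGIN, b"x" * 32),
                                       build_authenticator_data(RP_ID)),
    }
    for name, (cdj, auth) in cases.items():
        ok, why = check_assertion_binding(cdj, auth, challenge)
        print("%-32s %s: %s" % (name, "ACCEPT" if ok else "REJECT", why))
```

In practice the proxied case never even reaches the server: the victim's browser refuses to call the authenticator because the RP ID the proxy relays is not a suffix of the look-alike origin. The server-side origin and rpIdHash comparison is defense in depth against a client that does not enforce that rule, and the counter check catches an authenticator that has been cloned.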

Trend 2: ITDR Goes Mainstream

Identity Threat Detection and Response (ITDR) was a new Gartner category in 2022 and a crowded product space by the end of 2024. In 2025 it becomes a standard line item alongside EDR and SIEM. The thesis is simple: authentication logs alone do not tell you whether an identity has been compromised, because the interesting attacks happen after login.

What ITDR covers

  • Session-level behavioral analysis (geography, user agent, device posture drift mid-session)
  • Detection of OAuth app consent abuse and risky third-party grants
  • Privilege-escalation detection across federated directories
  • Identification of dormant, orphaned, and over-privileged accounts
  • Correlation of identity signals across SaaS, IaaS, and on-prem directories

Expect consolidation. The standalone ITDR vendors will either get acquired or bundled into broader XDR and SSE platforms. CrowdStrike's acquisition of Preempt, Microsoft's Defender for Identity, and Cisco Duo's investments all point to the same trajectory. Buyers in 2025 should pay less attention to the acronym and more attention to whether the product actually correlates behavior across their identity fabric.

Trend 3: Non-Human Identities Become the Bigger Attack Surface

For most organizations, human employees are now outnumbered ten to one or more by non-human identities: service accounts, machine tokens, API keys, CI/CD runners, OAuth app principals, and service principals. These identities rarely have MFA, frequently have excessive permissions, and often live with static credentials that never rotate.

The high-profile 2024 disclosures at Cloudflare, Microsoft, and several SaaS vendors all turned on compromised non-human identities. Cloudflare's intrusion, disclosed in early 2024, began with a service token and service-account credentials that had been exposed in the 2023 Okta breach and never rotated. The Midnight Blizzard intrusion into Microsoft began with a password spray against a legacy, non-production test tenant account that had no MFA, then pivoted through a legacy test OAuth application that held elevated access to the corporate environment, ending with the full_access_as_app role on Exchange Online and access to senior staff mailboxes. The pattern is consistent: humans get the MFA attention, machines get forgotten, and the machines hold the kingdom keys.

What to prioritize

  1. Inventory every non-human identity across cloud and SaaS (most organizations cannot currently produce this list)
  2. Rotate static credentials and move toward short-lived, workload-identity-based authentication (OIDC federation from CI/CD runners to the cloud provider, managed identities for cloud workloads), so that there is no long-lived secret to steal
  3. Apply least privilege to service principals with the same rigor as human admin roles
  4. Monitor machine identity behavior for anomalies, because OAuth tokens that suddenly authenticate from a new region are as suspicious as a human session doing the same

Vendors like Astrix, Oasis, Entro, and Clutch Security built their businesses around this gap. In 2025 their capabilities get absorbed into broader identity governance suites, but the problem gets worse before the tooling catches up.
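As an added example covering both the session-level drift detection that ITDR products perform (Trend 2) and the machine-identity anomaly in item 4 above, the following script, which is not Revealer.US code, runs three rules over a handful of constructed identity-provider events: a session whose country or user agent changes mid-session, a principal that changes country faster than the travel window allows, and a service principal authenticating from a region outside its constructed 30-day baseline.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed identity-provider events for the example (not real logs); times are UTC.
EVENTS = [
    {"ts": "2025-01-06T09:00:00", "principal": "alice@corp.example", "kind": "user",
     "session": "s1", "ip": "203.0.113.10", "country": "US", "ua": "Chrome/120 Windows", "action": "login"},
    {"ts": "2025-01-06T09:05:00", "principal": "alice@corp.example", "kind": "user",
     "session": "s1", "ip": "203.0.113.10", "country": "US", "ua": "Chrome/120 Windows", "action": "api_call"},
    # Same session cookie, now replayed from a different country and browser.
    {"ts": "2025-01-06T09:20:00", "principal": "alice@corp.example", "kind": "user",
     "session": "s1", "ip": "198.51.100.7", "country": "DE", "ua": "Firefox/121 Linux", "action": "api_call"},
    {"ts": "2025-01-06T09:00:00", "principal": "sp:ci-runner-prod", "kind": "service_principal",
     "session": "t1", "ip": "203.0.113.50", "country": "US", "ua": "azure-cli/2.55", "action": "token_refresh"},
    # A leaked service-principal secret used from outside its normal region.
    {"ts": "2025-01-06T11:00:00", "principal": "sp:ci-runner-prod", "kind": "service_principal",
     "session": "t2", "ip": "192.0.2.200", "country": "NL", "ua": "python-requests/2.31", "action": "token_refresh"},
    {"ts": "2025-01-06T10:00:00", "principal": "bob@corp.example", "kind": "user",
     "session": "s2", "ip": "192.0.2.44", "country": "GB", "ua": "Safari/17 macOS", "action": "login"},
    {"ts": "2025-01-06T10:30:00", "principal": "bob@corp.example", "kind": "user",
     "session": "s2", "ip": "192.0.2.44", "country": "GB", "ua": "Safari/17 macOS", "action": "api_call"},
]

# Constructed 30-day baselines of countries each principal normally authenticates from.
BASELINE_COUNTRIES: Dict[str, Set[str]] = {
    "alice@corp.example": {"US"}, "bob@corp.example": {"GB"}, "sp:ci-runner-prod": {"US"},
}


def _alert(rule: str, e: Dict, detail: str) -> Dict:
    return {"rule": rule, "principal": e["principal"], "session": e["session"], "ts": e["ts"], "detail": detail}


def detect(events: List[Dict], baselines: Dict[str, Set[str]],
           travel_window: timedelta = timedelta(minutes=60)) -> List[Dict]:
    """Three session-level rules over IdP events. A successful-authentication
    filter would flag none of these; all three fire on what happens after login."""
    alerts: List[Dict] = []
    session_fp: Dict[str, tuple] = {}   # session id -> (country, ua) at first sight
    last_seen: Dict[str, tuple] = {}    # principal -> (timestamp, country) of previous event
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        fp = (e["country"], e["ua"])
        # Rule 1: a live session should not change country or browser fingerprint.
        first = session_fp.setdefault(e["session"], fp)
        if fp != first:
            alerts.append(_alert("session_drift", e, "session started as %s/%s, now %s/%s" % (first + fp)))
        # Rule 2: a principal cannot plausibly change country within the travel window.
        prev = last_seen.get(e["principal"])
        if prev is not None and prev[1] != e["country"] and ts - prev[0] < travel_window:
            alerts.append(_alert("rapid_geo_change", e, "%s -> %s in %s" % (prev[1], e["country"], ts - prev[0])))
        last_seen[e["principal"]] = (ts, e["country"])
        # Rule 3: machine identities have no travel story, so any region outside the
        # baseline is worth a ticket, unlike a human who may genuinely be on a trip.
        if e["kind"] == "service_principal" and e["country"] not in baselines.get(e["principal"], set()):
            alerts.append(_alert("nhi_new_region", e, "%s not in baseline %s"
                                 % (e["country"], sorted(baselines.get(e["principal"], set())))))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS, BASELINE_COUNTRIES):
        print("%(ts)s %(rule)-17s %(principal)-20s %(detail)s" % a)
```

The replayed cookie trips both the drift rule and the geo rule on purpose: the overlap is what gives an analyst confidence it is a stolen session rather than a VPN flap. The travel rule uses a country change inside a time window rather than real distance; a production detector computes great-circle distance between geolocated IPs and also whitelists known VPN egress ranges to keep the noise down.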

Trend 4: AI-Generated Phishing Hits Scale

AI-assisted phishing was a novelty in 2023 and a measurable trend in 2024. In 2025 it becomes the default. Large language models produce lure content that is grammatically perfect, contextually specific, and personalized to scraped victim data at a cost per message approaching zero. Voice cloning adds a second channel. Deepfake video in meetings, demonstrated in the Arup incident in early 2024, where a finance employee transferred roughly $25 million after a video call in which the CFO and colleagues were deepfakes, has already moved from proof of concept to in-the-wild tradecraft.

The defensive implication is that user education hits diminishing returns. A user who was told to look for typos and awkward phrasing has no heuristic left when the phishing email is written better than their own manager's. The response is not more training. It is:

  • Phishing-resistant factors (passkeys, hardware keys) so that even a successful lure does not hand over credentials
  • Email authentication enforcement (DMARC at p=reject, with SPF and DKIM aligned to the From domain, and ARC so that legitimately forwarded mail survives enforcement)
  • Out-of-band verification for financial and identity-sensitive requests
  • Detection that assumes humans will click, because they will
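The alignment rule in the second bullet is the part of DMARC teams most often get wrong, so here is an added example (not from the post) of a minimal DMARC evaluator: it parses a policy record, applies relaxed or strict alignment, and shows a weak p=none record beside a p=reject record on the same spoofed message. Domains are hypothetical, and the organizational-domain helper takes the last two labels rather than consulting the Public Suffix List, which a real evaluator must do.

```python
from typing import Dict, Optional, Tuple

# Hypothetical policy records for the From domain corp.example (constructed).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@corp.example"
STRONG_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@corp.example"
STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@corp.example"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into tags, filling in the spec defaults
    (relaxed alignment for both SPF and DKIM, policy none)."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record: %r" % record)
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError("invalid policy %r" % tags["p"])
    return tags


def org_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels. Real
    # evaluators use the Public Suffix List so that example.co.uk works.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment needs a shared organizational domain; strict ('s') an exact match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain: str, record: str,
                   spf_result: str, spf_domain: Optional[str],
                   dkim_result: str, dkim_domain: Optional[str]) -> Tuple[bool, str]:
    """Return (dmarc_pass, disposition). DMARC passes when SPF or DKIM produced
    a pass AND that identifier aligns with the RFC5322.From domain; an unaligned
    pass counts for nothing, which is the whole point. Disposition 'none' means
    deliver. The pct= and sp= tags are ignored here for brevity."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and spf_domain is not None and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and dkim_domain is not None and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags["p"]


if __name__ == "__main__":
    # (label, From domain, SPF result, SPF (MAIL FROM) domain, DKIM result, DKIM d= domain)
    cases = [
        ("spoof: attacker SPF passes, no DKIM", "corp.example", "pass", "attacker.example", "none", None),
        ("legit ESP: unaligned SPF, aligned DKIM", "corp.example", "pass", "bounces.esp.example", "pass", "corp.example"),
        ("legit mail signed by a subdomain", "corp.example", "pass", "mail.corp.example", "pass", "mail.corp.example"),
    ]
    for label, rec in (("p=none", WEAK_RECORD), ("p=reject relaxed", STRONG_RECORD), ("p=reject strict", STRICT_RECORD)):
        for name, frm, spf_r, spf_d, dkim_r, dkim_d in cases:
            ok, disp = evaluate_dmarc(frm, rec, spf_r, spf_d, dkim_r, dkim_d)
            print("%-17s %-42s pass=%-5s disposition=%s" % (label, name, ok, disp))
```

The third case is the caveat: flipping to strict alignment before every legitimate signer uses the exact From domain turns your own subdomain-signed mail into rejects. Read the rua aggregate reports at p=none first, fix the unaligned senders, then move to p=reject.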

Trend 5: Identity Unification Across SaaS

The modern enterprise runs on a sprawl of SaaS applications that each maintain their own identity store, their own role model, and their own audit log. Security teams have been asked to govern this sprawl with tooling that was designed for Active Directory. In 2025 the pressure to unify gets serious.

Expect movement in three places:

  • SaaS identity posture management (SSPM and its identity cousins) becomes a standard control
  • Cross-SaaS session correlation emerges as a feature in ITDR and SIEM platforms
  • Adoption of the OpenID Shared Signals Framework (SSF) and its Continuous Access Evaluation Profile (CAEP) accelerates, allowing identity providers to push risk signals such as session-revoked and credential-change events to relying parties in real time

The endpoint for this trend is an identity fabric where a compromised session in one SaaS app automatically triggers revocation across every other federated app. The plumbing exists. 2025 is when enough vendors implement it for enterprises to actually use it.
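To show that plumbing, here is an added example (not the post's or any vendor's code) of a CAEP session-revoked Security Event Token: the transmitter side mints the SET and the receiver side validates it, rejects replays and tampering, and revokes every local session for the subject. The issuer, audience, subject, and session store are constructed, and the SET is signed with an HS256 shared key as a simplification; real SSF transmitters sign with an asymmetric key published through a JWKS endpoint, but the token structure is identical.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List, Optional

CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"

# Assumption for this example: a symmetric HS256 key shared by transmitter and
# receiver. Real SSF transmitters sign with an asymmetric key published via JWKS.
SHARED_KEY = b"constructed-shared-secret-for-the-example"


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def build_session_revoked_set(issuer: str, audience: str, subject_email: str, reason: str,
                              key: bytes = SHARED_KEY, now: Optional[int] = None) -> str:
    """Transmitter side: mint a Security Event Token (RFC 8417) carrying a CAEP
    session-revoked event for the given subject."""
    now = int(time.time() if now is None else now)
    header = {"typ": "secevent+jwt", "alg": "HS256"}
    payload = {
        "iss": issuer, "aud": audience, "iat": now, "jti": secrets.token_hex(16),
        "sub_id": {"format": "email", "email": subject_email},
        "events": {CAEP_SESSION_REVOKED: {"event_timestamp": now, "reason_admin": {"en": reason}}},
    }
    signing_input = _b64u(_json(header)) + "." + _b64u(_json(payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64u(sig)


class SetReceiver:
    """Relying-party side: validate an incoming SET and act on the event."""

    def __init__(self, issuer: str, audience: str, sessions: Dict[str, Dict],
                 key: bytes = SHARED_KEY, max_age: int = 300):
        self.issuer, self.audience, self.sessions = issuer, audience, sessions
        self.key, self.max_age = key, max_age
        self.seen_jti = set()  # replay cache; persist it with a TTL in production

    def handle(self, token: str, now: Optional[float] = None) -> List[str]:
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed SET")
        h, p, s = parts
        header = json.loads(_b64u_dec(h))
        # Pin typ and alg before touching the signature so the sender cannot steer verification.
        if header.get("typ") != "secevent+jwt" or header.get("alg") != "HS256":
            raise ValueError("unexpected header %r" % header)
        expected = hmac.new(self.key, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64u_dec(s)):
            raise ValueError("bad signature")
        payload = json.loads(_b64u_dec(p))
        if payload.get("iss") != self.issuer:
            raise ValueError("unexpected issuer %r" % payload.get("iss"))
        if payload.get("aud") != self.audience:
            raise ValueError("unexpected audience %r" % payload.get("aud"))
        if abs(now - payload.get("iat", 0)) > self.max_age:
            raise ValueError("stale or future-dated SET")
        jti = payload.get("jti")
        if not jti or jti in self.seen_jti:
            raise ValueError("replayed or missing jti")
        self.seen_jti.add(jti)
        revoked: List[str] = []
        if CAEP_SESSION_REVOKED in payload.get("events", {}):
            subject = payload.get("sub_id", {})
            if subject.get("format") != "email":
                raise ValueError("unsupported subject format %r" % subject.get("format"))
            for sid, sess in list(self.sessions.items()):
                if sess["user"] == subject["email"]:
                    del self.sessions[sid]   # tear down the local session immediately
                    revoked.append(sid)
        return sorted(revoked)


if __name__ == "__main__":
    # Constructed session store of the relying party: session id -> owner and app.
    sessions = {"s1": {"user": "alice@corp.example", "app": "crm"},
                "s2": {"user": "alice@corp.example", "app": "wiki"},
                "s3": {"user": "bob@corp.example", "app": "crm"}}
    receiver = SetReceiver("https://idp.example", "https://app.example", sessions)
    token = build_session_revoked_set("https://idp.example", "https://app.example",
                                      "alice@corp.example", "credentials found in stealer log")
    print("revoked:", receiver.handle(token), "remaining:", sorted(sessions))
    try:
        receiver.handle(token)
    except ValueError as err:
        print("second delivery rejected:", err)
```

The receiver checks the header, the signature, issuer, audience, freshness and the jti replay cache before it trusts the event, in that order; skipping any of them turns a revocation channel into a denial-of-service channel for whoever can reach the endpoint.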

Trend 6: Dark Web Monitoring Becomes Table Stakes

Exposure monitoring used to be a differentiator. In 2025 it is a baseline control. Stealer logs, credential dumps, and leaked session artifacts move fast enough that any identity program without continuous monitoring is operating with weeks of lag on its own attack surface.

Revealer.US continuously ingests stealer logs, breach dumps, and underground listings so that security teams see exposed credentials, cookies, and employee devices the moment they appear. Review pricing for options that fit team size and coverage needs.

Trend 7: Zero Trust Stops Being a Slogan

Zero trust has been abused as a marketing term for the better part of a decade. In 2025 the conversation shifts from architectural aspiration to measurable control enforcement. Buyers are asking vendors specific questions: Does your product enforce device posture on every session refresh? Does it honor continuous access evaluation signals? Can it revoke a session in seconds based on a third-party risk signal?

The answers separate real zero trust implementations from rebranded VPN replacements. CISA's Zero Trust Maturity Model v2 gives buyers and auditors a shared vocabulary for that evaluation, and in 2025 it starts showing up in procurement questionnaires with meaningful weight.

What Security Teams Should Prioritize

If you are building a 2025 identity security roadmap, the order of operations matters more than the completeness. Based on the intrusions we see across our customer base, the highest-leverage sequence is:

  1. Roll out phishing-resistant MFA (passkeys or hardware keys) for administrators first, then the broader workforce
  2. Inventory non-human identities and rotate static credentials
  3. Deploy ITDR or equivalent session-level monitoring for your identity provider
  4. Establish continuous exposure monitoring for credentials, cookies, and device artifacts
  5. Enforce conditional access that reacts to real-time risk signals, not just static policies
  6. Build an identity incident playbook that treats session compromise as a breach to contain: revoke sessions and refresh tokens, rotate the credential, and hunt for persistence such as new OAuth grants, added MFA devices, and mailbox rules
  7. Measure and report identity risk in terms executives understand, because budget follows narrative

Conclusion

Identity security in 2025 is less about new categories and more about execution on trends that have been building for years. Passkeys, ITDR, non-human identity governance, and continuous exposure monitoring are not speculative bets anymore — they are the controls that distinguish organizations that weathered 2024 from the ones that made headlines. The defenders moving fastest in 2025 will be the ones who stop treating identity as an IT function and start treating it as the primary battleground.

Revealer.US focuses on the exposure monitoring layer of that stack, giving teams visibility into credentials, cookies, and identity artifacts the moment they surface in underground markets and stealer logs. Explore the docs to see how we fit alongside the rest of your identity program.
