KuppingerCole Analysts

Four weeks after EIC 2026 in Berlin, Matthias Reinwarth and Phillip Messerschmidt sit down to reflect on what the European Identity and Cloud Conference revealed about the state of identity and access management and what it means for the year ahead. Spoiler: agentic AI dominated, but it wasn't the only story. Key Topics: ✅ Agentic AI as a new class of insider threat — autonomous, non-deterministic, and without ethics✅ Data-centric defense vs. agent discovery: protect the vault, not the crowd✅ Why dynamic authorization and behavior analytics are the IAM industry's urgent next step✅ Data sovereignty and geopolitics: eroding trust in non-European SaaS vendors✅ AuthZEN wins the EIC Award — a standard built before anyone knew the problem it would solve✅ Martin Kuppinger's closing keynote: "Everything we failed to solve in the past decades bites back now" "An agent behaves like a human insider threat — but without any sense of right or wrong." If your IAM program isn't ready for that, this episode is required listening.

In today's episode of the Analyst Chat, Matthias Reinwarth welcomes John Tolbert to take a deep dive into the rapidly evolving world of Consumer Identity and Access Management (CIAM). As organizations manage millions, or even billions, of identities, CIAM is shifting from a standalone capability to a core component of broader digital ecosystems. Key topics: ✅ Consumer vs. B2B IAM segmentation✅ Passkeys adoption and UX gaps✅ Identity lifecycle and account recovery✅ CIAM integrations and platform ecosystems✅ AI agents and identity governance Increasing scale, regulatory pressure, and user expectations are reshaping CIAM requirements. AI agents begin to act on behalf of users, introducing new risks, but also new opportunities for automation and innovation.

The future SOC won’t replace humans with AI, it will empower us with AI-driven automation, accelerating detection and response while keeping humans in control of critical decisions. This week Matthias Reinwarth and Matthew Gardiner discuss the evolution of security automation with the introduction of AI SOC (Security Operations Center). They explore the challenges of alert fatigue, the importance of human oversight, and the cautious optimism surrounding AI's role in cybersecurity. The conversation delves into the balance between automation and human intervention, the trust issues associated with AI systems, and the current landscape of vendors in the AI SOC market. They conclude with insights on the future of AI in security and the potential impact on managed detection and response services. Key Topics:✅ Evolution from SOAR to AI-powered SOC✅ Using AI agents as junior security analysts✅ Managing alert fatigue and SOC analyst burnout✅ Balancing automation with human oversight✅ Explainability and trust in AI security systems✅ Impact of AI SOC on MDR and security service providers AI is reshaping SOC operations—but fully autonomous security is still far away. Discover why AI agents may become the “junior analysts” of the modern SOC, handling repetitive tasks while humans focus on complex decisions.

Identity is no longer just about provisioning and single sign-on. Today’s organizations face fragmented IAM architectures, API sprawl, non-human identity growth, AI agents, and increasing Zero Trust demands. In this episode, Matthew Gardiner speaks with Binod Singh, Founder and Chairman of Cross Identity, about what the Identity Fabric really means and why it has become essential for modern enterprises. They discuss how legacy IAM environments evolved into siloed systems, why integration “tax” is becoming unsustainable, and how a federated, API-driven identity fabric architecture enables scalability, orchestration, and Zero Trust. You’ll learn:✅ What the Identity Fabric architecture actually is (and what it is not)✅ Why IAM silos and legacy systems create integration and security risks✅ How federated, API-based architectures improve interoperability✅ The rise of non-human identities and AI agents — and how to manage them✅ Why convergence and orchestration are critical for Zero Trust✅ How organizations can transition from fragmented IAM to a fabric model Whether you are a CISO, IAM architect, or security leader, understanding how to evolve toward an Identity Fabric approach is critical to reducing complexity, enabling Zero Trust, and future-proofing your identity strategy.

Shadow IT has evolved. Now it’s Shadow SaaS. Shadow AI. And it’s everywhere. In this week's episode of the KuppingerCole Analyst Chat, Matthias welcomes Matthew Gardiner for his first appearance to unpack one of the fastest-growing security domains: SaaS Security Posture Management (SSPM) and why that name may already be too narrow. Today’s organizations run on hundreds of SaaS applications. Many are sanctioned. Many aren’t. Some are connected via OAuth. Others are quietly leaking data through AI tools. And most security teams don’t have full visibility. In this conversation, we explore:✅ What SSPM actually means (and why the “PM” might be limiting)✅ How Shadow IT evolved into Shadow SaaS and Shadow AI✅ The intersection of identity and cybersecurity in SaaS environments✅ Misconfiguration risks, MFA bypass, OAuth sprawl & SaaS drift✅ Why continuous monitoring beats periodic audits✅ CASB vs SSPM vs CNAPP — where the lines blur✅ The growing governance challenge in AI-powered SaaS✅ Why SaaS security can’t be ignored anymore If your organization uses SaaS (spoiler: it does), this discussion is not optional.

Authorization is changing, moving from static roles and provisioning to dynamic, real-time, policy-based decisions. But without standardization, modern authorization quickly becomes fragmented and unmanageable. In this episode of the Analyst Chat, Matthias Reinwarth is joined by David Brossard, contributor and co-chair of the OpenID AuthZEN Working Group, and Phillip Messerschmidt, Lead Advisor at KuppingerCole, to discuss how authorization is evolving — and why AuthZEN is a critical missing standard. You’ll learn:✅ Why RBAC is still relevant, but no longer sufficient on its own✅ How ABAC and PBAC address scalability, context, and dynamic access✅ Why role explosion and authorization silos limit visibility and governance✅ How runtime, continuous authorization supports Zero Trust architectures✅ What AuthZEN standardizes — and what it deliberately does not✅ How externalized authorization improves auditability and compliance✅ Why CISOs and architects should start asking vendors for AuthZEN support✅ How AuthZEN fits into the Identity Fabric and Road to EIC vision Authentication has been standardized for years — authorization is finally catching up. Watch now to understand how AuthZEN enables scalable, future-proof authorization for modern applications, APIs, and identity fabrics.

Zero Trust isn’t dead, it’s evolving. In this week's episode, Matthias Reinwarth joins Alexei Balaganski to explore why Zero Trust Network Access (ZTNA) is no longer enough and how Zero Trust Platforms are emerging as the next evolution of modern security architecture. In this episode, we explore: ✅ Why Zero Trust is a strategy, not a product✅ The limitations of ZTNA in modern hybrid and cloud environments✅ What defines a Zero Trust Platform✅ Universal access enforcement across human and non-human identities✅ Continuous trust evaluation and intelligent segmentation✅ Unified visibility, analytics, and policy enforcement✅ How vendors and organizations should think about Zero Trust moving forward 🚀 If you care about identity, cybersecurity, AI risk, or future-proof security architectures, this conversation is for you.

Cybersecurity and AI are evolving faster than ever, and 2026 is already proving that traditional predictions may no longer be enough. In this year's first episode of the Analyst Chat, Matthias Reinwarth is joined by Jonathan Care and Alexei Balaganski to attempt looking into some predictions for the coming year. Join to find out what organizations should realistically prepare for in cybersecurity and AI in 2026! You’ll learn:✅ Why traditional cybersecurity predictions are becoming less reliable✅ How geopolitical, economic, and societal shifts are shaping cyber risk✅ Whether cybersecurity can exist without AI — and where AI actually fits✅ Why governance, accountability, and responsibility matter more than tools✅ What’s flying under the radar in AI and cybersecurity today✅ The risks of AI hype, long-lived permissions, and autonomous agents✅ Why agility and resilience should be your cybersecurity mantra for 2026 📌 This discussion focuses on patterns, risks, and preparation strategies security leaders should consider as AI and cyber threats continue to accelerate.🔒 Watch now to understand how to think critically about AI, cybersecurity, governance, and resilience in 2026.