The dust has barely settled on RSA Conference 2025, which wrapped up its run at San Francisco’s Moscone Center this past May 1st. Interestingly, that date also happens to be what some call Passkey Day – though that rebranding, and the potential demise of its predecessor, Password Day, is a discussion best saved for another time. From April 28th to May 1st, the cybersecurity world’s eyes were, as always, glued to the happenings in California.
Full disclosure: I wasn’t physically present amidst the bustling expo halls and keynote speeches. Like many cybersecurity professionals, my insights come secondhand – gleaned from the flurry of news articles, the real-time commentary of friends and colleagues on LinkedIn, and the ever-vibrant echo chamber of X (formerly Twitter). So, consider this a view from the digital sidelines, a synthesis of the buzz that permeated the virtual sphere.
You might wonder why I’m offering my take if I wasn’t on the ground. The answer, I believe, is relatively straightforward. Identity security vendors invest significant resources to have a presence at or around RSAC, precisely to capture the attention of the broader cybersecurity community, including those who couldn’t make the physical journey. If their marketing efforts were solely intended for the attendees within the Moscone Center’s walls, they might as well invest in advertising at a Freemason meeting or some other equally exclusive gathering. The real winners are those whose message resonated beyond the conference floor, reaching those of us following along remotely. So, let’s dive into the trends in identity security that managed to break through the noise and capture our collective attention.
Two Key Identity Topics Capturing Attention
Even from my remote vantage point, two core themes within Identity Security dominated the conversations and announcements surrounding RSAC 2025: Identity Security Posture Management (ISPM) and Machine Identity Management.
As I’ve noted before, the white paper ‘Identity Security: The Value of a Unified Platform,’ published in July 2024, already highlighted the staggering ratio of machine identities to human identities – a cited figure of 6 to 1. This starkly illustrates the inherent complexity and management challenges these non-human identities pose within enterprise IAM systems. Moreover, the explosive growth of machine identities driven by AI agents and microservices and the pervasive adoption of SaaS components amplify this challenge and, consequently, its impact on overall cybersecurity. The increased focus at RSAC 2025 underscores how urgent and important it is for the industry to address this expanding attack surface effectively, a task in which each of us, as cybersecurity professionals, plays a crucial role.
So, recalling the Gartner Hype Cycle for Digital Identity 2024, it appears Machine Identity Management, which seemed to be navigating the Trough of Disillusionment, is likely on track to reach the Plateau of Productivity in the following report. This increased visibility and maturity are further validated by the attention it received at RSAC 2025.
It remains an open question whether managing these machine identities will primarily fall under the purview of traditional PAM (Privileged Access Management) solutions or whether dedicated, specialized solutions will take the lead. Interestingly, CyberArk showcased some machine identity capabilities during RSAC, alongside a wave of innovative startups. These newcomers could either carve out their niche as dedicated Identity vendors or become attractive acquisition targets for the more established PAM players looking to solidify their market position. Silverfort has enhanced its non-human identity (NHI) security capabilities by incorporating cloud-based identities, striving to deliver a unified identity security platform that seamlessly integrates both on-premises infrastructure and contemporary cloud environments.
The second central talking point was ISPM – Identity Security Posture Management – fueled by significant announcements from Saviynt and RSA. An anecdote from a contact who visited the RSA booth suggests their ISPM launch might have been more of a forward-looking statement, evidenced by their subsequent press release indicating general availability by Q3. In contrast, Saviynt’s ISPM offering, particularly with the buzz around their Savi Copilot, seemed to garner more immediate and widespread attention from specialized media, suggesting a more readily available or demonstrably functional solution.
So, the emergence of ISPM couldn’t be more timely, especially for companies grappling with the fundamental question of where to begin when managing their digital identities. In this context, the beauty of leveraging AI lies in its ability to sift through massive volumes of data and pinpoint critical focus areas that human analysts might miss. The potential of AI in managing digital identities is a reason for optimism in identity security. I can already envision the excitement among audit and compliance teams at the prospect of having such a powerful feature at their disposal.
As Thais Gasperini, a respected Cybersecurity Executive and IAM authority, astutely noted in a recent social media post: ‘It sounds very basic, but the vast majority of companies have no idea what their assets, perimeters, and “edges” are.’ We couldn’t agree more with Thais’s observation.

Far too often, we encounter organizations that lack even the most rudimentary understanding of their IT landscape – no comprehensive hardware or software inventory, let alone a prioritized list of critical assets.
This lack of basic visibility is fertile ground for attackers, who thrive by exploiting the ‘Extreme Go Horse’ approach that many companies unfortunately adopt to manage their IT and information security needs. Our mission as identity security professionals, including vendors and service providers, is to guide these organizations towards more mature practices. Still, we cannot perform miracles in the absence of foundational knowledge.
Therefore, I strongly encourage you to take stock of everything you absorbed during RSAC – beyond the vendor parties and presentations – and to forge a strong partnership with your trusted identity security advisor. Whether you need to build a new identity security strategy from the ground up or replan your existing one, now is the time to translate those insights into actionable steps.
An Identity Vendor Who Caused a Buzz in the Media
Amidst the flurry of announcements at and around RSAC 2025, P0 Security generated significant buzz across specialized media channels by unveiling its Unified Identity Control platform. Their core message resonated with a critical pain point: the fractured and often inadequate approach to managing identities in today’s multi-cloud environments. P0 highlighted a concerning statistic from the Cloud Security Alliance, revealing that 95% of organizations have experienced a cloud-related breach in the past 18 months. Shockingly, the root cause of 99% of those incidents was attributed to insecure identities.
P0 argues that traditional IAM, PAM, IGA, and even newer CIEM tools operate in silos, each with different policies and limited visibility, leading to confusion, complexity, and dangerous blind spots. Their Unified Identity Control platform aims to break down these silos by providing a single, cloud-native solution to secure and govern all types of access – from human users to machines and non-human entities – across major cloud providers like AWS, Azure, and GCP.
Key capabilities of the P0 platform include a comprehensive inventory of all identities, real-time security posture analysis to identify and remediate risks like stale credentials and overly broad roles, automated orchestration of access with just-in-time and ephemeral permissions, and continuous, policy-driven governance with automated reviews and audit trails.
P0 Security’s message about the fragmented nature of cloud identity management tools strikes a chord. The statistics they cite are alarming and underscore the urgency of addressing cloud identity security holistically. While it remains to be seen how much traction their unified platform will gain with customers, the problem they are highlighting is very real. The increasing complexity of managing diverse identities across multiple clouds is a significant challenge, and a platform that genuinely offers a unified control plane could be a game-changer. It will be interesting to observe how P0 Security’s approach resonates with organizations struggling with cloud identity sprawl and whether they can effectively capture market share in this evolving landscape.
Conclusions from RSAC 2025 from Someone Who Never Set Foot There
Despite my physical absence from the Moscone Center, the digital echoes of RSAC 2025 paint a clear picture of the prevailing winds in identity security. Even through the lens of social media and industry news, it was evident that the major identity vendors were out in full force, showcasing their latest innovations and engaging with existing and potential customers. The sheer volume of posts and photos from the expo floor and various off-site events – the business meals and the in-person meetings – underscored the continued importance of this event for the industry.
It was also encouraging to observe the presence of many first-time attendees. This suggests that the conference is becoming more democratic, broadening its reach beyond just top-tier clients, and fostering a more inclusive environment for a broader range of cybersecurity professionals. RSAC remains a crucial launchpad for new features and products across the entire information security spectrum, and the diverse audience, from C-level executives to hands-on practitioners, provides invaluable exposure for the exhibiting vendors.
However, it’s important to remember that RSAC is just one piece of the identity security event landscape. We also have specialized gatherings like Identiverse and the IAM Tech Day, which is making its United States debut this year – stay tuned for more details next month. And, of course, there is the Gartner IAM Summit in the US, a key event that has wisely relocated to Grapevine, TX, taking place from December 8th to 10th.
From my virtual vantage point, the dominant narratives around identity at RSAC 2025 were undeniably the ascent of AI-powered ISPM and the growing urgency surrounding Machine Identity Management. The buzz generated by P0 Security’s unified cloud identity platform also signals a critical area of focus for the industry. While the physical experience of RSAC is unique, the key trends and innovations managed to break through the digital noise, offering valuable insights for all of us working to secure the ever-evolving world of digital identities. The conversations started in San Francisco will continue to shape our strategies and solutions in the coming months.