Home » Blog » AI Agents and the Core of IAM: Key Takeaways from the Gartner IAM Summit 2025

AI Agents and the Core of IAM: Key Takeaways from the Gartner IAM Summit 2025

Jonathan Sander December 16, 2025

Another year, another Gartner IAM Summit in the books. While it was great to see old friends, it was the recurring themes that really struck a chord: proving that while technology evolves, the fundamental challenges remain the same.

The overarching theme, ‘Identity at the Core,’ was woven into everything, but there was a distinct ‘twist’ this year. That twist? AI Agents. They dominated every conversation. But unlike a fun plot twist, this one feels more like the moment in a horror flick where you realize the call is coming from inside the house. If you missed the summit, here are my three main takeaways on why old identity ghosts are resurfacing to haunt our new AI reality.

Identity at the Core: Connecting Security to Business Value

The conference theme, “Identity at the Core,” wasn’t just a slogan; it was the reality in every session. Obviously, the analysts stuck to it, but even in sessions by major enterprises like RBC and GM, it was clear that IAM has matured past its identity crisis of previous years. We have moved from being scared by every new shadow the business casts on the wall, and each creaking noise the CIO makes walking through the hallway, to a healthy “we’ve seen this movie before” attitude. Identity pros know they are in charge of one of the most crucial services the business needs, that it has business value, and that security can’t be effective without IAM. The movie’s not over, of course. There are still real struggles ahead, but the bad guys have all been unmasked, and now we need to focus on how to execute.

One of Gartner’s overarching messages was that “IAM is the core of the technology that runs the business.” The discussions showed how important it is to understand IAM’s merits using business value. However, there is a caveat: this only works if you have matured your IAM program to connect to business functions. That means explicitly mapping the connections between low-level technical elements—accounts, entitlements, and activity—to the actual users, whether they are human or non-human, internal or third-party.

AI Agents: Old Ghosts with New Speed

Sure enough, the ghosts haunting the whole show were AI Agents. You couldn’t walk away without thinking about them, as every session had a “stinger” at the end about how AI will change everything. Every session led by Gartner experts I attended brought up AI, specifically AI Agents, and they all drove home the same point: “you can’t control what you can’t see.”

It wasn’t that AI Agents are creating completely new, unheard-of challenges. Instead, they are resurrecting the “town legends” we thought we had buried. The old problems of service accounts, secrets management, hard-coded keys, and passwords are rising from their resting places to chase us down. AI Agents are taking these deep-rooted non-human identity problems and forcing us to solve them at unprecedented speed and scale. Erik Wahlstrom laid this out clearly, but I was also interested in the “hallway track” conversations.

Practitioners seemed to agree: while this year was about “exploring” AI Agents, next year is about enabling them to go from test to PROD. And, frankly, they don’t feel ready yet. In our executive session, none of the participants had AI Agents in production, but all had high-visibility projects underway. That is definitely a little scary.

The Hidden Threat: Post-Quantum Cryptography (PQC)

An unexpected plot twist came from Mark Horvath’s sessions on Post-Quantum Cryptography (PQC). Mark is one of the smartest people I’ve met, so when he suggests we should be more afraid than we are, I listen. His analysis showed that while Identity is at the core of the business, cryptography is at the core of identity. And it’s a house of cards which could all be crumbling (to paraphrase him). While about 30% of TLS is currently using PQC-safe cryptography, the message was stark: we have until 2030 at best before the bad guys turn internet traffic into a slasher flick. Did I already know all that? Yes – and I’ll bet you did, too. But I was unsettled by how long it had been since I actually did any work on it. It’s a lurking threat we can’t ignore.

Conclusion

While the Gaylord in Grapevine, Texas, was blasting Christmas songs and trying to be all about cheer, my mind was on these things in the shadows.

At our core, we know we’re fighting the good fight with identity. We are battle-tested. But we must recognize that the things leaping out in front of us are threats we recognize. It’s the old non-human identity problems, now supercharged by AI and agentic AI adoption trends. We have seen these movies before, so I’m fairly certain we can ensure a happy ending. Even if it’s going to be more of a franchise than a single film.