Our takeaways from Identiverse 2026 in Las Vegas: AI agent identity moved from theory to roadmap, passkeys turned operational, deepfakes pressured identity verification, and session security took center stage.

As NIST post-quantum standards mature, certificate and PKI vendors began planning crypto-agile migrations for machine identity.

Work continued on OAuth 2.1, which folds widely adopted security practices into a single specification and removes legacy grants.

Vendors and standards bodies began addressing identity for AI agents, focusing on scoped, delegated, and revocable credentials and MCP authorization.

Microsoft research found the overwhelming majority of identity attacks target passwords, and that phishing-resistant MFA blocks over 99% of them.

Banks and governments piloted reusable, wallet-based credentials to cut repeat KYC, aligned with eIDAS 2.0 and W3C standards.

IBM Cost of a Data Breach research showed a modest decline in average breach cost, driven by faster identification and containment.

The FIDO Alliance said more than 15 billion online accounts now support passkey sign-in, roughly doubling availability year over year.

Industry analysts continued to position identity as the primary security control plane, driving investment in ITDR, ISPM, and governance.

Palo Alto Networks agreed to acquire privileged access leader CyberArk in a deal valued around $25 billion, its largest acquisition and a major bet that identity security is core to platform consolidation.

Investor interest in non-human identity governance grew, with multiple startups raising rounds to discover and secure service accounts, tokens, and agents.

Analysts and vendors formalized non-human identity governance as its own category, covering discovery, posture, and lifecycle for machine identities.

Ping Identity acquired Procyon and relaunched it as PingOne Privilege, adding cloud just-in-time privileged access to its platform.

The OpenID Foundation advanced OpenID for Verifiable Credentials profiles, improving interoperability for issuing and presenting digital credentials.

Adoption of the Shared Signals Framework and CAEP grew, letting providers share security events and revoke sessions in near real time.

Threat researchers reported a sharp rise in infostealer malware harvesting credentials and live session cookies, enabling attackers to bypass MFA.

Microsoft began defaulting new consumer accounts to passwordless sign-in with passkeys, citing the scale of password-based attacks.

Researchers described one of the largest aggregations of stolen credentials to date, largely sourced from infostealer logs and prior breaches.

CyberArk research found non-human identities vastly outnumber human ones, driven by cloud and AI, and that most organizations lack controls for them.

The W3C finalized the Verifiable Credentials Data Model 2.0 family as Recommendations, a milestone for decentralized identity and the EU Digital Identity Wallet.

The FIDO Alliance marked World Passkey Day with new adoption data and a pledge program to accelerate the shift away from passwords.

The annual Data Breach Investigations Report again highlighted stolen credentials, phishing, and the human element as dominant breach factors.

Identity governance leader SailPoint listed on Nasdaq again under ticker SAIL, while remaining majority-owned by Thoma Bravo.

Reports of exposed cloud credentials drew attention to single-sign-on and federation hygiene, though details and scope were disputed.

GitGuardian found tens of millions of new hardcoded secrets exposed in public commits, with a large share still valid long after leaking.

Developer identity vendors began shipping features to issue and verify identities for AI agents and bots, an early sign of agentic identity going mainstream.

CyberArk acquired cloud-native identity governance vendor Zilla Security to add lightweight access reviews and provisioning to its platform.

Verification vendors reported rapid growth in deepfake and injection attacks against remote identity proofing, raising the bar for liveness detection.

The OAuth 2.0 Security BCP became RFC 9700, consolidating hardening guidance such as PKCE everywhere and sender-constrained tokens.

The Digital Operational Resilience Act began to apply, raising the bar for access controls, identity governance, and third-party risk in EU finance.

A US cybersecurity executive order directed federal agencies toward phishing-resistant authentication such as passkeys and PIV, reinforcing the move off passwords.

The FIDO Alliance published specifications to let users securely move passkeys between providers, addressing a key adoption blocker.

CISA reiterated guidance to move from SMS and push-based MFA to phishing-resistant methods like FIDO2 and passkeys.

Major consumer brands continued rolling out passkeys, with the FIDO Alliance reporting steady growth in passkey-enabled accounts.

Authorities warned that the Scattered Spider group continued to bypass MFA through help-desk social engineering and SIM swapping, hitting major enterprises.

Yubico grew its YubiEnterprise subscription for distributing hardware security keys, easing phishing-resistant rollouts at scale.

Microsoft enabled passkeys in its Authenticator app, expanding phishing-resistant sign-in options for consumer and work accounts.

The NIS2 directive deadline pushed many EU organizations to strengthen MFA, access control, and identity governance as baseline obligations.

CyberArk completed its acquisition of Venafi, combining human and machine identity security as certificate and workload identities proliferate.

Okta detailed hardening and a secure-identity initiative following its 2023 support-system breach, including session and admin protections.

Apple introduced a standalone Passwords app across its platforms, making passkeys and credential sync more visible to consumers.

NIST advanced SP 800-63-4, emphasizing phishing-resistant authentication, syncable passkeys, and revised identity proofing guidance.

Developer-led authorization engines saw rising adoption as teams externalized access decisions from application code.

Okta introduced Identity Threat Protection, using shared signals to detect risk and revoke sessions in real time across the session lifecycle.

Researchers reported a massive aggregation of previously leaked passwords, a reminder that credential reuse keeps fueling account-takeover attacks.

Following customer breaches, Snowflake began letting admins enforce MFA and moved toward mandatory multifactor authentication for accounts.

WorkOS acquired Warrant to add fine-grained, relationship-based authorization to its enterprise-readiness toolkit for B2B SaaS.

A wave of breaches at Snowflake customers was attributed to stolen credentials and accounts without multifactor authentication, fueling major data theft.

Live Nation confirmed a breach of Ticketmaster data hosted in Snowflake, part of a campaign exploiting accounts without multifactor authentication.

The EU adopted eIDAS 2.0, requiring member states to offer digital identity wallets and accelerating verifiable-credential adoption across Europe.

Google began prompting users to create and use passkeys by default, accelerating mainstream passwordless adoption.

Cisco Duo notified customers that a breach at a telephony provider exposed SMS multifactor message logs, underscoring the weakness of SMS-based MFA.

SailPoint expanded through acquisitions including Imprivata governance assets and UK-based PAM vendor Osirium, broadening its identity security platform.

Entrust acquired identity verification specialist Onfido, adding AI-based document and biometric verification to its IAM and PKI portfolio.

Password manager 1Password acquired Passage to accelerate passkey adoption across consumer and business products.

HashiCorp introduced Vault Radar to scan code and systems for unmanaged and leaked secrets, extending its secrets-management footprint.

IBM agreed to acquire HashiCorp, bringing Vault secrets management and Boundary access into its hybrid-cloud portfolio. The deal closed in 2025.

The Change Healthcare ransomware attack, one of the most disruptive in US healthcare, started with compromised credentials on a server lacking MFA.

Microsoft finished renaming Azure Active Directory to Microsoft Entra ID and expanded the Entra family with Internet Access and Private Access.

Microsoft reported the Russia-linked Midnight Blizzard group accessed executive email after password-spraying a legacy test account without MFA.

23andMe attributed a large data exposure to credential stuffing against accounts that reused passwords and lacked MFA, later leading to settlements.

Okta disclosed that attackers accessed its support system using a stolen credential, exposing session tokens and prompting customers to harden configurations.

Tenable acquired Ermetic, folding cloud infrastructure entitlement management into its exposure-management platform.

Attackers reportedly reset an employee credential via the help desk to breach MGM Resorts, a high-profile example of social engineering defeating identity controls.

Thoma Bravo closed its ForgeRock purchase and combined it with Ping Identity, consolidating two enterprise access-management leaders under one owner.

Microsoft disclosed that a China-linked group, Storm-0558, forged authentication tokens using a stolen signing key to access email, intensifying scrutiny of token security.