Identity in the AI Age: SailPoint Navigate 2025 Conference Update

10/07/2025

Principal Analyst


At Navigate 2025 in beautiful Austin, Texas, SailPoint took the opportunity to launch several meaningful products, focusing on the emerging threats in a rapidly evolving security ecosystem. The products are created through the lens that identity has become the new control plane for enterprise security. That vision makes sense. However, it also reveals some harsh truths that many are already grappling with – or will be soon. It was often stated this week that “standing access is technical debt.” This reinforces the notion that our historic static, role-based access management will soon be outdated as a leading practice. At the same time, we must recognize that many higher education institutions have not yet achieved the previous best practices in identity management.

Can institutions leapfrog their current state and adopt a modern identity security practice? In most cases, the higher education industry is not prepared to invest the resources to make this happen and truly protect students, faculty, and staff from the impact of breaches, fraud, and ransomware. It can be a tough sell to CFOs and boards, but the coming complexity and risk can’t be ignored.

I walked away with several key takeaways after hearing SailPoint’s perspective on their new offerings, as well as insights from SailPoint customers.

1. Identity is the New Attack Surface.

SailPoint makes a great point that identity has become the most critical attack vector. Most of us know it from experience. Phishing, smishing, and credential theft exploit people every day, and we’re all regularly trained on these risks. And in 2025, identity isn’t just about people. Bots, service accounts, and AI agents are proliferating across our environments, often outside of IT’s oversight.

These non-human identities can create even more vulnerabilities than a distracted employee clicking on the wrong link. Consider the risks of an AI agent being invoked that has access to data that the user does not have access to. The definition of “identity” is expanding faster than the tools and processes most organizations have in place to govern it.

SailPoint released five generally available products this week, which are targeted directly at addressing today’s added complexity and risk.

  • Agent Identity Security (AIS): Discover, govern, and certify AI agents just like human users.
  • Observability & Insights (O&I): A unified visibility plane powered by the identity graph, helping answer “who has access, how, and is it appropriate?” Using access permissions, system metadata, and broad enterprise datasets, this solution can dig deeper into the impact of specific identities and their access.
  • Atlas Enterprise: Advanced orchestration, adaptive approvals, and custom dashboards to bring identity context into security operations. Imagine your security operations center (SOC) or security team has deep visibility into activity and permissions.
  • Accelerated Application Management (SAAM): Fast, SaaS-based app onboarding with Savvy’s browser extension tech for visibility and compliance. This key capability, which SailPoint gained through its acquisition of Savvy, enables the integration of solutions and agents into the identity context quickly.
  • Privilege Security Posture Management (PSPM): AI/ML-driven discovery and classification of privileged entitlements; just-in-time access replaces standing privilege. In the most complex environments, AI and ML techniques can be used to find anomalies and understand their impact.
  • (Coming soon) Response & Remediation: Real-Time Authorization and Data Access Security.

This is a daunting number of products for customers to understand and implement, but more on that later. In the same year as their re-IPO in February, SailPoint’s product team is delivering quickly.

2. The Basics Still Matter, But the Scope Has Changed.

Strong authentication, least privilege, and monitoring will always be foundational. But the bar has been raised. It is no longer enough to control access for employees and contractors. Every identity must be governed, whether human, machine, or agent. I expect that as institutions begin to use agents, finding a way to manage access and reduce risk will rise in urgency this year and early next year.

I think SailPoint’s position that IAM platforms are the natural home for controlling agents is right – especially if that platform has ubiquitous access to the systems and data governed within the institution. They are building a platform that will put the discovery and controls in the hands of the security organization. Compared to the agentic control solutions being built by other enterprise vendors, this alignment achieves the most important control: what an agent can access and which humans can access it.

3. The Uphill Climb

A significant portion of SailPoint’s customer base across industries still runs on the on-premises IdentityIQ platform; most higher education institutions are running custom, fragmented identity ecosystems, even those that have commercial IAM solutions. Over the years, customers have invested considerable effort in customizing them by building workflows, embedding automation, and integrating them deeply into business processes. That investment makes it valuable, but it also makes moving to modern solutions, such as SailPoint’s platform Identity Security Cloud (ISC), feel daunting. This isn’t a patch or an upgrade. It is more like re-platforming ERP or HR to SaaS: complex, expensive, and risky. While SailPoint’s innovations are exciting, they are effectively out of reach until institutions find a way to plan and fund a complex implementation.

Each of the new products SailPoint announced aims to address a piece of the problem: discovering agents, providing visibility, embedding identity in incident response, and eliminating standing privilege. These are important steps, but they don’t change the fact that customers who remain on legacy solutions will struggle to take advantage of them.

The core message from Navigate is right: static governance of human identities is no longer enough. Identity needs to become the heart of enterprise security.

So What Should Institutions Do Now?

  • Be honest about your starting point. If you’re still on a legacy platform (or no platform), build a roadmap to SaaS, even if it takes years. Without it, the next generation of identity tools will remain out of reach.
  • Reframe how you think about risk. The front door isn’t where attackers come in anymore. They’re coming in through identity. Make sure leadership sees identity as a top-tier attack surface.
  • Have conversations about how individuals and departments are using agentic AI. You have to understand where the demand is based on the value that these tools bring, and counsel users on immediate and long-term implications on institutional security needs.
  • Expand your scope. Don’t stop at employees and contractors. Build processes now to discover, govern, and certify bots and AI agents before they become unmanageable.

This wave of technology innovation feels like many past technological waves. When I was a mainframe programmer, my departmental customers bought personal computers before IT did. Then, departments stood up client-server solutions in closet data centers. A few years later, users adopted SaaS solutions by clicking through agreements, then loaded institutional data into them without any concern for the security of that data. Recently, individuals in every organization (yes, yours) have been accessing GPT solutions without understanding the destination of the data they have included in their prompts. Keeping up with these waves from a security, spend, and knowledge perspective has always been difficult. This wave brings more risk, faster, at a moment when the attackers are more sophisticated.

Identity has always revolved around the question, “Who gets access to what?” Now the stakes are higher with the rapid pace, vast scale, and complexity of agentic AI being added to the mix. Institutions that grasp this reality and take proactive steps will be positioned for future success. Meanwhile, those who delay will find themselves scrambling to keep up as their institutions adopt this technology, whether governed or ungoverned.


Originally posted by Dave Kieffer on LinkedIn. Be sure to follow him there to catch all his great industry insights.

 

Dave Kieffer spearheads research focused on finance and HCM applications, data management, and other critical higher education technologies at Tambellini Group. He brings more than 30 years of creating, implementing, and managing enterprise-class applications in higher education. His experience includes all levels of applications development and management in higher education. Among other things, he has been responsible for ERP implementations, mobile and web development, application architecture, and integration technologies.
