This week marks a turning point for the identity world. After years of incremental updates and quiet roadmap shifts, the past month delivered a cluster of moves that signal a much larger realignment. Funding, acquisitions, new attack patterns, and early research breakthroughs all point to the same conclusion. Identity is widening. It is no longer a question of who logs in. It is becoming a question of who or what holds power inside your systems, how that power is granted, and how quickly it drifts.
The most visible move came from Saviynt. Their seven hundred million dollar raise at a multibillion valuation is not a normal funding event. It is a statement that governance is no longer optional and that enterprises are waking up to the scale of their identity debt. When a governance platform pulls that much capital in one shot, it signals that boards, auditors, and security leaders see the next decade of risk forming around access, entitlements, and the messy operational reality of identity sprawl.
Another major shift arrived with ServiceNow’s decision to acquire Veza. The Access Graph technology is not a cosmetic feature. It is a unifying layer that exposes effective permissions across human users, machine identities, AI agents, and SaaS applications. Folding this into a control plane used by thousands of enterprises suggests a future where identity visibility becomes a native part of broader operational platforms rather than a standalone security purchase. This is a quiet move with long consequences.
Okta delivered strong earnings in the same period. Revenue and performance obligations rose, the business signaled operational stability, and yet the market reaction was muted. You can feel a shift in investor psychology. Pure identity vendors now face a world where authentication is mature, the perimeter is dissolving, and new budgets are forming around governance, SaaS exposure, and non-human identity. Strong execution is not enough. The category is transforming under their feet.
On the threat front, the most important story of the month emerged from a campaign exploiting OAuth token flows to bypass traditional identity protections. Groups like ToddyCat are demonstrating how persistent attackers now target the connective tissue between SaaS applications rather than the login screen itself. Stolen tokens, long-lived credentials, and poorly monitored SaaS integrations are proving to be the weak points in modern identity. Many organizations have solved the wrong problem. Their MFA is strong, their conditional access is polished, and their OAuth hygiene is nonexistent.
This aligns with a broader trend. More organizations are reporting that their biggest exposure is not the user who logs in but the invisible service account that moves data between systems. The OAuth token that never expires. The integration nobody knows exists. The misconfigured workflow granted by an engineer three quarters ago. The shift toward non-human identity is accelerating far faster than most IAM programs are prepared for. It is becoming normal to see companies with three times more machine identities than humans, each with privileges that never undergo review.
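The exposures listed above (the token that never expires, the integration nobody owns, the privilege that never undergoes review) are each a checkable condition on a grant inventory. As an added example, not part of the original newsletter, this script audits a constructed inventory; the field names and the 90-day and 365-day thresholds are assumptions, not any vendor's schema or policy.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory; field names are assumptions, not a vendor schema.
NOW = datetime(2025, 12, 1, tzinfo=timezone.utc)
GRANTS = [
    {"client": "crm-sync", "owner": "data-eng", "scopes": ["files.read"],
     "issued": NOW - timedelta(days=30), "expires": NOW + timedelta(days=60),
     "last_review": NOW - timedelta(days=20)},
    {"client": "legacy-export", "owner": None, "scopes": ["files.read", "mail.read"],
     "issued": NOW - timedelta(days=400), "expires": None, "last_review": None},
    {"client": "ticket-workflow", "owner": "it-ops", "scopes": ["users.write"],
     "issued": NOW - timedelta(days=280), "expires": NOW + timedelta(days=3650),
     "last_review": None},
]

def audit_grant(grant, now, review_window=timedelta(days=90),
                max_lifetime=timedelta(days=365)):
    """Return the list of hygiene findings for one grant (empty list = clean)."""
    findings = []
    if grant["expires"] is None:
        findings.append("never-expires")      # token with no expiry at all
    elif grant["expires"] - grant["issued"] > max_lifetime:
        findings.append("long-lived")         # expiry exists but is too far out
    if not grant["owner"]:
        findings.append("no-owner")           # integration nobody is accountable for
    reviewed = grant["last_review"]
    if reviewed is None:
        findings.append("never-reviewed")     # privileges never went through review
    elif now - reviewed > review_window:
        findings.append("review-overdue")
    return findings

def audit(grants, now):
    """Map client name -> findings, keeping only grants with at least one finding."""
    report = {g["client"]: audit_grant(g, now) for g in grants}
    return {client: found for client, found in report.items() if found}

if __name__ == "__main__":
    # Worst offenders first.
    for client, found in sorted(audit(GRANTS, NOW).items(), key=lambda kv: -len(kv[1])):
        print(f"{client}: {', '.join(found)}")
```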
At the same time, the industry is doubling down on passwordless adoption. The major platforms continue to push passkeys deeper into everyday authentication, and the incentives are finally strong enough for enterprises to take the leap. The story here is not just user experience. It is the growing acknowledgement that password-based identity remains the most expensive and least defensible legacy in the stack. As customer identity and workforce identity converge in technique, the pressure to simplify and harden authentication will only rise.
Meanwhile, research circles are proposing new models that break from the classic IAM patterns entirely. The recent work on cross-domain authorization frameworks like POLARIS is worth watching. As companies adopt multi-cloud, AI-driven workflows, and distributed teams, the old assumptions of centralized directories and rigid entitlements begin to fail. Identity is evolving toward dynamic, policy-based, verifiable credentials that operate across boundaries. It is still early, but it is a sign of where the architecture conversation is heading.
Taken together, these developments reveal a clear picture. Identity is shifting into a wider surface area. The core issues are no longer authentication or federation. The center of gravity now sits in permissions, machine identity, SaaS sprawl, and the operational ability to understand who or what actually has access inside an enterprise. Companies that treat identity as a login problem will fall behind. Companies that treat identity as a living control plane will define the next standard.
This is the first edition of IdentityGazette. Each week you will get a clear view of what actually matters across the identity industry. Not just the old guard. Not just the startups. The entire landscape. If you work in identity, this is your weekly operating brief.
