From IGA Complexity to IVIP

Dr. Heiko Klarl

My Personal Lessons from the Gartner IAM Summit on Visibility, Intelligence, and the Future of Identity Governance

The discussions at the Gartner IAM Summit in Dallas, Texas (December 2025) converged around a shared message, delivered from different angles by Rebecca Archambault, Brian Guthrie, Nathan Harris, and Steve Wessels:

Identity Governance and Administration is no longer just an operational discipline. It is becoming the backbone of enterprise security, risk management, and compliance – and many organizations are not yet equipped to handle that shift.

IGA today is powerful, but it is also complex, fragmented, and often overwhelming. Enterprises rarely fail because they lack tools. They struggle because visibility is incomplete, intelligence is siloed, and action is too slow or too manual.

A Market Growing Faster Than Its Maturity

Gartner’s market outlook confirms how central IGA has become. The market is projected to reach USD 8.8 billion by 2026 and grow to more than USD 27 billion by 2033. This growth is driven by fundamental changes in how identities are created, used, and abused.

Human identities are no longer the dominant challenge. Machine identities, non-human identities, service accounts, workloads, APIs, and increasingly agents and Agentic AI now form a large and fast-growing part of the identity landscape. Combined with Zero Trust strategies, least-privilege enforcement, regulatory pressure, and AI-driven analytics, identity has become the primary control plane for enterprise risk.

IGA is now the largest vendor segment within IAM – yet Gartner data shows that most organizations still use less than half of the capabilities they already pay for.

The Expanding IAM Attack Surface

A recurring theme across the sessions was the IAM attack surface. Identity-related attack paths now span internal systems, cloud platforms, SaaS applications, third parties, digital supply chains, and AI-driven processes.

What makes this especially dangerous is that much of this surface is not directly visible. Risks are buried in fragmented monitoring tools, incomplete discovery of machine identities and agents, obscured credential usage, and weak linkage between identity data and security signals.

From an attacker’s perspective, these blind spots define opportunity. From a defender’s perspective, they represent unmanaged risk.

Visibility Is Foundational – But Not Sufficient

To address this challenge, Gartner repeatedly returned to the VIA model: Visibility, Intelligence, and Action.

Visibility means having a comprehensive, near real-time understanding of all identity types – human, machine, service, workload, and agentic – along with their entitlements, relationships, and activity. Intelligence builds on that foundation by applying analytics, AI, and context to determine what matters, what is risky, and what requires attention. Action is where insight becomes outcome: automated, auditable remediation that actually reduces exposure.

A key insight from the sessions was that visibility without intelligence creates noise, and intelligence without action creates reports – not results. Organizations that connect all three close audit findings faster, reduce unauthorized access, and respond to incidents more effectively.

Identity Visibility and Intelligence Platforms as the Missing Layer

This is why Gartner positions Identity Visibility and Intelligence Platforms (IVIP) as a critical evolution of IGA. IVIP is not meant to replace IGA, PAM, or access management. Instead, it acts as a unifying layer that aggregates identity-relevant data, correlates it across systems, applies intelligence, and enables prioritized action.

IVIP also plays a key role in reacting to signals – whether they originate from identity systems, security tooling, or shared signal mechanisms across the enterprise. By consuming and correlating such signals, organizations can move from static governance to continuous, signal-driven identity remediation.

Where the NEXIS Platform Fits

This is exactly the space addressed by Nexis.

The NEXIS Platform goes beyond classic IGA capabilities. It brings together identity visibility, intelligence, and governance while explicitly connecting IAM with broader GRC objectives. In addition to unified visibility across human identities, machine identities, and Agentic AI, NEXIS enables real-time segregation of duties enforcement, AI-assisted and explainable recertification, and continuous Identity Security Posture Management.

Beyond these core capabilities, the platform extends identity intelligence into adjacent but highly relevant domains. Features such as the License Killer turn identity insights into measurable cost optimization. Enterprise and Third-Party Risk Management capabilities connect identity data with internal and external risk contexts. Mapping identities, entitlements, and controls to policies – and to standards such as ISO 27001 or corporate governance rules – helps organizations align identity governance with enterprise strategy and regulatory intent.