- Passkeys, AI-driven governance, and verifiable credentials are set to dominate identity security by 2026, according to SailPoint’s Rex Booth.
- Deepfakes, machine identities, and IoT expansion are forcing a move away from static authentication methods.
- CISOs are increasingly becoming custodians of both identity security and digital trust across enterprises.

Traditional login passwords are becoming weaker in the face of new security threats. In a recent interview, SailPoint’s Rex Booth said that by 2026 we will move from traditional passwords and other login credentials to passkeys, AI-based security governance, and real-time trust models.
Identity Governance Moves to Center Stage Using Artificial Intelligence
As companies continue searching for better ways to stay secure in a rapidly evolving landscape, manual approaches to permissions (i.e., manual access reviews) and role/permission schemes have become too time-consuming and error-prone.
By 2026, Booth expects AI-driven IGA (Identity Governance & Administration) to be the norm for all companies: AI systems will continually evaluate user activity, access, and risk signals, allowing companies to grant and withdraw a person's access in real time based on those evaluations.
Organizations will stop granting employees long-lasting privileges, which hackers can exploit. Instead, they will adopt a just-in-time access model that reduces the attack surface, lowers the risk of insider threats, and improves operational efficiency.
Deepfakes Accelerate the Rise of “Liveness” Biometrics
As deepfake technology advances, it weakens the reliability of traditional biometric verification methods (facial images, voice prints), so static biometrics are becoming less important in high-risk scenarios.
In response, organizations must implement various “liveness” detection techniques, including multi-frame facial analysis and advanced voice pattern recognition.
Authentication processes will transition from a focus on confirming someone’s identity to verifying that the individual present for authentication is actually a real, live human being.
Password-less Authentication Becomes the Standard
For years, many people have talked about doing away with passwords for good. It is probable that passwords will not be an acceptable form of authentication for accessing online resources after 2026.
More and more services will use passkeys for access control, and their combination of usability and security will contribute to the rapid rise of passkey-based authentication across the internet and the cloud.
Passwordless authentication will become the normal way of verifying users, which means users will rarely need to enter a password.
In addition, users will be able to complete authentication with their own mobile devices, using biometrics and/or other authentication methods, rather than needing to remember a password.
Organizations Start Paying Attention to Decentralized Identities
Developers originally created decentralized identity solutions for payment systems in the cryptocurrency and blockchain sectors.
According to Booth, decentralized identifiers (DIDs) and self-sovereign identities (SSIs) can play an important role in streamlining the onboarding process and reducing data-related risks.
With verifiable credentials, individuals can provide organizations with their identity information (for example, educational credentials, employment history, and access permissions) while retaining ownership of this information, which is held in a secure digital wallet and cryptographically verified.
This allows organizations to avoid relying on centralized databases, which are common targets for cyber attackers.
However, the move toward decentralization and user-controlled data also aims to dismantle the legacy of opaque, anonymous transactions that have fueled some of the most notorious criminal marketplaces on the dark web.
Why Identity is Becoming the New Perimeter
In a zero-trust architecture, identity becomes the primary enforcement layer, in place of a traditional network perimeter.
The rapid pace of technological development today, along with constant shifts in the nature and types of threats facing organizations, from sophisticated deepfakes to major data breaches that spill onto the dark web, is ushering in a new era of security, where identity is going to play a central role.
In 2026, organizations will focus their cybersecurity strategies on protecting identities.
This change will also transform the role of the Chief Information Security Officer from one focused primarily on traditional security responsibilities to broader trust, privacy, and digital risk management functions.
Organizations that view identity as a critical and strategic asset (rather than simply part of IT) will be in the best position to respond to the rapidly evolving threat landscape, as identity controls will become built into application development cycles.