Takeaways from Gartner SRM and Identiverse 2026
The identity security community showed up this season, and so did we. From the Gartner Security and Risk Management Summit in National Harbor to the sessions at Identiverse in Las Vegas, the 1Kosmos team was on the ground for both.
What struck us was how consistent the conversations were across both events: identity has moved from a supporting function to the center of enterprise security strategy.
Here’s what we took away.
Face-to-face still changes everything
Gartner SRM set the tone. The booth conversations were substantive, the interest was real, and the energy on the floor matched what we are hearing from the market. We co-hosted a Happy Hour at Harbor Social with our friends at Simeio, which gave everyone a chance to decompress and connect outside the conference sessions.
As our head of events, Jen Boulay, shared afterward:
"Events like Gartner SRM remind us why face-to-face connections matter."
That applies to the serious conversations too. One thread that kept surfacing across the week was kids' digital safety, and the passion people brought to that topic was genuinely encouraging. We’re excited to see the next season of 1Kids Cyberspace Academy roll out for the same reason.
The industry's question is changing
Identiverse 2026 felt like a turning point in how practitioners and vendors talk about identity. In previous years, most sessions focused on getting IAM to work: MFA rollouts, access reviews, privileged access governance, cloud migration. That work is still happening, but the framing at the conference has shifted.
Our COO, Huzefa Olia, captured it this way:
"The conversation has shifted from 'how do we make identity work?' to 'how do we know which identity to trust, at what moment, for what action, and with what accountability?'"
That is not a small change. It reflects a maturing market where the mechanics of implementation are no longer the hard part. Attribution, trust, and proof are.
The machine identity gap is real and growing
One of the most consistent signals at Identiverse was the scale of the non-human identity problem.
Human workers are no longer the majority of identities enterprises need to manage. Service accounts, bots, and integrations already outnumber people in most large organizations, and AI agents are set to widen that gap considerably. Several sessions raised the possibility that enterprises could soon be managing scores of agents for every human employee.
The challenge is that the IAM frameworks built over the last two decades were designed for people: employees, contractors, partners, customers. AI agents fall outside that model entirely. They can take autonomous action, access sensitive data, call external APIs, hand off tasks to other agents, and do all of it faster than any human oversight process can track.
As Huzefa noted, "that creates a new accountability problem," and the industry is only beginning to work through the implications.
Agents need real identities, not inherited trust
The argument Huzefa brought back from Identiverse is one we have been building toward at 1Kosmos: AI agents cannot keep being treated as service accounts or background automation. They need to be first-class identities, with the same governance rigor we apply to human workers.
In practice, that means each agent needs a unique identity, a human owner or sponsor, a clearly scoped purpose, least-privilege access, short-lived credentials, runtime monitoring, delegated authorization, and a complete audit record that connects intent to action to proof.
The current default, long-lived API keys and client secrets, does not meet that bar. API keys, client secrets, and shared service accounts "do not provide enough attribution, lifecycle control, or runtime trust," as Huzefa put it.
The path forward points toward workload-based credentials with short lifespans, verifiable at runtime; standards like SPIFFE for machine identity; OAuth-based delegation frameworks; continuous authorization rather than point-in-time access grants; and observability that reflects what identities actually did, not just what policy said they could do.
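To make the requirements in the last three paragraphs concrete, here is an added example (not 1Kosmos code, and not from the conference sessions) of a short-lived agent credential that binds a unique agent ID, a human owner, a delegating user, a purpose, and scopes, and is checked at the moment of use with an audit record for every decision. The HMAC key stands in for a real issuer such as a SPIFFE or OAuth deployment; the claim names, the 5-minute TTL policy, and all sample values are assumptions.

```python
import base64, hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key"  # constructed; a real issuer keeps an asymmetric key in a KMS/HSM
MAX_TTL = 300                          # assumed policy: agent credentials live at most 5 minutes

def _sign(body: bytes) -> bytes:
    return base64.urlsafe_b64encode(hmac.new(SIGNING_KEY, body, hashlib.sha256).digest())

def issue(agent_id, owner, on_behalf_of, purpose, scopes, ttl, now):
    """Mint a credential only if the agent has a unique ID, a human owner and a short TTL."""
    if not agent_id.startswith("spiffe://"):
        raise ValueError("agent needs a unique SPIFFE-style ID, not a shared account name")
    if not owner or not 0 < ttl <= MAX_TTL:
        raise ValueError("a human owner and a short lifetime are mandatory")
    claims = {"sub": agent_id, "owner": owner, "act_for": on_behalf_of,  # hypothetical claim names
              "purpose": purpose, "scopes": sorted(scopes), "iat": now, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body).decode()

def authorize(token, action, now):
    """Evaluate the credential at runtime; every call yields an audit record, allowed or not."""
    record = {"action": action, "at": now, "allowed": False, "reason": ""}
    try:
        b64_body, sig = token.split(".")
        body = base64.urlsafe_b64decode(b64_body)
    except ValueError:                 # wrong shape or invalid base64
        record["reason"] = "malformed"
        return record
    if not hmac.compare_digest(sig.encode(), _sign(body)):
        record["reason"] = "bad signature"
        return record
    claims = json.loads(body)          # parsed only after the signature checks out
    record.update(agent=claims["sub"], owner=claims["owner"],
                  on_behalf_of=claims["act_for"], purpose=claims["purpose"])
    if now >= claims["exp"]:
        record["reason"] = "expired"
    elif action not in claims["scopes"]:
        record["reason"] = "out of scope"
    else:
        record["allowed"], record["reason"] = True, "ok"
    return record

if __name__ == "__main__":
    t0 = 1_000_000                     # constructed timestamp
    tok = issue("spiffe://example.org/agent/invoice-bot", "alice@example.org",
                "bob@example.org", "invoice reconciliation", ["invoices:read"], 120, t0)
    for act, when in [("invoices:read", t0 + 60), ("payments:write", t0 + 60), ("invoices:read", t0 + 120)]:
        print(authorize(tok, act, when))
```

Unlike a long-lived API key, each audit record here names the agent, its human owner, and the person it acted for, which is the attribution the quoted requirements ask for.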
The next accountability question
Huzefa's prediction from the conference floor is worth sitting with:
"The next major wave in IAM will be about agent accountability. Not just 'Can this user log in?' Not just 'Does this workload have a certificate?' But: 'Can this autonomous actor be trusted to perform this task, in this context, on behalf of this human or business process, and can we prove it?'"
That’s the question the market is moving toward, and the question we are building answers for. We’ll see everyone at the next round of events and continue to bring real solutions to the table.
About the author

1Kosmos
1Kosmos enables remote identity verification and passwordless multi-factor authentication for users to securely transact with digital services.



