KuppingerCole Analysts

As OT systems go online, controlling access becomes more critical than enabling it. In this episode of the Analyst Chat, KuppingerCole analysts Matthias Reinwarth and Warwick Ashford dive into one of cybersecurity’s most overlooked domains: OT (Operational Technology) security. As industrial systems become increasingly connected, the traditional boundaries between IT and OT are dissolving, bringing new risks and new security imperatives. Key Topics ✅ The rise of Secure Remote Access (SRA) in OT environments✅ Why VPN-based access falls short for industrial systems✅ Zero Trust and identity as the new security control plane✅ Regulatory drivers (e.g., NIS2) and auditability requirements✅ Convergence of PAM, SRA, and third-party access governance✅ The growing role of non-human identities in Industry 4.0 Identity is no longer just part of security, it is the control plane for modern cybersecurity.

In today's episode of the Analyst Chat, Matthias Reinwarth welcomes John Tolbert to take a deep dive into the rapidly evolving world of Consumer Identity and Access Management (CIAM). As organizations manage millions, or even billions, of identities, CIAM is shifting from a standalone capability to a core component of broader digital ecosystems. Key topics: ✅ Consumer vs. B2B IAM segmentation✅ Passkeys adoption and UX gaps✅ Identity lifecycle and account recovery✅ CIAM integrations and platform ecosystems✅ AI agents and identity governance Increasing scale, regulatory pressure, and user expectations are reshaping CIAM requirements. AI agents begin to act on behalf of users, introducing new risks, but also new opportunities for automation and innovation.

In the age of AI-generated content, the real challenge isn’t just detecting falsehood, it’s knowing what to trust at all. As deepfakes and disinformation scale, perception itself becomes a new attack surface. This week, Matthias Reinwarth and Jonathan Care explore how misinformation and disinformation are reshaping cybersecurity and enterprise risk. They clarify the difference between the two, examine how AI is accelerating the creation of deceptive content, and discuss why traditional trust models are breaking down. Key Topics ✅ Misinformation vs. disinformation: definitions and impact✅ Deepfakes, voice cloning, and synthetic identity risks✅ The “liar’s dividend” and erosion of trust✅ Emotional manipulation vs. factual accuracy✅ Enterprise attack vectors and real-world fraud cases✅ Pre-bunking, awareness training, and process-based defenses AI has industrialized deception: are your security controls keeping up? In a world of perfect fakes, trust is no longer a given, it’s a security problem.

The future SOC won’t replace humans with AI, it will empower us with AI-driven automation, accelerating detection and response while keeping humans in control of critical decisions. This week Matthias Reinwarth and Matthew Gardiner discuss the evolution of security automation with the introduction of AI SOC (Security Operations Center). They explore the challenges of alert fatigue, the importance of human oversight, and the cautious optimism surrounding AI's role in cybersecurity. The conversation delves into the balance between automation and human intervention, the trust issues associated with AI systems, and the current landscape of vendors in the AI SOC market. They conclude with insights on the future of AI in security and the potential impact on managed detection and response services. Key Topics:✅ Evolution from SOAR to AI-powered SOC✅ Using AI agents as junior security analysts✅ Managing alert fatigue and SOC analyst burnout✅ Balancing automation with human oversight✅ Explainability and trust in AI security systems✅ Impact of AI SOC on MDR and security service providers AI is reshaping SOC operations—but fully autonomous security is still far away. Discover why AI agents may become the “junior analysts” of the modern SOC, handling repetitive tasks while humans focus on complex decisions.

AI is everywhere, but are we using it the right way? In this Analyst Chat, Matthias Reinwarth speaks with CTO Alexei Balaganski about responsible AI usage, prompt engineering myths, data risks, and building a sustainable AI culture. From hallucinations to zero trust, this episode is your practical guide to using generative AI safely and effectively in business. Key Topics:✅ AI is mathematics — not intelligence✅ The biggest AI usage mistakes in companies✅ Data leakage & third-party risks✅ Prompt engineering made simple✅ Context limits & hallucinations✅ Building a responsible AI culture 💡Practice “Zero trust for AI”, skepticism is your strongest security control!💡AI can boost productivity, but only if you stay responsible, transparent, and in control.

Identity is no longer just about provisioning and single sign-on. Today’s organizations face fragmented IAM architectures, API sprawl, non-human identity growth, AI agents, and increasing Zero Trust demands. In this episode, Matthew Gardiner speaks with Binod Singh, Founder and Chairman of Cross Identity, about what the Identity Fabric really means and why it has become essential for modern enterprises. They discuss how legacy IAM environments evolved into siloed systems, why integration “tax” is becoming unsustainable, and how a federated, API-driven identity fabric architecture enables scalability, orchestration, and Zero Trust. You’ll learn:✅ What the Identity Fabric architecture actually is (and what it is not)✅ Why IAM silos and legacy systems create integration and security risks✅ How federated, API-based architectures improve interoperability✅ The rise of non-human identities and AI agents — and how to manage them✅ Why convergence and orchestration are critical for Zero Trust✅ How organizations can transition from fragmented IAM to a fabric model Whether you are a CISO, IAM architect, or security leader, understanding how to evolve toward an Identity Fabric approach is critical to reducing complexity, enabling Zero Trust, and future-proofing your identity strategy.

Access recertification is one of the most disliked processes in Identity & Access Management, and for good reason. In this episode, Matthias Reinwarth and Martin Kuppinger challenge the way organizations approach access reviews. Instead of endlessly optimizing broken campaigns, they ask a more fundamental question: What if we eliminated most of recertification altogether? Key topics:✅ Why traditional access certification campaigns fail✅ How overengineered role models create complexity and “rubber stamping”✅ Why 80–90% of entitlements can be automated via policy✅ How time-limited access dramatically reduces review effort✅ Where AI and usage analytics can safely remove unused permissions✅ Why static entitlements and standing privileges are the real root cause✅ How modern authorization (e.g., externalized policy models) changes the game The discussion also touches on the 50-year legacy of IBM RACF and why we still haven’t fully embraced externalized authorization — despite knowing better since 1976. If you struggle with 70-page access review PDFs, role explosion, or endless recertification campaigns, this episode offers practical, implementable guidance — much of it possible with capabilities you already have in place.

Shadow IT has evolved. Now it’s Shadow SaaS. Shadow AI. And it’s everywhere. In this week's episode of the KuppingerCole Analyst Chat, Matthias welcomes Matthew Gardiner for his first appearance to unpack one of the fastest-growing security domains: SaaS Security Posture Management (SSPM) and why that name may already be too narrow. Today’s organizations run on hundreds of SaaS applications. Many are sanctioned. Many aren’t. Some are connected via OAuth. Others are quietly leaking data through AI tools. And most security teams don’t have full visibility. In this conversation, we explore:✅ What SSPM actually means (and why the “PM” might be limiting)✅ How Shadow IT evolved into Shadow SaaS and Shadow AI✅ The intersection of identity and cybersecurity in SaaS environments✅ Misconfiguration risks, MFA bypass, OAuth sprawl & SaaS drift✅ Why continuous monitoring beats periodic audits✅ CASB vs SSPM vs CNAPP — where the lines blur✅ The growing governance challenge in AI-powered SaaS✅ Why SaaS security can’t be ignored anymore If your organization uses SaaS (spoiler: it does), this discussion is not optional.

Decentralized identity is moving from concept to reality, driven by the upcoming EU Digital Identity (EUDI) Wallet! But can digital identity truly become something we trust? Join us in this Road to EIC episode of the KuppingerCole Analyst Chat where Matthias speaks with Martin Kuppinger about what decentralized identity actually means, how EUDI Wallets work, and why their success depends on real business value. Tune in to learn how verifiable credentials, issuer-holder-verifier models, and privacy-preserving architectures could fundamentally reshape authentication, onboarding, and digital transactions across Europe. You’ll learn:✅ What decentralized identity and verifiable credentials actually are✅ How the EUDI Wallet changes control over personal data✅ Why trust depends on implementation, not just technology✅ The difference between mandatory use cases and real adoption✅ How businesses can reduce costs and streamline processes✅ Why success requires compelling everyday use scenarios✅ What organizations should do now to prepare Beyond government interactions, the real potential lies in transforming complex business processes, from onboarding and compliance to loans, contracts, and digital transactions using trusted, reusable identity data. The EUDI Wallet isn’t just a new login method, it’s foundational infrastructure for Europe’s digital economy. Watch now to understand what decentralized identity means for enterprises, citizens, and the future of trust online.

Authorization is changing, moving from static roles and provisioning to dynamic, real-time, policy-based decisions. But without standardization, modern authorization quickly becomes fragmented and unmanageable. In this episode of the Analyst Chat, Matthias Reinwarth is joined by David Brossard, contributor and co-chair of the OpenID AuthZEN Working Group, and Phillip Messerschmidt, Lead Advisor at KuppingerCole, to discuss how authorization is evolving — and why AuthZEN is a critical missing standard. You’ll learn:✅ Why RBAC is still relevant, but no longer sufficient on its own✅ How ABAC and PBAC address scalability, context, and dynamic access✅ Why role explosion and authorization silos limit visibility and governance✅ How runtime, continuous authorization supports Zero Trust architectures✅ What AuthZEN standardizes — and what it deliberately does not✅ How externalized authorization improves auditability and compliance✅ Why CISOs and architects should start asking vendors for AuthZEN support✅ How AuthZEN fits into the Identity Fabric and Road to EIC vision Authentication has been standardized for years — authorization is finally catching up. Watch now to understand how AuthZEN enables scalable, future-proof authorization for modern applications, APIs, and identity fabrics.

Quantum computing isn’t just a future threat to encryption, it’s a direct risk to identity and authentication. In this week's episode, Matthias is joined by Jonathan Care to explore why identity is the quantum bullseye and what organizations must do now to prepare for a post-quantum world. You’ll learn: ✅ Why authentication protocols depend entirely on cryptography✅ How “harvest now, decrypt later” (HNDL) already puts identity data at risk✅ Why identity, not data encryption, is the weakest point in a quantum future✅ What post-quantum cryptography standards (FIPS 203, 204, 205) change — and what they don’t✅ How Passkeys and FIDO2 are quietly becoming post-quantum ready✅ Why PKI, certificates, federation, and non-human identities face massive scale challenges✅ What crypto agility really means for IAM and Zero Trust✅ A practical 4-phase roadmap for CISOs to start preparing today  The biggest risk isn’t a future quantum computer — it’s the long-lived certificates and identity data issued today.

Zero Trust isn’t dead, it’s evolving. In this week's episode, Matthias Reinwarth joins Alexei Balaganski to explore why Zero Trust Network Access (ZTNA) is no longer enough and how Zero Trust Platforms are emerging as the next evolution of modern security architecture. In this episode, we explore: ✅ Why Zero Trust is a strategy, not a product✅ The limitations of ZTNA in modern hybrid and cloud environments✅ What defines a Zero Trust Platform✅ Universal access enforcement across human and non-human identities✅ Continuous trust evaluation and intelligent segmentation✅ Unified visibility, analytics, and policy enforcement✅ How vendors and organizations should think about Zero Trust moving forward 🚀 If you care about identity, cybersecurity, AI risk, or future-proof security architectures, this conversation is for you.