IAM history: the four waves

A walk through IAM's evolution in four waves — from the IT optimization of the 90s to today's Identity Security. Why understanding the history helps you read the present-day decisions you'll find in any organization.

Why read the history of a technical domain

There’s a pattern that repeats in any organization with more than ten years of life: you open an IAM console and find three things mixed together. A provisioning tool nobody knows who installed but “has always been there,” an access certification initiative born after an external audit, and a recent universal-MFA project that keeps stumbling forward. Each of those things belongs to a different wave of IAM.


If you don’t know the history, you’ll think it’s all noise and disorder. If you know it, you see geological layers: every tool and every practice answers a concrete question the industry was asking at that moment in time. That lets you predict, with surprising accuracy, what problems the organization has today and which ones it will have tomorrow.


In this article we walk through the four waves that took IAM from a humble IT-optimization project in the 90s to the Identity Security discipline we see today. Each wave responded to a crisis or to a new pressure from the environment, and each one left residue in the form of practices, products, and decisions that still surround us.



Big picture: the four waves

IAM evolved in four overlapping waves: IT Optimization (cut costs), Governance (pass audits), Security (stop breaches), and Identity Security (treat identity as the unified control plane). Each wave layered on top of the previous one rather than replacing it.


Before getting into each one, look at the full panorama. The dates are approximate — organizations don’t migrate in lockstep and there are always laggards and early adopters — but as a mental map they work.


timeline
  accTitle: Four waves of IAM from 1990 to present
  accDescr: A timeline showing four successive waves of IAM evolution — IT Optimization (1990–2005), Governance (2005–2015), Security (2015–2022), and Identity Security (2022–present) — each with its defining tools and practices.
  title The four waves of IAM (approximate dates)
  1990-2005 : Wave 1 — IT Optimization : SSO + basic provisioning
  2005-2015 : Wave 2 — Governance : IGA + regulatory compliance
  2015-2022 : Wave 3 — Security : MFA + PAM + Zero Trust
  2022-present : Wave 4 — Identity Security : ITDR + NHI + AI agents
A timeline of the four waves of IAM. Each wave builds on the previous one; it doesn't replace it.

Wave 1 tools are still alive; Wave 2 tools are the foundation of current compliance programs; Wave 3 tools are the day-to-day of the modern SOC. Wave 4 unifies them under a broader umbrella.


The common pattern

If you look at the four waves from enough distance, you’ll notice a pattern:

  1. An external crisis creates pressure on organizations (costs, laws, breaches, AI).
  2. New tools and practices appear to solve what the previous wave didn’t address.
  3. Emblematic vendors emerge that capitalize on that moment (Tivoli, SailPoint, Okta, CrowdStrike Identity).
  4. After a few years, the solution becomes “the new normal” and the next crisis starts pressing.

Carrying this pattern in your head lets you read industry headlines with judgment. When an analyst says “this is the new wave of X,” what they’re describing almost always is a phenomenon that meets the four points above.


Wave 1 — IT Optimization (~1990–2005)

The problem that triggered it

In the late 90s, mid-sized and large companies lived a daily pain that was simple but expensive: employees had too many usernames and passwords. Every corporate application — the ERP, email, the internal portal, the HR system, the ticket system — came with its own authentication system. A typical employee maintained between 5 and 15 different accounts, with passwords they constantly forgot.


The result: the help desk became a bottleneck. Studies of the era estimated that up to 30 to 40% of support tickets were just password resets. Each reset cost between $25 and $70 in operator time, according to Gartner and Forrester reports of the decade. A 5,000-employee company could be spending several million dollars a year on what was essentially a repetitive task.


The industry’s response

The conversation centered on IT optimization: how to reduce help-desk operating cost and improve user productivity. The solutions that emerged:

  • Single Sign-On (SSO): a single authentication to access multiple applications. Early versions were web SSO with cross-domain cookies; later it extended to enterprise applications via proprietary connectors.
  • Basic automated provisioning: when an employee onboarded, scripts created their accounts in the main systems. When they left, the scripts deactivated them.
  • Password self-service: the employee could reset their password without a ticket, by answering security questions (“what was your first pet’s name?”).
  • Centralized directories: Microsoft’s Active Directory (launched in Windows 2000) consolidated this pattern. LDAP, already standardized, was its query language.

Emblematic vendors of the wave

VendorProductCharacteristic contribution
MicrosoftActive Directory (Win 2000)Massively adopted centralized directory
Sun MicrosystemsSun Identity ManagerEnterprise provisioning
Tivoli (IBM)Tivoli Identity ManagerComprehensive account management
NovelleDirectoryMulti-platform directory popular on mainframes and Unix
Computer AssociateseTrust AdminEarly identity suite

A story to fix the wave in your mind

Picture a home-appliance manufacturer in 2002, with 3,000 employees distributed across five plants. The IT director walks into a meeting with two numbers under his arm: “last year we spent $1.8M on help-desk operations, and 38% of tickets were password resets.” The CFO asks: “what do we do about it?”. The answer: buy Sun Identity Manager, install password self-service, integrate every app to the corporate directory. Three years later, tickets dropped by 60%, the ROI was obvious, and nobody questioned the investment.


That conversation, multiplied across thousands of companies, was what funded Wave 1.


What this wave didn’t solve

Wave 1 was very successful at its goal: help-desk tickets dropped and employees could get into their apps with less friction. But it left two huge gaps:

  • There was no governance: once access was granted, nobody reviewed whether it was still needed. Employees accumulated privileges as they changed teams (what we today call privilege creep).
  • Security was an add-on, not the center: passwords were sometimes stored without proper hashing, MFA didn’t exist, privileged accounts lived in shared spreadsheets.

Those two gaps would become the engine of the two next waves.



Wave 2 — Governance (~2005–2015)

The problem that triggered it

In the early 2000s, a series of accounting scandals (Enron in 2001, WorldCom in 2002) shook the trust in corporate financial reporting in the United States. The legislative response was the Sarbanes-Oxley Act (SOX) of 2002, which required publicly traded companies to have demonstrable internal controls over their financial systems. SOX was soon accompanied by other regulatory pressures: HIPAA in healthcare, Basel II in banking, and later GDPR in European privacy.


Suddenly the question for many organizations changed. It was no longer “how do I reduce help-desk time?”, but:

  • Who has access to which financial systems?
  • Who approved that access and when?
  • Is it still needed today?
  • Are there people who can record AND approve the same payment (a classic fraud case)?
  • How do I prove that to an external auditor?

Wave 1 tools couldn’t answer those questions. They were designed to create accounts, not to watch them.


The industry’s response

A new category was born: IGA (Identity Governance and Administration). Its mission is to answer the questions above with auditable evidence. The components that became standard:

  • Access certification (recertification): every so often (typically quarterly or semiannually), managers or application owners review their people’s access and approve or revoke.
  • Access request with approval workflow: any new access goes through a workflow where the user requests, their manager approves, and optionally the app owner reviews.
  • Separation of Duties (SoD): rules that detect toxic combinations of permissions. “Create vendor + approve payment” in SAP is the classic combination SOX came to chase.
  • Continuous audit: logs of every access change, exportable to external auditors.
  • Role modeling: instead of managing individual permissions, functional roles are created (“accounting analyst”) that group accesses.

Emblematic vendors of the wave

VendorYearCharacteristic contribution
SailPointFounded 2005IdentityIQ, IGA leader for a long time
AveksaFounded 2005, acquired by RSA in 2013Pioneered access certification
CourionFounded 1996, repositioned in the 2000sAccess Risk Management
SaviyntFounded 2010Cloud-native IGA, born already thinking about SaaS
OracleIdentity ManagerIntegrated enterprise suite

How it played out in practice

Anyone who worked at a publicly traded company between 2005 and 2015 knows the words “certification campaign.” It was that period (sometimes two weeks, sometimes a month) when every manager received lists of their direct reports’ accesses and had to approve or revoke them one by one, row by row, in an IGA tool. It was tedious, generated a lot of resistance, and many managers ended up approving everything in bulk (“approve all”) just to finish on time.


That experience produced two important effects:

  1. Identity governance became a serious project inside IT: modern Identity Programs are born here.
  2. The industry realized that mass certification without context wasn’t very effective. That planted the seed of risk-based certification that we’ll see in Wave 4.

What this wave didn’t solve

IGA was very good at answering “who has access to what and why?”. But it kept leaving gaps:

  • It didn’t detect misuse: a person with legitimate access who abused it raised no alerts. SoD detected toxic combinations but not actual malicious activity.
  • It was designed for employees: service accounts, machine identities, external customers — all stayed outside.
  • The cloud was a blind spot: many traditional IGA platforms struggled to connect to cloud SaaS providers, which were growing in parallel.


Wave 3 — Security (~2015–2022)

The problem that triggered it

The years between 2013 and 2017 brought an avalanche of breaches that changed the conversation of the entire industry:

  • Target (2013): 40 million credit cards stolen. The initial vector: credentials of an HVAC vendor.
  • OPM (2015): 21.5 million US federal employee records exposed, including national security clearance files. Use of stolen valid credentials.
  • Anthem (2015): 78.8 million medical records. Spear phishing aimed at an administrator.
  • Equifax (2017): 147 million people. Although they entered through an Apache Struts vulnerability, the attacker moved laterally using internal credentials.
  • Marriott (2018): 500 million guests. Persistent access for 4 years.

The pattern became obvious: attackers no longer broke perimeters, they got credentials and logged in. Wave 1 and Wave 2 tools weren’t designed to defend against that vector. Meanwhile, cloud and remote work eroded the network perimeter — the topic we already covered in the second article of this series.


The industry’s response

The conversation pivoted to identity as the security plane. The solutions that became standard:

  • Universal MFA: no longer optional for administrators, but mandatory for every person. Platforms like Duo (founded 2010) and Authy grew explosively. Push notifications, TOTP, and gradually FIDO/WebAuthn.
  • PAM (Privileged Access Management): administrative accounts were treated as ultra-high-value assets. Credential vaults, session recording, automatic rotation.
  • IDaaS (Identity as a Service): the IdP in the cloud. Okta (founded 2009, IPO 2017) led this category alongside Microsoft Entra (then Azure AD) and Ping Identity.
  • Zero Trust: NIST published SP 800-207 in August 2020, formalizing what Google and others had already been practicing with BeyondCorp since 2014.
  • Modern federation: SAML first, then OIDC, became critical infrastructure to connect the SaaS ecosystem.

Emblematic vendors of the wave

VendorFocusWave milestone
OktaIDaaS / SSOIPO in 2017, symbol of the new category
CyberArkPAMClear leader of the privileged segment
Duo SecurityMFAAcquired by Cisco in 2018 for $2.35 billion
MicrosoftAzure AD / EntraEntra ID became the de facto IdP of the Microsoft 365 world
BeyondTrustPAMTogether with CyberArk and Delinea, the three big PAM names

The mindset shift

What started as “let’s add MFA” ended up being a complete redefinition of how security is thought of. Three phrases born in this wave that are still alive:

“Identity is the new perimeter.”

“Assume breach.”

“Never trust, always verify.”


Each one summarizes a deep shift. The first, that the network no longer protects; the second, that you have to design as if the attacker is already inside; the third, that verification doesn’t end at login but continues at every decision.


What this wave didn’t solve

Wave 3 was tremendously successful at raising the security bar. But gaps remained:

  • Identity threat detection was immature: you had MFA, but if someone managed to bypass it (with MFA bombing, AitM, etc.) the system didn’t necessarily detect it.
  • NHI stayed in the background: PAM covered human administrators, but machine identities, workloads, and secrets in code were still a minefield.
  • Platforms remained silos: AM, IGA, and PAM were separate products from different vendors, with little integration.


Wave 4 — Identity Security (~2022–present)

What’s triggering it

We’re living this wave right now, so what follows is tentative reading more than consolidated history. Three concurrent forces define it:

  • Sophisticated attacks on identity infrastructure: SolarWinds (2020), the Okta breach (2022), Lapsus$, MOVEit (2023), Snowflake (2024). Attackers are now attacking the IdP itself, not just users.
  • Explosion of non-human identities: cloud workloads, microservices, AI agents. The question shifts from “who is this user?” to “how many machine identities does my organization have and what can they do?”.
  • Industrialized ransomware: professional groups with ransomware-as-a-service offerings. Attack ROI is so high that defense investment is directly proportional.

On top of this, there’s a growing expectation that identity not only protects, but enables the business: that digital identities open new channels (embedded banking, platform ecosystems, AI agents serving the customer) instead of only setting up barriers.


The emerging response

Wave 4 is producing new categories that haven’t yet settled, but already have recognizable names:

  • Identity Threat Detection and Response (ITDR): the automated eye over the identity plane. Gartner formalized the category in 2022.
  • Identity Security Posture Management (ISPM): continuous visibility of risk in identity infrastructure. Do you have shadow admins? Are there active golden tickets? How exposed are you?
  • Identity Fabric: an architectural approach promoted by Gartner since 2021 that seeks to unify AM, IGA, PAM, and ITDR under a single control plane with consistent policies and observability.
  • Mass passkeys: Apple, Google, and Microsoft pushing passkeys as a password replacement. Exponential adoption in CIAM.
  • NHI security platforms: a new category of companies (Astrix, Token, Oasis) focused exclusively on governing machine identities.
  • AI agent identity management: still no standard, but every major player is building capabilities.

Representative vendors

CategoryExamples
ITDRMicrosoft Defender for Identity, CrowdStrike Falcon Identity, Silverfort, Semperis
ISPMWiz Identity, Microsoft Entra Permissions Management, Sonrai
NHI SecurityAstrix, Token Security, Oasis Security
Identity FabricStrategy of Okta, Ping, ForgeRock, SailPoint

The narrative shift

There’s a subtle but important difference between Wave 3 and Wave 4. Wave 3 was defensive (“identity is the perimeter that has to be protected”). Wave 4 adds an enabling component: well-designed identity allows things that were previously impossible.

  • Offering embedded banking inside a retail app without the bank giving the retailer access to the customer database — only signed claims.
  • Launching AI agents that act on behalf of the customer with precise, revocable scopes.
  • Creating multi-tenant ecosystems where each organization keeps control of its data but shares services.

That’s what’s now called “Identity Security” (capital I, as an umbrella concept) or also “Identity-First Security”.


How the waves stack up

A useful closing image. Each wave doesn’t replace the previous one — it layers on top of it. Like geological strata, the deeper layers are still there, holding everything above them up. The schematic below shows that stacking the way you’d find it in a modern organization.


A hand-drawn diagram of four stacked horizontal slabs representing geological layers. From bottom to top: a wide slab labeled Wave 1 — IT Optimization (SSO, AD, provisioning); above it a slightly narrower slab labeled Wave 2 — Governance (IGA, certifications, SoD); above that Wave 3 — Security (MFA, PAM, Zero Trust, IDaaS); on top Wave 4 — Identity Security (ITDR, ISPM, NHI, AI agents). A thin dashed band at the very bottom is labeled foundations: identities, attributes, credentials. Short vertical arrows labeled 'relies on' connect each slab to the one below it.
Each wave relies on the capabilities the previous one brought. Wave 4 has no traction without Wave 3, which has no traction without Wave 2 — its immediately preceding layer.
A hand-drawn diagram of four stacked horizontal slabs representing geological layers. From bottom to top: a wide slab labeled Wave 1 — IT Optimization (SSO, AD, provisioning); above it a slightly narrower slab labeled Wave 2 — Governance (IGA, certifications, SoD); above that Wave 3 — Security (MFA, PAM, Zero Trust, IDaaS); on top Wave 4 — Identity Security (ITDR, ISPM, NHI, AI agents). A thin dashed band at the very bottom is labeled foundations: identities, attributes, credentials. Short vertical arrows labeled 'relies on' connect each slab to the one below it.

Reading the schematic: there’s no point talking about Identity Security (Wave 4) if your organization doesn’t yet have universal MFA (Wave 3), and no point talking about MFA if joiners and leavers aren’t processed automatically (Wave 1). The order matters.


What this wave hasn’t yet solved

It’s premature to take stock because we’re still in it, but tensions are already noticeable:

  • Complexity accumulates: organizations have IAM tools from all four waves coexisting, with fragile integrations.
  • AI agent identity is a new problem without mature solutions. Whoever solves it well will probably be the SailPoint or Okta of the next ten years.
  • Talent is scarce: few professionals understand the four waves at the same time. That’s exactly what this program is trying to develop.

How to apply this historical knowledge

Beyond curiosity, knowing the waves has three concrete practical uses.


1. Quick organizational diagnosis

When you walk into a new organization, watch for these signals:

Observed signalLikely wave
Password reset by security questions, no MFAWave 1 still dominant
Quarterly certification campaigns but no ITDRWave 2, missing Wave 3
MFA everywhere but ungoverned NHIWave 3 mature, Wave 4 incipient
Identity Fabric, ITDR, NHI governanceWave 4 in progress

2. Investment justification

When you have to defend an IAM project before an executive committee, chaining the waves gives you a strong narrative: “we’ve solved X (previous wave); now competitive/regulatory/security pressure requires us to solve Y (next wave)”. It’s more persuasive than listing features.


3. Anticipation

Thinking in waves helps you anticipate the next one. If Wave 4 is Identity Security, what comes next? Reasonable bets include: decentralized identity with wallets, generalized post-quantum cryptography, federated governance of AI agents. Whoever starts designing for that Wave 5 today will have an advantage in five years.


Recap

The four waves of IAM tell a coherent story: the discipline was born to save costs (Wave 1), matured to comply with regulations (Wave 2), pivoted to security when breaches demanded it (Wave 3), and today reorganizes itself to respond to a world where identity — human, machine, and AI agent — is the control plane of everything.


If you carry the following table in mind, you’ll be able to read any organization in just a few questions:

WaveDominant questionDominant response
1How do we cut IT costs?SSO + provisioning
2How do we comply with audits?IGA + certifications
3How do we protect against breaches?MFA + PAM + Zero Trust
4How do we treat identity as a unified control plane?Identity Security: ITDR + NHI + Identity Fabric


Three questions to test yourself

  1. You work as an IAM consultant and walk into a large family company with 2,000 employees. They have Active Directory + password reset by security questions + a provisioning script. What wave are they in and what would you recommend prioritizing for the next 12 months?
  2. Your CFO tells you “we already paid for SailPoint 8 years ago, why do we need more identity tools?”. How do you explain the difference between IGA (Wave 2) and Identity Security (Wave 4) in less than three minutes?
  3. If you had to bet on what defines Wave 5 of IAM, what hypothesis would you hold and what early signals would confirm it?

Frequently asked questions

What are the four waves of IAM?

IT Optimization (1990–2005, cut help-desk costs with SSO and provisioning), Governance (2005–2015, pass audits with IGA and access certification), Security (2015–2022, stop breaches with MFA, PAM, and Zero Trust), and Identity Security (2022–present, treat identity as a unified control plane with ITDR, non-human-identity governance, and AI agents). Each wave layers on top of the previous one.

What is the difference between IGA and Identity Security?

IGA (Wave 2) answers who has access to what and why, with auditable evidence for compliance. Identity Security (Wave 4) is a broader umbrella that unifies Access Management, IGA, PAM, and ITDR into a single control plane and treats identity — human and non-human — as the security perimeter.

What triggered the shift to identity-first security?

A wave of major breaches between 2013 and 2017 — Target, OPM, Anthem, Equifax — where attackers used stolen valid credentials to log in instead of breaking perimeters, combined with cloud adoption and remote work eroding the network boundary.

Why does IAM history matter for a practitioner?

Because most organizations contain tools and practices from every wave coexisting at once. Knowing the waves lets you quickly diagnose where an organization stands, what it is missing, and frame an investment as the natural next step after the wave it already completed.