Top 10 Takeaways from BeyondCon 2024
Last week, we had the privilege of hosting our first-ever Beyond Identity conference. We gathered an incredible group of customers, thought leaders, and innovators to discuss the future of identity security, our product roadmap, and our company vision.
The event surfaced valuable, practical, and occasionally surprising insights about the evolving identity and security landscape. We’ve consolidated the top 10 takeaways from this year’s BeyondCon below.
1. Identity is security
One of the most resonant themes of the conference was that identity is security. As businesses shift towards digital-first environments, identity has become the new perimeter. With identity-first security models, companies can ensure a safe, trustworthy community. This approach treats the identity layer as the front line of defense, aligning security with every interaction, transaction, and point of access in a digital ecosystem.
2. Identity is a business enabler
A key insight from the conference was that identity is no longer just a security measure—it's a business enabler. In his welcome remarks, Jasson Casey (CEO and co-founder of Beyond Identity) stated that every business problem you care about is an identity problem.
With an identity infrastructure that is secure-by-design, simple to admin, and simple to use, organizations can enhance customer experiences, drive innovation, and streamline operations. Attendees recognized that investing in advanced identity management doesn’t just mitigate risks; it can also unlock new business opportunities by building trust and enabling faster, more efficient revenue generation.
3. Identity stack requires a data layer
A theme that carried across sessions was the need for a unified data layer that can communicate, normalize, and pull fresh data from disparate tools. The reality of identity, security, and IT is that the tooling ecosystem is increasingly complex. A consolidated data layer allows for better operational collaboration and faster incident response between identity, security, and IT platforms, ensuring that access controls are based on accurate, real-time data and that decisions are informed by a full set of data inputs.
4. Defending against AI threats is top of mind
As artificial intelligence (AI) proliferates across every industry, it’s no surprise that defending against AI-based attacks was top of mind for many attendees. AI poses both opportunities and threats: while it can accelerate productivity, bad actors are also actively weaponizing it.
Unfortunately, existing AI detection solutions are a poor answer to the proliferation of AI use because the detection approach is doomed to fail from the start. Two reasons make AI detection a fool's errand:
- There are legitimate reasons to use AI, and detection leads to high alert rates for false alarms. These legitimate use cases include real-time enhancements to voice, appearance, and/or text, which are generally not security concerns.
- The mechanism of AI detection is such that the detection models can be used to train better AI generators. In other words, the detection tool itself can be exploited successfully for adversarial purposes. It creates an ongoing arms race in which the models used to detect deepfakes are used to develop better deepfakes, and so on.
In the security and authentication context, deterministic attestation of authenticity is the only strong option to counter AI-based impersonation threats. To that end, Beyond Identity recently released a product called RealityCheck that extends our AAL3 authentication and device trust to deliver deterministic, visual attestations of authenticity in video conferencing tools like Zoom. The tamper-proof attestations that Beyond Identity offers enable organizations to defend against deepfakes and AI-impersonation attacks without relying on best-guess detection tools.
5. Secure-by-design: the future of SSO
Another key takeaway was the growing demand for secure-by-design single sign-on (SSO) solutions. SSOs were created to provide a productivity highway for end-users, getting them to their applications as quickly as possible. However, as we’ve seen in recent years with major breaches affecting major SSOs, including Okta and Microsoft, bad actors are adept at catching a ride on the same SSO highway to access organizational resources.
The rate and severity of threats have led companies to look for SSOs that can actually deliver secure access. We heard loud and clear from our customers the need for SSOs with security architected from the ground up to shrink the attack surface and ensure that user access remains safe without adding complexity.
6. The future of identity is integrated
As organizations adopt more advanced security tools, integration between platforms is critical for success. Point solutions that operate in silos are no longer sufficient; customers are looking for end-to-end solutions that work seamlessly together to ensure comprehensive coverage across the entire tech stack. That holds even if no single solution covers every capability natively, which is an impossible expectation in any case. Solutions that offer tight integration and interoperability will have the competitive edge moving forward.
Check out our CrowdStrike integration to see how Beyond Identity treats integrations as a first-class citizen in our platform.
7. NIST’s new passkey revision
The identity industry is abuzz with discussions about the National Institute of Standards and Technology’s (NIST) 800-63 Revision 4 and its companion publications SPs 800-63A and 800-63C. The new revision has categorized syncable passkeys at AAL1 and device-bound passkeys at AAL2, with the potential to rise to AAL3. This standardization ensures that organizations have a clear framework for implementing passkey security at various assurance levels, providing more options for deploying strong, phishing-resistant authentication methods.
8. Rethinking privilege assignment
A central theme at the conference was the urgent need to rethink privilege assignment within IAM systems. Traditional models that grant long-term privileges are a liability, as they can lead to over-privileged accounts, orphaned permissions, and a growing attack surface. Instead, attendees were excited to approach privilege from a zero-standing perspective.
With zero standing privileges (ZSP), no user or service account has persistent access rights by default. Instead, access is granted on a just-in-time (JIT) basis, ensuring that users only have the minimum privileges required for the task at hand and only for the time needed. By shifting to a ZSP framework, organizations can effectively neutralize the threats of excessive privilege accumulation and faulty provisioning processes.
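The ZSP and JIT model described above, as an added example that is not from Beyond Identity or its product: a hypothetical `JitBroker` in Python where access is denied by default, granted per permission, and expires on its own. The class, the principal and permission names, and the one-hour TTL ceiling are assumptions made for illustration.

```python
import time
from dataclasses import dataclass

MAX_TTL_SECONDS = 3600  # assumed policy ceiling for any single grant

@dataclass(frozen=True)
class Grant:
    principal: str
    permission: str
    expires_at: float

class JitBroker:
    """Hypothetical JIT broker: nothing is allowed until explicitly granted."""

    def __init__(self, eligibility, clock=time.time):
        # eligibility maps a principal to permissions it MAY request, not hold
        self._eligibility = eligibility
        self._clock = clock
        self._grants = {}  # (principal, permission) -> Grant

    def request(self, principal, permission, ttl_seconds):
        if permission not in self._eligibility.get(principal, set()):
            raise PermissionError(f"{principal} is not eligible for {permission}")
        if not 0 < ttl_seconds <= MAX_TTL_SECONDS:
            raise ValueError("ttl outside policy bounds")
        grant = Grant(principal, permission, self._clock() + ttl_seconds)
        self._grants[(principal, permission)] = grant
        return grant

    def is_allowed(self, principal, permission):
        grant = self._grants.get((principal, permission))
        if grant is None:
            return False  # zero standing privilege: default deny
        if self._clock() >= grant.expires_at:
            del self._grants[(principal, permission)]  # purge the expired grant
            return False
        return True

def demo():
    # Constructed scenario with a fake clock so expiry is deterministic.
    now = [1000.0]
    broker = JitBroker({"svc-deploy": {"db:migrate"}}, clock=lambda: now[0])
    seen = [broker.is_allowed("svc-deploy", "db:migrate")]      # before any grant
    broker.request("svc-deploy", "db:migrate", ttl_seconds=300)
    seen.append(broker.is_allowed("svc-deploy", "db:migrate"))  # inside the window
    seen.append(broker.is_allowed("svc-deploy", "db:read"))     # different permission
    now[0] += 301
    seen.append(broker.is_allowed("svc-deploy", "db:migrate"))  # after expiry
    return seen
```

Eligibility is kept separate from the grant table, so being allowed to request a permission never counts as holding it.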
9. Cyber as the great equalizer in global conflict
In a thought-provoking session, a speaker compared cyber threats to the apocalyptic horsemen, arguing that cyber has become the fifth horseman, a great equalizer in global conflict and chaos. The talk highlighted how cyber warfare has transcended traditional boundaries, impacting not just businesses but also critical infrastructure and national security. Unlike conventional warfare, cyber attacks can be launched from anywhere, at any time, making them a potent tool for adversaries.
The speaker urged organizations to take a proactive and rigorous approach to cyber defense, as simply hoping for the best is not a viable strategy. With the stakes higher than ever, companies must invest in robust cybersecurity frameworks, continuous monitoring, and rapid response capabilities to mitigate the risk of being blindsided by this digital horseman.
10. Phishing-resistance overtakes passwordless as a priority
While passwordless authentication has been a buzzword for years, the conversation at this year’s conference revealed a shifting focus: phishing resistance is now taking center stage. As attackers evolve their tactics, it’s clear that simply eliminating passwords is not enough.
Passwordless solutions provide convenience and eliminate the vulnerabilities associated with password reuse and weak credentials, but they can still be susceptible to sophisticated phishing attacks when implemented improperly. In other words, passwordless authentication is not necessarily phishing-resistant, but all phishing-resistant authentication must be passwordless.
Attendees highlighted that the ultimate goal is to create a secure, user-friendly experience that, by design, does not rely on passwords.