In March, it was time for our USO team to pack their bags once again. First, we headed to Bergisch Gladbach for the IT Security Strategy Days, and then on to Rethink! IAM in Berlin. What awaited us there: in-depth professional discussions and a refreshing level of openness. Speakers and participants talked honestly about pain points, detours, and real progress. Here is our recap.

Whether it was IAM, IGA, CIAM, PAM, or Zero Trust, the usual buzzwords came up quickly. But instead of just scratching the surface, the sessions at both events went deep.

One example: a customer identity use case showed how European IAM providers are enabling passwordless authentication through a combination of privacy focus, local data hosting, and FIDO2-based MFA. This is especially interesting for customers in security-sensitive regions—and a genuine alternative to U.S. platforms.

Another session, presented by Swisscom in its dual role as both provider and user of the solution, focused on Privileged Access Management and Access Governance in a heterogeneous IT landscape with parallel legacy systems. The goal was to establish end-to-end access control across all user groups and infrastructures, including the integration of IGA and CIAM to support enterprise customer and service-provider access. In complex transitional architectures, that kind of interplay is especially valuable.

A quick detour: aha moments beyond IAM

IT Security Strategy Days 2025 at Schloss Bensberg were once again a real highlight. Security executives gathered there to learn about the latest IT security strategies and take away one or two concrete recommendations for action. But there was one topic hardly anyone had on their radar.

Together with our partner ReversingLabs, we were able to captivate participants with demonstrations around software supply chain security. And the alarm bells were not only going off on the screen—they were going off in people’s minds as well. Because software supply chain security remains a major weak spot in many organizations.

We will soon be sharing deeper insights into software supply chain security and the current regulatory landscape in a dedicated blog post “Software Supply Chain Security: Choosing the Secure Path“.

One statement from a well-known consumer electronics retailer particularly stood out to us:

“In the end, the tool is almost secondary.”

That resonated strongly with us, because it is something we have been telling our customers for years. Technology contributes only part of what makes Identity and Access Management successful—roughly 25 to 30 percent, if we had to put a number on it. The first instinct to blame a failed project on the tool is usually not justified. Much more often, the real causes are unclear responsibilities, insufficient process maturity, or unrealistic expectations.

Another message came up again and again:

“If you want to make IAM successful, you first need to understand your processes and your data flows.”

Identity security works only when it is built on clean data and a clear target vision. The right tool stack comes afterward. And to a certain extent, it remains interchangeable—provided you do not get lost in excessive customization.

In other words, IAM success depends not just on choosing the right vendor or product, but above all on understanding your own position, your level of maturity, and your internal processes. Only once you have examined and documented your people, your processes, and your data flows—and developed a target vision, strategy, and architecture based on the current state—does it make sense to move on to tool selection.

At the end of the day, the challenges in identity management are less technical than organizational. Outdated or unnecessarily complex paper-based processes, inconsistent master data, missing role models, and too many manual steps push even the best tools to their limits. Projects stall because governance is missing, responsibilities are unclear, process ownership is undefined, or organizations simply do not understand their own data flows well enough.

These issues were summed up particularly clearly in one session that outlined seven reasons why IGA projects fail—including poor data quality, unclear role models, and insufficiently defined Joiner-Mover-Leaver processes. The message was unmistakable: without clean master data and reliable processes, nothing works.

What we could clearly feel at both events was a real willingness to change. More and more organizations are asking fundamental questions: Which systems do we actually need? Where can synergies be created? And how do we balance regulatory requirements with usability? In precisely these discussions, open and honest peer exchange becomes a real success factor. Because anyone who shares not only milestones but also dead ends helps move the whole community forward.

So what remains? A realistic understanding of what identity management can achieve—and what it cannot. A system on its own is not enough. It is the processes, the data, and the people behind them that determine whether IAM projects succeed. That is why IAM needs to move out of its IT niche and into the strategic center of the organization. Only those who truly understand their identities can build digital trust.