IT governance isn’t just paperwork anymore, it’s becoming a critical foundation for how modern organizations operate, stay secure, and stay compliant. This week, Matthias Reinwarth is joined by advisors Kai Boschert and Patrick Teichmann to break down what effective IT governance actually looks like in 2025.
Together, they unpack:
✅ What IT governance really is — and how it bridges strategy and operations
✅ The differences (and overlaps) between strategy, governance, and compliance
✅ Why the “1.5 line of defense” model helps close crucial gaps
✅ The role of target operating models in making governance work at scale
✅ How to bring stakeholders, processes, and tools together effectively
✅ Practical steps to start improving governance today — without boiling the ocean
Whether you’re shaping governance for a large enterprise or just beginning to formalize your processes, this conversation delivers real-world insights from active advisory work with end-user organizations.
The holiday season might be the most wonderful time of the year—but it’s also prime time for cybercriminals. In this Videocast episode, Warwick Ashford talks with Danny Jenkins, CEO and co-founder of ThreatLocker, about why attacks spike between November and December and what companies can do to stay protected.
They unpack:
✅ Why cyberattacks surge during holidays
✅ How to close your organization’s biggest security gaps
✅ The importance of automated responses and real-time monitoring
✅ Why good backups (and tested restores!) still matter
✅ How a “cyber health check” can save your business from disaster
📈 Whether you’re a security professional or a business leader, these insights will help you strengthen your defenses during the holidays and beyond.
The fragmentation of enterprise identity systems is creating real security risks, but IPSIE is here to simplify and standardize.
In this episode, Matthias Reinwarth and Warwick Ashford explore IPSIE (Interoperability Profiling for Secure Identity in the Enterprise), how it improves interoperability, enforces secure defaults, and provides measurable maturity levels for enterprise identity management.
🔹 Key Topics Covered:
✅ What IPSIE is and why it matters for enterprise identity 🧠
✅ How fragmentation of SaaS and cloud identity systems increases risk
✅ Opinionated profiles and secure, consistent standard implementation
✅ Maturity levels for session lifecycle, account lifecycle, and entitlements
✅ How IPSIE fits into the broader Identity Fabric strategy
✅ Current limitations: focus on human identities and next steps for non-human accounts
💡 IPSIE doesn’t reinvent identity standards, it helps organizations implement what they already have consistently and securely, creating a foundation for stronger enterprise security.
The future of Identity and Access Management (IAM) is already being built — but are we preparing for 2040?
In this episode, Matthias Reinwarth and Martin Kuppinger explore how organizations can design future-ready identity fabrics, avoid tool sprawl, and build the platformized IAM architectures needed to thrive in a fast-changing digital landscape.
Key Topics Covered:
✅ What the “Identity Fabric 2040” means for IAM strategies 🧠
✅ The rise of orchestration, signals & API-first design
✅ Avoiding IAM tool sprawl and capability duplication
✅ Platformization vs. best-of-breed: what really works?
✅ Why outcome-driven IAM is the only sustainable approach
✅ How signals redefine authentication, authorization & user experience
💡 Your IAM decisions today shape the next 15 years. Are you building for 2040—or already falling behind?
In this special Halloween edition of the KuppingerCole Analyst Chat, Matthias Reinwarth is joined by Jonathan Care, Lead Analyst at KuppingerCole Analysts, to explore one of the most talked-about cybersecurity stories of the year — the F5 supply chain incident.
The discussion highlights how even well-established organizations can become targets of sophisticated, long-term attacks — and what this means for the future of software supply chain security.
Together, Matthias and Jonathan examine how incidents like this can happen, what lessons can be learned across the industry, and how companies can strengthen resilience, transparency, and response capabilities in their own environments.
Key topics covered:
✅ Understanding the dynamics of modern supply chain attacks ⚠️
✅ Why detection and dwell time remain a major industry challenge
✅ The growing importance of vendor risk and software transparency
✅ Lessons learned for CISOs and IT leaders
✅ Practical measures to improve visibility and response
✅ Why collaboration and information sharing are key to resilience
🕸️ Even trusted systems can hide a few ghosts — are you ready to uncover yours?
Unlock invaluable insights into cyber resilience by exploring real-world examples of organizations rebounding from cyber incidents. Gain strategies to safeguard operations, enhance data resilience, and leverage clean rooms and cloud solutions for recovery. Learn how to transform cyber threats into opportunities for improvement and fortify your organization's digital landscape with adaptive resilience strategies.
Read the original blog post here: https://www.kuppingercole.com/blog/small/cyber-resilience
Is your IAM strategy focused too much on tools? In this episode of the KuppingerCole Analyst Chat, Matthias Reinwarth and Patrick Teichmann, Lead Advisor at KuppingerCole, dive into one of the most common pitfalls organizations face: starting IAM projects with the wrong priorities.
They explore how a Target Operating Model (TOM) helps define why and how your IAM should work before deciding on technology. Patrick shares insights from real projects, explaining how to align business goals, processes, and governance to achieve long-term success.
Key Topics Covered:
✅ Why IAM projects often fail due to tool-first thinking
✅ How a Target Operating Model sets the foundation for IAM success
✅ The role of governance, people, and processes in effective IAM
✅ Real-world examples of aligning strategy and technology
✅ How to evaluate tools after defining your IAM capabilities
Are AI agents the future of cybersecurity or a threat to human expertise? In this episode of the KuppingerCole Analyst Chat, Matthias Reinwarth talks with Alexei Balaganski, Lead Analyst and CTO at KuppingerCole, about the rise of AI agents and their potential to reshape the cybersecurity landscape.
They explore how autonomous AI systems could fill the cyber skills gap, automate incident response, and even act as digital coworkers in SOC environments. But how far can we trust them—and will humans still have a place in the loop?
Key topics covered:
✅ What AI agents really are—and how they differ from traditional automation
✅ The role of AI in SOCs, incident response, and threat detection
✅ Can AI agents help close the cybersecurity skills gap?
✅ Risks of rogue or “hallucinating” AI systems
✅ Why access governance and identity management are critical for AI agents
✅ The future of cybersecurity jobs in the age of automation
Are we already living in a post-data privacy world?
Breaches are everywhere, data is constantly being leaked, and GDPR fines haven’t stopped surveillance capitalism or shady data brokers. In this episode of the Analyst Chat, Matthias Reinwarth is joined by Mike Small and Jonathan Care to explore whether privacy still has meaning — or if resilience and risk management are the only ways forward.
They debate:
✅ Is privacy truly dead, or just evolving?
✅ Why regulations like GDPR often miss the mark ⚖️
✅ How cyber resilience is becoming more critical than “traditional” privacy
✅ The personal, societal, and legal dimensions of privacy
✅ What organizations (and individuals) can still do to protect data
Ghost tapping is shaking up the payment security landscape, turning stolen card data into quick profit through NFC relay fraud. This emerging threat exploits digital vulnerabilities, making unauthorized taps at retail points seamless and undetected. Businesses and regulators must urgently rethink their defenses against this global attack vector that crosses digital and physical boundaries.
Read the original blog post here: https://www.kuppingercole.com/blog/ashford/ghost-tapping-a-new-front-in-identity-security-risk
Are KPIs and KRIs just compliance checkboxes, or can they truly prove the value of Identity and Access Management (IAM)? In this episode, Matthias Reinwarth and senior advisor Shikha Porwal explore how Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) can transform IAM from a technical function into a business enabler. They unpack the differences, the overlap, and how to make metrics relevant to both security and strategy. Expect real-world examples—from onboarding to MFA adoption—that show how measurement drives maturity and risk reduction.
Key Topics Covered:
✅ KPIs vs KRIs in IAM: what they are and how they differ
✅ Aligning IAM metrics with business goals and governance
✅ Onboarding & offboarding metrics for efficiency and risk reduction
✅ MFA adoption and help desk tickets as signals of IAM maturity
✅ Developer enablement and API adoption as success factors
✅ Mapping IAM indicators to risk frameworks and security posture
✅ Adapting KPIs/KRIs for non-human identities (NHI)
💡 If you’re working in IAM, identity governance, MFA strategy, or security architecture, this discussion will help you build meaningful metrics that prove value and strengthen your identity program.
Are IVIPs truly a new platform that organizations must adopt, or are they just old capabilities rebranded with fresh marketing spin? Today, Matthias Reinwarth and Martin Kuppinger dig into the latest acronym shaking up the IAM world: IVIP (Identity Visibility & Intelligence Platforms). We unpack the promises, the risks, and what IVIP really means for the Identity Fabric concept. Expect a critical take on buzzwords, vendor strategies, and what enterprises actually need to strengthen IAM maturity.
Key Topics Covered:
✅ What IVIP actually is and how it fits into IAM
✅ The connection between IVIP and the Identity Fabric approach
✅ Risks of marketing buzzwords in identity management
✅ When a new platform really brings value—and when it doesn’t
✅ What organizations should focus on instead of chasing hype
💡 If you’re working in identity, access governance, ITDR, IGA, or security architecture, this conversation will help you decide whether IVIP deserves a place in your roadmap—or if it’s just hype.
Identity and Access Management (IAM) is no longer a one-off project—it’s an ongoing journey. In this episode of the KuppingerCole Analyst Chat, Matthias Reinwarth is joined by Christopher (CISO & Lead Advisor) and Deniz Algin (Advisor) to explore how organizations can successfully apply the Identity Fabric concept.
How can you evolve from legacy systems to a future-proof IAM strategy without breaking existing operations? Why does interoperability matter? What are the most common pitfalls organizations face when trying to modernize IAM? Find the answers to these questions and more in this episode!
Key Topics Covered:
💡 Whether you’re just starting your IAM journey or looking to operationalize interoperability at scale, this episode is packed with practical strategies and lessons learned.
DDoS attacks are evolving and becoming more dangerous than ever. In this video, Osman Celik speaks with Andrey Leskin from QRator Labs about the current DDoS attack landscape and how organizations can defend themselves.
You’ll learn:
With Layer 7 attacks rising by 74% year-over-year and record-breaking volumetric attacks now lasting weeks, no industry can afford to ignore this threat.
Watch now to understand how to protect your business from DDoS, botnets, and evolving cyber threats.
In this episode of the KuppingerCole Analyst Chat, Matthias Reinwarth is joined by Martin Kuppinger and special guest Felix Gaehtgens to explore two of the hottest (and most debated) topics in identity today: Identity Threat Detection & Response (ITDR) and Non-Human / Machine Identities (NHI).
Together, they go through the buzzwords to reveal what’s real, what’s hype, and how organizations should approach these fast-evolving areas of IAM. From visibility vs. observability, to governance challenges and the future of machine identity management, this episode delivers sharp insights and practical recommendations from three IAM veterans.
So tell us — are ITDR and NHI just marketing buzzwords, or essential must-haves for modern identity security?
Key topics covered:
In this episode of the KuppingerCole Analyst Chat, Matthias is joined by Charlene Spasic and Kai Boschert to break down what real IAM maturity means. They explain why structured frameworks like the KuppingerCole Identity Fabric and Reference Architecture are critical, and how organizations can move beyond tools to focus on capabilities, governance, and business alignment.
So tell us, is your IAM program truly mature—or just a checklist of tools?
Key Topics Covered:
💡 If you’re looking to strengthen your IAM foundation and align it with business priorities, this episode is for you.
The fraud landscape has been rocked by a seismic shift—obsolete security systems no longer stand a chance. Enter FRIPs, the revolutionary platforms transforming identity verification and transaction security. As fraudsters evolve, only enterprises leveraging these advanced defenses will thrive. Can your business afford to lag behind in this high-stakes IT arms race?
Read the original blog post here: https://www.kuppingercole.com/events/ifid2025/blog/how-frip-weaponizes-identity-fabrics-the-security-revolution-hiding-in-plain-sight
In this practical episode of the KuppingerCole Analyst Chat, Patrick Teichmann joins Matthias Reinwarth to address a surprisingly common organizational issue: IAM teams being tasked with solving everything.
From HR data gaps to legacy tool cleanup and cross-department handovers — IAM teams often inherit work that isn’t truly their responsibility. This episode is a call to realign IAM strategy with clear ownership, realistic boundaries, and strong service delivery.
In this conversation:
Key takeaway: Sharpening your focus as an IAM team isn't about doing less — it’s about doing what matters most, better.
In this episode of the KuppingerCole Analyst Chat, Martin Kuppinger joins Matthias Reinwarth to dive deep into one of the most overlooked but critical areas in identity and security: non-human identities (NHI) and workload secrets. As cloud-native development and AI-driven workloads grow, so does the complexity of managing machine identities. With AWS now supporting long-lived API keys for generative AI, this episode explores why that's a risky move — and what a modern, secure, and developer-friendly alternative looks like.
In this episode, you'll learn:
Key takeaway: Security must be built around short-lived secrets, automation, and clear separation between identity, secrets, and entitlements — especially for workloads and AI agents.
In this episode of the KuppingerCole Analyst Chat, Warwick Ashford joins Matthias Reinwarth to explore a hidden but growing risk: third-party access to your systems.
Third-party contractors, suppliers, and partners often have access to internal systems — but lack the same governance, oversight, and security controls as employees. This episode explores why Third-Party Access Governance (TPAG) is now a strategic security priority, not just a technical integration.
What we cover:
✅ Why third-party identities now outnumber employees in many orgs
✅ The governance gap: no HR triggers, lifecycle oversight, or certifications
✅ How traditional IAM systems fail to manage external access
✅ The role of the Identity & Security Fabric in enabling TPAG
✅ Regulatory drivers (DORA, NIS2, CMMC) making this a board-level issue
✅ Core capabilities of modern TPAG solutions
✅ Practical first steps for building a third-party access governance strategy