The year CIAM grew up.

For the customer identity and access management category, 2025 was the year the field stopped pretending it could ignore three problems at once: AI agents arriving as a legitimate identity class, passkeys becoming the new default for consumer authentication, and pricing transparency becoming a real procurement question rather than a vendor-side preference.

This is a retrospective annual report. We waited until mid-2026 to publish not because the year took that long to assess, the major arcs were visible by Q4, but because the M&A and standards milestones that shaped the year needed a few quarters of operating consequences before the editorial conclusions stabilized. Reports published in January routinely revise themselves by April. This one shouldn't have to.

How to read this report

Four themes structure what happened in 2025. Eight segment awards give the editorial verdict on where to buy. Six capability rankings give the data underneath. One vendor-of-the-year call surfaces the company that, on net, did the most to define the year.

The themes are essays, read them in order or pick the one that fits your role. The awards are short and scannable; click into any segment for the reasoning behind the Leader / Strong Challenger / Niche Pick / Avoid placements. The rankings are sortable tables auto-derived from the public capability matrix that backs every vendor profile on CIAM Compass, adding a vendor or changing a flag on any vendor profile updates these tables on the next publish. Nothing here is hidden behind a paywall and there is no vendor money behind any placement.

What didn't make the cut

A note on what 2025 did not settle. Authorization remains the most-active sub-category that this report doesn't yet give its own theme essay, FGA, ReBAC, and ABAC continued to grow, but the field is fragmenting faster than consolidating, and an editorial verdict at scale isn't yet defensible. The IDV / fraud overlap with CIAM also continued to deepen without a clean narrative arc that's worth 1,500 words on its own. Both will be candidates for theme essays in the 2026 edition.

The capability matrix that backs this report sits at 47 vendors in 2026 and is intended to keep growing. Adding a vendor mid-cycle does not retroactively revise the placements in this published edition; it does flow into the 2026 ranking tables in real time.

On the placement of "Avoid"

CIAM Compass treats "Avoid" placements as the editorial commitment that makes this report worth publishing. Anyone can rank top three. Saying don't buy this in 2026 is what differentiates editorial guidance from a directory. Where a segment has no defensible Avoid placement, passwordless specialist, open source, identity orchestration, we leave the slot empty rather than manufacture one for symmetry. Where we name an Avoid (ForgeRock in enterprise CIAM, LoginRadius across multiple consumer segments), the reasoning is in the segment-specific rationale and the vendor's public capability profile.

The rest of the report is the work behind those calls.