Deepak Gupta

Theme · 2025

Consolidation in the enterprise tier.

The enterprise CIAM field continued to compress in 2025, fewer independent vendors, more platform overlap, and a clearer dividing line between the platform-tier survivors and the legacy-tier holdouts.

Published 2026-05-11

Key takeaways

The enterprise CIAM tier consolidated further in 2025: fewer independent enterprise-focused vendors, more competition between platform-tier incumbents (Okta-owned Auth0, Microsoft's Entra External ID, SAP CDC) than between specialists.
The middle of the enterprise market, vendors that were neither platform-attached nor sharply differentiated, felt the pressure most. Several pivoted toward narrower niches; a few effectively exited.
ForgeRock's continued post-merger ambiguity remained the largest enterprise-CIAM story by buyer impact even when no specific quarterly news was loud, uncertainty itself is a procurement blocker.
Mid-market and developer-first CIAM continued to fragment in the opposite direction, with new entrants per year staying steady or growing. Consolidation pressure is a tier-specific story, not a category-wide one.

The shape of the tier

To talk about enterprise CIAM consolidation honestly, we have to be clear about what counts as "enterprise" in this report. The working definition: vendors targeting buyers with five-figure-and-up MAU contracts, multi-year procurement, dedicated identity teams on the buyer side, and integration expectations spanning workforce, customer, and partner identities. The vendors that meet this definition in 2026 are a smaller set than they were five years ago, and a meaningfully smaller set than they were twenty-four months ago.

Three forces drove the 2025 compression:

Platform-tier gravity. Microsoft's Entra External ID, Okta's Auth0 acquisition, and SAP's continued investment in Customer Data Cloud collectively made it harder for independent enterprise CIAM vendors to compete on procurement breadth. The platform-tier incumbents could package CIAM with adjacent enterprise software in ways specialists could not, and enterprise buyers, already biased toward fewer vendor relationships, found the bundled value compelling.

M&A consequences cascading. The ForgeRock acquisition's continuing post-merger integration sat across most of 2025 as an unresolved procurement question. Buyers evaluating enterprise CIAM in late 2024 and through 2025 either deferred ForgeRock decisions or chose alternatives. The acquisition's announced benefits remained largely unmaterialized through the year, and the resulting "who is our renewal account manager in 12 months" question pushed evaluators toward platforms with clearer roadmaps.

Standards-stack rewrites. The agentic identity standards push (see the dedicated theme essay) raised the floor for what an enterprise CIAM product needed to ship in 2025. Vendors that had invested heavily in their 2023-era feature set faced compounding catch-up cost. Some absorbed it; some did not.

Who consolidated upward

The platform-attached vendors had the cleanest 2025:

Auth0 (Okta) continued to leverage Okta's enterprise distribution without sacrificing the developer-first DNA that made Auth0 distinct. The agentic identity work shipped credibly, FGA matured, and the enterprise tier kept growing.

Entra External ID (Microsoft) closed the gap with its predecessor (Azure AD B2C) over the course of the year and benefited from the Microsoft enterprise distribution flywheel. By year-end, Entra was a defensible default-choice option for enterprise buyers in Microsoft-heavy environments.

SAP Customer Data Cloud continued to be the enterprise B2C reference for consent / preference / data-residency at scale. SAP's broader enterprise relationships made CDC sticky even where the standalone product comparison was tighter than the procurement reality.

Who held position

The credible challenger tier, independent enterprise CIAM vendors who remained operationally healthy and product-differentiated through 2025:

Ping Identity kept its identity-platform positioning intact through the merger integration. Whether ForgeRock's eventual roadmap consolidation strengthens or weakens Ping is the open 2026 question; the Ping product line itself remained credibly enterprise-ready throughout 2025.

IBM Security Verify continued to be the right choice for IBM-shop enterprise buyers and a credible standalone choice elsewhere. The product strategy stayed disciplined.

Curity maintained its standards-depth positioning, the right choice when standards conformance is the leading procurement axis and a credible alternative for buyers who don't want platform-tier vendor lock-in.

Strivacity remained the sharpest-positioned challenger in this index on editorial brand, small enough to feel modern, deep enough on enterprise CIAM features to be procurement-viable.

The middle that compressed

The most-pressured group was the middle of the enterprise tier: vendors who weren't platform-attached, weren't sharply differentiated, and didn't have the brand-strength of the named challengers. Several pivoted toward narrower niches; a couple effectively exited the enterprise CIAM conversation for adjacent specializations.

Akamai Identity Cloud continued its narrowing focus toward B2C-with-CDN-context use cases, a defensible niche, but a different shape than its peak-Janrain enterprise-CIAM positioning.

Oracle IDCS remained a viable choice for Oracle-shop buyers and a weaker choice elsewhere; the standalone positioning didn't strengthen.

Cyberark Customer Identity is the newer entry to this tier and benefits from Cyberark's broader IAM relationships; the standalone CIAM product is credible but still establishing differentiation.

The ForgeRock question

ForgeRock occupies its own category for 2025. The Thoma Bravo acquisition and subsequent integration with Ping continued through the year without producing the unified-product clarity buyers needed. ForgeRock customers operating existing deployments largely stayed put through 2025 (migration cost being what it is). Net-new ForgeRock evaluations declined, and the 2025 Avoid placement in the enterprise CIAM segment award reflects this: buyers picking a platform now should expect roadmap ambiguity into 2026 at minimum.

The downside risk here isn't catastrophic. ForgeRock has real customers, real revenue, and a roadmap that may yet consolidate cleanly. The upside risk is also bounded, even a successful integration produces a product that competes against Auth0, Entra, and Ping rather than displaces them. The pragmatic 2025/2026 read is: do not pick ForgeRock for a net-new enterprise CIAM deployment until the post-merger product strategy is publicly settled.

The opposite trend in the rest of the field

It's worth saying explicitly: this consolidation story is tier-specific, not category-wide. The B2B SaaS CIAM segment continued to fragment, with multiple new entrants per year (Tesseral, Wristband, Scalekit, PropelAuth, SSOJet, Stack Auth all credible in 2025). The dev-first segment saw new projects (BetterAuth) and continuing momentum from the established players (Clerk, Stytch). The open-source field stayed steady. The passwordless specialist tier kept growing.

CIAM-the-category is not consolidating. Enterprise CIAM is. The distinction matters for buyers and for vendor strategy: where you're deploying determines which directional pressure you're navigating.

The 2026 outlook

Enterprise CIAM in 2026 will likely continue compressing along the same axes that defined 2025: platform-tier gravity, standards-stack catch-up cost, M&A consequences. The interesting question is whether a new independent enterprise CIAM vendor can emerge in 2026, one differentiated enough to break the platform-default procurement pattern. The current field doesn't suggest an obvious candidate, but emerging entrants (some not yet in this index) are positioning for that shape. We'll revisit this in the 2026 report.

Vendors discussed

← Back to CIAM Annual Report 2025