Deepak Gupta: the future of CIAM and why legacy identity systems are dead
Deepak's April 2026 essay on what's replacing legacy CIAM. It argues that the heritage tier (Akamai, ForgeRock, IBM, Oracle) is being superseded by developer-first platforms, and explains why the next decade's identity stack looks different.
The thesis
The CIAM market is going through its most consequential generational shift since the Auth0 / Okta rise in the mid-2010s. Heritage platforms, built for an era of password-centric auth, web-first integrations, and quarterly release cycles, are being abandoned by their acquirers (Akamai sunsetting, ForgeRock merged into Ping, Oracle IDCS rationalized) or rebranded into broader portfolios (IBM Verify, CyberArk Identity).
What's replacing them isn't a single category. Three forces are reshaping the stack:
- Passkey-first auth as the default factor, with passwords as legacy fallback rather than primary credential.
- Agent identity as a first-class concern, distinct from human users, with different lifecycles and audit needs.
- Modular stacks that combine identity (CIAM) + authorization (FGA) + verification (IDV) + bot defense, rather than monolithic enterprise suites.
Deepak's take
Legacy identity systems aren't dying because they're badly built. They're dying because the assumptions they were built on no longer hold. Password-centric flows, role-list authorization, human-only user models, and quarterly compliance cycles are all being superseded, not because incumbents stopped innovating, but because the underlying problem changed.
The full essay walks through what specifically replaces each layer of the legacy stack and why mature B2B SaaS in 2026 is best served by a 3-4 vendor identity portfolio rather than a single suite contract.
Why it's worth reading
This piece is the conceptual frame the rest of the CIAM Compass content sits inside. The vendor profiles, comparison pages, and decision tools all reflect the bifurcation Deepak describes here:
- Heritage tier (Akamai EoL, ForgeRock-Ping merger, Oracle IDCS rationalized, IBM Verify rebrand), managed migration territory.
- Modern developer tier (Auth0, Stytch / Twilio, Clerk, Descope, MojoAuth), where most greenfield decisions land.
- B2B specialists (WorkOS, Frontegg, SSOJet), when the buyer is the IT admin.
- Open-source self-hosted (Keycloak, Ory, Zitadel, FusionAuth, Authentik), the sovereignty and cost-ceiling answer.
Read the full piece on guptadeepak.com.
Related content
- CIAM vs IAM vs IDaaS, the categorical landscape.
- Build vs buy CIAM, the procurement framework.
- Vendor selector tool, apply the framework to your scope.