
State of CIAM 2026: 14 Trends from 200+ Vendor Changelogs

An annual research piece based on 12 months of monitoring 200+ CIAM vendor changelogs. The 14 trends shaping customer identity in 2026 and the vendors leading each shift.

State of CIAM 2026: 14 Trends from 200+ Vendor Changelogs, by Deepak Gupta on guptadeepak.com

I have monitored 200+ CIAM vendor changelogs over the last 12 months. Here are the 14 trends shaping customer identity in 2026, what each one means for buyers, and which vendors are leading the shift.

This piece is the annual companion to the work that lives at CIAM Compass (47 vendors tracked) and the research catalog at guptadeepak.com/research. The aim isn't to predict the future. It is to surface what's actually shipping in production this year, based on what the vendors themselves have released.

Methodology, briefly

I subscribed to the public changelog, release notes, or feature blog of 47 CIAM vendors (the CIAM Compass vendor set, plus a few adjacent IdPs that don't qualify as pure CIAM but ship in the same buying decision). I categorised every release shipped between May 2025 and May 2026 into one of ~40 capability buckets. A trend made the cut if at least 5 vendors shipped meaningfully in the bucket, or if the buyer-side impact crossed a clear threshold (a new compliance requirement, a procurement question that didn't exist last year, a category that emerged).

Where I cite a vendor as "leading" a trend, that vendor either shipped first or shipped the most complete implementation. The full data lives at CIAM Compass changelog, refreshed monthly. The scoring rubric is at CIAM Compass methodology.

1. Passkeys finally moved from "available" to "default"

The shift in 2026 is that passkeys are no longer the opt-in advanced setting. Stytch, Clerk, Descope, and Beyond Identity ship passkey-first signup flows where the password is the fallback, not the primary. Auth0 added the same as a configurable default in early 2026. Buyer implication: if your vendor still treats passkeys as a secondary option in the default flow, you are at least a release cycle behind. Passkeys explained.

2. AI agent identity emerged as its own category

This was the biggest new category of 2025-2026. MCP servers, agentic workflows, and autonomous task runners all need identity, and they don't fit the human-user model. Workload identity systems (SPIFFE-derived) and CIAM systems are converging awkwardly in the middle. Vendors leading: Auth0 (Tokens for Agents), Stytch (Connected Apps), Descope (agentic auth). Buyer implication: if you ship any product surface that AI agents will call on behalf of users, your auth model needs to support delegated, attenuated, revocable agent credentials. Authentication for AI agents and AI agent identity and MCP.

3. MCP server identity standardised faster than expected

The Model Context Protocol shipped in late 2024, and by mid-2026 every major CIAM vendor has a story for it. OAuth 2.1 with PKCE is the de facto standard; sender-constrained tokens (DPoP) are showing up in early-2026 implementations from Auth0 and Stytch. Buyer implication: when you select an MCP server framework, check that your CIAM vendor's OAuth implementation matches the MCP authorization spec; mismatches here are extremely painful to fix later. MCP server identity model.

4. Sender-constrained tokens (DPoP, mTLS) crossed the chasm

For years, sender-constrained tokens lived in the OAuth specifications but not in mainstream CIAM products. 2025-2026 changed that. Curity, Authress, Ory, and Auth0 all shipped production-grade DPoP. mTLS-bound tokens are still niche but growing in regulated sectors. Buyer implication: if you handle payments, healthcare records, or any high-value API, the next pen-test is going to ask whether your tokens are sender-constrained. Be ready. Token lifetime best practices.
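To make the "are your tokens sender-constrained" question concrete, here is an added example (not code from any vendor above) of the binding checks a resource server performs under RFC 9449 when a DPoP proof accompanies an access token. It assumes the proof's JWS signature has already been verified against the `jwk` in its header by a JOSE library, and that `seen_jti` stands in for a short-lived replay cache; the key and token values in the test are constructed.

```python
import base64
import hashlib
import json
import time
from urllib.parse import urlsplit, urlunsplit

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, sorted, no whitespace, SHA-256."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return b64url(hashlib.sha256(json.dumps(members, sort_keys=True, separators=(",", ":")).encode()).digest())

def ath_of(access_token: str) -> str:
    """RFC 9449 'ath' claim: base64url(SHA-256(ASCII(access_token)))."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())

def normalize_htu(url: str) -> str:
    """htu is compared without query string or fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))

def check_dpop_binding(proof_header, proof_claims, access_token, token_claims,
                       method, url, seen_jti, now=None, max_skew=300):
    """Resource-server binding checks; returns (ok, reason). Assumes the proof JWS
    signature was already verified against proof_header['jwk'] by a JOSE library."""
    now = time.time() if now is None else now
    if proof_header.get("typ") != "dpop+jwt" or "jwk" not in proof_header:
        return False, "not a DPoP proof"
    jkt = token_claims.get("cnf", {}).get("jkt")
    if jkt is None:
        return False, "token is not sender-constrained (no cnf.jkt)"
    if jwk_thumbprint(proof_header["jwk"]) != jkt:  # token presented with a different key
        return False, "proof key does not match cnf.jkt"
    if proof_claims.get("ath") != ath_of(access_token):  # proof covers some other token
        return False, "ath does not match presented token"
    if proof_claims.get("htm") != method.upper() or normalize_htu(proof_claims.get("htu", "")) != normalize_htu(url):
        return False, "htm/htu mismatch"
    if abs(now - proof_claims.get("iat", 0)) > max_skew:
        return False, "proof iat outside acceptance window"
    jti = proof_claims.get("jti")
    if not jti or jti in seen_jti:
        return False, "proof replayed or missing jti"
    seen_jti.add(jti)
    return True, "ok"
```

A plain bearer token fails the first check outright, which is exactly the finding a pen-test report would record.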

5. B2B-specific identity platforms ate a real slice of the market

WorkOS, Frontegg, PropelAuth, Tesseral, Wristband, SSOJet, and Scalekit all grew this year. The pattern is consistent: a B2B SaaS sells to enterprises, needs SAML/SCIM/Organisations/audit logs, finds Auth0's B2B offering too generic, picks a B2B-first vendor instead. Buyer implication: if you sell to other companies, evaluate B2B-first vendors as a first-class option. The big-vendor B2B layer is no longer the obvious default. WorkOS, B2B SaaS identity guide.

6. Identity verification converged with CIAM at signup

KYC/IDV used to be a separate vendor (Onfido, Persona, Stripe Identity) bolted onto the signup flow. In 2026, Stytch, Descope, Beyond Identity, and Transmit shipped native IDV integrations where the document scan and liveness check happen inside the CIAM SDK. Buyer implication: if you currently maintain a separate IDV integration, your CIAM vendor may already offer the same capability with one fewer contract. Identity verification and KYC.

7. SCIM 2.0 adoption finally became table-stakes

SCIM existed for a decade but only the enterprise IdPs took it seriously. In 2026, SCIM 2.0 is now table-stakes for B2B CIAM. WorkOS, Frontegg, Stytch, Descope, Auth0, and the rest of the B2B set all ship SCIM provisioning and de-provisioning, and the enterprise procurement questionnaire now asks for it explicitly. Buyer implication: if your vendor doesn't support inbound SCIM from your customers' IdPs, you will lose deals. SCIM provisioning.

8. FIDO2 plus recovery: the recovery flow problem got solved

The unsolved problem with passkeys for years was: what happens when the user loses their device? The 2026 answer is a combination of synced passkeys (Apple, Google, 1Password, Bitwarden all sync passkeys across devices in a user's account) plus account recovery flows that don't fall back to passwords. Beyond Identity, Stytch, Hanko, and Corbado lead here. Buyer implication: evaluate the recovery flow as carefully as the primary auth flow. A passkey product without a recovery story is incomplete. Account recovery design.

9. Fine-grained authorization (ReBAC) moved from research to product

Google Zanzibar inspired a generation of fine-grained auth systems (OpenFGA, SpiceDB, Permify, Auth0 FGA). In 2026 they shipped enough product surface and integration depth to start displacing the homegrown RBAC implementations that most SaaS products have. Buyer implication: if your product has any concept of "share with these users" or "give this team access to that workspace," FGA is now the credible answer to a problem you may be solving by hand. Fine-grained authorization, Zanzibar explained.
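The two cases named above ("share with these users" and "give this team access to that workspace") as a minimal Zanzibar-style check, an added example that is not code from OpenFGA, SpiceDB, Permify or Auth0 FGA; the tuples, object names and schema are constructed for illustration.

```python
from collections import defaultdict

# Relation tuples are (object, relation, subject). A subject is a user ("user:alice"),
# a userset ("team:eng#member"), or a plain object used as a parent link ("workspace:acme").
TUPLES = [  # constructed sample data
    ("team:eng", "member", "user:alice"),
    ("workspace:acme", "member", "team:eng#member"),  # give this team access to that workspace
    ("doc:roadmap", "parent", "workspace:acme"),
    ("doc:roadmap", "viewer", "user:bob"),             # share with these users
    ("doc:roadmap", "editor", "user:carol"),
]

# Userset rewrite rules per object type. computed_userset: editor implies viewer.
# tuple_to_userset: a member of the doc's parent workspace is also a viewer of the doc.
SCHEMA = {
    "doc": {"viewer": [("computed_userset", "editor"), ("tuple_to_userset", "parent", "member")]},
}

class ReBAC:
    def __init__(self, schema, tuples):
        self.schema = schema
        self.index = defaultdict(set)  # (object, relation) -> set of subjects
        for obj, rel, subj in tuples:
            self.index[(obj, rel)].add(subj)

    def check(self, obj, relation, user, depth=0):
        """Zanzibar-style Check: is `user` a member of the userset obj#relation?"""
        if depth > 16:  # bound recursion so a cyclic userset cannot hang the check
            return False
        subjects = self.index.get((obj, relation), set())
        if user in subjects:
            return True
        for s in subjects:  # indirect membership through a userset subject
            if "#" in s:
                s_obj, s_rel = s.split("#", 1)
                if self.check(s_obj, s_rel, user, depth + 1):
                    return True
        for rule in self.schema.get(obj.split(":", 1)[0], {}).get(relation, []):
            if rule[0] == "computed_userset" and self.check(obj, rule[1], user, depth + 1):
                return True
            if rule[0] == "tuple_to_userset":
                for parent in self.index.get((obj, rule[1]), set()):
                    if self.check(parent, rule[2], user, depth + 1):
                        return True
        return False

AUTHZ = ReBAC(SCHEMA, TUPLES)

def can(user, relation, obj):
    return AUTHZ.check(obj, relation, user)
```

Note that alice never appears in any tuple for the document; her view access is derived entirely from team membership plus the parent link, which is the relationship-walk that homegrown RBAC tables cannot express.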

10. Passwordless-first onboarding became the default for new products

Three years ago, asking users to create a password at signup was the obvious flow. In 2026 it's an active negative signal for product-led B2B SaaS, because every comparable product offers magic link or passkey onboarding. The shift is fastest in developer tools (Vercel, Linear, PlanetScale, Sentry all moved to passwordless-first signup) and slowest in financial services (regulatory inertia). Buyer implication: if you are launching a new product in 2026 with password-first signup, you are dating yourself. Passwordless authentication, Magic links vs OTP.

11. Fraud detection converged into CIAM

Adaptive auth, bot defense, account takeover protection, and risk scoring used to be separate categories. In 2026 every major CIAM vendor ships them as part of the platform. Transmit Security, Beyond Identity, Authsignal, and Auth0 (with Bot Detection) lead. Buyer implication: if you currently pay for a separate bot defense or risk engine, your CIAM contract may already include adequate coverage; check before renewing. Adaptive risk-based auth, Account takeover defense, Bot defense.

12. SMS OTP deprecation accelerated

NIST's SP 800-63B-4 effectively deprecated SMS-based OTP for any account that protects valuable data. 2026 was the year mainstream CIAM vendors stopped recommending SMS in defaults and started actively warning admins. The TOTP-with-passkey-recovery pattern is now the default MFA shape. Buyer implication: if your MFA defaults still surface SMS as the first option, fix it before the next compliance audit. SMS OTP deprecation 2026, TOTP vs SMS OTP.

13. Data residency stopped being optional outside the US

EU regulators, Indian DPDP, and a half-dozen other regimes hardened their stance on cross-border identity data in 2025-2026. CIAM vendors that previously offered "deployed in the US, that's it" started losing deals. Auth0, Okta, Ping, ForgeRock, and WorkOS all expanded regional deployment options. The smaller vendors are still catching up. Buyer implication: if you sell internationally, regional CIAM deployment is now a hard procurement requirement. Data residency and sovereignty.

14. Decentralized identity moved out of beta in two specific places

Verifiable credentials (W3C VC) and decentralized identifiers (DIDs) had been a research project for years. In 2026 they shipped in two real places: EU's eIDAS 2.0 wallet rollout, and B2B onboarding flows where one company verifies another company's employees without integration. The mainstream consumer story is still years out, but the enterprise story is here. Buyer implication: if you sell into the EU, your roadmap needs eIDAS 2.0 wallet compatibility within 18 months. Decentralized identity for CIAM.

What this means for buyer decisions in 2026

Three composite implications.

The B2B-specific vendor split is real. Five years ago, picking Auth0 for B2B was the safe choice. In 2026, picking WorkOS or Frontegg for B2B-specific needs is the better choice, and Auth0 remains the default for B2C and mixed-mode. The market has bifurcated and the procurement question has changed shape.

The "AI agents need identity too" point is not theoretical. If your roadmap includes any agentic feature (an AI that calls APIs on a user's behalf, an MCP server that talks to your product), your CIAM vendor's agent-identity story is now a load-bearing piece of the architecture. The AI agent identity crisis covers the strategic shape; the trend list above covers the tactical implementations.

Passwords are not dead, but password-first is. The base rate of password-first signup in new products has crossed below 50% based on the 2026 product-launch sample I tracked. The password column will live in your database for a long time, but it is no longer the primary credential for new users. Pair this read with the future of CIAM and the complete CIAM guide for 2026.

What's missing from the CIAM landscape in 2026

Three gaps the market hasn't filled.

A credible "identity for autonomous agents" standard. Every vendor has shipped a proprietary version. The OAuth working group is working on the standardised version. Until it ships, expect lock-in.

A unified "recover my passkey when I lost my phone, didn't sync, and don't have a backup device" flow. Synced passkeys solved 80% of the problem. The remaining 20% is still painful and is going to cause real support load for any product with a passkey-first flow.

A meaningful answer to "my customer's IT admin wants to disable my product for one user across all their devices in 60 seconds." Token revocation latency is still 5 to 60 minutes for most vendors. For B2B sold to security-conscious buyers, this is the next procurement question.

Closing

The 47 vendors tracked at CIAM Compass ship roughly 1,400 customer-facing changes per year. The 14 trends above are the ones that crossed a threshold of meaningful adoption. There are another 30 to 40 that are visible in changelogs but haven't yet crossed the threshold; many of them will be on next year's list.

Two pieces of adjacent reading: decentralized identity enterprise playbook for the trend 14 angle, and AI agent identity crisis for trends 2 and 3.

I will refresh this analysis in May 2027. If you want monthly updates as vendors ship, the CIAM Compass changelog is the live feed.
