If identity is the new firewall, it explains why the research company Forrester estimates the market for identity and access management (IAM) products will grow by 15.3 percent each year to rise from US$13.5 billion ($19.4 billion) in 2024 to reach US$27.5 billion ($39.5 billion) by 2029.

According to Forrester, that growth is coming from five specific segments: traditional workforce IAM (WIAM), customer IAM (CIAM), privileged identity management (PIM), authentication, and authorisation management.
Of these, workforce identity management will continue to account for more than half of all spending, rising from US$7.9 billion in 2024 to US$15.6 billion ($22.4 billion) in 2029.

According to Forrester senior analyst Meng Liu, the growth in investment in IAM across APAC has been driven by the need to deliver secure, seamless digital experiences for both customers and employees.
“Over 70 percent of security decision-makers in the region plan to increase spending on CIAM and WIAM,” Liu said.
He said this push was being fuelled by four key trends. The first of these related to IAM investments, and was driven by a race to enhance digital onboarding and customer trust.

The second related more to WIAM and resulted from accelerated cloud and hybrid migrations. A growing reliance on third-party ecosystems was also creating an urgent need for simplified and robust sign-on solutions for employees, while fragmented regulatory environments across the region meant organisations were seeking uniform compliance within their operating markets.
Furthermore, he said IAM was now recognised as being central to enabling Zero Trust strategies, enforcing least-privilege access, and ensuring compliance.
One of the key developments within IAM is the evolution of the identification methods used. According to Liu, use of passwordless authentication has been growing steadily, as has the use of biometrics. He said these methods suited mobile-first, tech-forward consumers in APAC, with 70 per cent viewing biometric methods such as palm or facial recognition as more secure than traditional PINs.
Meng added that phishing-resistant multi-factor authentication (MFA) techniques, such as FIDO2 passkeys and hardware tokens, were also seeing rapid adoption, particularly in workforce IAM.
“Single sign-on has become table stakes for delivering frictionless cross-platform experiences, while decentralized digital identity is emerging as a privacy-first alternative to centralized identity providers,” he said.
The demand for IAM services was also being quickly reshaped by the adoption of AI agents and machine identities, as their users learned the risk inherent in allowing non-authenticated agents to access systems.
According to Liu, the explosion of cloud-native apps, APIs, and IoT devices meant machine identities now represented one of the fastest-growing attack surfaces.

“Within APAC, firms are investing in machine identity management to secure non-human accounts, rotate credentials, and monitor machine-to-machine interactions - extending Zero Trust to digital agents,” he said.
The rapid maturing of AI was also causing significant headaches for users of some traditional IAM techniques, with highly realistic deepfakes becoming a more common attack technique. However, many organisations appeared uncertain how to defend against this technique, or whether they needed to.
Meng said that Forrester research showed that while 74 per cent of APAC organisations were concerned about deepfake-related financial fraud and impersonation, fewer than 30 per cent were using AI tools to detect it.
“To mitigate this risk, firms should implement liveness detection in authentication workflows, deploy deepfake detection AI, and update incident response plans to include synthetic media scenarios,” he said.
“In short, IAM in APAC is no longer just a security function—it’s a business enabler. Organisations that align IAM with customer experience, AI governance, and fraud prevention will be best positioned to thrive in the region’s dynamic digital landscape.”
Sitting at the centre of Australia’s property market, PEXA processes more than 20,000 property settlements each week and has facilitated over $5 trillion in transactions since 2013.
With such high-value transactions flowing through its platform, it's not surprising that in the 2025 financial year PEXA experienced (and successfully defended against) 6.5 million intrusion attempts.
In recent times chief information security officer Graham Fairley and his team have worked to consolidate the company’s overall cyber security stack.

“As a designated critical infrastructure provider, we’ve had to significantly uplift our capabilities, including how we integrate threat intelligence and improve resilience,” Fairley said.
“At the same time, we need to ensure the reliability and trustworthiness of our technology to maintain a strong customer experience.”
A key part of this strategy has been simplifying PEXA’s identity and access management capability through consolidating multiple tools into a single platform, provided by Okta. Fairley said resilience and reliability were key criteria for this decision.
“IAM is effectively the front door into our platform and so it is subject to a fair bit of attack,” Fairley said.

“We need to strengthen how we manage access by understanding where users are coming from, whether behaviour aligns with expected patterns, and identify anomalies. Modern IAM platforms enable this through better signalling and data correlation.”
With a diverse customer base that ranges from small conveyancing firms to large financial institutions, PEXA must also balance the need for security with a requirement for usability.
“Having hard and fast security rules can drive unintended consequences from user behaviour, so it is important to find that balancing point,” Fairley said.
“Trying to deliver a good user experience that hits all of those demands is a key consideration.”
Having initially implemented Okta for workforce IAM seven years ago, PEXA has recently extended this capability to customer access, in conjunction with its UK expansion. This has delivered a unified approach to identity across both internal users and external participants.
“In the past year or so we have consolidated all of our customer identity, which is about risk-based authentication and uplifting and leveraging capabilities like dark web monitoring and user password checking,” Fairley said.
“Aligning to a single provider also simplifies integration and operational management.”

This unified IAM approach supports advanced capabilities including adaptive authentication, device posture assessment, API security at scale, and future-facing initiatives such as passwordless access.
“There is also a lot of discussion around how do we do AI safely and securely at scale, because it really is turbocharging the speed of interactions in this space,” Fairley said.
“As we get more into the agentic space, that is where some of that more modern thinking about defining and assigning roles to the agents becomes an expansion of our existing patterns.”
Whatever decisions the organisation makes, Fairley said they would need to align with its commitment to defence in depth.
“We are trying not to rely on one control to keep us safe and secure,” he said. “So it is really building those layers up.”