Continuous identity is here: And it changes everything

What if identity didn’t stop at the login screen?

That’s the question driving the rise of continuous identity, a new model that treats identity not as a one-time check at the door, but as a living, context-aware stream of signals that’s evaluated before, during, and even after a user session.

The problem, say identity leaders Sean O’Dell of Disney and Andrew Cameron of General Motors, is that most modern identity and access systems go quiet after authentication. “You get a green light once, and you’re in,” said O’Dell. “But real security requires constant reevaluation. Context changes. Threats evolve. Identity must keep up.”

At Identiverse 2025, the duo made the case for transforming traditional IAM frameworks into dynamic, event-driven architectures that use real-time signals, from endpoint health to behavioral anomalies, to continuously verify user trust and permissions.

Cameron described it as moving from “two-dimensional access control to a multi-dimensional orchestration of data, context, and risk.”

Their approach is grounded in open standards like CAEP (Continuous Access Evaluation Protocol) and the Shared Signals Framework, which allow identity, security, and infrastructure systems to communicate and adapt in real time. It's the backbone of what they called a modern identity fabric, one where access is provisioned just in time, and automatically revoked as context shifts.

To explain the model, O’Dell turned to a personal analogy: a fridge repairman named Shane. “You let Shane in once to fix the fridge, that’s authentication. But if he shows up the next day uninvited, he’s not getting back in,” he said. “It’s not about who Shane is. It’s about whether he still has a right to be there.”

That shift—from identity as a static claim to a constantly evaluated state—is the core of continuous identity. It enables real-time session revocation, responsive access changes, and tighter alignment with Zero Trust principles.

The Orchestrator: The brain behind continuous identity

A pivotal component in this emerging model is the orchestrator, a decision engine that evaluates incoming signals and dynamically enforces access policy across systems. Rather than relying on rigid, one-time configurations in Identity Governance and Administration (IGA) or Single Sign-On (SSO) platforms, the orchestrator reacts in real time to changes in user context, threat signals, or business policy.

“Without orchestration, you’re just collecting signals with no one listening,” said Cameron.

It’s how systems can enforce, for example, a policy that blocks production changes unless the user has an active ServiceNow ticket. Or how they can revoke access mid-session if a CrowdStrike alert flags a device as compromised. The orchestrator translates these inputs into action.

“Your existing IAM components (stack) become appliances,” said O’Dell borrowing again from the analogy of the fridge repairman. The event hub (i.e. orchestrator) is essentially controlling what the appliances do via the identity data fabric. “The identity data fabric is key here,” he said.

The orchestration and identity data fabric play together in sync, in context and with purpose.

It’s not just a tech problem

Despite the technical implications, both speakers underscored that the biggest challenge isn’t infrastructure, it’s culture.

Continuous identity demands close collaboration across siloed teams: authentication, governance, endpoint, HR, and development. Without shared language and operational alignment, even the best tools can create friction or conflicting policies.

“If your policy team updates conditional access and your data team doesn’t know,” O’Dell warned, “you’ll be secure, but broken.”

They pointed attendees to Ian Glazer’s “Modern IAM Principles” as a useful guidepost: data, events, policy, orchestration, and action. These aren’t just technology concepts—they're workflow disciplines for making identity work across departments.

Start small, build smart

Crucially, O’Dell and Cameron emphasized that continuous identity isn’t a rip-and-replace strategy. Organizations can begin with the tools they already have, provided they can integrate signals and enforce policy across them.

“You don’t need to buy a new suite,” said Cameron. “You need to make the systems you have smarter.”

They encouraged security leaders to identify a focused, high-impact use case, such as privileged access management or CIAM flows, and prove out the value of dynamic orchestration. From there, capabilities can scale.

“Every signal isn’t useful. Every event isn’t urgent,” said Cameron. “But knowing what matters is what makes continuous identity work.”

O’Dell closed with a reminder that this shift isn’t theoretical. It’s already underway. “Continuous identity isn’t a buzzword,” he said. “It’s the foundation of adaptive security and it’s possible now, with the tools you have, if you’re willing to rethink how identity works.”