An Interview With Eve Maler
Heya,
This is another in my series of interviews about the future of CIAM from experts in the space.
Eve Maler spent 26 years building the systems identity leaders depend on — co-creating SAML and User-Managed Access, contributing to OAuth, and serving as ForgeRock's CTO through its IPO and $2.3B acquisition by Thoma Bravo. She championed those standards across UK Open Banking, US government health IT, and the medical Internet of Things — negotiating agreements, educating implementers, and making the case at every level. She also spent years at Forrester Research mapping the enterprise identity landscape, covering IAM, strong authentication, and API security. Today, as founder of Venn Factory, she works with executive teams on the problems that technical competence alone doesn't reach. Her book Mastering Digital Identity: From Risk to Revenue argues that identity is your business model in disguise — and CIAM is its most literal expression: the one discipline where, by definition, you're not the boss of them.
I’m excited to hear Eve’s views on CIAM, identity and more. I also got the chance to interview her for my employer’s webinar series. It was a ton of fun.
Dan: What problems do you see customer identity and access management (CIAM) solving for your customers?
Eve: The CIAM programs doing this well refuse to accept tradeoffs among four identity “jobs to be done.” In Mastering Digital Identity I call them the Four Ps: Protection, Personalization, Payment, and People, with a hidden Fifth P, Productivity, running underneath all of them.
Most CIAM deployments still get built to optimize one P at the expense of the others — lock down Protection and you tank conversion; chase Personalization and you widen the attack surface; ignore People, the actual humans navigating your flows, and you generate support tickets that erode the Productivity gains everywhere else.
The problem CIAM solves, when it’s done right, is letting an organization stop choosing: a login flow that’s both secure and frictionless, a consent experience that satisfies both regulators and customers, an online purchase that’s rooted in an accountable human while supporting more valuable transactions. That’s the no-compromises promise — and the hardest part to sell internally, because most budgets, reporting structures, and metrics are still built around one P at a time.
Dan: What are major challenges you see with CIAM (in the industry, in implementation, etc)?
Eve: IDPro’s vision statement at one point described identity practitioners as “vital and vibrant counterparts to privacy and information security.” Since identity tech attempts to capture who we are in bits and bytes, I agree we are duty-bound to do so in ways that are ethical, secure, privacy-protecting, and reliable.
But in practice, the CIAM function often carries a burden of satisfying organization-wide security and privacy goals that it’s not prepared to bear. As one example, you can’t offer a “right to be forgotten” option in good faith if you don’t know where all of the user’s data is.
Meanwhile, the organization’s MarTech stack is tied directly to revenue in a way identity is not. It also drives the digital surveillance that end-users reasonably think is “creepy” — and generally sits outside CIAM’s purview. That gap is one reason data monetization practices are so hard to dislodge once they’re embedded.
My book makes the argument that the marketing and identity teams should be allies. Most people running customer data platforms have no idea that identity systems could help them achieve their core goals. And most identity people have no idea they could be influencing their counterparts on identity-rooted privacy and consent innovations that foster trust and loyalty instead of undermining them.
Dan: What excites you about the future of CIAM? Any predictions?
Eve: CIAM is finally being forced to treat identity as relational, not solitary. No identity is an island, and the consequences turn up in places you wouldn’t expect. Chapter 6 of the book includes a case of “identity beyond the grave”: the fraud and access challenges that thrive in someone’s digital estate after they’ve died, when accounts, subscriptions, and payment methods outlive the person who created them. As Dean Saxe, founding co-chair of the DADE Group, says, “Death is not an edge case.” And yet identity systems weren’t designed to understand family, household, and caregiver relationships well enough to ease the ultimate state transition.
The relationship I think CIAM will spend the next decade re-architecting around is the one between a person and the AI agents acting on their behalf. CIAM has spent two decades authenticating a human on the front channel. The next decade is about authorizing an agent acting for a human who isn’t there.
Getting consent, scope, and accountability right when delegation is the default rather than the exception — that’s coming, and the basic principles will get hammered out by the end of 2026. Having worked on relationship and delegation architectures since 2008 — the early days of UMA — I’ve watched the state of the art advance rapidly in recent months and even weeks.
Getting it right will require humans to have a real, enforceable say that persists throughout long-running interactions and data flows, not just a one-time consent checkbox. Get that right, and you solve a key agentic AI problem and a key digital estate problem with the same architecture. Underneath, they’re the same problem: identity has to keep doing all of its jobs after the person who anchored it stops being directly present.
Thanks again to Eve for sharing her views.
Dan
PS I’ll pick a random winner from all the people who reply to this email and answer the question “what is your favorite P is and why?”. I’ll ship the winner a copy of Mastering Digital Identity. (I’ll ship via Amazon, so if you live in Antarctica or someplace else it doesn’t ship to, you’re out of luck, sorry.)