In a world where every organization is becoming a technology company, identity management is becoming one of the key components of security architecture and user experience. IAM (Identity and Access Management) is no longer just authentication and access control, but the backbone of digital services, platforms, and ecosystems integrating hundreds of applications, partners, customers, and employees.

Meanwhile, many organizations still struggle with fragmented systems, shadow access, technical debt, and lack of a flexible, scalable approach to access management. Traditional IAM solutions prove to be too rigid, expensive, or difficult to implement in complex IT environments.

In response to these challenges, open-source, modular, and flexible solutions are gaining popularity, such as Keycloak – an IAM platform that allows not only centralizing identity management but also implementing new security standards and creating better end-user experiences.

We speak with Marcin Parczewski, CEO and co-founder of Inteca, who is responsible for implementing advanced Keycloak-based deployments in the enterprise sector, about why identity management is a strategic topic today and what can be gained by thinking about IAM as innovation.

The market increasingly talks about so-called Identity-first security – an approach where identity management becomes the foundation of the entire security strategy and operations. Gartner indicates that by 2026, over 70% of organizations will adopt an identity-based approach as the main access controller in hybrid and cloud environments. Do you think this change in companies’ approach is already visible, or is IAM still thought of exclusively in technical terms – as a security solution?


Yes, the change is definitely visible – especially in organizations that have already gone through the first wave of digital transformation. The question increasingly asked is not “do we need IAM” but “how can IAM help us develop business faster and improve customer experiences.” Because the entire digital business starts with identity – from the moment a customer logs into an application, goes through the onboarding process, verifies their identity, and then gains access to services. If these processes are unintuitive, lengthy, or inconsistent across different channels, then everything else – even the best product – loses value.

Do companies perceive it this way?


Companies are beginning to understand that IAM is not just security, but primarily an element of user experience and business ecosystem integration. For example: the ability to log in once and seamlessly use both proprietary and partner services is becoming the standard today. Customer identity should be recognizable throughout the entire value chain – from the bank, through the insurer, to e-commerce services. More and more organizations notice that friendly onboarding and centralized identity management are key to acquiring and retaining customers. That’s why we talk about identity-first security – not as an additional security layer, but as the foundation for building new digital services and scaling business models. In this sense, IAM becomes a real “enabler” of innovation, not just background technology.

It’s said that “IAM is the new API” – everything in digital organizations must authenticate, connect, and grant permissions today – while users expect everything to “just work”… Meanwhile, in many companies, access logic is scattered across different systems, and identity management is still sometimes treated as a technical cost. How do you think it should be treated?


Exactly – today identity becomes the new API. Every process, every integration, every access starts with the question “who is this and what rights do they have?” The problem is that in many large organizations, this logic is scattered – access is managed by separate HR, CRM, ERP, legacy systems, sometimes even individual business applications. The result? Chaos, lack of consistency, shadow access risk, and from the user’s perspective – frustration, because they have to remember dozens of passwords and go through login processes multiple times.

That’s why I believe that IAM should not be treated as a technical cost, but as a strategic investment – just like CRM in sales or ERP in finance. A modern approach to identity management is an opportunity to organize the entire IT landscape while creating a foundation for developing new digital services.

What do you think is most important in this approach?


The key is that IAM becomes the foundation for implementing the two biggest trends in digitization:

  • Zero Trust Security – where access is not granted based on location or network, but always verified dynamically through the lens of user identity and context. Without centralized, flexible IAM, such an approach is practically unfeasible.
  • Boundaryless Information Flow – the ability for free, secure information flow between applications, organizations, and business partners. It’s IAM that enables consistent management of permissions and identities throughout the entire ecosystem, not just within a single company.

What benefits does this bring from a business perspective?


In this sense, IAM is not a “technical implementation” but an element of digital business development strategy. Companies that look at it this way gain much more:

  • Operational efficiency – fewer systems to maintain, fewer incidents, lower costs,
  • Accelerated time-to-market – new applications immediately use one standard IAM,
  • Better user experience – customer or employee logs in once and has consistent access to services,
  • Openness to partners – easier to build joint platforms and marketplaces based on unified identities.

Many reports, including the aforementioned Gartner, show that the role of IAM systems is growing year by year. What causes this and are we still talking only about access and identity management, or is IAM actually starting to fulfill a different – more strategic – function?


The role of IAM is growing because the way organizations operate is changing. Every company is becoming a technology company. Even a bank, insurer, or logistics operator must operate like a digital services provider, where key processes move to applications and online channels. This means that the starting point of every interaction is authentication and identity of the customer, employee, or partner.

We have growing ecosystem complexity. Companies no longer operate in isolation. They increasingly create joint platforms with partners, enter marketplace models, or integrate with external providers. For this to be possible, consistent and flexible identity management throughout the entire ecosystem is needed – otherwise business development is hampered.

New work and security models. Remote work, hybrid work, cloud usage, Zero Trust approach – all of this means we can no longer “secure the network.” We must secure user identity and context, because they become the organization’s boundary. That’s why talking about IAM today exclusively as access management is definitely too narrow.

And treating it more broadly creates what opportunities?


IAM becomes a strategic layer that:

  • Shapes customer experience – from onboarding to daily service usage,
  • Enables innovation and new business models – because integration with partners and rapid launch of new services are only possible with consistent identity,
  • Ensures compliance and security – centrally, not point-by-point in each system,
  • Supports boundaryless information flow – because user identity can be recognized and managed across multiple domains simultaneously.

Capabilities are one thing, but companies are probably more interested in specific challenges they need to face. What do you think are the biggest pain points for large organizations today in the context of IAM?


The biggest problem we see in organizations is that IAM has been treated in a point-by-point manner for a very long time, rather than systemically. The result is that in large companies we often have dozens of authentication and authorization systems – separate ones for HR, legacy applications, customer portals, partners. This leads to several serious pain points:

Scattered access logic – lack of a single place where you can see “who has access to what”. This creates shadow access risk and makes compliance audits difficult.

Difficult onboarding and poor user experience – customers have to create multiple accounts, employees log in dozens of times a day, partners don’t have consistent platform access. And today users expect identity to “just work” and for login to be as simple as in consumer services.

Technical debt – many organizations still use outdated, monolithic IAM systems that are expensive to maintain and difficult to integrate with modern microservice or cloud architectures.

Lack of flexibility and scalability – traditional solutions often can’t keep up with the pace of business changes. Launching a new channel or application means months of integration and additional costs.

Regulatory pressure – GDPR, PSD2, DORA, eIDAS – require precise identity management, permissions, and process compliance. Without modern IAM, meeting these requirements is increasingly difficult and expensive.

Organizations today suffer primarily from fragmentation and lack of central IAM strategy. This not only makes life difficult for users, but also actually blocks business – because without consistent identity it’s hard to scale platforms, introduce innovations, and build customer trust.

And where do neglect or risks most commonly occur – such as shadow access, scattered access, lack of centralization?


Most risks appear where there’s a lack of central view of identities and permissions. In practice, we see several recurring areas:

Shadow access and lack of recertification – employees often change roles, projects, teams, but their access to old systems remains. This is a classic example of excessive permissions that in extreme cases can be a gateway to abuse.

Scattered access across multiple systems – authorization logic is dispersed across HR, CRM, ERP, and legacy applications. There’s no single place where you can answer a simple question: “who has access to what?”. This makes audits difficult and causes real security risks.

Lack of central IAM for customer and partner channels – companies often have excellent internal security processes, but customers or partners have to create separate accounts for different services. This not only ruins user experience but also increases the attack surface.

Misalignment with Zero Trust model – many organizations still rely on the concept of “trusted network”. Meanwhile, in the hybrid and cloud work model, boundaries disappear and identity becomes the only reliable control layer. Lack of modern IAM makes Zero Trust impossible to implement in practice.

Lack of automation in offboarding – employee departure, end of partner cooperation, or role expiration doesn’t always mean immediate revocation of permissions. In many organizations this is a manual and scattered process – and that’s a huge risk.

And in what situations does so-called “bad IAM” actually slow down or hinder business?


“Bad IAM” is not just a problem for the security department – it’s something that can actually stop business development. Examples are very clear:

Customer onboarding – if registration in an app or online banking requires 10 steps, several emails, and a branch visit, customers often give up. The “first contact” impression determines whether they’ll stay on the platform.

Time-to-market for new services – when a company launches a new application or sales channel, and each IAM integration takes months, business loses competitive advantage. We’ve seen situations where a marketing project was ready but couldn’t start because IAM couldn’t keep up.

Partner collaboration – in an ecosystem model, quick partner onboarding is crucial. If this requires creating separate accounts and manual processes, partners are reluctant to enter such integrations, and companies lose opportunities to expand their offerings.

Hybrid work and mobility – poor IAM means having to use VPNs, multiple passwords, and procedures that frustrate employees and reduce productivity. In the era of remote work, this is a real operational barrier.

Compliance and regulations – lack of central IAM means difficulties in reporting “who had access to what”. Audits drag on for months, and the risk of regulatory penalties is very high.

 

Let’s talk about Keycloak then, a specific IAM solution in the Red Hat ecosystem that’s gaining popularity. What makes so many companies choose it and what sets it apart?


Keycloak stands out primarily because it addresses the biggest challenges organizations face today – and does so in a simpler, more flexible, and cost-effective way than many traditional IAM solutions.

Open source and no vendor lock-in – companies using Keycloak have full control over the solution and can customize it to their own needs, without licensing restrictions or dependency on a single vendor. This provides flexibility and freedom, especially in large enterprise environments.

Fast integration with modern architectures – Keycloak supports standards like OpenID Connect, OAuth2, SAML “out of the box” – making it easy to connect with web, mobile, cloud, or microservice applications. For business, this means new services can be launched faster and without multi-month integration projects.

Better user experience – Keycloak offers ready-made Single Sign-On mechanisms, multi-factor authentication, federation with other identity sources (e.g., Active Directory, Azure AD, eIDAS). Customers or employees log in once and can use all services – and that’s key to user retention today.

Scalability and modularity – Keycloak works well in both small projects and complex ecosystems with millions of users. It can be developed step by step – starting with login centralization and ending with building a consistent identity platform in a Zero Trust model.

Cost-effectiveness – in a world where traditional IAM systems can cost millions in licenses and implementation, Keycloak provides comparable capabilities based on an open source model, which translates to a much better cost-to-business-value ratio.

Companies choose Keycloak because it’s a solution that’s open, flexible, and future-proof, combining security with user experience. This way, IAM stops being a barrier and becomes a catalyst for business development.

And for which organizations would this be the best solution?


Keycloak is the most natural choice for organizations that:

Have a complex ecosystem of applications and partners – e.g., banks, insurers, telecoms. Where we have hundreds of systems, customer channels, mobile applications, and partner integrations – central IAM based on Keycloak finally allows organizing identities and implementing consistent standards.

Build digital platforms or marketplaces – where one of the key requirements is easy and secure login for different types of users: customers, partners, suppliers. Keycloak handles such scenarios excellently through identity federation and SSO.

Want to implement a Zero Trust model – moving away from “trusted networks” towards access control based on identity and context. Keycloak as a central identity broker is the foundation of this approach.

Need open source flexibility – e.g., technology companies, software houses, integrators. For them, the ability to customize IAM to their own processes, without licensing restrictions, is a huge advantage.

Are under strong regulatory pressure – e.g., financial sector, energy, public administration. Keycloak makes it easy to meet requirements for auditing, reporting, strong authentication, and compliance with standards like PSD2 or eIDAS.

 

What are the most common use cases for it?

When it comes to use cases, the most common ones are:

  • Single Sign-On for employees and customers across the entire company ecosystem,
  • Identity federation – e.g., integration with Azure AD, LDAP, national or European systems (e.g., eIDAS),
  • Online customer onboarding – social login, multi-factor authentication, identity verification,
  • API and microservices access management – especially in modern cloud architectures,
  • B2B and B2B2C scenarios – when a company needs to handle different types of users on one platform.

What does implementation look like, what concerns do clients most often come with, and how do you handle them at Inteca?


We always implement Keycloak in large organizations in stages – we start with one key process, e.g., customer login to a portal or central SSO for employees. Only later do we expand this to other systems and channels. This way, the organization has control over the change and quickly sees the first results.

The most common client concerns are quite similar:

“Open source – is it really secure and stable?”
Many CIOs believe that open source is a “community project.” Meanwhile, Keycloak is developed by Red Hat and deployed in the world’s largest corporations. In our projects, we additionally emphasize that for critical deployments, we provide maintenance together – us as Inteca, as well as Red Hat through commercial support. This provides complete security and predictability.

“Integration with our IT landscape will be a nightmare”
This is a natural fear, because many companies run hundreds of systems, including a lot of legacy ones. Our experience shows that most integrations can be handled through standards (OIDC, OAuth2, SAML), and in more difficult cases, we build adapters. Example: systems based on CAS, which don’t support modern protocols – we can connect them to Keycloak without interfering with application code.

“IAM is a critical layer – won’t it paralyze the business?”
This is one of the most important questions. That’s why we always design implementations in a high availability model, with redundancy and load testing. The key is that we do the rollout gradually – first a pilot, then subsequent applications – there’s never a risk of “big bang” that could stop the organization’s operations.

“Who will maintain this?”
IT departments worry that they’ll lack the competencies to develop the IAM platform. That’s why in practice, we most often handle maintenance and development of critical deployments ourselves, providing the client with SLA and 24/7 monitoring. For clients who want additional support, we work with Red Hat, which offers commercial support and long-term versions of Keycloak.

All these concerns usually disappear after the first few months – when clients see that Keycloak works stably, integrates well even with older systems, and actually improves user experience.

 

Can you give some more unusual or advanced use cases that you’ve implemented using Keycloak?


Indeed, many people associate Keycloak only with login screens and SSO. Meanwhile, in practice, it’s an identity platform that can be used to build very advanced and innovative business scenarios. A few examples from our projects:

  1. Customer onboarding with identity verification and electronic signature

    In the financial sector, we implemented a process where a customer goes through full identity verification (KYC) and can immediately sign a document with a qualified signature (e.g., a loan agreement). Keycloak manages step-up authentication – the user gets additional MFA only at the moment of signing.

    Business effect: reducing onboarding time from several days to several minutes, higher customer conversion.

  2. Delegated administration in B2B model

    In one of our partner projects, we implemented a model where each partner company manages its own users and roles within the client’s platform. Central IT no longer has to manually create accounts and assign permissions.

    Business effect: huge time savings for the IT department and faster launch of cooperation with new business partners.

  3. Risk-based authentication and step-up MFA

    In systems handling payments, we implemented dynamic policies: if a user logs in from a new device or submits an application for a large amount, Keycloak automatically requires stronger authentication.

    Business effect: higher transaction security without reducing user convenience in daily operations.

  4. Boundaryless information flow in partner ecosystem

    For one of the industry platforms, we built identity federation that allows partners to use their own IdPs and seamlessly log into the client’s application.

    Business effect: quick partner onboarding to the platform and the ability to develop marketplace models without losing control over security.

What about more complex systems? Can Keycloak support digital transformation or, for example, creating digital services composed of multiple components (MACH, microservices)?


Keycloak fits perfectly into the needs of digital transformation, especially in organizations that build services based on MACH architecture or microservices. Why? Because in such environments, identity becomes the common “glue” that binds hundreds of independent components.

In traditional monoliths, authorization was embedded in the application. In the world of microservices, this approach doesn’t work – we have dozens of independent services, APIs, and frontends that must collectively recognize the user and work cohesively. Keycloak serves as a central identity broker that:

  • Provides Single Sign-On and consistent authentication – the user logs in once and has access to the entire ecosystem of microservices, APIs, and applications, regardless of how many clouds they run in.
  • Delivers tokens with business context – through mappers and scopes, microservices don’t need to build their own permission systems. In the token from Keycloak, they get all the necessary information (role, group, business attributes).
  • Handles federation and various identity sources – which is crucial when a digital service uses data from external providers, partners, or social login.
  • Enables Zero Trust implementation in practice – access is granted dynamically, depending on context (who, from what device, to which service, at what moment).
  • Accelerates time-to-market – new microservices don’t need to build their own authentication, they simply “plug into” the standard IAM.

From a business perspective, this means the organization can develop new digital services faster, without chaos in access management and without losing control over security. Keycloak also makes it easy to create composite digital services – such as industry platforms or applications combining data from multiple sources – where user identity and permissions are recognized throughout the entire ecosystem.

Let’s move on to the question of usability – can IAM be treated as a UX element, for example, in building a better end-user experience?


Absolutely – and this is one of the biggest changes in the approach to IAM in recent years. Until recently, identity systems were an “invisible security layer.” Today, identity and the way users log in become the first user experience with a digital service – and often determine whether they stay on the platform.

From a UX perspective, IAM is responsible for:

  • simple onboarding – quick registration, integration with social login, or eID or mObywatel verification instead of complicated forms,
  • Single Sign-On – users don’t have to remember five passwords or log into each application separately,
  • smooth and contextual MFA – additional authentication appears only when truly needed, instead of hindering every operation,
  • personalization and identity federation – users can access company and partner services without creating dozens of accounts,
  • control over their own data and consents – users can see what attributes they share and manage them independently.

Well-designed IAM works like a silent enabler – users feel that everything “just works” while benefiting from the highest security standards. So we can say that today it’s an element of customer experience strategy – just as important as the application interface or customer service quality. Companies that understand this build competitive advantage by combining security with convenience, which is exactly what today’s customers expect.

 

How do you think the future of identity management will look? In what direction is the market developing, and does the growing role of AI, distributed architectures, and edge computing affect how we need to think about identity management?


The future of identity management is intelligent, distributed, and user-centric IAM. Identity will become the universal API of digital business – something that enables building new service and collaboration models, not just securing systems.
In my opinion, the future of identity management has three main directions:

AI in service of security and UX – identity will increasingly be verified and protected using artificial intelligence mechanisms – from recognizing user behavior (behavioral biometrics) to automatically detecting anomalies and access risks. This will make IAM more “intelligent”: instead of forcing everyone to use multi-factor authentication at every step, the system will decide when to raise the security level and when to let users through without friction.

Distributed architectures and edge computing – organizational boundaries are disappearing. We have cloud, edge, IoT, mobile devices, and external partners. In such an environment, there’s no longer one “trusted network” – there’s only identity, which must be recognized and respected everywhere. IAM will evolve toward distributed models based on federation, standardization, and dynamic access policies that also work at the network edge.

User identity in the user’s own hands – and solutions like self-sovereign identity and government tools like eID or mObywatel will play a greater role, allowing users to control what data they share and in what context. Organizations will need to learn to work in a model where the user is the “owner” of their identity, and the company only uses its confirmation.

 

What will be the most strategic aspects of IAM in the next 2–3 years?


Looking at how the market and business requirements are changing, I would say that in the next 2–3 years, four aspects of IAM will be strategic:

Zero Trust in practice – not as a marketing buzzword, but as a real standard. Companies will move away from the “trusted network” model and transition to continuous verification of identity and user context. Identity will become the main security boundary.

User experience as a competitive advantage – IAM can no longer be a challenge for users. Simple onboarding (e.g., with eID or mObywatel), smooth login, passwordless, and intelligent MFA will be the difference between a company that acquires a customer and one that loses them.

Integration with ecosystems and partners – organizations will need to open up to collaboration in platform models. Identity will become the key to building trust between companies and enable boundaryless information flow across entire industries.

Machine identity and API management – alongside people, services, microservices, and devices play an increasingly important role and also need their own identity. IAM must evolve to centrally manage both users and “non-human identities.”

In short, IAM in the coming years will be the foundation not only of security but also of digital business development strategy. Companies that start treating it as a strategic layer today, rather than just background technology, will build new service models and ecosystems much faster.

 

And in what direction are you developing your IAM services?


At Inteca, we see that IAM is becoming one of the most strategic elements of digital transformation – that’s why we’re investing heavily in this area. We’re developing our services in several directions:

Enterprise-class implementations based on Keycloak and Red Hat: this is a natural foundation for us – we deliver projects that centralize identity management in complex ecosystems and build coherent Zero Trust strategies around it.

Managed services (Managed IAM): more and more clients say “we don’t just want implementation, we want you to also maintain IAM 24/7.” That’s why we offer a model where we take full responsibility for the stability, security, and development of the IAM platform – often together with Red Hat.

Innovative business scenarios: we don’t limit ourselves to login – we integrate IAM with customer onboarding processes, identity verification (e.g., eID, mObywatel), qualified signatures, or access management for APIs and microservices. Our goal is for IAM to actually support sales, marketing, and customer experience, not just be an “IT cost.”

Preparing for the future: we see the growing importance of AI in security, machine identities, and access management in edge environments. We’re already experimenting with these areas today to be ready for the next wave of changes in IAM.

We want Inteca to be a strategic partner for our clients throughout the entire IAM lifecycle – from analysis and architecture, through implementation and integration, to ongoing maintenance and development. This allows our clients to treat IAM not as a technical problem, but as a business development tool.

 

What clients can Inteca deliver the greatest value to?


For us, the most interesting projects are those where IAM has a strategic dimension, not just a technical one. We’re talking about companies that understand that identity is the foundation for developing new digital services and building competitive advantage.

  • Large enterprise organizations: banks, insurers, telecoms, energy companies, or public administration. There we deal with enormous user scale, distributed systems, and regulatory pressure – the perfect environment to showcase the power of centralized IAM.
  • Platform and ecosystem projects. Particularly interesting for us are initiatives where a company builds a shared platform with partners or B2B2C services. In such projects, user identity must be recognizable throughout the entire value chain – and that’s exactly where Keycloak performs best.
  • Innovative projects where IAM goes beyond “login” and supports business processes – e.g., customer onboarding using eID or mObywatel, integration with qualified signatures, or managing access to APIs and microservices in MACH architecture.

We’re primarily interested in clients who want to look at IAM not as a security maintenance cost, but as a digital business enabler. That’s exactly where we can deliver the greatest value.

 

If someone is looking for support in the Keycloak area today – what can they expect from working with Inteca?


If someone comes to us with IAM and Keycloak topics, they can primarily count on a practical approach. We don’t sell “technology for technology’s sake” – we always start by understanding what business problem we want to solve: whether it’s accelerating customer onboarding, organizing access in a large organization, or opening the platform to partners.

Clients value us for being able to quickly translate strategy into working solutions – in small steps, without the risk of large and costly projects. We focus on stability (HA, testing, monitoring), while simultaneously providing space for innovations like passwordless, risk-based MFA, or integration with mObywatel.

And most importantly – we don’t abandon clients after implementation. In critical environments, we take over Keycloak maintenance and development, often together with Red Hat, so the organization can focus on business rather than IAM infrastructure.