The RSA Conference, held annually in San Francisco, consistently draws tens of thousands of cybersecurity professionals, thought leaders, and vendors. It is renowned as a key platform for unveiling groundbreaking technologies, discussing emerging threats, and shaping the future of digital security. This year, the pervasive influence of AI on every facet of cybersecurity was an undeniable theme, from threat detection and response to, crucially, identity and access management (IAM). Against this backdrop, Microsoft’s decision to bring external multi-factor authentication (MFA) support in Microsoft Entra ID to general availability, and RSA Security’s announcement of an expanded partnership with Microsoft focused on securing the "AI workforce," resonated deeply with attendees grappling with the dual challenges of legacy infrastructure and future AI integration. The confluence of these announcements highlighted a collective industry recognition that securing identities—both human and non-human—is paramount in an increasingly interconnected and AI-driven operational landscape.
Microsoft Entra External MFA Achieves General Availability
Microsoft’s move to make its external MFA feature generally available within Microsoft Entra ID marks a significant stride towards greater interoperability and flexibility in identity management. Announced at the conference, this capability directly addresses a long-standing challenge for large enterprises: how to integrate existing, often substantial, investments in third-party MFA solutions with Microsoft’s cloud-native identity platform without compromising security or operational efficiency. Previously, organizations reliant on specialized MFA providers for reasons ranging from stringent regulatory compliance to complex multi-vendor environments faced hurdles in fully leveraging Microsoft’s Conditional Access policies, often resorting to less integrated "Custom Controls" which are slated for deprecation by September 2026. This timeline underscores the urgency for IT departments to transition to more robust and modern integration methods.
Built upon the widely adopted OpenID Connect (OIDC) standard, the external MFA feature allows organizations to seamlessly plug their chosen third-party MFA providers directly into Entra ID. This means that an IT administrator can manage all authentication methods, whether native Microsoft or external, from a single, unified admin console. This "single pane of glass" approach dramatically simplifies management overhead, reduces potential configuration errors, and provides a consistent user experience. Crucially, sign-ins processed through external MFA still undergo Microsoft’s comprehensive policy evaluation, including real-time risk assessments, ensuring that the same high standards of security are applied regardless of the MFA provider. Administrators retain granular control over authentication prompts, sign-in frequency, and session controls, enabling them to align security policies precisely with business objectives. However, Microsoft also prudently cautioned against overly aggressive reauthentication policies, noting that excessive prompts can inadvertently condition users to approve authentication requests without proper scrutiny, thereby increasing susceptibility to phishing attacks. This highlights a nuanced understanding of human behavior in security design, advocating for a balance between security and user experience.

The importance of MFA cannot be overstated in the current threat landscape. Microsoft’s own extensive research consistently demonstrates that MFA reduces the risk of account compromise by more than 99%. This staggering figure underscores why broadening MFA adoption across all organizational identities, human and non-human, is a fundamental pillar of modern cybersecurity strategy. Data from Verizon’s annual Data Breach Investigations Report (DBIR) consistently points to stolen credentials as a primary vector in data breaches, further emphasizing the critical role of strong authentication. By extending this critical protection to organizations whose authentication infrastructure includes non-Microsoft native solutions, Entra external MFA democratizes access to robust security, making it easier for diverse enterprises to achieve a higher security posture. This flexibility is particularly vital for global organizations, those undergoing rapid mergers and acquisitions, or entities operating in highly regulated sectors such as finance, healthcare, or government, where specific MFA technologies or hardware tokens (e.g., FIDO2 keys, smart cards) are often mandated by standards like PCI DSS, HIPAA, or various national security frameworks. The general availability signifies a maturation of Entra ID as an identity fabric capable of accommodating the diverse realities of enterprise IT, supporting hybrid cloud strategies and complex regulatory environments.
RSA Security’s Strategic Focus on the AI Workforce
Complementing Microsoft’s focus on human identity flexibility, RSA Security unveiled a strategic expansion of its partnership with Microsoft, specifically targeting the emergent "AI workforce." This initiative is intricately tied to Microsoft’s recently launched Microsoft 365 E7: The Frontier Suite, a comprehensive offering that bundles Microsoft 365 productivity tools, the generative AI capabilities of Microsoft Copilot, Entra identity services, and Agent 365, a governance platform designed for AI agents. RSA is positioning its ID Plus for Microsoft offering as the essential identity trust layer that underpins and secures this entire ecosystem.
The premise behind RSA’s announcement is both straightforward and increasingly urgent: as AI agents evolve from simple scripts to autonomous entities capable of executing complex workflows, accessing sensitive data, and operating with privileged access within enterprise systems, the scope of identity governance must expand beyond human users. The statistics supporting this shift are compelling; research indicates that non-human identities, encompassing everything from service accounts and IoT devices to software bots and AI agents, already outnumber human users by a factor of 17. This dramatic imbalance highlights a significant attack surface that often remains inadequately secured by traditional identity management paradigms. The sheer volume and diversity of these non-human identities, often created without proper oversight, represent a growing blind spot for many organizations.
RSA’s identity trust layer for the E7 suite addresses this challenge through a multi-faceted approach, focusing on three core areas:

- High-Assurance, Phishing-Resistant Authentication for Human Users: While the focus is expanding to AI, securing human access remains foundational. RSA ID Plus provides advanced authentication methods designed to resist sophisticated phishing attempts, ensuring that the human operators interacting with AI systems, or those overseeing their operations, are robustly verified. This often includes FIDO-based authentication or other cryptographic methods that eliminate the possibility of credential theft via phishing.
- Risk Intelligence and Contextual Evaluation: Leveraging advanced analytics and machine learning, RSA’s solution continuously evaluates contextual signals associated with access attempts. This includes factors like device posture, location, time of access, behavioral patterns, and the specific resources being accessed to flag and mitigate suspicious access attempts, whether originating from a human or an AI agent. This proactive, risk-based approach is crucial in detecting anomalies that could indicate a compromise or misuse of an identity, even if credentials appear valid.
- Secure Access Controls for Privileged Operations of AI Agents: As AI agents take on more autonomous and critical tasks, their access to sensitive data and systems must be meticulously governed. RSA’s framework extends robust access controls, similar to those applied to human privileged users, to AI agents. This includes implementing principles of least privilege, continuous verification, and robust API security, ensuring that AI agents’ access is precisely defined, regularly reviewed, and subject to real-time monitoring and audit trails. This minimizes the risk of an exploited AI agent becoming an insider threat or being leveraged for malicious purposes.
Further strengthening the synergy between the two companies, RSA confirmed its availability as an external MFA provider through Microsoft Entra’s newly generally available framework. This means organizations already leveraging RSA’s robust authentication solutions can now seamlessly integrate them directly within their Entra configurations, benefitting from both the flexibility of Entra ID and the specialized capabilities of RSA ID Plus, especially as they begin to onboard AI agents into their operational workflows.
The Broader Landscape: Identity Security in the Age of AI
The announcements from Microsoft and RSA are not isolated product updates; they represent a foundational shift in how the cybersecurity industry perceives and secures digital identities in the era of artificial intelligence. The concept of "identity" itself is expanding, demanding a more comprehensive and adaptive security framework. For years, the focus of IAM has predominantly been on human users – employees, customers, partners. However, the rapid proliferation of machine identities, and more recently, the emergence of sophisticated AI agents, necessitates a radical rethinking. The global identity and access management market, valued at over $15 billion in 2023, is projected to grow significantly, driven in no small part by the complexities introduced by AI and the need for unified governance.
The challenges posed by AI agents are multifaceted. Firstly, their autonomous nature means they can initiate actions, access resources, and make decisions without direct human intervention, potentially at machine speed. If compromised, an AI agent with broad privileges could exfiltrate vast amounts of data, disrupt critical operations, or propagate malware far more rapidly and extensively than a human attacker. Secondly, traditional security tools and policies, designed with human behavior and interaction patterns in mind, are often ill-equipped to monitor and govern non-human entities effectively. How do you apply "least privilege" to an AI agent that requires dynamic access to diverse data sets for its learning algorithms? How do you conduct "behavioral analytics" on an entity that doesn’t have a typical "login time" or "browsing habit"? These questions highlight the need for new security paradigms specifically tailored for AI.
Gartner’s prediction that 33% of enterprise applications will include agentic AI by 2028, a dramatic increase from less than 1% in 2024, underscores the urgency. This rapid adoption trajectory means that the security frameworks to govern these agents, including consistent identity controls that mirror what’s already applied to human users, are not a future consideration but a core IT challenge in the near term. The security community is actively exploring concepts like "AI identity lifecycle management," "AI credential management," and "AI privileged access management (AI-PAM)" to address these emerging needs, emphasizing immutable identities for agents and robust API security.

Moreover, the regulatory landscape is beginning to catch up with technological advancements. Regulations such as the EU’s NIS2 Directive, DORA (Digital Operational Resilience Act), and even broader data protection laws like GDPR, while not explicitly naming "AI agents," implicitly demand robust security and governance for all entities accessing and processing sensitive data. The forthcoming EU AI Act also introduces stringent requirements for AI systems, including aspects of robustness, accuracy, and security, which will inevitably impact how AI identities are managed and secured. Organizations will increasingly be held accountable for breaches originating from compromised non-human identities, just as they are for human ones. This evolving regulatory pressure will further accelerate the adoption of comprehensive identity security solutions for the AI workforce.
Industry analysts are largely in agreement regarding the strategic importance of these moves. Many see them as the logical evolution of zero trust principles, extending the ‘never trust, always verify’ mandate to encompass every identity, whether human or machine. The consolidation offered by Microsoft’s external MFA for human identities, combined with RSA’s proactive development of a trust layer for AI agents, represents a synergistic approach that analysts deem essential to meeting market needs. This convergence highlights a proactive stance by leading vendors to address the security implications of a rapidly digitizing and AI-infused enterprise landscape.
Implications for IT Professionals and Businesses
For IT professionals, particularly those managing complex hybrid environments with existing legacy MFA investments, Microsoft Entra external MFA’s general availability offers a considerably cleaner and more strategic migration path than the previous "Custom Controls" approach it replaces. The impending September 2026 deprecation deadline for Custom Controls means that planning for this transition should commence immediately. This is not merely a technical upgrade but an opportunity to streamline identity governance, enhance security posture, and reduce operational complexity by consolidating disparate authentication systems into a single, OIDC-compliant framework. It liberates IT teams from vendor lock-in anxieties, allowing them to choose best-of-breed MFA solutions while still leveraging the powerful policy engine of Entra ID. This shift will also necessitate upskilling IT teams in OIDC protocols and advanced identity orchestration.
On the RSA side, the integration story with Microsoft 365 E7 is more forward-looking but equally critical. While AI agents as enterprise workers might still be an emerging model for some organizations, its arrival is accelerating rapidly. Identity teams would be wise to proactively engage with this paradigm shift. This involves not just understanding the technical implications but also rethinking identity lifecycle management processes to include non-human entities. Questions around provisioning, de-provisioning, access reviews, and audit trails for AI agents will become commonplace. Organizations that get ahead of this curve will be better positioned to leverage AI’s transformative potential securely, avoiding the pitfalls of uncontrolled "shadow AI" and ensuring compliance with emerging AI governance standards. This also means budgeting for specialized tools and potentially new roles focused on AI security.

The broader implications for businesses are profound. A unified identity security strategy, encompassing both human and AI identities, directly contributes to enhanced operational resilience, reduced cybersecurity risk, and improved regulatory compliance. By securing the "AI workforce" with the same rigor applied to human employees, enterprises can unlock the full potential of AI automation without inadvertently expanding their attack surface. This proactive approach fosters trust in AI deployments, a critical factor for successful adoption and innovation. Furthermore, a flexible identity platform reduces the total cost of ownership (TCO) by minimizing the need for custom integrations and reducing the management burden associated with siloed security tools. It allows organizations to focus on strategic initiatives rather than reactive firefighting.
The convergence of these two announcements at the RSA Conference signals a maturing understanding within the cybersecurity industry. Identity is no longer just about who you are, but what you are, and what you are allowed to do. As AI continues its inexorable march into every corner of the enterprise, the frameworks and solutions demonstrated by Microsoft and RSA will be instrumental in ensuring that this revolution is built on a foundation of trust and security. The call to action for IT leaders is clear: future-proof your identity strategy today, or risk facing tomorrow’s sophisticated threats with yesterday’s defenses.




