- 2025-01 | Breach
Change Healthcare disclosure finalized at ~190M Americans
UnitedHealth finalized the disclosure of the Feb-2024 Change Healthcare breach at ~190 million Americans — the largest medical-data breach in US history. Initial attack vector was a Citrix portal account without MFA. Settlement + regulatory consequences are still unfolding throughout 2026.
Source: UnitedHealth official statement
- 2025-01 | Regulation
HIPAA Security Rule NPRM — comment period closes
HHS OCR's Notice of Proposed Rulemaking (Dec 27, 2024) to modernize the HIPAA Security Rule received 4,700+ comments. Proposed changes include MFA on all PHI access, encryption at rest, and a mandatory annual technical audit. A January 2025 federal regulatory freeze created uncertainty about the final-rule timing; the original target was May 2026.
Source: HHS OCR NPRM
- 2025-11 | Regulation
NYDFS Part 500 — final phased deadlines hit
The Part 500 second amendment (effective Nov 2023) added MFA + privileged access + governance requirements with phased rollout. The final phase came due Nov 2025. NYDFS examinations through 2026 are scrutinizing identity-control evidence specifically.
Source: NYDFS Cybersecurity Regulation
- 2025-Q2 | Vendor / M&A
AI agent identity as a distinct vendor category
CyberArk, SailPoint, Saviynt, and the major IdPs all announced AI-agent-identity capabilities in 2025-2026. CyberArk's 2025 research shows 80:1 machine-to-human identity ratios and 68% of orgs lacking AI-agent-specific controls. The category went from "emerging" to "must-have" in 18 months.
- 2026-Q1 | Platform / market
Passkey adoption crosses majority threshold
75% of consumers now have at least one passkey enabled; 49% use passkeys regularly when offered. Enterprise deployment hit 87% (47% deployed + 40% in active rollout). Workforce passwordless is no longer the differentiator — it's the baseline.
- 2025-2026 | Standards
OAuth 2.1 + FAPI 2.0 momentum
OAuth 2.1 remains a draft but is the de-facto baseline for new implementations. FAPI 2.0 (financial-grade API security) is now mandated in multiple open-banking jurisdictions. The legacy patterns OAuth 2.1 removed — Implicit Flow, ROPC, bearer tokens in query strings — are increasingly hard to ship through security review.
Source: IETF + OpenID Foundation
- 2026-Q1 | Regulation
FedRAMP modernization continues
The FedRAMP PMO continued the multi-year transformation initiative — automation of continuous monitoring, clearer reuse / inheritance model, R5.2 control catalog alignment. Authorization count cleared 500+ offerings. JIT privileged access + phishing-resistant MFA are now Category-1 examination focus areas.
- Ongoing | Platform / market | Practitioner observation
Help-desk MFA reset is the new social-engineering vector
Multiple 2024-2025 breaches (Cisco, Microsoft, Uber, MGM and others) traced their initial vector to help-desk MFA reset. Vendors + practitioners are now treating reset workflows as the highest-risk surface in the IAM stack. Tighter controls — manager attestation, video verification, government-ID checks — are becoming the new baseline.
Annual recap, updated monthly.
We update this page monthly as the year unfolds. The final recap publishes in December — by then it covers a full 12 months of breaches, regulatory moves, vendor M&A, standards updates, and market shifts. The 2025 edition will be archived; this page becomes “2027 Year in Review” in January.
Reviewed 2026-05-22. CC BY 4.0.