Mon, 18 Aug 2025
The rapid growth of embedded finance, open banking and interconnected ecosystems has dramatically reshaped the traditional perimeter of trust in financial services. As third-party providers become indispensable to delivering modern banking experiences, the concept of identity and access management (IAM) is undergoing a fundamental shift.
To unpack this transformation, I recently sat down with Adam Preis, Director of Product Solution Marketing at Ping Identity, who shared some critical insights into how financial institutions are rethinking security, managing risk, and preparing for a future where AI agents, not just humans, interact on behalf of customers.
Adam began by emphasising that secure third-party access is no longer a niche concern. It has become a cornerstone of scalable digital finance. Historically, access for partners, vendors and suppliers was managed within either customer or workforce IAM systems. But these were never designed to accommodate the scale and complexity of today’s interconnected ecosystems.
As banks and financial services providers accelerate digital transformation, they are relying on an ever-expanding network of third parties to deliver products, services and infrastructure. The problem, Adam explains, is that managing this manually is no longer viable, and the infrastructure in place is often no longer fit for purpose.
It’s not just an operational headache, it’s a major vulnerability. Adam shared an eye-watering statistic: by their calculation, over 54% of companies have suffered a breach due to third-party access weaknesses, and 40% of those breaches involved compromised credentials. Unlike customer-facing access points, which are increasingly protected by multi-factor authentication (MFA) and strong security protocols, third-party access often still relies on outdated methods such as passwords.
(Take a look at Ping Identity’s ebook “3 Ways to Accelerate Embedded Finance with Digital Identity” for further information).
To make matters more pressing, regulation is catching up. The European Union’s Digital Operational Resilience Act (DORA) mandates that financial service providers secure not only their internal systems, but also their third-party vendors and suppliers.
This is no longer optional; it’s required.
One of the biggest challenges banks face is their organisational structure. Large institutions typically have siloed departments making isolated decisions about identity and access: customer IAM in one silo, workforce IAM in another. According to Adam, this fragmented approach is increasingly untenable.
“We find that converged identity is a mechanism for breaking down silos and forcing holistic thinking,” he says. For example, fraud prevention can’t be limited to onboarding alone; it must encompass the entire user journey. Similarly, third-party access should not be thought of separately from internal or customer access as it’s all part of the same risk surface.
Adam offered a powerful analogy: “Identity is not just the key to your front door. It’s about what you can do once you’re inside the house.” Authentication gets you in, but authorisation determines what you can access and what actions you can perform.
That distinction is critical and often overlooked.
So how are leading banks addressing the challenge?
Adam points to Ping Identity’s approach, which includes embedding third-party access as a native capability within their platform. This means thinking beyond user credentials and focusing on the relationships between entities. In modern financial ecosystems, institutions often operate across organisational and jurisdictional boundaries.
Understanding who a third party is and what they are allowed to do becomes complex very quickly.
Policy-based access control (PBAC), also referred to as fine-grained authorisation, is key. This approach enables institutions to define nuanced access rules based on context, risk, and business relationships. Rather than granting blanket or role-based access, which is still common, PBAC allows for decisions such as: “This third party can view transaction histories, but not initiate transfers, and only for accounts in this region.”
This level of control is not only a best practice, it’s rapidly becoming a necessity.
When asked about common mistakes, Adam highlights one in particular: failing to future-proof. Many banks build access systems that work for today’s needs, but don’t account for the evolving landscape. The reality is that identity is no longer a static concept; it’s a strategic investment with long-term implications.
In one striking example, Adam shared a case from a non-banking enterprise where over two-thirds of the organisation’s identity-related risk came from third-party access, yet there was no dedicated team or infrastructure to manage it!
In banking, where trust and security are paramount, this level of oversight simply isn’t sustainable.
One of the most forward-looking parts of our conversation revolved around agentic AI - autonomous digital agents that act on behalf of users.
While most conversations around AI in banking focus on how institutions can use generative AI internally, Adam and I explored a different angle: what happens when customers start deploying their own AI agents to interact with banks?
Imagine a future where your personal AI assistant applies for loans, compares insurance policies, or manages investments on your behalf.
It’s not far-fetched. In fact, it’s already on the horizon.
This raises profound questions for IAM. Is your agent you? Should it be granted the same access rights? How do you manage and monitor what it does?
Adam argues that we must treat these agents as distinct identities with their own lifecycle, permissions and entitlements. “I don’t want to give my agent blanket access to all my financial information,” he says. “I want to give it limited, time-bound access to specific services, for specific purposes.”
Given my personal experience of the degree with which some GenAI models hallucinate, I’m inclined to agree with him!
This is where fine-grained authorisation and PBAC return to the spotlight. Banks will need to implement robust systems that allow customers (or the agents themselves) to define and control access dynamically.
As this AI-driven future takes shape, regulators are at risk of being left behind.
Current frameworks such as GDPR, PSD2, and even the recently drafted EU AI Act are struggling to keep pace with the emergence of non-human identities. Agentic AI is evolving faster than the legislative frameworks designed to govern it.
Adam anticipates a whole new raft of regulations and technical guidance in the coming years, particularly as we move closer to the rollout of eIDAS 2.0 and the requirement for member states to offer a digital identity wallet by mid-2026. But even that framework was conceived before the idea of autonomous agents became mainstream.
The key challenge will be ensuring that regulations not only protect users but also enable innovation, especially as new commercial models emerge around agent-led interactions and digital identity.
As we wrapped up our discussion, I asked Adam for a bold prediction: what will identity and access management look like by 2030?
His response was a vision of a transformed landscape:
For financial institutions, the message is clear: identity is no longer just about keeping the wrong people out, it’s about enabling the right interactions, at the right time, with the right entities.
Human or otherwise.
As banks move from monolithic systems to open, interconnected ecosystems, identity and access management becomes both more complex and more strategic. Third-party access must be treated with the same rigour as customer access. Converged identity platforms, fine-grained authorisation, and future-ready thinking are essential to stay secure and competitive.
And as agentic AI enters the mainstream, institutions that fail to adapt may find themselves outpaced not just by fintechs, but by their own customers’ digital agents.
The future of identity is already here.
The question is: are you ready for it?