How Will the Metaverse Impact Identity Governance?


By Martin Kuhlmann

Businesses have exciting new opportunities thanks to the metaverse, but there are also identity and security hurdles.

The development and growth of the metaverse will alter our social interactions and broaden each person’s digital footprint. Businesses will be keen to participate in the metaverse market, which is expected to grow to over USD$1.6 trillion by 2030.

It will also influence the idea of identity. The effect on digital identification and the idea of providing people with more ownership via a universal digital identity have been the subject of numerous discussions. Even if the concrete shape of a “Metaverse” is still blurry, businesses must be mindful of how digitally enhanced worlds and business models will affect their identity strategy with regard to employees, contractors and business partners.

The current dynamic situation highlights the importance of having a solid identity governance program in place that maintains business security, adheres to data privacy laws and upholds the rights of partners and staff.

Digital identity beyond borders

Consumers are constantly creating new digital identities and using multiple logins for their many online accounts. Even though solutions exist to limit the spread of personal data (e.g., consent management), companies continue to collect and generate a variety of data about everyone they interact with.

In spite of current identity federation technology, organisations often create and retain proprietary identities for their workers and, typically, for their collaboration partners as well. Organisations partly trust third parties for identity and authentication in specific situations, such as when using Microsoft Azure guest accounts for B2B collaboration or nationwide universal education IDs for students in some nations. Many businesses still need to modify their governance strategies in light of these scenarios and prepare for higher volumes of identities and increasing dynamics of interaction.

We anticipate being able to move “digitally” within a mesh of digital platforms, in a metaverse. This necessitates more sophisticated identity and authentication portability, as Gartner described in its “identity trust fabric” (ITF). Controlling and protecting a person’s “digital twin” and the information that goes with it will be a major concern for individuals.

In these situations, problems like trust and governance must be addressed:

  • What aspects of identity governance within an organisation need to be rethought? This covers risks associated with “external” authentication, risks found through outside knowledge of the identity and risks regarding access within the company.
  • How can an identity’s total risk profile be established and maintained, and where might this run afoul of data privacy?
  • How much, and under what circumstances, does a company trust “universal” or external identities? Who is the creator and owner of these?
  • To what extent does the company trust third parties to keep their own employees’ information safe?
  • What falls under the purview of the digital identity’s owner? What elements of identity governance does a trusted identity provider cover?

If businesses permit extensive use of third-party platforms by employees, they must make sure that the disclosure of user data or the potential for tracking user behaviour doesn’t violate privacy or expose proprietary information about the company. 

Developing a long-term identity strategy

For good reason, identity is increasingly at the heart of many organisations’ security strategies. According to the Identity Defined Security Alliance’s 2022 Trends in Securing Digital Identities report, 79% of respondents had experienced an identity-related compromise in the past two years. Such a breach can have significant financial and reputational consequences. According to the report, 78% of respondents who experienced an identity-related breach stated that it had a direct impact on their business.

To ensure compliance and security, organizations need appropriate transparency into the digital identities engaging with their workers or accessing their digital services and data. They must know the accuracy and dependability of identity information, as well as the purposes for which, and the circumstances under which, identities require access. These are the fundamental elements of identity governance and the foundation of an Identity Governance and Administration (IGA) plan.

Identity governance will become more crucial and difficult as identities are used across boundaries and for a variety of purposes. There will be an increase in the number of identities that are digitally related to an organisation. A metaverse-driven ecosystem needs trusted spaces in which these identities can interact, and clearly defined workplaces, services and resources they are provided and allowed to use. IGA solutions will be required to automate access management and maintain control.

For example, the recertification of access privileges will likely evolve into a broader capability to ensure that identities are moving and operating within the desired boundaries. Yet new issues must be dealt with: businesses must determine how safe they believe an identity to be, how trustworthy the proffered identity qualities are, and how much the identity’s “digital behaviour” complies with corporate security needs, without compromising individual freedom.


Many enterprises still don’t have an effective IGA approach, but even if you do have a strategy in place, you need to future-proof it. You must immediately build an integrated corporate and B2B IGA plan while concurrently keeping track of how the “identity trust fabric” is developing. Start by making sure you have all the necessary elements to manage identities from various sources. You must be ready in the event that a new trust architecture emerges.

Toward a safer Metaverse

Businesses have exciting new opportunities thanks to the metaverse, but there are also identity and security hurdles. As identities are used more widely and in greater numbers, identity management becomes more complex. As a result, the company’s assets might be in jeopardy. To make sure that everyone who needs access to information and services is who they say they are and can fulfil their duties, identity managers require a defined plan. Using the suggestions above, start developing a future-proof identity strategy that can grow together with the metaverse.

About the Author

Dr. Martin Kuhlmann heads up the Global Presales Team at Omada. In this position and formerly as Senior Solution Architect, he has been advising strategic customers and designing Identity & Access Management solutions. Martin has been active in the IT Security space for more than two decades and has been a frequent speaker and panelist at international conferences. As a consultant and strategist, he had a leading role in various security integration projects in large organizations. He specializes in Identity & Access Management and IT governance, risk & compliance. Martin published numerous journal articles and several scientific papers on Role-based access control (RBAC) and application security.