The last time I witnessed a reboot of identity and access management (IAM) infrastructure was 1996. Web applications had taken hold and intranets and extranets were buzz words. The security industry responded with web access management (WAM), provisioning, strong authentication and directory services. The industry has since built on these technologies to deliver identity federation, risk-based authentication and identity and access governance. All these IAM technologies have served us well but a wave of new developments has revealed the need for a rethink.