
Identity Mesh Beats Identity Federation

ATLAS Apex perspective · May 2026

Key Finding

Federation centralises trust. Mesh composes it. The risk is that mesh becomes a euphemism for sprawl. The discipline is composition — explicit signals, explicit policy authority, explicit failure modes.

Identity federation as a model assumed a small number of identity services, with a clear hub and clear spokes. That picture has not described production environments for several years. Most enterprises now run multiple IdPs (workforce, customer, partner, government, sometimes one per acquired subsidiary), several IGA components, fraud and risk signals from a SOC, browser-layer enforcement, machine-identity services, and AI-agent identity. Each of these is its own product, often from its own vendor.

The Identity Mesh framing — what KuppingerCole calls Identity Fabric, what Gartner calls Identity Fabric Immunity — names the composition. A mesh is not a federation graph; it is a runtime in which multiple identity services exchange signals and produce decisions that downstream relying parties consume as if they came from a single authority.

The risk in the framing is that "mesh" becomes a euphemism for sprawl: many identity services running independently, with no signal exchange, no consistent policy, and no way to reason about failure modes. That is the unmanaged version of the architecture every organisation has by default.

The disciplined version requires explicit choices: which service is authoritative for which decision; what signal exchanges are mandatory; what happens when a participating service is unavailable; and what the policy across the mesh looks like for an outside auditor or supervisor. We do this work as identity-architecture engagements.
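As an added illustration of that discipline (this is example code written for this page, not ATLAS Apex's own tooling), the evaluator below makes each choice explicit: one authoritative service per decision, a set of mandatory signals, and a defined outcome when a participant is unreachable. The service names, the `privileged_session` decision and the verdict values are constructed for the example; the "sprawl" policy shows the same mesh with nothing mandatory, where an unavailable risk signal is silently ignored.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DecisionPolicy:
    name: str
    authority: str            # the one service whose verdict may grant access
    mandatory: frozenset      # services whose signal must be present to decide
    on_unavailable: str       # outcome when the authority or a mandatory signal is missing


@dataclass(frozen=True)
class Decision:
    outcome: str              # "allow" | "deny" | "step_up"
    reason: str               # audit trail: why this outcome was produced


def evaluate(policy: DecisionPolicy, signals: dict) -> Decision:
    """signals maps service name -> 'allow' | 'deny' | 'step_up', or None if unreachable."""
    required = policy.mandatory | {policy.authority}
    missing = sorted(s for s in required if signals.get(s) is None)
    if missing:
        # Explicit failure mode instead of silently deciding without the signal.
        return Decision(policy.on_unavailable, "unavailable: " + ", ".join(missing))
    present = {s: v for s, v in signals.items() if v is not None}
    vetoes = sorted(s for s, v in present.items() if v == "deny")
    if vetoes:
        # Any participating service may veto; only the authority may grant.
        return Decision("deny", "vetoed by " + ", ".join(vetoes))
    if any(v == "step_up" for v in present.values()):
        return Decision("step_up", "step-up requested by a participant")
    return Decision(present[policy.authority], f"granted by authority {policy.authority}")


# Constructed sample: a workforce IdP is authoritative, SOC risk and device
# posture are mandatory, and losing either degrades to step-up rather than allow.
DISCIPLINED = DecisionPolicy("privileged_session", "workforce_idp",
                             frozenset({"soc_risk", "device_posture"}), "step_up")
# Same services, no mandatory signals: the unmanaged default this page warns about.
SPRAWL = DecisionPolicy("privileged_session", "workforce_idp", frozenset(), "allow")

SAMPLE_SIGNALS = {"workforce_idp": "allow", "soc_risk": "allow", "device_posture": "allow"}

if __name__ == "__main__":
    degraded = {**SAMPLE_SIGNALS, "soc_risk": None}
    print("disciplined:", evaluate(DISCIPLINED, degraded))
    print("sprawl:     ", evaluate(SPRAWL, degraded))
```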
