By Jean Chorazyczewski, InCommon Academy Director
Estimated reading time: 6 minutes
Signal #1 in our “6 Signals from ACAMP” Series
The 2025 Internet2 Technology Exchange (TechEX) has officially wrapped. From Dec. 8-12 in Denver, Colo., the research and higher education (R&E) IT community came together for a packed week of learning, networking, and connection. Once again, Advance CAMP (ACAMP) closed out the conference with a splash.
What is ACAMP?
Advance CAMP is held at the end of every Internet2 Technology Exchange.
Every year, IAM professionals — from IAM novices to late-career IT professionals — gather to pitch their own topics, run demos of tools, and participate in breakout discussions. Attendees build the agenda live and on the spot. Each session is collaborative and conversational, and dedicated scribes take notes to capture the conversations for the broader IAM community.
Identity and access management (IAM) professionals from across the global R&E community drove the conversation at ACAMP. In all, nearly 40 sessions were led by IAM team leaders, practitioners, and other InCommon community members.
This year, the peer-led sessions at ACAMP tackled some of the most urgent challenges emerging in R&E IAM. Discussions covered cloud platforms, trust federation, security, identity lifecycle management, operations, and emerging tools.
Coming out of ACAMP, the InCommon team compiled six signals reflecting what IAM practitioners shared during the sessions. These insights reveal what will shape the R&E community’s approach to IAM in 2026 and beyond.
InCommon is launching a short blog series at the start of 2026 to share these insights with our community.
We will share the discussions that took place at ACAMP and connect them to past or ongoing efforts from InCommon and the broader IAM community.
Security in the Spotlight for IAM
We kick off this blog series with one of the most recurring themes at ACAMP: security in IAM.
Pressure is hitting campus IAM teams everywhere to meet rapidly changing security standards.
Over the two days of ACAMP, discussions covered the following security-related topics:
eduroam Security and Baseline Expectations
ACAMP featured in-depth conversations on eduroam security practices. Several eduroam security practices are now becoming Baseline Expectations, and there’s an effort to build out infrastructure to help organizations analyze their security posture relative to other eduroam sites. Meanwhile, the drive toward passwordless authentication pressures organizations toward new forms of Extensible Authentication Protocol (EAP).
InCommon is running an eduroam RADIUS workshop on March 4-5, 2026.
Privileged Access Management
Privileged Access Management (PAM) typically lives under system admins with zero IAM involvement. It is used only for vaults, while service accounts remain eligible indefinitely. The key takeaway is that PAM is not password management, and you can’t fix lifecycle management without first breaking down silos.
Zero Trust
Open source solutions are still catching up on interoperability. So, what are the solutions for campuses? Microsoft’s Conditional Access works well because its components integrate with other parts of institutional IAM ecosystems.
Continuous Evaluation Replaces “Log-in and Done”
One big takeaway we heard at ACAMP was that device health, network context, and session risk need to be reassessed over a defined period of time — not just during authentication. This is currently happening inside closed platforms.
Addressing Cost Pressures
Many factors are driving up the cost of IAM security, and procurement cycles aren’t keeping up with deadlines. All institutions need to plan for unforeseen costs, including PAM licensing, necessary infrastructure upgrades, and identity proofing fees.
Identity Proofing
There were discussions about identity proofing solutions, including the need to revamp help desk processes and reduce financial aid fraud. Conversations also focused on enabling researcher access to National Institutes of Health (NIH) controlled-access repositories. Clearly, getting campus-wide buy-in for identity proofing could mitigate many risks.
The Emerging Need for Identity Proofing
Internet2 is spearheading several efforts to keep R&E institutions well-equipped for identity proofing mandates that emerged throughout ACAMP.
Heading into 2026, R&E institutions face mounting pressure to implement robust identity proofing measures to address fraud concerns and access sensitive research data and other resources.
During ACAMP, some IAM team members shared that federal mandates and fraud prevention have changed identity proofing to a mission-critical status. Infrastructure and cost realities are forcing institutions to rethink ownership and timelines.
In one example, the NIH is enhancing its security posture for sensitive research data repositories by increasing assurance requirements for user access. Beyond its current requirement for multi-factor authentication (MFA), NIH will require stronger identity proofing to ensure that authenticated users are reliably identified.
On Jan. 21, IAM hosted a session about InCommon Federation and NIH security compliance. Watch the recording of this informational webinar on the IAM Online YouTube channel.
At the end of 2025, InCommon distributed a survey to collect information on how U.S. campuses are addressing identity verification and fraud prevention challenges.
More than 170 respondents from 100 total institutions completed the survey. Key takeaways from the survey include the following:
- MFA recovery/reset and credential recovery represent the largest vulnerabilities.
- Fraud use cases are diverse and changing.
- Organization challenges, from resource constraints to vendor challenges, are common.
- There is a strong need for identity proofing solutions, and 75% of respondents are interested in a NET+ identity proofing service.
What did Internet2 learn from its members in 2025? Identity proofing has become critical, but institutions need help navigating vendor selection, implementing consistent standards, and building their processes. Chain of custody — knowing who has been identity proofed and to what level — is one of the biggest security challenges IAM teams now face.
To help institutions navigate identity proofing adoption, the Internet2 NET+ program is coordinating RFPs for identity proofing vendors. The NET+ RFP for Identity Proofing Services has now been posted.
InCommon is also launching workshops and running an Identity Proofing Accelerator in February 2026 for higher education institutions planning to implement identity proofing solutions.
Does your institution qualify for the InCommon Academy Identity Proofing Accelerator?
Learn more about the program and apply today.
Stay Tuned for More ACAMP 2025 Notes
Keep your eyes open for more blogs in this series about everything we learned about the IAM landscape during ACAMP.
You can find InCommon blogs on our social media channels. Want to get the news delivered directly to your inbox? Sign up for the monthly InCommon Newsletter.
Note from the author: These signals were informed by a review of ACAMP session notes, with artificial intelligence used to help summarize themes and surface patterns. We encourage you to explore the 2025 ACAMP scribing documents and draw your own insights from the community’s discussions.