NIST Updates Digital Identity Guidelines: What It Means for Your Cybersecurity Strategy

The U.S. National Institute of Standards and Technology (NIST) has just released its first major update to the Digital Identity Guidelines since 2017, and it’s a big deal for organizations of all sizes. This update addresses emerging threats like AI-powered phishing, deepfake fraud, and synthetic identities, reshaping how businesses should approach identity and access management (IAM).

To break down what this means for business leaders, we spoke with Regine Bonneau, Founder and CEO of RB Advisory, LLC, a recognized cybersecurity expert and trusted advisor to regulated industries. Bonneau is also known as “Regine the Cyber Queen™.”

Why This Update Matters

“Identity is the new perimeter,” says Bonneau. “The NIST update acknowledges that the threat landscape has changed dramatically. Cybercriminals are not just going after passwords, they’re targeting entire identity systems using tools like AI, deepfakes, and advanced phishing tactics.”

The guidelines, formally known as NIST Special Publication 800-63, Revision 4, build on existing standards but introduce stronger authentication measures, updated fraud prevention controls, and new safeguards against forged media. They also emphasize that digital identity management is now a cross-functional responsibility, requiring collaboration between cybersecurity teams, privacy officers, usability experts, and business leaders.

Key Changes in the 2025 NIST Digital Identity Guidelines

NIST’s latest revision introduces several notable changes:

  • Phishing-Resistant Authentication
    Emphasis on passkeys, FIDO2, and other passwordless methods to block credential theft.
  • Stronger Fraud Prevention
    New requirements for detecting and mitigating forged media, such as deepfakes.
  • Continuous Risk Evaluation
    Organizations are encouraged to adopt ongoing monitoring and analytics for IAM systems.
  • Expanded Identity Proofing Controls
    Clearer role definitions and improved verification steps to reduce the risk of synthetic identities.
  • Recognition of New Technologies
    Including subscriber-controlled digital wallets and synced authenticators.

Expert Insight: How Businesses Should Respond

Bonneau stresses that these updates are more than just compliance checkboxes—they’re an opportunity to strengthen trust with customers, partners, and employees.

“Businesses need to move beyond thinking of identity security as a one-time setup,” she explains. “The NIST guidelines encourage continuous evaluation, layered authentication, and a holistic view of risk. This is exactly where many organizations still fall short.”

She also notes that user experience remains a key theme in the revision. “If security measures are too cumbersome, users will find workarounds, so balancing security with usability is critical.”

Steps Organizations Should Take Now

RB Advisory recommends the following immediate actions:

  1. Review Your IAM Strategy
    Compare your current authentication, identity proofing, and federation processes against the updated NIST guidelines.
  2. Adopt Phishing-Resistant Authentication
    Implement passkeys or FIDO2-based solutions to protect against credential theft.
  3. Integrate Continuous Monitoring
    Use behavioral analytics and automated alerts to detect anomalies in real time.
  4. Train Staff on Emerging Threats
    Educate employees about deepfakes, AI-driven phishing, and evolving identity scams.
  5. Engage Cross-Functional Teams
    Bring together IT, HR, legal, and compliance teams to ensure a unified approach.

The Bottom Line

The 2025 update to NIST’s Digital Identity Guidelines marks a pivotal moment for identity security. With cyber threats becoming more sophisticated, organizations must evolve their defenses to keep pace.

“Identity is at the heart of trust in the digital economy,” says Bonneau. “Those who act now will not only reduce their risk but also position themselves as leaders in secure, customer-friendly digital interactions.”

About RB Advisory LLC
RB Advisory provides cybersecurity risk management, compliance, and data protection services to businesses in regulated industries. Led by industry expert Regine Bonneau, RB Advisory helps organizations protect their most valuable assets and build resilience in a constantly changing cyber landscape.