Write a PREreview

Identity & Access Management (IAM) is being reshaped by two concurrent forces: (i) the use of artificial intelligence (AI) to turn rich telemetry into policy decisions, and (ii) the migration to post-quantum cryptography (PQC) across credentials, certificates, and protocol touchpoints. We argue that the most consequential risks live in the seams—account recovery/reset, non-human identities (NHIs), and crypto-agile upgrades—where attackers concentrate and operations are fragile. This paper contributes a problem framing, a literature/practice map, and three small, reproducible experiments designed for teaching and early planning. In a simulated risk-policy study spanning sign-in and recovery, a simple risk-based control blocks more fraud than a static baseline while lowering legitimate friction; an overhead model shows modest size-driven latency from PQC artifacts on typical enterprise links; and a micro-pilot comparing passkeys to password+OTP shows faster median sign-in and higher completion with passkeys. We close with a concrete research agenda for recovery governance, machine identity attestation and rotation, crypto-agile policy engines, and explainability/appeals. All datasets are synthetic so teams can replicate results without sensitive data.