At this year’s EDUCAUSE Cybersecurity and Privacy Professionals Conference (CPPC) in Anaheim, CA, attendees might have shared an escalator with a Star Wars character or seen a wave of Minnie Mouses bounding through the lobby. The social media influencer expo across the street proved that selfie sticks are a practical accessory and neon tank tops are always appropriate attire.
Inside the conference area, though, were hundreds of cyber defenders discussing how to keep higher education secure as AI, regulation, and attacker tradecraft all accelerate at once. The sessions covered AI-enabled threats, the risks and promise of AI agents, zero-day resilience, framework harmonization, grounding modernization efforts in security, and defending your IT ecosystem against fraud. A major thread running through the conference was that identity will be where the next decade of higher education security is built.
Three takeaways are worth carrying back to campus.
Takeaway 1: MFA is necessary but can no longer carry the load alone
Several sessions took different paths and ultimately arrived at the same point. Browser-in-the-middle phishing kits proxy a real login, allowing the user to complete MFA and then steal the authenticated session. Prompt-bombing, SIM swaps, and attacker-in-the-middle kits are routine now, not edge cases. AI-authored phishing has reached a quality and volume that traditional user training struggles to match. Voice deepfakes aimed at help desks were called out as an active threat pattern.
A number of sessions made it bluntly clear: MFA protects credentials, but today's attacks go after sessions, devices, recovery flows, and the people answering the phone.
The next phase is familiar in its pieces–Phishing-resistant factors bound to the legitimate site and a trusted device, continuous evaluation of session and device risk after login, governance tied to role, and lifecycle automation that removes access the moment a person changes role or leaves. MFA on its own was never going to answer this, and neither will running these capabilities as disconnected tools. The institutions making real progress are bringing them together on a unified identity platform.
Takeaway 2: AI sprawl and agents are showing up on campus
If you were hoping to have a week where you weren't hearing about AI and AI agents, this conference was the wrong place. Sessions ran in parallel: one told horror stories of AI-enabled attacks, while the other espoused the promise of agentic use cases.
This is where higher ed IT lives right now. Productive and efficient AI agents are emerging across IT departments faster than anyone can inventory them. Faculty are convinced that OpenClaw might be better than their TA if it could just have access to a few more systems. And students are spinning up new use cases in every corner of campus.
The risk has two sides. On the attacker side, AI has reduced the cost of creating convincing phishing, business email compromise, deepfakes, and automated reconnaissance to a level where static authentication and access policies cannot keep pace. On the shadow AI on-campus side, ask a security team how many AI agents are running across their institution, and the answer is almost always an estimated range followed by, "at least those are the ones we know about."
Identity offers a solution for both sides, and it comes down to being able to answer three questions:
- Where are my agents?
- What do they have access to?
- What can they do?
Universities are already building AI assistants and workflows across many teams, tools, and platforms. The challenge is not whether these institutions will use AI, but rather how to scale it on an identity foundation that enables them to answer those three questions with confidence, which will mean:
- Discovering every agent
- Registering ownership
- Safely delegating user authority
- Enforcing fine-grained access with human approval where it matters
- Maintaining an auditable record across the campus IT ecosystem
Takeaway 3: Research enclaves, regulated data, and the identity layer underneath
Compliance came up most often where it lands hardest. Research-intensive universities and academic medical centers need to manage the requirements of multiple, often overlapping, compliance frameworks on the same systems simultaneously, including CMMC, NIST 800-171, HIPAA, FERPA, and federal data agreements. One session walked through their journey of building a regulated research enclave that satisfies CMMC Level 2, and the operational pattern became clear: identity is foundational.
Much of CMMC Level 2 consists of identification, authentication, access control, audit, and accountability–which shows up the same way across HIPAA and federal research data agreements. A unified identity platform that handles authentication, privileged access, governance, and audit-ready reporting reduces duplicated effort across all of them.
An identity security fabric does not deliver compliance on its own; it makes the identity portion of the work measurable, repeatable, and defensible.
The happily ever after
This recap might read like a conference all about identity, held suspiciously close to the happiest place on Earth. The reality is that it was a gathering of cyber professionals working through the hardest security, compliance, AI, and resilience problems in higher education. Identity just happened to turn up everywhere. And not everybody went on ALL the rides.
For higher ed cyber and privacy professionals, the goal is no longer limited to better SSO and modern authentication. It is a unified identity security fabric that threads together access, governance, risk, compliance, AI safety, and user experience, so everyone on campus can safely use any technology.
