In the autumn of 2019, Stroom Capital was less than eighteen months old and already forming a view that would shape every investment thesis since: Europe's identity infrastructure is not merely outdated — it is structurally misaligned with the threat landscape it faces. This is not an observation about individual enterprise systems. It is about the entire stack, from how federated identity protocols are deployed across organisational boundaries to how national digital identity schemes interoperate (or fail to) with private-sector verification flows. The question we kept returning to was simple: if an attacker can move laterally across an enterprise network by exploiting a single OAuth misconfiguration or an overprivileged service account, why is the dominant response still a perimeter firewall upgrade?
The fragmentation problem runs deep. A large Dutch financial institution operating across six EU member states in 2019 might have deployed Active Directory Federation Services for internal SSO, a separate SAML 2.0 broker for partner integrations, a home-built API key management system for machine-to-machine authentication, and an entirely different vendor's solution for customer-facing identity verification — none of which shared a common credential lifecycle policy. This is not negligence; it is the natural consequence of acquiring identity tooling piecemeal over fifteen years, each purchase solving an immediate operational problem without reference to the attack surface it creates in aggregate. The result is an identity estate that no single team can audit end-to-end, with orphaned accounts persisting for months after role changes, and machine identities often never rotated at all.
We want to be precise about what we are and are not arguing here. We are not saying that older federation standards like SAML are inherently broken — SAML 2.0 with correct signature validation and binding enforcement is adequate for many scenarios. What we are saying is that the operational posture around these standards in European enterprises is broken. The attack vectors we see exploited most consistently are not cryptographic weaknesses in the protocol itself; they are implementation gaps: unsigned SAML responses being accepted, SP-initiated flows where the IdP does not validate the RelayState, OIDC clients with overly permissive redirect URI patterns. These are configuration failures, and they exist at scale because the organisations deploying these systems have no continuous visibility into how their identity estate is actually behaving in production.
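To make the redirect URI point concrete, here is an added example (not from the original essay or from Stroom Capital): a constructed "overly permissive" matcher of the kind described above, beside the exact-string rule the OAuth 2.0 Security Best Current Practice calls for, and an audit helper that lists what only the weak rule would accept. All hosts, paths and registered URIs are made up for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample registration for a hypothetical OIDC client (not real data).
REGISTERED_REDIRECT_URIS = (
    "https://app.example.com/oauth/callback",
    "https://app.example.com/oauth/callback-mobile",
)


def permissive_match(candidate: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Weak rule of the kind the text describes: accept any host that *ends with*
    a registered host and any path that *starts with* a registered path.
    Comparing suffixes and prefixes instead of whole strings is what makes the
    configuration overly permissive."""
    cand = urlsplit(candidate)
    for allowed in registered:
        reg = urlsplit(allowed)
        if (cand.hostname or "").endswith(reg.hostname) and cand.path.startswith(reg.path):
            return True
    return False


def strict_match(candidate: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Exact string comparison of the whole URI: no wildcards, no prefixes,
    no unregistered query or fragment components."""
    return candidate in registered


def audit(candidates, registered=REGISTERED_REDIRECT_URIS):
    """Return the candidates the permissive rule accepts but the strict rule
    rejects: the gap a configuration review of an OIDC client should surface."""
    return [
        uri for uri in candidates
        if permissive_match(uri, registered) and not strict_match(uri, registered)
    ]


# Constructed redirect_uri values, as an authorisation server might receive them.
SAMPLE_REQUESTS = [
    "https://app.example.com/oauth/callback",
    "https://app.example.com/oauth/callback-mobile",
    "https://app.example.com/oauth/callback/../static/page",
    "https://notapp.example.com/oauth/callback",
    "https://app.example.com/oauth/callback?next=/settings",
]

if __name__ == "__main__":
    for uri in audit(SAMPLE_REQUESTS):
        print("accepted only by the permissive rule:", uri)
```

Running the audit against a client's registered URIs and the redirect_uri values seen in authorisation-server logs is a cheap way to get the production visibility the paragraph says is missing.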
The European regulatory context should, in theory, be forcing this rethink. eIDAS — the EU Regulation on electronic identification and trust services — established a framework for cross-border digital identity recognition that, by 2019, had been live for three years without producing the interoperability it promised. The core problem was that eIDAS Level of Assurance definitions (Low, Substantial, High) defined assurance in terms of enrolment processes rather than continuous session integrity. An identity asserted at High assurance based on a robust in-person enrolment process could, in practice, be bound to a session token with a thirty-day validity and no step-up authentication requirement for sensitive operations. The assurance framework was front-loaded. What we needed — and what we believed startups would eventually build — was assurance architecture that was continuous, context-sensitive, and capable of expressing uncertainty rather than binary pass/fail.
From an investment standpoint, we formed a conviction in late 2019 that the most defensible identity infrastructure companies would be those that treated identity not as a gating mechanism at the perimeter but as a continuous signal threading through every application layer. The businesses that would win were not those building another IdP federation broker — that market was mature and consolidating — but those building the verification substrate that sits beneath the session: biometric liveness, document authenticity, behavioural consistency, and cryptographic proof of device binding. This thesis would inform our pre-seed investments in Tuned and Ondato two years later, and it remains the organising principle behind our Fund III identity category interest in zero-knowledge credential architectures.