Enterprises adopting cloud services face a growing challenge: how to make authentication seamless for users while maintaining system security against account takeover, credential theft, and compliance gaps. Cloud providers have been enhancing their customer identity and access management (CIAM) services to meet this dual demand.
At Amazon Web Services (AWS), Amazon Cognito sits at the center of this effort, processing more than 100 billion authentications each month. Over the past year, Cognito has introduced new features, pricing tiers, and threat protection capabilities to cater to the needs of both developers and security teams.
Rahul Sharma, Principal Product Manager – Technical, leads the Cognito product management team and has guided and shaped these changes, working across engineering, design, and go-to-market teams.
Cognito’s feature set has steadily evolved to make it easier for developers to integrate and for users to sign in. The Managed Login experience introduced a no-code branding editor, real-time previews of UI changes, and simplified integration paths. At the same time, Cognito added passwordless authentication, including support for passkeys and one-time passwords through email or SMS.
These features responded to long-standing customer requests: development teams sought a faster way to build branded sign-in flows without relying on front-end engineering, and enterprises aimed to move away from password-only authentication. Sharma played a key role in prioritizing these updates based on direct customer feedback and aligning cross-functional teams to enable their launch at scale. These features can reduce friction for both developers and end users.
Across the CIAM industry, vendors are emphasizing both usability and security. Balancing a seamless end-user experience with an elevated security posture to guard against malicious actors is increasingly becoming table stakes, reflecting the demand to shorten time-to-market and reduce friction for end users while maintaining strong authentication.
While usability and adoption features reduced friction for developers and end users, enterprises also needed stronger protection against account takeover (ATO) attempts and credential abuse. Cognito’s threat detection engine was expanded to further address these risks, and Sharma helped prioritize and deliver new rules and capabilities that enhanced the service’s ability to detect and respond to threats.
One enhancement was geo-velocity rules, which analyze sign-in attempts from geographically distant locations within short time windows, a pattern that often indicates a compromised account. Cognito could now surface those sign-in risks, enabling customers to either automatically step up authentication or block such attempts. Sharma also worked on launching email multi-factor authentication (MFA) as a second layer of defense when elevated risk was detected, giving administrators flexibility to harden security. To support deeper monitoring, Cognito introduced log streaming, allowing security events to be exported to multiple destinations for analysis and correlation with other enterprise signals.
Together, these updates expanded Cognito’s risk evaluation capabilities and provided enterprises with additional tools to tailor identity protection to their specific environments. For regulated industries, the improvements meant Cognito could be adopted with greater confidence, aligning more closely with compliance requirements while reducing exposure to emerging attack patterns.
Risk-based authentication and adaptive MFA are priorities across all cloud identity products. Providers are increasingly layering threat intelligence into their services.
Across the identity and access management market, pricing models have increasingly shifted toward offering clearer tiers of value. Organizations vary widely in their scale and requirements: smaller teams seek straightforward, lower-cost entry points, while larger enterprises often require advanced security features and compliance support. Without flexible packaging, customers may struggle to understand how a service aligns with their needs.
In 2024, AWS introduced new tiered plans for Cognito (Lite, Essentials, and Plus) to address this need. Lite created a tier for value-focused organizations, Essentials targeted organizations seeking a comprehensive set of identity and access management capabilities, and Plus targeted enterprises that required a comprehensive solution, combined with identity intelligence and threat protection capabilities. The pricing and packaging are geared to align more naturally with each organization’s size and use case.
Sharma was instrumental in guiding the development of the pricing strategy for AWS’s CIAM product, helping align product design with customer needs and expectations. He defined the pricing and packaging proposal, developing a bottom-up framework that mapped features to customer profiles. He collaborated with stakeholders to model costs, forecast adoption scenarios, and stress-test the design against different usage patterns. He also worked with customer-facing teams to validate that the tiers reflected real adoption needs. After securing alignment from leadership, the new plans were launched in 2024.
For customers, a tiered structure provided greater flexibility to adopt the plan that best matched their needs, while also offering clearer predictability around cost and feature sets. The approach positioned organizations to choose the optimal level of capability for their stage of growth, from startups experimenting with CIAM to enterprises requiring advanced security and compliance features.
As enterprises began deploying AI agents that act on behalf of users or trigger workflows with pre-authorized consent, traditional identity frameworks proved insufficient, as agents often need to interact with multiple applications in a single task while preserving consent, scope, and auditability. In response, Sharma helped shape AWS’s approach to extending identity to AI agents. In 2025, with Sharma’s product strategy and direction, AWS launched Bedrock AgentCore Identity, delivering a centralized agent directory that assigns each agent a unique identity with metadata, a secure credential vault for OAuth tokens and API keys, built-in support for both delegated and machine-to-machine OAuth 2.0 flows, fine-grained access controls over which resources an agent can invoke, and SDK annotations (such as @requires_access_token and @requires_api_key) that simplify integration.
In bringing Bedrock AgentCore to industry, Sharma made significant contributions to shaping the product concept and monetization model, working with engineering teams to prioritize which flows and integrations to support first, validate requirements for auditability, and define usage-based pricing tied to token and API-key retrievals. By linking costs directly to measurable agent activity, the approach gave customers a transparent and flexible way to evaluate and scale AI-driven workloads.
Extending identity to non-human actors is emerging as an ask from various organizations. As organizations adopt agentic AI, identity frameworks must evolve to manage credentials, scope access, and enforce auditability with the same rigor that has long been applied to human identities.
These identity initiatives have also been visible externally. At AWS re:Inforce 2025, Sharma co-presented with cloud security provider Wiz, detailing how Wiz migrated to Cognito, achieved FedRAMP authorization, and reduced IAM costs while increasing to 99.9% availability. The session served as a case study on how CIAM services can meet high regulatory standards without compromising performance.
AWS has also featured Sharma in its technical channels. In a 2024 AWS On Air broadcast, he discussed Cognito’s new pricing tiers, and his blog contributions have explained Cognito’s evolving feature set, including passwordless authentication and adaptive sign-in.
More broadly, the identity industry has leaned heavily on these kinds of case studies and technical explainers to demonstrate real-world adoption. Highlighting compliance-driven migrations and publishing clear guidance is becoming an avenue for providers to reassure enterprises that identity services can deliver both usability and trust at scale.
The evolution of these identity products highlights how identity services are expanding: easier for developers and users, stronger for security teams, and adaptable to new AI-driven patterns.
Through his product leadership on Amazon Cognito and Amazon Bedrock AgentCore Identity, Rahul Sharma has helped align identity services with both today’s enterprise requirements and the emerging demands of AI applications.
At the same time, the broader market is converging on identity as a cornerstone of digital trust. Whether through passwordless sign-in, adaptive threat detection, or frameworks for AI agents, providers are racing to deliver systems that keep pace with user expectations while standing up to new risks — a trend that will shape how enterprises adopt cloud identity in the years ahead.
