TL;DR: 2025 turned crypto policy from rulemaking into implementation, with MiCA, the GENIUS Act, stablecoin oversight, tokenization and fraud controls all exposing national friction, supervisory gaps and operating-model changes across major markets, according to Chainalysis. The practical lesson is that compliance maturity now depends on execution, not legislation alone.
At a glance
What this is: This is a regulatory round-up showing that 2025 turned crypto oversight into an implementation problem, with global rules advancing unevenly across stablecoins, tokenization, TradFi participation and financial crime controls.
Why it matters: It matters because IAM, PAM, fraud, compliance and governance teams need to understand how regulatory change reshapes access, controls, accountability and cross-border operating models in crypto-adjacent programmes.
By the numbers:
- Over 90 firms were authorized as CASPs in the EU one year into MiCA’s full applicability.
- Tokenized money market funds holding U.S. Treasuries rose above $8 billion in December 2025.
- AUM for tokenized commodities such as gold climbed above $3.5 billion in 2025.
👉 Read Chainalysis' 2025 crypto regulation round-up and 2026 outlook
Context
Crypto regulation in 2025 has shifted from drafting rules to trying to make them work in live markets. That matters for identity and access governance because the operational burden now sits on authorisation, supervision, auditability and control enforcement, not just on legal text.
The article also shows how compliance, fraud prevention and operational resilience are converging around digital asset services. For identity teams, the relevant question is how regulated access, delegated authority and lifecycle controls hold up when firms expand across jurisdictions, products and counterparties.
Key questions
Q: What is the biggest challenge in implementing crypto regulation in practice?
A: The biggest challenge is not drafting the rule, but making it enforceable across real workflows, tools and jurisdictions. Implementation friction appears when legal requirements collide with inconsistent interpretations, overlapping regimes and limited supervisory capacity. Teams should focus on evidence, approvals and operational ownership, because those are the points where compliance either works or fails.
Q: Why do stablecoin rules create identity governance issues for financial institutions?
A: Stablecoin rules change who can issue, distribute, custody and service regulated assets, which turns access into a compliance issue. Financial institutions need controlled delegation, auditable approvals and tight entitlement review because privileged actions now affect regulatory exposure as well as operational risk.
Q: How should organisations manage cross-border differences in digital asset regulation?
A: Organisations should build a single operating model with jurisdiction-specific overlays, not separate control philosophies for every market. The key is to keep identity, entitlement and evidence standards consistent while adapting only where local rules materially differ. That reduces audit drift and makes supervisory conversations more defensible.
Q: Who is accountable when crypto-related fraud or laundering is detected?
A: Accountability usually spans security, fraud, compliance, legal, and platform operations because each owns a different part of the control chain. A usable response model defines who can preserve evidence, who can escalate to exchange partners, and who can approve external referrals.
Technical breakdown
Why implementation friction becomes the real control problem
Crypto regulation often looks complete on paper long before firms can implement it consistently. The article shows this clearly in MiCA, where technical standards, national interpretation and overlapping payments rules create practical uncertainty for firms that must translate legal obligations into onboarding, monitoring and transaction controls. The same pattern appears in Travel Rule deployment, where tool interoperability, risk expertise and treatment of unhosted wallets all shape whether compliance is actually enforceable. In practice, a regulation only becomes a control system when it is operationally specific enough to be executed across institutions and borders.
Practical implication: teams should test whether obligations can be enforced in workflows, not just mapped in policy documents.
How stablecoin regulation changes identity, custody and access governance
Stablecoin regimes are not only about reserve assets and market integrity. They also reshape who is allowed to issue, distribute, custody and service these instruments, which pulls identity governance into the centre of the operating model. The article points to restrictions on non-compliant stablecoins, mutual recognition questions and clearer AML expectations, all of which increase the importance of controlled access, regulated delegation and auditable approvals across issuers, exchanges and banking partners. When stablecoins become embedded in mainstream financial plumbing, identity and access controls become part of the compliance perimeter rather than an IT detail.
Practical implication: map every privileged pathway in stablecoin operations to a named owner, approval rule and review cadence.
Why tokenization raises the bar for controls around market plumbing
Tokenization is moving from pilots to market infrastructure, which changes the governance challenge from proving feasibility to controlling production access. The article describes institutional participation, public-private experimentation and regulatory review of securities laws, all of which increase the need for separation of duties, strong entitlements and traceable decision rights. As tokenized instruments enter mainstream custody, trading and settlement flows, the most relevant control questions are who can alter smart-contract-linked workflows, who can approve exceptions and who can recover from operational failure without breaking trust.
Practical implication: treat tokenization platforms like critical financial systems and apply stronger entitlement reviews before production scale-up.
NHI Mgmt Group analysis
Implementation friction is now the dominant governance risk in crypto regulation. The article makes clear that the hardest problems are no longer whether rules exist, but whether they can be interpreted and enforced consistently across institutions and jurisdictions. That is a familiar governance failure mode for identity programmes too, where policy intent breaks down at the point of workflow, approval and exception handling. Practitioners should treat regulatory implementation as a control design problem, not a legal afterthought.
Crypto regulation is converging with identity governance because market participation is now an access problem. Stablecoin issuance, custody, tokenized asset operations and regulated distribution all depend on who can do what, under which authority, and with what evidence. That is fundamentally an IAM and PAM question wrapped inside a financial policy question. As more firms move into crypto under formal supervision, access governance becomes part of compliance readiness.
Cross-border fragmentation creates a verification trust gap for regulated digital asset services. The article shows that national rules, passporting limits and divergent interpretations continue to fragment operations even when policy goals are similar. Verification trust gap: when a firm cannot prove that identity, entitlement and compliance decisions will mean the same thing in every jurisdiction, the control model loses consistency. Practitioners should expect more scrutiny on auditable access decisions and jurisdiction-specific controls.
Financial crime and asset recovery are becoming identity accountability problems, not just surveillance problems. The focus on sanctions, fraud monitoring and gatekeeper obligations means regulators are asking who owns the decision to approve, stop or reverse a transaction. That shifts attention toward evidence trails, exception governance and accountable access in platforms that support crypto services. Practitioners should design for decision provenance, not just detection.
Regulated crypto operations now depend on lifecycle control of privileged access across counterparties. Banks, CASPs and infrastructure providers are all expanding into more complex service chains, which increases the risk of stale approvals, overbroad delegation and weak offboarding. That is where identity governance, audit and operational resilience meet. Practitioners should expect access lifecycle discipline to become a regulatory expectation, not only an internal hygiene measure.
What this signals
Regulated digital asset services will continue to force IAM, PAM and compliance teams into the same operating conversation. The practical issue is not whether access can be granted, but whether every privileged action can be justified, evidenced and revoked under regulatory scrutiny.
The next programme risk is control drift across jurisdictions. As firms expand into multiple rulebooks, they will need a consistent evidence model for approvals, reviews and offboarding, otherwise the same access will be treated differently in different markets.
Regulated access provenance: crypto programmes will increasingly need to prove who authorised a privileged action, why it was allowed and when it was reviewed. That pressure will also spill into adjacent identity governance work, especially where third-party access and financial crime controls overlap.
For practitioners
- Map regulatory obligations to executable workflows Translate each crypto compliance obligation into a specific workflow, system owner and evidence point. If a requirement cannot be tested in onboarding, approvals, monitoring or reporting, it is not yet operationally controlled.
- Review privileged access across crypto service chains Identify who can issue, distribute, custody, amend and reverse crypto-related actions across internal teams and third parties. Remove standing access that is not tied to a current duty, and document exception approvals for audit.
- Align stablecoin controls with regulated delegation For stablecoin and tokenization programmes, define who can approve reserve actions, distribution changes and operational exceptions. Require named approvers and periodic entitlement review for every privileged path.
- Strengthen cross-border control consistency Where services operate across jurisdictions, test whether identity, access and compliance decisions produce the same outcome in each market. Use jurisdiction-specific control overlays only where rules differ materially, and keep the evidence model consistent.
Key takeaways
- 2025 showed that crypto regulation is no longer just about policy design, because implementation and supervision now determine whether the rules actually work.
- The article’s main evidence is that market growth, from over 90 CASPs authorised under MiCA to multi-billion-dollar tokenized funds, is outpacing control consistency.
- For practitioners, the priority is to turn regulatory obligations into auditable access, entitlement and accountability workflows that survive cross-border expansion.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 | The article is about governance, policy implementation and operating context. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is central to privileged access in regulated crypto operations. |
| ISO/IEC 27001:2022 | A.5.15 | Access control governance matters where regulated crypto workflows span teams and third parties. |
| GDPR | Only relevant where identity data or personal data processing appears in regulated services. |
Apply GDPR only where customer identity data or personal data is processed within the crypto programme.
Key terms
- Stablecoin issuer: A stablecoin issuer is the entity responsible for creating and maintaining a fiat-linked digital asset. Under the GENIUS Act, that role carries reserve, disclosure, AML, and sanctions obligations, making issuer identity and control ownership central to compliance governance.
- Travel Rule: A Travel Rule is a regulated requirement for financial platforms to exchange originator and beneficiary information during qualifying transfers. In crypto, it turns transfer handling into an identity and compliance workflow, where the platform must know which counterparties can receive data and how that exchange is recorded.
- Data Tokenization: Data tokenization replaces sensitive values with surrogate tokens that have no exploitable relationship to the original data. In AI environments, the control matters because prompts and responses often contain sensitive content in plain language, so the token must protect the value while preserving enough context for the model to remain useful.
- CASP: A Crypto-Asset Service Provider is an organisation that offers regulated services involving crypto-assets, such as custody, exchange, or transfer activities. For compliance teams, the key issue is that CASP status brings licensing, governance, and control evidence obligations that must be maintained continuously, not only at application time.
What's in the full report
Chainalysis' full round-up covers the operational detail this post intentionally leaves for the source:
- Regional policy-by-policy breakdowns across the US, EU, UK, APAC and Middle East
- Detailed discussion of MiCA implementation issues, including stablecoin regime questions and supervisory convergence
- Specific regulatory developments around tokenization, DORA and anti-money laundering expectations
- The article’s own 2026 watchlist for policy, supervisory and market-structure change
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, IAM and secrets management in a practitioner-focused format. It helps security and identity teams strengthen lifecycle control across regulated environments and adjacent access-heavy programmes.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org