By NHI Mgmt Group Editorial Team | Published 2025-11-11 | Domain: Governance & Risk | Source: SSH Communications Security

TL;DR: Matrix Conference 2025 reinforced that Matrix is moving from experimental secure messaging toward production-grade, federated collaboration, with work on Matrix 2.0, Matrix-based whiteboards, and post-quantum and MLS research shaping the next phase, according to SSH Communications Security. The governance question is no longer whether the protocol is viable, but how identity, trust, and lifecycle controls scale across collaboration ecosystems.


At a glance

What this is: Matrix Conference 2025 showed Matrix maturing into a production-grade, federated collaboration platform with stronger focus on stability, scalability, and usability.

Why it matters: IAM, NHI, and collaboration teams now have to govern secure communication as an ecosystem, not just a chat layer.



Context

Matrix is an open, federated communications protocol for secure messaging and collaboration, not a proprietary chat stack. In this article, SSH Communications Security uses the Matrix Conference 2025 to argue that the ecosystem is moving into a production-grade phase, with Matrix 2.0, whiteboarding, voice, video, and group collaboration now treated as deployable infrastructure rather than future possibility.

For identity and access teams, the important shift is that secure communication is becoming part of the broader trust fabric. That raises questions about who can join federated spaces, how membership is governed across organisations, how encryption keys are managed, and how lifecycle controls behave when collaboration spans many tenants and devices. It also makes open standards and local control more relevant to sovereign and regulated environments.


Key questions

Q: How should organisations govern federated collaboration platforms like Matrix?

A: Treat federated collaboration as an identity governance domain, not just a communications tool. Assign clear ownership for membership approval, device trust, key lifecycle, and cross-domain revocation. The control objective is to make federation explicit and auditable, especially where multiple organisations share rooms, workspaces, or cryptographic trust boundaries.

Q: Why do open communication standards create new access governance challenges?

A: Open standards reduce lock-in, but they also distribute trust across organisations, devices, and servers. That means access decisions cannot rely on a single vendor boundary. Teams must define who can join, how exceptions work, and how access is removed when collaboration spans multiple domains.

Q: How can security teams manage secure collaboration as the platform expands beyond chat?

A: They should govern collaboration roles, not just messaging accounts. Whiteboards, voice, video, and shared workspaces each introduce additional entitlement layers, so access reviews need to include memberships, device confidence, and data visibility across all collaboration surfaces.

Q: What should identity teams prioritise for long-lived encrypted collaboration channels?

A: They should prioritise encryption agility, group key lifecycle management, and migration planning for new cryptographic standards. Long-lived channels need a path for rekeying and algorithm change, otherwise the collaboration layer can become resilient operationally but brittle cryptographically.


Technical breakdown

Matrix 2.0 and production-grade federation

Matrix 2.0 is presented as a step toward more stable, scalable deployment of the protocol. The technical point is not simply better messaging performance, but stronger operational viability for federated systems where multiple homeservers, clients, and bridges must interoperate reliably. In practice, that means the protocol’s architecture is being tuned for real-world load, not just protocol purity. For security teams, production readiness changes the governance question from "can this work at all?" to "how do we control trust boundaries across a distributed mesh of identities and endpoints?"

Practical implication: treat Matrix federation as a governed production platform and define membership, key, and endpoint controls before broad rollout.

Secure collaboration ecosystems beyond chat

The article describes Matrix moving beyond messaging into real-time collaboration through tools such as whiteboards and multi-user workspaces. That matters because identity and authorization no longer stop at message send and receive permissions. Shared workspaces introduce richer participation states, more persistent artefacts, and broader access relationships across chat, voice, video, and documents. Once collaboration spans multiple modalities, the control plane must manage not only users but sessions, device trust, room membership, and content visibility across the full interaction surface.

Practical implication: extend access governance to collaboration roles, workspace membership, and device trust, not just messaging accounts.

Post-quantum cryptography and MLS for long-term trust

The conference discussion on post-quantum cryptography and Messaging Layer Security points to future-proofing encrypted group communication. PQC addresses the risk that today’s cryptography may not remain safe against future adversaries, while MLS is designed to support efficient group key management for dynamic conversations. The governance issue is that cryptographic resilience is now part of communications architecture, not a separate research topic. Organisations planning long-lived secure collaboration channels should expect encryption agility and group-key lifecycle management to become baseline requirements.

Practical implication: build encryption agility and group key governance into collaboration roadmaps before long-lived channels become hard to rekey.


NHI Mgmt Group analysis

Matrix’s maturity shift changes the governance question from adoption to control design. Once a federated communications platform is treated as production infrastructure, the identity problem is no longer limited to secure message transport. It becomes a question of how organisations govern membership, device trust, key lifecycle, and interoperability across organisational boundaries. The implication is that collaboration security now needs the same governance discipline as any other shared access surface.

Open standards create sovereignty benefits, but they also shift trust management from vendor boundary to programme boundary. Matrix’s appeal in public sector deployments is that it avoids lock-in while preserving interoperability and local control. That is also the challenge: when control is distributed across homeservers, clients, and organisations, governance must be explicit about who owns access, who revokes it, and how exceptions are handled. Practitioners should treat federated collaboration as a policy design problem, not just a deployment choice.

Secure collaboration is expanding into a broader identity and access surface. As Matrix-based tools move into whiteboards, voice, video, and workspace coordination, the access model becomes more layered than simple account authentication. This is where NIST Cybersecurity Framework 2.0 and zero-trust thinking become useful, because they push teams to align identity, device confidence, and continuous verification. The practical conclusion is that collaboration governance now sits inside the wider identity programme, not outside it.

Long-term cryptographic planning is now part of communication governance. The article’s focus on post-quantum cryptography and Messaging Layer Security shows that secure collaboration cannot be treated as a static feature set. Encryption agility, group key lifecycle, and future algorithm transitions are becoming design assumptions for any platform expected to remain relevant over a decade. Practitioners should regard cryptographic migration readiness as part of operational resilience, not a later enhancement.

Named concept: federated collaboration governance gap. Matrix’s maturation exposes a gap between the way organisations approve messaging platforms and the way federated collaboration actually behaves. The protocol can be open, sovereign, and usable at the same time, but that does not remove the need for clear entitlement ownership, revocation discipline, and cross-domain trust policy. The implication is that teams must govern the collaboration ecosystem as a living identity boundary, not a static tool rollout.

From our research:

What this signals

Federated collaboration is becoming an identity governance problem, not a product selection problem. As platforms like Matrix expand from messaging into shared workspaces, the control surface shifts from a single login to a distributed entitlement model. Teams should prepare for access reviews that cover rooms, devices, keys, and external trust relationships together, because the collaboration boundary is now wider than the chat boundary.

88.5% of organisations say their non-human IAM lags human IAM, according to The 2024 Non-Human Identity Security Report, and that gap matters here too. Collaboration platforms increasingly depend on service integrations, bots, and automation around the messaging layer, so the governance model must account for machine access alongside human users. If the NHI layer is weak, the collaboration stack inherits that weakness immediately.

The most useful programme response is to treat federated collaboration as part of the wider identity lifecycle. That means onboarding, revocation, device trust, and encryption governance need to be designed together, not handed off to separate communications and IAM teams.


For practitioners

  • Define federation ownership boundaries: Map which team owns homeserver policy, cross-domain trust decisions, and exception handling before expanding Matrix-based collaboration beyond pilot users.
  • Extend access reviews beyond accounts: Review room membership, workspace roles, and device trust together so collaboration access is evaluated as a full entitlement set rather than as a single login.
  • Plan encryption agility early: Document how key rotation, group rekeying, and future cryptographic migration will be handled for long-lived collaboration channels and sovereign deployments.
  • Align collaboration controls with zero trust: Apply continuous verification to devices, sessions, and trust relationships so federated collaboration does not rely on one-time approval at onboarding.

Key takeaways

  • Matrix’s move toward production-grade collaboration changes the problem from secure chat to governed federation.
  • The real control challenge is not message encryption alone, but ownership of memberships, devices, keys, and trust boundaries.
  • Identity teams should fold collaboration platforms into lifecycle and zero-trust governance before they become operationally entrenched.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST CSF 2.0 | | Federated collaboration needs govern, protect, detect, and respond controls across shared trust boundaries. |
| NIST Zero Trust (SP 800-207) | | Matrix federation relies on continuous trust decisions across distributed clients and servers. |
| NIST SP 800-63 | | Federated collaboration still depends on strong identity proofing and authentication for users joining shared spaces. |

Use assurance-appropriate authentication for collaboration users and align it with room and workspace access policy.


Key terms

  • Federation: Federation is a trust model where separate systems interoperate while keeping their own administrative control. In secure collaboration, federation means identity, policy, and data access can span organisations without forcing them onto one shared platform or one shared directory.
  • Collaboration workspace: A collaboration workspace is a shared environment that combines messaging, presence, voice, video, or content collaboration into one access surface. It broadens identity governance because membership, device trust, and entitlement revocation must be managed across more than a single communication channel.
  • Encryption agility: Encryption agility is the ability to change cryptographic algorithms, key management methods, or transport protections without disrupting service. It matters for long-lived collaboration systems because secure communication must stay maintainable as threats, standards, and compliance expectations evolve.
  • Device trust: Device trust is the confidence an organisation places in the endpoint used to access a system. For federated collaboration, it influences whether a user can join sensitive rooms, share data, or participate in persistent workspaces under a zero-trust model.


This post draws on content published by SSH Communications Security: Matrix Conference 2025 and the evolution of secure, decentralized communication. Read the original.
