Own Your Identity: Why SGP.32 Is the Most Important Shift in Enterprise Connectivity

The era of virtualized SIMs has arrived.

For decades, SIM cards have been the most inflexible component of the cellular stack. They were physical, operator-locked, and difficult to replace after deployment. Global scaling required complex logistics, inventory management, and per-market agreements, often after devices were already deployed.

This is changing. SGP.32, the GSMA’s IoT Remote SIM Provisioning standard, converts the SIM into software and is the first eSIM standard designed specifically for large-scale IoT.

After slow adoption of SGP.02 and SGP.22, SGP.32 is gaining significant traction in security systems, automotive, body cameras, fixed wireless, and industrial IoT.

The key reason is that SGP.32 shifts control of identity.

The fundamental change: enterprises now own device identity.

SGP.32 introduces not only a technical shift, but a structural one.

Traditionally, operators owned device identity. The IMSI resided on an operator-issued SIM, and switching networks required physical changes, complex migrations, or accepting vendor lock-in.

With SGP.32, the enterprise owns the identity. The eUICC (the chip) is embedded in the device, and the eIM manages profile downloads and lifecycle management. Operators still provide profiles, but enterprises control which to use, when, and where. This enables enterprises to:

  • Ship one global SKU
  • Simplify supply chains
  • Make connectivity decisions after deployment
  • Reduce dependency on a single carrier

Modern connectivity should be flexible, software-defined, and aligned with the device lifecycle rather than constrained by SIM limitations.

How to adopt SGP.32: three deployment options

Enterprises adopting SGP.32 typically have three options:

1. Purchase directly from the eUICC vendor. Work with vendors such as Kigen, IDEMIA, or Giesecke+Devrient, deploy your own eIM, and manage operator integrations. This provides maximum control but requires significant telecom expertise, certification, and extended timelines.

2. Lease the SGP.32 platform from a connectivity partner such as Monogoto. Devices ship with a bootstrap profile, connect globally upon activation, and can switch profiles over the air. This approach offers:

  • Faster deployment
  • Reduced operational complexity
  • Full control of identity without building the stack from scratch

3. Become your own MVNO. This is viable only for organizations ready to make telecom a core competency.

For most enterprises, the second option offers the best balance of control, flexibility, and speed.

Bootstrap connectivity is more powerful than most teams realize

When people hear “bootstrap SIM,” they usually think of day-one provisioning. That’s only half the story.

Use case 1: Bootstrap as a deployment accelerator. Devices ship with a preloaded profile, connect immediately, and operator selection occurs remotely. This results in:

  • One SKU
  • Simplified logistics
  • Faster global rollout

Use case 2: Bootstrap as built-in resilience. More enterprises should consider this approach. A secondary profile can remain dormant on the eUICC and be activated remotely if the primary network fails due to outages, pricing changes, or coverage gaps. This eliminates:

  • Physical intervention
  • Device recalls
  • Single-carrier dependency

A dormant profile is a simple way to introduce redundancy at the identity layer.

The Zero Trust advantage: identity ownership delivers additional value.

SGP.32 offers an additional benefit that is often underestimated: once you own the identity, you can implement Zero Trust security.

Zero Trust is now the default security architecture in enterprise IT: never trust based on network location, always verify, and authenticate every request against a hardware-rooted credential.

This model works well for laptops and cloud workloads, but has been difficult to apply to IoT because most devices still rely on weak identity systems:

  • Shared credentials or passwords
  • Firmware-based certificates
  • Chips that aren’t tamper-resistant

As a result, device fleets often have inadequate security.

SGP.32, combined with IoT SAFE, addresses this challenge.

The eUICC serves as a tamper-resistant secure element, and the GSMA’s IoT SAFE applet establishes it as a hardware root of trust for the device:

  • Credentials are securely stored
  • Keys cannot be extracted
  • Authentication extends across cellular, Wi-Fi, private networks, and satellite NTN

For Physical AI deployments, connected vehicles, robotics, security cameras, and autonomous industrial systems, secure device identity is essential. A compromised credential on a connected car can result in a hijacked vehicle. In robotics, it means loss of control. For body cameras, it jeopardizes the chain of custody in legal proceedings.

And this is the part that often gets overlooked: you cannot fully implement Zero Trust on an identity you do not own.

Why this moment matters

Several factors are converging:

The standard is real. SGP.32 is finalized, products are shipping, and the certification path is well understood.

Operational friction is decreasing. Virtualization eliminates the physical SIM logistics that have complicated global IoT deployments, including per-market SIM negotiations, SKU proliferation, and recalls due to operator changes.

Connectivity is now multi-bearer. With identity on a software-defined eUICC, the same credential can authenticate across private cellular (CBRS, private 5G), Wi-Fi with EAP-SIM/AKA, and satellite NTN.

One identity. Multiple bearers. No hardware changes. The enterprises that own their identity today will be the ones that integrate satellite and private network connectivity smoothly tomorrow.

Advice for CTOs considering this transition

Act promptly. Do not attempt to build the entire platform internally before gaining field experience. Do not rely solely on existing operator relationships for protection.

Integrate an SGP.32-ready bootstrap into your next hardware revision. Partner with providers such as Monogoto for the eIM and bootstrap profile to accelerate deployment. Learn from real-world usage, maintain control of your identity, and preserve flexibility.

The enterprises that figure this out early will build a connectivity stack that becomes more flexible and resilient over time. The ones that don’t will spend the next decade managing the same SIM logistics they’ve managed for the last 20 years.
