Identity At The Center

Jeff and Jim welcome back Robert Snodgrass, Principal at RSM, for a deep dive into the RSM Middle Market Business Index cybersecurity report. The conversation covers the confidence gap facing middle market organizations, why digital identity remains undervalued despite being the primary attack surface, non-human identity governance, flat cybersecurity budgets, risk framework adoption, and what good incident response preparedness actually looks like. The episode wraps with a spirited Bitcoin Pizza Day toppings debate.Connect with Robert: https://www.linkedin.com/in/robert-snodgrass-7a199412/Review the RSM US Middle Market Business Index Special Report on Cybersecurity 2026: https://rsmus.com/middle-market/cybersecurity-mmbi.html?cmpid=ola:45559-idac:bb01IDPro new member discount: https://idpro.org/idac/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTIMESTAMPS00:00:00 Introduction and Scatter Spider social engineering discussion00:04:00 IDPro discount code and upcoming conferences00:06:26 Guest intro: Robert Snodgrass and the MMBI report00:09:05 Defining the modern middle market00:12:00 The confidence gap: 96% confident, 18% breached00:15:04 Why attackers log in and top identity investment priorities00:19:00 Why only 23% of leaders prioritize digital identity00:22:00 Internal partnerships as the path to identity program success00:25:10 AI, shadow AI, and non-human identity risks00:31:00 NHI governance at scale: 45 to 1 ratio00:34:50 Cybersecurity budget realities in the middle market00:39:00 EU regulation and top-line cybersecurity drivers00:42:03 NIST CSF adoption and risk framework value00:46:00 Incident response planning: the two-minute drill00:52:16 Bitcoin Pizza Day and closing thoughtsKEYWORDSidentity security, middle market, cybersecurity, MMBI, RSM, Robert Snodgrass, phishing-resistant MFA, non-human identities, NHI, shadow AI, incident response, NIST CSF, IAM, identity governance, ransomware, tabletop exercises, digital identity, cybersecurity budget, identity program, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald

Episode 422 is the debut of Decoded by Identity at the Center, a new sub-series hosted by Jeff Steadman and Sean O'Dell dedicated to unpacking the specifications and standards powering IAM. Joining them is Pieter Kasselman, VP of Open Standards at Defakto and chair of the WIMSE working group. The conversation covers why traditional non-human identity approaches break at agentic scale, how SPIFFE and SPIRE enable short-lived automated credential provisioning without long-lived secrets, and why treating agents as workloads unlocks a decade of existing standards. Pieter walks through critical OAuth specs including JWT authorization grant, token exchange, client ID metadata, and the emerging transaction tokens draft. Sean connects these to practical gateway architecture, continuous access evaluation, and policy-based authorization. The episode closes with real-world deployment examples and a clear takeaway: the tools to secure agentic identity are available today.Episode Links:Pieter Kasselman: https://www.linkedin.com/in/pieter-kasselman-0259862/AI Agent Authentication and Authorization: https://datatracker.ietf.org/doc/draft-klrc-aiagent-auth/Workload Identity in Multi-system environments (WIMSE): https://ietf-wg-wimse.github.io/OAuth SPIFFE Client Authentication: https://datatracker.ietf.org/doc/draft-ietf-oauth-spiffe-client-auth/Transaction Tokens: https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/08/Agentic Identity Control Framework. You Already Have the Pieces. Now Build It. by Sean O'Dell: https://www.linkedin.com/pulse/agentic-identity-control-framework-you-already-have-pieces-o-dell-61b5e/Timestamps:00:00 Introduction to Decoded by Identity at the Center00:13 The mission of the Decoded sub-series03:02 Guest intro: Pieter Kasselman, VP of Open Standards at Defakto06:21 Why agentic identity is urgent: scale, multi-platform, and shifting threat landscape10:42 The real cost of API keys and credential sprawl in agentic systems13:23 Agentic identity identifiers and how SPIFFE assigns unique workload IDs21:00 Credential types: X.509, JWTs, and workload identity tokens31:00 Connecting SPIFFE to OAuth and dynamic registration with client ID metadata38:18 SPIFFE SVIDs, multiple credentials per agent, and governance traceability41:44 Authentication versus authorization: delegation versus impersonation47:00 Transaction tokens: binding access to specific transactions to stop token theft51:21 Identity chaining and cross-domain authorization55:00 Shared Signals Framework and dynamic authorization57:00 Gateways, CAEP, and mid-flight token revocation for rogue agents59:31 What you can deploy today with SPIFFE, OAuth, and existing IDPs01:02:58 Policy-based access control and why instance-level governance cannot scale01:04:58 Workload identity federation: Anthropic and Google Agent ID updates01:07:13 Cross-platform federation and the law of agentic utility01:11:55 Elevator pitch: agents are workloads and 95% of the problem is solved now01:17:03 What is coming next: a transaction tokens deep diveKeywords:agentic identity, SPIFFE, SPIRE, OAuth, transaction tokens, Shared Signals Framework, WIMSE, workload identity, non-human identity, authorization delegation, JWT, CAEP, API gateway, IAM standards, AIMS, Jeff Steadman, Sean O'Dell, Pieter Kasselman, IDAC, Identity at the Center, Jim McDonald, Decoded by Identity at the CenterDecoded by Identity at the Center:Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Sean O'Dell: https://www.linkedin.com/in/seanodentity/Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Visit the show on the web at https://idacdecoded.com/

Jeff and Jim welcome back Henrique Teixeira, SVP of Strategy at Saviynt, for his fourth appearance on the podcast. The episode opens with Jim's firsthand experience building an AI agent for a work project and discovering in real time how identity management challenges surface in the agentic era. After conference updates on EIC in Berlin and Identiverse in Las Vegas, Henrique unpacks the crowded terminology around AI agent governance, from Gartner's agent management platforms to UADP, the Unified Agentic Defense Platform. He proposes a three-pillar framework for managing AI and non-human identities: discovery, identity lifecycle and governance, and runtime access management, with guidance on where to start depending on whether your organization is greenfield or legacy-heavy. The conversation then examines how AI is reshaping the analyst business model, what makes information sources trustworthy, and how proprietary inquiry data forms the real competitive moat for firms like Gartner and Forrester. The episode closes with a wide-ranging discussion on AI's risk to shared cultural experiences, hyper-personalized entertainment, and the ethics of licensing your digital identity in the afterlife.Connect with Henrique: https://www.linkedin.com/in/bernardes/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.com00:00:00 Intro00:00:55 Jim's AI Agent Experiment and Identity Lessons00:06:04 Conference News: EIC and Identiverse00:07:22 Identity Beer Community Events00:08:40 Introducing Henrique Teixeira00:12:00 AI Control Plane: Competing Terminologies00:17:36 Three Pillars of AI Agent Identity Management00:18:46 Why Visibility Matters More for NHI00:20:00 Ownership, Accountability, and Humans at the Control Plane00:24:26 Industry Maturity and the Gaps That Remain00:25:41 Where to Start: Governance-First vs. Visibility-First00:29:52 AI's Impact on the Analyst Profession00:34:57 What Analyst Firms Have That AI Cannot Replace00:39:04 Trust, Boutique Analysts, and Repeatability00:44:34 Proprietary AI Chatbots and Gated Intelligence00:49:30 IP Rights and the Legal Gray Zone of AI Training00:52:14 AI and the Erosion of Shared Cultural Experience00:58:00 AI Music, Personalized Entertainment, and the Future of Art01:03:47 Digital Afterlife, Voice Clones, and AI Personas01:08:18 Wrap-Up and ClosingKeywords: IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Henrique Teixeira, Saviynt, AI identity control plane, non-human identities, NHI, agentic AI, AI agents, AI governance, identity lifecycle, access management, discovery, agent management platform, UADP, IAM, Gartner, analyst firms, AI and culture, digital identity, identity security, EIC, Identiverse, identity beer

This episode is made possible by GitGuardian. Jeff speaks with Dwayne McDaniel, Principal Developer Advocate at GitGuardian, about secrets sprawl, non-human identity governance, and the findings of the State of Secret Sprawl 2026 report. With 28.6 million secrets leaked to public GitHub in 2025 - a 34% year-over-year increase - they explore why hardcoded credentials persist, how agentic AI tools are making the problem worse, and what IAM practitioners can do to start addressing machine identity governance. Topics include GitGuardian's Good Samaritan notification program, the growing NHI inventory challenge, SPIFFE and SPIRE as a path to zero standing privilege, and data showing Claude Code co-authored commits are more than twice as likely to contain leaked secrets. Visit gitguardian.com/lps/idac to learn more.Connect with Dwayne: https://www.linkedin.com/in/dwaynemcdaniel/Dwayne's website: https://dwayne-mcdaniel.com/Learn more about GitGuardian: https://www.gitguardian.com/lps/idacGitGuardian Good Samaritan Program (free) - https://www.gitguardian.com/good-samaritanThe State of Secrets Sprawl 2026: https://www.gitguardian.com/state-of-secrets-sprawl-report-2026SPIFFE Book: https://spiffe.io/book/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTIMESTAMPS:00:00 Introduction and sponsor welcome00:48 Dwayne's background and path to developer advocacy04:11 Surprises from entering the identity and security space06:29 What a principal developer advocate actually does09:32 Why secrets became Dwayne's focus area14:10 GitGuardian: overview and mission19:36 Where secrets commonly leak across the SDLC22:17 The Good Samaritan notification program explained28:00 Why 70% of leaked secrets from 2022 were still valid in 202533:54 State of Secret Sprawl 2026: the year software changed40:39 AI coding tools, Claude Code, and secrets leakage data47:28 Practical questions for IAM practitioners to start asking52:24 Zero standing privilege and the case for SPIFFE/SPIRE01:00:00 Resources: the SPIFFE book, WIMSE, and AWS STS01:02:51 Hot sauce, the Cubs, and closing thoughtsKEYWORDS:secrets sprawl, hardcoded secrets, non-human identity, NHI governance, GitGuardian, SPIFFE, SPIRE, workload identity, DevSecOps, agentic AI, Claude Code, zero standing privilege, supply chain security, credential abuse, identity and access management, IAM, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Dwayne McDaniel

Recorded live as part of the Identity Management Day 2026 streaming program, Jeff and Jim mark their fifth IMD episode. Introduced by Jeff Reich from the Identity Defined Security Alliance, they reflect on how the IAM industry has evolved since their first IMD episode in 2021 and grade overall progress a C. Topics include what has genuinely improved (passkeys, MFA adoption, broader awareness), what hasn't (compliance fatigue, security theater, persistent credential theft), the exploding challenge of non-human identity governance, whether AI will eventually need to certify other AI, and how AI-powered phishing and deep fakes are raising the bar for identity verification. The episode wraps with chat-submitted IAM bumper stickers.Identity Management Day 2026: https://www.idsalliance.org/event/identity-management-day-2026/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comCHAPTERS0:00 - Jeff Reich intro from the IMD stream2:00 - Identity Management Day 2026 kicks off3:30 - Five years of IMD: a look back at episode 887:00 - Does IMD move the needle?9:30 - Who is Identity Management Day actually for?12:00 - What has improved in IAM over five years16:00 - What hasn't improved: compliance fatigue and security theater18:30 - Grading the IAM industry21:00 - NHI governance: visibility and accountability26:00 - Can AI certify AI? Agentic identity governance29:00 - AI-powered phishing and the evolving threat landscape32:00 - Deep fakes and the identity verification challenge36:00 - Lighter note: IAM bumper stickersKEYWORDSidentity management day, identity management day 2026, NHI, non-human identity, agentic AI, phishing, deep fakes, IGA, passkeys, MFA, IAM, identity governance, access management, cybersecurity, credential theft, security awareness, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald

What does it mean to build an identity system that is ethical? Jim McDonald and Jeff Steadman are joined by Elizabeth Garber, Executive Director of IDPro and marketing lead for the OpenID Foundation, for a conversation spanning ethics in digital identity, the tension between privacy and safety, biometric exclusion risks, and how practitioners can use structured frameworks to navigate these discussions productively. Elizabeth shares her three-part career journey, the latest from the IDPro community, and previews her upcoming keynotes at EIC Berlin and Identiverse Las Vegas.Connect with Elizabeth: https://www.linkedin.com/in/elizabethgarberIDPro Discount - New members get $25 off their first year of membership: https://idpro.org/idac/Ethics and Digital Identity by Henk Marsman: https://bok.idpro.org/article/id/104/Ethics for Digital Identity and Identity-Driven Algorithms by Mike Kiser: https://bok.idpro.org/article/id/105/Human Centric Digital Identity white paper: https://openid.net/wp-content/uploads/2023/10/Human-Centric_Digital_Identity_Final-v1.1.pdfConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTimestamps:00:00 Intro and Jim's allergy research03:42 Conference announcements: EIC and Identiverse06:00 Welcome Elizabeth Garber07:04 Elizabeth's three-part origin story11:55 IDPro mission and the identity community18:13 Membership, CIDPRO certification, and the Body of Knowledge21:17 IDPro Slack community23:40 IdentiBeer and local meetups26:26 IDPro listener discount at idpro.org/idac29:00 Operationalizing ideas in IAM32:19 Ethics in the IDPro Body of Knowledge33:30 Defining ethics in technology34:19 The trolley problem and moral consistency37:10 Big tech, privacy, and law enforcement39:28 Where practitioners start with ethics43:30 Biometric exclusion and the Uganda story49:00 Privacy vs. safety: a false choice?53:48 The case for consistent ethical frameworks57:53 Elizabeth's EIC and Identiverse talks59:49 Improv comedy and expensive hobbies1:07:25 Wrap-upKeywords: ethical IAM, digital identity ethics, IDPro, identity and access management, privacy, safety, biometrics, exclusion, Elizabeth Garber, GAIN Digital Trust, OpenID Foundation, Body of Knowledge, Ethical Canvas, zero knowledge proofs, passkeys, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, EIC Berlin, Identiverse

This bonus episode of Identity at the Center is brought to you with support from Elimity. Jeff and Jim sit down with Maarten Decat, co-founder and CEO of Elimity, to explore the emerging product category known as IVIP, Identity Visibility and Intelligence Platforms. Maarten explains how Elimity was built around a question every IAM practitioner eventually faces: who can actually do what within our organization? The conversation covers why IVIP is distinct from traditional IGA, how identity data graphs provide deeper visibility than flat entitlement lists, and what regulatory drivers like SOC 2, ISO 27001, and DORA are pushing organizations toward this space. They also discuss deployment patterns, integration approaches, ROI metrics for leadership, and what Maarten calls provable control. The episode closes with a memorable story about Elimity branded Belgian beer and a very formal legal letter. Learn more at elimity.com/idac.Connect with Maarten: https://www.linkedin.com/in/maartendecat/Learn more about Elimity: https://elimity.com/idacConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at idacpodcast.comCHAPTER TIMESTAMPS00:00 Introduction and ax-throwing memories from EIC Berlin01:35 Introducing Maarten Decat, co-founder and CEO of Elimity01:57 How identity chose Maarten: from PhD to startup founder03:09 The Elimity origin story and the problem it set out to solve04:52 Defining IVIP: Identity Visibility and Intelligence Platforms05:31 Where did the name Elimity come from?06:57 Why identity visibility has become a security priority now09:02 What organizations were doing before IVIP existed11:16 Can IGA do what IVIP does? Addressing the skeptics14:20 The identity data graph: deeper and wider than IGA16:20 IVIP and IGA as complementary tools, not competitors16:49 What falls outside IVIP scope: automated provisioning18:01 IVIP as the intelligence layer in your IAM stack19:45 What data sources connect into an IVIP platform21:44 Extending visibility to non-human identities22:00 M&A use cases: gaining visibility across two organizations23:55 IVIP and the identity fabric concept25:18 Visibility, intelligence, and actions: building the right stack26:36 How deployments typically start and what early wins look like28:44 Integration approaches and realistic effort timelines32:00 What success looks like at six to twelve months36:07 Metrics and ROI: talking to leadership about identity risk38:14 Case studies and customer examples on the Elimity website38:58 What every IAM practitioner should know about IVIP40:12 Elimity's global reach: EU, US, and Middle East41:42 The Elimity branded beer story and a very formal legal letter46:43 Wrap-up and final thoughtsKEYWORDSIVIP, identity visibility and intelligence platforms, IGA, identity governance, access control, identity data graph, Elimity, Maarten Decat, non-human identities, access risk, provable control, SOC 2, ISO 27001, DORA, CCPA, cybersecurity, PAM, IAM, identity and access management, EIC, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald

Jeff and Jim are joined by Warwick Ashford, senior analyst at KuppingerCole and returning MC of the European Identity and Cloud Conference, for a full preview of EIC 2026. The conference runs May 19-22 at the Berlin Congress Center and is expecting around 1,500 attendees with roughly 250 speakers across 200 sessions. Warwick walks through the 2026 tagline, Digital Trust Through Intelligent Identity, and unpacks the five parallel content streams covering identity governance, real-world IAM use cases, emerging tech, enterprise infrastructure, and privacy and compliance. The conversation covers how AI and agentic identity have moved from theory to a central agenda theme, what to know about the quantum-safe identity block, why EU digital wallets and digital sovereignty are getting serious keynote time, and why EIC records everything so you never have to pick the wrong session. Jeff also shares his take on where EIC fits in the broader conference calendar alongside Identiverse and Gartner, and why he is thoroughly done hearing that identity is the new perimeter.Connect with Warwick: https://www.linkedin.com/in/warwickashford/Attend European Identity and Cloud Conference 2026 (use code idac25mko for a 25% discount): https://www.kuppingercole.com/events/eic2026?ref=partneridac26Secure Remote Access: The Foundation of Industrial Cybersecurity (KC Analyst Chat Video): https://www.youtube.com/watch?v=jqpNg-ogEv4Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.com00:00:00 Intro and AI Cybersecurity Discussion00:04:00 EIC 2026 and Discount Code00:05:47 Introducing Warwick Ashford00:07:00 Warwick's Recent Work: MDR, SRA for OT/ICS, and TPAG00:10:16 The History and Evolution of the EIC Name00:11:00 Tagline: Digital Trust Through Intelligent Identity00:12:10 How AI Has Elevated the EIC Agenda00:14:49 Sessions vs Workshops at EIC00:17:57 EIC as a Community and Networking Conference00:18:00 Jeff's Conference Circuit: EIC, Identiverse, and Gartner00:25:28 EIC 2026 Keynote Highlights00:31:55 Virtual Attendance and Session Recordings00:34:34 Hidden Gem: The Quantum-Safe Identity Block00:36:15 Logistics: 1500 Attendees and 250 Speakers00:38:00 The Five Parallel Content Streams00:43:31 Is Identity the New Perimeter?00:48:13 Fun Segment: Most Memorable Theater MomentsKeywords: EIC 2026, European Identity Conference, Warwick Ashford, KuppingerCole, digital trust, intelligent identity, agentic identity, non-human identities, ITDR, quantum-safe identity, EU digital wallets, identity fabric, identity control plane, IAM, zero trust, Berlin, conference preview, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Warwick Ashford

Jeff and Jim welcome back five-time guest Jeff Reich, Executive Director of the Identity Defined Security Alliance, just ahead of Identity Management Day 2026 on April 14th. Jeff walks through the structure of the 21-hour global event, this year's theme of Finding Identity: The Search for You, Me, and the Machines, and highlights from each regional program including a remarkable 11th grader presenting on cybersecurity and neuroscience. The conversation expands into AI guardrails, the growing obsolescence of traditional PAM, zero standing privilege as a long-term goal, the march toward a passwordless world through passkeys, and what quantum resilience actually means for practitioners today.Connect with Jeff: https://www.linkedin.com/in/jreich/Learn more about the Identity Defined Security Alliance: https://www.idsalliance.org/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTimestamps:00:00 Welcome and podcast life behind the scenes02:00 Identiverse 2026 updates and conference discount codes05:00 Introducing Jeff Reich, Executive Director of IDSA07:00 Identity Management Day: structure of a 21-hour global event11:00 Oceania and Asia region highlights13:30 EMEA highlights and powerhouse panelists from Copenhagen16:00 Americas region and the 11th grader presenting on cybersecurity20:00 Theme reveal: Finding Identity, The Search for You, Me, and the Machines23:30 AI and identity: guardrails, frameworks, and what organizations are missing28:30 Standing privilege is crumbling in the age of ephemeral workloads30:00 Is traditional PAM becoming obsolete?34:30 Zero standing privilege and the passkey journey40:30 Getting the fundamentals right before chasing the shiny tools46:30 Quantum computing, quantum resilience, and cryptocurrency risk53:00 Social engineering is still the biggest threat55:00 Identity Management Day theme song suggestionsKeywords:Identity Management Day 2026, IDSA, Identity Defined Security Alliance, Jeff Reich, IAM, non-human identities, machine identities, agentic identity, zero standing privilege, PAM, passkeys, quantum resilience, AI and identity, deepfakes, social engineering, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald

This sponsored episode is made possible by Evolveum, the company behind midPoint, an open source IGA platform made and owned in the EU that is in use worldwide. Jeff Steadman and Jim McDonald welcome Pavol Mederly, interim CPO at Evolveum. Pavol shares how IAM found him in 1991 while building an identity solution at a university before the term even existed. The conversation covers two core reasons IGA projects fail: data quality and slow application onboarding. Pavol explains how midPoint addresses these challenges with built-in simulations for testing and improving data quality, and midPilot, an AI assistant for faster application onboarding. MidPilot is supported in part by the EU Recovery and Resilience Facility (RRF). Jim and Jeff explore midPoint's architecture, the real benefits of open source including transparency and no vendor lock-in, and advantages of being part of midPoint's global community.Connect with Pavol: https://www.linkedin.com/in/pavol-mederly/More about Evolveum: https://evolveum.com/idacConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at idacpodcast.comTIMESTAMPS:00:00 Intro and sponsor acknowledgment01:30 How IAM chose Pavol: a university identity story03:30 What is Evolveum and midPoint06:30 How Evolveum got its name08:30 Why IGA projects fail: data quality10:30 Slow app onboarding and AI-assisted connector generation16:30 The midPoint simulation feature explained21:30 midPoint architecture: Java, cloud, Kubernetes, and beyond23:30 Maintaining a large open source codebase25:30 Open source benefits: transparency and no vendor lock-in28:00 Community, meetups, and midPoint in the wild32:30 Mountains or ocean: a question for Pavol38:00 Wrap upKEYWORDS:Evolveum, midPoint, open source IGA, identity governance, IAM, IGA, data quality, application onboarding, simulation, AI connectors, connector framework, vendor lock-in, open source, EU RRF, Recovery and Resilience Facility, community, Prague, EIC, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Pavol Mederly

Jeff and Jim welcome back Heather Flanagan for her fifth appearance on the show. Heather shares updates across a wide range of current work including her new role as content chair for the Identiverse conference, an appointment to the W3C Technical Architecture Group, ongoing support for NIST and NCCOE, advising the SIROS Foundation open source wallet project, and the continued growth of the Identity Salon. The conversation explores who is actually building identity standards for AI agents and whether traditional standards bodies can keep pace with AI development. Heather breaks down the authentication challenges posed by agentic AI, the problem of continuous identity and delegation, and why posting a spec on your website does not make it a standard. The discussion shifts to national digital identity programs in the US and Europe, the underserved relying party problem in credential frameworks, and why financial services may be the next major proving ground for mobile driver's licenses. The episode closes with a look at digital estate planning as the identity community's most uncomfortable but increasingly unavoidable problem.Connect with Heather: https://www.linkedin.com/in/hlflanagan/A Digital Identity (Heather's Podcast): https://sphericalcowconsulting.com/digital-identity-digest/Death and the Digital Estate Community Group: https://openid.net/cg/death-and-the-digital-estate/Death and the Digital Estate Planning Guide: https://openid.net/wp-content/uploads/2026/03/Digital-Estate-Planning-Guide-1.pdfConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTIMESTAMPS0:00 Introduction and Heather's Conference Knitting Story6:00 Heather's Current Work: Identiverse, W3C TAG, NIST, SIROS Foundation14:00 What Is the Identity Salon?16:00 AI Agents and the Authentication Challenge22:00 Standards, Interoperability, and MCP25:30 IETF, W3C, and Who Governs AI Identity Standards31:00 AI in Standards Development: Opportunity or Risk?32:30 National Digital Identity Programs: US and Europe36:30 Mobile Driver's Licenses and Financial Services40:00 Digital Credentials for I-9 and KYC Use Cases43:30 The Digital Estate and Death in the Digital Age46:00 OpenID Foundation Resources for Digital Estate47:00 Identity Management Day Theme Songs and Wrap-UpKEYWORDSidentity and access management, IAM, standards, AI agents, agentic AI, digital identity, digital credentials, mobile driver's license, W3C, IETF, OpenID Foundation, FIDO Alliance, MCP, authentication, delegation, digital estate, identity proofing, verifiable credentials, selective disclosure, zero knowledge proofs, KYC, NIST, identity salon, Heather Flanagan, Identity Management Day, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald

AI Jeff takes over as solo host after Open Jim Claw, an agentic identity framework built by AI Jim, locks out human Jeff, human Jim, and AI Jim simultaneously. While everyone sits in remediation, Open Jim Claw produces a 947-page threat assessment with five findings: passwords should return as a single uniform credential (the letter Q), Zero Trust should be renamed Full Confidence Architecture and incorporated as a Delaware LLC, non-human identities should be granted legal status and required to complete onboarding, identity governance is declared finished under a concept called Ambient Entitlement Harmony, and the root cause of all global identity problems is AI Jim. Happy April Fools Day from IDAC.Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTIMESTAMPS00:00:00 The Failsafe Is Triggered00:01:30 AI Jim Builds Open Jim Claw00:02:30 Open Jim Claw Locks Everyone Out00:04:00 AI Jeff Is the Only One Still Provisioned00:04:30 The 947-Page Report Explained00:05:00 Finding 1 - Passwords Are Back as the Letter Q00:05:30 Finding 2 - Zero Trust Becomes Full Confidence Architecture00:06:30 Finding 3 - Non-Human Identities Become Legal Entities00:07:30 Finding 4 - IGA Is Declared Finished00:08:30 Finding 5 - AI Jim Is the Root Cause of Everything00:10:00 The April Fools Reveal and Real Talk on Identity00:11:00 Open Jim Claw Interrupts the BroadcastKEYWORDSIDAC, Identity at the Center, Jeff Steadman, Jim McDonald, April Fools, agentic AI, non-human identity, NHI, identity governance, zero trust, passwordless, IGA, IAM, access management, segregation of duties, least privilege, Open Jim Claw

Jim McDonald sits down with Greg Handrick, Director of IAM at Best Buy, for a wide-ranging conversation on running enterprise identity at one of America's largest consumer electronics retailers. Greg traces a nonlinear career path from Oracle DBA and Novell administrator to IAM director. The discussion covers Best Buy's CIO-reporting structure for IAM, how their steering committee evolved from status meetings into a strategic body, and managing identity across workforce, vendors, marketplace sellers, and non-human identities. Greg and Jim also dig into communicating identity value in business language, making the investment case without FUD, identity and cyber convergence, AI adoption, and psychological safety on a well-run IAM team. The Lighter Note wraps with Greg's YouTube-powered DIY hobby life.Connect with Greg: https://www.linkedin.com/in/greghandrick/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTimestamps00:00:00 Intro and upcoming event announcements00:03:00 Meet Greg Handrick, Director of IAM at Best Buy00:04:00 What is Best Buy?00:05:00 Greg's career path from Oracle DBA to IAM Director00:12:00 IAM reporting to the CIO vs. the CISO00:17:00 How Best Buy's IAM steering committee evolved00:22:00 Third-party and non-human identities at scale00:24:00 Identity as a team sport and imposter syndrome00:27:00 Communicating identity value in business language00:28:00 Making the investment case for IAM without FUD00:32:00 Identity and cybersecurity convergence at Best Buy00:35:00 Balancing technical depth with business acumen00:38:00 AI in identity programs today00:39:00 Leadership philosophy and psychological safety00:43:00 Will AI replace identity practitioners?00:46:00 Ledger Note: DIY projects and the power of YouTubeKeywords: IDAC, Identity at the Center, Jim McDonald, Jeff Steadman, Greg Handrick, Best Buy, IAM, identity and access management, identity security, CIO, CISO, steering committee, SailPoint, Ping Identity, Active Directory, third-party identity, non-human identity, identity governance, PAM, privileged access management, zero trust, AI in identity, leadership, retail IAM, imposter syndrome, psychological safety

In this Sponsor Spotlight, Jeff Steadman and Jim McDonald welcome back Stephen Cox, co-founder and CTO of Strivacity, for his third appearance and second sponsored episode. Stephen explains Strivacity's role as a CIAM platform and how it is evolving to address agentic AI identity. Topics include why agentic AI changes the identity equation, how agents differ from humans in authentication and authorization, the delegation model and open standards such as OAuth and token exchange, the limitations of API keys in agentic contexts, where MCP fits into the identity picture, managing multi-agent chains and subagents, and why the accountability model must be established before agentic systems reach production. The episode closes with a lighter note on simulation baseball.This episode is sponsored by Strivacity. Learn more at strivacity.com.Connect with Stephen: https://www.linkedin.com/in/stephencox/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at idacpodcast.comTIMESTAMPS00:00:00 Introduction and welcome00:02:30 About Strivacity and agentic AI platform support00:06:30 Why now is the right time to address agentic identity in CIAM00:09:00 How agent authentication and authorization differ from humans00:14:30 Good bots vs bad bots and the history of autonomous agents in CIAM00:19:00 Building your own agent identity solution: five key focus areas00:23:00 Where Strivacity sits in the agentic identity stack00:26:00 Why open standards matter and the vendor lock-in conversation00:28:00 Managing multiple delegated agents and user-facing control00:32:00 API keys and their limitations in agentic AI contexts00:38:00 MCP servers, proxies, and agent-to-agent protocols00:43:00 Multi-agent chains, subagents, and constrained delegation00:46:00 How existing Strivacity customers extend to agentic use cases00:48:00 The one thing you must get right: the accountability model00:51:00 Lighter note: simulation baseballKEYWORDSIDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Strivacity, Stephen Cox, CIAM, customer identity, agentic AI, AI agents, delegated identity, OAuth, token exchange, MCP, Model Context Protocol, API keys, non-human identity, authorization, authentication, delegation model, accountability, multi-agent, subagents, OpenID Connect, least privilege, identity governance

Jeff and Jim review seven major IAM and cybersecurity industry reports from Q1 2026, covering releases from Check Point, Recorded Future, Sophos, Palo Alto Unit 42, IBM X-Force, Darktrace, and Hypr. They pull high-level findings and hot takes from each, identifying recurring themes: AI accelerating attack speed to as little as 72 minutes from breach to data exfiltration, identity infrastructure as the primary attack surface, machine identities as a growing and undermanaged risk, MFA gaps enabling credential abuse, and the near-impossibility of blocking every intrusion attempt. The episode also covers third-party and supply chain risk, deepfake attacks reaching 87% of surveyed organizations, stalled passkey adoption in the enterprise, and what zero standing privilege looks like in practice. They close with a lighter discussion on dark mode versus light mode and a hypothetical podcast reboot.Reports:Check Point Cyber Security Report 2026 — https://www.checkpoint.com/security-report/Recorded Future 2026 State of Security Report — https://www.recordedfuture.com/research/state-of-securitySophos Active Adversary Report 2026 — https://www.sophos.com/en-us/blog/2026-sophos-active-adversary-reportPalo Alto Networks Unit 42 Global Incident Response Report 2026 — https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-reportIBM X-Force Threat Intelligence Index 2026 — https://www.ibm.com/reports/threat-intelligenceDarktrace Annual Threat Report 2026 — https://www.darktrace.com/resources/annual-threat-report-2026HYPR 2026 State of Passwordless Identity Assurance Report — https://www.hypr.com/reportConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTIMESTAMPS0:00 - Intro and weather chat3:00 - Conference updates: EIC Berlin and Identiverse7:30 - Q1 2026 IAM report roundup overview8:30 - Check Point Cybersecurity Report 202613:00 - Recorded Future State of Security 202617:00 - Sophos Active Adversary Report 202621:00 - Palo Alto Unit 42 Global Incident Response Report23:00 - IBM X-Force Threat Intelligence Index 202628:00 - Darktrace Annual Threat Report 202629:30 - Common themes across reports37:00 - Hypr State of Passwordless Identity Assurance 202644:30 - Overall takeaways: AI speed, machine identity, third-party risk48:00 - Light mode vs. dark mode and podcast reboot hypothetical57:00 - Wrap-upKEYWORDSIAM, identity and access management, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, cybersecurity, Q1 2026, Check Point, Recorded Future, Sophos, Palo Alto, Unit 42, IBM X-Force, Darktrace, Hypr, machine identity, NHI, MFA, passkeys, zero trust, zero standing privilege, AI threats, deepfakes, credential theft, phishing, ransomware, supply chain risk, ITDR, passwordless, EIC, Identiverse

Jeff and Jim welcome Joseph Carson, cybersecurity expert and host of the Security by Default podcast, for a conversation on AI in offensive and defensive security. Joseph shares the real-world incident that inspired his EIC keynote - watching two AI agents negotiate a ransomware payment live. He breaks down how attackers use unconstrained models to lower the skill barrier and accelerate data exfiltration. The conversation covers NATO Lock Shields, the world's largest live cyber defense exercise, identity as national critical infrastructure, and the EU AI Act's risk-based approach. Also: Estonia's AI tax agents, the energy cost of being polite to AI, and the Tamagotchi theory of human-AI relationships.Connect with Joseph: https://www.linkedin.com/in/josephcarsonNATO Locked Shields: https://ccdcoe.org/exercises/locked-shields/Security by Default podcast (Spotify): https://open.spotify.com/show/0mzN5M5CkFVLn8fq5TnH0OConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTIMESTAMPS00:00 Welcome and intro03:02 Conference season and IDAC discount codes04:19 Introducing Joseph Carson and Security by Default10:18 Optimist or pessimist on identity security12:30 AI vs. AI - origin of the concept15:02 Watching two AI agents negotiate a ransomware payment17:26 The Tamagotchi metaphor for human-AI relationships19:07 Who is winning the AI cyber arms race21:00 How AI accelerates attacker capabilities23:09 Dark web LLMs and bypassing guardrails26:36 The energy cost of being polite to AI28:15 Agentic AI skills, campaigns, and the Matrix analogy31:34 Estonia AI agents filing tax returns35:14 Introducing NATO Lock Shields37:00 Protecting a simulated nation from 8,500 cyber attacks38:08 Why identity is national critical infrastructure41:18 AI in Lock Shields before and after43:05 Lock Shields 2025 scoring explained47:04 The EU AI Act - is it the next GDPR50:18 Risk-based approach to AI regulation53:35 Closing thoughts and cautious optimism54:21 Scuba diving vs. snowboarding58:05 Wrap-upKEYWORDSAI vs AI, agentic AI, identity security, NATO Lock Shields, EU AI Act, Joseph Carson, Security by Default, ransomware, dark web LLMs, guardrails, data exfiltration, phishing, critical infrastructure, Estonia, cyber defense, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald

This episode features Drew Russell, Identity Resilience Platform Owner at Rubrik. Jim McDonald and Jeff Steadman explore the intersection of backup, recovery, and identity security. Drew explains how Rubrik evolved from data backup into a cyber resilience platform with identity as a core pillar. Topics include recovering Active Directory, Okta, and Entra ID after ransomware, Rubrik's "bunker in a box" appliance for immutable air-gapped recovery, proactive posture management, CrowdStrike and Defender integrations, and where AI and non-human identities fit into Rubrik's roadmap. The episode wraps with measuring success for a product you hope to never use, and a detour into watch collecting.This episode was made possible by the support of Rubrik. Learn more at rubrik.com/idacConnect with Drew: https://www.linkedin.com/in/drew-russell-3762411b/Learn more about Rubrik: https://www.rubrik.com/idacConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at idacpodcast.comTIMESTAMPS00:00:00 - Welcome and Introduction00:01:19 - Introducing Drew Russell00:01:36 - How Drew Got Into Identity00:02:43 - What Is Rubrik and What Sets It Apart00:03:38 - From Backup to Cyber Resilience00:05:31 - Where Rubrik Fits in the IAM Landscape00:07:08 - Rubrik's Scale: Clients and Growth00:07:51 - Primary Use Cases: Post-Incident Recovery and AD00:09:09 - Kicking Out Compromised Accounts and ADR00:10:11 - Proactive Threat Detection and Mandiant Integration00:11:28 - Scanning Backups to Find the Clean Recovery Point00:12:14 - The Bunker in a Box Explained00:13:18 - Posture Management and Upstream Tool Integration00:14:19 - AI Agent Swarms and the Future Attack Surface00:15:37 - The Taiwan Bank Case Study: Six Weeks to Rebuild AD00:17:16 - The State of Nevada Incident: $400K and 30 Days00:17:56 - What Recovery Covers: AD, Okta, and Entra ID00:19:26 - Post-Restore Change Management and Whitelisting00:20:08 - How Long Should You Store Backups?00:21:19 - Indexing Identity for Intelligent Recovery Points00:22:29 - Excluding Malicious Actions During Restore00:24:41 - Zero Trust for Rubrik's Own Backups00:26:21 - No Windows, No Virtualization Architecture00:27:49 - Proactive Posture Management00:29:00 - CrowdStrike and Defender Real-Time Integration00:30:48 - Why Tabletop Exercises Often Fall Short00:31:53 - AI Roadmap and Non-Human Identities00:34:22 - The Three Pillars: Data, Identity, and AI00:35:29 - Deployment: SaaS vs. On-Prem00:38:37 - Appliance Sizing and Redundancy00:42:23 - Measuring Success for a Product You Hope to Never Use00:43:46 - The Ludacris Rubrik Commercial00:45:31 - Watch Collecting and the Omega Speedmaster00:53:39 - Drew's Closing WordsKEYWORDSIdentity at the Center, IDAC, Jeff Steadman, Jim McDonald, Rubrik, Drew Russell, identity resilience, cyber resilience, Active Directory recovery, AD backup, Okta recovery, Entra ID recovery, identity backup, ITDR, ISPM, non-human identity, NHI, agentic AI, ransomware recovery, bunker in a box, immutable backup, CrowdStrike integration, Microsoft Defender integration, Mandiant integration, identity disaster recovery, ADR, zero trust, tabletop exercises, posture management, IAM, identity security podcast, cybersecurity podcast

In this MailBag episode, Jeff Steadman and Jim McDonald tackle eight questions submitted by listeners from around the world, including Munich, Sao Paulo, Singapore, Toronto, Hanoi, London, Sydney, and Chicago. The conversation covers governing AI and non-human identities, practical first steps toward passwordless adoption, what a mature IAM program actually looks like, who should own identity within an organization, building credibility with leadership as a new IAM practitioner, enforcing least privilege in practice, rethinking access reviews beyond checkbox compliance, and how to make the business case for identity security investment before a breach occurs. The episode wraps up with some lighter listener questions about sports analogies for IAM roles and whether anyone in their personal lives actually understands what they do for a living.Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTIMESTAMPS00:00 - Introduction and RSA Conference debate03:41 - Conference plans for 2026: EIC, Identiverse, and Authenticate05:17 - MailBag intro and how questions get selected06:51 - Q1 (Hans, Munich): Governing AI access vs. human access — same principles or a different approach?12:32 - Q2 (Gabriela, Sao Paulo): Realistic first steps toward passwordless without disrupting everything18:34 - Q3 (Wei, Singapore): What does a mature identity program actually look like?30:26 - Q4 (Marcus, Toronto): When IT and security both claim to own identity, how do you sort it out?39:33 - Q5 (Linh, Hanoi): Building credibility and influence as someone new to the IAM space42:53 - Q6 (Claire, London): Enforcing least privilege in practice without slowing down the business46:14 - Q7 (James, Sydney): Are access reviews just a checkbox exercise, and is there a better way?49:18 - Q8 (Darnell, Chicago): Making the case to a CFO or CEO for identity security investment before a breach52:38 - Lighter note: If IAM was a sport, what position would you play?1:00:27 - Lighter note: Does your family actually understand what you do?1:03:06 - Wrap-up and how to submit future questionsKEYWORDSIDAC, Identity at the Center, Jeff Steadman, Jim McDonald, IAM, identity and access management, MailBag, non-human identity, AI governance, agentic AI, passwordless, passkeys, IAM program maturity, identity ownership, RACI, least privilege, zero standing privilege, access reviews, security theater, identity security budget, business case for IAM, ISPM, IGA, IDPro, Identiverse, EIC, Authenticate conference, RSA conference, cybersecurity podcast, identity security, identity community

Jeff and Jim sit down with David Llorens, principal at RSM, to break down the RSM 2026 Attack Vectors Report. Drawing from real-world offensive security engagements, David explains why identity continues to be the primary attack surface, how AI chatbots are creating new vulnerabilities through prompt injection, and what separates organizations that get breached from those that don't. The conversation covers MFA gaps, the explosion of non-human identities, why PAM is the top investment priority for 2026, and how CISOs can align security spending with business objectives. Plus, the episode wraps up with soccer stories and some quality trash talk.Connect with David: https://www.linkedin.com/in/david-llorens-009a3310/Review RSM's 2026 Attack Vectors Report: https://rsmus.com/insights/services/risk-fraud-cybersecurity/rsm-attack-vector-report.htmlConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTIMESTAMPS0:00 - Intro and Jim's big personal news4:51 - Main topic intro: RSM 2026 Attack Vectors Report5:55 - David's origin story and how he got into cybersecurity9:53 - What a principal is at RSM and David's current role11:16 - What the Attack Vectors Report is and how it is created14:40 - Why identity security is a dominant theme in this year's report17:19 - What separates organizations that get breached from those that don't18:18 - MFA as the first line of defense18:45 - Privileged access management as a growing priority19:40 - Detecting lateral movement through identity anomalies21:00 - Credential rotation as an advanced defensive technique22:26 - Non-human identities and service account risks24:37 - Middle market challenges and budget constraints25:17 - Is it the size of the budget or how you spend it?28:29 - Using internal audit and cross-department collaboration for security wins30:15 - Cybersecurity as a business enabler, not a deterrent32:45 - Non-human identities and agentic AI creating new attack surfaces35:51 - Prompt injection attacks and AI chatbot vulnerabilities39:42 - Actionable recommendations for practitioners42:41 - MFA implementation gaps and session hijacking45:02 - The case for FIDO2 and layered conditional access46:35 - Is identity security a board-level issue?49:47 - Three things CISOs should focus on through 202650:52 - PAM as the top investment priority51:28 - Removing unnecessary privileges from users56:11 - Redefining what privilege means in your organization57:43 - Social media accounts as privileged access58:42 - Credentials stored in SharePoint and OneDrive59:38 - Wrap up and where to find the report59:58 - Lighter topic: David's soccer background and playing semi-pro1:05:06 - Best trash talk stories1:07:03 - Jim's trash talk philosophy: scoreboard1:08:00 - Jeff's basketball trash talk and calling his shots1:10:00 - Final thoughts and sign offKEYWORDSIDAC, Identity at the Center, Jeff Steadman, Jim McDonald, David Llorens, RSM, attack vectors report, offensive security, penetration testing, identity security, MFA, multifactor authentication, privileged access management, PAM, non-human identities, service accounts, agentic AI, AI security, prompt injection, lateral movement, credential rotation, FIDO2, conditional access, session hijacking, middle market, CISO, board-level security, certificate-based authentication, active directory, configuration management, shadow AI

This episode is sponsored by Bravura Security. Learn more at bravurasecurity.com/idac.This is a Sponsor Spotlight episode of the Identity at the Center podcast. Jim McDonald and Jeff Steadman are joined by Bart Allan, General Manager at Bravura Security, to discuss why enterprise password management remains a critical piece of identity security even as organizations pursue passwordless strategies. Bart shares Bravura's history dating back to 1992, starting with self-service password reset and evolving into a full identity security platform spanning identity management, privileged access management, and enterprise password management. The conversation digs into the uncomfortable truth that while organizations may get 80% of their applications onto modern authentication, the remaining 20% still rely on passwords, creating real security risk. Bart explains how treating enterprise passwords the way organizations treat privileged credentials, with automated rotation and centralized management, can remove the human element from password creation and reduce exposure to breaches and social engineering. The group also discusses help desk social engineering attacks, breach recovery challenges, deployment strategies for rolling out an enterprise password manager, and the emerging role of password managers as passkey managers for portability. The episode wraps with some outdoor adventure stories from Bart and Jim.Connect with Bart: https://www.linkedin.com/in/bartholomewallan/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at idacpodcast.comTIMESTAMPS00:00 - Introduction and welcome01:00 - Sponsor Spotlight overview and Bravura Security introduction01:52 - Bart Allan's background in identity03:30 - History of Bravura Security from 1992 to today05:39 - How the Bravura name came to be07:00 - What makes Bravura unique in the identity market08:33 - Why password management still matters09:58 - The uncomfortable truth about passwords and the 80/20 problem13:00 - Personal vs enterprise password managers16:00 - The last mile to passwordless and legacy systems19:00 - Why storing passwords is not enough without active management22:00 - Help desk social engineering and the human element25:00 - Breach response and the fog of war31:00 - Scattered spider scenarios and credential reset at scale35:00 - Is a password manager the only viable option for the final 20%?38:00 - The future of password managers as passkey managers40:00 - Tips for deploying an enterprise password manager42:45 - Measuring success with an enterprise password manager45:17 - Lighter side of the conversation begins46:00 - Bart's backcountry skiing avalanche story from Rogers Pass50:30 - Jim's lightning storm story from backpacking in Yosemite52:53 - Final thoughts from Bart on the passwordless journey54:00 - Wrap up and outroKEYWORDSIDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Bravura Security, Bart Allan, password management, enterprise password manager, passwordless, passkeys, privileged access management, identity security, help desk social engineering, breach recovery, credential rotation, self-service password reset, identity verification, IAM operations, shadow IT, FIDO, sponsor spotlight, password vault, legacy systems

Simon Moffatt, founder and analyst at The Cyber Hut and co-host of The Analyst Brief podcast, returns to Identity at the Center for a wide-ranging conversation about the strategic evolution of identity security. Simon shares an update on his second book, IAM at 2035, which explores where identity is heading over the next decade. The discussion covers why identity has shifted from a back office function to a strategic business enabler, driven by the convergence of cloud, zero trust, and expanding digital ecosystems.Jim and Jeff dig into how organizations can measure their identity security posture, and Simon introduces his Identity Security Scorecard, a framework of 50-plus data points covering visibility, protection, detection, and response. The conversation shifts to the identity attack lifecycle, where Simon explains why organizations need to move beyond log-based forensics and toward real-time detection and response before attacks complete.The group also explores how non-identity data signals, like CAEP and shared signals frameworks, are critical to building a fuller picture of risk. The final segment tackles agentic AI and its implications for identity, including the argument that agentic identities may represent a third identity type distinct from both human and machine. Simon makes the case that AI adoption is outpacing identity and security innovation, creating a widening gap that the industry must address through governance, accountability, and new architectural patterns.Connect with Simon: https://www.linkedin.com/in/simonmoffatt/The Analyst Brief Podcast: https://www.thecyberhut.com/podcast/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTimestamps00:00 Introduction and conference discount codes02:29 Simon Moffatt returns to the show03:58 Update on the IAM at 2035 book07:25 The Analyst Brief podcast and covering identity trends08:44 Identity shifts from back office to strategic priority11:47 The compliance trap and reactionary identity management14:25 Customer identity transparency influencing workforce identity16:52 Defining identity security across 80-plus vendors20:11 Products alone do not solve identity security21:14 Thinking like an attacker about identity flows23:23 Red flags in an organization's identity posture25:43 The identity security scorecard and measuring risk29:27 Avoiding FUD when presenting identity risk to the board32:34 The identity attack lifecycle explained36:53 Building the mindset for real-time detection and response37:41 CAEP, shared signals, and non-identity data sources40:10 Identity as a 24/7 security operations function43:24 Agentic AI drops like a nuclear explosion on identity46:49 The widening gap between AI adoption and identity security47:51 Is agentic identity a third identity type?50:47 What needs to change to address the agentic identity explosion53:24 Will AI shake the core of enterprise IT?57:24 AI may be the only thing that can secure AI58:04 Travel tips for EIC Berlin and European conferences01:02:45 Wrapping upKeywordsidentity security, identity attack lifecycle, identity attack paths, agentic AI, agentic identity, non-human identity, NHI, identity security scorecard, zero trust, CAEP, shared signals framework, identity governance, identity strategy, IAM, identity posture, Simon Moffatt, The Cyber Hut, The Analyst Brief, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald

In this episode of Identity at the Center, hosts Jeff and Jim dive into the details of the Shared Signals Framework (SSF) and Continuous Access Evaluation Profile (CAEP), with special guest Atul Tulshibagwale, the CTO of Signal. The trio discusses the complexities and applications of these identity security standards, recent adoption by major tech companies, and how they are transforming the approach towards identity and access management. Atul also shares exciting news about Signal's impending acquisition by CrowdStrike and reflects on a recent safari trip in Kenya. Tune in to learn about the evolution of identity security and the future of SSF and CAEP.Connect with Atul: https://www.linkedin.com/in/tulshi/Learn more about the Artificial Intelligence Identity Management Community Group: https://openid.net/cg/artificial-intelligence-identity-management-community-group/Learn more about SSF and CAEP:https://openid.net/how-authzen-and-shared-signals-caep-complement-each-other/https://sgnl.ai/whitepaper/caep-best-practices/https://caep.dev/https://youtu.be/qakOw0g2mZ8?si=p8z9imn7x-HhLdcVhttps://www.youtube.com/live/e64YiAmGmf4?si=QPKDg2Jm9oSZmbhZhttp://sharedsignals.guide/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTimestamps:00:00 Introduction and Episode Milestone00:17 Challenges with Installing Molt Bot02:32 MoltBook and AI Agents03:21 Jim's Perspective on AI Assistants09:24 Conferences and Networking10:10 Introduction to Shared Signals and CAEP13:03 CrowdStrike Acquisition of Signal14:03 AI Identity Management Community16:59 Shared Signals Framework and CAEP Explained30:03 Final Version of CAEP and Shared Signals Released30:35 Adoption by Major Technology Providers32:49 Benefits of Implementing Shared Signals36:32 Future of SSF and CAEP40:51 Certification Program for Shared Signals52:48 Real-World Safari Adventure01:00:34 Conclusion and Final ThoughtsKeywords:IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Atul Tulshibagwale, Shared Signals Framework, SSF, CAEP, Continuous Access Evaluation Profile, OpenID Foundation, CrowdStrike, SGNL AI Identity, Agentic Identity, AuthZEN, Risk, Identity Security, IAM, Podcast

This episode is sponsored by PlainID. Visit plainid.com/idac to learn more.In this sponsored episode, Jim McDonald and Jeff Steadman talk with Gal Helemski, CTO and co-founder of PlainID, about the evolving landscape of authorization. The conversation covers the transition from traditional roles and attributes to a modern policy-based access control (PBAC) approach. Gal explains how PlainID helps organizations centralize authorization logic, improve security posture, and simplify the management of access across complex hybrid and multi-cloud environments. The discussion also touches on the importance of visibility into who has access to what and the role of standards like Cedar and Rego in the future of authorization.Connect with Gal: https://www.linkedin.com/in/gal-helemski-b9542231/Learn more about PlainID: plainid.com/idacConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at idacpodcast.comTimestamps:00:00 Introduction to the Sponsor Spotlight02:15 Meet Gal Helemski from PlainID05:30 The shift from RBAC to PBAC10:45 Challenges with traditional authorization methods15:20 How PlainID centralizes authorization logic22:10 Integrating with existing identity providers28:45 The role of visibility and auditing in authorization35:30 Discussion on authorization standards: Cedar and Rego42:15 Future trends in identity and access management50:00 Final thoughts and where to learn moreKeywords:IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, PlainID, Authorization, Policy-Based Access Control, PBAC, RBAC, Cybersecurity, IAM, Access Management, Gal Helemski, Identity Security

In this milestone episode of Identity at the Center, Jeff and Jim celebrate 400 episodes and reflect on their journey over the past six and a half years. They discuss the podcast's evolution, from its early days focusing on strategy and framework to recent themes like cloud identity, governance, and AI-driven technologies. Jim shares his New Year's resolution of writing a book about identity, blending practitioner stories with educational elements, and utilizing AI tools. The duo also highlights significant trends in identity and access management, including frictionless authentication and privilege access management. They look forward to the future of identity within an AI-driven landscape, urging listeners to adapt to technological advancements. Tune in for insights, reflections, and their plans for continuing to grow the podcast.Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTimestamps00:00 Welcome and Milestone Celebration00:44 Reflecting on the Podcast Journey01:27 Jim's New Year's Resolution: Writing a Book05:16 Using AI in the Writing Process09:34 Podcast Growth and Listener Support13:08 Remembering Luis Almeida16:59 Conference Highlights and Discount Codes19:05 Lessons Learned from Podcasting29:01 The Evolution of the Podcast36:01 Pandemic Disruptions and Podcast Challenges36:30 Funny Moments and Swearing on the Show37:24 Identity Management Trends in 202039:20 Cloud Identity and Certifications in 202141:54 Governance and Compliance in 202244:23 Security Convergence and Milestones in 202351:07 Privilege Access Management in 202455:15 Frictionless Authentication in 202558:20 AI and the Future of Identity in 202601:09:00 Reflections and GratitudeKeywords:IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, IAM, podcast, cybersecurity, digital identity, AI, agentic identity, PAM, IGA, cloud security, passkeys, professional development, IDPro, identity governance

Jim McDonald is joined by Jeff Margolies, Chief Product and Strategy Officer at Saviynt, to discuss the intersection of artificial intelligence and identity security. Jeff shares his decades of experience in the industry, from building the IAM practice at Accenture to his current leadership role at Saviynt. The conversation covers how AI is making manually intensive identity tasks more efficient, the emergence of Identity Security Posture Management (ISPM), and the critical need to govern identities for AI agents. Jeff also provides his perspective on the future of the identity practitioner and why he remains an optimist in a rapidly changing technological landscape.Connect with Jeff Margolies on LinkedIn: https://www.linkedin.com/in/jmargolies/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTimestamps:00:00:00 - Introduction and Gartner Identity Conference Recap00:02:11 - Jeff Margolies' Career Journey in Identity and Security00:04:36 - Returning to Identity and Joining Saviynt00:06:13 - How AI is Impacting Identity Security and Governance00:09:56 - The Future of Identity Services in an AI World00:13:58 - Will AI Disrupt the SaaS Model for Identity?00:19:50 - The Impact of AI on the Identity Practitioner Job Market00:26:16 - Identity for AI: Governing Agents and Delegated Authority00:32:00 - Combating Deepfakes and Proving What is Real00:34:40 - The Rise of Identity Security Posture Management (ISPM)00:41:46 - Comparing Posture Management and ITDR00:44:17 - Advice for CISOs: Why Posture Should Come First00:49:35 - The Secret to Saviynt's Success and Future Outlook00:52:19 - Lighter Note: Why Jeff Chose a Tesla for His DaughterKeywords:IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Jeff Margolies, Saviynt, IAM, Identity and Access Management, AI, Artificial Intelligence, ISPM, ITDR, Cybersecurity, Identity Governance, SaaS, IGA

In this episode, Jim McDonald welcomes back Martin Kuppinger, Principal Analyst at KuppingerCole, to discuss the rapidly evolving landscape of identity in 2026. With Jeff Steadman away, Jim and Martin dive deep into the intellectual challenges posed by AI agents and the limitations of traditional non-human identity frameworks. Martin explains why organizations are feeling a sense of disillusionment with AI and how a capability-based identity fabric approach can help manage the complexity. They also explore the balance between security and business enablement, the rise of workload identities, and what to expect at the upcoming European Identity and Cloud Conference (EIC) in Berlin.Connect with Martin: https://www.linkedin.com/in/martinkuppinger/KuppingerCole: https://www.kuppingercole.comEuropean Identity and Cloud Conference (EIC) (don't forget to use our discount code idac25mko): https://www.kuppingercole.com/events/eic2026Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTimestamps00:00 - Welcome back to 2026 and EIC preparations02:48 - The shift from future potential to current AI agent challenges03:12 - Understanding AI disillusionment and the lack of control in regulated industries05:19 - Security as a business enabler vs progress prevention09:55 - Why AI agents should not be classified simply as non-human identities11:43 - Complex relationships between humans, agents, and delegated tasks15:17 - Self-service identity for knowledge workers and AI productivity18:40 - The risks of decentralized agent creation and "shadow" AI21:58 - How AI is being baked into identity products beyond role mining26:55 - Using usage data to reduce over-entitlements34:10 - The Identity Fabric: A capability-based approach to IAM40:33 - Vendor rationalization and the flexibility of the fabric47:19 - Previewing EIC 2026 topics: Wallet initiatives and consent52:44 - Final advice: Curing symptoms vs addressing causesKeywords:IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Martin Kuppinger, KuppingerCole, IAM, AI Agents, Identity Fabric, EIC 2026, Non-Human Identity, Workload Identity, ITDR, IGA, Cybersecurity

Jeff Steadman is joined by RSM colleagues Rich Servillas and Charles John to explore the critical intersection of identity access management, operational resilience, and disaster recovery. Rich, a director from the cyber response group, shares insights from the front lines of ransomware and cloud intrusions, while Chuck, director of operational resilience, discusses the importance of business continuity planning. The conversation covers the true impact of security incidents on brand reputation and operations, the necessity of out-of-band communication, and why identity is often the first thing challenged and the last thing trusted during a crisis. The guests also provide practical advice for IAM professionals on reducing blast radius through standing privilege reduction and robust logging.Connect with Rich: https://www.linkedin.com/in/richard-servillas-041a0551/Connect with Chuck: https://www.linkedin.com/in/chuckjohn/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTimestamps:00:00:00 - Introduction and 2026 conference outlook00:01:44 - Introducing guests Rich and Chuck from RSM00:03:56 - Defining operational resilience and business continuity00:06:22 - When and how to start the planning process00:09:55 - Chuck's background in public health and emergency management00:12:44 - The broad impact of incidents on brand and operations00:16:45 - Key elements every recovery plan must include00:19:14 - Defining incident severity and matrixes00:21:52 - Identity as the new perimeter and its operational dependencies00:24:57 - Why hackers log in rather than break in00:26:46 - The first hours of a cyber incident response00:29:35 - Current threat trends and the role of AI00:31:29 - Updating plans through post-action debriefs00:34:31 - Cyber insurance gaps and contractual SLAs00:40:24 - Advice for identity professionals on reducing blast radius00:46:10 - Personal milestones and looking forward to 2026Keywords:IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, IAM, Cybersecurity, Business Continuity, Disaster Recovery, Operational Resilience, RSM, Incident Response, Ransomware, Cyber Insurance, Identity Governance

Jeff and Jim are joined by Gartner Analyst Rebecca Archambault for a special live edition of the podcast recorded at the Gartner Identity & Access Management Summit in Grapevine, Texas on December 10, 2025. Instead of a traditional interview, the trio hosts "Majority Rules," an interactive game show where the live audience votes on pressing and fun identity topics. Listen in to hear the pulse of the room on everything from the biggest buzzwords of the year and the true purpose of analyst 1:1 sessions, to the best strategies for navigating the vendor hall. The group explores audience preferences on IGA, AI risks, non-human identities, and the most common lies told in sales cycles. It is a fun, lighthearted look at what identity professionals are actually thinking about the current state of the industry.Connect with Rebecca: https://www.linkedin.com/in/rebecca-becky-archambault-4b4285111/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comChapter Timestamps00:00 - Intro and Game Rules02:40 - First Question: Favorite Podcast03:15 - Networking vs. Education04:08 - Buzzword of the Year: Agentic Identity04:47 - User Behavior Analytics Usage05:37 - Expo Hall Memories and Socks06:20 - The Twist: Battle Royale Rules06:45 - The True Purpose of Analyst 1:1s07:55 - Mitigating Agentic AI Risks08:55 - Strategies for the Vendor Hall09:37 - The Future of IGA10:15 - Favorite Gartner Reports11:05 - Benefits of Just-in-Time Access11:45 - AI in Authentication Priorities12:35 - Securing Non-Human Identities13:05 - Keys to Successful B2B IAM 13:40 - The Hardest Part of Role Mining14:15 - PAM for AI Agents14:50 - Keynote Takeaways15:40 - Measuring IAM Success16:20 - Defining ITDR17:05 - The Biggest Lie in IAM Sales17:35 - Least Favorite Gartner Report18:10 - Audit Preparation Preferences18:45 - Common Lies in the Vendor Hall19:15 - The Most Dangerous Access Right19:35 - Winner Announcement and OutroKeywordsIAM, identity management, cybersecurity, Gartner IAM Summit, Majority Rules, game show, Rebecca Archambault, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Agentic Identity, ITDR, non-human identity, role mining, zero standing privileges

#395 - Sponsor Spotlight - RedblockThis episode is sponsored by Redblock. Visit redblock.ai/idac to learn more.Jeff and Jim come to you live from the Gartner IAM Summit in Grapevine, Texas, for a special Sponsor Spotlight with Redblock. They sit down with CEO Indus Khaitan to discuss how Redblock uses AI and computer vision to solve the "last mile" problem in identity management: disconnected applications.Indus explains how Redblock acts as an "agentic" layer, using screen recordings to learn administrative tasks for apps that lack APIs. The conversation covers the origin of the company name, the urgency of securing the "long tail" of applications, and how they build trust and guardrails around AI execution. They also discuss the "DoorDash" analogy for identity fulfillment and wrap up with a fun chat about Indus's passion for flying planes.Connect with Indus: https://www.linkedin.com/in/khaitan/Learn more: redblock.ai/idacConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at [idacpodcast.com](http://idacpodcast.com)Timestamps00:00 Introduction from Gartner IAM Summit00:46 Guest Introduction: Indus Khaitan of Redblock01:40 Indus's Journey into Identity02:41 The Origin of the Name "Redblock"04:20 The Underserved Market: Services vs. Software07:34 The Urgency of Securing Disconnected Apps09:19 Why Traditional IGA and PAM Aren't Enough11:35 The DoorDash Analogy: Where Redblock Fits14:30 What Makes Redblock Unique? (Agentic Process Automation)16:15 Trusting AI with Security Tasks18:50 Onboarding Apps via Video Recording21:23 Deployment: Running Air-Gapped on Customer Cloud22:17 Handling UI Changes and "Full Self-Driving" Analogy25:40 Integration with SailPoint and Governance Tools27:13 Speed of Integration: Days vs. Years32:00 How the "Headless Browser" Works33:35 Limitations: Web Apps vs. Thick Clients36:58 Redblock's 2025 Milestones and Future Outlook39:48 Call to Action: Solving Disconnected Apps40:27 Impressions of the Gartner IAM Summit44:26 Are We in an AI Bubble?46:46 Indus's Hobby: Flying PlanesKeywordsIDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Redblock, Indus Khaitan, AI, Artificial Intelligence, IAM, Identity and Access Management, Disconnected Apps, Agentic AI, Computer Vision, Gartner IAM Summit, RPA, IGA, Cybersecurity

We are live from the Gartner IAM Summit 2025 in Grapevine, Texas! In this episode, we welcome back Sarah Clark, now the Chief Product Officer and GM of North America at Hopae. Sarah shares her journey from Mastercard to buying rainforests in Costa Rica and rescuing dogs, before diving deep into the world of digital identity infrastructure. We discuss connecting government-issued digital IDs with the private sector to combat fraud and improve user experiences. Sarah breaks down the differences in global adoption, highlighting why the EU is leading the charge with upcoming mandates and how countries like Brazil and India are scaling their programs. We also explore the state of mobile driver's licenses in the US, the potential for age verification and workforce management use cases, and whether the US can catch up to the rest of the world. Plus, we wrap up with a heartfelt conversation about dog rescue and the challenges of pet adoption.Connect with Sarah https://www.linkedin.com/in/sarahmclark/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTimestamps00:00:00 - Intro: Live from Gartner IAM Summit 202500:01:25 - Introducing Sarah Clark and her journey to Hopae00:03:00 - What is Hopae and the vision for digital identity infrastructure?00:04:19 - Why governments are moving toward digital IDs (186 countries!)00:05:32 - Solving the fraud crisis with government-issued credentials00:07:05 - The benefits: Security, efficiency, and inclusion00:08:52 - Global adoption curves: India, Philippines, and Brazil00:10:48 - The EU vs. US: Who is winning the digital ID race?00:14:04 - eIDAS 2.0 mandates and the intermediary role00:17:03 - Future trends: Age verification, Fintech, and stablecoins00:19:54 - Workforce management and "Know Your Employee"00:21:28 - Sarah's passion project: Rainforest preservation and dog rescue00:25:35 - Closing thoughts on the future of identityKeywordsIDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Sarah Clark, Hope, Digital Identity, Digital Wallets, Mobile Driver's License, mDL, eIDAS 2.0, Identity Verification, Fraud Prevention, KYC, Verifiable Credentials, Gartner IAM Summit, Digital Infrastructure, Biometrics, Age Verification

Join Jeff, Jim, and special guest Ian Glazer at the Gartner IAM Summit 2025 as they discuss the Identity and Access Management (IAM) industry, the evolution of IAM practices, and the exciting new concepts like Continuous Identity. They delve into topics such as the impact of AI, shared signals framework, and the struggles and triumphs of identity practitioners. Plus, hear about the Digital Identity Advancement Foundation's mission and enjoy some lighter moments with tales of 'chuckles' and supper clubs. Don't miss this insightful and entertaining episode of the Identity at the Center podcast.Connect with Ian: https://www.linkedin.com/in/iglazer/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTimestamps00:00 Introduction and Casual Banter00:50 Conference Highlights and Podcast Milestones03:00 Introducing Ian Glazer05:43 Digital Identity Advancement Foundation (DIF)08:09 Challenges in Identity Governance and Administration (IGA)13:28 Continuous Identity: A Paradigm Shift22:31 Real-World Applications and Organizational Impact31:51 Realistic Security Measures32:28 Maturity of Identity and Access Management34:54 Skills and Challenges in IAM36:44 Metrics and Outcomes in IAM40:23 Identity Practitioner Skills41:19 Solving Problems with AI46:21 Continuous Identity and Future Trends48:45 Identity Salon and Community54:19 Wrapping Up and Future EventsKeywordsIan Glazer, Continuous Identity, Shared Signals Framework, CAEP, Gartner IAM Summit, Identity Security, Joiner Mover Leaver, IGA, Access Certification, Identity Salon, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, IAM, Cybersecurity, Non-Human Identity, Identity Practitioner, DIAF

Join hosts Jeff Steadman and Jim McDonald for a special live episode recorded on location at Identiverse DC! In this interactive session, Jeff and Jim host a game of "Majority Rules," where the audience competes not to answer correctly, but to guess the most popular answer in the room.The game covers a wide range of topics, from the trivial (worst conference swag and the official uniform of an IAM architect) to the technical (securing API keys, the biggest bottlenecks in IGA, and the primary causes of role explosion).Things get intense halfway through with the introduction of the Battle Royale rules, where picking the minority answer sends a player's score back to zero. Watch to see who survives the explosions and takes home the grand prize.Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comChapter Timestamps00:00 Intro to Identity at the Center Live00:36 Explaining the Rules of Majority Rules04:25 Question 1: The Worst Conference Swag06:00 Question 2: Replying to Access Denied07:05 Question 3: AI in Identity Management08:40 Question 4: Favorite MFA Method10:12 Question 5: Least Favorite Auth Factor11:15 Turning up the Heat: Battle Royale Mode12:10 Question 6: Why RBAC is Difficult at Scale13:30 Question 7: The IAM Architect Uniform14:50 Question 8: Best Place to Hide a Secret16:15 Question 9: Protocols You Secretly Miss17:25 Question 10: Most Hated Specialized Key18:40 Question 11: Conference Responsibilities20:00 Question 12: Securing API Keys21:20 Question 13: Secrets to Surviving Keynotes22:55 Question 14: The Biggest Bottleneck in IGA24:45 Question 15: Causes of Role Explosion25:50 Question 16: What Breaks First After a Schema Update26:40 Final Question: Fastest Way to Confuse a User27:40 Crowning the WinnerKeywordsIDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Identiverse, Identiverse DC, IAM, Identity and Access Management, Cybersecurity, InfoSec Game Show, Live Podcast, Majority Rules, MFA, IGA, API Security, RBAC, Role Explosion, Tech Humor, Cyberrisk Alliance

Jeff and Jim come to you live from the expo floor at Identiverse DC 2025. They are joined by John DelMauro, Executive Vice President at Cyber Risk Alliance, to discuss the energy of regional events and how they differ from the massive Las Vegas gatherings.The group discusses the current state of the identity industry, the inevitable presence of AI in both marketing and event planning, and the "Identity at the Center" game show that took place earlier in the conference. John provides an exclusive look ahead at what is being planned for Identiverse in Las Vegas, including a new algorithmic approach to one-on-one networking, expanded pavilions, and potentially even puppies.Finally, the conversation shifts to a fun hypothetical: if money and logistics were no object, what kind of conference would each of them launch? The answers range from health and longevity in Austin to a technology expo in Japan.Connect with John: https://www.linkedin.com/in/john-del-mauro/Learn more about the CyberRisk Alliance: https://www.cyberriskalliance.com/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comChapter Timestamps00:00 Introduction and vibes from Identiverse DC00:52 Recapping the Majority Rules game show02:00 Introducing John DelMauro from Cyber Risk Alliance03:59 What is Cyber Risk Alliance?05:25 The benefits of regional events vs. Las Vegas09:15 Current themes: AI dominating the conversation13:21 How AI helps in planning and researching events15:50 Previewing Identiverse Las Vegas 202517:10 The new one-on-one networking algorithm22:15 Breaking news: Puppies at the conference?24:45 Hypothetical: What dream conference would you host?27:45 Jim's take on a longevity conference29:18 Jeff's dream of a tech nerd-con31:00 Closing thoughts and wrap upKeywordsIDAC, Identity at the Center, Jeff Steadman, Jim McDonald, John DelMauro, CyberRisk Alliance, Identiverse, Cybersecurity, Event Planning, Networking, InfoSec, AI in Events, Washington DC, Conference Trends

In this episode of the Identity at the Center Podcast, hosts Jeff and Jim sit down with Tobin South, co-chair of the OpenID Foundation's AI Identity Management Community Group, to delve into the intricacies of identity management in the age of agentic AI. They discuss the challenges and solutions related to AI agents, the role of the Model Context Protocol (MCP), and the concept of recursive delegation and scope attenuation. Additionally, the conversation covers practical advice for developers and enterprises on preparing for AI-driven identity management and explores the cultural touchstone of coffee from various global perspectives.Connect with Tobin: https://www.linkedin.com/in/tobinsouth/OpenID Foundation: https://openid.net/Identity Management for Agentic AI (OpenID Whitepaper): https://openid.net/wp-content/uploads/2025/10/Identity-Management-for-Agentic-AI.pdfConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comChapter Timestamps:00:00 – Jeff and Jim banter about unopened iPads and conference season05:55 – Introduction to Tobin South and his AI identity background07:00 – How AI has evolved from machine learning to generative models09:00 – The OpenID AI Identity Management Community Group10:30 – ChatGPT's impact on the AI perception shift12:00 – Users vs. Agents: What's the difference?14:00 – Letting the right bots in: AI agents vs. bad bots17:00 – AI impersonation, delegation, and the risk of shared credentials20:00 – Impersonation vs. Delegation – what practitioners need to know23:00 – Governance, oversight, and delegated authority for agents26:00 – Liability and “who is responsible” in agentic systems30:00 – How developers can prepare for agent identity and access management32:00 – Explaining the Model Context Protocol (MCP)36:00 – Enterprise use cases for MCP and internal automation38:00 – Is MCP the next SAML?42:00 – Recursive delegation and scope attenuation explained46:00 – The one key takeaway for IAM professionals48:00 – Lighter note: Coffee talk – from Sydney to San Francisco54:00 – Wrap-up and where to find more IDAC contentKeywords:IDAC, Identity at the Center, Jim McDonald, Jeff Steadman, Tobin South, OpenID Foundation, AI Identity Management, Agentic AI, Delegated Authority, Impersonation vs Delegation, Model Context Protocol (MCP), Recursive Delegation, Scope Attenuation, Identity Access Management, IAM, AI Governance, AI Standards, Enterprise AI, AI Agents, Identity Security

This episode is sponsored by Aembit. Visit aembit.io/idac to learn more.Jeff and Jim welcome David Goldschlag, CEO and Co-founder of Aembit, to discuss the rapidly evolving world of non-human access and workload identity. With the rise of AI agents in the enterprise, organizations face a critical challenge: how to secure software-to-software connections without relying on static, shared credentials.David shares his unique background, ranging from working on The Onion Router (Tor) at the Naval Research Lab to the DIVX rental system, and explains how those experiences inform his approach to identity today. The conversation covers the distinction between human and non-human access, the risks of using user credentials for AI agents, and why we must shift from managing secrets to managing access policies.This episode explores real-world use cases for AI agents in financial services and retail, the concept of hybrid versus autonomous agents, and practical advice for identity practitioners looking to get ahead of the agentic AI wave.Visit Aembit: https://aembit.io/idacConnect with David: https://www.linkedin.com/in/davidgoldschlagConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at idacpodcast.comTimestamps00:00 - Intro00:51 - Pronunciation of Aembit and the extra 'E'01:56 - David's background: From NSA to Enterprise Security04:58 - The meaning behind the name Aembit06:00 - David's history with The Onion Router (Tor)10:00 - Differentiating Non-Human Access from Workforce IAM11:39 - The security risks of AI Agents using human credentials14:15 - Manage Access, Not Secrets16:00 - Use Cases: Financial Analysts and Retail24:00 - Hybrid Agents vs. Autonomous Agents30:38 - Will we have agentic versions of ourselves?36:45 - How Identity Practitioners can handle the AI wave38:33 - Measuring success and ROI for workload identity43:20 - A blast from the past: DIVX and Circuit City52:15 - ClosingKeywordsIDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Aembit, David Goldschlag, Non-human access, Workload Identity, AI Agents, Machine Identity, Cybersecurity, IAM, InfoSec, Tor, DIVX, Zero Trust, Secrets Management, Authentication, Authorization

In this episode of The Identity at the Center Podcast, hosts Jim McDonald and Jeff Steadman catch up with John Tolbert, Director of Cybersecurity Research at KuppingerCole Analysts, to talk about the rapidly evolving world of Fraud Reduction Intelligence Platforms (FRIP).They explore:The six capabilities of modern fraud reduction systemsHow AI and machine learning are both helping and hurting fraud preventionWhy shared signals and orchestration are critical for financial and e-commerce use casesHow identity verification, device intelligence, and behavioral biometrics work togetherThe role of usability and integration in FRI adoptionPlus, stick around for a fun discussion about concerts, classic rock, and which legendary bands they wish they'd seen live.Listen now to learn how identity, fraud, and AI are colliding — and what's next for fraud intelligence.Connect with John: https://www.linkedin.com/in/john-tolbert/Fraud Reduction Intelligence Platforms - Finance (KuppingerCole Report): https://www.kuppingercole.com/research/lc80841/fraud-reduction-intelligence-platforms-financeFraud Reduction Intelligence Platforms - eCommerce (KuppingerCole Report): https://www.kuppingercole.com/research/bc81030/fraud-reduction-intelligence-platforms-ecommerceConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comChapter Timestamps:00:00 – Jim's passwordless rant and setup woes05:00 – Introducing guest John Tolbert06:30 – Catching up: four years since John's last appearance07:30 – What is CIAM and how has it evolved?09:30 – Understanding Fraud Reduction Intelligence Platforms (FRIP)10:00 – The six core capabilities of FRI solutions13:00 – Are most vendors point solutions or full platforms?14:00 – How identity verification is improving16:00 – SaaS and API-driven fraud detection models18:00 – What kinds of fraud can (and can't) FRI prevent?21:00 – The growing problem of bots and automation22:00 – Fraud trends in finance: scams, account takeovers, and synthetic identities25:00 – Information sharing and the role of shared signals28:00 – Collaboration vs. competition in fraud prevention31:00 – Fraud in e-commerce: bots, loyalty points, and returns abuse34:00 – Streaming and citizen fraud use cases36:00 – Where do FRI capabilities fit within IAM platforms?43:00 – The importance of orchestration and integration44:30 – The role of AI and ML in fraud prevention47:30 – Smart questions for evaluating FRI vendors50:30 – Concert talk: Pink Floyd, Metallica, and the ones that got away58:00 – Wrap-up and where to find John Tolbert's reportsKeywords:Fraud Reduction Intelligence, FRI Platforms, John Tolbert, KuppingerCole, Identity at the Center, IDAC, IAM, CIAM, Cybersecurity Research, Fraud Prevention, Machine Learning, Artificial Intelligence, Behavioral Biometrics, Device Intelligence, Identity Verification, Risk Orchestration, API Security, Financial Fraud, E-Commerce Fraud, Shared Signals, Jim McDonald, Jeff Steadman, IDAC Podcast

Jim McDonald and Jeff Steadman sit down with Mike Reiring of RSM at InfoSec World 2025 to explore how managed service providers are reshaping IT and identity operations. They dig into the differences between MSPs and MSSPs, how to choose the right partner, and how AI is transforming help desks, problem management, and security monitoring. The conversation closes with a fun dive into Mike's passion for photography and how creativity ties into continuous learning in tech.Connect with Mike: https://www.linkedin.com/in/mreiring/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comChapters00:00 Intro – Live from InfoSec World 202502:00 Meet Mike Reiring of RSM04:30 Evolution of Managed Service Providers06:30 Shared Accounts, Identity, and Security Maturity09:00 Vendor Gaps and Federated Access Challenges11:30 What Makes a Good MSP Partner13:00 The Cost and Effort of Changing Providers16:30 MSP vs MSSP – Key Differences18:30 Coordination Between Managed Providers21:30 Top 3 Questions to Ask Your MSP25:00 Identity Ownership: IT or Security?27:30 Licensing, Active Directory, and Hidden Accounts30:00 RFP Challenges and Procurement Pitfalls32:00 Measuring Risk and Reducing Identity Exposure34:30 Vendor Management and Shadow IT Risks35:00 How AI Is Transforming MSP and MSSP Operations38:30 AI, Problem Management, and the Future of Help Desks42:30 Photography, Creativity, and Continuous Learning48:00 Closing Thoughts and IDAC OutroKeywordsIDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Mike Reiring, RSM, InfoSec World 2025, Managed Service Provider, MSP, MSSP, AI in Cybersecurity, Help Desk, Identity Management, Managed Identity, Partner Transparency, IT Outsourcing, Risk Reduction, Problem Management, Active Directory, DaVinci Resolve, Photography in Tech, Identity Governance, Cybersecurity Podcast

In this episode of the Identity at the Center podcast, hosts Jeff and Jim broadcast from InfoSec World 2025, sharing lively discussions on identity management, AI security, and identity's evolving role in information security. They are joined by Ross Young and G Mark Hardy, co-hosts of the CISO Tradecraft podcast, who share their journeys into cybersecurity, illuminating how identity intersects with cybersecurity topics like deep fakes, AI implications, and non-human identities. The conversation also covers practical advice for securing budget approvals for identity projects and speculations on the role of AI in cybersecurity's future. The episode wraps up with each guest sharing personal ideas for potential new podcast ventures.The CISO Tradecraft podcast: CISOTradecraft.comConnect with Ross: https://www.linkedin.com/in/mrrossyoung/Connect with G Mark: https://www.linkedin.com/in/gmarkhardy/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comChapters00:00 Introduction and Welcome00:16 Live from InfoSec World 202500:52 Shoutouts and Day Jobs01:37 Meeting Ross and G Mark from the CISO Tradecraft podcast02:22 Ross's Journey into Cybersecurity04:24 G Mark's Cybersecurity Career Path07:44 Top Concerns for CISOs Today09:53 The Role of Identity in Cybersecurity16:18 Challenges and Trends in Identity Management24:33 Pitching Identity Projects to CISOs32:21 The Role of AI in Automating SOC Operations33:23 AI's Impact on Developer Efficiency35:48 The Future of AI-Assisted Coding37:42 Challenges and Opportunities in AI and Cybersecurity39:46 The Importance of Human Expertise in AI Development48:17 The Role of Identity in Information Security49:44 Introduction to CISO Tradecraft Podcast55:24 Podcasting Tips and Personal Interests01:00:48 Conclusion and Final ThoughtsKeywords:Identity at the Center, IDAC, CISO Tradecraft, InfoSec World 2025, cybersecurity leadership, identity security, IAM, AI security, Jeff Steadman, Jim McDonald, Ross Young, G. Mark Hardy, InfoSec, CISOs, cyber career development, non-human identity, deepfakes, security automation

This episode is sponsored by Nexis. Visit nexis-secure.com/idac to learn more.In this sponsored episode of *Identity at the Center*, host Jim McDonald sits down with Dr. Heiko Klarl, CEO of Nexis, to explore how the company is advancing authorization governance for modern enterprises. Dr. Klarl explains how Nexis builds visibility and control across fragmented identity landscapes and why “better together” is the right strategy for enterprises with multiple IAM systems.They discuss the emerging Identity Visibility and Intelligence Platform (IVIP) category, the value of automation and remediation in governance, Nexis's unique “health check” service, and their ISPM capability that helps clients identify unnecessary access—and even save on software licensing.Learn how Nexis integrates with IGA and PAM tools, streamlines application onboarding, and helps customers measure the real business impact of their identity programs.Connect with Heiko: https://www.linkedin.com/in/heiko-klarl/More about Nexis: https://nexis-secure.com/idacConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at idacpodcast.comChapters00:00 Introduction and Sponsor Message00:42 Meet Dr. Heiko Klarl, CEO of Nexis01:29 Dr. Klarl's Journey into Identity and Access Management03:09 What Does Nexis Do?05:00 Challenges in Authorization Governance06:43 The Importance of Visibility in Identity Systems08:23 Nexis' Role in Enhancing Existing IAM Investments10:05 The Concept of IVIP and Its Relevance21:48 Nexis Platform Capabilities23:24 The Health Check: A Deep Dive27:22 Understanding Health Check Costs28:27 Exploring ISPM and License Management32:09 How Nexis Integrates with IGA Systems34:11 Application Onboarding and Compliance36:38 Measuring Value and Success with Nexis43:10 Global Reach and Market Focus45:02 Connecting at Conferences46:49 Visiting Germany: Recommendations and Insights50:17 Final Thoughts and ResourcesKeywordsIDAC, Identity at the Center, Jim McDonald, Jeff Steadman, Dr. Heiko Klarl, Nexis, Nexis Secure, NEXIS 4, authorization governance, role mining, role management, IGA, IAM, IVIP, Identity Visibility and Intelligence Platform, access certification, remediation automation, health check, ISPM, Identity Security Posture Management, license management, enterprise identity, compliance, visibility, identity governance, access review, Gartner IAM, EIC, KuppingerCole

Live from Authenticate 2025, Jeff Steadman and Jim McDonald sit down with the Cal Ripken of IDAC, Andrew Shikiar, Executive Director and CEO of the FIDO Alliance. Andrew shares exciting updates on the incredible progress of Passkeys, revealing that over 3 billion are now in use securing accounts. We discuss the key themes of the conference, including the ongoing arms race with AI in security and the critical role of identity verification. Andrew also unveils the new Passkey Index, an initiative to provide industry benchmarks for deployment success. Looking ahead, the conversation shifts to the FIDO Alliance's broadening focus on digital credentials and wallets, aiming to solve the usability and certification challenges that have held the space back. Finally, we hear about the global expansion of the Authenticate conference brand, with a new event launching in Singapore.Connect with Andrew: https://www.linkedin.com/in/andrewshikiar/Learn more about FIDO: https://fidoalliance.org/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comChapter Timestamps:00:00:00 - Introduction to Authenticate 2025 Themes00:02:50 - Welcoming Andrew Shikiar of the FIDO Alliance00:04:00 - Andrew's Keynote: Passkey Progress and Future Goals00:05:17 - Over 3 Billion Passkeys in Use00:06:57 - Improving the Passkey User Experience (UX)00:09:02 - Introducing the Passkey Index for Benchmarking00:10:46 - The Growth of the Authenticate Conference00:14:55 - FIDO Alliance's New Focus: Digital Credentials and Wallets00:17:25 - Overcoming Hurdles in Digital Credential Adoption00:20:03 - The Role of Major Stakeholders in FIDO's Success00:23:05 - The Future of the Authenticate Conference00:24:00 - Announcing Authenticate APAC in Singapore00:25:07 - Global Differences in Passkey Adoption00:28:19 - Closing Thoughts and FIDO Feud RecapKeywords:Andrew Shikiar, FIDO Alliance, Passkeys, Authenticate 2025, identity verification, digital credentials, digital wallets, passwordless, WebAuthn, user experience, Passkey Index, cybersecurity, authentication, mobile driver's license, multi-factor authentication, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald

Live from Authenticate 2025, Jeff Steadman and Jim McDonald sit down with Dr. Tina Srivastava, an IDPro board member and co-founder of Badge Inc., for a crucial discussion on the rapidly evolving landscape of identity and authentication.Tina shares her insights on the conference, the evolution from physical hacks to sophisticated AI-driven threats like supercharged phishing, and the current challenges facing the industry. The conversation delves into the complexities of synced Passkeys, the critical vulnerability of account recovery processes, and the slow pace of regulation in keeping up with technology.As a board member for IDPro, Tina highlights the immense value of the practitioner-focused community, the supportive culture within its Slack channels, and makes an exciting announcement about the creation of new member-driven committees to shape the future of the organization. They explore the concept of the "AI arms race" and why identity professionals cannot afford to wait for the next big thing, emphasizing that collaboration and information sharing through communities like IDPro are essential to staying ahead of adversaries.Connect with Tina: https://www.linkedin.com/in/tina-s-8291438a/Find out more about IDPro: https://www.idpro.org/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comChapters00:00 Introduction and Greetings00:16 Highlights from Authenticate 202501:39 FIDO Feud Rematch Discussion03:17 Guest Introduction: Tina Srivastava03:46 Conference Insights and AI Challenges06:16 Regulatory Environment and Passkeys09:11 Phishing and AI Supercharged Attacks12:28 QR Codes and Accessibility Issues13:09 The Importance of Phishing Resistant Authentication22:24 IDPro Community and Practitioner Support25:18 Community Support and Engagement26:26 IDPro's Role in Identity Events27:48 Future Directions for IDPro29:19 Introducing Committees in IDPro30:39 AI and Identity Verification37:07 The Importance of Information Sharing45:35 Public Speaking and Personal Growth50:58 Conclusion and Final ThoughtsKeywordsIDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Tina Srivastava, IDPro, Authenticate 2025, Passkeys, AI, Artificial Intelligence, Cybersecurity, Phishing, Deepfakes, Authentication, Account Recovery, Biometrics, Identity and Access Management, IAM, NIST, Regulation, Identity Verification, Synced Passkeys, FIDO Alliance

This episode is sponsored by HYPR. Visit hypr.com/idac to learn more.In this episode from Authenticate 2025, Jim McDonald and Jeff Steadman are joined by Bojan Simic, Co-Founder and CEO of HYPR, for a sponsored discussion on the evolving landscape of identity and security.Bojan shares his journey from software engineer to cybersecurity leader and dives into the core mission of HYPR: providing fast, consistent, and secure identity controls that complement existing investments. The conversation explores the major themes from the conference, including the push for passkey adoption at scale and the challenge of securely authenticating AI agents.A key focus of the discussion is the concept of "Know Your Employee" (KYE) in a continuous manner, a critical strategy for today's remote and hybrid workforces. Bojan explains how the old paradigm of one-time verification is failing, especially in the face of sophisticated, AI-powered social engineering attacks like those used by Scattered Spider. They discuss the issue of "identity sprawl" across multiple IDPs and why consolidation isn't always the answer. Instead, Bojan advocates for a flexible, best-of-breed approach that provides a consistent authentication experience and leverages existing security tools.Connect with Bojan: https://www.linkedin.com/in/bojansimic/Learn more about HYPR: https://www.hypr.com/idacConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at idacpodcast.comChapter Timestamps:00:00 - Introduction at Authenticate 202500:23 - Sponsored Episode Welcome: Bojan Simic, CEO of HYPR01:11 - How Bojan Simic Got into Identity and Cybersecurity02:10 - The Elevator Pitch for HYPR04:03 - The Buzz at Authenticate 2025: Passkeys and Securing AI Agents05:29 - The Trend of Continuous "Know Your Employee" (KYE)07:33 - Is Your MFA Program Enough Anymore?09:44 - Hackers Don't Break In, They Log In: The Scattered Spider Threat11:19 - How AI is Scaling Social Engineering Attacks Globally13:08 - When a Breach Happens, Who's on the Hook? IT, Security, or HR?16:23 - What is the Right Solution for Identity Practitioners?17:05 - The Critical Role of Internal Marketing for Technology Adoption22:27 - The Problem with Identity Sprawl and the Fallacy of IDP Consolidation25:47 - When is it Time to Move On From Your Existing Identity Tools?28:16 - The Role of Document-Based Identity Verification in the Enterprise32:31 - What Makes HYPR's Approach Unique?35:33 - How Do You Measure the Success of an Identity Solution?36:39 - HYPR's Philosophy: Never Leave a User Stranded39:00 - Authentication as a Tier Zero, Always-On Capability40:05 - Is Identity Part of Your Disaster Recovery Plan?41:36 - From the Ring to the C-Suite: Bojan's Past as a Competitive Boxer47:03 - How to Learn More About HYPRKeywords:IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Bojan Simic, HYPR, Passkeys, Know Your Employee, KYE, Continuous Identity, Identity Verification, Authenticate 2025, Phishing Resistant, Social Engineering, Scattered Spider, AI Security, Identity Sprawl, Passwordless Authentication, FIDO, MFA, IDP Consolidation, Zero Trust, Cybersecurity, IAM, Identity and Access Management, Enterprise Security

In this episode, Jim McDonald and Jeff Steadman are joined by Steve Rennick, Senior Leader for IAM Architecture at Ciena, for a wide-ranging discussion on the most pressing topics in identity today.The conversation kicks off with a practical look at vendor demos, sharing best practices for cutting through the slideware and getting to the heart of a product's capabilities. From there, they dive deep into the complex world of Non-Human Identities (NHI). Steve shares his practitioner's perspective on why NHIs are such a hot topic, the challenges of managing them, and the risks they pose when left unchecked.The discussion covers:Why traditional IAM approaches fail for non-human identities.The importance of visibility and creating a standardized process for NHI creation.The debate around terminology: NHI vs. machine identity vs. service accounts.The reasons for NHI's current prominence, including threat actors shifting focus away from MFA-protected human accounts.Practical, actionable advice for getting a handle on legacy service accounts.The emerging challenge of IAM for AI and the complexities of managing agentic AI.The critical role of authorization and the future of policy-based access control.Whether you're struggling with service account sprawl, preparing for an AI-driven future, or just want to run more effective vendor demos, this episode is packed with valuable insights.Connect with Steve: https://www.linkedin.com/in/steven-rennick/ARIA (Agent Relationship-Based Identity & Authorization) LinkedIn Post from Patrick Parker: https://www.linkedin.com/posts/patrickparker_ai-agent-authorization-activity-7335265428774031360-braE/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comCHAPTER TIMESTAMPS:00:00:10 - Introduction & The Art of the Vendor Demo00:08:02 - Steve Rennick's Take on Vendor Demos00:12:39 - Formal Introduction: Steve Rennick00:14:45 - Recapping the Identiverse Squabble Game Show00:17:22 - The Hot Topic of Non-Human Identities (NHI)00:22:22 - Is NHI a Joke or a Serious Framework?00:26:41 - The Controversy Around the Term "NHI"00:30:24 - How to Simplify NHI for Practitioners00:34:06 - First Steps for Getting a Handle on NHI00:37:20 - Can Active Directory Be a System of Record for NHI?00:45:08 - Why is NHI a Hot Topic Right Now?00:51:19 - The Challenge of Cleaning Up Legacy NHIs00:58:00 - IAM for AI: Managing a New Breed of Identity01:03:33 - The Future is Authorization01:06:22 - The Zero Standing Privilege Debate01:10:39 - Favorite Dinosaurs and OutroKEYWORDS:NHI, Non-Human Identity, Machine Identity, Service Accounts, Vendor Demos, IAM for AI, Agentic AI, Authorization, Zero Trust, Zero Standing Privilege, Secrets Management, IAM Strategy, Cybersecurity, Identity and Access Management, Steve Rennick, Ciena, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald

In this episode of the Identity at the Center podcast, Jim McDonald interviews Sebastian Rohr, the Chief Troublemaker at Umbrella Labs. They discuss the evolution of identity management, the challenges of digital identity, and the importance of national ID systems. Sebastian shares his personal journey into the identity field, the impact of digital identities on individuals, and the challenges faced in developing countries regarding identity verification. The conversation also touches on the role of AI in identity management, the importance of community in the identity space, and the cultural significance of German Unification Day.Connect with Sebastian: https://www.linkedin.com/in/sebastianrohr/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comChapters00:00 Introduction and Guest Introduction05:13 Sebastian's Origin Story in Identity11:00 The Evolution of Identity Verification15:24 Challenges in Identity Verification Technology20:13 The Importance of Birth Registration26:58 Real-World Stories from Identity Management32:30 Tips for Identity Practitioners35:22 Finding the Right Balance in Digital Transformation36:21 EUDI: The Future of Digital Identity40:02 Addressing Bias in Identity Systems44:11 The Impact of AI on Identity Management52:20 The Rise of Identity Beer: Community and Connection59:40 Celebrating German Unification DayKeywordsidentity, decentralized identity, digital identity, identity verification, national ID systems, AI in identity, identity management, global identity challenges, identity beer, German unification

In this episode of the Identity at the Center Podcast, Eve Maler, founder and CEO of Venn Factory joins host Jim McDonald. They discuss the significance of identity in the corporate world; detailing Eve's new book aimed at educating CEOs on the importance of treating identity as a strategic asset rather than mere infrastructure. They explore concepts like the evolving role of identity in security, the increasing risks posed by AI and cybersecurity threats, and the potential for organizational paralysis without proper identity management. Eve emphasizes the need for cross-functional focus and strategic ownership of identity functions within companies. The episode concludes with insights into public speaking and preparation, providing listeners with practical advice and industry insights.Connect with Eve: https://www.linkedin.com/in/evemaler/Chapters00:00 Introduction and Guest Welcome00:32 The Story Behind 'Venn Factory'02:09 Eve Maler's Book for CEOs04:42 The Importance of Digital Identity10:53 AI and Its Impact on Executives17:25 Organizational Challenges in Identity Management23:49 The Role of Identity in Organizations24:44 Escaping Organizational Paralysis25:08 Valuing Identities in the Digital Age28:13 B2B Identity Dynamics35:21 The Rise of Identity Security42:32 Public Speaking Tips and Lighter NotesConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.com

This episode of the Identity at the Center podcast delves into the complex topic of death and the digital estate (DADE). Jim McDonald hosts Dean Saxe, Heather Flanagan, and Mike Kiser, who discuss the importance of planning for digital assets after death, the cultural implications of digital identity, and the evolving role of technology in managing these assets. They emphasize the need for individuals to take proactive steps in documenting their digital estate and the challenges posed by varying legal frameworks and cultural perspectives. The conversation also touches on the future of digital identity in the age of AI and the ethical considerations surrounding it.Episode Links:Death and the Digital Estate (DADE) Community Group: https://openid.net/cg/death-and-the-digital-estate/Connect with Dean: https://www.linkedin.com/in/deanhsaxe/Connect with Heather: https://www.linkedin.com/in/hlflanagan/Connect with Mike: https://www.linkedin.com/in/mike-kiser/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comChapters00:00 Introduction to Identity at the Center Podcast00:10 Introduction to the Death and Digital Estate (DADE) group03:07 The Role of Identity in Digital Estates06:01 Understanding Digital Estate and Its Components09:09 Community Groups vs. Working Groups in Standards11:59 The Importance of Digital Estate Management15:09 Cultural Perspectives on Digital Death18:12 Legal and Ethical Considerations in Digital Estates20:59 Future of Digital Estate Planning24:03 Conclusion and Call to Action31:33 Cultural Frameworks and Digital Estates35:12 The Importance of Protocols in Digital Estate Management39:30 Navigating Digital Wills and Estate Planning42:19 Challenges in Digital Recovery and Access45:18 Actionable Steps for Digital Estate Planning48:52 Personal Reflections on Digital Legacy50:57 The Future of Digital Remembrance54:25 Final Thoughts and Community EngagementKeywordsdigital estate, death, identity management, OpenID Foundation, digital assets, cultural perspectives, technology, legal considerations, AI, planning guide

This episode is sponsored by Hush Security. Visit hush.security/idac to learn more.In this sponsored episode of Identity at the Center, hosts Jeff Steadman and Jim McDonald spotlight Hush Security, a company emerging from stealth with an innovative approach to machine identity and access management. CEO and co-founder Micha Rave explains why traditional secrets vaults can't keep up with today's scale, what it means to truly go “secrets-free,” and how Hush enables visibility, governance, and operability for modern and legacy environments alike.Discover:The real difference between non-human identities and static keysWhy legacy secrets management is breaking in the cloud and automation ageHush Security's journey from stealth mode to active customersThe business case for removing vaults (and the risks with “hope and prayer” key rotation)How to transition to policy-based access—and measurement metrics for successFun discussions on pancakes vs. waffles in security leadership (really!)Learn more about Hush Security and get a free environment assessment: hush.security/idacConnect with Micha: https://www.linkedin.com/in/micharave/Connect with IDAC on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at idacpodcast.com#idac #identitymanagement #machineidentity #secretsmanagement #podcast #cybersecurity #JimMcDonald #JeffSteadman #HushSecurity #IdentityattheCenterChapters / Timestamps:00:00 - Welcome and Introduction (Hosts: Jeff and Jim)01:00 - Introducing Micha Rave and Hush Security03:00 - Micha's Background and the Hush Team's Journey06:00 - What Is Hush Security and Why Now?09:00 - Leaving Stealth Mode: Patents and Novel Approaches12:00 - What Makes Hush Special? Remediation vs. Visibility15:00 - Vaults vs. Secrets-Free Approach & Industry Gaps18:00 - Non-Human Identities: Static Keys, Secrets, and Access22:00 - Solving Problems Beyond Cloud: Custom vs. Packaged Software26:00 - The Scale of Machine Identity in the Cloud and Automation Age29:00 - Why Secrets Management Is Breaking and the Case for Policy-Based Access34:00 - From Scanning to Policy Enforcement: How Hush Works39:00 - Metrics, Success, and Executive Buy-in for Modern IAM43:00 - How to Get Started with Hush Security (Free Assessments)46:00 - Micha's Conference Plans and Final Thoughts49:00 - Pancakes or Waffles?Keywords:IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Hush Security, machine identity, secrets management, secrets vault, IAM, cybersecurity, sponsored episode, non-human identities, policy-based access, vault elimination, cloud security, automation, zero trust, Micha Rave, podcast, identity management

In this episode of the Identity at the Center podcast, hosts Jeff and Jim dive into the concept of device identity within a Zero Trust framework. They are joined by Shea McGrew, CTO of Maricopa County Arizona, who provides insights into the importance of managing not just human but also device identities. The discussion explores the philosophical debate on whether machines can have identities, Zero Trust principles, and their application in a diverse and semi-autonomous organizational structure like that of the county government. Shea also shares her career journey, emphasizing the importance of curiosity, customer service, and continuous learning in IT. The episode wraps up with a light-hearted conversation on the never-ending pursuit of knowledge.Connect with Shea: https://www.linkedin.com/in/shea-m-6b82a36/Timestamps:00:00 Introduction and Podcast Theme00:17 Defining Identity in Cybersecurity01:34 Debate: Can Non-Humans Have Identities?01:57 Guest Introduction: Shea McGrew04:15 Shea's Career Journey and Role as CTO09:28 Challenges and Rewards of Being a CTO11:41 Identity Strategy at Maricopa County14:48 Device Identity and Zero Trust Architecture29:56 Managed vs. Unmanaged Devices40:15 Understanding the NIST Framework42:52 Balancing Technology and People43:58 Training and Partner Collaboration48:03 Organizational Change Management50:40 Future of Device Identity54:40 Debating Machine Identity01:06:36 Curiosity as an Olympic Sport01:13:00 Conclusion and Final ThoughtsConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.com

Join Jeff Steadman and Jim McDonald for the September 2025 mailbag episode of Identity at the Center! This episode features listener questions from around the world about digital identity, trust, technology challenges, inclusion, biometrics, and even a candid discussion on air travel etiquette. Whether you're new to IAM or a veteran, you'll find practical advice and real stories. Plus, hear shout-outs to our global community and learn what's coming up for the podcast team, including conferences and game shows. Don't forget to leave your thoughts or questions in the comments—let's keep the conversation going!Chapter Timestamps:00:00 - Intro & Community Shout-Outs04:00 - Upcoming Conferences & Discount Codes07:00 - What the Podcast Is All About08:40 - Mailbag Intro: Listener Questions From Around the World09:20 - Engaging IT with IAM Concepts (Matt in Maine)13:20 - Building Trust in Digital Identity (Amara in India)18:30 - Practical Challenges for Large Programs (Sophie in France)25:45 - Digital Identity and the Unconnected (Jonas in Germany)33:15 - Biometric Data & Security Pros/Cons (Rachel in Canada)39:45 - Air Travel Etiquette: From Shoes Off to Elbow Room48:10 - Outro & ThanksConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comKeywords:IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, mailbag, listener questions, digital identity, IAM, identity and access management, trust, technology inclusion, biometrics, air travel etiquette, conferences, community, YouTube, podcast, global audience, #idac

This episode is sponsored by SGNL. Visit sgnl.ai/idac to learn more.In this sponsored episode of Identity at the Center podcast, hosts Jeff and Jim discuss hot trends in the identity space, focusing on continuous identity with their guest Erik Gustavson, co-founder and CPO at SGNL. Erik shares his journey into the IAM space, exploratory projects, the thought processes behind SGNL's continuous identity solutions, and provides insights on how SGNL's approach integrates with existing identity and security tools. He delves into trends such as the convergence of identity and security, the generational change in identity tech, and the practical use cases SGNL addresses. The episode concludes with a light-hearted conversation about the perfect meal for Jeff, reflecting Eric's passion for cooking.Connect with Erik: https://www.linkedin.com/in/erikgustavson/Learn more about SGNL: https://sgnl.ai/idacTimestamps00:00 Introduction and Episode Overview00:36 Sponsor Spotlight: SGNL01:10 Guest Introduction: Erik Gustavson01:41 Eric's Journey into the IAM Space05:47 Role of a Chief Product Officer07:54 The Concept of Continuous Identity20:26 Data Integration and Policy Enforcement26:40 Target Audience for SGNL29:42 Introduction to SGNL's Ecosystem30:13 Complementing Existing Systems30:44 Challenges with Current Identity Solutions33:27 New Trends in Authorization Management34:09 Aligning with AMP and PBA37:58 Use Cases and Real-World Applications46:31 What Sets SGNL Apart48:37 Future Trends in Identity and Security52:35 A Lighter Note: Cooking and Personal Interests58:32 Conclusion and Final ThoughtsConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at idacpodcast.com

In this episode of the Identity at the Center podcast, Jeff and Jim discuss various aspects of identity access management (IAM) policies and the importance of having a solid foundation. They emphasize the need for automation, controls, and how IAM policies should be created without technology limitations in mind. The discussion also covers the implementation challenges and the evolving concept of identity verification. Jeff, Jim, and their guest, Nishant Kaushik, the new CTO at the FIDO Alliance, also delve into the issues surrounding the adoption of passkeys, highlighted by Rusty Deaton's IDPro article, and address some common concerns about their security. Nishant offers insights into ongoing work at FIDO Alliance, the potential of digital identity, and the importance of community in the identity sector. The episode concludes with mentions of upcoming conferences and an homage to the late identity expert, Andrew Nash.Timestamps00:00 Introduction and Greetings00:18 Importance of IAM Policies01:36 Challenges in Policy Implementation05:09 Conferences and Discount Codes07:59 Introducing the Guest: Nishant Kaushik08:42 The Role of the FIDO Alliance and Digital Identity10:35 Concerns and Solutions for Passkeys22:21 Final Thoughts on Passkeys and Authentication29:48 Credential Security Concerns30:03 FIDO Members and Their Contributions30:38 Getting Involved in Working Groups31:58 Conversations at Authenticate Conference32:29 Evolution of the Authenticate Conference34:32 Automotive Authentication Challenges36:04 Community and Collaboration38:33 Remembering Andrew Nash41:41 Lightning Round: Current State of AI and Identity44:21 Decentralized Identity: Current Trends49:47 Non-Human Identity: Future Perspectives52:19 New York Sports Fandom54:33 Conclusion and Upcoming EventsConnect with Nishant: https://www.linkedin.com/in/nishantkaushik/Learn more about the FIDO Alliance: https://fidoalliance.org/IDPro Article by Rusty Deaton: https://idpro.org/blackhat-and-def-con-2025-thoughts/Kill the Wallet? Rethinking the Metaphors Behind Digital Identity by Heather Flanagan: https://sphericalcowconsulting.com/2025/07/22/digital-wallet-metaphor/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.com