Identity at the Center
Author: Identity at the Center
Description
Identity at the Center is a weekly podcast all about identity security in the context of identity and access management (IAM). With decades of real-world IAM experience, hosts Jim McDonald and Jeff Steadman bring you conversations with news, topics, and guests from the identity management industry. Do you know who has access to what?
404 Episodes
This episode is sponsored by Bravura Security. Learn more at bravurasecurity.com/idac.

This is a Sponsor Spotlight episode of the Identity at the Center podcast. Jim McDonald and Jeff Steadman are joined by Bart Allan, General Manager at Bravura Security, to discuss why enterprise password management remains a critical piece of identity security even as organizations pursue passwordless strategies. Bart shares Bravura's history dating back to 1992, starting with self-service password reset and evolving into a full identity security platform spanning identity management, privileged access management, and enterprise password management. The conversation digs into the uncomfortable truth that while organizations may get 80% of their applications onto modern authentication, the remaining 20% still rely on passwords, creating real security risk. Bart explains how treating enterprise passwords the way organizations treat privileged credentials, with automated rotation and centralized management, can remove the human element from password creation and reduce exposure to breaches and social engineering. The group also discusses help desk social engineering attacks, breach recovery challenges, deployment strategies for rolling out an enterprise password manager, and the emerging role of password managers as passkey managers for portability. The episode wraps with some outdoor adventure stories from Bart and Jim.

Connect with Bart: https://www.linkedin.com/in/bartholomewallan/
Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at idacpodcast.com

TIMESTAMPS
00:00 - Introduction and welcome
01:00 - Sponsor Spotlight overview and Bravura Security introduction
01:52 - Bart Allan's background in identity
03:30 - History of Bravura Security from 1992 to today
05:39 - How the Bravura name came to be
07:00 - What makes Bravura unique in the identity market
08:33 - Why password management still matters
09:58 - The uncomfortable truth about passwords and the 80/20 problem
13:00 - Personal vs enterprise password managers
16:00 - The last mile to passwordless and legacy systems
19:00 - Why storing passwords is not enough without active management
22:00 - Help desk social engineering and the human element
25:00 - Breach response and the fog of war
31:00 - Scattered spider scenarios and credential reset at scale
35:00 - Is a password manager the only viable option for the final 20%?
38:00 - The future of password managers as passkey managers
40:00 - Tips for deploying an enterprise password manager
42:45 - Measuring success with an enterprise password manager
45:17 - Lighter side of the conversation begins
46:00 - Bart's backcountry skiing avalanche story from Rogers Pass
50:30 - Jim's lightning storm story from backpacking in Yosemite
52:53 - Final thoughts from Bart on the passwordless journey
54:00 - Wrap up and outro

KEYWORDS
IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Bravura Security, Bart Allan, password management, enterprise password manager, passwordless, passkeys, privileged access management, identity security, help desk social engineering, breach recovery, credential rotation, self-service password reset, identity verification, IAM operations, shadow IT, FIDO, sponsor spotlight, password vault, legacy systems

Simon Moffatt, founder and analyst at The Cyber Hut and co-host of The Analyst Brief podcast, returns to Identity at the Center for a wide-ranging conversation about the strategic evolution of identity security. Simon shares an update on his second book, IAM at 2035, which explores where identity is heading over the next decade. The discussion covers why identity has shifted from a back office function to a strategic business enabler, driven by the convergence of cloud, zero trust, and expanding digital ecosystems.

Jim and Jeff dig into how organizations can measure their identity security posture, and Simon introduces his Identity Security Scorecard, a framework of 50-plus data points covering visibility, protection, detection, and response. The conversation shifts to the identity attack lifecycle, where Simon explains why organizations need to move beyond log-based forensics and toward real-time detection and response before attacks complete.

The group also explores how non-identity data signals, like CAEP and shared signals frameworks, are critical to building a fuller picture of risk. The final segment tackles agentic AI and its implications for identity, including the argument that agentic identities may represent a third identity type distinct from both human and machine. Simon makes the case that AI adoption is outpacing identity and security innovation, creating a widening gap that the industry must address through governance, accountability, and new architectural patterns.

Connect with Simon: https://www.linkedin.com/in/simonmoffatt/
The Analyst Brief Podcast: https://www.thecyberhut.com/podcast/
Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at http://idacpodcast.com

Timestamps
00:00 Introduction and conference discount codes
02:29 Simon Moffatt returns to the show
03:58 Update on the IAM at 2035 book
07:25 The Analyst Brief podcast and covering identity trends
08:44 Identity shifts from back office to strategic priority
11:47 The compliance trap and reactionary identity management
14:25 Customer identity transparency influencing workforce identity
16:52 Defining identity security across 80-plus vendors
20:11 Products alone do not solve identity security
21:14 Thinking like an attacker about identity flows
23:23 Red flags in an organization's identity posture
25:43 The identity security scorecard and measuring risk
29:27 Avoiding FUD when presenting identity risk to the board
32:34 The identity attack lifecycle explained
36:53 Building the mindset for real-time detection and response
37:41 CAEP, shared signals, and non-identity data sources
40:10 Identity as a 24/7 security operations function
43:24 Agentic AI drops like a nuclear explosion on identity
46:49 The widening gap between AI adoption and identity security
47:51 Is agentic identity a third identity type?
50:47 What needs to change to address the agentic identity explosion
53:24 Will AI shake the core of enterprise IT?
57:24 AI may be the only thing that can secure AI
58:04 Travel tips for EIC Berlin and European conferences
01:02:45 Wrapping up

Keywords
identity security, identity attack lifecycle, identity attack paths, agentic AI, agentic identity, non-human identity, NHI, identity security scorecard, zero trust, CAEP, shared signals framework, identity governance, identity strategy, IAM, identity posture, Simon Moffatt, The Cyber Hut, The Analyst Brief, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald

In this episode of Identity at the Center, hosts Jeff and Jim dive into the details of the Shared Signals Framework (SSF) and Continuous Access Evaluation Profile (CAEP), with special guest Atul Tulshibagwale, the CTO of Signal. The trio discusses the complexities and applications of these identity security standards, recent adoption by major tech companies, and how they are transforming the approach towards identity and access management. Atul also shares exciting news about Signal's impending acquisition by CrowdStrike and reflects on a recent safari trip in Kenya. Tune in to learn about the evolution of identity security and the future of SSF and CAEP.

Connect with Atul: https://www.linkedin.com/in/tulshi/
Learn more about the Artificial Intelligence Identity Management Community Group: https://openid.net/cg/artificial-intelligence-identity-management-community-group/
Learn more about SSF and CAEP:
https://openid.net/how-authzen-and-shared-signals-caep-complement-each-other/
https://sgnl.ai/whitepaper/caep-best-practices/
https://caep.dev/
https://youtu.be/qakOw0g2mZ8?si=p8z9imn7x-HhLdcV
https://www.youtube.com/live/e64YiAmGmf4?si=QPKDg2Jm9oSZmbhZ
http://sharedsignals.guide/
Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at http://idacpodcast.com

Timestamps:
00:00 Introduction and Episode Milestone
00:17 Challenges with Installing Molt Bot
02:32 MoltBook and AI Agents
03:21 Jim's Perspective on AI Assistants
09:24 Conferences and Networking
10:10 Introduction to Shared Signals and CAEP
13:03 CrowdStrike Acquisition of Signal
14:03 AI Identity Management Community
16:59 Shared Signals Framework and CAEP Explained
30:03 Final Version of CAEP and Shared Signals Released
30:35 Adoption by Major Technology Providers
32:49 Benefits of Implementing Shared Signals
36:32 Future of SSF and CAEP
40:51 Certification Program for Shared Signals
52:48 Real-World Safari Adventure
01:00:34 Conclusion and Final Thoughts

Keywords:
IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Atul Tulshibagwale, Shared Signals Framework, SSF, CAEP, Continuous Access Evaluation Profile, OpenID Foundation, CrowdStrike, SGNL AI Identity, Agentic Identity, AuthZEN, Risk, Identity Security, IAM, Podcast

This episode is sponsored by PlainID. Visit plainid.com/idac to learn more.

In this sponsored episode, Jim McDonald and Jeff Steadman talk with Gal Helemski, CTO and co-founder of PlainID, about the evolving landscape of authorization. The conversation covers the transition from traditional roles and attributes to a modern policy-based access control (PBAC) approach. Gal explains how PlainID helps organizations centralize authorization logic, improve security posture, and simplify the management of access across complex hybrid and multi-cloud environments. The discussion also touches on the importance of visibility into who has access to what and the role of standards like Cedar and Rego in the future of authorization.

Connect with Gal: https://www.linkedin.com/in/gal-helemski-b9542231/
Learn more about PlainID: plainid.com/idac
Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at idacpodcast.com

Timestamps:
00:00 Introduction to the Sponsor Spotlight
02:15 Meet Gal Helemski from PlainID
05:30 The shift from RBAC to PBAC
10:45 Challenges with traditional authorization methods
15:20 How PlainID centralizes authorization logic
22:10 Integrating with existing identity providers
28:45 The role of visibility and auditing in authorization
35:30 Discussion on authorization standards: Cedar and Rego
42:15 Future trends in identity and access management
50:00 Final thoughts and where to learn more

Keywords:
IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, PlainID, Authorization, Policy-Based Access Control, PBAC, RBAC, Cybersecurity, IAM, Access Management, Gal Helemski, Identity Security

In this milestone episode of Identity at the Center, Jeff and Jim celebrate 400 episodes and reflect on their journey over the past six and a half years. They discuss the podcast’s evolution, from its early days focusing on strategy and framework to recent themes like cloud identity, governance, and AI-driven technologies. Jim shares his New Year's resolution of writing a book about identity, blending practitioner stories with educational elements, and utilizing AI tools. The duo also highlights significant trends in identity and access management, including frictionless authentication and privilege access management. They look forward to the future of identity within an AI-driven landscape, urging listeners to adapt to technological advancements. Tune in for insights, reflections, and their plans for continuing to grow the podcast.

Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at http://idacpodcast.com

Timestamps
00:00 Welcome and Milestone Celebration
00:44 Reflecting on the Podcast Journey
01:27 Jim's New Year's Resolution: Writing a Book
05:16 Using AI in the Writing Process
09:34 Podcast Growth and Listener Support
13:08 Remembering Luis Almeida
16:59 Conference Highlights and Discount Codes
19:05 Lessons Learned from Podcasting
29:01 The Evolution of the Podcast
36:01 Pandemic Disruptions and Podcast Challenges
36:30 Funny Moments and Swearing on the Show
37:24 Identity Management Trends in 2020
39:20 Cloud Identity and Certifications in 2021
41:54 Governance and Compliance in 2022
44:23 Security Convergence and Milestones in 2023
51:07 Privilege Access Management in 2024
55:15 Frictionless Authentication in 2025
58:20 AI and the Future of Identity in 2026
01:09:00 Reflections and Gratitude

Keywords:
IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, IAM, podcast, cybersecurity, digital identity, AI, agentic identity, PAM, IGA, cloud security, passkeys, professional development, IDPro, identity governance

Jim McDonald is joined by Jeff Margolies, Chief Product and Strategy Officer at Saviynt, to discuss the intersection of artificial intelligence and identity security. Jeff shares his decades of experience in the industry, from building the IAM practice at Accenture to his current leadership role at Saviynt. The conversation covers how AI is making manually intensive identity tasks more efficient, the emergence of Identity Security Posture Management (ISPM), and the critical need to govern identities for AI agents. Jeff also provides his perspective on the future of the identity practitioner and why he remains an optimist in a rapidly changing technological landscape.

Connect with Jeff Margolies on LinkedIn: https://www.linkedin.com/in/jmargolies/
Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at http://idacpodcast.com

Timestamps:
00:00:00 - Introduction and Gartner Identity Conference Recap
00:02:11 - Jeff Margolies' Career Journey in Identity and Security
00:04:36 - Returning to Identity and Joining Saviynt
00:06:13 - How AI is Impacting Identity Security and Governance
00:09:56 - The Future of Identity Services in an AI World
00:13:58 - Will AI Disrupt the SaaS Model for Identity?
00:19:50 - The Impact of AI on the Identity Practitioner Job Market
00:26:16 - Identity for AI: Governing Agents and Delegated Authority
00:32:00 - Combating Deepfakes and Proving What is Real
00:34:40 - The Rise of Identity Security Posture Management (ISPM)
00:41:46 - Comparing Posture Management and ITDR
00:44:17 - Advice for CISOs: Why Posture Should Come First
00:49:35 - The Secret to Saviynt's Success and Future Outlook
00:52:19 - Lighter Note: Why Jeff Chose a Tesla for His Daughter

Keywords:
IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Jeff Margolies, Saviynt, IAM, Identity and Access Management, AI, Artificial Intelligence, ISPM, ITDR, Cybersecurity, Identity Governance, SaaS, IGA

In this episode, Jim McDonald welcomes back Martin Kuppinger, Principal Analyst at KuppingerCole, to discuss the rapidly evolving landscape of identity in 2026. With Jeff Steadman away, Jim and Martin dive deep into the intellectual challenges posed by AI agents and the limitations of traditional non-human identity frameworks. Martin explains why organizations are feeling a sense of disillusionment with AI and how a capability-based identity fabric approach can help manage the complexity. They also explore the balance between security and business enablement, the rise of workload identities, and what to expect at the upcoming European Identity and Cloud Conference (EIC) in Berlin.

Connect with Martin: https://www.linkedin.com/in/martinkuppinger/
KuppingerCole: https://www.kuppingercole.com
European Identity and Cloud Conference (EIC) (don’t forget to use our discount code idac25mko): https://www.kuppingercole.com/events/eic2026
Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at http://idacpodcast.com

Timestamps
00:00 - Welcome back to 2026 and EIC preparations
02:48 - The shift from future potential to current AI agent challenges
03:12 - Understanding AI disillusionment and the lack of control in regulated industries
05:19 - Security as a business enabler vs progress prevention
09:55 - Why AI agents should not be classified simply as non-human identities
11:43 - Complex relationships between humans, agents, and delegated tasks
15:17 - Self-service identity for knowledge workers and AI productivity
18:40 - The risks of decentralized agent creation and "shadow" AI
21:58 - How AI is being baked into identity products beyond role mining
26:55 - Using usage data to reduce over-entitlements
34:10 - The Identity Fabric: A capability-based approach to IAM
40:33 - Vendor rationalization and the flexibility of the fabric
47:19 - Previewing EIC 2026 topics: Wallet initiatives and consent
52:44 - Final advice: Curing symptoms vs addressing causes

Keywords:
IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Martin Kuppinger, KuppingerCole, IAM, AI Agents, Identity Fabric, EIC 2026, Non-Human Identity, Workload Identity, ITDR, IGA, Cybersecurity

Jeff Steadman is joined by RSM colleagues Rich Servillas and Charles John to explore the critical intersection of identity access management, operational resilience, and disaster recovery. Rich, a director from the cyber response group, shares insights from the front lines of ransomware and cloud intrusions, while Chuck, director of operational resilience, discusses the importance of business continuity planning. The conversation covers the true impact of security incidents on brand reputation and operations, the necessity of out-of-band communication, and why identity is often the first thing challenged and the last thing trusted during a crisis. The guests also provide practical advice for IAM professionals on reducing blast radius through standing privilege reduction and robust logging.

Connect with Rich: https://www.linkedin.com/in/richard-servillas-041a0551/
Connect with Chuck: https://www.linkedin.com/in/chuckjohn/
Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at http://idacpodcast.com

Timestamps:
00:00:00 - Introduction and 2026 conference outlook
00:01:44 - Introducing guests Rich and Chuck from RSM
00:03:56 - Defining operational resilience and business continuity
00:06:22 - When and how to start the planning process
00:09:55 - Chuck's background in public health and emergency management
00:12:44 - The broad impact of incidents on brand and operations
00:16:45 - Key elements every recovery plan must include
00:19:14 - Defining incident severity and matrixes
00:21:52 - Identity as the new perimeter and its operational dependencies
00:24:57 - Why hackers log in rather than break in
00:26:46 - The first hours of a cyber incident response
00:29:35 - Current threat trends and the role of AI
00:31:29 - Updating plans through post-action debriefs
00:34:31 - Cyber insurance gaps and contractual SLAs
00:40:24 - Advice for identity professionals on reducing blast radius
00:46:10 - Personal milestones and looking forward to 2026

Keywords:
IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, IAM, Cybersecurity, Business Continuity, Disaster Recovery, Operational Resilience, RSM, Incident Response, Ransomware, Cyber Insurance, Identity Governance

Jeff and Jim are joined by Gartner Analyst Rebecca Archambault for a special live edition of the podcast recorded at the Gartner Identity & Access Management Summit in Grapevine, Texas on December 10, 2025. Instead of a traditional interview, the trio hosts "Majority Rules," an interactive game show where the live audience votes on pressing and fun identity topics. Listen in to hear the pulse of the room on everything from the biggest buzzwords of the year and the true purpose of analyst 1:1 sessions, to the best strategies for navigating the vendor hall. The group explores audience preferences on IGA, AI risks, non-human identities, and the most common lies told in sales cycles. It is a fun, lighthearted look at what identity professionals are actually thinking about the current state of the industry.

Connect with Rebecca: https://www.linkedin.com/in/rebecca-becky-archambault-4b4285111/
Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at http://idacpodcast.com

Chapter Timestamps
00:00 - Intro and Game Rules
02:40 - First Question: Favorite Podcast
03:15 - Networking vs. Education
04:08 - Buzzword of the Year: Agentic Identity
04:47 - User Behavior Analytics Usage
05:37 - Expo Hall Memories and Socks
06:20 - The Twist: Battle Royale Rules
06:45 - The True Purpose of Analyst 1:1s
07:55 - Mitigating Agentic AI Risks
08:55 - Strategies for the Vendor Hall
09:37 - The Future of IGA
10:15 - Favorite Gartner Reports
11:05 - Benefits of Just-in-Time Access
11:45 - AI in Authentication Priorities
12:35 - Securing Non-Human Identities
13:05 - Keys to Successful B2B IAM
13:40 - The Hardest Part of Role Mining
14:15 - PAM for AI Agents
14:50 - Keynote Takeaways
15:40 - Measuring IAM Success
16:20 - Defining ITDR
17:05 - The Biggest Lie in IAM Sales
17:35 - Least Favorite Gartner Report
18:10 - Audit Preparation Preferences
18:45 - Common Lies in the Vendor Hall
19:15 - The Most Dangerous Access Right
19:35 - Winner Announcement and Outro

Keywords
IAM, identity management, cybersecurity, Gartner IAM Summit, Majority Rules, game show, Rebecca Archambault, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Agentic Identity, ITDR, non-human identity, role mining, zero standing privileges

#395 - Sponsor Spotlight - Redblock

This episode is sponsored by Redblock. Visit redblock.ai/idac to learn more.

Jeff and Jim come to you live from the Gartner IAM Summit in Grapevine, Texas, for a special Sponsor Spotlight with Redblock. They sit down with CEO Indus Khaitan to discuss how Redblock uses AI and computer vision to solve the "last mile" problem in identity management: disconnected applications.

Indus explains how Redblock acts as an "agentic" layer, using screen recordings to learn administrative tasks for apps that lack APIs. The conversation covers the origin of the company name, the urgency of securing the "long tail" of applications, and how they build trust and guardrails around AI execution. They also discuss the "DoorDash" analogy for identity fulfillment and wrap up with a fun chat about Indus's passion for flying planes.

Connect with Indus: https://www.linkedin.com/in/khaitan/
Learn more: redblock.ai/idac
Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at http://idacpodcast.com

Timestamps
00:00 Introduction from Gartner IAM Summit
00:46 Guest Introduction: Indus Khaitan of Redblock
01:40 Indus's Journey into Identity
02:41 The Origin of the Name "Redblock"
04:20 The Underserved Market: Services vs. Software
07:34 The Urgency of Securing Disconnected Apps
09:19 Why Traditional IGA and PAM Aren't Enough
11:35 The DoorDash Analogy: Where Redblock Fits
14:30 What Makes Redblock Unique? (Agentic Process Automation)
16:15 Trusting AI with Security Tasks
18:50 Onboarding Apps via Video Recording
21:23 Deployment: Running Air-Gapped on Customer Cloud
22:17 Handling UI Changes and "Full Self-Driving" Analogy
25:40 Integration with SailPoint and Governance Tools
27:13 Speed of Integration: Days vs. Years
32:00 How the "Headless Browser" Works
33:35 Limitations: Web Apps vs. Thick Clients
36:58 Redblock's 2025 Milestones and Future Outlook
39:48 Call to Action: Solving Disconnected Apps
40:27 Impressions of the Gartner IAM Summit
44:26 Are We in an AI Bubble?
46:46 Indus's Hobby: Flying Planes

Keywords
IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Redblock, Indus Khaitan, AI, Artificial Intelligence, IAM, Identity and Access Management, Disconnected Apps, Agentic AI, Computer Vision, Gartner IAM Summit, RPA, IGA, Cybersecurity

We are live from the Gartner IAM Summit 2025 in Grapevine, Texas! In this episode, we welcome back Sarah Clark, now the Chief Product Officer and GM of North America at Hopae. Sarah shares her journey from Mastercard to buying rainforests in Costa Rica and rescuing dogs, before diving deep into the world of digital identity infrastructure. We discuss connecting government-issued digital IDs with the private sector to combat fraud and improve user experiences. Sarah breaks down the differences in global adoption, highlighting why the EU is leading the charge with upcoming mandates and how countries like Brazil and India are scaling their programs. We also explore the state of mobile driver's licenses in the US, the potential for age verification and workforce management use cases, and whether the US can catch up to the rest of the world. Plus, we wrap up with a heartfelt conversation about dog rescue and the challenges of pet adoption.

Connect with Sarah: https://www.linkedin.com/in/sarahmclark/
Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at http://idacpodcast.com

Timestamps
00:00:00 - Intro: Live from Gartner IAM Summit 2025
00:01:25 - Introducing Sarah Clark and her journey to Hopae
00:03:00 - What is Hopae and the vision for digital identity infrastructure?
00:04:19 - Why governments are moving toward digital IDs (186 countries!)
00:05:32 - Solving the fraud crisis with government-issued credentials
00:07:05 - The benefits: Security, efficiency, and inclusion
00:08:52 - Global adoption curves: India, Philippines, and Brazil
00:10:48 - The EU vs. US: Who is winning the digital ID race?
00:14:04 - eIDAS 2.0 mandates and the intermediary role
00:17:03 - Future trends: Age verification, Fintech, and stablecoins
00:19:54 - Workforce management and "Know Your Employee"
00:21:28 - Sarah's passion project: Rainforest preservation and dog rescue
00:25:35 - Closing thoughts on the future of identity

Keywords
IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Sarah Clark, Hopae, Digital Identity, Digital Wallets, Mobile Driver's License, mDL, eIDAS 2.0, Identity Verification, Fraud Prevention, KYC, Verifiable Credentials, Gartner IAM Summit, Digital Infrastructure, Biometrics, Age Verification

Join Jeff, Jim, and special guest Ian Glazer at the Gartner IAM Summit 2025 as they discuss the Identity and Access Management (IAM) industry, the evolution of IAM practices, and the exciting new concepts like Continuous Identity. They delve into topics such as the impact of AI, shared signals framework, and the struggles and triumphs of identity practitioners. Plus, hear about the Digital Identity Advancement Foundation’s mission and enjoy some lighter moments with tales of 'chuckles' and supper clubs. Don't miss this insightful and entertaining episode of the Identity at the Center podcast.

Connect with Ian: https://www.linkedin.com/in/iglazer/
Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at http://idacpodcast.com

Timestamps
00:00 Introduction and Casual Banter
00:50 Conference Highlights and Podcast Milestones
03:00 Introducing Ian Glazer
05:43 Digital Identity Advancement Foundation (DIF)
08:09 Challenges in Identity Governance and Administration (IGA)
13:28 Continuous Identity: A Paradigm Shift
22:31 Real-World Applications and Organizational Impact
31:51 Realistic Security Measures
32:28 Maturity of Identity and Access Management
34:54 Skills and Challenges in IAM
36:44 Metrics and Outcomes in IAM
40:23 Identity Practitioner Skills
41:19 Solving Problems with AI
46:21 Continuous Identity and Future Trends
48:45 Identity Salon and Community
54:19 Wrapping Up and Future Events

Keywords
Ian Glazer, Continuous Identity, Shared Signals Framework, CAEP, Gartner IAM Summit, Identity Security, Joiner Mover Leaver, IGA, Access Certification, Identity Salon, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, IAM, Cybersecurity, Non-Human Identity, Identity Practitioner, DIAF

Join hosts Jeff Steadman and Jim McDonald for a special live episode recorded on location at Identiverse DC! In this interactive session, Jeff and Jim host a game of "Majority Rules," where the audience competes not to answer correctly, but to guess the most popular answer in the room.

The game covers a wide range of topics, from the trivial (worst conference swag and the official uniform of an IAM architect) to the technical (securing API keys, the biggest bottlenecks in IGA, and the primary causes of role explosion).

Things get intense halfway through with the introduction of the Battle Royale rules, where picking the minority answer sends a player's score back to zero. Watch to see who survives the explosions and takes home the grand prize.

Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at http://idacpodcast.com

Chapter Timestamps
00:00 Intro to Identity at the Center Live
00:36 Explaining the Rules of Majority Rules
04:25 Question 1: The Worst Conference Swag
06:00 Question 2: Replying to Access Denied
07:05 Question 3: AI in Identity Management
08:40 Question 4: Favorite MFA Method
10:12 Question 5: Least Favorite Auth Factor
11:15 Turning up the Heat: Battle Royale Mode
12:10 Question 6: Why RBAC is Difficult at Scale
13:30 Question 7: The IAM Architect Uniform
14:50 Question 8: Best Place to Hide a Secret
16:15 Question 9: Protocols You Secretly Miss
17:25 Question 10: Most Hated Specialized Key
18:40 Question 11: Conference Responsibilities
20:00 Question 12: Securing API Keys
21:20 Question 13: Secrets to Surviving Keynotes
22:55 Question 14: The Biggest Bottleneck in IGA
24:45 Question 15: Causes of Role Explosion
25:50 Question 16: What Breaks First After a Schema Update
26:40 Final Question: Fastest Way to Confuse a User
27:40 Crowning the Winner

Keywords
IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Identiverse, Identiverse DC, IAM, Identity and Access Management, Cybersecurity, InfoSec Game Show, Live Podcast, Majority Rules, MFA, IGA, API Security, RBAC, Role Explosion, Tech Humor, Cyberrisk Alliance

Jeff and Jim come to you live from the expo floor at Identiverse DC 2025. They are joined by John DelMauro, Executive Vice President at Cyber Risk Alliance, to discuss the energy of regional events and how they differ from the massive Las Vegas gatherings.

The group discusses the current state of the identity industry, the inevitable presence of AI in both marketing and event planning, and the "Identity at the Center" game show that took place earlier in the conference. John provides an exclusive look ahead at what is being planned for Identiverse in Las Vegas, including a new algorithmic approach to one-on-one networking, expanded pavilions, and potentially even puppies.

Finally, the conversation shifts to a fun hypothetical: if money and logistics were no object, what kind of conference would each of them launch? The answers range from health and longevity in Austin to a technology expo in Japan.

Connect with John: https://www.linkedin.com/in/john-del-mauro/
Learn more about the CyberRisk Alliance: https://www.cyberriskalliance.com/
Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at http://idacpodcast.com

Chapter Timestamps
00:00 Introduction and vibes from Identiverse DC
00:52 Recapping the Majority Rules game show
02:00 Introducing John DelMauro from Cyber Risk Alliance
03:59 What is Cyber Risk Alliance?
05:25 The benefits of regional events vs. Las Vegas
09:15 Current themes: AI dominating the conversation
13:21 How AI helps in planning and researching events
15:50 Previewing Identiverse Las Vegas 2025
17:10 The new one-on-one networking algorithm
22:15 Breaking news: Puppies at the conference?
24:45 Hypothetical: What dream conference would you host?
27:45 Jim's take on a longevity conference
29:18 Jeff's dream of a tech nerd-con
31:00 Closing thoughts and wrap up

Keywords
IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, John DelMauro, CyberRisk Alliance, Identiverse, Cybersecurity, Event Planning, Networking, InfoSec, AI in Events, Washington DC, Conference Trends

In this episode of the Identity at the Center Podcast, hosts Jeff and Jim sit down with Tobin South, co-chair of the OpenID Foundation's AI Identity Management Community Group, to delve into the intricacies of identity management in the age of agentic AI. They discuss the challenges and solutions related to AI agents, the role of the Model Context Protocol (MCP), and the concept of recursive delegation and scope attenuation. Additionally, the conversation covers practical advice for developers and enterprises on preparing for AI-driven identity management and explores the cultural touchstone of coffee from various global perspectives.

Connect with Tobin: https://www.linkedin.com/in/tobinsouth/
OpenID Foundation: https://openid.net/
Identity Management for Agentic AI (OpenID Whitepaper): https://openid.net/wp-content/uploads/2025/10/Identity-Management-for-Agentic-AI.pdf
Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at http://idacpodcast.com

Chapter Timestamps:
00:00 – Jeff and Jim banter about unopened iPads and conference season
05:55 – Introduction to Tobin South and his AI identity background
07:00 – How AI has evolved from machine learning to generative models
09:00 – The OpenID AI Identity Management Community Group
10:30 – ChatGPT’s impact on the AI perception shift
12:00 – Users vs. Agents: What’s the difference?
14:00 – Letting the right bots in: AI agents vs. bad bots
17:00 – AI impersonation, delegation, and the risk of shared credentials
20:00 – Impersonation vs. Delegation – what practitioners need to know
23:00 – Governance, oversight, and delegated authority for agents
26:00 – Liability and “who is responsible” in agentic systems
30:00 – How developers can prepare for agent identity and access management
32:00 – Explaining the Model Context Protocol (MCP)
36:00 – Enterprise use cases for MCP and internal automation
38:00 – Is MCP the next SAML?
42:00 – Recursive delegation and scope attenuation explained
46:00 – The one key takeaway for IAM professionals
48:00 – Lighter note: Coffee talk – from Sydney to San Francisco
54:00 – Wrap-up and where to find more IDAC content

Keywords:
IDAC, Identity at the Center, Jim McDonald, Jeff Steadman, Tobin South, OpenID Foundation, AI Identity Management, Agentic AI, Delegated Authority, Impersonation vs Delegation, Model Context Protocol (MCP), Recursive Delegation, Scope Attenuation, Identity Access Management, IAM, AI Governance, AI Standards, Enterprise AI, AI Agents, Identity Security

This episode is sponsored by Aembit. Visit aembit.io/idac to learn more.

Jeff and Jim welcome David Goldschlag, CEO and Co-founder of Aembit, to discuss the rapidly evolving world of non-human access and workload identity. With the rise of AI agents in the enterprise, organizations face a critical challenge: how to secure software-to-software connections without relying on static, shared credentials.

David shares his unique background, ranging from working on The Onion Router (Tor) at the Naval Research Lab to the DIVX rental system, and explains how those experiences inform his approach to identity today. The conversation covers the distinction between human and non-human access, the risks of using user credentials for AI agents, and why we must shift from managing secrets to managing access policies.

This episode explores real-world use cases for AI agents in financial services and retail, the concept of hybrid versus autonomous agents, and practical advice for identity practitioners looking to get ahead of the agentic AI wave.

Visit Aembit: https://aembit.io/idac
Connect with David: https://www.linkedin.com/in/davidgoldschlag
Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at idacpodcast.com

Timestamps
00:00 - Intro
00:51 - Pronunciation of Aembit and the extra 'E'
01:56 - David's background: From NSA to Enterprise Security
04:58 - The meaning behind the name Aembit
06:00 - David's history with The Onion Router (Tor)
10:00 - Differentiating Non-Human Access from Workforce IAM
11:39 - The security risks of AI Agents using human credentials
14:15 - Manage Access, Not Secrets
16:00 - Use Cases: Financial Analysts and Retail
24:00 - Hybrid Agents vs. Autonomous Agents
30:38 - Will we have agentic versions of ourselves?
36:45 - How Identity Practitioners can handle the AI wave
38:33 - Measuring success and ROI for workload identity
43:20 - A blast from the past: DIVX and Circuit City
52:15 - Closing

Keywords
IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Aembit, David Goldschlag, Non-human access, Workload Identity, AI Agents, Machine Identity, Cybersecurity, IAM, InfoSec, Tor, DIVX, Zero Trust, Secrets Management, Authentication, Authorization

In this episode of The Identity at the Center Podcast, hosts Jim McDonald and Jeff Steadman catch up with John Tolbert, Director of Cybersecurity Research at KuppingerCole Analysts, to talk about the rapidly evolving world of Fraud Reduction Intelligence Platforms (FRIP).

They explore:
The six capabilities of modern fraud reduction systems
How AI and machine learning are both helping and hurting fraud prevention
Why shared signals and orchestration are critical for financial and e-commerce use cases
How identity verification, device intelligence, and behavioral biometrics work together
The role of usability and integration in FRI adoption

Plus, stick around for a fun discussion about concerts, classic rock, and which legendary bands they wish they’d seen live.

Listen now to learn how identity, fraud, and AI are colliding — and what’s next for fraud intelligence.

Connect with John: https://www.linkedin.com/in/john-tolbert/
Fraud Reduction Intelligence Platforms - Finance (KuppingerCole Report): https://www.kuppingercole.com/research/lc80841/fraud-reduction-intelligence-platforms-finance
Fraud Reduction Intelligence Platforms - eCommerce (KuppingerCole Report): https://www.kuppingercole.com/research/bc81030/fraud-reduction-intelligence-platforms-ecommerce
Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at http://idacpodcast.com

Chapter Timestamps:
00:00 – Jim’s passwordless rant and setup woes
05:00 – Introducing guest John Tolbert
06:30 – Catching up: four years since John’s last appearance
07:30 – What is CIAM and how has it evolved?
09:30 – Understanding Fraud Reduction Intelligence Platforms (FRIP)
10:00 – The six core capabilities of FRI solutions
13:00 – Are most vendors point solutions or full platforms?
14:00 – How identity verification is improving
16:00 – SaaS and API-driven fraud detection models
18:00 – What kinds of fraud can (and can’t) FRI prevent?
21:00 – The growing problem of bots and automation
22:00 – Fraud trends in finance: scams, account takeovers, and synthetic identities
25:00 – Information sharing and the role of shared signals
28:00 – Collaboration vs. competition in fraud prevention
31:00 – Fraud in e-commerce: bots, loyalty points, and returns abuse
34:00 – Streaming and citizen fraud use cases
36:00 – Where do FRI capabilities fit within IAM platforms?
43:00 – The importance of orchestration and integration
44:30 – The role of AI and ML in fraud prevention
47:30 – Smart questions for evaluating FRI vendors
50:30 – Concert talk: Pink Floyd, Metallica, and the ones that got away
58:00 – Wrap-up and where to find John Tolbert’s reports

Keywords:
Fraud Reduction Intelligence, FRI Platforms, John Tolbert, KuppingerCole, Identity at the Center, IDAC, IAM, CIAM, Cybersecurity Research, Fraud Prevention, Machine Learning, Artificial Intelligence, Behavioral Biometrics, Device Intelligence, Identity Verification, Risk Orchestration, API Security, Financial Fraud, E-Commerce Fraud, Shared Signals, Jim McDonald, Jeff Steadman, IDAC Podcast

Jim McDonald and Jeff Steadman sit down with Mike Reiring of RSM at InfoSec World 2025 to explore how managed service providers are reshaping IT and identity operations. They dig into the differences between MSPs and MSSPs, how to choose the right partner, and how AI is transforming help desks, problem management, and security monitoring. The conversation closes with a fun dive into Mike’s passion for photography and how creativity ties into continuous learning in tech.

Connect with Mike: https://www.linkedin.com/in/mreiring/
Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at http://idacpodcast.com

Chapters
00:00 Intro – Live from InfoSec World 2025
02:00 Meet Mike Reiring of RSM
04:30 Evolution of Managed Service Providers
06:30 Shared Accounts, Identity, and Security Maturity
09:00 Vendor Gaps and Federated Access Challenges
11:30 What Makes a Good MSP Partner
13:00 The Cost and Effort of Changing Providers
16:30 MSP vs MSSP – Key Differences
18:30 Coordination Between Managed Providers
21:30 Top 3 Questions to Ask Your MSP
25:00 Identity Ownership: IT or Security?
27:30 Licensing, Active Directory, and Hidden Accounts
30:00 RFP Challenges and Procurement Pitfalls
32:00 Measuring Risk and Reducing Identity Exposure
34:30 Vendor Management and Shadow IT Risks
35:00 How AI Is Transforming MSP and MSSP Operations
38:30 AI, Problem Management, and the Future of Help Desks
42:30 Photography, Creativity, and Continuous Learning
48:00 Closing Thoughts and IDAC Outro

Keywords
IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Mike Reiring, RSM, InfoSec World 2025, Managed Service Provider, MSP, MSSP, AI in Cybersecurity, Help Desk, Identity Management, Managed Identity, Partner Transparency, IT Outsourcing, Risk Reduction, Problem Management, Active Directory, DaVinci Resolve, Photography in Tech, Identity Governance, Cybersecurity Podcast

In this episode of the Identity at the Center podcast, hosts Jeff and Jim broadcast from InfoSec World 2025, sharing lively discussions on identity management, AI security, and identity's evolving role in information security. They are joined by Ross Young and G Mark Hardy, co-hosts of the CISO Tradecraft podcast, who share their journeys into cybersecurity, illuminating how identity intersects with cybersecurity topics like deep fakes, AI implications, and non-human identities. The conversation also covers practical advice for securing budget approvals for identity projects and speculations on the role of AI in cybersecurity's future. The episode wraps up with each guest sharing personal ideas for potential new podcast ventures.

The CISO Tradecraft podcast: CISOTradecraft.com
Connect with Ross: https://www.linkedin.com/in/mrrossyoung/
Connect with G Mark: https://www.linkedin.com/in/gmarkhardy/
Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at http://idacpodcast.com

Chapters
00:00 Introduction and Welcome
00:16 Live from InfoSec World 2025
00:52 Shoutouts and Day Jobs
01:37 Meeting Ross and G Mark from the CISO Tradecraft podcast
02:22 Ross's Journey into Cybersecurity
04:24 G Mark's Cybersecurity Career Path
07:44 Top Concerns for CISOs Today
09:53 The Role of Identity in Cybersecurity
16:18 Challenges and Trends in Identity Management
24:33 Pitching Identity Projects to CISOs
32:21 The Role of AI in Automating SOC Operations
33:23 AI's Impact on Developer Efficiency
35:48 The Future of AI-Assisted Coding
37:42 Challenges and Opportunities in AI and Cybersecurity
39:46 The Importance of Human Expertise in AI Development
48:17 The Role of Identity in Information Security
49:44 Introduction to CISO Tradecraft Podcast
55:24 Podcasting Tips and Personal Interests
01:00:48 Conclusion and Final Thoughts

Keywords:
Identity at the Center, IDAC, CISO Tradecraft, InfoSec World 2025, cybersecurity leadership, identity security, IAM, AI security, Jeff Steadman, Jim McDonald, Ross Young, G. Mark Hardy, InfoSec, CISOs, cyber career development, non-human identity, deepfakes, security automation

This episode is sponsored by Nexis. Visit nexis-secure.com/idac to learn more.

In this sponsored episode of *Identity at the Center*, host Jim McDonald sits down with Dr. Heiko Klarl, CEO of Nexis, to explore how the company is advancing authorization governance for modern enterprises. Dr. Klarl explains how Nexis builds visibility and control across fragmented identity landscapes and why “better together” is the right strategy for enterprises with multiple IAM systems.

They discuss the emerging Identity Visibility and Intelligence Platform (IVIP) category, the value of automation and remediation in governance, Nexis’s unique “health check” service, and their ISPM capability that helps clients identify unnecessary access—and even save on software licensing.

Learn how Nexis integrates with IGA and PAM tools, streamlines application onboarding, and helps customers measure the real business impact of their identity programs.

Connect with Heiko: https://www.linkedin.com/in/heiko-klarl/
More about Nexis: https://nexis-secure.com/idac
Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at idacpodcast.com

Chapters
00:00 Introduction and Sponsor Message
00:42 Meet Dr. Heiko Klarl, CEO of Nexis
01:29 Dr. Klarl's Journey into Identity and Access Management
03:09 What Does Nexis Do?
05:00 Challenges in Authorization Governance
06:43 The Importance of Visibility in Identity Systems
08:23 Nexis' Role in Enhancing Existing IAM Investments
10:05 The Concept of IVIP and Its Relevance
21:48 Nexis Platform Capabilities
23:24 The Health Check: A Deep Dive
27:22 Understanding Health Check Costs
28:27 Exploring ISPM and License Management
32:09 How Nexis Integrates with IGA Systems
34:11 Application Onboarding and Compliance
36:38 Measuring Value and Success with Nexis
43:10 Global Reach and Market Focus
45:02 Connecting at Conferences
46:49 Visiting Germany: Recommendations and Insights
50:17 Final Thoughts and Resources

Keywords
IDAC, Identity at the Center, Jim McDonald, Jeff Steadman, Dr. Heiko Klarl, Nexis, Nexis Secure, NEXIS 4, authorization governance, role mining, role management, IGA, IAM, IVIP, Identity Visibility and Intelligence Platform, access certification, remediation automation, health check, ISPM, Identity Security Posture Management, license management, enterprise identity, compliance, visibility, identity governance, access review, Gartner IAM, EIC, KuppingerCole




