
#202 - Trust in Identity with Eve Maler

Mar 06, 2023 · 59 min · Ep. 202

Episode description

Jim and Jeff talk with Eve Maler, Chief Technology Officer at ForgeRock, about trust within the context of identity and access management (IAM) and discuss that trust in three different areas: trust in the practice of IAM, trust and bias, and trust in IAM vendors.

Connect with Eve: https://www.linkedin.com/in/evemaler

Learn more about ForgeRock: https://www.forgerock.com/

ForgeRock Community - CTO Lounge: https://community.forgerock.com/c/cto-lounge/6

Explain AI: https://explainai.org/

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at idacpodcast.com and follow @IDACPodcast on Twitter.

Transcript

This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. So if you're a beginner or an expert or anyone in between, you've found your new home. Welcome to Identity at the Center. Now your hosts, Jim McDonald and Jeff Steadman. Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey Jim. Hey Jeff, how are you? Not so bad, yourself? Good. You're laughing because you see me smiling. As you know, I got something funny.

Something, do I don't know. It's funny. You've been on a roll of a whole bunch of downers recently. So hopefully it's funny. Yeah, yeah. Well, I think this one's kind of funny, so I normally don't do this, but I mean everybody knows this is the trust in identity talk with Eve Maler, so Eve and I got together a little bit earlier to talk about what we're going to talk about and we came up with an idea, which is that everybody's going to think we're going to talk about zero trust, right?

As part of trust and identity, and we came up with a drinking game idea. So anytime someone says zero trust on this episode, you've got to do a shot. But if we're not talking zero trust, then nobody's going to be drinking, or is that the intent? Well, the idea is that I think somebody's going to say it at some point. But yeah, I mean the intent. Probably the best thing for you is not to be doing shots, because I asked you about what you're going to do tonight. And by the way, it is Friday.

So it's Friday night and you're going to be working on statements of work. So yeah, it's a funny Friday, we shots. Yeah, I'm currently in Boston, still recording from a hotel room. And yeah, I will be working on statements of work, which is a good thing. That means that, you know, people are engaging with us to do stuff, not going to complain about that. Not the most exciting Friday,

but that's fine. And yeah, and then I fly home Saturday and then I think I turn around and fly back out on Tuesday, so I've got a pretty busy schedule. Actually, for travel, I think I'm on the road every week until the end of March right now, and for those traveling men. Yeah, I'm a traveling man. And right now, today is

February 17th. So I think when this goes out, it'll be a couple weeks later, but that's probably part of the reason why I'm traveling so much, as we're recording kind of working around that travel schedule. So, good times. Yeah, I was going to make a comment about your background, and it being so cool for a hotel, like most hotels don't have ceilings that look like that.

It looks like you're out of a ski lodge or something, but actually, it made me reflect on, I was on a couple calls this week with identity and access management professionals. And it seems like 50% of people in identity and access management play instruments, primarily the guitar. And I mean, what better guest to have on the podcast than Eve Maler, when we're going to talk about, you know, playing rock and roll and doing identity and access

management. Yeah. ZZ Auth fame. So, you know, it's cool to have her on and she can bring her golden pipes, I think, to the episode. Before we get to that, we're going to be at Gartner in a couple weeks, right? So we're going to be on stage and hopefully having a very interesting and different show than maybe people are used to at Gartner, when we talk with Enrique and Becky. It's on. I know you think it's going to go... I think it's going to be fantastic.

I mean a lot of the questions that the community has already sent our way are really good. I think, to your point, you pointed out in an earlier episode the idea that a lot of the questions are coming from the same angle. So we're going to have to combine those, because we only have like a half hour on stage, so we can't ask 20 questions. But if we get three or four or five really good questions, I think it'll be fantastic. Then, of course, hard questions.

Do not just softballs, right? Exactly. Yeah. Not like we do on the podcast, right, but it's going to be more like Meet the Press. No, I mean, of course, professional, of course, diplomatic, right? All that stuff, but hopefully questions that you haven't heard before, asked and answered, you know, millions of times before in different ways. Yeah. I'm trying to find another conference, but good, different. I'm excited about the

conference. I'm also excited about the Identity at the Center community event that we're going to be holding on Tuesday night. So anybody who is a listener of the podcast, a regular listener, wants to get out and meet Jeff and me, meet other people who listen to the podcast, please reach out and make sure that we get you that registration link so you can sign up. I think space is going to be somewhat limited. So why should they get a hold of

you, send a message on LinkedIn? I think the best way is to send a message on LinkedIn. I mean, we might just throw the link right on LinkedIn, but I'm a little worried about that turning into some kind of spam bot program. You know, we wind up getting, I just kind of, thousands of stuff like that.

Yeah, yeah, exactly. So, all those kinds of things, but best case, I think, just reach out to me and you and, you know, anybody who's out there listening to the podcast on a regular basis, we'd like to confirm you anyway. You're personally invited. How about that? All right, why don't we get to our topic, which is trust in identity. We've got Eve Maler again; she's the Chief Technology Officer at ForgeRock. Welcome back to the show. Eve, it is such a pleasure to be

here, guys. And I guess I'm going to see you at Gartner because that's kind of around the corner for me. Yeah, exciting stuff. And maybe if we get lucky, we might even hear Sabrina, who I hear is traveling with you. She is currently traveling with me. That's my little Pomeranian Chihuahua miniature poodle pup. So we'll be lucky if we get to hear that. We always encourage our guests and their pets to come on. And we have yet to have one make a peep on the show.

So yeah, that's not that bad. Yeah. Now for sure it'll happen, right? Well, so we were looking back into our many archives of shows now, and you've been on the show now three and a half times. You were way back with us very early on, episode number 48, we talked about, um, episode 116, we talked through the ForgeRock Consumer Identity Breach Report, which is a really fascinating

report. So I'm looking forward to the next one that comes out, and then we did also obviously today, but the half episode is the one we did around, what is the difference between digital identity and identity and access management? And we asked identity friends, you know, what was their take on it, and you were kind enough to send in a response. What I want to do now is actually play what you said, and this would have been 50 episodes ago now, roughly, so almost a year.

These are busy. Yeah, we're not so over here. So I'm going to play it and let's see what you said, and then we're going to see if your viewpoint or answer has changed. Let me play that clip now. Identity language has been a contentious subject for a long time. Thinking back to the beginnings of IIW, the Internet Identity Workshop, the original effort by that community was to actually develop a lexicon, a comprehensive lexicon. It was tough going then, and I think it's always tough going in this area.

How I see digital identity as a phrase is that it applies to the users of, or the interactors with, identity technology. And I see IAM as being about the implementation of identity technology in whatever guise. So, when it comes to digital identity, kind of the user perspective, you know, most people interact with identity in a way that actually isn't all that pleasant. Identity theft is probably the first thing that

comes to mind. And a lot of times that interaction is actually in an offline fashion versus an online, runtime authentication, for example, fashion. When it comes to IAM, that term itself is a bucket for a lot of other different things, and sometimes they overlap. But in IAM, sometimes they may be a little bit apart.

So identity management, kind of the life cycle considerations; access management, really all the runtime considerations; and also governance and administration, which gets into the world of really operational things. And there's this phrase that I really like lately, BOLTS, which is business, operational, legal, technical and societal.

So that's kind of the game that you get into when you talk about both the above-the-water user considerations and the below-the-water implementer considerations. One of the things that I find when I just talk with ordinary people out there who don't do what I do, about what you could call the jobs to be done of digital identity, is that all of the things people expect to get from this sort of technology cross-cut with things businesses want as well.

You know, I have a new Venn diagram about this where I think in terms of protection, and personalization, and payment, and people, so there are unique needs among all of those categories and they cross-cut quite a lot of things. Like achieving security is actually something that's welcomed by people and by businesses; it applies across all of the identity language. Okay, so a couple things there, Eve. One, I love that you called other people ordinary people, not weirdos in

the identity space. Second of all, have your thoughts on, you know, what you said there changed at all, evolved, or do you still think they hold true? Um, I still represent those remarks, I suppose. I would say my understanding of the distinction between the user perspective and the implementer perspective has deepened.

Since, you know, since that time, you guys know I run the Innovation Labs here at ForgeRock, and, you know, I've been working with this great team, and all last year we were putting together a kind of fully articulated long-term vision so that we could be the change we want to see in the world for our customers and for their users, and the topics all broke out really neatly into identity users and identity implementers.

And I think empathizing with users and interactors is something we can obviously do more of. It's one of the toughest things to do, and when I go out to speak with our customers, who, you know, tend to be large enterprises, many of them have June's for the next hundred years because some of them have been around 100 years. And, you know, here they are doing digital transformation and everything, and they do care a lot about the

implementation, right? They want to do that right. But the reason they do it is for all the people who interact, whether it's workforce or consumer or whatever. So I kind of find that split useful in my daily job, so that's good. So we're still on the same path. What I thought was interesting about that clip was, and I still say to this day, when we got all the answers back, it seems like everybody in the identity space had a different answer, and I liked them

all, right. I listened to them. Yeah, that's good, that's good. No, I agree with that one. Well, this works, right? Them? No, I don't want to Force Franco. Well, that's the interesting part, right? Nobody was wrong. Like, I felt like everybody was right. And I think that sometimes, you know, speaks to maybe a little complexity sometimes and the nuance that gets lost in identity conversations, and that context matters. And, you know, where do you?

You know, what is your definition of digital identity compared to IAM, right? That was the question, and everyone's got a different viewpoint. What I did find interesting was the one person who sent in their response, Adam from Texas A&M. He's not an identity vendor, reseller, consultant, right? He's running it in the real world, as I'll call it. Yeah, yeah.

Doing identity for, you know, for real things, and he had a totally different answer than everyone else. Again, not wrong or not right compared to everyone else's, but it was just a totally different definition. So it was fascinating. Correction. Yeah, how it all worked out. We're going to talk about trust today, and I think before we get too far along, I'm not going to say the Z word, because we're not talking about that.

Not only way to get drunk floor there, you know, pull over to the side of the road. You know, dude, do bad things or maybe. And what I'd like to figure out first is, you know, that definition. What are we calling trust? Like, how do you define it to people that you interact with? It's so tough. I actually had a really good conversation with my bass player back

when I was in Seattle about this. He was a psychologist by training, and he defined it as just, you know, sort of feeling like you had a guarantee of somebody's next behavior, and it didn't necessarily mean good behavior. Like, you know, if somebody in your family, you know, constantly got drunk or whatever and, you know, acted badly, you could trust that they were going to do something, right? And that's not necessarily a good thing.

I thought that was interesting, but in our line of work, you know, I think people sort of keep on trying to steer around the word because it just means so many different things to different audiences. We pick different words like assurance, right? So recently I was speaking, I guess it was at TI C, on what it means to package ethics into a technology stack. And I had found a couple of different definitions, and I think these are my two favorite

definitions. One of them comes from Rachel Botsman, who's an expert in digital trust. And she did this TED Talk on how we've stopped trusting institutions and started trusting strangers. And her definition was: trust is a confident relationship to the unknown. And I kind of like that one because I think, particularly from the perspective of the individuals that we serve, so kind of like those identity users, I think it talks to what they're looking for.

They want sort of certainty, some level of certainty; maybe it harks back to my bass player slash psychologist. But there's another definition that I liked and I like to pair with it, and this comes from my colleague Allan Foster, who many folks know, and his definition is: trust is shared vulnerability to consequences. And I think this one's important in a certain way; it puts an onus,

first of all, on the non-person entities in the equation. You can sort of, okay, if it's shared, or you can even imagine like an employee-employer relationship. You know, it has to be shared. That's what contracts try and do. It covers even business-to-business notions of trust, and it points the way towards figuring out, this is one of my favorite subjects, the incentives in an ecosystem.

Because if you can figure out who's invulnerable to the consequences, that incentivizes bad behavior. And I was thinking about this a little bit when I was listening to your great podcast with Sarah recently, because you guys were talking about the tension between enabling anonymity online for, you know, being able to make comments, you know, for people who are in tough situations, and the desire to authenticate to protect against that invulnerability to

consequences. So that's what I like to think about. Well, what's the real job to be done here? Thinking about, you know, the product management framework that I mentioned before, you want to ensure that the real goal, the quarter-inch hole in the wall versus the quarter-inch drill bit in the situation, is to ensure everyone has consequences for bad digital behavior, and that includes for people, which is why we authenticate now. But, you know, there are people proposing

different ways to do that. So anybody who tuned in to this podcast hoping to hear about trust between Active Directory domains or something technical like that has probably already stopped the episode, right? We're going to be talking about a different kind of trust. We're not going to talk about zero trust. Drink up. This will be my third drinking game, by the way, actually fourth, because I invented one about passwordless yesterday.

Okay, okay, well you're on the right show, so we're going to talk about trust in three different stovepipes, if you will, or three different contexts. So it's trust in the practice of IAM, trust and bias, and trust in

IAM vendors, and by the way, you work for one of those, so you're the perfect guest to talk about that. But I think first and foremost, you know, we're going to talk about that trust in the practice of IAM. And how could we not talk about self-sovereign identity and verifiable credentials? I think trust is a major thing that needs to be talked about in those two topics, don't you? Just go ahead and riff. I mean, I know this is something you think a lot about. I like riffing.

I don't play guitar, though. Yeah. And, you know, you're referring to, you know, AD trust, kind of trust domains. People often in our line of work put things into buckets: technical trust and business trust. And really, what I think decentralized identity tries to do is to sort of marry those, in a way. I mean, like I was just talking to folks from the Trust Over IP

Foundation, where that's literally what they're trying to do. They have two stacks that unify; that's what they're trying to do. But like, even with technical trust in the mix, I can't help but get a little bit philosophical, because, you know, if you look way back to kind of like the beginning of the really exciting blockchain conversation, that was my first drinking game, it was about making things, quote, trustless.

Some people put it that way. That was kind of how a lot of these conversations started, and that is ironic with respect to that zero thing: trustless, trust-free, now with zero. Hey, I've got this shot right up to my lips at the moment. I am so going for a drink Friday night. I don't write statements of work, I'm just saying, guys, but it sounds like a lot of fun.

So, decentralized architectures generally are, you know, they're making a pitch for evenly distributing vulnerability to consequences, and I might describe that as, you know, more like resilient mutual trust, or a better job of mutual trust, something like that. Here's the challenge in decentralized systems. There's always the possibility, indeed it's kind of a likelihood, that over time, sometimes very quickly, you get what I call insidious re-

centralization, which messes with the incentives in one way or another. So through exchanges, through aggregated services, you look at the crypto world, and you can imagine looking at that in light of decentralized identity, verifiable credentials. And so that verifiable credentials world, it kind of makes a run at being able to trust that something was issued properly, some piece of information was issued by somebody you care about, and, you know, exactly, yeah, I'd go for that.

I believe that, and also making services more trustworthy, I can't say that without sort of air quotes in this particular show, for example, through a technique of revocation, allowing somebody to share a piece of data and then pull it back in a technological sense, not making a, you know, right of erasure request. You know what I'm saying? Unfortunately, you know, even sharing a few little pieces of information, they're very likely to be correlated.

Well, it doesn't take much, and that's a kind of insidious re-centralization that it's easy to kind of just sort of skip over in our thinking. So I think we still have a tough road ahead of us in improving things. We have to be very careful how we implement, and very careful how we set up systems, and very careful how we set up ecosystems.

Yeah. How we implement kind of segues into my next question, or my next topic, which was really thinking about organizations or IAM practitioners trusting their IdPs, so whether it's an on-prem product or a product in the cloud, to authenticate users and to do it with high levels of certainty that their systems are letting the right people in, not the wrong people. But there's an aspect of

configurability. So, even in the cloud, you can set your own password policy, things like that. So it's kind of a shared responsibility, right? It's not like I trust them to do the job for me. There's still some of it that falls back on the practitioner, the organization. Yeah. So let me ask, are you thinking about workforce users when you talk about that, or just any kind of users? I think it could be any, I think it could be any.

So I mean, obviously I think the responsibility does go in kind of all directions. And what's interesting is giving choice to end users doesn't have to drain assurance out of a system. I mean, that's one of the things that NIST 800-63 is, shared language about, you know, the quality of some authentication that's been made or the quality of all the backing systems.

And so I think that you can give choice in that context in a really interesting way, and by the way, giving choice to users is a way of giving them that confidence. And I would say, allowing them to trust you, being trustworthy, because all anybody really wants is convenience and value and control. So if you can give them some control while assuring yourself that, you know, quality hasn't degraded in, you know, how you're testing them, I think that's super powerful. I'm not something.

You know, it's something we do actually inside ForgeRock with our own, how we log into our own systems, allows a great deal of choice, including like FIDO authenticators. So I put the fact that you're going to be on the show out on the IDPro Slack channel, and friend of the show Simon Moffatt, who, by the way, I'm sure you remember, is a former ForgeRocker. Yeah, yeah. He's a friend of ForgeRock too, to me.

Yeah, friend of ForgeRock too, and he commented on that topic that I was mentioning that the user trust of the IdP is an even more interesting question. And so my question is, how do IdPs become more trusted by users? So how do you move that bar, move that line? And, you know, thinking of it from a practitioner perspective, I always go down to kind of like the basics. So, is this getting to the point of saying that if I have stronger controls by, you know, requiring things like MFA,

now I'm going to increase my level of trust with the user, right? Is that kind of what he's getting at, or is there something beneath the surface? I thought it was an intriguing question, and I really, you know, shout out to Simon for a very intriguing question. I do think, you know, people aren't generally aware of, you know, what an IdP is; they probably don't really know how to spell or capitalize

IdP. They do have relationships with service providers, and the service provider might be in an IdP role, might be an architectural, and people's relationship with their service providers in their life is kind of changing, and people are getting more suspicious, cynical, savvy, and there was, I had a great opportunity to do a white paper along with OneTrust.

And one of the stats that we were quoting from there, this is from a couple years ago, Edelman is the PR agency, huge PR agency, and it does this annual trust barometer, which seems relevant to this conversation. And so from a couple of years ago, they found that 60% of the respondents were saying that their default tendency is to distrust something until they see evidence

that it is trustworthy. So that, I mean, that's kind of a number to put to my assertion, and forty percent of the respondents said there are brands they love but no longer buy from because they don't trust them. Now I'm one of those 40 percent, at the high plurality, right? A recent survey for Magna and catch found that 74% of respondents highly value data privacy. And this was about 20 percentage points more than other modern ethical issues of the day, like sustainability.

And I think it makes sense to me because it could personally affect you, right? It can mess up your life if you can't rely on some of these things. So I do think there's a role for how practitioners implement these systems, and there's an awful lot to do with the experience design, which is part of the implementation of identity, no question about it. It's also about ensuring there's auditability and transparency. For some time

now, I've talked about this kind of, I don't know, modern data privacy 2.0 pyramid of things that kind of make up privacy, and at the bottom is data protection. You know, that's what the original Data Protection Directive in Europe was called, and what they meant by privacy, but we've piled more stuff on as requirements. So in a modern kind of GDPR, and all of its cousins, era, data transparency, you know, what you tell people

you know about them, what you tell them you want from them, is, you know, becoming equally as important. It's starting to be mandated. And then, at that tippy top, is data control. What controls do you give people? What choices do you give people? And all of that adds up to different kinds of knobs and buttons and, you know, switches that you can use to engender trust from people. That was a good question by Simon.

I think it's very nuanced. I don't want to build him up too much, because he also asked if you get royalties on SAML integrations, and I was thinking, like, how amazing would that be? That would be amazing. But, you know, we wouldn't be talking to you if you were... Here, world, here, have a standard. And of course, you know, in 2001 when we finished version 1 of SAML, we're like, see, world, here it is, go use it, but you may now begin, and it took till like 2005.

So I learned this lesson, that I live five years in the future, but yeah, no royalties. That's why, you know, I'm sorry for you, but it's lucky for us, because we probably wouldn't be talking if you were, anybody was. I guess that speaks to, like, just, you know, the open source of having open standards, why they were so important, to not lock behind, you know, some sort

of cost, I think. But I just thought that was funny. I mean, you know, I did write a book once, on SGML, the precursor to XML, which, you know, we used in SAML and other things, and I did get royalties off of that, and it wasn't enough to retire on, I can assure you. Although with the advance I

bought a pool cue at the time. I was playing a lot of billiards, I'm not good, but that was what I chose to do, and I was working for a company in Ann Arbor, and this was before all the constraints, and I could like walk onto a plane with a pool cue under my arm. So it's kind of cool. My story of royalties. Yeah. No. That part, kind of like if you were getting royalties from SAML, it kind of reminds me of that scene in Office Space where Peter's like, you know, the penny

tray. Well, that's where people are taking full pennies. I'm only talking about a fraction of a penny. So yeah. Yeah. Out of two. So back on, like, my very simple level of thinking, I think you kind of went way deeper, but I did have a follow-up to that, which was I've heard people make this statement that having passwordless somehow makes people feel like it's less secure. I think if somebody thinks it's less secure, that would reduce their trust.

So what do you think of that? I did have some experiences, and this is back when I was at Forrester, and I had some conversations with some financial services folks. And I think certainly experience has more recently borne this out as well. Certain folks that you're trying to protect, like high-net-worth individuals,

for example, can become very suspicious if they just sort of silently get into their service, and, you know, I had heard of hard tokens, you know, authenticators, being used with that population specifically to, like, give them confidence that everything was safe. I do think that it's going to end up being sort of experiential and generational over time. You know, like the conversations I used to have with people on planes 10, 15 years ago about,

what do you do? Well, you end up, you can talk to Sarah, you hear of users and passwords. I do that. It was like, then you have the conversation about how much you hate passwords, and that kind of still happens now. But more often I run into people these days who use password managers, who have a password strategy, and I've always likened it to,

well, you have a house key strategy, you know. So more people have a password strategy because they see what's going on. They've gotten more savvy about that, and I do think that as those service providers, IdPs, provide visible assurances to a user about, you know, the personalization aspect, you know, in the little clip you played,

I was talking about this Venn diagram, where I've got, you know, protection and personalization and payments and people. Personalization can be valuable mutually, and ensuring that that person knows that you know who they are, and they know who you are, and, like, you know, that actually helps you build the relationship between you; that's valuable stuff. And so, I think there's lots of ways to do that, and passwordless experiences,

as you know, we see them in their best expression with, you know, really well-orchestrated journeys, will give those signals, I think. So I think it's going to be possible to do. I don't know. I was just talking with folks this week, saying, you know, how movies started to have this, like, modern TVs have this faster frame rate than they used to, and movies start looking really weird. You know, they did it so they can capture sports action. And yet now it makes movies look

like bad soap operas. And I really hated that and, you know, sort of argued with my husband about, like, what frame rate we should set, and will forever is how you knew you were watching a soap opera, because we do it different than anything else. I'm a high frame rate fanatic, I love 60 frames or more, but I get the purity of a 24 or 30. There was also, like, you know, I'm thinking of, like, Monty Python sketches, because they only used film when

they went outdoors to record. So you can tell whether it's indoors or not, just from that. But in any case, my point being, people can get used to the new paradigm, I think. And I think, as long as those signals are there, presented to them, I mean, authentication is moving in that direction that Bob Blakley called 20 years ago. You know, from authentication to recognition, being recognized in a non-creepy, respectful fashion is going to become the way of

doing things. And I think, you know, I was a skeptic ten years ago, literally ten years and a couple months ago. When I was at Forrester, I wrote a blog post called "Kill Your Password Policies." Because, remember, Mat Honan was on the cover of Wired with the long read that was about how he got hacked, and passwords were a nightmare and blah, blah, blah. And that was all true, and it is true.

And my reaction then was, I think it's going to be really hard to root out static shared secrets, really hard, so in service of a better experience, get rid of those stupid password policies that are doing nothing. You know, bit strength is not helping us, essentially.

And now we all know that, and NIST took it out of 800-63, actually, and so we're in a better place now and people have learned, and now we're on to MFA prompt bombing. But I do have to remind you that Venn diagrams were the original IAM drinking game. So remember, Venn diagrams, wasn't there a drinking game around Venn diagrams? How did I miss that one? No, I'm kind of tongue-in-cheek saying that, but it was like Venn

diagrams were everywhere, and like at every IAM conference, right, people just love the Venn diagrams. I would say identity sea shanties 1.0. So you know what this whole conversation gets me thinking about, trust is really not a black-and-white issue, right? Because there are times where I had that low assurance requirement to access a website, to, you know, get access to my

son's baseball team's website. I will tell you, though, when it says, do you want to save this credit card? Like, heck no. Heck, no. Do I want to save my credit card on this website? But, you know, just kind of that level of trust is not always the same, whether you're talking about, you know, high-risk assets versus low-risk assets that you're trying to access. And Lorraine all'd from the IDPro Slack channel threw out a question. She wanted to get your thoughts

on the NIST 800-63 draft, the draft revision 4, which, you know, is the level of assurance guideline from NIST. So what are your thoughts? Yeah, and that's a great, great question. We've definitely been digging into it. We're not done digging into it, you know. It's getting better and better for sure. You know, I referenced getting rid of the appendix from rev one. I think going to rev two, the whole thing about,

well, make sure that it's, you know, super strengthened, and learning that that wasn't, you know, in the top five list of things we want to do. The initial thoughts that I have around ways to comment mostly have to do with finding ways to give guidance around that notion of fine-grained, contextual, adaptive, intelligent, dynamic assurance levels, and for a long time I've called this Ela a pie, like, you know. No.

How do you get into the cracks of the keyboard when it comes to levels of assurance and figure out how to make it more dynamic? And that makes me first of all think of AI as a technology and technique to apply, and maybe we'll talk more about that. But I actually went over to talk with folks who are familiar with one of our UK government customers, who's kind of in the same boat

as, you know, the direct customers of NIST, to say, do you have any recommendations? And what I found was this particular UK government customer has what they call a transactional risking model, and I quite like it. It goes into more depth on transactions and sessions and on behavior and on operational rules, and, you know, maybe that'll come by rev 7, I don't know. It's like something that, you know, they keep on deepening.

But that whole kind of dynamic thing remains a hot topic. It will continue to be a hot topic. So you mentioned AI, which is a hot-button word for me. I'm a big fan of all the different tools that have come out and the democratization of being able to leverage technology like that. And you mentioned bias, and where are these tools being developed, what are they trained on, right? What's it being trained on? Let's take ChatGPT, right? We've been talking about this.

We should just call it AI at the Center at some point because we keep... ChatGPT has been, you know, basically learning from the internet up through, I think, 2021 is what its data says it's good for, and based on what it's been learning, there are still some questions around bias. Where do you get answers from, and are they accurate? Which I think is probably the most important thing, is the data fact or not. I ran a little experiment on myself, typing in, like, tell me about me.

First of all, it didn't know who I was. Like, all right, well, thanks, dude. So I had to give it the core pieces, okay? Right. Say, oh, I work at RSM, I host Identity at the Center, they do that, Jeff Steadman. Okay, great, cool. And then it started spitting out some stuff, and some of it was not true. Apparently I've been promoted, apparently I am a partner with RSM, so I'll run with it. Thank you very much, right? Yeah, exactly. I started skating.

Yeah, exactly. And then, me being part of other industry groups, identity ecosystem, never even heard of that thing. I certainly support IDSA, for example, but I'm not a member of it, and it just leads me down this path of, okay, well, you know, it's one of those things where I get so excited, I'm like, this is gonna be so cool when we figure it out and when we can trust it, and that bias is still there, that lack of transparency of where the data

is coming from. You know, if it was something like, oh, well, this is where I pulled it from, for example, I can go and correct that piece of information. So it's not citing it, which I think is a little bit different than what Bing has. Microsoft Bing has announced, and I'm part of the beta, so I actually get to play around with, you know, the ChatGPT integration within the Bing search, which I would never use,

you know. Yeah. So I know Sydney, the code name, and they have actually taken a pretty unique approach where they actually cite, in the answer, where they're pulling the information from. So it'll say, well, here's the answer, and then we'll give a little, you know, footnote to say, okay, well, this part came from this website and this other part came from this other website. But you're still dealing with,

okay, well, why did it pick that website versus another website, and that bias that exists. And I'm just curious, where do you see this going from, like, a bias and a trust perspective on that AI side of the world? Because it seems like that's a little bit counter to what we want in security, which is this binary decision, right? Either you're good or you're bad, and there isn't a lot in between. I mean, I think it's possible, first of all, so those are the last little thing

you said, it's possible for us to start answering those questions of you're in or you're out in a more fine-grained way, and to change our decision more often. And I think, you know, there are different kinds of AI, and large language models are a kind of AI that, you know, it's practically Mad Libs, right? It's filling in blanks, and it's using the data that started out, you know, written by humans, who may have been incorrect, or lying, or whatever.

And so it's not meant for the purpose of being true, and we'd have to ask it to do a lot of things to assure ourselves that something is true. And there's a lot of usefulness even with that. I mean, there's plenty of, you know, I don't know, junior reporters writing things, getting things wrong and needing an editor, right?

It's not so surprising. The key, I think you put your finger right on it, is there's a branch of AI literally called explainable AI, XAI for short, and I think it's really important, if at all possible,

for adopters of AI technology to strive for explainability. There's another term, interpretability, which means more like, you know, it's properly understood. If you think about, like, meaningful consent guidelines and sort of like that, you know, did somebody understand what you're telling them, where you got the information. So I think my colleague, Steve enema, happened to just publish a really nice post on the ForgeRock community.

So community.forgerock.com, if you want to check it out, called "Creating Trustworthy AI," as it happens, and he's partly relaying some of the good work that NIST has done here. So they have a Special Publication 1270, "Towards a Standard for Identifying and Managing Bias in Artificial Intelligence," and other work.

So that special publication lays out a bunch of examples of, you know, concerning results in AI. And where we come down on the advice in that post is, you know, yes, harm can be real. Familiarize yourself with explainable

AI and interpretable AI. Of course, you have to make ethical management of consent around sharing data, using data, and the storage of data, you know, data governance, a guiding principle. And these are the sorts of things that will increase confidence in, I would say, really every kind of AI. And so the kind of AI that, you know, we specialize in, I would call it intelligent decisioning, and decisioning in identity is largely about

authorization, although not always. It could be finer-grained, like, you know, allow them to cut a PO of this size but not that size, or, you know, step up and test them harder if they try and do this other thing, or in circumstances that look suspicious. You know, that is kind of funny. It's like, my CEO friend Raj talks about, you know, what seems like a dumb tool, without that help, can become a very smart tool. I mean, and even that means

explainability. And that's a stance, that's a principle that we uphold in what we do. When you're doing any kind of decisioning, you always want to be able to sort of bottom out with some sort of human oversight. So I recommend people take a look at that post, just for kind of an overview of the current state of the art and to get advice. Yeah, if you can send me the link, I'll be sure to add it to our show notes for people to check out.

Absolutely. I had a question, and maybe it sounds stupid, but maybe it's not. Would we even recognize bias? How would we even recognize it? I think it's quite difficult. The post relays some discussion there as well, from a different, I think from a different NIST document, if I'm not mistaken, about the ways that people fool themselves. I mean, you know, human beings are value judgment machines.

So everything we do is intended to make patterns, see patterns, and quite often get it wrong, or just, you know, the world is full of nuance for human beings and their brains. So there's some good advice about, you know, sort of how not to fool yourself. And there's a concept, and this is actually in the rationalist community, which I

sometimes frequent online. The concept is steelmanning. You know, like, a straw man argument is kind of like, well, it's too easy of a knockdown. That's not a test at all. Steelmanning is when you imagine all the best arguments for the thing that you hate, or vice versa, you know, all the totally awful, you know, killer arguments against the thing you love, and do the work, do the work to

steelman your implementation against that, and then be transparent about what you found. I could sit here and gripe about AI all day, because I do it all the time, but, you know, it feels like every call center you dial into these days is answered by an AI voice. I'm a person, I can understand complex questions. Hmm, operator, I want to talk to a human. No, no, zero, zero, zero. And it's like, well, I can really help you, just give me your question.

Okay, well, I have questions about my bill. I'm sorry, I didn't understand that. It's like, okay, operator. I'm gonna pull my hair out. Anyway. Yeah, I mean, that is exactly that sort of, like, the vocal uncanny valley. You know, if you have that level of suspicion going in, it doesn't help for them to keep going down that path, and they should just make it easy. Yeah, it's a human. Why?

I also think that it just carries over to the next time you hear one of those systems answer the phone. It's like poor implementation of technology just builds that lack of trust that you have for the technology, I guess, that it can extend, as I think you're saying, it can extend to sort of, you know, all service providers, to all retailers, to everybody, maybe to all employers. I mean, it's a heavy burden, and it's why being modest in our

aims is a good idea when we deploy systems. I don't feel, like, on the ChatGPT front, I've heard a lot of people talk about, like, this could take away our jobs, but I actually think that where AI could flip the script is actually just make us more productive, because I find myself doing routine tasks over and over again throughout my

day. If I had some kind of true virtual assistant that could be automated, that I could just talk to, and I could tell it everything I need done and it could go and do it, I'd get huge value out of that. I would be much more productive. I'd spend my time researching and getting smarter. Yeah, and I did. So a few months ago, I was starting to generate all my weird illustrations in my talks and my presentations using DALL-E 2, and they do get more and more,

I don't know, hallucinogenic. And I was talking to somebody at work who was like, well, this is just an affront, that's not art. And I said, well, the same thing was said about photography in the beginning, just so you know. I actually find a lot of creativity in it, and, like, people have already written novels and illustrated graphic novels with some of these things. And, like, obviously the engine didn't come up with it itself. What comes after no-code? This. This is what comes after no-code.

And that's a new kind of democratization that is uncomfortable for, you know, the high priests of whatever do that thing. It's very fertile for folks who want to be able to do it, because there's a lot of folks who need the results. You know, it's beneficial. Yeah, the example I always hear is, you know, the electric light put people out of business who went around

lighting street lights, you know? But at the end, humanity, I think that the potential of automation with AI, you know, if all you do is repeatable, mundane tasks, yes, I think it's going to force you to get out of that business and do something that actually should be more empowering. This is, I mean, this is kind of creative destruction, right? Yes, it's just automation, right? It's not... Yeah, it's just automation. Well, as we're talking about, right?

I mean, this is a species of automating something, automating and scaling something, and those are very powerful things, and they can be used for ill as well as good. But, and so, you know, speaking of trusting all these things, how do we make these systems that are starting to become so powerful, how do we get to a level of letting them do more rather than locking them down? And it's through explainability, interpretability, openness, transparency.

So before we completely go off the rails, I did want to hit this third area, which was trusted vendors. Again, perfect person to have on here, because as somebody who's the CTO for a company that creates cybersecurity software, you know, what is it that is needed to build trust in your company, and what can destroy that trust? Huh. This is where I'm tempted to

reach for that pyramid I was describing before, again, because protection, transparency and giving customers control, I think, are all really good elements of achieving that trust, you know. Lots and lots of things can go wrong. I think everybody knows, when you're using a software vendor, a SaaS vendor, whatever it is, it's understood that nothing is perfect.

However, to maintain the trust, you need to have unassailable transparency. You mentioned the Consumer Identity Breach Report that I'd come on and talked about at one point. One of the things that we were watching last year, we published, and we're working on the new one, the fifth. This will be our fifth annual

anniversary one. So, you know, stay tuned, but we're watching breach notification delays lengthen even as we see mandates starting to encroach to make you do it. And the best way to be trustworthy is to have what, I think in the open banking world, they call a compete, not comply mindset. How do you become a leader in that openness? How do you become a leader in doing better? And I just think that's the best way. For some reason,

I feel like this is an area that companies just plain struggle with, getting the breach notifications out, the transparency, whatever it may be. I just see the same playbook happen over and over and over again, where, you know, here's one that was handled... Okay, everybody, you know, everybody is going to get breached at some point, right?

How you handle it, I think, is more important at this point, because back in my day, when you got breached, it was game over, your company was done. Now it seems like everybody's getting breached for some reason, and it's not the, you know, the death knell that it used to be. But it just seems like every company sucks at handling breaches, period. Like, they're just not good at it. Did you just say back in my day? Back in my day? Yes, I did.

And you pulled that out of my lawn. Walked uphill in the snow both ways. Yeah, it's true that more companies are getting experience with it, and it's being sort of democratized, in the sense of it's not just the mega corporations, you know, having their billions of records breached. It's smaller players, smaller enterprises, and we showed this actually in our report last year. It is becoming a little bit like, you know, password knowledge, a fact of life.

And I think what would really be killer is a lack of good-faith transparency. And I almost feel like everybody should just put out a dirty laundry report monthly, just to get into the habit. It's making the same mistake twice, and it's making the wrong choice, whatever that might be in configuration, or whatever might be the easiest choice for their customers. So there are some commitments that any company can make there and survive some bad storms.

I feel like one of the areas that creates a vulnerability in this respect is cloud-delivered services, so identity as a service, for example. And I think that's what keeps IAM practitioners up at night, knowing that they put trust in a company, and that they may be running some software, for example, like the SolarWinds incident, right? I'm not trying to pick on SolarWinds, but it's probably one of the biggest breaches of our career, as a supply chain incident that

affected so many organizations. Well, now I'm putting so much trust in identity as a service. They may be running software that gets hacked, they may get hacked themselves. You know, what's the IAM practitioner to do? You know, it's funny, I guess I'll mention the breach report again, just because what we found last year was that supply chain attacks were up two hundred and ninety-seven percent. That's a big deal. And this is where, all right, I guess it's time for drinking. Zero

trust architecture came up with, I mean, it is kind of right here for us on a Friday night, for the listeners, maybe this realism. But it came up with this concept of the SBOM, the software bill of materials, and I really think that's a good idea, because it sort of speaks to this trend towards proper inventorying of everything.

You know, GDPR requires proper inventorying of personal data, and that zero trust thing really is starting to require proper inventorying of, like, all the software that you're using, in whatever guise. So I kind of feel like that is a way to start having that conversation.

Obviously, general supply chain management, vendor management, that's what it sort of comes down to, and it can learn the lessons, actually, of some of the, if you think about the federation assurance level work in NIST that allows for assessment of an IdP, to be of any sort of third party that you're working with, and accreditation of assessors and all the rest of it. So there's so much going on in this space. I feel like we could talk for probably, like, hours.

And I hear a little dangling. Maybe that's Sabrina's collar. Sorry. No, it's fine. I was really hoping this would be the time that we would get, you know, the pet on cam on the Identity at the Center podcast, but it is audio only. I think, speaking of, it is a Friday night, why don't we start to wrap things up so that you can get on with your weekend? I can get on with writing my statements of work, which is super exciting. But before we go, we do like to

end on a lighter note. We're all going to be in the Dallas area, Grapevine, Texas, for Gartner in a few weeks, and that is your neck of the woods. So I'm looking forward to actually being able to give you a fist bump in real life. But for the people who are, you know, congregating down there who aren't from that area, what's a little-known place that people should try to go out of their way to grab a bite to eat or drink or something like that, that we should check out while we're there?

Yeah. Oh, there's a dog you're hearing. Yeah, sorry. So yeah, I'm so excited people are going to be in my neck of the woods, and so I live really close to Grapevine, and of course it's going to be at the Gaylord Texan. So it's kind of, I actually found out that the Gaylord Texan is the largest Gaylord. And for those who've been to Gaylord Rockies for Identiverse, that's the smallest Gaylord, just for the record.

And so what I would love to recommend to everybody is, if you want some good barbecue, and I'm going to say a good barbecue experience, then I do recommend Hard Eight. There's one really not far. They keep the smokers going, like, 24/7, and you walk up and you order by the pound, and it's just a super cool experience. And I also love, there's a town called Carrollton, and it's got some amazing Korean food. It's also not far.

And so if you're going to reach out and experience the general area, that's what I say you gotta do. Okay, well, you had me at 24-hour smoker. This is set it up. Hard Eight, as in the number, ocho, barbecue, so that's definitely going to be on the list for sure. What was the other? Uh-oh. Uh-oh. Yeah, exactly. I'm glad you got the reference. Okay, we're going to go ahead and get things wrapped up.

You know, Eve, you've been generous as always with your time with us. Super appreciate you coming on, especially on a Friday night, and taking time out for us and sharing your wisdom with us and the listeners out there. I'll have links in our show notes so you can connect with her on LinkedIn. There's Sabrina. Oh, what a good little puffer. Sorry, guys. As you know, this is audio only, but we finally got to see some

remix. Yeah, so we'll have show notes. You can connect with Eve on LinkedIn. We'll have a link to ForgeRock. I did find this CTO Lounge on the ForgeRock community website. They actually have a few different articles on AI and stuff like that.

So yeah, do that, and also explainai.org, so that if you're interested in sort of that area, you can kind of see what that's been working on. And of course, links for Jim and myself to connect on LinkedIn. If you are, you know, looking for a very interesting conversation at Gartner, we're going to be on stage, you know, talking with Enrique and Becky. Send us your deepest, darkest, hardest questions for Gartner while there's still time. Send it over to us.

Send it to us via LinkedIn, and we'll try to identify some themes and include that as part of the discussion we'll have there. So we'll go ahead and leave it there for this week. You can find us on the web at identityatthecenter.com. We're also on Twitter at @IDACPodcast. And we'll go ahead and wrap it up there. Thanks everyone for listening, and we'll talk with you all in the next one. You've been listening to Identity at the Center.

We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon, but in the meantime, hit the website at identityatthecenter.com and find us on Twitter at @IDACPodcast. See you next time on Identity at the Center.
