#326 - IAM in 2025 with Martin Kuppinger - podcast episode cover

#326 - IAM in 2025 with Martin Kuppinger

Jan 20, 20251 hr 5 minEp. 326
--:--
--:--
Download Metacast podcast app
Listen to this episode in Metacast mobile app
Don't just listen to podcasts. Learn from them with transcripts, summaries, and chapters for every episode. Skim, search, and bookmark insights. Learn more

Episode description

In this episode of the Identity at the Center podcast, hosts Jeff and Jim welcome Martin Kuppinger, Founder and Principal Analyst at KuppingerCole, for his fifth appearance. The discussion delves into the evolving intersection of AI and identity, emphasizing the critical need for reliable identity verification as technology advances. The conversation also touches on the future of identity systems, including the potential of decentralized identity solutions and the role of AI in enhancing identity management. Martin shares insights on the European identity landscape, promoting reusable identity verification and highlighting emerging trends such as policy-based access and natural language interfaces. The episode wraps up with travel tips for Berlin and a look ahead at the European Identity and Cloud Conference (EIC) 2025.


Chapters

00:00 Introduction to AI and Identity 02:09 Welcome to the Identity at the Center Podcast 02:15 Upcoming Events and Personal Anecdotes 06:18 Guest Introduction and Main Discussion 07:03 Identity Verification Trends and Challenges 10:04 The Future of Identity Verification 23:27 Enterprise Use Cases and Solutions 28:05 AI Agents and the Future of SaaS 28:59 Introduction to Martin the Chatbot 29:23 The Role of AI in Enhancing Search Functionality 31:05 AI's Impact on Various Industries 31:49 Challenges and Limitations of AI 34:10 The Future of AI in Identity Management 40:40 Leadership Compass for Access Governance 45:28 Microsoft's Strategy in Identity and Security 56:19 Travel Tips for Germany 01:03:01 Conclusion and Final Thoughts


Connect with Martin: https://www.linkedin.com/in/martinkuppinger/

The 2025 Identity Fabric and IAM Reference Architecture: https://www.kuppingercole.com/research/an80978/the-2025-identity-fabric-and-iam-reference-architecture

Webinar Recording: Identity Fabric and Reference Architecture 2025: Future-Proofing your IAM

Access may require registration and maybe a KC membership (for the report).

Information about KC Memberships: Membership Packages | KuppingerCole


European Identity and Cloud Conference 2025 - Use code idac25mko for 25% off: https://www.kuppingercole.com/events/eic2025?ref=partneridac


Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com


Keywords

Identity Verification, AI, EIC 2025, Digital Identity, Trust, Decentralized Identity, User Experience, Onboarding, Security, Technology Trends, AI, identity management, access governance, data extraction, future trends, Germany travel tips, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Martin Kuppinger

Transcript

So how do we do ensure that this all is kept under control? I think this entire field, I tend to call it a identity. So the intersection of AI and identity is still a pretty much a wide space on our technology map. We see a lot of start-ups around AI security nowadays, but I think we need start-ups around a identity. It seems to me that technology, the functionality is going to blaze way past security. So it happened with cloud infrastructure, I think, and I think it'll happen again.

I think the fall back will be some sort of leveraging legacy permissions, which we already know are not good enough. I think that's maybe what you're referencing. You have these super users administrate system administrators. Does that mean the System Administrator can start using AI to find out all kinds of information about the company or information they they shouldn't

have access to? Even think about someone having access to the AI. Which all, by the way, brings us back to the initial theme, identity, verified identities. So is it really Martin using the AI? And what is the AI supposed to do in the context of Martin? And if it's not Martin or if someone is is using the AI in different contexts, there might be way more information that is to discuss or even if the AI is is sort of constrained in what it can do in the context of the individual.

I think this is a very interesting field to think about for 2025. This is identity at the center if it has anything to do with IAM. This is the go to podcast now your hosts Jim McDonald and Jeff Steadman. Welcome to the Identity of the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. Doing great. This episode is going to drop on January 20th, which is also the same day as the college football national championship game.

So in honor of that, I wore my Georgia Bulldogs T-shirt. But. Unfortunately, the Georgia Bulldogs will not be playing in that game. But I, I can always dream. There's always next year. You're you're a Chicago fan. You've got to be used to saying that by now. Well, I am a Chicago fan. I don't really follow college football, so I could care less

what's going on there. But I am a Chicago Bears fan and, well, you know, there's always next year has been our our phrase throughout the last 40 years. So. So, yeah, I can advise that. You know, when you stood up there for a second, I thought you were like going to like flash us or you had like, you know, your chest pain or something like, like a super fan. I'm a little disappointed that we didn't get to see that side. Are you trying to drive people to YouTube or what? Yeah, exactly.

Yeah. Hey, anything we can do to go viral, Jim, come on, do it. Do it for the views. Yeah, right. Yeah, we'll we'll talk about identity, we'll talk about AII. Think that'll have to drive our views for now. Yeah, let's focus on the conversation, but I think before we get to that, let's talk about EIC 2025 because you and I are going to be there for the first time in Berlin, Germany. It's May 6th, the 9th. And like I mentioned, Jim and I will be there.

We've got a discount code for everyone who is willing to show their support and partake in that. The code is ID, AC25 MKO and I get you 25% off. Don't worry about remembering that right now. I'll have it in our show notes and you'll be able to find it easily on our website. It's right on our home page. So I'm looking forward to that first time in Berlin.

We're going to ask our guests some questions about that probably towards the end of our conversation around what should I be doing Berlin, first time there, but I'm looking forward to it. What about? You, Jim. Oh, I can't wait. I've never been to Berlin either. I've also never been to Munich, which I think is where EIC was in past years. So maybe in the future if it's moved to Munich, we'll get to go there as well. But I'm excited. I've never been to Berlin.

I've been to Frankfurt. That's about it. So yeah, you know, I love experiencing new cultures and I love German food. There's a German food restaurant near me at home. And, you know, I'm kind of bored. I get the Schnitzel every time. But I do that at at every restaurant. Once I find what I like, I kind of stick to it. Yeah, I'm the same way with chicken and waffles. So maybe we'll see how that works. You're way ahead too. You've already like booked your flight. I have not.

And I'm still my wife and I was trying to figure out how we're going to do all this because she's probably going to join me out there. And then, you know, we're planning on trying to hit other areas. So we I have not even, we have not even figured out what we're going to do yet. And so I know I'm behind where you're at right now, Jim. Yeah, I'm going to be out there the week before flying into Oslo, meeting a bunch of identerati and Oslo the the local identerati.

I haven't figured out exactly what we're going to do after that, but I'm thinking we're going to, I'm leaning toward like an urban vacation, right? So this is like a vacation week, definitely meeting folks from Norway the first couple of days.

And then we weren't sure if we're going to drive through the countryside of Norway, which is absolutely spectacular from what I've seen in YouTube and things like that, or we're going to go to Stockholm and Copenhagen. That's kind of option 2. I guess there's a third wild card option, which I don't know what that is, but if we do Stockholm and Copenhagen, I'd like to try to find local identity in those locations.

So if you're listening and you live near those cities or in those cities, reach out to me on LinkedIn. I'd love to, you know, meet and have a beer. I'm sure you'll have stickers with you too, right? Oh, of course. Yeah, you gotta stock up my bag all. Right, well, why don't we get to our guests? He is the founder and principal analyst with Koopinger. Cole, welcome back to the show for the 5th time, Martin. Really #5 already?

#5 Yep, for joining me look, we always like having you on it seems like we have you on every maybe like 9 to 12 months kind of seems to be kind of the, the thing you've been very gracious along with EIC to invite Jim and I to come out there and we're looking forward to again our first time being there. We have actually a lot that we want to cover today. So I'm not going to ask you about your background on that stuff because you've been on the show five times.

Go back and listen to previous episodes of Martin if if that's what they interest you. But why don't we just jump right into it? Because if there's a lot of topics that people are interested in and seem to be gaining steam in this space, and the first one is identity verification, It seems like the last couple confidence I've been to Gartner Identity Week and last year's Identiverse seem to have much more prevalent prevalence of these types of

identity verification tools. And I think it's starting to pick up at least in the US, especially around things like fraud and being able to after identify who's on the other end, right? Kind of the know your customer type thing, but it seems to be expanding. I'm curious from your perspective as someone who really knows, you know, the IM space at large, where do you see the identity verification market? And how does this look for 2025? Do you think it is still

ascending? Is it sort of reached a peak or are we kind of in a stable platform now? Yeah. So before we come to that, maybe just a few comments on Germantowns. OK. So Berlin, Berlin is great. It's its largest town. It's it's a bit actually, but it has has has something Munich also nicely off the mountains close to it, etcetera. Frankfurt, we we may discuss about it, but I personally believe the place to be a

Stuttgart where I live. I'm just as a little adword for my hometown, really, really nice town, but clearly a lot of nice places. If you ever travel in Germany, let me know. I usually know some quite nice places to go in Germany and Europe. Anyway, identity verification, it is essential because at the end of the day of everything we do in security or most we do in security at least. And when you look at zero trust, for instance, it starts with identity.

It's Martin using a device to authenticate. But is it really Martin? And I think this is the big question behind identity verification. This is really Martin. Can we assure that it is him or someone or something else? So, so identity verification is important that we, we need different levels of assurance for depending on what we are doing. So it's not everything is based on a super, super strong

verification there. There clearly are different levels and we have this in, in the concepts or level of assurance etcetera. So it's, it's nothing fundamental in you. I personally believe that that we're will see a strong uptake. We definitely will see a strong uptake over here in Europe because when the EU digital identity wallets, UDI wallets come out in 2026 or a bit later, then a verified identity will be an essential element within this decentralized identity and wallet concept.

So we will need to do the verification. We also, I think we need to move forward and this is what, what, for instance, decentralized identity will allow to, to be able to reuse identity verification. We need to make it also or simplify it. Especially what I really don't like is, is everything where, where you have a human involved in the verification. So because these things tend to be cumbersome even for me and I would say I'm, I'm a somewhat experienced IT user.

And if, if I feel this is this is really cumbersome and complex, then it's probably not an ideal solution yet. So yes, we, we need to do it. The question I, I would raise is how will will this look like in the future? So, So what do do we do? How we do we reuse it?

Maybe at some point when you look at all the shared signal stuff, maybe even have enough or sufficient signals that we can be assured that it is Martin because it's a device, it's the location, it's the things that are done, etcetera. Maybe we can at some point use signals and maybe even that need to authenticate in a traditional manner anymore. So I think there are a lot of things we can can think about, we can discuss where we are just still at the beginning.

So I think identity verification is a market that will grow because we need it. We need a short identity, but we need to also to to make it very smooth, very simple and reusable. Because, as I've said, the most annoying thing is if you have to go through cumbersome processes again and again and again. Yeah, right. It's an interesting how you started off with the focus on

levels of assurance. My first use case that I ran into regarding identity verification was with the university in the US and actually I don't think that it was University of Texas, right? So all people who are on campus had to show up and present their driver's license or some other government issued ID in order to get a school ID and then in order to get a set of credentials or I'm sorry, to elevate their credentials so they can access certain applications. This was around the 2013

fourteen time frame. So this was quite a while ago, 10 years ago. The all that was not a big deal because it was all very pre COVID and it was a very on premise group of people. However, they did have satellite locations. I believe one was in Israel and the folks there in Israel, they, they still had to go through this identity verification process, but they couldn't fly all the way to Austin, TX to do it. So required like faxing and you know, scanning their IDs and

things like that. So it became such a, a cumbersome process for those folks. Now Fast forward to today, you talked about the process where we do identity verification for, you know, in the United States, we have to do it for submitting our taxes online or to, you know, to access the IRS website. It, it can be very cumbersome. I mean, the process itself is pretty smooth, but if it can't recognize your ID or doesn't recognize a match, then it needs

to go to a human. You might have to wait 45 minutes to get in with a human. It's very cumbersome. So kind of in my book anyway, it's like the the level of assurance we'd like to have identity verification for anything that's more than maybe social media. Yeah. But it's too cumbersome. Yeah, and interesting. You know, when you take your IRS use case, it is something you must do. When you apply for a job, it's something you want to do or for the university, for the higher education.

But if you go to e-commerce, you trust may say, OK, then I go somewhere else. If you go to, if you deal with Tychos, with banks, all these use cases. So if bank account opening is too complex with the one bank, you go to the next one. Maybe these are things where where it's really about the business. In some scenarios it is just that you're obliged to do it. So they they, they, so to speak, a government can afford to keep it complex because people must do it, others can't.

And so we need to make it to simplify it. I think this is this is a very important point, but you bring up also an interesting aspect when I go back to my keynote, I think it was last year's Eici talk about decentralized identity. And one of my samples was a flow that goes from the sort of the initial verification to access to IT systems when you're working for instance, as a

consultant at a, at a customer. So, so you have the verification, your wallet and then you can onboard to an employer because you have a verified identity. In that case, you can do the onboarding to the employer. That employer adds additional verifiable credentials like you're at coping and Co analysts, you're the principal analyst or a principal analyst with that information. Then you may say, OK, I'm in a project at company X and the company X then says, OK, you're employed there.

You're you're really Martin Copinger. They have the data, which saves them, by the way, a ton of money when you you also have been working at consulting at other companies. And sometimes you you spend really hours for just getting a badge. You can automate everything. You can simplify this process and you don't pay advice for a consultant half a day for nothing. That doesn't make sense, but you can we can avoid it. And then then you could say, OK.

And right now, Martin isn't this project and this role. And in an ideal world, the access to whatever the tools, the websites, the information would be granted automatically based on all the attributes, 0 friction by just one identity verification, real massive process, cost savings, higher security, all doable. So we need it and we need to get much better on that. And we we need, I think again,

back to the level of assurance. What, what, what I feel is also around the UDI wallet frequently is, is the challenges that a lot of people, especially in Germany being a bit more paranoid on that side. Maybe on average we're thinking about always the highest level of assurance. We don't need the highest level of assurance for everything.

We need to only for very few use cases, even in government interactions for many of the things we don't need the highest level of assurance we can do today a lot of things where we don't need the the highest level of assurance. And that that is where we should think about what is it really? How can we do this created. But clearly if we have a reusable verifiable identity in place, it's super powerful. What I fear is that we end up with 100 wallets from 100 banks.

Doesn't make sense. It just doesn't make sense. Don't go for individual wallets, go for reusable identities. Yeah, that's where I, I share that same fear because at any given point people are going to trust or not trust any of these wallets. And so what's the point of having multiple wallets, the whole point of one wall and to keep everything if I have to carry around 7:00 or 8:00 or 10 different wallets that totally defeat the purpose.

Now we just created another version of the password. And that's what I'm, that's what I'm most afraid of in this decentralized sort of idea is trust at any given point, and I'll just speak on the US side, half the population doesn't trust the government, doesn't matter who's who's in charge. The other half doesn't like that. So, you know, if government isn't an option, then what is? Is it education? Well, not everybody is an education. Is it healthcare?

Not everyone, at least in the US, has healthcare. Is that finance? Not everyone, you know, may have the same financial, you know, access things like that. So I am concerned about that, about that just like you mentioned, Martin. I honestly I I've heard don't believe that we only will have one wallet. It will be probably more than one wallet. And we also probably should should think about is not really as a wallet because there will be so much in that.

It's way too big for a wallet. It's it's, it's, it's really more than that. It's a drawer or or even a a set of this. But I believe that we will have more than one, partly for the trust reasons. You may use the government one only for the things where you deal with the government, but you don't want to have many. So the number will be, I will personally believe a relatively low number. It's not a lot about us. I could envision that that we will see also very much purpose

built. Well wallets like a travel wallet that not only sort of holds the information but helps you managing all the travel etcetera, which could be interesting business case things like that. I think this is this is probably more likely to happen when we look at this this world of of of wallets. The the other thing is trust. I think what we also should think about is. How can we build trust?

We can't build a trust by having one sort sort of one strong proof, OK, we trust the government or not. And we could also say if we have a lot of college signals again that hint in the same direction, you also can build trust because I think that's not exact mathematics because there are there are overlaps there. So, but at the end of the day, if, if one signal has a 90% probability, it also means it has a 10% probability of failing.

If you have a 2nd signal that also has a 10% probability of failing and these are these are not overlapping, then the probability of failing would be not 10% but 0011 percent. So if you have many signals and combine them and they hit in the right direction, this is clearly a lot of algorithm stuff etcetera and thinking about how do you do it properly but and what is when when some signal hints in the opposite direction. But basically, you can't build a lot of trust on weaker signals

if you have enough of them. I think, what can I think the only thing that can build trust in the current world is openness, Open standards, that you can't go and hide things behind the scene, that there is some kind of agreed upon standard. Maybe there's some independent third party or multiple third parties that verify that this wallet meets the standard. So I wanted to. Again, again, again, the standard is one thing, but then you have a verified identity in the wallet.

The wallet complies to the standard, but do you trust the verification? That's again the point. Who was the verifier? If you're that, that's maybe something, you know, if we if we go through the verification more than once, so we have a reusable identity, but we have three independent verifications in the same wallet, then then you know, someone can pick and say, OK, I don't trust that party. But oh, if this and this also verified it, then it probably is

correct. So that might be the way we we should think about it. That's right. You know if. You're if. You're talking about like age verification or something like that. Whether or not you trust the government, you probably trust the driver's license that says the person's 21 that can buy this bottle of liquor or something like that. So you might not inherently say I trust the government with all my private information.

Yet we, most of us go and get government issued IDs because you can't do anything in the world without it. You touched on the enterprise use case for identity verification. I, I feel that's something that has always resonated with me where I could bring in a new employee. No lives, nowhere close to an office. You know, I know I've joined companies and not gone to offices for the first year or more without going to one of the physical locations.

I've always thought like if you could do the identity verification process for those people especially, but also like to fill in. You know, we have a form in the US called I think it's the I-9 where it's like basically you get into the tax system that hey, you now work here and all that. The data is the same. If you could bring that and just plug it in.

I think that the idea is great, but I don't see many companies saying, all right, that's a big enough of a problem for me to go out and buy a product to solve that issue. Even if I have a lot of employees, say 100,000 employees, I probably don't have a big enough of A use case in one central HR system where you know, that wouldn't be an

integration nightmare. Now, however, if it was a feature of a product that I already own, I might flip the switch and start using that feature, at least for some subset of the use case. So long way of getting to my question, which is identity verification. Is it a standalone product or should it be, or a feature of something else like your identity management system? Service short answer. So you had this long questions or I decided for the? Yeah, yeah, the answer is

fantastic. I almost missed it. You must be a service that can be consumed and integrated. Yeah. So a service that can be consumed and integrated into your onboarding, however that takes place. Correctly. OK. So I don't think that it makes sense to to build take the technology again and again and again. So my colleague Annie currently is working on the leadership composite identity verification and I think her her preliminary list was in this 300 plus vendor

range. 300 plus vendors. OK, wow. OK, so and and all doing it a bit different. So, so selecting the ones and and saying, OK, this is the ones we look at all AT and and this leadership compass is not not an easy thing. Yeah. OK. So this gets speed.

Thank you. So I think what you're basically talking about is like orchestrating some kind of onboarding workflow to tap into a third party service that would then, you know, verify the credential, redirect back, let the company know the person's BeenVerified, etcetera. Unless you do it with decentralized identities, which would be definitely for the future the smartest way to do it. OK, so Speaking of the.

Future that that would be I I believe the smartest, smartest way to do it and you know it. It's like like you have have whatever a batch, a corporate batch etcetera for entering the building etcetera. You also can either add something to a wallet makes more sense or or issue your corporate wallet if you already want to go down that path. But but it's still then you, you do you have ways to do to do that in a in a smart manner and re reuse things.

And then the service would be basically serving sort of the, the ones who are issuing the credentials into the wallets or to the holder correctly. I think it's also something we we need to be very, very precise on the, the the basic decentralized anti model is not a wallet model. It's a issuer to hold or to verifier, but the wallet is trust the technical means to hold verifiable credentials. So we anyway put way too much emphasis on on the wallet and

not on the holder. And that's also why I believe we, we should think always about people having more than one wallet, having the same credential, multiple wallets that are giving them the choice, because this is really the holder focused on the thinking, which makes more sense than the wallet thinking of today. Interesting. So I've been wanting to figuring out how to bring up this topic. So I've been watching a lot of videos lately around AI agents.

The idea is that the AI agents are, you know, like people. They can do things, but they're also like applications. I saw a video with Satya Nadellam, the CEO of Microsoft, talking about AI agents. He says AI agents are going to replace SAS. That's a that's a big statement. By coming from him, I put some trust in that, right? I mean, he's a visionary. It gets me to also think, you know, I'm going to shortcut to, OK, go to a lot of identity conferences. Every product is now AI enabled.

I noticed on your website, All right, I'm sorry, on one of your announcers, Cooper Cole's now AI enabled as well. So in November, you announced Martin the Chat bot. I was wondering if you could tell us about Martin the Chat bot. Yeah, so, so first I have to say it. It wasn't me who announced it and it wasn't me who came up with the name. So. So when I heard about that, they they intend to call it Martin. I said, Oh no, come on.

But yeah, I gave up on this conversation basically, to be honest, our cooking a call website, we we hadn't a good search functionality for many, many years. It was really, really not good. So I myself tended to use Google or Bing to look for content on our website. Right now I only use our search function because it's it's really great. So we had have a new search functionality. We have to chat bot which provides as a relies on ALM model and it uses this retrieval

augmented generation thing. So it it uses the the content we have on the website which is in a lot of places like like YouTube etcetera, which is really a ton of content in different formats to provide the answer.

So this is basically what what we did and I think it simplifies really the access to our information, which is also very important because you're pushing out this membership and then or pushing the membership model more these days, enabling people to get access to all of our research in a very flexible manner. So, so I think if you, if you clearly, if you have this membership, then you also should enable people to find what they need to get the answers they

need. And talking to this virtual Martin Chile is one element in that. While the membership also offers a lot of other benefits, like the ability to talk to the real market and even things like that, which may even be more interesting. But I think it, it makes very clear where I see AI it it's in that sense of augmenting intelligence, it helps people to

do things better. Like the like it doesn't in most areas where we use AI and and assistance system and a vehicle, which is usually in some way AI powered, basically augments the driver, helps doing the job of a driver in this case, safety, for instance, better. So yes, that's there. To your point around will AI replace SAS? I think it's, it's, it's a bit of an oversimplification.

Sorry, Sacha, because there are elements which you clearly can do better and different when it comes to looking up data, when it comes to to accessing information etcetera, searching for information, combining information out of different sources, there's a clear advantage. But there are a lot of things which are really form based processes like invoicing, stuff like that, which are commonly run a SAS, which probably will not be easily replaced.

But you don't have that kind of innovation that, you know, a lot of things we do with IT, service management, for instance, basically, at least we'll run through a very different interface and I'll see, see some interesting start-ups these days, for instance, in the identity management space, which come up with, in fact, AI layers that allow you to, to get all what you need, like the report, the data, the stuff out of your world with a simple natural language query.

So these are things. And we, we are also covering some of these vendors in our new format, the rising star format, where we look at, at vendors that are very innovative, young, relatively small, but, but growing and, and have a very strong product market fit. And this is where we already covered one or two of these because I think this is another area where, where I see a huge potential for that.

So I I think it will not replace everything, but it will clearly have a huge impact, especially when it comes to getting data out of all these sources we have. Yeah, I kind of feel like if Martin and I came up, here's one thing you have to do. If you're an identity, you have to come up with the right acronym. So I came up with an acronym for you. I'm not saying it's the final one, I just thought of it. MARTN stands for Machine and AI Research Trained Neuro Network

and was a tough one, right? Neuro Network was the IT buzz term for a while and never became anything right so. Maybe you, you, you. You just say nerd. There you go, trained nerd because like a person.

But here's here's my thought. So you take you're, you're taking Cooper Cole's complete body of research or whatever you have in terms of research, and then you let the AI loose on it in terms of learning it. Now, one thing, I don't know if you heard the study that that happened recently where they said they, they took sick patients and they had a doctor analyze them to come up with, you know, here's what illness you have and here's the treatment plan.

They had an AI do it and they had a doctor with an AI. And that was the order that they or I'm sorry, the order that finishes the most accurate was AI was the most accurate. The doctor by himself or herself was the second most accurate. The third most accurate was the doctor with the AI. So potentially the doctor over ruling the AI and inserting the wrong answer and it got. Or or or or or not really trusting the AI and things like that.

I think for AI we need a very proper quality assurance. So we need to to look at the results. I've heard the belief that humans add a value to AII think there are things where AI is excellent, There are things where AI is horrible. So for instance, when when I use the the bottom on the KG website, then then the links are

correct. When, when I ask ChatGPT to generate a list of links to some research of co.com, then there's a bit of a tendency of ChatGPT to hallucinate and coming up with links where I would say, hey, these are great research topics. We should do that. But all of them lead to an four O 4 message not found. So I think I think I, I, I would be careful with with studies which say that the AI is always the best. I think a well trained AI in, in medicine definitely provides a,

a huge value. And, and so I think there, there are really use cases where, where, where it's super, super powerful to, to just bring up an anecdote and that everyone may like that anecdote or the theme of the anecdote. But I, I am, I'm in an age where you have to do a colonoscopy. I think it's the term every couple of years. Some of you may have undergone that already. And, and I did this, this time being awake.

So there was this huge monitor, there was the doctor that was me and I could visit it and I could then see situations where the AI hinted on something. So there was nothing severe or anything by that, but the AI hinted on something which the doctor didn't spot. And so AI done right in medicine

is, is super powerful thing. And I found it by the way, I found it super, super interesting to do to do this awake because it, it's really, really interesting, I believe, but not everything likes the the, the sort of doing colonoscopy being awake anyway, I think that there there's a huge value, but we also know, I think everyone of us using AI knows that sometimes results are better, sometimes they are

worse. So, but I, I, I think if, if we, we, we should learn to, to make the right use of it. I think this is the, this is the point if, if a good doctor will understand where it delivers value and where he or she still is needed with, with the other knowledge. And the other thing is creating something new. Thinking beyond this is or is not really the domain of something that relies on existing data. So it's refactoring, combining, lesser than inventing.

It can't help in inventing, it cannot help in creating things. But it I think they're still plated for for humans. Yeah, I I kind of feel like AI, if you give it enough information, it can learn the information and kind of have rate values and rate answers better than a human can, just like a calculator can perform better than any human when it comes to doing mathematical equations.

I also think so I, I thought about the Martin the chat bot and number one, it's available 24 hours a day, right? So your clients can get in there and they can answer questions 24 hours a day. But I was interested to see whether you would say that the chat bot could replace the analysts in those terms in terms of answering questions for your customers or if you thought because I I think when it comes.

To I think. It's research level, yes, I think that is what where it's really about deep interaction workshop really where it's about generating new ideas very, very rapidly. Like I do for instance, when we do, we do when we run advisory workshops etcetera. Then it's, then it's really that I think it's, it's a, it's for a lot of standard questions, wonderful and even complex

standard questions. But really there's a point where where the human interaction, the conversation, the, the, the thinking also adds to the So I, I don't see that I, I will be replaced. I, I think it's great not to that there's something which does a lot of work, but there's also an area where I believe it's relatively difficult to replace a smart analyst. Hopefully I'm smart and and so, so, so I think that's at the end. As of that, I think it's about using it the right way.

Yeah. So I wanted to switch topics a little bit because around the same time, November time frame, you guys released the Leadership Compass for Access Governance. You released Leadership Compasses throughout the year, but specifically Access Governance, which is more or less like what some folks call identity governance, but, you know, doing recertification of access that's already been provisioned. This is a market that has been

in existence for a long time. Is there anything exciting here? You know, I think the the perspective on what, what someone perceives as exciting, they are, they're very different. So clearly probably exciting is a big term here. So it's basically what we did. We released on leadership commerce, on IGA identity governance and administration. Then we released another one on IHED identity and access governance, which is basically a

subset of the broader IGA field. And we just did a separate one because we still see in the market demand by a lot of organizations for, for specialized IHE solution. Basically we we see even the demand for two types of IG.

So uses the general purpose IG so to speak that are more on the IGA side of things serving sort of every type of application to a certain level, providing role management, recertification also usually some level of access request and approval, stuff like that, auditing, analytics, blah, blah, blah. And then we have the the other specialized form which really focuses on the the ERP, the line of business applications.

So the stuff which is frequently called Application Access risk management or whatever the ARMARA A/C application access control application. Talking like SAPGRC. Something like SAP Access Control which is commonly referred to as SAPGRC, but isn't named SAPGRC.

But yes, totally correct. So, so this is, this is really funny in some, some way because this product, the name changed many years ago, but I, I would say it's still the, the vast majority calls it SAPGRC and that SAP access control.

And then by the way, SAP has another second product in this domain as well as the cloud IAG cloud identity access governance, which is the sort of the the, the, the the pure product to SAP access controller TRC covering it different systems at a bit in a bit of a different form. So for free coverage, you would probably need pose. So we have we have this need for specialised solutions still.

And that is the reason why we did the leadership combust that for instance, companies that have an A legacy or let's say long established to avoid this actually term legacy. A mature identity provisioning solution blaze for for many years a day may may see the need for quickly adding some more access governance capabilities, for instance for regulatory compliance for that type of organizations that there's a need for specialized IH solutions.

Yeah, I, I've seen a lot of the new vendors in the space focus on I AG or access governance, identity governance as a kind of stepping stone toward becoming a full-fledged IGA solution. I think that's what we're going at. But they tend to have some kind of specialized focus on governance. So it's the use of AI or the ability to drill down and say who has access to what data elements. It is something different than just, you know, roles, entitlements there.

The other end of the spectrum is large identity vendors or large vendors that have an identity product that are saying, oh, that's a gap in our solution. Now we need to do IGA and, and from what I've seen, mostly they provide governance over what's in their data store, what's in their directory. So I think of Okta, I think of Microsoft. I'm actually wondering what your your view is on how much progress Microsoft has made in this area.

You know, to the extent that you know, where are they heading and how far are they into that journey. Yeah. So I think we we must not underestimate Microsoft's never a good idea. I think history tells that Microsoft is sort of is enduring also in what they are doing. So they they have have a long term stretch in identity and security is a very important field of business nowadays for Microsoft.

When you look at the entry suite of products, the PureView products, etcetera, it's, it's really I think about 40 plus products they have in the identity and security space that also contribute quite significantly to Microsoft revenue. And Microsoft has a ton of developers working on these products. So they're working on that. I think we, we, we should be just clear that Microsoft As for as some of the other large vendors don't have the strategy of deep integration with a lot

of proprietary other solutions. So they they usually rely on standards or partners, external parties doing the deep integration with some exceptions, which I think is fair. And I think which leads also to to solutions that might be very, very capable for certain types of organizations, certain types of sizes or organizations, certain types of complexity, but also leaves room for others for specialists that provide more capabilities, more depths,

etcetera. So when when I look at most of the the end user organizations, I talked with them, many of these have Microsoft or Google or someone else in in place from the very large sort of IT vendor software vendors, but usually complement this in certain defined areas with other solutions, especially when when these are larger organizations than this is very common. I think this this also fits very

well. So we were just yesterday, so given the time of the recording, so just mid January, we we released our newest version of our identity fabric and of our AM reference architecture. And I think these are paradigms and approaches that clearly show how that you usually will have more than one component and that orchestration that integrates a

key element. So also for our upcoming leadership composite identity fabrics, which will be published around EIC, I'm currently working on that identity orchestration gets a much higher value because at the end of the day, even while you when, when you say some say this is whatever my preferred vendor, you usually will have other components from the past or to fill gaps. And then orchestration is a very essential capability to bring all these bits and pieces together.

Also sometimes to have fall back solution. So So what happens if your your primary IDP goes down for a while? Or if you need to move away from your primary IDP? You have your fall back that at least helps your your critical applications running. Yeah. I mean, that's the basic pillar of business continuity, right? Is that question everything? So you mentioned there that you have a piece coming out. If you provide us a link, we can put it in the show notes.

Mark, you've been super generous with your time. I did have one other question which I was going to ask broadly, but I'm going to narrow it down. And so we're sitting here January 20th, look ahead to 2025. But I'm only going to ask you to pick out like one thing to really focus on what is one of the the hallmarks of 2025, that in 2026, we're going to say 2025 was the year of you fill in the blank. OK. What is the hottest theme? I think very visible non human identity management, a lot of

stuff going on there. So you could argue that also came up in 2024 already. I will think we'll see more more around policy based access. We'll see. This is maybe the 2026 decent resident when all the wallets, the EU, the initial identity wallets come out. So a couple of scenes there. So is that there anything totally entirely new? I, I think what we, what we see maybe from the things we don't have on the radar that much yet, that is something we already touched.

I think we will see a ton of innovation when it comes to natural language interfaces for existing types of applications. Also an identity management and cybersecurity etcetera. Where we have these are separate solutions or layers on top that allow us to to, to simplify a lot of tasks by just saying, oh, I need access to that. And that's searching for which roles and entitlements do I need. This is my task. I want to do the task, give me

the access. And then the system asks the manager, oh, is this already something Martin should be allowed to do? Oh, only until only for the next three months. He's just a temporary replacement done that. That will be, I think probably of the things we, we don't have to measure.

The radar will be one of the, the areas that will be big in 2025 beyond the, the stuff we, we, we commonly have on our radar already, which also, by the way, will raise some interesting questions like least privilege for AI or for Atlantic AI. So and and that will be something which is, which is very interesting because it depends on in which context is the ancient working for which purpose. There are a lot of elements which will make this way more dynamic, I would say.

So what is the least privilege needed to answer a question in a rightful manner for Martin? I think no one's thought about this before, at least as I I didn't, but I think this will be a a really interesting area for Iami. Didn't think about it in terms of least privilege for AI, but I've been really focused on, OK, well, how do you secure the AI? So you're the CEO, somebody else's an analyst in your company, Do they have access to the same data today?

No. With AI or how will AI determine what data Martin can access or or if your employees? Yeah, that's that's the one thing. And the the other thing is how do we ensure, you know, if we haven't, if you have a chanting AI that is work that is used by a lot of people, how do we ensure that we don't have super users there which are way too powerful. So how do we do ensure that this all is kept under control? I think this entire field, I tend to call it a identity.

So the intersection of AI and identity is still a pretty much a wide space on our technology map. We see a lot of start-ups around AI security nowadays, but I think we need start-ups around a identity. It seems to me that the technology, the functionality is going to blaze way past security. So it happened with cloud infrastructure I think, and I think it'll happen again. I think the fall back will be some sort of leveraging legacy permissions, which we already

know are not good enough. I think that's maybe what you're referencing. You have these super users administrate system administrators. Does that mean the System Administrator can start using AI to find out all kinds of information about the company or information they they shouldn't have access to? Even think about someone having access to the AI. Which all, by the way, brings us back to the initial theme, identity verified identities. So is it really Martin using the

AI? And what is the AI supposed to do in the context of Martin? And if it's not Martin or if someone is is using the AI in different contexts, there might be way more information that is to discuss or even if the AI is is sort of constrained in what it can do in the context of individual. I think this is a very interesting field to think about for 2025.

Yeah, I was thinking the exact same thing of we started off the conversation with identity verification and now we're ending it essentially with identity verification. And we talked about AI in the middle and a bunch of other stuff. And I was thinking the exact same thing as, yeah, this, this, this contextual awareness, this identity awareness of who is making the request.

Or maybe you know what is making the request because it could be a non human identity querying another non human identity. What are the rules for the different data sets that each can have access to and the types of queries it can makes and it work. We're back to identity verification is OK. Well, how do we make sure whoever's on the other side of the phone, the API, the text, whatever it is, is authenticated to do that transaction and the type of transaction you're trying to do?

I was thinking the exact same thing, Martin, when we were talking. Why don't we go ahead and wrap up? Martin, you have a gesture time, but I do want to pick your brain for just a couple minutes. You started off mentioning Stuttgart. It is my first time to Germany other than the Frankfurt Airport on a way over to Chennai, India. So I'm not going to count that because I never left the airport.

But if I'm going to Germany for the first time and I know I'm going to be in Berlin for a week, what is something that I have to do as a first timer in Berlin? And then from there, would you recommend I go South to like Munich or Stuttgart, you know, kind of go southwest or go north and sort of Oslo and Copenhagen or go West to like, you know, Brussels or Amsterdam or think something like that? Like what would be your recommendation?

Yeah. So, so it depends a bit of whether you want to stay within in Germany or whether you want to do Europe in three days or something like that. I, I, I think that that, that is a, that is a big question. So I, I, I think all, many of the places you've mentioned take Paris way more to the South, Rome and all the other wonderful Italian towns, etcetera. They, they, they, they deserve more time. So, so I, I, I wouldn't try to

squeeze in too much of that. I think when, when you're in Berlin and you say, OK, I stay within Germany. So I, I just, and then I think the first question was, so it's for trim. It's very clear trim needs to go South in Germany because trim is into good German food and the food on average is becomes better on average when you go Southwest and Germany. So probably I'll get some comments on that by people who live in other regions. But but basically I would say that that is the direction

Southwest in tendency. You have a lot of good restaurants in other areas as well. But so that's the standard and generic food. So if you go to the local, the traditional local food, then I would say the Swabian food. So this area around that is probably best one. That's where I live, by the way. So if, if you're, if you're into landscape, then there are, there are plenty of nice places, but I think it's probably more that you say, OK, which towns are, are really beautiful to visit.

The, the actually the, the typical touristic traditional towns, Heidelberg, Rotenberg, etcetera. If you like that, if you're up to that. As I said, I'm, I'm a fan of Stuttgart. It's full of hidden secrets, which makes it a bit more, more difficult for visitors. So there are some, some wonderful things, Mercedes museum, perfect museum, which are very visible. There's for instance, the the 1st TV tower in that has been built out of concrete.

So it's the frost worldwide in Stuttgart, it's not the tallest anymore, but it's the 1st and it ever will be the first. So things like that when you other towns, Hamburg is great. I, I learned to laugh during the pandemic when we were not weren't allowed to travel abroad. I learned to laugh some areas of the Baltic Sea, but that's probably more for when you want to do a bit of a longer vacation at the coast. There's this region which is called fishland ducks things very complicated.

Basically it has has been three islands which converged over time due to floods, etcetera, which is a wonderful area. So, so really a lot of things to be Munich, yes, no doubt. Can be very interesting. So I think a lot of lot of interesting places and it really depends a bit on what what your preferences are, how much time you have, what you want to see and to you and and also the the ones listening to the podcast. If you want travel tips to Germany, which are biased, sure.

I I admit that I'm biased and my bias goes a bit towards the card and some other towns, then I feel free to reach out to me. And that's a fact. If you go picture my, one of my absolute favorite towns is Paris. Martin Will EIC be back in Munich in the future? I have no clue. So I'm, I'm, I'm not in the organization team of the EIC anyway.

So I don't know whether we will go back to Munich, really no clue about it. OK, Jeff, I guess my, my input, I've been to Germany a couple of times that I've been to Frankfurt. But one thing that stood out to me that I know I'm going to do is go to, I think I'm getting the term right, like a beer hall, you know, with the the raised tables and they bring out these big glasses of beer and it's a very German experience. There are beer halls in the US and some of them were very much like that.

But I figure like if you get the real experience in Germany and then you go back to the US, you can compare and contrast. I, I, I, I have to admit, I think the last time I have been in a beer hall probably is about 15 to 18 years ago and the second last probably more than three decades or so. So I, I, I think they, they, they are, they are, you find them especially in the, some of the Bavarian areas where if the weather is good, always would prefer a beer garden or the beer

hall. So when you're can go outside that, that's really cool. But they are they are probably a bit more Bavarian overall. You're giving me a lot to think about here. And you, you may more Americans there than Germans. That's. What I was wondering if it's more like a a tourist thing than a local thing. I think it started as a local thing, This phrase it has. Been taken over, but gotcha. OK, All right, why don't we go ahead and leave it for this week? But what we don't like.

Anyone else in trouble here? Martin, you're always suggesting your time and really do appreciate you joining us. And again, thank you for the invite out to Berlin. We're looking forward to seeing in a couple months and finally give you a fist thump of gratitude for being on the show so many times and sharing your knowledge.

It'll be an interesting year. I, you know, with between AI identity verification and everything in between and I'm, I'm, I'm continually excited by all the innovations that are still happening in the identity space. I think there's this idea. It's like, oh, well, we've been doing identity for so long. Like, you know, where does it go to next? There's always something new to learn, something's going to change, etcetera. So it keeps it fresh, which is, which is always what I enjoy

about this industry. So thank you so much for sharing your thoughts with us. Thank you for inviting me and looking forward to finally meet you in person in Berlin. Oh, we, we will hope, hope to not disappoint, right, Jim? Let's go ahead and wrap it there. Thank you so much everyone for watching and, or listening. We'll have links in our show notes for discount code for EIC as well as connecting with Martin on LinkedIn.

You can share your thoughts about the, the, the, the current state of beer halls or beer gardens or anything else I'm sure that that Martin has talked about today. And you can find us on the web, idacpodcast.com. And yeah, so thanks for watching and or listening and we'll talk with you all in the next one. Thank you. Bye. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon.

But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.

Transcript source: Provided by creator in RSS feed: download file
For the best experience, listen in Metacast app for iOS or Android