¶ The Hassles of Multi-Factor Authentication
And then you've got to scan a QR code and then you've got to type that code in. And then you've got to type the next code in. And it's just, it's a really terrible user experience. It's, it's secure more than an SMS. But when you start putting hoops in front of people and it makes it difficult to register, it's, it's the old abandoned shopping cart scenario, like, OK, this, forget this, this is taking too long. I'm going to either not do MFA or I'm going to default to a
less secure model. Yeah. Well, OK. I mean, you're right, you're right. I know I'm going to isolate that and that's going to become, you know. Yeah, you're going to have a short out there where I was just like you say something, I'm just like, you're right, you're right. This is Identity at the Center. If it has anything to do with IAM, this is the go-to podcast. Now, your hosts, Jim McDonald and Jeff Stedman.
¶ Welcome to the Identity at the Center Podcast
Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Happy Monday morning. Hey, how are you? It's, it is Monday morning. I know and I'm on my second cup, so I'm starting to get my act together a little bit. But you know, I spent the
¶ The Value of IAM Maturity Assessments
weekend kind of working on an assessment project for one of our clients, like assessing the maturity of the IAM program. And I kind of thought back like, where do you, where is the value? What is the value of what I'm
doing? Where's the client going to benefit from this information looking at things and say, all right, this is a maturity on like a maturity scale of like 0 to 5 is kind of the common, the common consulting maturity, CMMI, if you will, what it, where do you see the value in doing an exercise like that? Well, I think it's helpful to take a step back at certain points and say, OK, how are things going? What are we doing, what are we
missing? We get buried a lot in operations mode and just kind of day-to-day. And so I think there's value of periodically, maybe it's once a year, maybe it's every other year, maybe it's more frequent, kind of depends on the maturity I guess where you're at. And I know how quickly the the environment is changing, but yeah, I mean, take a step back and say, hey, how are things going? This is kind of like a it's kind of like a recap episode of your favorite show, right?
OK, what do we miss? Are we on the same page? And then let's set the, set the, set the new frame to go forward. Yeah, yeah. And I, I feel like I've been doing these for, you know, 12, 13 years of doing identity consulting. And I think everybody wants to start off with this assessment, but I start questioning myself sometimes like, OK, why is what I'm doing important? What is the value that's going to come out of this? And I came up with really three things that the exercise really
helps with. And the first one is just kind of the the point in time to say, this is where we were on such and such a date. We had somebody come in, do a maturity assessment around like how well do we govern our program? How do we do, how are we doing with identity life cycle, how are we doing with authentication so that you can then snap that line again three years, five years down the road to see how much progress you've made.
¶ Evolving Standards in Authentication
The one thing I will say to keep in mind is that, you know, you snapped that line today, 3-5 years down the road thing that the line in terms of what is like a level 2 maturity is going to change. So looking back at some decks from you know, a decade ago and looking at some of the assessment around authentication, there's a lot of stuff around you should really need to use multi factor authentication. You should not. That's a whole strategy you should all.
Strategy. Well, you know what the time is like, people were like, you know, do we really need that? And I think you know, there's no mention of passwordless, no mention of passkeys, things like that, or. Quantum or AI or any of the buzzwords this you know that we're seeing now. Yeah, no distributed identity, nothing. So I, what I'm saying is that the, the line, you know what it takes to be like at any given level of maturity, that line moves over time.
You know, just having MFA everywhere, there's no longer like, Oh yeah, you got your, all of your ducks in a row. I'm not knocking MFA or saying you shouldn't have MFA everywhere. What I'm saying is like it, it's not what it was 10 years ago. Well, even the methodologies have changed, right? It's like SMS used to be the gold standard, now it's the. People make fun of it. Almost. Yeah, well, it's easy to exploit, but again, you know, we're dealing with a curve of
progress. As things go up, things become more, more or less secure depending on what's going on. The world. Turns out SMS is totally unencrypted and there's plenty of back doors. And if I don't know if you've ever read about SMS behind the scenes, it's like basically like an unencrypted channel that everybody has access to if if you're like a telco operator.
Oh yeah. I mean, that's why they they tell you now if you're doing cross-platform texting that you should just assume it can be read. Exactly. So, OK, so the second thing that I came up with is that it gives you an idea of prioritization. So if you say this is your current maturity, this is your target maturity and you'll cross the landscape of all your different areas of IAM capabilities, you start to highlight like, oh, we need to be at level 4 maturity.
That's where we're going to have our our program where it's like coming along. And right now we're at a level 1 maturity. So that that becomes maybe it just helps highlight the area focus, if it wasn't clear to you already, or maybe it starts to just, you know, kind of support what you already suspected. So that's the second thing is
prioritization. And then I think the third thing is going through the exercise, documenting how things are in the current state just provides justification for why you need to make investments. So it's kind of the detail behind the assessment. So it's the exercise spits out
all these things. You know, I, I think the way you kind of the, the way I've always approached getting to an assessment is like doing workshops, meeting with people who are the stakeholders, people who are doing the IAM program on a day in and day out basis. Plus the people who, you know, manage or oversee information security, human resources, all the areas that plug into the identity program and getting
their opinions. Pulling all that together really kind of shows you where you ranked today in terms of, you know, when you match up. Here's how we do I, here's what we expected. If I, you can kind of start to put together where you rank from a maturity perspective. Yeah, you get all those inputs from different areas, and it's a good opportunity also to celebrate wins and victories,
too. It's like, hey, look how far we've come based on where we were, you know, a year ago or six months ago or whatever it may be. Or even if you're regressing, right, if your program really hasn't moved at all in three years, you can show that, hey, the, the industry continues to move, the hackers, the bad guys continue to move. You know, things like zero trust, even though maybe they existed, not many people were doing it before. Now everybody's doing it.
There's a reason behind that. We're falling behind just by not doing anything, just by not investing. Yeah, That might be a tough discussion to have is if you're in charge of an IAM program and to report back and say, well, we're not better at having nothing's moving, why are we doing this? So you've got to be careful on
that messaging. I've seen a lot of times where you're dealing with some maybe a new IAM program manager and they've inherited this beast and they actually want lower scores because they want to reflect reality that, you know, this has been under invested, under invested isn't going to work here any longer. And now we need a strategy to go from under invested very immature to a future state. That's a lot different. I get your point though.
I mean, you know, you know, who wants to get a report card of all Cs and Ds and maybe some Fs if you're the one responsible for pulling it together? Yeah. So hopefully, hopefully it's going better. But there is value obviously in sharing that message because I think a lot of people run into organizational change being very difficult to actually move forward with things.
And, you know, I think you and I both find as we, you know, talk with, you know, our clients and stuff like that is most people know what they want to do, what they should be doing, but they're encountering the roadblocks above or to the side of them as preventing progress. Could be budget, could be resourcing, could be timing, you know, whatever it may be. I think sometimes the value of an assessment is it gives you a little bit of a CYA to say, OK, we told you where we're at now.
Something happens and it has to do with this thing that we've assessed. You can't just say you didn't know about it. Every organization is making a conscious decision on the risk they're going to accept. And sometimes that acceptance of risk to their security is by not doing anything. They're not funding it, they're not resourcing it, they're not treating as a priority. So hey, you know the IAM program told the right people and the decision was still made not to do anything about it.
OK. That's a risk decision. I've always thought exactly the way you just laid out there, you know, it is a little bit of CYA, but it's not just CYA. It's you know, you're doing your job because you don't get to make the decision of we're going to spend $1,000,000 or we're not
going to spend $1,000,000. I think you make the case, you showed that here are the risks doing something about these risks in terms of mitigating them as a cost associated either make the investment or you don't make the investment. You live with the risk and accept it where you spend the money. But you don't get to do both. You don't get to not spend the money and have the risk go away. Now that would be magic if that if that were to to take place.
So a lot of people working weekends, maybe I don't. Yeah, well, I mean, IAM is a 24/7 job. You know, it'd be nice if the threats and the risks would schedule themselves like any other calendar appointment, but. Well, they do seem to schedule themselves. They happen on Friday night and they happen before long holiday weekends. Yeah, because they know people are going to be out of the office and sure, it's a smart time to make an attack or, or whatever. Maybe. So take advantage of that.
Exactly. All right, Speaking of CYA, I'm
¶ Upcoming Conferences and Events
going to give you a couple seconds here while I read off our discount codes for the upcoming conferences. You can take a sip of your coffee. So this is the last week that you're going to be in the US. You're heading off to Berlin for the KuppingerCole conference coming up. So for those who are so inclined, May 6th to the 9th, Jim and I will both be at the European Identity and Cloud Conference put on by
KuppingerCole. If you use the code ID AC25, MKO, better use that code quickly because conference is only a couple weeks away at this point. So you want to use that, get 25% off and hope to see a lot of friendly faces there. I think we both got some identity or plans while we're in the area. And Jim, ahead of time, you're going to Norway, so I think you're going to do one there. I think there's a river cruise that we're both signed up for while we're there.
So a lot of fun activities and I'm looking forward to seeing a lot of friendly faces. So we got that and then just a few weeks later, we've got Identiverse in Las Vegas. So that's June 3rd to the 6th. And if you use the code IDV 25-I D AC25, that'll get you 25% off. We'll have both of those codes in our show notes as well as on the homepage at idcpodcast.com so people can check that out. Jim, you and I are getting very close to getting Identiverse kind of finalized.
I, I'm going to go ahead and just put out there, we are going to kick off the Expo hall opening night. I think Tuesday night, whatever that is, sort of first on deck in the Expo hall. We're going to be reprising the Family Feud style game show that we did at Syndicate last year. I think right now we still have a working title of Identimatch for legal purposes and for trademark purposes. So we're working on putting that together.
But we got about a half hour that we'll do another kind of game show. You're going to be a team captain, I'm not sure who the other team captain is going to be yet, but hopefully you're working with that person and also figuring out who your teammates are going to be as part of that. And then we'll have, you know, judges and, and things like that to kind of help us out. But looking forward to bringing that to Identiverse for the first time. I'll be team captain, You'll be
Steve Harvey, right? I will be Steve Harvey stand-in, shorter, less mustache version of Steve Harvey. I'd probably you're going to tone it down a little bit in terms of the clothing, right? Yeah, I don't have any like long yellow sport coat, you know, suit jacket type things. So you'll probably see me in my, in my, you know, blue sport coat with a T-shirt. Yeah, well, we're joking around the other day. I think it was Steve Harvey that, you know, messed up during the Miss Universe pageant and
said the wrong person won. I mean, that's like the ultimate, like I, I, you hate for it to happen that somebody who somebody gets defined by one mistake that they made. But I don't know, Steve, Charlie outlived that. Maybe it's just stuck in my head. Well, he's got so much other stuff that he does, I don't think. I mean, that's just a blip of all the things he's done. So I if I'm Steve, I'm not too worried about that. It's like, yeah, whatever it happens. Yeah, right.
So that's going to be exciting. We got some podcast episodes and I think there's a bunch of stuff going on in the ID Pro Slack channel. So definitely want to check out ID pro.org and coordinate with those folks. I think some people are going to the John Wick experience at Area 15 earlier in the week. I'm actually going to go later in the week with my brother and check that out. But lots of stuff going on, so hopefully we see lots of
friendly faces out there. Yeah, I feel like we're going to be pretty busy there. You and I are both facilitating panels. We're doing that Identisquabble. I like that name too. Yeah, it's kind of cool, right? I, I remember just doing like a synonym for feud and squabble and match both came up.
So yeah. So we'll be doing those two things and then we're going to record a few podcasts and I think we're going to try to do like just men on the street and capture some video to have some things to throw on our YouTube channel. But overall, I mean, we're going to be couple of working dudes. Typical conference for us, man. Yeah, well, I hope people will stop by and just, you know, say hi, maybe do like men on the street. We're not going to make it into anything commercial.
So they kind of like push your companies and you know business that's probably not kosher for the channel. So we'll, we'll leave it at that for now. That's what sponsor spotlights are for. So donate early, donate often. That's how we get off to these conferences. That's right. That's right. And we will have a spot on the show floor somewhere I believe will be sort of like on the entrance off to the side of where the Expo hall is.
Not quite exactly sure yet, but the CRA team has been a lot of fun to work with and especially Shirley, she's kind of. Been. Shirley Yep. So OK, so that is all the meandering and babble upfront. Why don't we get to our main thing today, which is mailbag? So we've been getting a lot more
¶ Listener Mailbag: IAM Questions Answered
emails, LinkedIn messages, carrier pigeons, SMS texts with, with questions and things like that. So we've got a handful for today and this one is going to be 100% listener-based from all around the world, including our lighter note at the end. So people want to stick around for that. So I think, Jim, the way that we'll handle this is I'll read the question, you tell me your thoughts on it and then I'll chime in if I have anything to add and we'll just kind of go through that.
Does that work? Sure. And by the way, I did cheat and I looked at the questions. OK, well, that's fine. Like we want to be. Able to have like 15 minutes of mental preparation. OK, so let's start with Robbie from India. Are passwords ever really going away or are we just stuck with them forever? Kind of a, this is, I feel like this is a very Jim question. Like this is a very downer. Let's, let's open things up with a downer. Let's see if we can rescue Robbie from the doldrums.
Are passwords ever really going to go away? So I think at some point, yeah, the, you know, you stop typing into a keyboard. So, you know, speaking of password, how's that any different than doing like a Face ID or thumbprint? But one thing I found to be true in IT is that things that are old keep coming back. You know, things that were done in the mainframe era, like come back and everybody thinks it's just new.
So I can see some people in a board room 30 years from now, maybe on a Zoom call say, hey, I've got an idea. Why don't we just come up with something that people, it's like a secret that somebody has in their head and then to get into our app or whatever they're calling in those days, you just give the this thing, we'll call it a password. Yeah, So I can see it coming back. But so maybe we'll never get rid of them.
But I think the instantiation of passwords that we see today, they're only going to go away because interfaces change, because, you know, it just becomes easier to build an application, build a system, and to use some other form of authentication other than a password. I don't think teams are going to build systems that don't use passwords because they understand the security benefits of not using passwords. Yeah, I think, I don't think
passwords ever really go away. I think they get obfuscated and hidden behind the scenes and it will be some sort of password or password like mechanism, whether it's certificates or other types of you know, keys that might might be behind the scenes. So I think the the interaction with them will definitely change, but I don't know if it actually goes away. And like you said, I mean legacy systems are going to be out
there. They use passwords and retrofitting a mainframe, it's maybe not feasible and maybe doesn't make sense. So I hate to say it, they're probably around for a while, but I think the usability of them will definitely increase, especially as we, you know, come together on standards and things like that.
And it might not, it might not look and feel like a password, which is OK as long as it's secure and there is a, a process, you know, that that goes along with that to make sure that is secure and usable and all that good stuff. Do you think that passwords are the password situation today is that they're more usable or less usable than they were 10 years ago? Define usable because we've gotten more complex from a password strength meter. Yeah, no, we've gotten more complex.
I, I, the, the, I don't think I can't be more specific with the question because it gets into the answer, which is that we've got more complex, but we have to change them less frequently. But The thing is, it's like everywhere you go, the password standard is different. So if you think about it like all the different websites you use, some of them do make you change it every so often. You can't reuse passwords, You can't use 2 letters that are the same in a row.
Like where do people come up with these stupid rules? Yeah, all these pattern stuff or my favorite my my my least favorite right now actually is your password must be between 8 and 20 characters, no more, no less. And you're in this little box. So if you want to have a long password, which is, you know, secure and, or use pass phrases, right? And things like that, 20 characters is really limiting to be able to do that. So you're, you're artificially impacting the security of your
system. And that might be a system limitation, right? We can't, this field can't have more than that because of whatever. But I, it's, it's, it's gotten out of hand, I think. So I, you know, I'm not going to throw any of our fellow IAM practitioners on the bus, but I use a retirement site where they don't allow special characters. So you can't use a dash, you can't use an exclamation point or a hashtag or any of those things that I think make the password more complex.
And they have a minimum strength of eight characters. So it's like, come on. And this is a site where you go to manage your retirement funds money. I, I just think it's absolutely ridiculous. Like if you're going lazy. Way to address an injection attack. That's that's the way I look at it like, OK, if there's, if you're, if you're, if you're, you know, if you have a problem with an injection attack, OK, I
get it right. There's certain characters that need to be, you know, obfuscated, moved away, restricted, whatever it may be. But to say you cannot use any special characters in a password, again, it's it's, it's not security, it's security theatre. And then and then the the MFA is SMS. So you, yeah, put those things to those two things together. It's like you got to be kidding me.
Yeah, I don't know if we answered Robbie's question, but I think you and I agree that the password situation needs to get better. But I the, the silver lining for me again, is I think the interaction with it changes and becomes more behind the scenes and plumbing versus, you know, the first thing you see when you visit a website or an app, login into your ID and password. Yeah. And for the practitioners out there, what are the takeaways? It's all right, move forward passkeys.
It's use stronger authenticators than SMS. At least make those things an option. You know, if your users want to default to SMS, and maybe the problem is that 95% would, but you should at least give people the option to use stronger security mechanisms, Yeah, and get away from using passwords on on your app, especially if you're you're protecting is like highly secret. Yeah, I I would like to see a better way to do push notifications and authenticator type apps and kind of things
like that. It's a very clunky experience. If you're not a, you know, IAM person, you have to kind of explain, oh, you've got to download the Google Authenticator or the Microsoft Authenticator or, you know, the I800 other authenticator apps out there. And then you've got to scan a QR code and then you've got to type that code in and then you've got to type the next code in. And it's just, it's a really terrible user experience. It's, it's secure more than an SMS.
But when you start putting hoops in front of people and it makes it difficult to register, it's it's the old abandoned shopping cart scenario. OK, this, forget this, this is taking too long. I'm going to either not do MFA or I'm going to default to a less secure model. Yeah, OK. I mean, you're right, You're right. I know I'm going to isolate that and that's going to become, you know.
Yeah, you're going to have a short out there where I was just like you say something and I'm just like, you're right, you're right. Yep, Yep. OK, let's go to Sarah from the United Kingdom. What's one thing in IAM you wish more companies would prioritize but often don't? You know, it's interesting. So this is one of the ideas that I actually thought of bringing up dirt as my opening tirade or my opening rant, if you will. So let me ask you a question, user experience, Wayne.
If you go into an organization, they're very like doing things very manually. Maybe they're very decentralized and they've got a lot of onboarding forms that end users use. They fill out the form to onboard somebody, they send it in, and then magically the person shows up and all the access is there. There's a bunch of people behind the scenes making it all happen, but from an end user experience. End user experience is quite
good, right? They fill out the form, they e-mail it away, and then somebody takes care of the problem. I don't know if it's good. I think it's average and here's why. Why am I filling out a form in the 1st place? You know the person's coming, you know you're going to pay them hopefully, so they should be in some system somewhere. Why am I still having to fill out a form in the 1st place?
We've defaulted to. Oh well the default onboarding user experience is a manager or an HR person or somebody an admin goes in and says oh Jim is starting today, onboard him. Like why are? Why is IAM the last person to know about that? Let's say, I mean, let's say we're in a very automated version and we say, all right, Jeff is the manager. He hires somebody and you know, all right, the person comes from the HR system.
We give them the birthright roles, they, you know, I'm sure you had to request a laptop for them and maybe a phone and phone number etcetera. Anyway, all that goes through now what about the more advanced? So you know, they're going, you hire somebody to do podcast, podcast video editing. So they're going to need X, Y and Z. That's different than the average user. There's no role defined for this job. So where does the onus go?
Does it go on you that you have to go out to the ITSM or go out to an IAM system to request all this access? Or does somebody supposed to contact you like, or does the person just show up and they can't do the job until? So to me it's it's those are not a good user experience. Having one form to go to, to say, all right, you know, this new person starting and they need a laptop and they're going to need all the software. Maybe I'll just type it into the
notes. I'm not saying it's the most efficient way or the right way, but from a user experience perspective, it's like, oh, I just had to fill out one form and they showed up and pretty much they were right off and. Working well, I think the user. So it sounds to me like you want to prioritize the user experience, which you know, I can find no fault in that. No, no, no actually. So here's my counterintuitive is, you know, maybe we have to deprioritize the user experience.
Why would you deprioritize the user experience? Walk me through that. Jim logic.
¶ Replicating Manual Processes with Automation
Yeah, right. So I tied the user experience to, in that situation, where it's just one Word form they e-mail around. So deprioritize it from the standpoint of like we're not going to do that anymore, but prioritize it from the perspective that you have to mimic at least as good of a user experience as what existed with the manual form. I mean, if you're trying to replicate manual processes with your automation tools, I think you're thinking about this in
the wrong way. The whole point is to be more data-driven. You know, you know someone's coming onboarded, you know, and they're in the Workday system or whatever your HR platform is, take that data and do stuff with it. You spent money on automation, so automate like what's the problem here? Stop, stop, stop making busy work for people, managers, HR people. Stop making fill out forms.
Now I know I'm being probably a little bit pie in the sky Ultra Stickler may be, but if you have the technology to automate and you've got the data and you think the data is in a good enough spot where you can't automate, automate. Don't do it half ass. Yeah, no, I think maybe I was trying to be a little overly creative with the answer here,
¶ The Importance of User Experience in Automation
but you can't take a step back in terms of the user experience. I, I part of that user experience is psychological. In other words, sucky. You're the manager and you wouldn't know that when the your new, your new hire shows up that he or she is going to have everything they need. They're going to have their laptop, they're going to have all their tech, but they're also going to have all the access
that they need. You should at least kind of go through and like be able to see in kind of a dashboard setting. Like here's all the things they need that they're going to get from an automation perspective, and here's all the things that maybe do need to be requested. Maybe after you go through that list, you're like, oh, Adobe Premiere is not on that list. I got to make sure that they get Adobe Premiere. But do they need that day one? I'd argue maybe not.
How many people hire and are doing their full job within seconds of onboarding? Usually the first couple days is, you know, going through onboarding training or company training or, or things like that. Then maybe I'm making an argument for prioritizing zero standing privilege or just-in-time privileges. Yeah, we're talking about getting access to a whole bunch of things that they may or may not even use right away.
¶ Dynamic Access and Self-Service Models
So why not be more dynamic with that decision and say make it more self-service? I mean, we all know how to use Amazon and buy stuff. Nobody taught us how to do it. But if I want to go in and, you know, get a new camera, I can click up a couple buttons and it'll be delivered to me pretty quickly, you know, within a couple days for the most part. Why not take that same model and make it more self-service for those people say, oh, I'm going to be doing some video editing.
OK, which video editor do you want to use? Adobe Davinci Final Cut. You know XYZ, whatever it may be, select the one you want, click the button and boom, it provisions it. You have the tools from an automation standpoint. I think your bill won being overly creative now. OK, So what's the answer? Like what is the one thing you wish companies would prioritize
but often don't? Because we went, you went down the user experience role and then I'm not sure if you argued it for or against that the prioritization. I think, I think I may try to be creative by arguing against it, but I think in the end of the day, I argued for it, which was, you know, you have to kind of think about it from multiple aspects and make sure that you're not taking a step back
with automation. Because I think our minds are wired toward let's say things that are manual, automate them. That's not always a better user experience if it's not well thought through. Yeah. And I think sometimes we we stop automating, we say, oh, that's good enough, forget it. And then you start leaving, you know, systems on the table from like an integration standpoint to, to further that automation and automation can be done much
different things. Doesn't have to mean like fully on board, fully off board and everything is, you know, In Sync, right? In this magical world. There's the reality of things come in and I think you can kind of find what what a win looks like. I would argue something else for prioritization.
¶ Strategic IAM Program Management
I think that's actually running your IAM as a program strategically instead of quarter by quarter, month by month, fiscal year by fiscal year and not really having a strategy or plan of where you're, where you're going. So I would like to see more companies think about identity from more strategic terms, especially at a program level.
What are you trying to do? What are your objectives, you know, from a program perspective versus oh shoot, we got to get this thing in because it's next quarter or it's this app is going live and we're band aiding everything over the time. And I think that tends to lead to overly complex IAM environments and the governance isn't there for policies or
standards or even procedure. And so I'd like to see more of the people in the process side of IAM have more focus rather than just, hey, we slapped a technology on it and that'll fix everything. Yeah, I, you know, I also think when people are putting to you that their IAM strategy, some people are wired to think that a strategy is a list of products and an IAM strategy is not a list of products. It's that that must play a role but people, process and
technology. And I know this sounds cliche, but it's as true as ever with IAM. Yeah, that's a good sound bite. We'll just leave it there. Got that one out now as well. All right, let's go to our friend Carlos from the USA. How do you see AI really
¶ AI's Impact on Identity Governance
impacting identity governance in the next few years? What is hype versus reality? Welcome to this portion of AI at the Center. You know, I, I really think that where AI is going to make the difference is for the ability for people to kind of not have to know how to do things, but just to go into some kind of interface and say, this is what
I'm trying to accomplish. For AI to figure out what they need and they get to the right place, perhaps interpret the queries that they're making and turn them into action. I think identity is hopefully there's something that people don't have to do every day so they forget, you know, if a couple weeks pass between visits to IAM systems, where to go to do things. And I think AI could be a huge
help in that. So kind of it is from a user experience perspective, I think that's probably one of the biggest areas that you're going to see AI show up because I think a lot of the back end things that you could have AI do, I think people are afraid to touch right now. They're afraid to turn over to AI. I don't, you know, one thing I've always been concerned about is like, does AI know the boundaries of what data it can include in terms of
returning a response to a query? And I feel like a lot of developers or product companies, they're actually, they are afraid of that. So I think we're going to see AI show up the earliest is from an end user perspective on kind of more or less the basics of finding things, being able to query but be but limiting that pretty significantly.
Yeah, I'd agree with that. I think we're already, you know, we've talked to several companies already that have integrated AI and generative AI specifically for like natural language queries, right, or things like that. And I think you end up in a spot where I think it will impact the user experience first. Because I think that's the safest place theoretically to impact.
Because I don't know if we're yet to the spot where we would trust an AI to configure itself to be secure without somebody looking at the code, the workflow, the configuration or whatever it might look like to actually make sure that it makes sense, it's doing the right thing. So I do think of things where it is more accessible, right? I, I've forgotten most of the SQL that I would have used, you know, 20 years ago to, to query a database looking for
data in my IGA platform. You know, at this point, I should be able to go into a system and say, show me all the users that have access to this application or show me all the users that do not have MFA enabled or show me all the people with this specific, you know, privileged entitlement, you know, whatever it might be. That's all just reporting. And I think that's, that accessibility is going to make it easier to do things with the data that we've been sitting on.
So I think, I think AI is extremely impactful on that side. And that's what's coming first. And then you will start to see behind the scenes, you know, and, and there's companies already working on it, right, to configure their tools, Hey, set up a connection to this application and my IDP or my IGA or my privileged access management system or wherever it may be.
So I, I think I, I don't think it's, I think it's a little bit of hype right now because I think people are excited about the opportunities, but I think it's going to quickly turn into reality. The question will be, does the reality match the hype and how quickly does that become truth? Because I think in 50 years, most IAM platforms, if they're even going to be IAM platforms at that point, are going to be almost self-sustaining. They're going to be a service that you buy.
And this is the way it works and AI or whatever, right? Machine learning language. Things take behind, take place behind the scenes, do the work, and you're you. Everyone at that point is an end user of the tool, like very few admins. For listeners and for practitioners, do you think that if you're not using AI in some way in your job now that you're falling behind, Are there things that you would recommend to practitioners that you need to
get good at this thing? Yeah, I think you need to. It's like anything else, read up on it, experiment with it, play with it, understand the benefits and the potential drawbacks. I mean, there's no shortage of AI tools out there now, right? Between OpenAI and Google and you know, all the different models out there, Anthropic, etcetera, they're all pretty darn good. And this is the worst that it will ever be.
It's only going to get better. Tomorrow's going to be better than it was today and so on and so on. So I think understanding how you can leverage it for any number of reasons, whether it's, you know, helping write a report or helping analyze data or, you know, things like that, you know, definitely you want to stay on top of it.
I think where I would be concerned about is when I start to hear, well, we just have AI doing all the work and there's nobody checking it to make sure that it's good. That's the part where we're not quite there yet.
And we need to have people who understand their space, you know, whether it's authentication or authorization or governance processes, right, or whatever it may be, somebody still has to check that to make sure that that is still correct because AI still hallucinate and they go off the deep end sometimes. And so you need people who know their stuff to call out the AI or whatever you're using, right,
to make sure that it's good. So it doesn't absolve people in the IAM world of not knowing their stuff. You still have to know your stuff. Yeah, I commented on a blog article because the focus group put out a blog article. They're an analyst firm and they attempted to use AI to put together an analyst paper.
And I think what they found, which is what I find a lot with AI, is it does a fantastic job in terms of putting together the shell, in terms of putting together kind of a lot of words. And kind of like, oh, man, if you just looked at it without actually reading all the detail, you say this is very good. But then when you get into the detail, it's like it's not very creative. The date is old, things like that. And yeah, I mean, is that what
you find as well? Yeah, I mean, I think this is where different models have different strengths and they continually are improving things like that. I think I find some of the AI services are better at report generation, writing skills, basically. Others are better at analyzing the data and putting it together in a way, and others, you know, are just better at interpreting actions. So I think there's still a long ways to go for all the different AI services, but it's exciting.
I'm, you know, I'm on record as being a fan for it. It's going to be used for things that probably shouldn't be used for, but I think in the end it's going to be a very valuable tool for a lot of folks. Do you have any of the expensive subscriptions? No, I stick with the $20.00 a month ones. I know that there's like $200 versions out there which I don't, I don't think those are worth it for me.
I think those are probably more for, you know, developers maybe, or people who are really taking advantage of it. And I subscribe to multiple ones. So, you know, between Gemini and ChatGPT and some other ones, that's enough for me. So I'm probably spending, you know, half that for a variety of services. But I think it also gives me an opportunity to look at different models and leverage the appropriate model for what it is I'm trying to do. So yeah.
And, and, and look, those prices will come down at some point, you know, they'll get the models themselves will become cheaper and more efficient to run. So costs will come down, which theoretically gets passed on to us as consumers and then it becomes the, you know, bundled as part of a service, whatever it may be. But I don't, I think this is a, a real cash grab for a lot of
these companies. So it's going to be very interesting to see when, when and how does the, the economic model of a subscription to an AI update or change over time? Is it just, hey, this is the new streaming platform, you know, we all have like 8 different video services that we use. Is this now another thing where it's like, this is just another subscription that we're all going to be tied to And, you know, it gets better theoretically over time and maybe there's a war at some point.
It's like, OK, well, you know, is it Netflix versus, you know, Disney Plus? Or is it Anthropic versus OpenAI, right? Or whatever it may be. Have you seen anything with Apple Intelligence lately? I mean, I've seen their attempts at it. I'm not impressed with what they put out so far. I think they're, I think they're actually late to the game on this. It is it's, I don't, I would say
it's not good at the moment. It's so it's so, so basic compared to what you can see and do with some of the services out there, especially if you look at Android phones and what they've done with integrating like Gemini into the OS and things like that. It's just, it's just further along, you know, I have no doubt Apple will catch up at some point and move beyond parlor tricks like image playground and, you know, stupid stuff like that, that doesn't really
matter. So I, I think they're behind and I think they're doing their Apple thing. They're being cautious. They don't they're not inventing the scenario. What they're going to be really good at is refining how it gets used and how it's integrated,
things like that. So, you know, I think we're still a couple years from where Apple probably should be when it comes to integrating AI. But if you want a glimpse of it, fire up an Android phone and go into, you know, Gemini and Google Assistant and that kind of change over is happening. It's pretty neat. Yeah, very cool. There's your AI at the center. All right, all right. Let's go to Isabel from France.
¶ Building Strong IAM Programs on a Budget
How can smaller companies with limited budgets still build a strong IAM program? I love this question because everybody, nobody has enough money or resources to get things done. Most of the organizations you know, that I've seen are, you know, scraping by or have to justify every dollar and cents. So Jim, how can a smaller company with a limited budget still build a strong IAM program?
Yeah, since I have to answer this first, I'm, I'm actually picking on something you said earlier about the IAM program. And you know, if I put my program manager hat on, it's about identifying where you spend that small budget, right? So there's not one blanket that's like spending on authentication or spending on identity governance or privileged access. It's figuring out where are your needs and making that case and then be able to paint the risk
landscape. So having a strong IAM program manager is probably the first investment to identify where the rest of the money goes. Yeah, I think that's good. I think really setting the stage for your program, what are your policies? What are your standards? What can you do with what you have?
You know, I work with a few different nonprofits and typically they don't have a ton of money and so they can't afford, you know, IGA tools, privileged access management tools and, you know, user and entity, you know, behavior analysis, right, and ITDR and all the buzzwords. So a lot of it is trying to figure out, OK, well, what can we do with what we have? And a lot of that falls back to inventory. I mean, it doesn't cost money, you know, to you don't have to buy a tool, I guess to, to
inventory things. You probably have some things that you can already do to say, OK, well, let's at least get user extracts, you know, from different systems and know who has access to what. You know, there's, there's things you can do. It's going to be painful in the real world if there's an incident or you know, maybe onboarding is a real pain because you have to go and log into 200 different systems and see, you know, if that person
exists there. And that's where human error comes in. You forget to do a system where it may be or onboarding same way. It's like takes forever. It's a real challenge. And I think, I think it starts with the program itself, people and process the technology should be third on that list.
And hopefully as the organization grows or matures, you know, they're, they're investing right size technologies versus and hopefully proactively before there's a problem that forces them to invest in it. Yeah. So you so often hear though, as you talk to companies like we're a Microsoft shop, and this isn't to blast Microsoft, but is that the right approach? Well, I mean, they have a lot of capability. So yeah, it can absolutely be the right approach.
If you're already on Office 365 or Microsoft 365 and you know, you are a Windows shop, right? All that stuff, there's plenty of tools that come along with Microsoft to help you manage it. Now, is it 100% coverage? Does it do it the way you wish it would do it? Probably not, right? I think that's where you see add-ons and third parties and all these other products come in to kind of help fill those
voids. But this is where you decide, OK, well, how do we match up our people and process to line up with the tools that we actually have? Boy, it'd be really great to have CyberArk, right? Or BeyondTrust or Delinea or whatever it may be, but we can't afford it. So how do we take advantage of PIM and Entra to do some things, you know, use the tools you've
got? I, I think, I think there is, there is things you can do to match up your people and process with what you've got as best as you can. Yeah, that's a great answer. I know I'm going to isolate that one as well. All right, let's go to our last question. This is from Anders from Norway. I like this question and Jim, I'm very curious to see what you're going to answer this one
¶ Dream Guests and IAM Superpowers
is what's your dream guest to have on Identity at the Center? You can pick anybody you want, living or dead. Who would you like to have on as a guest for the show? I'm going to put somebody who I actually tried to get on for a guest when he was still with us, Kim Cameron, he has seven laws of identity. I mean, this is an identity podcast, right? So if I answer Abraham Lincoln or something, it's a little like, well, that wouldn't make a whole lot of sense.
Kim would have been... This podcast doesn't make a whole lot of sense anyway, it would fit right in. True, that's how I would pick. So Kim Cameron, I'm going to go a little bit different direction. I would like to have more large company CEOs and CISOs because they're the ones that are really controlling what is happening in the real world from an identity standpoint, budget, resourcing
and things like that. And I think if we can put our message and get into, you know, the minds of some of these folks that are controlling the budget and understand what their triggers are, that's going to be super helpful for people. So I would like to have more, you know, executive level people explaining to us why or why not to invest in this thing called digital identity. Whether you're a vendor, right?
I'm, I'm sure there's, you know, there's, there's large companies that we've tried to have on in the past that, you know, just haven't been responsive on that. And that's fine. But I would like to have, you know, really the, the, the executive viewpoint come on more because I think if we can start to speak their language, that might help folks out there make a decision or help them make their decisions and on how they want to present their investment asks right from a,
from an identity standpoint. And that doesn't have to be just technology. It could be, hey, we need another person because I'm, I'm falling behind here, or we're not delivering the service we need to or it's not secure or whatever it may be. Yeah, I'd like to hear if they agree that identity's at the center. So if you're talking about a CISO of like a Fortune 10 company or something, we talk about identity, the center, like are we, are we in our echo chamber just talking to each
other and all agreeing? I think so. I mean, how can we not be right? This is an identity podcast. We're talking about identity things. We're not a mass market podcast where, you know, we're the first thing, unfortunately, that people don't turn on, you know, when they're a commute for, you know, millions of people out there. We got a lot of listeners but and, and viewers, but they're in the identity space or cybersecurity, right adjacent, right, things like that.
So there is a lot of education and training, I think to be done still for the public. And I have a real good friend of mine, Jay, we were talking, you know, the other night about MFA and he's like, you know, what's that? I was like, Oh yeah, yeah, this is other thing, right? Yeah. We take MFA for granted and there is not a lot of awareness at the general public level who are not in the space. So how do we educate those folks? You know, how do we, you know,
bring them into the fold? How do we design solutions that are secure by design for them and usable and they don't even have to think about security. Should they be thinking about security? Maybe, maybe not. Is that our job as identity people to do that? Yes, it is. So how do we smooth that over? Bad answer, Jeff, you make that clip. I'm not going to, I'm not going to answer like that one.
OK, why don't we go ahead and wrap up this episode with a lighter note from Sophie from New Zealand? I think this is a cool question. So if IAM was a superhero, what would its superpower be? So this concept of identity and access management has somehow taken life and is now a superhero. Or you know what a super villain, let's call it. Either way, what would the superpower be for that superhero or super villain? So we know there are IAM superheroes.
We've run into them all the time, right? A lot of identity programs would just completely fall apart if it weren't for the superheroes. A lot of times it's because companies have under invested, so people have to kind of become superheroes and work crazy hours and things like that. So I'm going to talk about those people and what would be the special skill that would be able to take the things over the top for them. And it would be if they didn't
have to sleep. So the IAM superhero superpower would be Sleepless woman or sleepless man and they can stay up 24 hours a day working on IAM. Wow, that sounds like a really crappy superpower. I'm not saying I would want it, I'm just saying that would be the superpower that the real world IAM superheroes was probably it was supercharged their ability. OK, I'm going to go with more of a super villain in this state and just confusion.
The concept of confusion and being able to say what is IAM really good at confusing people and befuddling them and that could be any number of things, right? It could be for the end users. They don't really know how to do this thing. Why do I have to put a password that's 8 to 20 characters can't use any special characters, can't have two numbers in a pattern, right?
It's super confusing, right? Or maybe it's us and the identity side is like, oh, we have 80 new acronyms every year for all these different services. Did you mean this one or that one right? And so I think confusion is like the superpower of IAM. And the hero opposite of that is someone who can clarify that confusion, someone who can distill messages down, simplify them to make them easily understood. That's the that's the opposite side of that yin-yang coin.
Yeah, well, yeah, yeah, man. So I actually, I, the one of the most frustrating things to me is like, you know, you've logged into whatever application, say you flew an airline, but it's been 15 years. And so you go in and you try to log in and it says, sorry, you know, go ahead and reset your account or it doesn't. That basically doesn't recognize your username, your e-mail address. So then you go through and you try and register using that e-mail address. So sorry, you can't reuse an
e-mail address. Oh my God. I guess I'll give you. Yeah, I I guess I will just register as a guest. Yeah, or the favorite 1 is like you can't, you know, you try to reset your password and you type it in and it won't take it and then you go, OK, well, I guess I have to reset my password because it's because. You can't reuse your. Right. And then say oh you can't, your password can't be the same as the current password. Like what? Yeah, that's a there's a meme out there for that.
And it's like the guy with all the numbers flying around the said, yeah, that's, that's pretty good. So there you go. That is the IAM confusion supervillain striking again. Like what is going on here? Why doesn't this make sense? So hopefully other IAM heroes come in to save the day and clarify things. OK, well, I want to thank all of our listeners who sent that
¶ Listener Questions and Wrap-Up
stuff in. We, you know, we get a lot of messages. We try to respond to the ones we can, some of the ones we save up for episodes like this. So I think we're already at like maybe 2, maybe 3 mailbags for this year, which is great. I'd much rather answer questions from people than, you know, try to come up with something innovative every week because this is the real world of IAM.
So it's like, all right, well, we're going to have those conversations as well, but let's hear from people and what are the challenges or what are they, you know, want our viewpoints on and stuff like that. And, you know, our opinions can certainly change. And I'm sure if we look back on the podcast, it's the time capsule, as you like to say, Jim, you know, in 10 years from now, they're like, oh, can't believe you guys were talking about that kind of stuff.
What cavemen. All right, so let's go ahead and leave it there. Let's see. Visit the show on the web, IDC podcast.com, like and subscribe. That is super helpful for us. Share it with folks out there. Visit our YouTube channel, like and subscribe that as well. I noticed our YouTube shorts have kind of taken on a life and yeah, maybe that's better format for YouTube.
We'll always have our full episodes up there, but you know, we try to have somewhere between one and three minute clips there that we that we do for each episode throughout the week. And then send us your comments, thoughts, prayers, wishes, curses, whatever, you know, send us out on LinkedIn. Jim and I was happy to connect with folks out there. And yeah, so with that, we'll go ahead and leave it for this
week. Thank you for watching and or listening and we'll talk with you all in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.
