#348 - The Identity Data Dilemma: Martech, Adtech, and IAM with Eve Maler

What I chose to do for the South by Southwest audience was, you know, I talked a little bit about zero Trust and how they say assume breach, right, which is a good assumption for both people and organizations. I suggested as well, they need to start assuming tracking. So assume breach, yes, assume tracking, absolutely, which is, you know, that's not a piece of advice that's sort of actionable other than making you think before you share things you don't want to get out there.

You know, the other joke that might be made, and especially given where Identiverse is held these days, you know, what happens on the Internet stays on the Internet. So, so like being aware is sort of the first thing in terms of doing something about it as an individual that can be really

tough. There are things you can take on board that require some friction in your life to do, and that's not something I generally want to ask people to do when it comes to identity professionals and what we can all do to support the efforts to give people more choice, give people more transparency when they are consumers of businesses and when you work for those businesses. I think we have to, you know, if we take ID Pro's vision seriously, we have to try it and

do that. And that requires understanding the value that is being created for the business of each of those pieces of data. So when you were talking about data governance, Jim, I totally agree. The way that a privacy professional would see that is it's kind of a risk assessment for each piece of data collected. What I think we've been forgetting is the value assessment. This is identity at the center if it has anything to do with

IAM. This is the go to podcast now your hosts Jim McDonald and Jeff Stedman.

Welcome to the Identity of the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Oh, not so bad yourself. Doing great. So I've got a theory I've been working on, which is that we are at a current point, which is the widest gap between laggard I am and next Gen. I am. So we got Yvonne today as everybody knows, right? It's in the title of the of the show surprise. We're going to be talking a lot

of next Gen. stuff. I think every once in a while we're like, we've run into a project and it's something like, yeah, the way we do access is we've got this Word document and we fill it out and it says make Eve like Jeff. And then we just do that. And you're just like, oh boy, you gotta be kidding me. And I think we're at the widest

gap. I think that that first scenario isn't really that far from what you'd find maybe in more places 20 years ago, but now the the next Gen. is non human identities, it's the decentralized identity. So there's all these new areas that are cropping up and it's getting more interesting and like how does this all this new technology fit into what we're doing? But there's unfortunately still organizations that are struggling with that basic blocking and tackling.

So, OK, so I think I know where you're going with it. I don't know if I agree though, only because you and I in our day jobs, we see pretty much the worst of I am right, you don't call identity consultants and things are going great, right? It's like all I need help with something and a lot of the companies that you and I deal with, would you, I don't know if

I would call them laggards. I would call them average as far as IA maturity goes, because there are still a lot of organizations, too many that still haven't made investments that I would call like basic IAM technologies. And I think of things like identity governance, you know, to help with automation and things like that. And I think of, you know, privileged access management

tools. And then, you know, I think the most investment that's happened over the last five to 10 years has really been more on the authentication side, especially when COVID hit, it was like, wow, everybody's working from home and remember how we didn't have MFA. Well, we'd better sure have it now.

So let's get that rolled out. And so I think authentication has sort of become relatively standard, but I don't know if I would call laggard and next Gen. just knowing how many companies haven't even caught up to the what we what you were kind of referring to as like the laggard part. I think that's pretty average. It's far rarer that I see like next truly next Gen. I am, and I don't mean like a fancier IGAI. Think of things that are more

like API based. They're using things like shared steel framework or Cape or, you know, other types of orchestrations that are almost UI less. It's it's orchestration, it's policy based, it's adaptive, right? And it's using data rather than and just another way to collect a form on somebody, whether it's a word form or a ServiceNow form or whatever it may be.

Like I see getting rid of that touch point as really sort of the next Gen. and then using the data off that to do policy based decisions, risk based decisions, right? Things like that. Yeah. I think that you're right about the authentication piece. I think that's where a lot of organizations have put their investment. I think that by laggard, you can say laggard in terms of investing in other areas that

are also important. Privileged access management in terms of user management in terms of, you know, on the external side where you have a lot of people trying to penetrate. But I also think when you talk about some of these next Gen. things like non human identity management, when like like decentralized identity, you can't even worry about those things until you get the basic blocking and tackling done, right.

Well, you could worry about it. I don't know if you can do anything about it, but you can certainly worry about it, that's for sure. But let's look non, you know, NHI non human identity, right? It's it's sort of like the identity topic du jour for the year 2025 and probably towards the end of 2024 is when it first really kind of got into the limelight. But it's not new. Non human identities have been around forever.

I mean, there's service accounts that have been around forever, you know, go back as far as the mainframe, right? And I'm sure even before that, right punch cards, you know, probably had some of that too as well.

So when we say non human identity, I think all we're, I think what we've started to do is recognize that these identities do need to be managed as well, whether they are a carbon based life form behind it or not, or if we want to, you know, debate the semantics of account versus identity. The problem is not new. It's almost like saying, well, identity's the new perimeter. It's been the perimeter for like 25 years, 30 years. So it's just, it's, it's getting

hot right now, which is cool. Like, Hey, I'm not going to knock it. Like that's great for people in the IM space, but I, I, I don't, I don't know if I agree with like that's like the future. I think it's the now and it's the has been, not has been. That's probably what I want to put it, the history, but I hopefully that makes sense. I'm not saying it goes away. It's definitely going to be part

of the future as well though. I, I kind of feel like non, you're right in terms of non human identities have been around for as long as we've been in IT, but the problem has grown, right. So there are more devices on the network. The device has more importance in terms of the overall authentication picture, for example. So there's the device side of it, but then there's also the workload side of it, which I

think you referenced. Sure, you have service accounts, but you also have robotic process automation. You also have people doing things with like Kubernetes and Docker and infrastructures code and, you know, managing your cloud environment. And so when I start to think about those things, look, if you have an organization that's like using word forms and copy as are you probably doing a lot with Docker, well, I don't know. There might be other people like

we put our money there. We want to make our infrastructure hum, or we hire somebody who's like a whiz kid and they're going and doing those things. And they might be wearing dockers. So there you go, there's your docker container. There you go, you pulled it all together right there. I think I know where you're going with it. Like, OK, yeah, I mean, that makes sense. I just, it's like, I think sometimes we forget about the average population. And I don't mean that

negatively. I mean where most people are from like a company perspective, a maturities protected, a very capability perspective. There's just a lot of companies that are still kind of scraping by. And I mean, you and I know this, right? We talked to a lot of really smart people, like, yeah, they know what they should be doing, but they don't get the funding to do what they want to do. Or, you know, their strategic investments just aren't there yet to, like, modernize or

improve things. And it's painful. And that's why I refer to all these I am heroes out there that literally make the company work through sheer effort and will in spite of, yeah, I have to send a fax to get an account to me. I mean, like, it's 2025, but that still happens. It's crazy. Yeah, so I'll be interested to hear what Eve has to say. Is the this chasm or this gap between laggards and next Gen. I am. Is it worthy of a Venn chart? We'll find out.

I, I, I mean, we, we, we probably already know the answer to that. So for sure we're recording this a little bit advance. I'm going to tear it on the 4th wall a little bit. We have not yet gone to EIC, but we're trying to make sure we have content to kind of carry over EIC and our vacations and things like that. So for people who are listening, just know that we are still yet to go there and, and he's been gracious enough to join us and

give us kind of a preview of, of what she's going to talk about. But don't forget we still have an Identiverse discount code. We're going to be there. We're going to be just doing some cool stuff. So if you visit us there in Las Vegas, June 3rd through the 6th, if you use the code IDB 25-I D AC25 to get you 25% off, it'll be in our show notes. And it's also on our homepage, IDC, podcast.com. If you just Scroll down and it'll be right there.

But the cool thing we're doing and and we've started to, to get this out there is we are bringing the Identis Squabble game show to the Identiverse Conference.

So if you are familiar with what we put on at the Authenticate conference late last year with their help, we are, we are rebranding it slightly at least for the identity of the Center to Identis Squabble. I'm going to be the MC slash game show host and Jim's going to be a team captain and I think we're going to do IDAC versus ID pro. So I think we've reached out to Heather and she seemed to be in for it. You guys are going to pick your own team mates. Neither of you will be able to

see the questions in advance. Only I have access to that. So I'm creating a a list of identity questions, non human questions, and maybe some Vegas questions to kind of keep things fun. We'll probably have time for maybe 3 or 4, but we're going to be kicking off the Expo sort of reception party that Tuesday night when things kind of open up for that kind of stuff. So I'm looking forward to that and hopefully people will come out and see that.

I'm trying to make it also a little more audience interactive. So maybe we'll have like life lines that we can do where, you know, if people aren't sure of answers, they can ask the audience, right? Or things like that. So I'm very much looking forward to that. Jim, do you have your teammates lined up yet or are you still working on that? No, I still have to work on that. So I I mean, you just announced news that I wasn't even aware of. So Heather has agreed to be Team

ID Pros captain. I mean, yeah, you should check your e-mail. Well, I'm hey man, I've got some other things going on. Sorry. There is nothing more important than I, Dennis. Squabble, Jim. This is the most important thing happening in the entire world in the next, let's call it month. Two months. I know. Not just for me, I mean for the entire world. Exactly. Yeah. So I'd AC versus ID pro. I think I reached out to Eve and I think that she's not going to be there, right, Eve?

I'm going to be there for a little while. I'll probably have to miss Identisquabble, but I really like saying identisquabble. Yeah. Can I just say? I don't know if there's any reason to go to the conference if you're going to miss Identisquabble, but I'm just saying I'm. Sorry to miss that part. I want T-shirts out of that though. There ought to be T-shirts. There should be T-shirts. Well, maybe we can make it a recurring thing. And, you know, we'll see.

We'll see what we can do. It's fun. You're not going to learn anything, but you're going to have fun and be entertained. So that's kind of the point of it. All right, let's let's formally introduce Eve. She's a digital identity futurist and strategist. She's the Co inventor of XML, SAML, UMA and maybe other things that I'm not aware of. Privacy by design ambassador. She's a board member.

She's one of the IM rock stars of the band ZZ off. She's the president and founder of Ven factory and this is her seventh time on the show. Welcome back, Eve. It is a delight and a mystery at the same time. That's how we like it on here. We don't know what we're doing. Seventh time on the show. I think I mentioned before we hit record that you're approaching Andrew Shikiar, A Fido Alliance fame, who I think is the current record holder.

I'm sure we'll get Andrew on later this year as we kind of get closer to the Authenticate conference. But you've been very generous with your time. You are actually. And and Jim talks about this royal time. I don't know if he's ever mentioned it to you. You're like our first big get for the show and we were so excited. It was like, Oh my gosh, like Eve wants to do the show. Like does she know who like what we're doing?

And, and you probably do and that's fine, but you're you're very generous with your time and joining it to us. We'll never forget that. It was kind of the ones like, oh, you actually could get some people on this show that people have heard of. You had all the signs of

greatness even then. Well, flattery gets you everywhere in this show, so, you know, I'll take it anytime we can get it. It was October the last time you were with us and I think actually you recorded maybe that one with Jim, because I think I was travelling. And so we've been kind of talking about things in there. But I'd love to understand what's new in your world since the last time you were on back in October. Gosh so much. I mean you know I've been

growing ven factory. I've got some exciting new clients preparing 1/3 white paper that I've written with a co-author for the first time. We're hoping to launch it in a kind of an e-commerce site that I I'm working on putting up and I got this great opportunity to go speak to South by Southwest about identity. That is so cool.

I mean, how how crazy is that to have, you know, like an identity talk at South by Southwest. I joke about like, hey, they should make a, you know, let's turn ideas into a Netflix show. But I mean, that's pretty close to the same kind of concept, right? I mean, what was it like being at South by Southwest? It it's fun. It was fun for sure. I did have an experience like 10 years ago where Joni Brennan was involved and a few other folks from the identity world. We were talking about IoT

privacy back then. And so they've had some representation of, you know, great tech topic topics over time. But like, I wanted to be sure to reach a whole bunch of folks who might not have identity context at all, even though they said, you know, don't be too high level, you know, I, I didn't want to leave people behind, you know, So, so I really just tried to cover why individuals should care, why businesses need to care and provide advice for everybody. So yeah, I had that opportunity.

It was it was awesome. And, and just being in the, you know, the zeitgeist of South by and walking around Austin with a bunch of other folks hearing music from every corner that, you know, it doesn't suck. I mean, that's totally like Rockstar, you know, mentality, right? At that point, it's like, all right, we're going to hear from Eve, but I am. And then here comes this major band. I'm somebody I actually recognized from the movies walking down the street.

Yeah, it's kind of like that. I love your website. I think it's fantastic. It's one of the one of the more well designed ones that I've they've come across. I want to know how do I meet the star of Ven factory.com? And by that I mean your adorable puppy or dog that is in your like, welcome video. Sabrina. Yeah. You know, she's way more popular than I am. I should have had her join me today. I'm happy to introduce you to She cares about about identity, but she doesn't know why.

Now, did she have a rider to get into that video where they're like, you know, only carrot biscuits and green beans or, you know, something like that? Like, what was the what was her union rate to have her, you know, be the talent on air? Extra TREATS, basically. That's right, you can't say the word out loud because it'll. Summon well trained yeah you're CAMP you can't say WLK I'm. Flying in, you're like treats. Do we hear treats? No. It's a great website. I encourage people to go check

it out. I love the video. Anytime I think I see a dog on camera with like, people, it's like, all right, yeah, I'm in. Sign me out. Who doesn't love dogs and who doesn't love Venn diagrams? So the answer to your question before is yes, of course. I'm sure there is some sort of chart that can be made. Is it a is it a Venn diagram when the circles completely overlap? I mean it's like who loves dogs and Venn diagrams? Like it's the same people.

I mean, there is that ID pro Slack channel that's all about Identi pets. So, you know, I think there's probably a pretty good close to to overlap, perfect overlap among the populations. I will say this though, so if you show me the the latest Venn diagram that you're working on, it looks different. It wasn't like 3 intersecting circles, right? It's kind of like a. Correct. I don't know, it looks. More like a. It looks more like a, I don't know, Sr. 71 Blackbird kind of shape.

Now you're speaking my language. Yeah. Blackbirds are an awesome jet. Yeah. I used to have a poster of that on a wall at one point. Yeah, they're pretty, pretty cool. Icky. Yeah. It turns out you can't do sets if, if you're comparing sets and

you have more than three sets that you want to compare, you can't use circles. It's just sort of impossible. So you either have to have sort of rounded ellipses or you have to have kind of blocks, or you can be more creative than that. And so it's a four set then, because I'm comparing 4 things. And it's all about kind of stakeholders and reasons to do identity. And you know, I, I, I think there's four basic reasons to do identity.

And the problem is everybody in the organization, not to mention just regular human beings who who have a stake, who care in the results. So is this research that we'll see at some point, like where's this in the life cycle of the generation of it? Yeah, You know, I shared an early version of it I think at EIC previously and I've done some more work. It's definitely going to be in the EIC talk. So you know, people who may be watching this afterwards will have seen, but I'll be sharing

it from stage. It's turning out to be very productive for me to be able to see what advice that I can give. Not just tech vendors about like well, who's your buyer persona kind of thing, but also enterprises around how to make sure that you have the right representation and have the the highest bandwidth possible conversation around, you know, who who cares about the outcomes and how to succeed and how not to have somebody working against you, perhaps accidentally or

perhaps not. Accidentally. I mean, that's the kind of stuff that I think people eat up because I mentioned I am heroes early on. And you know, the, the, the, the sad and unfortunate truth is most of us are operating underfunded, under resourced. Like there's just so much that needs to get done. And so anything you can do to, you know, help convince the right people to say this is an investment that is worthy.

Yeah, as much information you get on that, it's not going to be the right answer for everybody, right? But I think that the more inputs we get into that, you can take this out if you're listening and shape your message to whatever is most appropriate, you know, for your organization. So. Totally. And you were talking about sort of laggards versus next Gen. You know, there's a lot of pull by clever people, innovators, you know vendors who are trying out new solutions.

There's a lot of pull towards stuff that is just completely new and it's hard to absorb. And, you know, I've spent a lot of time, you know, working with kind of the sell side. And, you know, this is not meant to be pejorative towards anybody. But like, I think vendors live in the future because they've got to do that pull. They have to imagine, you know, what went wrong and how to solve it. And they have to kind of be out there and enterprises live in the past.

And it's not sort of a bad thing. It's more like, you know, if you think about the population of cars, I don't know in any one country in the US, there's going to be a distribution of ages of those cars, which is one of the things that makes connected car and IoT hard. Same thing with enterprise infrastructure. It represents buying decisions, you know, of 20 years, of 50

years, of 100 years. So of course the average age of that stuff is going to be older and it's why you have to deal with legacy and have Shim APIs and all the rest of it. So it's just the nature of the thing. And that's where you get a lot of overlap too, like you're trying to buy a product that is future facing, but oh by the way, can it also support COBOL or Rack F? Totally. I mean, I think there's been some move off of AS4 hundreds, you know, among the banks over

time, but not 100%. Right. I still see tons of insurance companies using, you know, a mainframe in the basement runs their entire operation. And it's, it's, it's crazy how much how, how much some of these technologies have just lived longer than they probably should have, but they do because they are serving a purpose. And there hasn't been that key reason like, OK, now we've got to go. Yeah, yeah.

This is the conversation that often happens about, you know, are you selling vitamins or a painkiller? And you know, if there's some big pain, OK, well, now there's a motivation and you can effect change and take care of tech debt and do all the rest of it. That's such a good analogy.

And hopefully they're like Flintstone vitamins and they taste good. I know we want to get into the EIC talk you're going to give here, but I do want to ask you about an earlier conversation we had way, way, way back and that was around like personhood credentials. Any news in that area that that we should be kind of picking up on? From my perspective, there's a couple of interesting things. First of all, I'm seeing more and more folks who are in the verifiable credentials game.

Also the biometrics game offering personhood kind of services, right or personhood credentials delivered into wallets. So I'm starting to see that there's some uptick in, in adoption around that kind of technology. The other thing that I've been noticing is along with Dean Sachs and Mike Kaiser, I'm kind of, I call myself the junior Co chair of the three of the the death of the digital estate group, the Dade Group.

And we've been having kind of an interesting conversation around do you need personhood information about somebody who's passed away? So you know, we talked about is a person. So I guess that sort of was a person, you know, really did have a real world presence. And these are things that are hard to solve because you're not, not to be crude about it, you're like not doing liveness detection in that case, right? So these are important pieces of

information. And what we've been learning about kind of like the, I guess, looking at the government agency infrastructure of the world around, like how do you sort of inform important other downstream services that somebody has passed away? Like it's, it's by no means a clean system with good data. It's, it's a mess. So those are some of the considerations that are that I'm sort of coming across as I look across the landscape.

So it's interesting that that that viewpoint of is a person is in current tense, was a person as in past tense, which leads to me there is a also probably going to be a will be a person as in future tense. So how do you manage something that is past, present and future? And I guess what does personhood mean? Like can you define that? Is it as simple as it's a human being, or is it beyond that? There's different levels of what

kind of information can be delivered about this notion. 1 The most obvious to us, you know, having been in the industry for a long time, is kind of full identity verification. So you're saying it's not just a random person, You're saying it's a person who really lives in the real world and this person presenting this credential matches to that known real world person. That's identity verification. It's a kind of is a person, it's

just very specific. There are other levels where it's more like this entity in front of me trying to operate this service or this application is is really alive, is really operating it in the moment, which is, you know, on the other end of that continuum and sort of in the middle is things we see with like age assurance where you're doing age estimation that's a kind of is a person of a particular category.

And so wherever you have things like age restricted purchases, you know, there's laws around age restricted purchase of a whole bunch of different things. In fact, in my South by Southwest talk, I was showing how, you know, one state is, is thinking about age restricting skin care. Another one is age restricting, I don't know, other beauty products. It's kind of weird. So, so you can ask, you know, is a person older than 18?

It's kind of a species of personhood because it's less specific than anyone in particular. Does personhood extend to non persons? So this idea of, you know, AI and agentic AI and all these other bots and service accounts and non human identities, I feel like there should be a way to verify those credentials as well. So yeah, this really is the Venn diagram AI versus the, you know, XYZ application, whatever it may be. Is there a space for non personhood in addition to personhood?

I could swear that one of Dave Birch's newsletters had one of those wonderful cartoons about this, like, you know, swear you're a bot or something. And that's, that's kind of, I mean, we'd call that attestation right in the IoT world or device or, you know, other non human entities. And attestation of something is, you know, it's definitely a thing. And I, I, I think it could be

valuable. You know, we have software statements and things like that that we can use to assess whether it's really the client app that we thought it was, for example. So I think that it does generalize across beyond humans, although as usual human versus non human, say authentication, it's going to look different and care less in the non human case about user experience. So good. Let's talk about your EIC talk

at one-on-one level you're talking about stakeholder management, which you know depending on what you're into that might not sound super interesting, but you're really talking about it in terms of this application in customer IM, which I think, OK, that all starts getting interesting because you're talking about these all these different stakeholders outside of the technology space. And even more than that, you're focusing on this space called or these spaces called martech and adtech.

So all this starts to make you get really interesting really fast. Let's start with what are martech and adtech because those might be new terms for people. Yeah. So martech is a very important tech stack that marketing folks run. And I would say the basis of it is kind of marketing automation, the ability to send out all those messages to, you know, that are personalized, that get people to buy, that get people to go on to the buyer's journey. We've all experienced this.

Often times we talk about it from the privacy perspective of being sort of stocked. But of course, a lot of us also welcome this personalization in these digital products, in these experiences. So martech is marketing technology basically. And so anybody who's ever, you know, in a Siam circumstance, you might have had to connect to marketo and there's a whole bunch of, you know, folks who do what they do. That's part of it.

Adtech is where you get into the, the data, data brokering marketplaces of the world, the things that make you be tracked with cookies or other similar technology and have you as a kind of heuristic fuzzy picture of a human, be presented to these systems so that they can call it retargeting. Where, you know, that's how their ads get served to you and

are personalized to you. And you're like, I swear I was just talking about this, you know, in, in the neighborhood of a, of an echo device yesterday and suddenly I'm getting ads for the thing I was talking about. You know, that's how that's happening basically. So they very much care about identity by the way, but not they don't see it at all in the way that we see it. And it's kind of more expansive.

There's even a standard in the space, kind of a standard in industry driven standard called unified ID 2 dot O that I see very little talk about in our industry, but it's literally based on top of open ID connect. And so in the Venn diagram of that world and this world, that's one thing that's like right in the center. But like, I don't think anybody's really aware, you know, certainly on our side about it. So this has tied a lot to like e-commerce level CIA. I'm right.

Who are the stakeholders that we're talking about? Who are the the the main participants? It's, I would say, you know, you're, it starts at the CMO and might be like a chief digital officer or something like that

as well. So, you know, we have data lakes when we think about the security aspects of identity, you know, we're interacting more and more with SoC teams like, you know, we can talk about identity security and all the new acronyms and things like that, where there's some interesting tussles between the identity world and the security world and where identity even lives in security.

But when it comes to this Siam world and the fact that marketing and customer data management people own the proposition and by the way they're making a lot of money for that whatever company, that's where we really have to care about the stakeholder question because I was looking up, you know, so ID Pro has a great vision state on the website and it talks about the disciplines of digital identity and access management are globally seen as vital and

vibrant counterparts to privacy and information security. That's great stuff. We don't have all the data or all the use cases in our purview to be able to really execute to that 100%. So that's why I think it's important to kind of start to empathize with the whole marketing side of the world and the customer data side of the world because they absolutely have pains and needs around

things and identity going well. You know, looking at your average description of Siam and all the things that it can do, but they just don't know where to go to do better. And certainly they don't know where to go to do better at some of the privacy aspects. They, they, they interact a lot with privacy professionals, with privacy leaders. But again, there's, you know, separate goals and sometimes

competing goals there. Is your research and your work focusing on consumers or customers of say a martech or ad tech platform? Or is your research more about how to run a mar tech grad tech platform from an identity perspective? I guess I'd say where I came into this picture, it started with the whole EIC 2024 thing where I went up there and said consent is dead and started to have a bunch of conversations about that.

And, you know, having been able to lean on a lot of great research that's been done, so for example, by Internet Safety Labs, of which I'm a board member, I have to say that and some other folks like Cracked Labs puts out a huge amount of great research. And it's so looking at all that stuff, I was sort of like, wow, did you guys know this identity resolution thing is scary. It's, you know, heuristically figuring out people and it can do it really well.

And it has nothing to do with somebody logging in and confirming that they're them. So it started there and then it proceeded to what advice can I give identity practitioners and identity leaders about this situation? And so in the, in the, the paper called Consent is Dead that I ultimately wrote, there's advice about that. And then I got the opportunity to go speak to a bunch of customer data people and Martech people.

And that was super interesting. I had to really rethink everything and approach things from the perspective of really doing the work of empathizing with them. And one of the things that I'll share in the EIC talks, so people may have seen this already, is there's a, a great value framework that's been put together by a kind of marketing wizard guy, Kyle Martinovich, the CDP value framework that's customer data platform. And that's something that didn't

exist. CDPS didn't exist, you know, back when, you know, we were all coming up with O auth and open ID connect, but but it's existed for, you know, last 10 plus years. And then everybody has one. Any, you know, organization of any size that's consumer facing has one. And so here I was talking to these folks who care very much about that value framework, but wouldn't have known where to slot in the identity value that they can get by working with identity people.

So that's some of what I'll be sharing. Yeah, I mean, I'm going to make up a fictitious scenario, but let's say I sold training, right and I was able to get data from Martech platform on where Eve lives. Say you're coming to my website. Now I know where you live, I know maybe something about your educational background and I know something about your browsing history, So what you've been looking at. So now I can build my portal to have a specialized set up offerings.

That seems to me that all those different things lead to kind of like a data governance question. Who owns those various pieces of data? And then that branches out to, well, who are the stakeholders? Who are, you know, making the decisions around which of those data elements can be shared, which we can use for what, what source of information we use to

overwrite those. I think you made mention to me that you know there's like 2000 attributes that are tracked about you that are kind of like these are just known like everybody who uses the Internet, these are these are had on you.

Yes, basically that's true. And, and that stat is just so crazy like to us hearing how how identifiable we are, even if we didn't, you know, consciously share that information or the right to, to have it be known. The average Siam profile, you know, the average record might have 20 attributes. And the profiles they have on you that you may not be participating in are really at that two orders of magnitude like 2000. And you can be identified, you

can be tracked. You know, these are when we start talking about surveillance and a whole bunch of unpleasant things. But the world is working this way now. And it's, by the way, working this way in Europe now despite GDPR and all the protections that we think that they have kind of, you know, at higher levels than maybe some other jurisdictions. So what do you do about this because I think it's AI think part of this is an awareness issue.

So I was talking with a friend of mine over the weekend and he was blown away when I showed him the ads preferences in Facebook and all the things that knew about him. And he was not even aware that all this stuff was taking place behind the scenes. And I feel like that is pretty average. That's pretty common, right? Unless you're in this space and you really care about it, chances are you're reading the, you know, the ula that flashes

on the screen. Yep. Except I just want to use the thing that I want to use. What do we do about this? Because there is so much data out there. And what happens if that data somehow gets poisoned? If it's incorrect data or wrong data, how do you correct it? How does it not impact, you know, an algorithm somewhere that either denies you or shows you things that you don't want to see or, you know, offensive or whatever it may be? Like what can we do about this?

I mean, GDPR is one of the, you know, pieces of legislation that gives people the right to go correct data that's incorrect. But it's pretty onerous to do, right? And I will say when I was asked that question after I finished up talking about consent is dead last year, I was stuck for an answer. What do you do?

What I chose to do for the South by Southwest audience was, you know, I I talked a little bit about zero trust and how they say assume breach right, which is a good assumption for both people and organizations. I suggested as well. They need to start assuming tracking. So assume breach. Yes, assume tracking absolutely, which is, you know, that's not a piece of advice that's sort of actionable other than making you think before you share things

you don't want to get out there. You know, the other joke that might be made and especially given where Identiverse is held these days, you know, what happens on the Internet stays on the Internet. So so like being aware is sort of the first thing in terms of doing something about it as an individual that can be really tough.

There are things you can take on board that require some friction in your life to do, and that's not something I generally want to ask people to do when it comes to identity professionals and what we can all do to support the efforts to give people more choice, give people more transparency when they are consumers of businesses and when you work for those businesses. I think we have to, you know, if we take ID Pro's vision seriously, we have to try it and do that.

And that requires understanding the value that is being created for the business of each of those pieces of data. So when you were talking about data governance, Jim, I totally agree. The way that a privacy professional would see that is it's kind of a risk assessment for each piece of data collected. What I think we've been forgetting is the value assessment. It's not done on a sort of datum by datum basis at all. I think it's possible.

I know of some technologies that enable that kind of thinking, but it surely requires all the different stakeholders to get together to agree on what's the model and who's responsible. Like if you could actually say we store this piece of information, it's worth X to us, but it costs us X plus something, Well now you can make an ironclad ROI case for not collecting it anymore, putting it on the edge, making it decentralized maybe. You know, I wonder if choice is

the keyword here. You mentioned it earlier. I was OK, well, you know, what do we do about this? And I don't know if there's actually a good answer for that, right? I mean, it's just all this data is out there. It's out of your control for the most part. Is the future of data management when it comes to things like privacy and all these meta attributes that people are collecting, is it choice?

Is it as simple as yes, I will allow you to use my data in exchange for this and because the service I find is valuable and you know like Google Maps is a great example. Nobody. You know, most people I say walk around or have in their glove box actual physical maps anymore. It is far. Rare. Right. I mean, I grew up the age of, you know, you had a physical map. I lived in Northwest, you know, or northeast Illinois in Chicago area. So I had one for Wisconsin too, right?

And so I would have this map collection. Now it's Google Maps or Apple Maps, or, you know, whatever your mapping solution of choice is. But those are free products in quotation marks. You're the product at that point, right? It's your data that you are trading in exchange for the use of their service. So I think the awareness of, you know, when, when you kind of say that to somebody who doesn't think in these terms is like, oh, it's free. No, it's not like you're the product, right?

Like it's, it's collecting data by you. It's it's helping feed the algorithm that says where there's a traffic jam on Google Maps by the number of phones, right, that are lined up at A, at a, like you're contributing to it, but you're also getting a benefit out of it. And I think you've got the choice at, at that low. You can either choose to use Google Maps or Apple Maps or not. But a lot of these choices get hidden behind menus and really they're a false choice.

Are you really going to walk around physical maps? Sure. And. There and there's some abuse in that, right? You know, there's kind of they talk about dark patterns or deceptive patterns of like, you know, making it easier to make one choice over another. And you can like sort of create a straight line to the business model from that. And that's something I've advocated for a long time and it's starting to be picked up in some places.

Is the privacy policy really should be an explanation of the business model and what out of the three ways that you could pay for the service, money, data, attention, eyeballs, are they actually leveraging? And you know, you'd think it'd be a simple thing of, well, you could do one or the other. But then we had this whole sort of pay or OK scandal around, well, are we leaving some people out because they can't afford to pay to have privacy? So these are, these are

unresolved questions. I think in the meantime, we can get sort of more incremental, incrementally improved systems that do respect choice. You know, I do believe privacy is context control choice and respect. Those are, you know, hard things for a for an organization to really sign up to all at once. But I think it's possible if we work with the counterparts that are in charge of making money off of data, plain and simple. Yeah, I have an example.

So I was going through some old mail and I get an updated privacy policy from my auto lender. And it had a like, here's how we use your data. And one of the things was we share it with third parties. Yes. And then it was whether or not you could control it. The answer was yes. And I was like, I'm going to save this. I'm going to go tell them not to share my data. And then I thought, like, am I actually going to spend the time to go and do that? It seems like it would be a drop

in the bucket. Yeah, right. And they probably aren't instrumented to do it well. And how do you prove that they did it? These are some of the questions. So we've been looking at it like there's, there's ways to solve some of these, but the first thing you got to do is assess the appetite of that organization to change if you're working from within it, right?

You know, if you're working on some identity program within it, you can start to ask how open are they to something a little bit more innovative and turning away from the direct monetization of the personal data. And there are cases where that's possible, but there's kind of a maturity ladder there. And I think you need to sort of be responsive to what's possible there, otherwise you're banging

your head against a wall. You know, and I feel like, OK, your mind goes to, well, we need more regulation. But then you get regulations like everybody has like their cookie policy now. It's like you can either accept it or beat it. And it's like, so you just say accept or you try and click close it without answering or something like that. So I don't know if more regulation is the answer. In fact, I'm pretty sure it's not because I think more regulation. Led to. Be getting that, yeah.

I mean, usually anything that that comes out of that is, you know, an idea that's not going to work very well And then after it's out there like you're, you know, you wind up like doing it and it's ineffective. But Jeff, read up a scenario earlier, which was, are you getting these spam? I'm not even sure if it's on this call. We, we talk so much, but it was, you know, I keep getting these spam SMS messages that I owe money for toll roads.

And like, I'm not worried if they're saying, hey, you were in San Francisco last week, so you might want to buy, you might want to go to Joe's Sourdough House. I'm OK with that. That doesn't bother me. What bothers me is like the low end spam, like nobody it it the scam spam I would call it. Totally. And like how? Do you smishing if I could block that? Click the link.

Yeah, I mean, if I could block that, I'm sure everybody's sitting there saying something similar, Like if I could block that, I'd be I'd be a little bit happier in life. The answer is very simple. Just don't use text messaging, right? I mean, that's. That's the kind of friction fill thing. Right. But it's not realistic, right? We, we, we've grown to depend on these services. I mean, we get MFA through text messaging. So, you know, I mean we, we. Shouldn't we?

Shouldn't. But it's still better than nothing, right? I. Mean, and this is a case where by the way, you know, when I was saying enterprises live in the past. So, you know, there are still organizations that are putting in place MFA with SMSOTPS right now that haven't even, you know, deployed it yet. And yet it's already been deprecated in the land of, you know, folks who follow NIST 800-63. So like, you know, some things get get they degrade in quality over time.

And yet if it takes a while to put in place the program, you know, two of my banks have been rolling out voice authentication and I want to say defakes. Like they just sort of missed the whole moment. We just did an entire AI episode, so it's it's gotten crazy. Yeah. And actually I heard that from some people that we sound better on the AI version, so I'll keep that in mind. All right, well, now I know. Yeah, exactly. I'll just script every single

episode from here on out. That is my goal, though. Like I have an ulterior goal is at some point I'm going to have, you know, AI voices of Jim, you and I, and maybe even a guest if I can get them to agree to it. That's going to be virtually indistinguishable and the only thing you'll know is that there's no Oz. You know those little things, you know, you breathing into the mic, you know, like all that

stuff. But I read a paper today that there is actually a new AI model that includes those things in it. Oh boy. And so of. Course there is. At some point, you're not going to know. And people will be directing their AI agents to go listen to the episodes and then where will we be? So, so, E, let's get back on track you.

One of the things you told me was that you've been encouraging your clients to look at identity services as a product. So yes, tell me a little bit about what that means. So you know, if you have services that are available internally for app owners and others marketers, whoever who depend on those services, you got to be thinking about all the different customers for your product.

And one of the trends that I've seen over the last few years is they're actually product managers in charge of identity and what it's delivering to the kind of internal ecosystem market. So this is where that four set then actually comes in. So for for those who are product managers, you'll be aware of the jobs to be done kind of methodology where you're really looking kind of under the covers of what people say they want out of a product.

You're looking at what they actually need, kind of the end state of what they need. And that's where I sort of came up with the four things that I think identity delivers to different parties, protection, personalization, payment and things people want. So the four PS So I think that it's possible to find all the different use cases. So security protection, privacy protection, fraud protection, all of the kind of cross sell and upsell.

And you know, this whole CDP value framework that I was talking about, all the things that the marketeers want out of things that connect with identity. You can start to sort out what's important and you can sort out who it's important to by looking at those four things and their intersections. So being that this is the go to podcast for the identity practitioner, I want to ask you #1 you know, from a practitioner perspective, what do we need to

know about this topic? The stakeholder management when it comes to CIM and, and you know, specific to thinking about this e-commerce situation where we have the martech and the ad tech element to it, what do we need to know? And then do we own it? Is that IMS to solve or what is our role? Sometimes the identity team owns some of this and sometimes it clearly doesn't. It's interfacing with others who have the primary responsibility.

And this is where, you know, I'm going to say racy chart because it's just sort of the easy, you know, go to framework for this one of the. I was fucking a ven chart. I mean, there is a been, but like you have to, this is how you start sorting out like who kind of really owns what and who cares about what and to what level they care about it. And I would say you need to start looking at each of the use cases. So like I've seen a bunch of RFPs where all the use cases are broken down.

And the interesting thing to me is they don't necessarily break

down on along product lines or on stakeholder lines. Like, you know, the one example I always sort of reach for comes more from identity versus security as opposed to this marketing conversation. Like, you know, your CIO is going to care and their folks are going to care a lot about fast, efficient, accurate provisioning. It's the people who are risk facing who care about fast, accurate deprovisioning. Are you looking at a different product? No, so that's kind of the

challenge. And so like I was, I was just talking to some folks, a bunch of seesos who were talking about the, you know, is the identity team part of your security team? And what they were seeing was about 50% are, and I don't know if that tracks with your experience, but it just shows the challenge of trying to sort through, well, do you own it? Well, up through the chain I do or directly I do.

Or, you know, how does the SoC team interact with the identity team when we've got this whole new identity security landscape? Those are some of the questions you can start to sort. I think my my experience with those contracts with Jeff was saying earlier were like the clients that I've worked with. So usually when I get called in to kind of like herd the cats, it's because the IM person is the leader.

The IM person is trying to get all these stakeholders together to do some sort of digital transformation or something like that. One of the the biggest topics that I find that needs to be done is that you have all the people who are more than happy to represent their lane. Informational security will represent the lane of security and and the risk side of the house and IT fast, efficient, secure. We're using the right platform, we've got the right infrastructure, marketing.

I just want to sell more stuff and somebody's got to get all that to OK, there's only going to be 1 website, not three different websites, for example, a website. But then also, I think one thing that you've got to do if you're like trying to hurt all these people is get them to be empathetic to the needs of the other groups because they're, it's like everybody's swimming in one pool. There's no, you know, you guys stay over here, you guys stay over there. It's all just one body of water.

Yep. And This is why even with all the AI tools to help things, you know, it comes down to human relationships, even working within an organization. And I, I don't see a way to really change that. We're going to have to talk to each other and we're going to have to figure it out and we're going to have to clarify some things that are still kind of squishy. Yeah. So, you know, I think a lot of what we're talking about, it sounds a lot like identity security. And what are your thoughts

there? I mean, like identity security definitely seems to be kind of this new concept, which I think we're all trying to wrap our heads around. Is it actually indifferent or we just talked about the same stuff differently? You know, I'm glad that this is the stakeholder conversation is happening more in earnest now.

It's, you know, couldn't come at a better time because we do need to contribute with identity to the security conversation more than ever because there's problems more than ever, right? And so that's the challenge that identity have has in that it's not, you know, if it really is an internal product to a whole bunch of stakeholders, it's doing something important and it's one of those things that's supposed to be securing things better. But what happens when it's a

source of insecurity? That's like, embarrassing. Let's. Just call it a bit. So that kind of dual nature of identity has been the challenge. And I think what's coming to the fore is we, we do have new technologies, we have AI, people are using graph, we're, we're getting better visibility across kind of the identity of state. And that's enabling us to have better solutions to closing gaps, tying up loose ends, doing a good job of whatever it was

we're doing in the 1st place. So so I kind of like that we've got these new augmentations of capabilities that are just just giving us better sight over everything the the arguments about like what is ITDRA thing like that's all over now. We we seem to have some agreement, rough agreement in the industry around, you know, what does ITDR mean? What does ISPN mean? But I like identity security as a bucket, as a kind of a sub bucket.

Yeah, I like identity security as a bucket because it's pushing the identity practitioner to think about more than just what's in their lane. But I, where I, I stop is that I don't think this puts these things in our lane just because we have to be aware of them, just because we have to contribute to, to them, say something like logging, alerting, or, you know, defending their perimeter.

All these things because they used an identity element now doesn't make them something that the identity practitioner owns. Just like, you know, in the olden days when we ran all of our stuff on servers, just because we put our identity software on a server didn't mean that we own the server, right? The infrastructure team owns the server.

Just because we contribute to policies and standards doesn't mean we own, you know, that the the governance processes around, you know, turning those into controls and you know, testing those controls, that's owned by the audit team. We always had to work with other people. We need to know how their lanes operated to some extent. They need to contribute to some extent, but it doesn't mean we

own those things. I think identity security almost like it's like, put it this way, there's all these companies that identity conferences now saying we're, you know, identity security. So the people who go to identity conferences are mostly identity practitioners, right? This was the conversation I was just having is like, well, where, where are these tools being used? And so far I'm seeing kind of an even split between explicit identity teams and like sock teams, right?

Cause and in a way that's elevating identity to a new level of visibility for the CISO. And, you know, the, the, the Cheeto conversation seems to have subsided a little bit. But, you know, I do see Ciso's having a lot more knowledge, direct knowledge about identity needs and problems and solutions. So I mean, it can't, can't be a bad thing, right? We were a small town. We're growing into a bigger city. You know, those, those are, I

think, good things. But we do have to have that conversation maybe in each organization about, you know, well, what's the, what's the structure of who owns what? Let me just talk about it. Well, I wonder if the it's time for a macro discussion around the space of identity, because I hear identity risk and I hear a qualifier. Oh well, we care risk. I hear identity, security, another qualifier. I only care about security, identity, privacy and consent. More qualifiers.

Is it just identity? And then I start to think as well as a digital identity. No, Digital is another qualifier. Right, the website is identity right? And, and now we start to get into, you know, physical identity, right? Or you know, you know, you're you're a human being identity, right? Stuff like that. And I just every time I hear something identity, it's some sort of qualifier identity at the center. Guess what? Qualifier.

You're part of the problem. But honestly, I mean, This is why, you know, if you're going to have a shared service and if the service is going to be shared widely enough, it's going to touch every part of the organization and be subject to all of those kind of sharing forces more than anything else. And that's something we haven't really looked in the eye as a challenge until recently. And I'm, I'm glad of that

conversation, right? It's like, let's figure out what it's valuable for all the things it's valuable for. For every company, it's going to be a little different actually, And that's OK. But you know, there's value in a service that's so widely used to do so many things. Just means that the picture looks a little diffuse when you when you hand out ownership for any one piece of it. Well, maybe it's time to have an identity team, not an Infrasac

team or an infrastructure team. And that identity team probably has a broad set of skill sets that takes it across any number of areas. I don't know, right? I mean, there's any number of ways that we can slice this one out, but I every time I hear something new in identity, it's like, OK, it's a new concept, right? We one of the episodes we've done in a lot of fast is what's

the difference between digital identity and identity and access management and. I remember that one. We had 48 different answers from 48 different people, right? Yeah, but mine was right. Oh, well, of course, yes, because the context in which you were answering it was right. And that was the big thing was like, OK, it depends on who you're talking to and blah, blah, blah. And so, OK, so now it's identity security.

I'm going to guess in six months to a year, somebody's going to start calling it identity risk or some other juicy acronym that we can kind of rally behind. That's great. I like to just get to the space of, OK, we're in identity. We do identity things. And so that encompasses all of this stuff, usability, risk, privacy, consent, governance, laws, regulations, right? All that stuff is really under the identity umbrella. That's a big umbrella. It is. That's what it looks like.

That Venn diagram looks like an umbrella. There you go. See, that's how we tie it all together. So so I asked you, we we asked you all the hard questions about identity, or maybe they're easy,

depending on how we want to go on this. We want to end the show on a lighter note. And the question I've got for you is a would you rather question? So would you rather have a one minute conversation with yourself from the past? Or one minute conversation from yourself in the future. Every time I look back on my past, I think, gosh, I, I don't know, 10 years ago, six years ago, 50 years ago, whatever. I was clueless. I didn't know anything. Well, at least you're saying that then.

I'm still saying that now. I was like, I don't know what's going. On I'm still yeah, I mean, anytime In the past, I was definitely more clueless than I am now. So my vote is I want to have a one minute conversation with myself in the future. And what would you tell yourself would it be? Here's a stock tip. By Apple.

I was just rereading an old Ray Bradbury short story called Night Call Collect where it's an old guy, last one guy stuck on Mars who keeps getting called by his younger self on the phone. That sounds cool. It is cool and sort of frightening. It keeps making me think like AI agents and delegation on behalf of stuff. You know, these are the things, the questions it's bringing up in my mind. But like, would I rather have been the young guy or the old guy?

And I think thinking about the story, so maybe some of the watchers listeners will know the story. I mean, I'd rather be the young guy because everything looks great for the future and all the possibilities are still there. So I when I'm asking myself a question, am I the young younger me or the older me asking the question? She doesn't make me think too hard. Well, that's why I said maybe it's the harder question out of all this stuff. Let's go back to the identity

stuff, that stuff we know. Jim, what about you? Would you talk to yourself from the past or talk to yourself in the future? And I'm going to exclude talk to yourself in the current because I know you already do that. Yeah, I definitely do that. I'm going to go with my future self because I'd rather get advice. I mean, sometimes I wish I was younger again. I could do certain things over again, but I don't know if I don't, what would I have more money or things like that?

Yeah, I certainly I could have set that up. But, you know, one minute you could do it. Exactly what you said. Invest in Apple. OK, so now you have more money. Is that what would make your life better? You don't. Everything that happened between your younger self and now, you're here now. So you didn't die in a car accident or something like that. You couldn't avoid that by by going and visiting your old, your younger self.

Now, if you're sitting there and like something had happened to you and you're like, OK, I got to say, don't get it on that plane to, you know, wherever because that would be like really bad. That's what ruined your life. I don't have one of those like moments. I guess you got a series of beds decisions that I've made over. Time like starting a podcast and trying to do one that episode

every week. I think talking to myself from the future would yield me like, OK, you know, there's let's say I talked to 80 year old self and I'm 50 now I've got some advice for like what should I do for the next 30 years? Maybe I would fuse yourself and say buy Apple. I don't know, right? But it might be like, hey, retire younger or do these things or don't quit working at at don't retire at 55. I don't know. But I'd like to have that advice now. So I. Think this is an interesting

question. I think it's, it's are you, are you satisfied with your past really kind of determines and your I guess, and your current state would really determine whether or not you want to talk to your future self or your past self. Like do you go back in time essentially and try to correct a mistake or position yourself better from wherever you currently are? Or are you in a good spot right now and you want to make sure you stay in that good spot or get to a better spot, you know,

in the future? Maybe that's where you talk to your future self. I just thought of a sci-fi twist to this. So let's take that same question and let's say you can choose, right? You can go as far back or as far forward as you want and everybody can do it, but you can only go as far forward as you are alive. And so some people like, oh, I'll go 30 years in the future and they don't get a phone call or 10 minutes in the future. They don't get a phone call,

right? That knowledge of something is going to happen in my future between zero and X number of days of when I decide I want to receive that phone call. How does that affect the rest of your life? There's like the questions we face. Do we do we do genetic testing to find out? That's like Twilight Zone stuff right there. This is like an episode. Of White Mirror, Black Mirror. Yeah, I still haven't watched a new season yet, so I'm, I'm, I'm

behind on that one. But yeah, for, for those Black Mirror fans, this this is turning into a Black Mirror episode or a Twilight Zone. Oh dear. OK, I, I feel like I absorbed some of Jim in that one because I, I took it maybe down a little bit downer from it so. Yeah, dark man. I've got just the upper you need. Do you want to meet the real star of impactors? Let's get.

Sabrina on here while you're going to get we we, she was very disappointed about a lot of the privacy and consent talk that we were talking through. And you could tell that she really wanted to join the conversation as you were kind of getting there. But oh, there she is, Sabrina. Your fans await. Starofgunfactory.com, star of now of the Identity Center YouTube channel. Is she a Chihuahua 6? And 1/2. 6 1/2 and what kind of. Doug Pomeranian, Chihuahua miniature poodle.

She's a Pomchi poo. And she's a sweet girl. She looks a lot like one of my my puppies. It was an Australia dog and or Carolina dog, I should say, looks like an Australian shepherd, Shibu, sort of like that. And it has the same kind of colorings and stuff like that. So I, when I was researching, you know, for this episode and I went to your website, I saw that video. I called my wife downstairs. I was like, look, this is the best part of this website,

right? Here I had to do it with her because otherwise she was like interfering with the shots. So you know, that way she helped me. Well, dogs are always welcome on this show, right? Awesome. You're always think of when I see a Chihuahua Sierra Taco Bell. OK, I don't know how we can top that. So let's end with Sabrina and Eve. Thank you so much for taking the time with us. We're going to have a bunch of links in our show notes.

Connect with Eve on LinkedIn, visit her website, thenfactory.com, Venn, factory.com. Say hello to Sabrina as you click that video on the front. And yeah, our discount codes are always on our homepage, IDC, podcast.com, Like and subscribe, share with friends, share with enemies, doesn't matter. As long as people are listening, like and subscribing, don't really care. And yeah, that's it. We'll go ahead and leave it for

this week. Thank you, Eve. Thank you, Sabrina. And we'll talk with you all in the next one. Take care. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.