#361 - Identiverse 2025 - Sean O'Dell on Harnessing CAEP Abilities with Event-Driven Identity

This is identity at the center. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? How bad yourself? Doing great. Here are 2025. Feels like there's so many people to thank. There is there's a lot of people definitely give a shout out to Shirley. She's behind the scenes MVP. So Shirley, if you're listening,

this is it's all possible because a lot of the work that she put in to help us get this going. Yeah. And RSM sums here, yeah. RSM. So we got some banners for that. We have a nice little banner for like identity at the center that's behind our guests. And yeah, it's been a very cool. I think we're slowly but surely starting to figure this out a little bit. Have you gotten any negative

comments that we have AQR code? No, I don't think anybody actually scans it. I have no idea if they do or not. So it just seems like an interesting idea to put up there and maybe maybe help somebody, I don't know. Yeah, it's been really cool. A lot of our listeners have been here this week and just stopped by the booth, said hi, told us to listen to the podcast and that they find just to be a big service. And it's just like, wow. Which is the best part of doing

this. So they tell some people to listen. So it definitely means a lot any time someone comes up and just takes the time to say, hey, you know, thanks for listening. And I'm always curious to like where they find us because we don't advertise. So it's like, hey, well, someone told me about it or whatever maybe. So super cool. I think the other thing that makes the conference seem so great was all the people who volunteer to speak and be on panels and kind of like pay it forward.

And one of our past guests, our guest today is one of those

people who paid it forward. And why don't you introduce, I don't want to steal your, your role on the podcast. Now you're doing so well. Yeah, Let's get to our guest. His name is Sean Odell and he is here of his own free will.

His opinions are his own, right? All that legal stuff. Like we're just talking to Sean at the moment, right, Sean? Yes, Sir, you got it. OK, so Sean, tell us a little bit about like you were with us before, a couple times actually, but for a brief kind of intro like what is it your your day

and job is? Do a lot of stuff with identity security both in consumer and and workforce at at the Walt Disney Company specifically focusing on continuous identity management at at at Disney and a plethora of other responsibilities is all the way over on the consumer side. And every other domain you can think of is workforce. So SSOIGA, Pam, make stuff happen. Figure out figure out tough problems and the plethora of integrations a company that size gives you on a daily basis.

It is so much fun. So much fun. Excellent use of the word plethora.

For example, we actually had a panel today. So I moderate the panel that you were part of as a, you know, the main kind of driving force behind us. Let's be honest, why don't we start there? Let's recap the panel and it was called bringing it all together, harnessing the capabilities with event driven IAM. Pun intended. Pun intended. Yeah, for sure. So tell us what was the panel about? Sort of give us kind of a synopsis of it for people who weren't able to be there.

So we we started off First off, the panel was absolutely great. I think the the way you handle it was absolutely fantastic. The layout was great. So you are when you go in the right way, because flatter will get you everywhere with me. So I. Appreciate that more stickers, more stickers my pocket. We set it up pretty nicely. The first part was giving background and contacts like what, what is Cape, what this use case is, what's a real, what's a real, what's a real example?

Which then flowed nicely into asking all the panels to Ansel Toshi Begwali. We got Mike Kaiser, Beta, Andrew

Cameron from GM and myself and we all played off each other very well. And we had very disparate examples that all resonated. And we, we kind of covered like what we wanted to cover like in the 1st 15 minutes. And then the audience just took off the questions. It was like we threw away all the agenda. It's like, well, we had an idea and they're like, well, they hit all the topics and we wanted to hit on the agenda just by asking

questions. So that tells me a lot that people are starting to really embrace the event driven approaches here. And the, the the conference here is coming really full circle with embracing like 5 key disciplines like the consumer identity, sorry to say it, AI. We almost made it the entire time. Too about 6. Seconds left. 6 seconds left. Was that 50 minute panel? Yep. And Andrew Cameron. Andrew Cameron.

Yeah, Andrew Cameron. Ian said, I don't want to say it, but I said we did AI. So they had kids, kids identity meant non human. They had AI think it was citizen identity. And there was one more and but it, it said it was a nice non Venn diagram, Venn diagram from

Andy. But it just highlighted the importance that the, the main 2 buzzwords here are NHI and AI. They really are. But the foundational pieces to making that safe, secure reality and realizable is you need event driven. You need to have a continuous identity paradigm to get to the realization and the controls of what AI can give you and the security you can have with all of your what I like to call as workload. I am not NHI because I just the way I am is they're all

workloads. I follow Martin Copinger and what Eric Wallstrom's doing over in Gardner. Like I like workload. I am as a as a generic term because almost everything's a workload, a machine, your device, your laptop. So we're viewing off topics and continuous, but I want to want to pull it back to where the foundation for a lot of things is data and that's continuous. That's event driven. So I think I think the panel was

fantastic. Some of the questions that I, I, I heard from the audience was, and I was really shocked, Jeff, it was more, how do I implement this? What do I do? If they were very, it was very, it was, it was technical. It wasn't like, oh, give me the boxes and arrows. It was more like, like a great question was about rate limiting and thresholds and throughput. And I was like, wow, like then they all looked to me and I'm like, well, I guess I'm answering this question and then

you. Were you were the only one who sort of raised your microphone they. All were like, I'm like, OK, got it. But the answer and I gave her the answer and she just was like, yeah, but, and she kept pressing on it and I'm like, so you really want to. Then Otle took, took a stab and

then Andrew took a stab. But then it what it came back down to was the data that you're going to be using in these security event tokens with continuous identity gives you the ability to to be less chatty with tokens for an example. And I thought it was very, it was a very good distinction that by, by by harnessing and utilizing this paradigm continuous identity, you have less tokens flying around the wild because you're, you're being more precise.

Like I can give you all a token for 24 hours and not worry about it. Because if I have all these detective controls happening in the background and integrations that if you look suspect or malicious, I can just say, oh, Jim's cool, Jeff, you look suspect. I'm just, I'm just going to revoke your session. But that's one token versus having to always do token refresh, token refresh, token refresh. So I thought that was a really good example.

And she understood this spot on, which is I'm, I was, I was so happy, so happy because the maturation levels raising more and more like when we first talked about Cape. Yeah. I want to ask you if there was a difference in mindset or what did you notice from the one we did last year, which I think was more presenting this idea and sort of getting people up to speed versus this year where a year has goals. Now it's like, OK, how how much

more real is SSF and can we? Can we go back one more year to 23? So when I first presented it, I had to give them the breakdown like here's what a JWT looks like, here's the data in it, here's why you use it. In 2024, we did that awesome panel and it got better. But then even this year, but it was more yeah, the background, we understand it, the use case. Cool. But now they're like, how do it tell me how to use this? Like I, it's almost like you, you want this more.

How do I get it? They were looking for, for prescriptive guidance on it. And it, it made me very, it made me very happy because we put a, we put a lot of hard work into this in the, in the standards bodies and even with working externally with, with companies like like Octa and Apple, that it's becoming a reality. And even at the last Gardner interop, I mean, 30 plus people came, came to interop and test it out. That's huge.

I think, I think MM Kaiser was saying on on stage that he's never seen adoption that quipped that fast. And I was just, I was floor. So I mean, I know Otto's excited about it. I am Shane, our other working group Co chair is excited about it. Everyone is. We bring it up a lot with like vendors and asking them what is their plan to support SSF.

And and I always ask. And I think that's, that's probably one of the more important things you can do is like customers of of these products that say, what are you, what are your plans to support shared signals framework? Because are you going to? Correct, because it is my requirement as your customer exactly. I want to communicate that way more.

Customers who do that, the faster it gets out to road map adoption, which then drives interoperability and then hey, guess what, we're sharing signals. Sharing is scaring right? Exactly 1 of the other fun takeaways from it. Was it it naturally? I mean, if I'm off base here, but it naturally progressed from capabilities into Cape into like data. It's a natural progression. Like to do this you need data foundations and it just it was interesting and someone asked a

question. I forgot who it was, but it was more of who owns this. And I know you were like, I'm

sorry, what? That was Blot. Yeah, yeah, that's right. It was. Yeah, I know you. You hopped on. You're like I got, I want, I want it on this one and it and. It's such a loaded term though, I know. What do you mean by ownership? So we all said it depends. And Otto said it depends. And I'm like, yes. And what it came down to is I think I think you called that out like it's it's politics, one reason.

And then Otto said everyone. And then I think Andrew, Andrew Cameron was like whispered stakeholder. And then he's like, yeah, it makes sense. But I think that was like, that was the question that sparked like 15 hands. So it was, it was awesome to say. It really was. I was flattered. I was flattered to actually be there. It was a really good question.

And I think this is something that gets overlooked a lot is, you know, you go off and buy tools and you build programs and all kinds of stuff and it's like, OK, well, what are the rules and responsibilities within your IEM program? And a lot of the stuff is not technical, it is agreement and whatever political structure your organization runs in to say, OK, here's how we're going to collectively operate tending things forward. Was there anything that surprised? You for the.

Conversation today like was there something that's like oh, I didn't think about that or was it kind of was it kind of what you were expecting the questions because I felt like it made my job way easier so thank you to everyone. Audience to ask a question was we spent 30 minutes I think straight on questions for the audience after a quick like, hey, we're gonna level set real quick for like 10-15 minutes and then it was just Bang, Bang, bang questions.

No, I think it, I think earlier I covered it. The only thing that surprised you was that they were they were above a baseline. I was talking about that and they were really above water, which is good. Nothing, no question. Really, really shocked us at all. Pretty much. There was an interesting 1 towards the end about relevancy, context and efficacy of signals. That was a I'm sorry, yeah, Signals. It was a very, that's also a

very loaded question. And the, the TLDR bit was can you trust external signals in your, in your platform to emit more? And the answer is no. If there, there are points of data and it's all relative to where if that's your only source, that's all you have the answer to your own question. But if, if it's one out of many, do you have five sources? And that one is like, is it a 20% weight? Is it a 5% weight? And it, it's subjective. I can't give you the answer.

You can't give him the answer. Only his data could give him the answer. So I think that was, that didn't shock me, but it was very much like, oh, they're thinking that way now, which is good. Yeah, that ownership question I thought was very bad and I think you heard it super well because I think it's a loaded term most what you called. It I don't think it was a gotcha question. I think it was a general. It was. It was a genuine. It was a genuine.

We have to address this side of the software it. Was like a help me understand this exactly. Yeah. You got into a discussion about policies and Mike talked about federation. So I, I was trying to picture exactly what he meant. Was it that each end system will, you know, take the event signals and apply policies to them and they will have a framework for policy decision making, policy enforcement? Or will there be some kind of middle tier layer that does that

for the applications? I think you can have both, but I think what Mike was talking about was if if I integrate with your system, for example, I send you a prescriptive action that says we have an agreement that you're going to action on this. The policy in your system says when I receive a session revoked token, I take this action. That's a policy because you're saying intake maps to this thing.

You're actually building what Otso and I joke about, which is that capability matrix, that's policy. So if if say, for example, let's say Jeff sends you a signal and you're like, that's just information because I may not trust Jeff stuff, but our agreement is I am your IDP. I'm telling you revoke this session, your policy and your app, which is a very loaded turn to say it's more like a rule. Whenever I get a token from Sean, my job is to revoke this session. That's where you're talking

about Federated policy. Because then from a transmitter perspective, when I send you something, I have my own policy that says if I get these signals coming in from disparate sources and and their risk scores over a tolerance. My policy says if signal of this type session revoke is malicious and the scores over 90, I have to embed a token to these systems and you're one of them. That's my policy. That's your policy. That's what I think Mike was talking about with Federation's are there.

So where do you where do you see the decision being made on which signals which events to send to which applications? So for example, we've talked about, you know, Mike Lazar presenting South Point, we're talking about South Point A we've integrated into this framework. I mean do you send him every signal or send self on every signal that you have in the database?

It's a great question and I think the way you the way you would have it as a as a transmitter, so it actually goes back to the question Blatt asked is who owns this? So take him into a context like if you have one company that has a, an Uber transmitter that is going to be for all the workforce, right? Their policy would be that anything to do with provisioning, life cycle management or even access management.

You could send that to an IGA platform where the platform could start doing embedded already example workflows where they act as an appliance. So we actually covered that too in the panel, which is like, thank you. Great, great, great setup right where this fabric of signals that you ingest from all these things you have these things popping off them as appliances like IGA platforms being one of them Pam platforms being one of them ID PS being one of them.

The way you target events and event types is intrinsic to the domain. So a lot of words great. So breaking it down very easy if it's a provisioning events or a life cycle events or even a data change events IGA. So if my if my attributes change about me, maybe I send a skim event to my IDP and my IGA platform. However, if my IGA platform informs my IDP of the change, I send it to one spot and it federates out to the other ones federation. So it's very it's very dependent

upon the given integration. So it's a long answer to say it depends. But like Cape Ones applications on 100% IGA ones, you could even like, let's be honest here, if it's a hard enough event where you're prescriptive and you say a session revolt because it's really bad. Like if, if Jeff has access to like the world, not only do you want to revoke his sessions, I want to remove all his access. And you can do that in many ways.

But let's say you have an IGA platform and you're all in on it. I send the same token to your IDP to your IGA platform. Your IDP says I'll kill your real time sessions and your IGA platform does admin things that it says, oh all your roles you have all your gone that way. You are essentially marked as an adversary, not in a bad way, but someone's acting as you so they're impersonating you. So you were considered an adversary at that point. Great question. Great question.

Thank you. It seems like most of the conversation I'm hearing is like the signals would come from within your enterprise. But is there a thought that signals would come from maybe partners you federate with signals come from big tank, Yes, OK. So it's actually. I think this could actually be a product that's out there, right where somebody's going to say I'm going to create the biggest, baddest database of signals.

And just like you have a, you know, have I have I that owns breach password list or any of these other data services, this could end up being another. Product am I on notice? Exactly, right. Exactly. Yeah. Something like that could could take place. Absolutely. Yeah, it's, it's a great question. And the best way to phrase it is you're creating, you're ingesting a lot of data points, right?

So you have your internal because it's your data, but you can integrate with external systems that do endpoint detection to be vendor agnostic. Those could be perfect, they could be bad. But like the other guy was saying, and they'll also one of the last questions in the panel, it was do you trust them? How? How? How? Efficient are they are they, are they legitimate? So you should definitely get external sources of trust. So like EDR platforms 100% should you go after social

providers in the workforce? Probably not. But it is very much a mixture of internal and external because not not only that, like, I mean, this is just public knowledge. Like Octa has this in their platform right now. They they support Kate, they support it both ways. You can send to them, they send back to you. Like that's, that's what everyone should aspire to be is you're both a transmitter and a receiver. Because say it again, sharing is caring, right?

How do you get around privacy concerns, that kind of thing? That's that as it does a tough question. And I and I think the way you have to do that is if you share with your SAS providers, it's essentially your data. So it's a little bit easier in the workforce. Same thing goes for ER platforms. But if I ever wanted to share with like an external company, yeah, there's, there's standards out there for that.

Like in like in an open ID, there's, there's a thing called, is it AP pit, pairwise student anonymous identifier. That's where it's just a mapping table that says this is, this is, this is Jim. Let's say your ID is 1 and 2, but to them, you're gonna be 456789. That way you only ever share that identifier. That way if they see something anomalous about you, they send over your 789789, which I know is 2. That's the way you can do privacy sharing.

That's one example. There are plenty of use cases for those of you listening or watching that you'll be like,

yeah, but what about, of course, they're all there. But in the lot of time that we have, that's an easy example to say that's how you could interoperate and be privacy aware because I'm really like like Mike is, I'm really big on privacy, really big. It's outside of our panel. What are those have you seen here that had a verse that has been, you know, sort of in support of shared signals

framework shave. Are you seeing the love outside of our little bubble of our panel or are there other things that are taking place? We're saying, OK, we help. We still have some work to do to either educate or inform or. But, you know, drive that adoption and get more vendors on board. So the vendor adoption is always there, like you should always tell your vendors, this is what I want, this is what I want. And the only way they're going to do it is by listening to you, right?

You the users, not you, Jess. Vendors get on board. It was the the keynotes were pretty interesting. Andy had a good one. Laughter Andy was really good

too. And they, they're calling out that continuous identity is needed. And what even is more surprising now is the you need an event driven architecture that that was like when I sat back in my chair, filled my hands off my head and I had a possible legs and I was like, OK, this is good. This is good. When you when you see more than one person say it who isn't in your direct circle of everyday talk, it's both reassuring, ratifying and relieving.

It's very much relieving because when more people say it like it's when one person has an idea, it's an idea. Once you have it, it's a collective when 345, it expands out, then it gets, it gets exponential. That's called adoption, right? And I, I think it, it was very, very evident that I still think continuous identity is foundational to a lot of things like workload and AI and stuff.

But if you look at the pace AI is going and the pace that we're, we're, we're allowing automation to, to do our jobs, the amount of data that needs to be correct is insane. And I, I said this in my, in my talk, in my workshop, and I'm

going to say it again tomorrow in my, in my session where AI is not ready for our data because our data is not ready for AI. It's just not. What do you mean? A lot of data that companies have are either stale, outdated, or they're 12 hours old or a day old. AI doesn't wait for an hour or 12 days to make a decision. It's like, oh, look, I can go solve this problem over here with this data set. That's it's as accurate, right? Go Then you're then some viewers are this is going to be like,

well, there's hallucinations. I know that. But if you're taking action on hallucinations, caveat emptor, right? Yep. So you've mentioned about workload identities. I remember when we bring he brought it up, I said non human identities which raises your ire. There you go. That's another good word we got higher. Higher plethora brought to you by the dictionary. Brought to you by the

Encyclopedia Britannica. There you go. No one. Is it about that non human identity terminology that you don't like? It's too broad, that's all. The classification is too broad. You can get you can get into into devices, you can get into workload, you know, to machines. I, I like a classification that's that's much, much simplistic. So Eric Wahlstrom and and Martin from company during coal, they've coined the term workload. I am and I haven't seen much pushback on it.

And I, I had the same thought, not talking to either of them a year and a half ago. And it just like were I do my work, we call it that. And it's just NHI is just more like it's a, it's a buzzword, but it's like, oh, NHIS, what does that mean? Is it your phone? Is it your device? Is your laptop? Is it a Lambda? Is it a workload? Yes, the answer is yes. Exactly. So that's why I think everything could be a workload. You use your laptop to do something, which is a workload,

right. A machine does something which is a workload, right. It's just the generalization works. But NHI is like, I just, I personally don't I like workload versus that cause Eric's a pretty smart guy, Martin's a pretty smart guy and they, they tend to get it right. And if two birds say something and I'm like, it makes sense, the same way tends to work out that way that you have a triangle of like a triangle of trust because we're not in that movie, but like circle of trust,

right? Could. Join. Triangles of success exactly could join triangles of success. I just. It makes worse sense honestly. It just does so I disagree. Not in theory, in just the semantics of this. And I feel like non human identity is fine. It's not any, it's, it's not new. I think that's the most important thing. It's like, it's not like not human identity started last week. Like it's years old we had. Punch cards, you know, all these things have been operating

machines, identities. What I think of it is more is, yeah, I think it's a little bit marking term and I think that's probably OK because we need to help people understand because they don't understand the word workload, a normal person, right? And we are not normal. People. So I'm asked you a question, then you don't. You don't. You don't agree. Love opinions. What's a giraffe? What's a what? A giraffe. A giraffe. It's an animal. Is that a non human identity?

Yes, we've already made a decision that a human is a human, and if you're not a human, it's something else. Now again, semantics. Could we say there's another subclassification of exactly, you know, carbon based life form? And I was. Waiting for you to go there, right? Versus non carbon based life form. It's NCBH. It's kind of a. Potential term right now, and it's a hot 1 to the moment. Yeah. I mean, think about ITDR. It's like all of you predicted to talk about last year.

It's definitely toned down this year. Why is that? I'm not sure. Maybe it's just that you have a tendency to say this is the hot thing and get on it. By the way, I don't think giraffe is an identity if what you're talking about is they put a chip in under a skin and it's a. That's a machine editing a device identity of some sort of. Tracing chip, then every piece of inventory is an identity and

then it's like. Well, see we're getting into semantics again of can a non human have an identity versus not. And we've had this discussion before about between the difference between an identity versus an account and I don't know if we. This is great to watch. This is great to watch. I love it. Yeah. Yeah. But I feel like in my defense it's it's NHI, not human identities literally into things so. Here's the one that I think is about to like really become a hot topic is continuous

authentication. Because we're starting to talk to organizations that are coming up with different form factors, seeing keep you authenticating rather than just logging in, you have to be wearing some kind of proximity device. You're emanating. That authentication, you know

what that is? That's continuous identity. That's Cape, Absolutely. Yeah. So before Cake was Cape, it was continuous off indication, sorry, since authentication. But then Cave came around to where continuous authentication is too chatty. It's always check, always check, always check. Whereas even if you were a device for proximity, as long as your device is on and emitting A emitting a signal, pun intended, that's a way to check relevancy, right?

But continuous authentication, which I think you're right, Cape and continuous identity is going to be pivotal and foundational. So what we want to do in to your NHI, to my workload, I am to AI, but it is a hot topic and I, I, I think a lot of companies are so struggling to get it right because they're, they're looking at things like I got to get more factors. I got to get this, I got to get stronger factors. You do crawl, walk, run, but in in the the walk and run phase,

you, you got to get your data. Your data is what matters. Because if you don't understand your, your data population, what they're doing, how they're using it, you're going to build that policy and make probably make more investments in things that may not accomplish what your business got, what your business task is. I used the word may not, is or are or will so. What? Also creates a a brand new threat factor to protect against. OK, We've put a lot of our data

into this thing. What are we doing to protect it? Correct. It's going to be really attractive for people to want to get. We're going to protect it with AI. That was a joke. I solved it 100. Percent more AI. So I've been, you know, thinking about this shared signal framework. It feels like it fits within this concept of identity fabric. It feels to me like you need to have your arms around the identity of a, say, human, but also the device.

So when you talk about kind of like what is necessary from a device identity or device management perspective, what is it that? Where is kind of the baseline to be to be successful with the shared signals framework? Do you have to be somewhere in that journey or is it wherever you are it can help you? Start small, pick the smallest use case, the small, the smallest implementation with the smallest blast radius and just try it out.

So I we actually in the workshop, we left our participants with your homework is to go try this, whiteboard it out and start at the smallest scale. Just try it one time, get it all together and do 1 revocation. When you see it work one time, it is so intoxicating. You're just like, wow, I want more of that 'cause I know, I know when I see other, I see, I see others do it and it's you just see like the the giddiness. They're like, oh, that can that

can happen. It's good, but you have to start small. You have to you really do. And from a from a device perspective, you don't need to have like, oh, the INEMI number, the device Idi mean heck, your laptop. I mean, if it, if it's your laptop with an user agent and an ID and you, it's good enough. I mean, the odds of you being able to do things with your laptop, that's your personal one and not managed.

Slim to none. There are companies working on that to support SSF, but it has to be a managed device or you have to be logged into your browser of choice for them to actually do that because they can't just be public like, oh, I know, just laptop or Vulcan. That doesn't work that way, not yet. What is the smallest peripheral concept you could do? Can I do this in a spreadsheet? Is Access database still a thing or would you recommend like

something a little more modern? Graph database Neptune, Something like that. Like do you mean? How quickly could I establish this central source of data? Because I know people. Out there like well. We can use it in their spreadsheet. Could that be a source? I it if it is, you have to be able to action on the source, which means you have to have. You could hook it up to Visual Basic and do some API calls. Bubble gum and chicken wire and duct tape.

I mean that you you don't really need data to test this out. There's a great open source 9 owned by any company website called cave dot dev, CAEP dot dev DEV and I think I think Kaiser has shared signals dot guide GUIDE in there. You can put in everything you need in a, in a fake target system that you can see what, what would happen. I mean, it, it, it sounds crazy, spin up a, a brand new tenant of your choice fake and go try it out for efficacy. And it is. It is super, super easy to do.

Super easy. So we're a vendor agnostic podcast, so I'm not asking you to endorse anybody that you hear you've walked the episode for. Did anybody jump out like whoa that's cool solution? I mean you did specific area. Oh. Like there's a whole NHI

Pavilion, is it Pam, is it IGA? Is it some sort of authentication? Or you pull out a company name. I mean, what time? I walked a floor and it's there's a lot of AI and HI here the the soup du jour is I can secure your MCP server with a proxy and a gateway and authorize it. That is like everybody has that now here it's like great, stop talking to me about that, right.

But from from what I've seen, what's what has stood out here is there's not a lot of people Avengers wise that are looking at the bigger picture of continuous and they're chasing they're chase they're chasing AI and NHI, they're chasing it. And what's gonna really be unfortunate is that year and a half purchased these tools, these things that these things to secure your platforms without the backing of the data. It's it's not gonna work the way you want it to.

But that's your point though. What I have seen is there's, there's a lot of focus on identity verification here. I kinda like that now. Like there's some companies here to remain agnostic, but identity verification is becoming a thing now finally. That should have been a thing three years ago. That probably was a thing three years ago. But people are starting to realize that this North Korea thing is a problem, right?

Not the country, just the, the whole you've all right, we've all, we've all read the articles, but it's, it's that to me set out there's, there's more than more than one vendor doing that here now. And I'm like when? That's a real interesting area because it started off really as government kind of vendors and focus, right, of trying to prevent fraud and how do you make sure the right services are getting to the right people and things like that.

But then it was like, OK, finance usually is a leading indicator of people adopting that. And now it's starting to get further down. I mean, you can see it now. It's like, OK, well, I'm calling a help desk. How do I know that Sean calling me and not AI Sean or someone tripped fishing me? Because chances are, fishing is going to be the way you're going to get breached because that's what's going to. Happen statistically and with what Google.

Google's VO3 just released. Which is crazy scary. Like if you had not played with that yet, Oh my, you just so it's it's super. Cool and super terrifying. And it just. And it's just that glimpse. Is that what we say? This is the worst it will ever be. It's gonna be better tomorrow. Better and better and better. All right, great, great question. I mean, that's I saw identity verification is like, wow, I'm like good 'cause that keeps me up at night. I mean, I think it's going to be

helpful. I think what I think you have to think about is the credential management self and then who do you, where do you get them from and how do you make sure that everyone has access to it. That's all stuff I think that will eventually get figured out. But I think there is there is that authenticity that needs to be established of OK, who am I talking to and. It's like do this good way right? Proving me you're you.

Blink if you're. Blink 3 times if you're you, but then on one foot exactly right, yeah. I feel like we could go on and on and on, but we do want to wrap this up. Sean, it's always great having you here on the show and I really enjoyed your panel. Thank you again for inviting me to be part of it. I'm just trying. To keep up. I'll say it out loud. You did a great job with it. I always look to you for like help and you always you take thoughts very well and you're like I got you.

So thank you so much Otto. Same thing loved it.

Mike and Andrew's like Jeff did a great job. So I'm thank you so much. I appreciate. It I think it's like I said, I think moderating is the easiest thing. I had a conversation with Grace Kluke, who is a Diev org winner for us. I caught her in the hallway and she did a panel and we we had a little bit of a discussion of us is moderating harder or easier? He says being on the pedal itself. And I said, well, for me in moderating is easy because.

So I just. Turned the questions over to smart people and said OK, you guys answered these questions and in our session today was awesome because literally 30 minutes of like straight audience questions like yeah, go to this person over here, go to that person over there and. You should ask also about this because he moderated the FC panel and I it's like ask him what you thought about it was harder to moderate or be on a panel because I think it's

harder to moderate personally. Well, here we. Go. That's our call to action, you know, Put in the comments below whether you think moderating or being on the panel is better or not. So what I think is funny, though, is like, go to the different panels of sessions and I'm like, that person has been on the podcast that everyone on the stage today in your panel has been on the podcast. No surprise, but it's. Pretty cool, yeah, you're. Andrew Cameron, session with

you. I thought you guys were going to geek out on EVs. I was like, man, is this, I think the center is, is it like EV now? What is it? It was, it was, it was, it was a great one. It was good. It was good. Well, all right, let's get out of here because I think we've got a bunch of stuff to do tonight. It's kind of another long day of Vegas, but I definitely appreciate you being on the show again for. Us, John. Well, what's that for having me? Thank you very much.

You guys are great. I'll have your show, your LinkedIn in our show notes as well as kate.devcaep.devandthenyeahieacpodcast.com. Like subscribe that stuff. Again, thanks to RSM, thanks to Identiverse for helping us out with getting us off the ground. And yeah, we'll talk with everyone in the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at

identity@thecenter.com. See you next time on Identity at the Center.