#395 - Sponsor Spotlight - Redblock

Jan 14, 2026 · 55 min · Ep. 395

Episode description


This episode is sponsored by Redblock. Visit redblock.ai/idac to learn more.


Jeff and Jim come to you live from the Gartner IAM Summit in Grapevine, Texas, for a special Sponsor Spotlight with Redblock. They sit down with CEO Indus Khaitan to discuss how Redblock uses AI and computer vision to solve the "last mile" problem in identity management: disconnected applications.


Indus explains how Redblock acts as an "agentic" layer, using screen recordings to learn administrative tasks for apps that lack APIs. The conversation covers the origin of the company name, the urgency of securing the "long tail" of applications, and how they build trust and guardrails around AI execution. They also discuss the "DoorDash" analogy for identity fulfillment and wrap up with a fun chat about Indus's passion for flying planes.


Connect with Indus: https://www.linkedin.com/in/khaitan/


Learn more: redblock.ai/idac


Connect with us on LinkedIn:


Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/


Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/


Visit the show on the web at [idacpodcast.com](http://idacpodcast.com)


Timestamps

00:00 Introduction from Gartner IAM Summit

00:46 Guest Introduction: Indus Khaitan of Redblock

01:40 Indus's Journey into Identity

02:41 The Origin of the Name "Redblock"

04:20 The Underserved Market: Services vs. Software

07:34 The Urgency of Securing Disconnected Apps

09:19 Why Traditional IGA and PAM Aren't Enough

11:35 The DoorDash Analogy: Where Redblock Fits

14:30 What Makes Redblock Unique? (Agentic Process Automation)

16:15 Trusting AI with Security Tasks

18:50 Onboarding Apps via Video Recording

21:23 Deployment: Running Air-Gapped on Customer Cloud

22:17 Handling UI Changes and "Full Self-Driving" Analogy

25:40 Integration with SailPoint and Governance Tools

27:13 Speed of Integration: Days vs. Years

32:00 How the "Headless Browser" Works

33:35 Limitations: Web Apps vs. Thick Clients

36:58 Redblock's 2025 Milestones and Future Outlook

39:48 Call to Action: Solving Disconnected Apps

40:27 Impressions of the Gartner IAM Summit

44:26 Are We in an AI Bubble?

46:46 Indus's Hobby: Flying Planes


Keywords

IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Redblock, Indus Khaitan, AI, Artificial Intelligence, IAM, Identity and Access Management, Disconnected Apps, Agentic AI, Computer Vision, Gartner IAM Summit, RPA, IGA, Cybersecurity

Transcript

Introduction from Gartner IAM Summit

This is Identity at the Center. Welcome to the Identity at the Center podcast. I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Not so bad yourself. Fantastic here at the Gartner IAM Summit 2025 in Grapevine, TX. Yeah, so I refrained from mentioning the cowboy hat. I did that already a couple times, but here I am mentioning it again. Yeah, well, hey, when in Texas, do as the Texans do. Yeah, so we've got a special one today.

We are doing a sponsored episode with our friends over at Redblock. So we're going to get right into a second. But you want to learn about Redblock? It's redblock.ai/idac. We'll have links in our show notes for people to check out, but let me go ahead and introduce your CEO, Indus Khaitan.

Guest Introduction: Indus Khaitan of Redblock

Welcome to the show. Well, a fantastic day at Grapevine, TX. It's such a beautiful hotel. I wish my children and my wife were here. There are a lot of children and wives here. I think people are taking advantage of sort of like there's a Christmas kind of festive type holiday thing going on here. There's a build-a-bear workshop. So other than identity and access management, there are things for people to do. Kind of odd place to have a

conference in the season. Yeah, I think we'll probably be in Vegas next year, which seems a little more normal for like a conference, but. Vegas is not normal but for a conference. Yeah. So thanks for sponsoring this episode. We're going to learn about Redblock today. One of the things that we always like to find out is for our first time guests, and this is the first time being with us, is a little bit about sort of their identity journey.

How they got into the world of identity or maybe security or maybe both. So let's start there. How did you get into the space of IAM or Digital Identity?

Indus's Journey into Identity

Well, I'm a programmer, I'm a CS grad and been dabbling with writing code and most recently I did a startup in mobile security that was like when iPhone 1 came out. And very interestingly, iPhone one would not authenticate against Active Directory. Active Directory, yes, and we built a business enabling organization and employees to access their internal resources. Cloud was not common back then. So their SharePoint and their, you know, files on network

shares. That's when I came to know, oh this thing called Identity. And then that startup got acquired by Oracle and amongst other things, I was a PM for one of Oracle's Identity products for a period of six months. So I got my exposure in Identity and you know, lo and behold, I'm doing an Identity startup. So you're kind of an identity lifer now you're at Redblock or you started Redblock, or I just have to know. How did you come up with the name? Well the name has multiple

The Origin of the Name "Redblock"

layers. So November-ish of 2023 when I got this idea that hey AI in its post LLM world is going to be multimodal. So ChatGPT 3.5 comes out and it makes it very easy to recognize world objects. Not just a picture of a cat, which the AI reasons as cat, or a dog, the AI reasons as dog, but more context, such as if you show AI the picture of a lion and say, Oh yeah, that's a cat family without actually

decoding, it's a picture of cat. And then we thought, hey, how about we feed some screenshots of postures for web apps. And lo and behold, it just detects beautifully that, oh, on your Twitter screen, you have, you know, these access profiles that you should not have. And then we started experimenting and we thought, hey, why don't we build a workflow that converts human actions into AI driven flows. And then there was a big popular workflow tool.

Let's not name them. And they had a blue box for all the flows going into a ticket. So, you know, something happens. And then of course, it goes to an ITSM where a human picks up. And then he said, hey, why don't we change this to a red color and the ticket goes to an AI driven human flow. That's one of the layers of multiple red teaming as an example, but that's one of. The yeah, that's neat.

So what is the underserved area or what is the market problem in identity today that you feel is underserved, I think?

The Underserved Market: Services vs. Software

I'll give you two arcs on this. Arc one, and this is like a market answer, like a top-level answer: for every dollar in cybersecurity, you know, there's $5 spent on services, operational, staffing, human labour and just getting things done like manually.

So if you look at the TAM of, or the revenues of, companies collectively in 2024, 220 billion-ish last year, cybersecurity across the board, all products sold. Guess what the numbers are for services and people enabling those products, it's close to a trillion dollars. Wow. And hate to say this, but there is a laundry list of services companies and vendors and people that serve this market. If you tease identity, a smaller section, 30, 40 billion, close to $200 billion spent on services.

We thought, hey, how can we turn this into a category where services are now enabled using AI driven software. So that's the market we are going after. It's a bigger arc on the top. But if you look tactically from a buyer's perspective, they have a lot of work that gets stopped by a ServiceNow ticket or a JIRA ticket. So anything that you want to do in IT, automation or identity, at the end of the day, it's a fulfillment job which you and I will get, Hey, John, can you do this?

Hey, Jacob, can you fulfill this? We are essentially routing that ticket to AI and let AI fulfill that task. Instead of a ticket being fulfilled by human, AI fulfills that ticket. So even with all the new spaces or you know, disciplines within IAM that are starting to kind of sprout up, I still think the traditional approach is IGA, access management or privileged access management. I think though even with good tools, it's lacking. What do you think?

It is lacking because if you look at the scaffold, ultimately it's about do you have enough coverage? Do you have enough visibility into your applications, your identities? If you do not, it doesn't matter whether IAM, IGA, PAM and now NHI and in future agents, your tasks will not be done, your visibility will not be there. So it doesn't matter whether you move from one acronym to the

other. If you do not know how many apps you have, what identities are inside those applications and what entitlements are there, the gap is still there in the market. So you're spending all of this money to solve 10/15/20 percent of the problem where your back door, your front door is closed, but your back door, your side door, your garage door, your trap door for rodents still freely accessible. And you know, that's where we

are going after. I think you just touched on a little bit, but I want to talk about what is the urgency that you know from a business perspective, what is the urgency to go after this versus make investments in other areas of identity? So if you look at the last 10

The Urgency of Securing Disconnected Apps

years of ransomware attacks or account takeover, so starting from Target 10 years ago to Salesforce customer instance breach of last year, there's so much in news. Each of these companies had all the certifications, all the compliance, all the tools, all the money, the best of the people. They still got breached. So it basically reflects on us as a community that isn't there something that is not being served. And the gap there is that the urgency that's brewing.

If you give it another thought, adversaries are no longer breaching firewalls. They're no longer dropping malware on your laptop. They're simply logging in. So if credentials are the main primary vector, do you have aggregated data of all the identities and the credentials that are probably in the wild all the accounts that are in your systems? So I think the urgency is what are the apps that are not covered? What are the apps that are not governed?

And I hate to say this but Infosec community has a euphemism for this called last mile long tail. As if they don't matter. Great. But they do matter, because if your sensitive data is in one of those apps and that gets breached, it's a vector to take over your infrastructure. So you talk about this gap, right? You've got these disconnected apps, you know, and you're totally right. You say, hey, let's solve for 80% of the problem, and what do

you do with that last 20%? So you talk about governance. There's a lot of governance tools out there already, right? We've got PAM, we've got IGA. If I'm sitting here with my

Why Traditional IGA and PAM Aren't Enough

famous jaded CISO hat, it's like, OK, well, why do I need another tool? Like why isn't PAM and IGA good enough? Is it just the way they're approaching it or is this like a new space? Like what are your thoughts on that? Yeah, it's a space that already existed. So if I dovetailed my previous part that irrespective of all the tools, all the technologies, all the certification, all the compliance breaches have still

happened. And there's definitely a gap in the market that we're not serving. We're trying to solve the same problem. We're trying to do visibility on the same things that are being visible. We're trying to build a better workflow for the things that we see, but we're not going after the areas that are unseen to us. I'll give you an example. So Okta we know as a, you know, identity governance and access vendor.

So they have this product called Okta Integration Network. 8100 ish apps are publicly listed there. That means vendors that have come in and you know, put their apps in there. If I tell you less than 5% of those apps have any automation of onboarding, off boarding changes and provisioning. The rest of the 95% are manual. It's wild, Wild West. So John joins your org, he gets access to everything that he wants. When he leaves, his access still lingers.

God forbid if those accounts are on Salesforce, on Snowflake, and a credential theft and a spray-and-pray attack compromises that, nobody's paying attention. So it's a newer urgency that's brewing. Go after the areas that have not been seen. It's like my closet. My wife doesn't want me to open because hey, you don't know, babe, because we don't know what's inside. You've got to goddamn open it. So you mentioned another area that is, you know, pretty common, right?

You talk about authentication and IdPs kind of getting in that space of controlling access to resources, where does Redblock fit into sort of like this triangle of opportunity slash sadness that exists between authentication, IGA and PAM? Is Redblock somewhere in those areas?

The DoorDash Analogy: Where Redblock Fits

Is it something different? Is it a blend? Like, help me understand, kind of like the positioning? So if you visualize this as a three legged stool, so leg one is your IAM, IGA, PAM, non-human identity, everything else, which is your visibility plane, which is your control plane, which is a workflow engine, which is a policy engine. And then the second leg is hundreds of micro legs which are the applications. So you have your Salesforce, your Zoom and your Slack and then 5500 internal

applications built by your team. So we come in between these two legs and enable flow of data to give you visibility into those 1500 and of course a control plane so that you don't have to file another ticket to take over access for a people who have left or do governance on those apps or change entitlements. So we kind of sit in the middle between the applications and the governance and identity vendors. If I give you a better analogy, think of Redblock as your DoorDash carrier.

We'll, we will take the order from you as a consumer, which is your identity tool and then go pick up that order from the restaurant, which is your apps and then without even looking into it and deliver this. And then of course the transaction happened. So kind of come in in the middle. So you got me at the DoorDash

because I'm a big fan. But when you said DoorDash, I started thinking, OK, well, this sounds a little bit like orchestration is you're kind of you're picking up something from one spot and then figuring out where it needs to happen with it and then dropping it somewhere else. Is that fair? Think of this as a last mile execution. Your DoorDash app is the orchestrator. It figures out oh go pick up from restaurant 1, then go pick up from restaurant 2.

Combine those two orders. Deliver it to me. So the orchestration engine is your DoorDash app. The guy who's fulfilling is the person, the carrier. So we are the carrier. We're picking things up from these individual applications. Hey, give me all the identities, give me all the entitlements and the roles and API keys and credentials and deliver it to me. Boom, package it, give it to you and then say hey go do more tasks and then go do that. So now I'm thinking logistics.

Logistics is a great word. So yeah, like, tell me where to go, tell me what to do. We'll do this for you. You don't worry about you still give me that trigger. So we don't have intelligence of our own. I hate to say this, my team doesn't like it, but we are taking triggers from SailPoint, we're taking tickets from ServiceNow and then doing the job which is supposed to be done, OK. So let me keep my jaded CSO hat on. And you know, this is probably a

question a lot of people know. So what makes Redblock special, right? What do you think it is that makes your product, your service, you know, different from others that are in the marketplace?

What Makes Redblock Unique? (Agentic Process Automation)

So this problem existed for a long time. So if you look at the last mile execution, the automation, you know, RPA vendors tried solving this. You know, if you look at finance as a larger category, you need to process invoices. So manually it's impossible to aggregate. So you put an RPA bot there, script it and you know, grab the data that colour has been kind of an implemented in identity user degree for user access review. So you need to aggregate

spreadsheets or user data. But RPA is scripted. It breaks when you know the UI changes. When the list of values simply changes, it breaks. It almost like writing a piece of code that has supposed to be executed. We are more, I haven't used the word AI yet, so we are agentic. So think of us as the way we work behind the scenes is we use computer vision. So the AI looks at the screen visually, just like you and me on the app and say, OK, what do you want me to do?

OK, here's the credential login. OK, what's next? Grab the list of users, packages a JSON and give it to me. So we're looking, the AI is looking at the screen and then taking decisions and then extracting the information or taking action and delivering it to you. And that's the differentiates us, the more modern, if you want to call it, there's no word around it. It's kind of being coined agentic process automation.

And yeah, that's where it is. OK, so you've opened up the box of AI and I've been thinking about, you know, when you kind of first talked about those. OK, how do I formulate this question? I'm going to put it rather bluntly. Can I, how do I trust the AI to do the right thing? Because now we're talking about security. And so it needs to be auditable,

Trusting AI with Security Tasks

it needs to be traceable. You need to be able to explain it, right? I think there's a lot of people out there who are interested in sort of like, Oh yeah, sounds cool, but how do I know it's making the right decisions? Great question. So when we started this, the demo version of the product that we have built now took us like a week, but took us a year to put those guardrails around it.

Because when you're doing something with identity security, you cannot have it go wrong. It cannot delete a wrong john@example.com, it has to be John, not Jon, if that's the name, example.com. So we've built a lot of algorithmic decision making. We built guardrails around it in terms of how AI navigates. And I'm going to tell you this, in our case, the AI does not make decisions. The AI is doing analysis. And this is when you dig deeper into the industry that we are going after, vendors or

competition. Oh yeah, you give the trigger the task to the AI and the AI will figure itself out and decide and take a decision. In our case, the algorithms, the guardrails, you know, the workflow that have inside, they make decision. AI is the reasoning engine. It's helping navigate. It's helping figure out what needs to be decided upon without AI deciding it. There's a lot more work done. Technically, we have filed close to a dozen patents on what we have built.

So it's not like Indus's skunkworks in the garage and coming out and party, but a lot of work that has been done. I think the whole business case resonates with me where you stand up a lot of these tools and it's like what you have to, to get full value, you have to integrate hundreds of applications in an enterprise scenario.

So that's where I think Redblock fits and maybe you can confirm that for me. But I'm also thinking from a practitioner standpoint like how do I get this thing rolled out? You talked about services in the beginning. So for a typical customer, what does it look like to get started and to actually start getting that value where it's like, OK, now I've went from I've got 5-10 applications integrated to I'm leveraging Redblock and I'm integrated to hundreds of

applications. And that's the challenge for traditionally like you know, we have customers that just bought a very popular IGA product and they are grappling with this

Onboarding Apps via Video Recording

thought. They have 500 applications to be onboarded and they quote got a quote from a services vendor. It's a four year journey. So you essentially are waiting for four years to discover every piece of identity in your enterprise. You know, what's the analogy there? You're a company of 10,000 employees and you do not know the 999 thousands of them because it takes time to go interview and corral. So we come in and we onboard these apps, an app a day.

The process is very straightforward. So let's say you have an app, let's call John's ERP engine app, right? What are the identity operations? Add user, remove user, change user and aggregate users. So for each of these identity ops, you just record a 25 second video of how you and I as humans would interact with apps. So you log in, you go click on that add user button in an admin corner of the screen and that screen recording on any desktop.

It gets uploaded onto our studio and the AI crunches it for an hour and it builds a turn by turn navigation of what needs to

be done. How it would be done when a trigger from the governance tool or an access tool comes in in real time and then it'll perform an action almost like an API call going to the AI. It performs the action, confirms it and closes a loop with the governance sender or with the governance application, or with the PAM saying hey, rotate credentials on hundreds of CCTV cameras in the supply chain.

It'll take a trigger from the PAM, do exactly I had described, go log into each one of the CCTV cameras, admin console, rotate the credentials, push it back to PAM, push it back to the PAM's vault. Super cool. I think if I was listening to this podcast right now, I'd rewind about two minutes and have to listen to that again.

I think that seeing some kind of demo of what you just talked about where you know, the you basically create recordings of this administrative process, AI processes through that and then learns how to do it. It's like, that's the dream, right? It's like AI robots can take YouTube videos and learn from them. I think it's fantastic, super cool. So I want to see a demo. Hopefully you have that posted on redblock.ai/idac.

Deployment: Running Air-Gapped on Customer Cloud

We'll have the demo posted. And the kicker here is, which I didn't mention so far, all of this infrastructure runs not in our cloud, but in our customer's cloud. So we serve banking customers, we serve regulated industries. So we package the AI model, the platform as a virtual appliance and hand it off as a binary. And it runs air gapped on their own cloud or on-prem. So it doesn't push data to a commercial model, OpenAI or Gemini or anybody else.

It's our model that is talking natively on-prem or in their own cloud. Does that go for the training as well? So, goes for the training as well. OK. So let me make sure I understand this. For me to set up a connection, let's call it, you're watching my mouse movements, you're recording the screen. I say, OK, this is the button I

Handling UI Changes and "Full Self-Driving" Analogy

press to do this thing. And then the system learns what that looks like. And what happens if screens change, UI changes? Do I I have to retrain like that action again? Like how does you know what happens if it doesn't click the right button or it makes a

mistake? Like, you know, I feel like I'm the -1 for these are questions, I think, which is like, OK, well, now I'm looking at a screen that might potentially have sensitive information, a user ID, a secret, you know, something it's going into like this screen recording. Like how do I safeguard to make sure that I'm comfortable as a CISO or any other risk person to say, yeah, I trust this thing. It goes back to the trust question I asked earlier about AI. So.

I'll break this down in two parts. Part 1. All of this training happens in your environment. So the video that you just recorded for training the AI sits within your block storage, gets destroyed after the AI learns it. It's not needed, it's once. None of this travels to Redblock's infrastructure or outside of your prem. Second, I'll give you an analogy. So if you drive a Tesla or any FSD you're not training on a

daily basis. It has the model that understands, OK, what's a pedestrian, You know, what's a cone, you know, what's a, you know, moving object. And it's navigating, deviating, maintaining the curvature of the road as it would need be. And same thing for the web app. Your colour of the button could change from blue to grey. The placement could change from left to right.

It doesn't require retraining because when the AI ingests the recording the training video for the first time, when it builds a turn by turn directions, it's not hard coded coordinates nor hard coded text of the button. It training itself based on the intent of the screen. What's the intent of the screen is to log in? Do I have the credentials, username, password, second factor, multi factor? What's the intent? Go to the next screen, go to an

admin section. So it's reasoning just like you and I. Let's say you and I are on a shopping site. We don't know where the checkout button is. We can start with the URL. OK, add, let's find the checkout button. OK, not on this page, go to the next page. AI is reasoning very similarly how you and I. So we've trained it just like the human behaviour on a page. See, Jeff, I think you asked that question, right? Because you're interested. It's like, wow, this is really

cool. We need more, we need to dig more. I'm thinking that. So this works in coordination with your existing identity infrastructure, IGA, your NHI solution, your PAM. And I think you talked about that a little bit. And I guess from what you said, the way I'm envisioning this is like you say, all right, I'm going to give Jeff XYZ access. You know, maybe in a manual environment you'd go out and issue an ITSM ticket and a human being would go out and do that.

But instead Redblock can pick up that quote-unquote ticket. And it's going to do that based on this training. There's still got to be some kind of integration, right? Some integration work with those IAM systems. So talk to us a little bit about that.

Integration with SailPoint and Governance Tools

So we are a SailPoint partner, we're a Saviynt partner, we work with Okta, work with Entra, CyberArk and others. And we when we started, we did want to replace your the Csos chess board. We are to come in and you know, be a little bit more strategic around which pieces, what pieces to move. So we integrate with, let's take

SailPoint as an example. We integrate the SailPoint as if it's a native app connected inside the SailPoint universe, so that if you're an admin, you're a user of SailPoint, your business is on a daily basis as usual. It would almost feel like that app, you know, John's ERP engine is just magically connected using this API inside SailPoint. So we work very closely.

So on the upstream side between SailPoint and Redblock is a very tight coupling basic conform to their you know connector framework and add an app as a new disconnected app

comes on board. So to your question, when you'll say a request for fulfillment of let's say removing a user, SailPoint will happily send a trigger using an API call to us saying hey, for this app perform this action, which is remove a user for this attribute, which is the e-mail address, which is a unique identifier. Redblock's engine is going to take it and then perform the necessary AI automation behind the scenes to

remove the user. So it's just like a connected universe on the upstream side, but by virtue of the AI being brought in together. I guess sit here and ask, we

Speed of Integration: Days vs. Years

went through the why. I could just ask questions about the how all day because I am interested. I do need to understand again, so maybe we put this in a simple explanation as possible. So how is it that you know, traditional approach takes four years to get 500 apps integrated, but Redblock can do it in how long? So traditional approaches, you know the numbers. So let's say you have a brand new SailPoint instance, you're a bank, you have 400 apps to go through, SailPoint is going to

give. I'm just using SailPoint as a proxy to large identity universe. So governance vendors will have 150 odd apps that have connectors out-of-the-box, which means if you're lucky, the Venn diagram of what connectors are available out-of-the-box versus your 500, you'll probably have a match of 10/15/20. Boom, 10/15/20. Done. You have 400 to go. So then you put an RFP out, contact a services vendor to write connectors for those 400 apps.

Averages $10,000 to $20,000 per app over a period of four to six weeks. Lucky like a week. Now you're looking at millions of dollars, looking at a two to four year timeline to bring those on board. For us, we're not writing code to connect these applications in, there's no JDBC, there's no Java. It's all driven by AI. So you record a video, upload it, and the time that is being spent is for an analyst to confirm that the AI is behaving

exactly it's supposed to behave. And within a day or two, you're giving a test data, hey, remove these 3 sample accounts and the AI takes it, removes those 3 sample account, you're satisfied. Boom, you take that unique identifier off that particular app and then you add it in your governance application. So you know, SailPoint, CyberArk or what have you, and then they're ready to take the

trigger. So, you know, when your certification campaign is ready to run, the aggregation process begins, a signal comes to Redblock saying, hey, I need the list of 10,000 users with the entitlements. Boom, just an internal API call between Redblock and the governance and the, you know, response gets sent similarly for removal of a user. So the time is very shortened compared to the years that I would take. I'll give you a very specific example.

A customer that we're onboarding, they'll bring 150 apps next year. They had a three-year quote for close to 1 1/2 million dollars. So two-part question, let's talk about that model. Is there something like you go and help them kind of get kick started and then it's DIY? And then also like for a mature client who's actually, you know, well into their program, how are they measuring the value, measuring their success? So it's DIY.

The first part is that we kind of help with the 1st 15/20/10 and do a knowledge transfer and then shadow them for a period of time. So we just gave a statement of work to another bank and that's what we're doing like 25 apps, we will do it for them and then shadow them for another 25 and then they take over from them there. The biggest ROI is at least the tangible ROI is time saved. An IT ticket is 40 minutes to 2 days.

You know the numbers of 90 days like mindless AI is going to fulfill this in less than 3 minutes. So you could shrink the time to 70 to 80% on an aggregate basis, but in many cases on edge cases like by 99%. So time saved equates to money. 2nd, if you are a very large bank, you have let's say 90 apps under SOX or under compliance, you have to perform the aggregation.

You're moving data around, you have CSVs and then if there's a human error in one of the aggregated data, which is a CSV file, you have three strikes before you get penalized. So millions of dollars in penalties potentially are saved.

And I'm not even using reduction of threat vectors and attack vectors because a rogue account, an orphan account was disabled by AI. And let's be honest, the reason the ransomware or the adversaries are active, not because we don't have tools, but because we do not have time. We do not have time to go look into each and every corner and say, hey, have I covered all the identities? Have I covered everything? Now the AI is scanning and going

and fixing this. So. I'm going to ask maybe a stupid question, yes, because I'm

How the "Headless Browser" Works

really curious about how this works. How does it do the work? It's not an API, it's not an API. So is it spinning up some sort of like virtualized environment to like replicate a human doing the work? It basically spawns a headless browser. OK, so let's take the say the governance example. You have request for a user removal from access tool. Let's take SailPoint as a governance tool. The API call from SailPoint travels to Redblock, normal API, nothing fancy.

The moment it comes, we spawn. Of course, there's a lot of work done behind the scenes in terms of agent planning and all of them kind of glossing over. But the crux is a headless

browser gets spawned. And this headless browser gets spawned based on the training that we talked about earlier, based on the URL, say John's ERP engine.com gets launched, a set of credentials are fetched service accounts from a PAM and that the AI is essentially performing the tasks just like you and I would do, except there's no visual monitor, there's no display adapter. It's all being done in the memory somewhere in a data center. There's nothing running locally

on your laptop. There's nothing running adjoining the application where it is going. It's all running remote in a headless environment, and then of course the underlying models are helping decide what needs to be done based on the trigger that comes in. OK. And Jimmy hit it right in the head and was like, I feel like I can ask how questions all day long. My last, this probably isn't a

Limitations: Web Apps vs. Thick Clients

how question, but what are the limitations of this? Because you mentioned a headless browser, I think. OK, SaaS, yeah, makes sense. What about an on-prem application like an SAP or some other thing that is, you know, I would say not a modern application. Something like that. As long as that legacy app. So we have done some experiments. We have not released the product yet. If your mainframe can be proxied over a web browser, the AI can still read and extract information.

It does not do well when you change stuff, add attributes. So our current limitation is, and this is a road map we haven't thought through yet completely, can we solve for thick clients when you have a desktop application running in your local laptop or a server environment? Right now our limitation is anything that is web navigable. If you and I as humans can navigate and solve the problem in a browser, bingo, yeah, I will do it. OK.

And I appreciate understanding that because I think a lot of people say, yes, of course we can do it and then we'll figure it out later. But I think of like, you know, just kind of brainstorming. It's like, OK, well why not just spin up like a little virtual machine, you know, of a Windows or a Mac or a new Linux and run that thick client in the same way where it would be kind of like a browser type thing.

So I'm not an engineer, I'm just thinking, you know, rudimentary, but it feels like it's the art of the possible at that stage. I think it's very early. So if you look at I'm going to use the self driving as an analogy. So 10 years ago Elon announced autopilot. Of course, marketing jargon, but it did those three things very well. Put the car in the autopilot. It will maintain the curvature of the lane or drive, it'll do adaptive cruise control. Second, it do a very fantastic

lane change. You like tap it up and like veer to the next one and then done third thing, it will park very well, like parallel parking Bingo. Like 10 years ago, unimaginable. But 10 years from now it is almost like I don't drive anymore 99% of the time unless you know, there's intervention because that's how it has it has it has become. I think we are at the early stage of AI driven automation. This is the first year. This is the first year of the autopilot.

And for you the hype is so much you can actually call it almost autopilot. I think we'll get there to the Nirvana stage in the next 5-7 years. So I appreciate the pun of AI driven and using the full self driving analogies. I think it's a great analogy because I remember the first time I had a Tesla a while back and the first time you turn on the autopilot, you're like,

whoa, I don't trust it, right? Because you might drive a little more on the left in the lane versus the right in the lane. But you know, it generally sits right in the middle of the lane and it follows the curves. But that first couple times when you turn it on, you're very nervous. At least I was like, all right, do I trust this thing?

But as I learned the system and understood, you know, the limitations and where it excelled, I got very comfortable with it. And yeah, it's a great feature. So I love that. I, I, I, I really like the analogy of the, of the FSD with the AI driven great, you know, great connection there. Let me ask you a little bit about 2025. Like, what do you think is like the biggest thing that Red Block has, like, really come out there and, you know, accomplished this year?

I think 25 started for us with a great bang in a way.

Redblock's 2025 Milestones and Future Outlook

So we presented our first ever industry paper. So we built our own visual benchmark. So if you peel the onions of AI behind the scenes, it's all driven by how performing it is. You ask the guardrail question how performing it is. And if I give and if you've probably seen some of the OpenAI benchmark, like yeah, it can now solve SAT it could, you know, clear the bar exam and

that those are the benchmarks. When we started this, there were no benchmarks for visual reasoning because, you know, Redblock is all about visual reasoning. We look at the page and the AI decides how good or bad it is. So we presented our first ever industry paper for visual reasoning. I'm not going to go into details because it's going to take a whole side track because based on 2 very popular game shows,

but let's keep it for later. And that was like early this year in Abu Dhabi. I was there, we presented and then we launched the product. So we went GA on April 29th, I think the first day of RSA, we announced the product. We announced the product, not just the product available. We actually took an NVIDIA GPU cluster at our booth, the whole of AI running air gap locally and doing the things I'm just describing like you know, JML

and AD user, aggregate user. And then we acquired the first set of early customers for us. I'm really thankful short of disclosing the names of some of the largest in the world working with us because they're very progressive in their minds. They have the problem that they have not been able to solve and a small team that became slightly larger. We now have like 14 people between Bay Area and Bangalore so can't complain about anything right now. So 2025 is like the coming out party, Yes?

What does 2026 look like? The winning party, the goal is to, you know, get this in the hands of at least 20 brand new customers. Many in conversations we have not talked about the how publicly yet and I'm short of almost stopping myself. Shall I say this? Shall I say this not because what we want to talk most is what is the problem they're solving. If you go to website, the mention of AI is in the ratio of the mention of security is at least 2-2 or five X.

The AI is not there that much. We talk about the problem that we solve. I think next year the goal is to talk a little bit more about how we do this and disclose some of the papers that we have filed, some of the IP that we have created. So that's the plan. We're going to say acquire more customers.

That's why I was saying. So if there's one take away that people should take away from this conversation, like what is the plea to or call to action other than, you know, visit the website redblock.ai/idac, right? We'll have there'll be stuff there you can learn more. But like what is something that's listening to this conversation? Like, all right, so I've just heard about this thing called Redblock. Now what? If you have

Call to Action: Solving Disconnected Apps

applications that are not connected, applications that do not have APIs and you know Gartner is calling that category as disconnected apps? You know, talk to us, give us like a day and give us an app. We will get this up and running in our sandbox or yours and then perform these actions what you always want to do. But unfortunately you sent it to an IT ticket AI will fulfill it in minutes.

Instead of, you know, you're relying on somebody who's watching Netflix or on vacation, then it's going to come back and close the ticket. AI will close it in like 3 minutes. So you just, we're here at the Gartner IAM Summit in Grapevine, TX. Amazing, yes,

Impressions of the Gartner IAM Summit

everybody's dream to come here someday. No, you presented yesterday. You've been at this conference now for a day and and change. What's your impression of the conference and tell us a little bit about your presentation. Yesterday. So I think we still at the what's the right word? I think we're still skeptic about the use of AI in identity. We still kind of walking tiptoe into this territory that, hey, can AI solve this problem or

not? Luckily, there's lesser of a negative chatter on AI doing damage, which was kind of relieving for me when I was at the keynote yesterday. It was a little bit more balanced versus the other any events I've been to. It was like or the online chatter is how AI is going to do more damage.

The Terminator, I think my take away is we're still a little bit more skeptic, but just like any other new technology, be a typewriter, be it the Gutenberg press or be it the Tesla, self driving as humanity, you got to experiment. You got to figure out whether this is going to work for us. Of course there'll be bad actors, but we cannot stop innovating. But because of they're bad actors in the world, I think my impression is you'll be a little

bit more aggressive about this. You'll be a little bit more forthcoming about experimenting, adopting of tools. I mean, that's my take away from like day and half. Yesterday I talked about, you know, it was mostly how there's a gap in the market and how the attack surface is super exposed because there's more and more apps, you know, the explosion of apps. You know, you and I are old enough. I remember I had like 5 applications on my desktop. That was my word.

Now the team that I have, they have 50 applications, you know, SaaS and internal. So that app explosion is the driving force and then agents coming in. So you no longer are your one person doing the thing, you have 10 delegates doing the thing. So how are you going to manage all of this? Yeah. So what themes are you seeing or conversations you're having here at the conference that make you optimistic for the future?

I think there is some conversation around non human identity and how guardrails have to be input around agents that will access credentials. So I think people are thinking about it, people also thinking about permissions. So if I allow an agent to do a task, is it static? Is it dynamic? How can I do just in time? So I think they're thinking around on the edges of what should be the art of possible allowing AI to do the task, but with the guardrails and with the permissions around it.

So I'm very hopeful that as innovators, as an industry in general, will solve this problem and we'll get to it. However, my only worry is that we have not fully solved the human identity problem. I hope we accelerate that. What's not being emphasized enough? What are you concerned that we're not paying enough attention to? I think the privileges, the issue of over permissioning is still rampant. If I join a company, I need access to 25 systems.

I clamor. I hue and cry and fight. I get 25 of those GitHub repositories. Just take that example. When I leave or when I change roles, I still have access to sensitive repositories and data. I think it's not enough attention being paid towards over permissioning privileges accumulating static privileges. I think that requires rethought. All right. Final question. This is not a financial question. This is a question about, you know, from the perspective of the technology.

Are we in an AI bubble? We are, I think, I think this is

Are We in an AI Bubble?

our human mind. I, I don't want to be negative about it. It's a human mind, right? There'll always be a group of people, all of us combined. They'll be excited about something that is new because as a kid we want to play with the toy, but then there are hundreds of kids wanting to play with the toy. So the toy manufacturers are out of control and hence there's a lot of money being pumped in on technology that's not proven. So which is good and bad. Good that it brings out the

best. Bad that the best ones do not have access or capital to let the technology see the light of the day. So if you are connected with me, I am running a fund of a billion. I will let you try that for a $10 million check. But am I doing disservice? Probably, yes. I should look out for other. I'm not saying anything against our relationship, but there could be better use of this money to invest in startups or technology to, you know, do a

better good study. So it has to be more controlled. It has to be steadfast rather than, hey, let's just go invest all the money possible. You've seen that story in the web era, 96 to 99. Everything that was promised went out of business, but everything that was promised ultimately was delivered over the next 10 years after the bubble. So all the web, all the SaaS, if we go back in time, Oh yeah, shared drives.

I remember startups that were raised hundreds of millions in shared drives went out of business. But what's proper now? Google Drive, Box and Dropbox born after the bubble. Well, blast of my past. I'm thinking of my zip drives that I used to have. Oh, yeah, I can store 250 megabytes on it. Oh my gosh, there's so much room now, right? It's been a really interesting conversation. I definitely want to like learn more about this. So again, go to the website, you know, redblock.ai/idac.

We're kind of getting to know each other before we hit record here. And we were talking about flying, like, literally flying planes. So I want to know how you got into, you know, being a pilot and what do you fly and when are we going to go flying? So every kid has the same dream,

Indus's Hobby: Flying Planes

all of us, right? I want to be a guy riding the fire engine. I want to be a pilot riding a plane. Guilty. I wanted to be a pilot. Yeah, all of us have the same dream. But you know, we get busy, life catches on, we get family, work catches on. And when I moved to the Bay Area, I grew up in India, of course, air travel. Now it's a Papa and I grew up with no air travel. And then when I moved to the Bay Area, I did not know I started living next to an airport.

So I live in East Bay in a small city called Dublin, which is like 1 1/2 miles from the Livermore Airport, which is a local Municipal Airport. It has two runways. Fantastic. Both of them are good use. And one fine day without telling my wife, I went on a Discovery flight and I was free. And then the flight ends very well and I registered for a flying class and for an offline training class where they teach you the theory.

So essentially, without telling my wife and my family, I started training for a pilot where I have to clear a written exam and an online and in air exam or behind the wheels tested zip code driving the car and lo and behold, a few years later, I am now flying a single engine Cessna. So I'm like, yeah, normal single engine Cessna pilot, which can take one or two passengers and then not go out beyond 304 hundred miles of my local airport. So it's fun and you're most

welcome to join me whenever. Can they stay in the Bay Area? How long did it take you to get your pilot license? I did, I think 6668 hours over a period of a year, OK. So I've been flying like flight simulators since I was in my teens, right? So I feel like, you know, there's, there's this, you know, feeling that if you've played video games, a lot of people there was like a study is like, well, you know, if the plane ever says we need a pilot, right?

Anybody who's played video games, like a flight game is like, yeah, I can fly a plane. I think it's, I think it's so cool to have the time to be able to do that and the investment to be able to like do that. Like what's next from like a flight perspective? Do you go to a larger plane or are you like, I'm good with the Cessna and like tell me about like where the next part of the journey is? Do you have more than an hour on this? We could do it all the time. I was on it, yeah.

So what we've so the pilot journey is very similar to an identity professional journey. I'm just kidding. So the pilot journey is you basically, hey, I want to do a discovery flight. Then you become what is called a VFR pilot. So visual flying rules essentially you visually look at stuff. Of course, you have a map, you have a guide, you look at objects. You cannot fly within or inside clouds. It has to be 100% clear a day

before you can fly. So the next step is you get IFR, which is instrument flying rules. You can blind, not blindfold, but you don't probably look over the cockpit or the horizon. You can just look at the instruments and you can still fly because now you're using guided instruments and automation and helping and then

fly. The other part is you go from single engine to double engine, you go to jets, you go turboprops, you go, you know, Boeings and the larger jets, which is thousands of hours of flying, don't have patience, don't have time. That not becoming a professional pilot yet, at least not my bucket list. I think VFR to IFR is a very simple journey. It requires another probably 50 to 100 hours of investment. If you take another exam, you have to have another examiner in

the plane clearing you. And of course then you could fly anywhere. You could go above 10,000 because then visual flying as a rule and all that. So just follow. I think it would be so cool, Jim, like, you know, we do consulting during the day like why don't we just fly to the client, right, rather than drive or take a commercial. It's like, hey, let's get a little plane and, you know, take off and. Nobody to bother you up in the air.

You just by yourself, if not your wife or your friends or your family, just aim for the sky, just going somewhere. I think the visual and the instrument guided a big leap, right? It's a big leap. From my understanding, most of the accidents are with the instruments, people not trusting them and kind of like saying Oh no, they feel like they're flying in a circle or something so they go the other way, don't trust the instruments, and then

end up in an accident. Well, if you know the stats, most of the accidents are people trusting themselves too much. Most of the accidents are not on a bad weather day, but on a clear weather day. This is like a very jarring statistics from FAA. 56% of accidents are not in the air but near the airport, whether you're landing or taking off and some

obstruction. And the majority of them I don't have the numbers are on a very fine day because they Oh yeah, I can see through it and then relax, soak it in and next year something goes wrong. I always find it fascinating. You know, I fly a lot of out of the Atlanta airport a lot, you know, very busy. And when you hear about like planes colliding, you know, in the terminal and on the gates, you know, and, and stuff is like, these are giant planes. Like how do you mess that up so badly?

There's a distraction. I think as individuals we are more distracted, we're not paying attention. We have become like a goldfish brained and accidents have happened more recently than earlier. So can we get to full self flying at some point? I know a lot of, you know, commercial flights are automated to some degree, even with like ILS systems for instrument landings and stuff like that. Not every airport has that.

But, you know, we're coming to the point where, you know, an AI can essentially fly the plane for you as long as the instrumentation is correct, right? And the hardware is there. Like how far away do you think we are from like pilotless planes? I think pilotless planes are far away because especially on commercial side, if you look at let's take A380, A350, Boeing 777s and the modern planes and Dreamliners, 90% of the flying is automated today because of the autopilot.

It has a plan fed in and it just guides itself on the way unless there's intervention. The landing and take offs are still very manual, very pilot intervened. Technology is there to automate it, but I think the rules and segregation in the last minute, you know the ATC intervening because there's a plane which is delayed in take off etcetera.

I didn't take time. I, I think it's OK in my mind, you still want, at least if I am one of the 150 passengers in my Southwest, I want the pilot to be there. You know, just like your Waymo or your Tesla. So Tesla still requires you to be sitting as a driver in Waymo. I'm sure you've taken Waymos. The sheer fact that there's a steering wheel gives a sense of calm. And there was a discussion last week with someone, I forgot the

name of the person, he said. Oh man, if they could put a dummy there it would given me even more sense of calmness because it make my mind feel that somebody's there, although the dummy's doing nothing. Now I'm thinking of the movie Airplane with the dummy copilot inflatable that comes up. And this has been such a fascinating conversation. I feel like there's so much more. Again, so many hows like how this works, you know, we'll

point people to the website. It'll be in our show notes and things like that for people to check out, connect with you on LinkedIn, you know, that kind of stuff. So really appreciate you taking the time with us, sponsoring an episode, getting the word out. You know, this is the coming out party. Let's you know, cheers to a great 2026. And yeah, so we'll leave it there for this week. Thanks everybody for watching

and listening. You can find us on the web, idacpodcast.com, like and subscribe, do all that fun stuff. And yeah, we'll leave it there. Thanks for take care. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com. See you next time on Identity at the Center.

Transcript source: Provided by creator in RSS feed