
#398 - Solving the AI Identity Challenge with Martin Kuppinger

Feb 02, 2026 | 56 min | Ep. 398

Episode description

In this episode, Jim McDonald welcomes back Martin Kuppinger, Principal Analyst at KuppingerCole, to discuss the rapidly evolving landscape of identity in 2026. With Jeff Steadman away, Jim and Martin dive deep into the intellectual challenges posed by AI agents and the limitations of traditional non-human identity frameworks. Martin explains why organizations are feeling a sense of disillusionment with AI and how a capability-based identity fabric approach can help manage the complexity. They also explore the balance between security and business enablement, the rise of workload identities, and what to expect at the upcoming European Identity and Cloud Conference (EIC) in Berlin.


Connect with Martin: https://www.linkedin.com/in/martinkuppinger/

KuppingerCole: https://www.kuppingercole.com

European Identity and Cloud Conference (EIC) (don’t forget to use our discount code idac25mko): https://www.kuppingercole.com/events/eic2026


Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com


Timestamps

00:00 - Welcome back to 2026 and EIC preparations

02:48 - The shift from future potential to current AI agent challenges

03:12 - Understanding AI disillusionment and the lack of control in regulated industries

05:19 - Security as a business enabler vs progress prevention

09:55 - Why AI agents should not be classified simply as non-human identities

11:43 - Complex relationships between humans, agents, and delegated tasks

15:17 - Self-service identity for knowledge workers and AI productivity

18:40 - The risks of decentralized agent creation and "shadow" AI

21:58 - How AI is being baked into identity products beyond role mining

26:55 - Using usage data to reduce over-entitlements

34:10 - The Identity Fabric: A capability-based approach to IAM

40:33 - Vendor rationalization and the flexibility of the fabric

47:19 - Previewing EIC 2026 topics: Wallet initiatives and consent

52:44 - Final advice: Curing symptoms vs addressing causes


Keywords:

IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Martin Kuppinger, KuppingerCole, IAM, AI Agents, Identity Fabric, EIC 2026, Non-Human Identity, Workload Identity, ITDR, IGA, Cybersecurity

Transcript

Welcome back to 2026 and EIC preparations

This is Identity at the Center. Welcome to the Identity at the Center podcast. I'm Jim McDonald. Unfortunately, Jeff Steadman is under the weather today, couldn't join us. And it's really his loss because we've got a fantastic guest, a return guest, Martin Kuppinger. He's the principal analyst at KuppingerCole. You may just know him as Martin. So that's how I know him. Martin, welcome back to the show. Yeah, Jim, pleasure of being back here and thanks for inviting me again. Absolutely.

And also, I guess it's welcome to 2026 for all of us. We're just getting back from the holidays and getting ourselves wrapped around, wrapped back into the identity space again and having to, you know, solve a lot of the same problems that we were in 2025. I want to talk about a lot of things. I guess I haven't seen you since EIC in 2025. We're also looking forward to being there again, Jeff, and I'll be there in 2026 in Berlin. I'm sure preparations are underway from your perspective.

They, they are so, so I'm not that much involved with the agenda work. So, so my, my works will start a little later on, mostly when, when it comes to. So I did a lot of, gave a lot of input to the for the agenda. But then when it, when we're getting closer to EIC, then the one thing will be scheduling. So it's always a tough thing to, to squeeze everyone in the tight schedule. And the other thing will be preparing my own presentations and talks. Well, I got to say it's, it's

just a fantastic time. Obviously if you're in Europe, it's the number one conference covering the identity space. If you're from outside of Europe, if you can make the trip, I highly recommend it. We had a fantastic time this past year. Looking forward to doing it again this year. And by the way, we will have a discount code on our website. I don't know if we have it out there yet, but look for it within the next couple of weeks if you're looking to register for the conference.

It'll save you some money. And we're going to talk about EIC a little bit later in the agenda. But while I have Martin here, I want to pick his brain on a few topics. And Martin, I, you know, Jeff and I always say it's like, it wouldn't be Identity at the Center if we didn't talk about AI. And sometimes we joke around and call it AI at the center. But it's, I mean, this went from, I'd say this time last

The shift from future potential to current AI agent challenges

year where it was like, Oh yeah, that's something that's going to happen in the future, to it's happening right now with the AI agents and companies building them and identity practitioners trying to figure out like, what is our framework? What is our approach for managing AI identity?

Understanding AI disillusionment and the lack of control in regulated industries

Yeah. And, and as we also see that there's a lot going on with AI, there's also, I think some, some disillusion starting when, when, when organizations feel they, they either don't have the, the results they that were promised at the very beginning or that they feel some things can't be

done easily. So because we, we hear this, especially in regulated industries that organizations are, are shy of deploying solutions agents, for instance, and, and within business processes because they feel they don't have, have enough control and sufficient control about these agents. And that means, yes, we have have an interesting challenge here. I I would dare to say in, in all the yeah, 35 plus years. I'm in the identity space right now.

This is the most, I would say intellectually challenging evolution I've seen over all these years. So it's an incredible amount of complexity and I think we need to be very careful of on one, on the one hand, finding short term solutions to to address challenges, but not believing that we have solved everything with the first whatever MCP server authorisation solutions, because this is just a piece of the puzzle. So that that will be very

interesting. How can we deliver quick solutions that that help, but not sort of tapping in into the trap of thinking as oversimplifying the challenge? Yeah, not oversimplifying the challenge, but I also feel like we also have to make sure as practitioners that we are not stopping the business progress. We have to from obviously from

Security as a business enabler vs progress prevention

our, our main charter is securing the environment, but we also have to not be the progress prevention department. Where, where security is a really good in, I think we've proven that for decades that security is tends, tends to, to, to hinder business in, in, in progressing. And I think that's exactly the balance we need to find.

So how can we at the end of the day, I think this AI sometimes we're, as I've said, we businesses are in the situation that they feel they, they lack a certain level of security and control and governance to proceed in what they want to do in the business. So, so this puts us in some sense much more in an enabler role than ever before. Because I think from what I hear is that a lot of businesses are, are really, I would say, insecure about what they can do

and whatnot. And they feel a risk of losing control potentially. So that means that the, the businesses asking for a certain level of security and control, usually it is that they, they don't ask much they feel hinders them. In this case, it feels this is what they need to, to, to be able to proceed in their

initiatives. And, and I think from that perspective, it might be a better situation for security or cybersecurity identity people than than in most cases before where, where we were just the ones coming in and saying, Oh, no, we can't do it that way. And we need to make it more complex and slower and more expensive. In this case, it's really made me say, OK, if you do that and that and that you can at least sort of have a, a, a better, a

stronger risk control. And that that again goes back to what I said before. I think we need to find a good balance between solving certain of these challenges, the ones we can solve now. But we, we, we, we must not believe and and also not leave the impression that this is the finite solution already. Because to solve everything, I think there's so many pieces that will take us quite a while and it will require quite a lot of innovation.

We probably will need new types of standards or or improvements and product protocols and all that stuff to cover all the challenges. Yeah, I think that's exactly the way I was looking at. The problem too is that there's so many use cases. I think of myself as kind of a a productive employee and I want to build my own agents and what identity do I use or allow those agents to run under? Do I just give them access to run like me or run with my

credentials? Well, that's obviously a no, no. There's also the use cases where you're building enterprise level applications with AI. And I think the at least, I think the point that you're making is like trying to solve all these problems at one time. That's very difficult to do. Yeah. But but it's I think the the same challenge we have with with many other we had in many other

areas in the past. I think we need to sort of deconstruct this, this problem domain to smaller pieces, figure out solutions for the smaller pieces and then bring them together. But every, every, every element we, we, we address will help us in the overall security. We also probably will have points on use, but we then need, for instance, an over sort of an end to end governance. So not only saying, OK, we have a bit of security here and here

and here. We need an over over all governance across all the pieces, which then brings things together or which helps us understanding anomalies across the entire chain. And I think one of the big, so a couple of things. One thing is I think it's not a good idea to think of the identities of AI agents as just

Why AI agents should not be classified simply as non-human identities

a non human identity. I think so. I, I, I'm not a big believer in the term non human identity because I think it's an umbrella term that's we covers a lot of different things. So the, the real machine identities for IIOT or OT the, the workload identities, which some call machine identities. And then we have compared to workload identities, agents have a way higher level of autonomy, which means they are in many areas different.

What I think also comes into this, this or what adds to the problem domain is we we are used in in saying there's a human or maybe a workload accessing a system right now. We say, OK, there's a human or a non human that there's an agent that works on behalf that impersonates, that has been delegated to do whatever. There are very different ways to to, to between just the human and the agent. And that agent then can work with other agents.

There might be a chain of agents and then we have all the systems that these agents try to access to, to to respond to the requests. So it's, it's a, it's a much more networked, much complex relationship challenge than we had before, which also means, for instance, from an authorization perspective, we have, we have a lot of different points of authorization. So there is the agent to the MCP server, but there's also the the relationship.

Complex relationships between humans, agents, and delegated tasks

This is an interesting authorization field between the human and the the agent. So that that is what where, where I always say, OK, you know, there there might be the, the situation that the agent can do more than the human will allow. So travel booking, the agent can book you any, any travel, but maybe the corporate policy says you're only allowed to go in hotels up to that price tag or you're only allowed to, to fly, fly economy or whatever else.

But it could be also the other way around that you, and we've seen these cases enough that someone asks, requests the agents to, to do things the agent is not entitled to do. So, oh, give, give, give me the construction plan for a nuclear

bomb or things like that. So I, I think we have way more complex relationships and authorization challenges and we, we can clearly mitigate a certain part of the risk, for instance by, by MCP server authorization handling it and probably, but it's just an element of the overall solution. Yeah, the MCP server, just thinking about that, that in the enterprise architecture perspective, there's an MCP server and it's managed by IT, right?

But if I am a knowledge worker, to use a very old term, I'm a knowledge worker and I'm building an AI agent to do something and I want to connect to services that let's just say I want to connect to Workday, right? And I have a Workday account. I can get into Workday and I can see certain screens and I just want to be able to take information from those screens and pull them into a

spreadsheet, right? I'm trying to create a very simple example, it seems to me, and I, I'm, I'm painting a very specific use case here, but do I have to go back to the enterprise and say, hey, I need the MCP server to connect to Workday so I can do these things? Or maybe Workday is not a great example because most companies are probably connecting their MCP server to Workday. But maybe it's a a legacy business application.

But I teach the AI to do something to fetch my data so that I don't have to do that myself. I for day I come in and they populate some spreadsheet with all the information I need. I feel like I want to give it my credentials, but at the same time then it, you know, from a security standpoint that looks like I'm the one who's doing the clicking and all that. But actually it's the agent. So we should have an agent identity to do that.

This is kind of a theory of my own, which is that there should be some kind of self-service process to create a, an agent ID for me to do that rather than having to go through, you know, having one issue to me, etcetera. What are your thoughts and what is the the industry direction in terms of how to solve use cases like that where you have knowledge workers, you want them to use AI to be more productive, but then this security layer makes it almost impossible to do

it right. That's, that's a great tricky

Self-service identity for knowledge workers and AI productivity

question because I, as I said, I think that there did so many different scenarios behind that. So I, I think that the point is, is the knowledge worker using an existing agent, then, then it's a very different thing than when, when we think about.

I really hate this democratising term in in IT, especially in security if it's more that everyone can create own agents, which I think raises some some other questions first, like like how do we keep control about these when when someone does it sort of decentralised and and not within a sort of a managed environment. And I think, but especially for these areas, I think it makes a ton of sense to have identity and access and all the stuff as a service.

So I, I think the worst thing would be that that someone tells the agents what the agent is allowed to do. I think it's better than to consume it from from a from a service that is sort of centrally managed and sets the rights sort of limits and delivers the rights types of policies and identities to to agents that are are built decentrally. So I think the worst thing is, is having super user type of self constructed agents popping up at scale and without any control.

Yeah, I see your point. And I guess I, I, I don't fear that. In fact, I'm, I'm the, I could come from the other perspective because I'm working on a project inside of my company right now and it's a training project and I want to pull data from various different places to populate and to educate the agents. So I've got a kind of a scheme in my mind and it's like I understand it. I don't want to have to spin up the big project. I want to do like proof of concept and etcetera.

So, but I, I think this whole topic maybe ties back to what you're talking about with governance. So I've kind of feel like governance is all about setting the guardrails. It, it's the, the paper and pencil side to information security. And it would behoove, I think organizations to maybe start there where you have a governance committee or governance body that oversees AI.

What are the use cases that are relevant to your organization and what are the rules of the roads in terms of what people are allowed to do and what information security protocols apply? Is that where you're getting at with with governance was kind of like the rules on the road and the guardrails? You know, I think, I think maybe to explain my, my perspective, I have a quite some legacy in the

The risks of decentralized agent creation and "shadow" AI

Lotus Notes Domino field where where hundreds frequently thousands of databases were constructed pretty much decentrally. And still still for many organizations still our challenge in migrating these. So no one knows what why no one knows what they are they are doing, which data is kept etcetera. So I, I think and, and, and maybe another, another point to bring in this, which may explain my thinking.

We in, in many areas we have that situation that people, for instance, developers just want to do to solve a problem and security for them is not the first priority. And it's interesting to see that that approaches like OPA or them. Unfortunately, you're still relatively decentralized HashiCorp Vault and others became very attractive because it removed some burden from from the developers by saying, I just can't consume a service.

And that means you have an option to bring these things under control to at least ensure what is to understand what is what is out there, how is it working? Where are your security risks and, and for instance, manage the identities, bring things under control. And I I think for when we create agents, then certain aspects should be also always be considered as a service. So it doesn't make sense that that decentrally everyone decides about whatever the access the agent should have to data.

I think that that is usually the the one who who owns the data. Should be the one who who decides about that access. Because if you want to solve the problem, you may go out to and and try to reach out to too many, too much data. And that in some sense multiplies because it's in the nature of the of generative AI to try to gain access to as much data as it can. So, so I, I think in that sense, it even multiplies with the sort of traditional over entitlement

challenges. And so, so I, I would say I, I would prefer something which goes more into a delivering identity, security, etcetera, as a service into that world of, of agent development and ensuring that that agents, for instance, in some way maybe are registered with the organization, maybe even even beyond the organization to always understand which, which you can trust or not.

So I, I think there's a really good conversation where we talk about identity for AI, in other words, for agents, we also have the conversation of AI for identity. And what we're starting to see is a proliferation of basically almost every identity tool now has 50% more AI. But there are actually some tools that are bringing AI to

How AI is being baked into identity products beyond role mining

the forefront for identity. I think you're seeing it with one of our sponsors that we had on the past, the Yamans. They have a a chat interface to administer your IGA system to be an end user. We have a a recent sponsor on a red block where they use AI to kind of do that last mile of provisioning. So rather than opening a ticket, you train the AI so that it can go out and automate that

provisioning stuff. What excites you when you look at that this landscape of how AI is being baked into identity products? And one more comment that I'll make is that I feel like a year ago it was like, oh, it can AI can make these suggestions about whether to approve access or how much access a person could get. And I was never excited by that. But when I you know those two examples they just laid out like that shows me technology that just wasn't available in your

fast. Yeah. So I think many of the early sort of AI for identity type of solutions were not overly innovative. So my, my favorite example was whatever role proposals and stuff like that. So everything around, I would say role mining, hey, we did it with Excel two decades ago. So that's what was going to really, really the, the thing which, which which delivered an large added value.

So, so I think we start to see new things like, like, like all the, the augmentation or building, building connectors, which can be, can be massively simplified by, by AI, different types of you access of, you know, So when I go back a couple of years, I think I'm still, for many organizations, it's still one of these tells us that when the auditors ask for certain information that it takes them a lot long and it takes a lot of work to compile all that information.

AI can do that much faster, put together data from different sources, deliver the results, respond to, to certain questions. And I think that that's something where we see, see a benefit. I think we also see a lot of things. So I'm, I'm, for instance, not a big believer in all these bots that then pop up. And so a bit like, like a lot of the box. So you know, you're opening whatever your, your, your user interface and then the, the, it pops up and says, Hey, can I help you?

And you shut it down and then you click on the next link and it comes back and says, Hey, can I help you? Ideally placed very centrally so that you don't see what you really are interested in. So I think we need to we are just scratching different surface in many areas. So I would envision that that AI understands when I need help. So what when I'm stuck when, when the way I'm using a tool is changing because I'm obviously searching for whatever menu, I'm obviously searching for

something. I am slower than I'm usually then then AI may may understand, OK, this is Martin's stock. This is he's stuck in that area. And then it might might start delivering me valuable hints in the context of what I'm currently doing. Sounds a little bit weird and and a bit of has too much supervision. But you know, when, when, when I look at the, the my, my car, that that car can would probably, I never tested it, at

least it, it says it would do an emergency stop if I fall, if, if I fall, fall to sleep and don't sort of don't react. So, so that car is constantly watching me. So we, we have it in, in our everyday life. Why should we do it in software? And it's probably beyond, beyond identity, but it also relates to, to the sort of the UX improvements we see overall. I think we see some, some really interesting stuff here, which

which is helpful. As I've said, application onboarding, one of these huge challenges we, we are seeing that's where AI can be super, super helpful. I think also AI can help us a lot in, you know, one of the things I've said to a couple of vendors when they came up with their first, oh, we have this AI thing and it helps you understanding which entitlements you have and where you're whatever over entitlements are, etcetera. And I said, you know, AI, AI lives from data.

So why, why don't you look at all the usage data and use it

Using usage data to reduce over-entitlements

for instance, to tell me which 90% of the entitlements the users have are never used. That would be a real benefit because then you can reduce the the the number of of or can passively you reduce your level of over entitlements very

quickly. That would be a huge benefit from a, from a security and governance perspective and maybe even understand when someone will need certain entitlements that could be more sort of time or sort of based on other triggers like whatever the finance department needs certain specific entitlements during the around the end of the fiscal year because they do certain things they only do once a year.

Same holds true when you're in factory and for, for, for the machines, the, the suppliers come in and do all the software updates etcetera. During the, the whatever two or three-week summer break. Then you have a defined period where things happen or maintenance periods in, in, in a, in a, in a data centre, all that stuff.

They are well defined. But it also could be that again, clearly a bit scary, but maybe AI understands what will be the next thing you will do because you did it always the same way. It's, it's a bit, a bit again, going back to my car. My car predicts what would be probably my, my next target for. So for the, for the GPS, it predicts, OK, you're probably will go there next because it knows where I'm driving.

So I whatever at certain times in the week I attempt to, to pick up my daughter or bring her back to her to her flat. And that it knows, OK, most likely Martin will drive there. And when he's there, he most likely will drive back to his home. So the same we can do in IT. Also, we have probably way, way more indicators because we have our outlook or other calendar and all that information we could use. And then we could provide access

just in time. We, we just do it sort of the, the millisecond ahead of of when it's needed and we remove it when the action is done. That could be a playing field for AI. Yeah, I agree. That's where AI where you give tremendous value, it's because I think the zero standing privileges seems unachievable without something like AI that can scale. I think for me, where AI really revolutionizes identities when they can make decisions for people.

So we've spent the last 10 years complaining about access reviews and we give the people too much to review it. And then it's like, how do we get away from rubber stamping? And and a lot of it was like, OK, let's just send them the priority stuff. So that delegated out, let's do all these things, but. But I have this. Letting AI decide AAI, we don't have a good idea. We don't need AI for getting rid of access recertifications.

We, we can do it much simpler. You know, the, the easiest way is that we, we just say, OK, you have time limited access. So if you're in the well for recertification, 6 is 6 months only give access for up to six months and you're done with their own little recertification stuff. You probably will give give much less entitlement. So a lot of things would be solved, but that's, that's again a different theme. So, so I say, but but yes, AI can help us to, to fix some of the problems.

But we also should be like like this recertification, we also should be careful of do we cure the symptoms or do we address the cause. And you know for roles for recertification etcetera, cure the symptoms might be helpful. But I think the industry would be also well advised to look at what is the cause of the problem and how do we really address it at that level. Yeah, and I use the example of

recertification. The other example I was going to use was authentications, you know, having AI play a greater role in identifying the person on the way and making the decision that it is the person or it's not the person.

I think ultimately it needs to trace back that if needed, you can see what the decision was based on what were the what was the basis for alliance, you know, approving someone to have access or giving or authenticating an account, an account or making that access review decision if it's say a compliance driven process and you just can't get around doing it for now. But I do think AI is going to

have to provide the paper trail. But you know, overall as I think about AI for identity, I think it's going to continue to be important. I think it's like you mentioned kind of within that framework of non human identities. There's this whole space now of software solutions focusing on

non human. There is, it's just a number of spaces or what should I call it, like sub sectors within identity that keeps popping up. And it's like new acronyms like IVIP, which is I'm not discounting the importance or how cool these different technologies are, but as a practitioner, like how am I supposed to keep track of all

this? IVIP, non human identity, CIEM, ISPM, ITDR, you name it. How do we as practitioners identify which of these is going to be ones that we need to pay attention to that we need to invest in? Or what are the ones that we should wait a little bit because we, we still have the disciplines like IGA access management or privileged access management. But eventually organizations get to the point where it's like, OK, we're, we're, we're solid with those things.

We, we've gotten them too much to the point where it's like, yes, we do enhancements. Yes, we do add, change, remove as needed, but we're ready to take that next level. And you know, how do, where do people invest? What is the? Yeah, What's your framework? Yeah. So, so, so the framework we are propagating for for many years is the identity fabric.

The Identity Fabric: A capability-based approach to IAM

I think we came up with this some 7-8 years ago at least. And and it's increasingly popular also right now used by a lot of other parties, a lot of vendors, some other analyst firms, etcetera. And I think the identity fabric is very helpful for, for that, because with the identity fabric approach, you, you can think about, you have a sort of a capability based approach. So you don't start with the tool, you start with the capability.

So which are the capabilities you you need for certain use cases? And then you can look at sort of do I do you already have these capabilities? You can prioritise capabilities and then you can think about which are the services where I put together certain capabilities and then you can think about the tools that factually delivered that service. And I think we we need to be very careful with this. We have a problem, we need a tool.

It doesn't make that much sense. I think what we should do is think about what are the capabilities that will be added by sort of new technologies that already helps us to understand. I would say for with a little bit of of good human sense, whether this is a something which is likely to exist as a separate tool category over the next years and maybe decades, or whether it's something which most likely will converge into other categories, always other evolutions.

So, so I take CIEM and, and what we call nowadays non human identity management. A lot of those CIEM in some sense is non human access and the other is non human identity. And I think there's a logic that things like that converge to to an extent see how some convergence to to PAM and other

things. I think for IVIP, honestly, IVIP for me is, is, is a bit of a added capability to access governance and, and I think the first question is you should ask yourself that goes beyond the capabilities is why do I need it? So, so you may say I need it, but the question why is much more interesting when we look at IVIP because you don't have sufficient insight into your into your entitlements. In a perfect world of access governance and IGA, you would have that information.

So it probably also means that you have challenges in your IGA program and you need to think about, do I need IVIP temporarily to overcome some of these things to be able to have some insights? Or is it that maybe this is sort of my next evolutionary step where I wait for my IGA vendor to add it because there are some added functions I have. Or is it that I better go back to my IGA program and think how I fix the cause to really have all the applications on

board, etcetera. So what can I do here? Because IVIP would, at the end of the day, sort of deliver something you should have with a good IGA program. A lot of what IVIP promises to deliver should be there already. And so I think the capability-based approach helps you. And then you also, if you take this broader perspective, as in the fabric, you also have a better understanding of these are the different bits and pieces that may be lacking.

And you can prioritize it because no organization can handle to do all these projects in parallel, to add more and more tools. And I don't want identity to end up in the state of today's cybersecurity, where most organisations have far too many cybersecurity tools and still far too many gaps. So without a concept behind, we will end up in a similar scenario. And then also, I think it makes a lot of sense to look at what of this is marketing or analyst hype.

Oh, clearly it's cool for an analyst to bring up a new category of tools that the analyst has invented, but is it really helpful to the end users? Probably not. But you've bundled something there about having too many cybersecurity tools. And let me just speak from my experience. So I've been in IT identity for over 20 years, 20, 25 years. I don't want to date myself too much, but all in the United States. And so I remember working on projects called vendor

rationalization, right. So you take all the IT products that you're using across the enterprise and you look for, hey, we have 7 customer relationship management systems and we only need one. So let's just pick one. And even these others might be better in something. We're just going, if this one does something, we're just going to do that. So I feel like that's a US approach, which is minimizing vendors or one throat to choke or however you want to term it.

Whereas what you've been talking about is identity fabric, which I love that concept. I love the idea that you can take some kind of technology that is maybe more innovative, bring it into the environment, it becomes part of the environment and you can connect it into the central services, potentially leveraging it. Yeah, but it's not. Contributory dancing or is that? No, I think, I don't think so.

I think, I also don't think that it's contradictory to vendor rationalization, because when you look at the capabilities and you map it down to the tools you may already have in place. So the first thing is, when you look for a capability and say, OK,

Vendor rationalization and the flexibility of the fabric

there's something new. You may understand this fabric concept. This capability is already available in some form. It might be not the perfect implementation, but you may have it. And then you already have something where you say, OK, then I can use that capability. The other thing is if you feel and start analysing it, you see that that same capability is

delivered by multiple solutions. Then you can use exactly this approach to start your rationalization and think about does it make sense to reduce it. I think this is always a balance, that sometimes the cost of rationalization is higher than the benefit of rationalization. Again, something to think about carefully, but it also helps you to understand where is the potential for rationalization. When you look at your existing infrastructure, what do you already have?

Which capabilities do you have? Can I not use these same capabilities for the other use case, be it from the same instance or a different instance of the same tool? But the fabric, I think fits very well to that because it needs are it gives you the flexibility that the part is. I think that the main thing is really this understanding of, I take a broader perspective and this is nothing which takes you months or years. You can't do this very, very

fast. And then you can understand what is, where's my redundancy, redundancy or where are my redundancies? Where are my gaps? Are these gaps of relevance or not?

You know, you don't need everything in identity management, and the other element is this what we frequently, commonly use, is our reference architecture, which lists the different building blocks, and bringing these things together helps you to understand, OK, these are all the elements that you need and end up saying, OK, I have all the elements in there.

So if you have a consumer identity management and an employee or workforce identity management, you basically have all elements for partner identity management already available. So you can ask yourself the question, does it make sense to add another solution? Is it maybe even that my access management piece can serve those customers and employees?

But the B2B part always would be sometimes closer to the consumer, sometimes closer to the workforce, but you would have everything as a capability already there. And then you can think about, does it make sense? Is there a benefit in adding another tool if you have certain elements of visibility? Is there a benefit of adding another tool? Or is it maybe even that you say, I can't rationalize because I have already too many

overlaps. And the point, the identity fabric, really the starting point was exactly in these days where beyond workforce identity, we saw consumer identity emerging and then we saw the B2B stuff. And my thinking was, hey, it doesn't make sense to have a ton of identity silos over time. And this is exactly this rationalisation thing, which was therefore, I would say, from the very beginning in the thinking of the identity fabric.

All right. I think with the fabric too, you can have the coexistence of multiple generations of technology and not feel like, hey, every time you want to add some new capabilities, like ripping off the Band-Aid and starting with a full migration project. That was always one of the benefits that I saw in the fabric.

I just wanted to ask you, like on those spaces that we talked about, are there any of them that you feel like people need to be paying really close attention to, like IVIP, which is identity visibility and intelligence platforms? So we had a sponsor on recently, Nexus, who's in that space. ITDR, ISPM. We've had Silverfort on in the past. These feel like compelling solutions. Are there any that kind of jump

off? And I'm not talking about like vendors, but are any of these spaces ones that you feel like organizations ought to be taking a close look at now? Yeah, I think that the most important area clearly is everything around workload identities and AI identity, or AIdentity as I tend to call it. So this is the intersection of AI and identity. I think this is the most relevant field of all of these. And that automatically brings in a certain level of

ITDR for instance. So you can handle this huge amount of sort of new or naturally new identity types without a certain degree of automation and detection response. So you need these capabilities there. But I think from the risk and complexity perspective, I probably would

put my focus on these. And I would say, you know, when you look at the IVIP vendors, most of them are in a sense, or many of them have their roots in the access governance space. So it's an innovation, I would say, plus a new buzzword, mainly in an existing space where it's about continuous improvement. And yes, there might be a need for these capabilities. The same I think holds true for ITDR, also with the relationship clearly to XDR.

The biggest really new challenge, untackled challenge in that sense, clearly from my perspective is workload identities and JDKI identities. And if you have anything in hardware that has identities like industrial IoT and traditional OT, this is also a huge field where things can go horribly wrong. So you should put your focus on that. Yeah, for sure.

So all these topics that we talked about today are ones that are going to get a lot of attention at the EIC, which is coming up in May in Berlin, Germany. I'll be there. Jeff will be there. Martin, tell us a little bit about what to expect. Is there going to be anything different in this year's EIC than in years past? So, so I think EIC the, the,

Previewing EIC 2026 topics: Wallet initiatives and consent

the concepts will remain the same. So we have a lot of tracks, keynotes on the first afternoon, workshops on the 1st morning, the morning keynotes, evening keynotes, a lot of interaction. I think a lot of conversations as usual on the floor where people meet and discuss and exchange. And we also will have what I know again, our food trucks outside and so for the breaks, all that stuff. Topic wise, I think we've touched several of these topics. AIdentity will be very

important. Regular identities will be very important. I think also other evolutions will be important. The identity fabric will play an important role. We will again look at the decentralized identity stuff where a lot of things are going on. So the EUDI wallet is sort of coming closer. We have the Apple Wallet and the Apple ID stuff and other initiatives, and it's clearly about also understanding how does this play into the broader identity field.

We will look at some of the other kind of more consumer identity related topics like consent. So we are preparing, I believe, a very, very interesting keynote section around that with some really, really smart people discussing about what could be the future of consent, because no one likes the cookie consent stuff. So it's really annoying. So we need to figure out better ways to do that. And so I think that

will also be a theme. Might we probably also have a look, because in this EIC term, there's also this cloud element. I think the sovereign cloud discussion clearly is something which is important, especially for a European conference. But when you look at trust, I think today's announcement of AWS for sovereign clouds, where they will spend billions again, it means it's relevant for everyone.

And so we will see, I think, have a very broad set of themes again. We will discuss, we will be again fully hybrid.

So sessions will be available on site, but also you can join virtually, which I think a lot of people really, really appreciate sometimes because they would ever have to break to do a call sometimes in the morning at the hotel and then watch some sessions remotely while they then move to the venue later on. All that stuff will be the same. Food hopefully also will be as good as at all the other conferences we were running. Hopefully the weather is good.

I mean, so my experience from attending last year was the keynotes were fantastic. I mean your keynote, I'm not just saying that because you're here, but your keynote was really good on the identity fabric. It really got me, I think again as like I think I have kind of an American-centric view sometimes, right?

And you know, maybe with the way we talked about it today, I'm softening on that and I feel like maybe it's not so much an American-centric view in terms of product or, you know, picking a solution versus being comfortable with multiple solutions in the enterprise. So the vendor rationalization piece, regardless, I felt like that really got the wheels turning. A lot of the sessions as well.

You had a lot of people from the ID Pro community come from the United States as well as from within Europe attending. There was an identity beer in Berlin that kicked it off. I'm going to be in Italy the following week and we're going to set up an identity beer. Andrea Rossi and Marco are going to, you know, work with me or I'm going to probably do the very minimal versus them and getting that identity beer set up in Rome. It'll be the first one.

So look for that on LinkedIn. If we're not connected on LinkedIn, please let's connect. And I'm sure Martin's the same way, but also the after hours events and things like that. It's just one of my favorite conferences of all time. Thank you. Yeah, absolutely. And I also want to give a shout out to Marina from your team. She was working on the back end, making sure that we get podcasts and we had a good set up and we had discount code, which is very

important to our listeners. So definitely shout out to Marina doing a great job and look forward to working on this year's event with her. OK, yeah. Looking forward to meet you again in Berlin in May. Absolutely, and really appreciate you taking the time. Thank you for doing this, Martin. Any final words for our audience before we depart?

Final advice: Curing symptoms vs addressing causes

You know, I think that the most important thing I believe is we should as an industry, and I think in many organizations, sometimes just take a little time, step back and think about, are we curing symptoms or are we fixing the cause? And I think that would be really helpful. So is this something we just do as an interim solution or is this really the sort of the longer term solution? And also always think about, do we need these added capabilities?

What is the first thing we need? Where do we spend our time and resources? And yeah, being a bit conscious about, so not blindly follow every new buzzword. I think that helps a lot. Good advice. Thank you, Martin. I'm going to wrap up the show everyone, so you can find us on the web at idacpodcast.com. There's the listen function. If you go into listen function, you can search all of our past episodes.

So if there's a topic that you're interested in or a particular person within the industry that may or may not have been on the show, you search for their name, you search for Martin, you're going to find a lot of episodes. He's been on the show quite a number of times. We certainly appreciate that. We're also on YouTube, so you can go to idacpodcast.tv, takes you right to our YouTube page. And of course, we're on every podcasting platform.

So if you're on Apple Podcast or Spotify, I think we're getting to the point where you type in identity, we're going to be the first or the second option, but obviously if you search for Identity at the Center, you're going to find us. If you have a moment and you feel like we've earned it, please give us a five star rating and leave a review for the show if you've got the time. We always appreciate those, and Jeff and I and Martin are all on LinkedIn. We'd love to hear from you.

Any comments you have about anything that was discussed today, please, you know, good, bad, or indifferent, send them our way. Again, thank you, everyone, and we'll see you on the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identityatthecenter.com. See you next time on Identity at the Center.

Transcript source: Provided by creator in RSS feed: download file