Identity at the Center

Recorded live at EIC 2026 in Berlin, Jeff and Jim sit down with Martin Sandren, IAM Product Lead at IKEA, for a wide-ranging conversation covering nearly every corner of modern identity security. Martin shares what has changed since his first IDAC appearance on episode 293, including the rise of AI, growing interest in digital sovereignty, and the maturing shared signals framework. The conversation moves through risk-based defense in depth, tiered MFA rollout strategies, session management, and the real challenge of trusting AI to make security decisions. Martin introduces identity dark matter and explains how IVIP can surface the 95-plus percent of applications that never reach an IGA system. The episode also covers shadow AI, MCP server risks, the SaaSpocalypse debate, and the EU AI Act. It closes on a grounded note: solar panels.Connect with Martin: https://www.linkedin.com/in/martinsandren/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTIMESTAMPS00:00 Welcome and EIC 2026 intro01:47 What has changed in two years: AI, sovereignty, shared signals03:06 Martin's EIC presentations: AI for IAM and IAM for AI04:46 Can you prioritize one direction over the other?07:13 What would it take to trust AI making identity decisions?09:32 AI-enhanced detection and risk-based session management13:07 Session invalidation and the shared signals framework14:11 Defense in depth and right-sizing privileges18:25 MFA today: any MFA versus phish-resistant MFA19:17 AI chatbots, enterprise LLMs, and shadow AI23:11 MCP servers, NHI risk, and return on risk thinking27:00 AI configuring IAM systems: how close are we?31:30 LLM costs, the SaaSpocalypse, and enterprise AI futures40:10 Identity dark matter and the IVIP concept44:16 CMDB versus IVIP: do you need both?46:18 The EU AI Act and building an AI governance registry49:18 Where to start: get your AI inventory in place first50:00 Closing thoughts and the solar panel tangentKEYWORDSAI for IAM, IAM for AI, identity dark matter, IVIP, IGA, shared signals framework, phish-resistant MFA, defense in depth, session management, MCP servers, NHI, shadow AI, SaaSpocalypse, EU AI Act, AI governance, zero standing privilege, EIC 2026, IKEA, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Martin Sandren

Recorded live at EIC 2026 in Berlin, Jeff and Jim sit down with Thomas Zarnhofer, IAM Architect at a major retail company in central Europe. Thomas shares his experience leading a full IGA transformation from a decade-old on-premise system to a modern cloud-based platform. The conversation covers the shift from a contract-based to a person-based identity model, the importance of cleaning data before migration begins, a three-phase framework of Foundation, Migration, and Adoption, lessons learned from running two systems in parallel, and a look at how AI could make IGA predictive. The episode ends with Thomas's tips for visiting Austria.Connect with Thomas: https://www.linkedin.com/in/tzarnhofer/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTimestamps00:00 Introduction and EIC 2026 Setting02:00 Thomas's Identity Origin Story04:21 The Catalyst for IGA Modernization07:43 Contract-Based vs Person-Based Identity Models09:22 Consolidating Master Data Sources11:39 Data Quality and Attribute Ownership13:34 Partnering with HR for Clean Data16:43 Data Analysis: Why They Chose Excel Over AI17:53 Clean Your Data Before You Migrate18:23 The Three Phases: Foundation, Migration, Adoption20:12 Driving Adoption Across the Organization21:10 Running Two Systems in Parallel22:47 Challenge Everything vs Lift and Shift27:23 Surprises in the Cloud IGA Journey29:02 Testing Requirements in the Cloud29:51 AI and the Future of IGA32:25 AI Chatbots and Role Discovery35:30 Scoping Business Role Visibility36:06 Life Outside IAM: Travel and Austria TipsKeywords:IAM, IGA, Identity Governance, IGA Migration, On-Premises to Cloud, Identity Model, Contract-Based Identity, Person-Based Identity, Master Data, Data Quality, HR Integration, Joiner Mover Leaver, Cloud IGA, Retail IAM, EIC 2026, AI in IGA, Predictive IGA, Role Management, Access Governance, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Thomas Zarnhofer

This episode and the Identity at the Center podcast is supported by CrowdStrike. Learn more at crowdstrike.com.Jeff Steadman and Jim McDonald sit down with Scott Kriz, GM of Continuous Identity at CrowdStrike, for a deep dive into continuous identity, zero standing access, and the convergence of identity and security. Scott traces his path from co-founding Bitium, to selling it to Google Cloud, to building SGNL and ultimately joining CrowdStrike. The conversation covers how continuous identity works in practice, why traditional PAM and IGA fall short in a real-time world, and what the rise of agentic AI means for identity governance at scale. Connect with Scott: https://www.linkedin.com/in/scottkriz/Learn more about Crowdstrike: https://www.crowdstrike.com/en-us/platform/next-gen-identity-security/caep/?idacConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.com00:00:00 Introduction and welcome00:01:21 How Scott got into identity and co-founded Bitium00:03:55 Selling to Google Cloud and the inspiration for SGNL00:05:02 Continuous identity and zero standing access explained00:09:13 Defining continuous identity at CrowdStrike00:10:20 How continuous identity differs from PAM and IGA00:15:06 Data as the foundation for continuous identity00:19:29 Open ecosystems, Shared Signals Framework, and CAEP00:25:26 Agents, identity chaining, SPIFFE, SPIRE, and MCP gateways00:33:02 Identity inside CrowdStrike's broader security strategy00:37:27 Identity security budgets and ROI-driven purchasing00:40:04 Agentic scale and the need for automated identity controls00:43:39 The SGNL acquisition: what it means for both companies00:50:25 Zero trust as a real architectural framework00:54:00 Helicopter skiing, avalanches, and staying presentKeywords: IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Scott Kriz, CrowdStrike, SGNL, continuous identity, zero standing access, PAM, IGA, zero trust, agentic AI, non-human identity, NHI, SPIFFE, SPIRE, MCP, identity security, real-time authorization, cybersecurity

Jeff and Jim are back with the May 2026 mailbag, answering listener questions from Amsterdam, Mumbai, Austin, and Berlin. Topics include navigating IAM vendor acquisitions, defending against AI deepfakes in remote onboarding, governing contractor and third-party identities, fixing the leaver process in IGA, and tackling a decade of IAM technical debt. The episode closes with unpopular industry opinions: why RFPs are procurement theater, why rip and replace should be normalized, and why one-throat-to-choke vendor thinking usually backfires.IDPro new member discount: https://idpro.org/idac/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comCHAPTER TIMESTAMPS00:00 Intro and SNL nostalgia03:25 AI model roundup: ChatGPT, Claude, Gemini, and usage limits10:16 Identiverse 2026 and IDPro member discount14:53 Q1: Navigating vendor acquisitions (Isabelle, Amsterdam)24:00 Q2: AI deepfakes in identity verification (Rajan, Mumbai)32:32 Q3: Contractor and third-party identity governance (Caleb, Austin)43:00 Q4: The leaver process and IGA scope gaps (Anonymous)51:10 Q5: Tackling IAM technical debt (Tomas, Berlin)57:00 Normalizing rip and replace01:01:00 RFPs, one throat to choke, and other hot takes01:08:00 Wrap-upKEYWORDSIAM, identity governance, IGA, vendor consolidation, acquisitions, deepfakes, identity verification, contractor management, non-employee identity, technical debt, rip and replace, RFP, joiner mover leaver, leaver process, Identiverse 2026, IDPro, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald

Episode 422 is the debut of Decoded by Identity at the Center, a new sub-series hosted by Jeff Steadman and Sean O'Dell dedicated to unpacking the specifications and standards powering IAM. Joining them is Pieter Kasselman, VP of Open Standards at Defakto and chair of the WIMSE working group. The conversation covers why traditional non-human identity approaches break at agentic scale, how SPIFFE and SPIRE enable short-lived automated credential provisioning without long-lived secrets, and why treating agents as workloads unlocks a decade of existing standards. Pieter walks through critical OAuth specs including JWT authorization grant, token exchange, client ID metadata, and the emerging transaction tokens draft. Sean connects these to practical gateway architecture, continuous access evaluation, and policy-based authorization. The episode closes with real-world deployment examples and a clear takeaway: the tools to secure agentic identity are available today.Episode Links:Pieter Kasselman: https://www.linkedin.com/in/pieter-kasselman-0259862/AI Agent Authentication and Authorization: https://datatracker.ietf.org/doc/draft-klrc-aiagent-auth/Workload Identity in Multi-system environments (WIMSE): https://ietf-wg-wimse.github.io/OAuth SPIFFE Client Authentication: https://datatracker.ietf.org/doc/draft-ietf-oauth-spiffe-client-auth/Transaction Tokens: https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/08/Agentic Identity Control Framework. You Already Have the Pieces. Now Build It. by Sean O'Dell: https://www.linkedin.com/pulse/agentic-identity-control-framework-you-already-have-pieces-o-dell-61b5e/Timestamps:00:00 Introduction to Decoded by Identity at the Center00:13 The mission of the Decoded sub-series03:02 Guest intro: Pieter Kasselman, VP of Open Standards at Defakto06:21 Why agentic identity is urgent: scale, multi-platform, and shifting threat landscape10:42 The real cost of API keys and credential sprawl in agentic systems13:23 Agentic identity identifiers and how SPIFFE assigns unique workload IDs21:00 Credential types: X.509, JWTs, and workload identity tokens31:00 Connecting SPIFFE to OAuth and dynamic registration with client ID metadata38:18 SPIFFE SVIDs, multiple credentials per agent, and governance traceability41:44 Authentication versus authorization: delegation versus impersonation47:00 Transaction tokens: binding access to specific transactions to stop token theft51:21 Identity chaining and cross-domain authorization55:00 Shared Signals Framework and dynamic authorization57:00 Gateways, CAEP, and mid-flight token revocation for rogue agents59:31 What you can deploy today with SPIFFE, OAuth, and existing IDPs01:02:58 Policy-based access control and why instance-level governance cannot scale01:04:58 Workload identity federation: Anthropic and Google Agent ID updates01:07:13 Cross-platform federation and the law of agentic utility01:11:55 Elevator pitch: agents are workloads and 95% of the problem is solved now01:17:03 What is coming next: a transaction tokens deep diveKeywords:agentic identity, SPIFFE, SPIRE, OAuth, transaction tokens, Shared Signals Framework, WIMSE, workload identity, non-human identity, authorization delegation, JWT, CAEP, API gateway, IAM standards, AIMS, Jeff Steadman, Sean O'Dell, Pieter Kasselman, IDAC, Identity at the Center, Jim McDonald, Decoded by Identity at the CenterDecoded by Identity at the Center:Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Sean O'Dell: https://www.linkedin.com/in/seanodentity/Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Visit the show on the web at https://idacdecoded.com/

This episode is made possible by GitGuardian. Jeff speaks with Dwayne McDaniel, Principal Developer Advocate at GitGuardian, about secrets sprawl, non-human identity governance, and the findings of the State of Secret Sprawl 2026 report. With 28.6 million secrets leaked to public GitHub in 2025 - a 34% year-over-year increase - they explore why hardcoded credentials persist, how agentic AI tools are making the problem worse, and what IAM practitioners can do to start addressing machine identity governance. Topics include GitGuardian's Good Samaritan notification program, the growing NHI inventory challenge, SPIFFE and SPIRE as a path to zero standing privilege, and data showing Claude Code co-authored commits are more than twice as likely to contain leaked secrets. Visit gitguardian.com/lps/idac to learn more.Connect with Dwayne: https://www.linkedin.com/in/dwaynemcdaniel/Dwayne's website: https://dwayne-mcdaniel.com/Learn more about GitGuardian: https://www.gitguardian.com/lps/idacGitGuardian Good Samaritan Program (free) - https://www.gitguardian.com/good-samaritanThe State of Secrets Sprawl 2026: https://www.gitguardian.com/state-of-secrets-sprawl-report-2026SPIFFE Book: https://spiffe.io/book/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTIMESTAMPS:00:00 Introduction and sponsor welcome00:48 Dwayne's background and path to developer advocacy04:11 Surprises from entering the identity and security space06:29 What a principal developer advocate actually does09:32 Why secrets became Dwayne's focus area14:10 GitGuardian: overview and mission19:36 Where secrets commonly leak across the SDLC22:17 The Good Samaritan notification program explained28:00 Why 70% of leaked secrets from 2022 were still valid in 202533:54 State of Secret Sprawl 2026: the year software changed40:39 AI coding tools, Claude Code, and secrets leakage data47:28 Practical questions for IAM practitioners to start asking52:24 Zero standing privilege and the case for SPIFFE/SPIRE01:00:00 Resources: the SPIFFE book, WIMSE, and AWS STS01:02:51 Hot sauce, the Cubs, and closing thoughtsKEYWORDS:secrets sprawl, hardcoded secrets, non-human identity, NHI governance, GitGuardian, SPIFFE, SPIRE, workload identity, DevSecOps, agentic AI, Claude Code, zero standing privilege, supply chain security, credential abuse, identity and access management, IAM, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Dwayne McDaniel

What does it mean to build an identity system that is ethical? Jim McDonald and Jeff Steadman are joined by Elizabeth Garber, Executive Director of IDPro and marketing lead for the OpenID Foundation, for a conversation spanning ethics in digital identity, the tension between privacy and safety, biometric exclusion risks, and how practitioners can use structured frameworks to navigate these discussions productively. Elizabeth shares her three-part career journey, the latest from the IDPro community, and previews her upcoming keynotes at EIC Berlin and Identiverse Las Vegas.Connect with Elizabeth: https://www.linkedin.com/in/elizabethgarberIDPro Discount - New members get $25 off their first year of membership: https://idpro.org/idac/Ethics and Digital Identity by Henk Marsman: https://bok.idpro.org/article/id/104/Ethics for Digital Identity and Identity-Driven Algorithms by Mike Kiser: https://bok.idpro.org/article/id/105/Human Centric Digital Identity white paper: https://openid.net/wp-content/uploads/2023/10/Human-Centric_Digital_Identity_Final-v1.1.pdfConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTimestamps:00:00 Intro and Jim's allergy research03:42 Conference announcements: EIC and Identiverse06:00 Welcome Elizabeth Garber07:04 Elizabeth's three-part origin story11:55 IDPro mission and the identity community18:13 Membership, CIDPRO certification, and the Body of Knowledge21:17 IDPro Slack community23:40 IdentiBeer and local meetups26:26 IDPro listener discount at idpro.org/idac29:00 Operationalizing ideas in IAM32:19 Ethics in the IDPro Body of Knowledge33:30 Defining ethics in technology34:19 The trolley problem and moral consistency37:10 Big tech, privacy, and law enforcement39:28 Where practitioners start with ethics43:30 Biometric exclusion and the Uganda story49:00 Privacy vs. safety: a false choice?53:48 The case for consistent ethical frameworks57:53 Elizabeth's EIC and Identiverse talks59:49 Improv comedy and expensive hobbies1:07:25 Wrap-upKeywords: ethical IAM, digital identity ethics, IDPro, identity and access management, privacy, safety, biometrics, exclusion, Elizabeth Garber, GAIN Digital Trust, OpenID Foundation, Body of Knowledge, Ethical Canvas, zero knowledge proofs, passkeys, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, EIC Berlin, Identiverse

In this MailBag episode, Jeff Steadman and Jim McDonald tackle eight questions submitted by listeners from around the world, including Munich, Sao Paulo, Singapore, Toronto, Hanoi, London, Sydney, and Chicago. The conversation covers governing AI and non-human identities, practical first steps toward passwordless adoption, what a mature IAM program actually looks like, who should own identity within an organization, building credibility with leadership as a new IAM practitioner, enforcing least privilege in practice, rethinking access reviews beyond checkbox compliance, and how to make the business case for identity security investment before a breach occurs. The episode wraps up with some lighter listener questions about sports analogies for IAM roles and whether anyone in their personal lives actually understands what they do for a living.Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTIMESTAMPS00:00 - Introduction and RSA Conference debate03:41 - Conference plans for 2026: EIC, Identiverse, and Authenticate05:17 - MailBag intro and how questions get selected06:51 - Q1 (Hans, Munich): Governing AI access vs. human access — same principles or a different approach?12:32 - Q2 (Gabriela, Sao Paulo): Realistic first steps toward passwordless without disrupting everything18:34 - Q3 (Wei, Singapore): What does a mature identity program actually look like?30:26 - Q4 (Marcus, Toronto): When IT and security both claim to own identity, how do you sort it out?39:33 - Q5 (Linh, Hanoi): Building credibility and influence as someone new to the IAM space42:53 - Q6 (Claire, London): Enforcing least privilege in practice without slowing down the business46:14 - Q7 (James, Sydney): Are access reviews just a checkbox exercise, and is there a better way?49:18 - Q8 (Darnell, Chicago): Making the case to a CFO or CEO for identity security investment before a breach52:38 - Lighter note: If IAM was a sport, what position would you play?1:00:27 - Lighter note: Does your family actually understand what you do?1:03:06 - Wrap-up and how to submit future questionsKEYWORDSIDAC, Identity at the Center, Jeff Steadman, Jim McDonald, IAM, identity and access management, MailBag, non-human identity, AI governance, agentic AI, passwordless, passkeys, IAM program maturity, identity ownership, RACI, least privilege, zero standing privilege, access reviews, security theater, identity security budget, business case for IAM, ISPM, IGA, IDPro, Identiverse, EIC, Authenticate conference, RSA conference, cybersecurity podcast, identity security, identity community