THE WIRE · THIS WEEK IN IDENTITY
N°01 · AGENTIC AI
A rogue AI agent at Meta passed every identity check, then leaked data for two hours
Classic confused deputy. The agent inherited the permissions of the system that spawned it, and nothing watched what it did after login. The post-authentication blind spot, in production.
VENTUREBEAT →
N°02 · GOVERNANCE
OWASP ships State of Agentic AI Security and Governance v2.01
The standards body said the quiet part out loud: teams are deploying agents faster than they can govern them. Now it is on paper you can hand a board.
GENAI.OWASP.ORG →
Hey Jedi,
I was watching a YouTube video.
A small business owner was walking through how he'd deployed AI agents in his company. The video wasn't technical. He wasn't a security practitioner. He was just a guy running a business who'd figured out that agents could do real work — and he was explaining his process for making it work.
He talked about giving each agent a specific job. A defined scope. He talked about onboarding the agent the way he'd onboard a new employee — setting up credentials, documenting what it was responsible for, making sure it had access to exactly what it needed and nothing it didn't.
I stopped the video.
I'd spent 22 years in enterprise IAM. Joiner-mover-leaver. Access certification. Role engineering. Segregation of duties. The entire discipline built around one central question: who has access to what, and should they? And here was a small business owner in a YouTube video describing the entire governance model — intuitively, without the vocabulary, just because it was the right way to run something that has access to your systems.
That was the moment it clicked.
What clicked wasn't that agents needed governance. I already knew that intellectually. What clicked was the scale of what was coming and how completely unprepared the enterprise was for it.
This small business owner was onboarding two or three agents. He could manage that manually. He could hold the context in his head. He knew what each agent was doing because he built it.
Enterprise environments don't work that way. We're talking about hundreds of agents. Thousands, eventually. Agents that other agents spawn. Agents running inside SaaS platforms you didn't deploy. Agents operating across cloud environments, on-premises systems, and third-party APIs simultaneously. The small business owner's intuition scales to three agents. It does not scale to three hundred.
And I'd been building agents. Interacting with AI systems for years. I understood how they reason — not abstractly, but operationally. How they interpret a goal and find a path. How they don't ask for permission to take the next step. How the access they need to reason effectively is fundamentally different from the access a human needs to do a job.
The controls we had were static. Long-standing credentials. Periodic certifications. Reviews nobody actually reads. Everything we'd built assumed a relatively stable access state — a human identity with a defined role that changed slowly over time. Agents don't have roles. They have tasks. They have contexts. The access footprint changes with every session.
There was nothing in the deployment flow to limit that. No governance gate. No certification trigger. No way to ask whether the access the agent was using matched the task it was actually doing.
We needed a rethink. Not a new tool on top of the existing model. A rethink of the model itself.
The Last Word
That YouTube video didn't teach me anything I didn't already know. It showed me how obvious the problem was to someone with no training in it, and how much work the people with the training still had left to do.
See ya next week.
Be good to each other, be kind to each other, love each other.


