
Hey {{first_name | Jedi}}, welcome to the 113th Identity Jedi Newsletter. Coming up this week, let’s talk AI agents, service accounts, and audits.
Listen, the board doesn’t care how many MFA prompts you shipped. They care if a contractor’s stale token can still drain production, or if an “AI agent” you stood up last quarter now has God-mode in your CRM. Identity is the control plane. If it’s sloppy, everything downstream is negotiable—detection, response, even your audit story. Pressure is up. Auditors want proof, not vibes. Execs want velocity without headlines. And your stack just grew a thousand non-human identities you can’t see, don’t meter, and definitely aren’t governing. That’s the gap, but it’s also the opportunity. If you can bring order to entitlements, service accounts, and AI connectors—with automation and receipts—you win. If not, your blast radius is waiting for a bad day… a very bad day.
Let’s Talk
about something identity leaders don’t say out loud enough: most of your risk isn’t users—it’s the permissions you never reclaimed and the machines you never governed. The thing we aren’t saying is that permission debt compounds faster than tech debt. You’ve got “temporary” access from the outage in May still hanging around in prod. You’ve got a zombie service principal owning a crown-jewel datastore because nobody knew who to page. And now you’ve got AI agents spinning tokens and scopes like it’s free candy.
Why now?
Because audits are narrowing to evidence of control, not intent. Because the SEC turned “material cyber events” into board questions. Because your 2025 roadmap includes more automation, more agents, more integration—whether IAM is ready or not.
Leadership here means ruthless clarity on scope, brave prioritization (workloads before niceties), and disciplined delivery you can show on a slide.
Zero Standing Privilege That Actually Sticks
Most “least privilege” programs are theater.
You run an annual attestation, sprint through heroic spreadsheets, and three weeks later emergency access, one-off project grants, and “temporary” service accounts have quietly rebuilt your risk.
Why?
Because you’re trying to drive a Tesla with a Camry playbook — manual approvals, static roles, and faith-based cleanup.
The world moved. Your governance didn’t.
Why teams get stuck
Role bloat & entitlement soup
Years of “just add one more role,” M&A chaos, and app migrations left you with 2,000+ groups and 17 paths to prod. RBAC turned into RB-guess.
Immortal service accounts
Owners leave. Tickets close. Tokens never expire. Nobody touches it because “something might break.” Until something does break — and suddenly that “quiet little account” becomes incident #1.
Rubber-stamp attestations
Managers approve everything because the UI is trash and the blast radius isn’t visible. No usage data, no context, no heat map. Just “Approve All.”
Emergency access that never dies
Outage? Flip the break-glass. Two months later? Still live — because nobody circled back.
Tool worship without discipline
Buying PAM or IGA doesn’t fix sloppy thinking. Otherwise your roadmap just becomes a museum of dashboards.
The Fix: A 90-Day Zero-Standing-Privilege Sprint
You don’t boil the ocean.
You drain a bathtub… with receipts.
1) Draw the boundary of pain
Pick 2–3 business-critical systems — revenue, customer data, or production control plane.
At least one cloud platform + one data tier.
Map identities & access paths:
Humans
Service accounts
Workload identities
AI agents
Emergency access paths
Debug tunnels
If you don’t have a diagram, whiteboard it. Photograph it. That’s your truth.
2) Define zero standing privilege — for real
Default deny
JIT elevation only
Purpose required (ticket / change / incident)
MFA everywhere
Tokens expire — no exceptions
60-minute max elevation window
Dual control for crown jewels
Static privilege is a business decision. Make someone own it.
3) Automate the gates
Policy-as-code
Real-time signals (device, location, posture)
Auto-revoke on offboarding / incident
Kill switch for bad deployments
If your control can’t revoke in seconds, it’s not a control — it’s a suggestion.
4) Make service accounts first-class citizens
Inventory + classify
Owners required (block deploy if missing)
Expiry + rotation SLAs
Separate prod vs non-prod scopes
Temporal scopes for batch jobs (2am jobs shouldn’t run at noon)
Unknown identity = security incident
5) Build receipts for auditors
Evidence lives in one place, not in screenshots:
Elevation logs
Policy diffs
Auto-closure of exceptions
Exception register w/ expiry & business sign-off
Weekly metrics
Standing admin count
Mean elevation time
% service accounts with rotation + owner
Top 10 riskiest entitlements by usage
Auditors don’t hate risk — They hate un-owned risk.
6) Socialize the blast radius
One slide: Where admin can happen and how access dies.
Green arrows = just-in-time pathways
Red boxes = standing privilege being eliminated. Then demo it live:
Request
Approve
Rotate
Revoke
Ten minutes. Zero screenshots. Receipts > rhetoric.
The discipline that makes it stick
Exceptions get owners, expiry, and review cycles
Drift detection auto-opens PRs
“No owner, no prod.”
“No policy, no elevation.”
Hard gates change behavior. Nothing fixes culture faster than “blocked by policy.”
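As an added example (not the newsletter’s own tooling), here is a small policy-as-code gate that encodes the step 2 elevation rules (default deny, purpose required, MFA, 60-minute cap, dual control for crown jewels) and the step 4 service-account rules (owner required for prod, rotation SLA, unknown identity is an incident). The resource names, purpose prefixes and the 90-day rotation SLA are assumptions.

```python
# Constructed gate; names and SLA values are assumptions, not the newsletter's tooling.
from dataclasses import dataclass
from typing import Optional

MAX_ELEVATION_MINUTES = 60                       # 60-minute max window
ROTATION_SLA_DAYS = 90                           # assumed rotation SLA
CROWN_JEWELS = {"prod-billing-db", "prod-k8s-control-plane"}  # constructed
PURPOSE_PREFIXES = ("TICKET-", "CHG-", "INC-")   # ticket / change / incident

@dataclass
class ElevationRequest:
    identity: str
    resource: str
    purpose: str            # must reference a ticket, change or incident
    minutes: int            # requested elevation window
    mfa_verified: bool
    approvers: tuple = ()   # crown jewels need someone other than requester

def evaluate_elevation(req: ElevationRequest) -> tuple:
    """Default deny: allow only if every rule passes; every failure is
    recorded so the decision doubles as an audit receipt."""
    denials = []
    if not req.purpose.startswith(PURPOSE_PREFIXES):
        denials.append("purpose must cite a ticket, change or incident")
    if not req.mfa_verified:
        denials.append("MFA not verified")
    if not 0 < req.minutes <= MAX_ELEVATION_MINUTES:
        denials.append("elevation window exceeds 60-minute max")
    if req.resource in CROWN_JEWELS and not set(req.approvers) - {req.identity}:
        denials.append("crown jewel requires dual control")
    return (not denials, denials)

@dataclass
class ServiceAccount:
    env: str                            # "prod" or "nonprod"
    owner: Optional[str]                # None = nobody to page
    rotated_days_ago: Optional[int]     # None = never rotated

def deploy_gate(name: str, inventory: dict) -> list:
    """Deploy-time gate: an empty list means the deploy may proceed."""
    acct = inventory.get(name)
    if acct is None:                    # unknown identity = security incident
        return [f"INCIDENT: {name} is not in the service-account inventory"]
    findings = []
    if acct.env == "prod" and not acct.owner:
        findings.append("no owner, no prod: block deploy")
    if acct.rotated_days_ago is None or acct.rotated_days_ago > ROTATION_SLA_DAYS:
        findings.append("credential past rotation SLA")
    return findings
```

Both functions return the list of failed rules rather than just a boolean, which is what turns a gate into a receipt an auditor can read.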
Pick the systems. Draw the line. Say it out loud.
“We’re shrinking blast radius without slowing shipping.”
Give a date. Publish a dashboard. Burn the safety rope behind you. And when someone asks to skip controls, ask: “Are you willing to put your name on the exception?”
Watch how fast the priorities change.
The Last Word
If you think AI is a bubble, you could be right. But it’s definitely a productive one. These past two days alone I’ve created more productivity with AI applications than anything I’ve done in my entire career as a software developer. All done in hours, without coding. It’s not hype, folks. It’s real. It’s trivial things, stuff that helps me run the media company and be more productive as an entrepreneur, but it’s what it allows me to do. For instance: in one day I created an agent to research topics and sort them by relevancy, and then another agent to serve as an editor to look for themes and draft editorials for my review. Set to run every day and store the reviews where I can access them, or I can run it on demand. Hours of work done in seconds. Not only does it save me time, but it saves me the cost of having to hire someone to do it. Instead of hiring on Fiverr/Upwork/insert freelance tool here: OpenAI and Make.com for roughly $29/month.
So let’s look at the current landscape of AI right now. CUA models have every vendor you can think of releasing a version of a “smart connector,” enabling the ability to connect to applications more easily and in a more automated way. But that’s just the tip of the iceberg. The beauty of AI is the ability to “reason”: not just simple “if-then-else” rules, but a general set of instructions to follow and abide by. Think “policy.” The next wave of identity systems is coming next year: agentic systems that work towards solving problems instead of configuring them. I, for one, can’t wait!
Be Good to each other, Be Kind to each other, Love each other