
Hey Jedi, welcome to the 114th Edition of the Identity Jedi Newsletter.

Listen… the pressure is real. AI isn’t coming; it’s already in your threat models, your logs, your board questions and collaboration platforms—Teams, Slack, Zoom—are now where identity battles start, not where they end. This isn’t a “watch the trend” moment. It’s a “change how you operate” mandate. Stop reacting. The only sustainable position is to put identity at the control plane and run it with discipline. If you do, you set the tempo. If you don’t, attackers and auditors will.


Let’s Talk Discipline

Let’s talk about something identity leaders don’t say out loud enough: your IAM program is not a tool—it’s an operating model. And right now, many of you are running a 2025 program on 2009 processes and wondering why it feels slow, brittle, and unconvincing in front of the board.

Why now matters: the market is shifting under your feet—AI-native risk scoring is landing in mainstream stacks; collaboration suites are treated like high-value applications; auditors are expanding scope into lateral movement paths you’ve never documented. If your processes can’t ingest new signals, automate decisions, and prove control effectiveness, you will lose time, money, and credibility.

Leadership here is simple, not easy: clarity, prioritization, disciplined delivery. Pick the few identity journeys that carry the most risk and rebuild them for speed and auditability.

Identity: Stop Running a 2025 Program on 2009 Processes

Here’s the uncomfortable truth: your breach risk is less about your vendor list and more about your process debt. You’ve stacked new tools on top of old ways of working—manual approvals, quarterly certs as theater, ticket-driven provisioning, and one-size-fits-all policies. That worked when the threat was slow and the perimeter was clear. It fails when decisions must be risk-adaptive, audit-ready, and fast.

Why teams get stuck

Tool-first thinking.

We buy technology expecting it to “fix” process. Tools only amplify what you already do—good or bad. If your joiner-mover-leaver process is ticket soup, an IGA platform just gives you prettier soup.

Fear of the audit

Many leaders cling to 2010 controls because they feel “safe” in the audit room. Ironically, they produce more exceptions, more compensating controls, and more findings because the process cannot prove effectiveness.

Ownership vacuum

Identity decisions sprawl across security, IT, HR, and app teams. Without a single accountable owner per journey, every change triggers a turf war. Turf beats speed.

No meaningful metrics

If you can’t show time-to-provision, orphaned account half-life, policy exception burn-down, and toxic combo drift, you’re flying by vibe. Boards don’t fund vibes.

Let’s put 2025 discipline on the core journeys.

Joiner-Mover-Leaver (JML)

Uncomfortable truth: Most organizations still key JML off tickets or batch HR feeds. That’s latency you can’t afford.

Fix: Event-driven provisioning from HRIS with policy-as-code. Define role and attribute rules that auto-issue least-privilege and trigger step-up for high-risk duties. Log each decision and its inputs. Build defensible workflows. HR data will always be messy, so design your processes to recover gracefully when data is inconsistent or when unusual transaction patterns start to appear.

Metrics: Median time-to-provision for critical roles, variance by location/business unit, and unprovisioned access half-life after termination. Set hard SLAs and show exception trend lines.
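The JML fix above, as an added example (not the newsletter’s or any vendor’s code): attribute rules as policy-as-code, a step-up flag for high-risk duties, messy HR records routed to quarantine instead of a default grant, and a ledger that keeps inputs, policy reasons and output together. The role names, entitlements and HR event shape are constructed for illustration.

```python
from dataclasses import dataclass, field

# Policy-as-code: a rule fires when every listed HR attribute matches. Constructed roles.
ROLE_RULES = [
    {"match": {"department": "finance"}, "grant": {"erp-reader"}, "high_risk": False},
    {"match": {"department": "finance", "title": "controller"},
     "grant": {"erp-approver"}, "high_risk": True},
    {"match": {"department": "engineering"}, "grant": {"git-dev", "ci-dev"}, "high_risk": False},
]
BASELINE = {"email", "sso"}                       # every active identity gets these
REQUIRED_ATTRS = ("employee_id", "status", "department")

@dataclass
class Decision:
    employee_id: str
    action: str                                   # provision | deprovision | quarantine
    grant: set = field(default_factory=set)
    step_up: bool = False                         # high-risk duty: verify before first use
    reasons: list = field(default_factory=list)   # which rules fired, or why we stopped
    inputs: dict = field(default_factory=dict)    # the HR event exactly as received

def decide(hr_event: dict) -> Decision:
    """Turn one HRIS event into an explainable least-privilege decision."""
    d = Decision(employee_id=str(hr_event.get("employee_id", "?")),
                 action="quarantine", inputs=dict(hr_event))
    # Messy HR data is the normal case: a blank or missing required attribute
    # routes the event to human review instead of a default grant.
    missing = [a for a in REQUIRED_ATTRS if not hr_event.get(a)]
    if missing:
        d.reasons.append(f"missing attributes: {missing}")
        return d
    if str(hr_event["status"]).lower() == "terminated":
        d.action = "deprovision"                  # leaver: revoke everything
        d.reasons.append("leaver event")
        return d
    d.action = "provision"                        # joiner or mover: recompute from scratch
    d.grant |= BASELINE
    for rule in ROLE_RULES:
        if all(str(hr_event.get(k, "")).lower() == v for k, v in rule["match"].items()):
            d.grant |= rule["grant"]
            d.step_up |= rule["high_risk"]
            d.reasons.append(f"rule {rule['match']} -> {sorted(rule['grant'])}")
    return d

LEDGER = []                                       # decision ledger: inputs, policy, output
def handle(hr_event: dict) -> Decision:
    d = decide(hr_event)
    LEDGER.append(d)                              # audit and forensics replay from here
    return d
```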

Privileged Access

Uncomfortable truth: “Always-on” admin rights are a standing invite to ransomware and insider abuse.

Fix: Just-in-time elevation with session recording, command restriction, and mandatory ticket-to-context linkage. Add risk signals—unfamiliar device, anomalous time, new geo—to force stronger verification or deny.

Metrics: Percent of privileged sessions that are JIT, median duration, approvals per session, and step-up rate on high-risk signals. Aim for boredom: every privileged session looks the same.

Access Reviews

Just get rid of ’em. …Sigh… No? Ok.

Uncomfortable truth: quarterly certification campaigns are checkbox theater that burn your managers and miss real risk.

Fix: continuous, scoped reviews. Certify what changed, not what persisted. Use AI to flag weird entitlements by peer-group baseline. Collapse the campaign into a weekly trickle that reviewers actually complete. (Yes, you will have to work with your auditors. Yes, you will also have to do some data cleanup to establish your peer-group baseline for the AI to work. Yes, this shit is simple, but it’s not easy.)

Metrics: reviewer completion time, reassign rate, percent of access removed per review, and relapse rate (re-grants within 30 days). If removal is near zero, your process is performative.
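The “certify what changed, flag by peer-group baseline” review above, as an added example (not from the newsletter): a weekly trickle built from grants added since the last review plus entitlements rare within the holder’s peer group, a guard that refuses to baseline groups too small to be meaningful (the data-cleanup caveat), and the removal and relapse metrics from the paragraph above. User names, peer groups and entitlements are constructed.

```python
from collections import Counter, defaultdict

MIN_PEERS = 3          # below this a peer baseline is noise, not signal; clean up the data first

def peer_baseline(current: dict, peer_of: dict) -> dict:
    """Per peer group: (member count, Counter of how many members hold each entitlement)."""
    members = defaultdict(list)
    for user, group in peer_of.items():
        members[group].append(user)
    return {g: (len(us), Counter(e for u in us for e in current.get(u, set())))
            for g, us in members.items()}

def weekly_review_items(previous: dict, current: dict, peer_of: dict,
                        rare_below: float = 0.3) -> list:
    """Weekly trickle: grants added since the last review, plus entitlements held by
    fewer than `rare_below` of the holder's peers. Items: (user, entitlement, reason, detail)."""
    baseline = peer_baseline(current, peer_of)
    items = []
    for user, ents in sorted(current.items()):
        changed = ents - previous.get(user, set())
        for e in sorted(changed):
            items.append((user, e, "changed", "granted since last review"))
        n, holders = baseline[peer_of[user]]
        if n < MIN_PEERS:
            continue                              # not enough peers to baseline against
        for e in sorted(ents - changed):          # don't double-flag a brand-new grant
            if holders[e] / n < rare_below:
                items.append((user, e, "outlier", f"{holders[e]}/{n} peers hold it"))
    return items

def review_metrics(decisions: list, regrants: set) -> dict:
    """decisions: (user, entitlement, 'kept'|'removed'); regrants: (user, entitlement)
    pairs re-granted within 30 days. Near-zero removal means the review is theater."""
    removed = {(u, e) for u, e, r in decisions if r == "removed"}
    return {"removed_pct": round(100 * len(removed) / max(len(decisions), 1), 1),
            "relapse_pct": round(100 * len(removed & regrants) / max(len(removed), 1), 1)}
```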

Application Onboarding

Uncomfortable truth: app teams see IAM as a tax because onboarding is slow and brittle.

Fix: productize it. Publish a paved road—OIDC/SAML templates, SCIM, group design patterns, break-glass, logging requirements. Offer a 2-week onboarding sprint with a standard acceptance checklist and reusable IaC modules. And yes, vendor tools are rolling out AI features to make this easier as well.

Metrics: time-to-integrate, percent on paved road, number of custom exceptions. Tie funding to paved-road adoption.

What AI and automation actually change

Decision velocity: AI turns signals into risk scores at the moment of access. Your process must know what to do with those scores—step-up, limit scope, deny, or queue for human review.

Coverage: automation eliminates the gap between intention and action. If a mover changes departments, the change propagates automatically. Humans handle exceptions, not the median case.

Evidence: modern identity is a control plane with a ledger. Every decision is explainable: inputs, policy, output. That’s audit gold and breach forensics fuel.
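The Privileged Access fix and the decision-velocity point above, as one added example (not from the newsletter or any product): a JIT elevation request is scored on the signals named in the text (unfamiliar device, new geo, anomalous time), mapped to allow / step-up / queue / deny, denied outright without a ticket, and scoped down and time-boxed whenever a signal fired. The weights, thresholds, role command sets and request shape are constructed.

```python
from datetime import datetime

# Constructed signal weights and role command sets; tune these from your own data.
SIGNAL_WEIGHTS = {"unfamiliar_device": 40, "new_geo": 30, "anomalous_time": 20}
ROLE_COMMANDS = {"db-admin": {"backup", "restore", "drop-table"}}
SAFE_COMMANDS = {"backup"}                        # the scope we fall back to when anything looks off

def fired_signals(req: dict, baseline: dict) -> list:
    """Compare the request with what is already known about this principal."""
    fired = []
    if req["device_id"] not in baseline["devices"]:
        fired.append("unfamiliar_device")
    if req["country"] not in baseline["countries"]:
        fired.append("new_geo")
    hour = datetime.fromisoformat(req["requested_at"]).hour
    if not 6 <= hour < 22:                        # outside the normal working window
        fired.append("anomalous_time")
    return fired

def decide_elevation(req: dict, baseline: dict) -> dict:
    """JIT elevation decision: allow | step_up | queue | deny, always time-boxed and recorded."""
    fired = fired_signals(req, baseline)
    risk = sum(SIGNAL_WEIGHTS[s] for s in fired)
    if not req.get("ticket"):
        outcome = "deny"                          # no ticket-to-context linkage, no session
    elif risk >= 70:
        outcome = "deny"
    elif risk >= 40:
        outcome = "step_up"                       # stronger verification before the session opens
    elif risk >= 20:
        outcome = "queue"                         # park for human review
    else:
        outcome = "allow"
    session = None
    if outcome != "deny":
        commands = ROLE_COMMANDS[req["role"]]
        if fired:                                 # limit scope whenever a signal fired
            commands = commands & SAFE_COMMANDS
        session = {"role": req["role"], "commands": sorted(commands),
                   "max_minutes": 30 if fired else 60, "record": True}
    # Every field below is the evidence trail: inputs, policy outcome, resulting scope.
    return {"principal": req["principal"], "outcome": outcome, "risk": risk,
            "signals": fired, "ticket": req.get("ticket"), "session": session}
```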

Industry News

Palo Alto’s Playing Sherlock on Microsoft Teams—Finally Some Love for Collaboration Security

Palo Alto is turning on deeper detections for Microsoft Teams. Good. Collaboration tools are business systems with identity paths, data exposure, and lateral movement built in. Treat them like critical apps: threat detection, DLP, and identity-aware policies—wired into incident response. If your playbooks don’t mention Teams by name, you’re already behind.

AI Risk Scoring for the Win!

Imprivata just bought Verosint to wire AI-driven risk into access decisions. This isn’t about prettier dashboards; it’s about higher-fidelity signals driving allow/step-up/deny in real time. If fraud and ATO keep showing up in your reports, this is the direction of travel: context-rich scoring at the decision point, not another after-action report. Bring this language into your board prep: “We’re moving from static rules to risk-adaptive control.”

The Last Word

We hit a tipping point last week; I wrote about it here. I can’t help but feel like we are hurtling towards a new reality that our current systems and teams are just not prepared for. I know, I know, we are always gloom and doom in security, but I’m not trying to be; I’m trying to be realistic. This past year, as I’ve been talking to customers and looking at their environments, I’m not seeing a lot of maturity. But when I look at technology and what’s coming, I’m seeing a TON of innovation and fast-moving threats. One of these things is not like the other… strap in folks… it’s going to get bumpy. Happy Turkey Week.

Be Good to each other, Be Kind to each other, Love each other

David
