Data, Identity & the Next Security Frontier

The 107th Edition of the Identity Jedi Newsletter

Hey Jedi, welcome to the 107th Edition of the Identity Jedi Newsletter. I’ve been working with several customers lately who are wrestling with fragmented app-onboarding processes—nothing slows a rollout like misaligned entitlements, opaque approval chains, and last-minute surprises. Can’t say that I’m shocked we are still dealing with this problem as an industry, but I am a little surprised there’s been so little improvement. We’ll unpack that problem in an upcoming deep dive. In the meantime, here’s what’s caught my eye this week in the world of IAM.

Let’s Talk about The AI, Data, and Identity Problem

Mark my words, in the next 12 months “AI Posture Management” will become a thing. In fact, I’m sure there are probably about 3 different startups right now trying to get seed funding for the idea. But I digress. If we really get down to it, securing AI is really about data security posture management (DSPM) and identity controls. AI models themselves don’t make decisions; they act on the data you feed them, and that data is only as secure as the identities guarding it. So let’s talk about what would be needed to pull this off.

Visibility Across the Chain

Identity → Resource → Data → AI.

If your identity provider (IdP) can’t show you every token exchange an AI agent performs against a data store, or your DSPM tool can’t tell you which dataset that agent accessed, you have blind spots that adversaries will exploit. The next wave of posture management must fuse identity telemetry (who, which agent, which permissions) with data classification, and then map that into your AI pipelines.

From Static Policies to Adaptive Control

Traditional IAM policies tend to be static: “User A gets read access to Table X.” With AI agents, you need dynamic, context-aware policies that factor in the model’s purpose, the sensitivity of the data slice, and the downstream impact (e.g., “only allow inference calls on anonymized subsets after approval”). Think of it as human-in-the-loop “pre-commit” checks for every model training job.
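As an added illustration of such a context-aware policy (example code, not the newsletter’s own or any vendor’s): the data-slice attributes, the agent’s entitlements and the approval ticket are assumed inputs, and the rules encode the “anonymized subsets after approval” idea above.

```python
"""Context-aware access decision for an AI agent's data request.
Constructed example, not code from the newsletter: the decision combines
identity telemetry (agent, entitlements), the data slice's classification
and the model's purpose, instead of a static "User A reads Table X" rule."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class DataSlice:
    name: str
    sensitivity: str   # "public", "internal", "confidential" or "restricted"
    anonymized: bool   # True when the slice is a de-identified subset


@dataclass
class AgentRequest:
    agent: str
    purpose: str               # "inference" or "training"
    permissions: set[str]      # entitlements held by the agent's service account
    dataset: DataSlice
    approved_by: str | None = None   # human-in-the-loop approval reference (assumed)


SENSITIVITY_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


def decide(req: AgentRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Evaluated on every call, not once at onboarding."""
    # 1. The static entitlement still has to exist: read access on this slice.
    if f"read:{req.dataset.name}" not in req.permissions:
        return False, "agent lacks read entitlement on dataset"
    rank = SENSITIVITY_RANK[req.dataset.sensitivity]
    # 2. Training has the widest downstream impact: require a human pre-commit approval.
    if req.purpose == "training" and req.approved_by is None:
        return False, "training job requires human pre-commit approval"
    # 3. Confidential or higher data is only usable through anonymized subsets.
    if rank >= SENSITIVITY_RANK["confidential"] and not req.dataset.anonymized:
        return False, "sensitive data slice is not anonymized"
    # 4. Restricted data needs approval even for a single inference call.
    if rank == SENSITIVITY_RANK["restricted"] and req.approved_by is None:
        return False, "restricted data requires approval even for inference"
    return True, "allowed"
```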

Starting the Conversation Today

  1. Map your data stores that feed AI pipelines.

  2. Overlay entitlements from your identity solutions—where do agents hold service-account credentials?

  3. Define metrics.

  4. Trademark AI Posture Management, buy a domain, and find some co-founders…😅

The Great IGA Migration—From Legacy Sprawl to Cloud Clarity

I remember the first time I opened an IdentityIQ console that was more maze than map. Dozens of connectors, hundreds of orphaned accounts, and a tangle of certifications that no one could explain—least of all the tool itself. If your IGA environment feels like a cryptic labyrinth, you’re not alone. Over the past year, I’ve seen teams wrestle with legacy on-prem solutions, bolt on “cloud modules,” and lament that migration to a modern IGA feels more daunting than slaying a Sith Lord.

But here’s the truth: migrating an IGA platform isn’t a one-and-done technical project—it’s a strategic reset. Done right, it transforms your identity program from a fragile Frankenstein of scripts and tickets into a flexible, auditable, cloud-native powerhouse. Let’s unpack why so many migrations stumble, and how to chart a smooth path to clarity.

Why IGA Migrations Trip Over Their Own Feet

  1. The “Big Bang” Illusion

    It’s tempting to flip a switch: “We’ve built the new IGA, now retire the old one.” Reality check: your users, apps, and workflows don’t pause for your migration schedule. A “big bang” cutover often means break-fix firefighting for weeks—hardly the hero’s journey you envisioned.

  2. Underestimating Data Complexity

    Your HR system might feed usernames into one forest, automation scripts into another, and your ticketing tool into a custom database. Reconciling these identity sources—mapping overrides, resolving conflicting attributes—can become a full-time archaeology dig.

  3. Role Model Reinvention Syndrome

    Many teams take the opportunity to redesign roles from scratch. Noble in theory, but in practice it spirals into dozens of review cycles with application owners, security, and HR—long after your pilot window closed.

  4. Connector Sprawl

    Every app seems to demand its own “special sauce.” That homegrown CRM needs SCIM v1 with custom attributes, the legacy ERP only speaks LDAP, and the shiny new SaaS platform expects OAuth. Suddenly you’re managing three middleware layers—and none of them talk to each other.

These pitfalls are avoidable if you shift perspective: treat migration as an iterative journey, not a destination.

Four Jedi-Approved Steps to a Successful Migration

Scope with Surgical Precision

  • Pilot Narrow, Then Expand: Pick two or three non-critical applications—ideally one cloud-native SaaS, one on-prem web app, and your directory service—to prove the end-to-end process.

  • Define Clear Boundaries: List exactly which systems, roles, and workflows belong in phase one. Everything else waits.

Data Reconciliation as Ritual

  • Inventory All Sources: Catalog every pipeline that touches identities or entitlements.

  • Attribute Normalization: Apply consistent transformations in a middleware or connector hub.

  • Reconciliation Reports: Before and after each wave, catch mismatches early.
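An added example of what a reconciliation report over normalized sources can look like, not tooling from the newsletter: the three sources and their attribute names are constructed, HR is treated as authoritative, and the findings are the mismatches you want to catch before a wave ships.

```python
"""Reconciliation report across identity sources, run before each migration wave.
Constructed example (not tooling from the newsletter): the HR feed is authoritative;
a directory export and a ticketing user table are the downstream systems."""
# Constructed sample records; each source uses its own raw attribute names.
HR_FEED = [
    {"employeeId": "1001", "mail": "Ana.Silva@Example.com", "dept": "Finance", "status": "active"},
    {"employeeId": "1002", "mail": "bo.chen@example.com", "dept": "Engineering", "status": "active"},
    {"employeeId": "1003", "mail": "cy.dube@example.com", "dept": "Sales", "status": "terminated"},
]
DIRECTORY = [
    {"sAMAccountName": "asilva", "email": "ana.silva@example.com", "department": "Accounting "},
    {"sAMAccountName": "cdube", "email": "cy.dube@example.com", "department": "Sales"},
    {"sAMAccountName": "svc-backup", "email": "svc-backup@example.com", "department": ""},
]
TICKETING = [
    {"user_email": "BO.CHEN@example.com", "team": "Platform"},
    {"user_email": "old.user@example.com", "team": "Support"},
]


def normalize(email: str, dept: str) -> tuple[str, str]:
    """The one transformation every source passes through in the connector hub."""
    return email.strip().lower(), dept.strip().lower()


def reconcile() -> dict[str, list]:
    """Return findings keyed by type: orphaned, missing, conflicts."""
    hr = {}
    for rec in HR_FEED:
        email, dept = normalize(rec["mail"], rec["dept"])
        hr[email] = {"dept": dept, "active": rec["status"] == "active"}
    report = {"orphaned": [], "missing": [], "conflicts": []}
    in_directory = set()
    for acct in DIRECTORY:
        email, dept = normalize(acct["email"], acct["department"])
        in_directory.add(email)
        owner = hr.get(email)
        if owner is None or not owner["active"]:
            # No active HR owner: a leaver still provisioned, or an untracked service account.
            report["orphaned"].append(acct["sAMAccountName"])
        elif dept and dept != owner["dept"]:
            # Same person, conflicting attribute: decide which source wins before the wave.
            report["conflicts"].append((email, "department", dept, owner["dept"]))
    for t in TICKETING:
        email, _ = normalize(t["user_email"], "")
        if email not in hr:
            report["orphaned"].append("ticketing:" + email)
    # Active people the target system will need but the directory never received.
    report["missing"] = [e for e, o in hr.items() if o["active"] and e not in in_directory]
    return report
```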

Role-Model-by-Example

  • Logical Roles First: Draft three to five “golden roles” with clear business justifications.

  • Map to Existing Groups: Align those roles to the permissions your pilot apps already use.

  • Iterate Outward: Expand your role catalog one department at a time.

Automate, Validate, Repeat

  • Connector Templates: Build reusable templates for SCIM, LDAP, API, etc.

  • Preflight Checks: Integrate schema and policy validations into your automation workflows.

  • Dashboards & Alerts: Monitor sync failures, reconciliation discrepancies, and certification progress.

Process Re-Engineering: Embrace the Tesla Mindset

Stop trying to make your 2025 Tesla operate like your 1995 Toyota Camry. That’s the essence of process re-engineering. When you bolt modern IGA onto old processes, you’ll spend more time fighting the system than driving progress. Instead:

  • Question Every Assumption: Does approval really need six signatures? Can access requests auto-route based on role?

  • Redesign for Speed & Control: Modern IGA platforms offer built-in workflows, dynamic attestations, and API-first connectors—use them, don’t work around them.

  • Shift Left on Governance: Embed policy checks and data validations into early stages of application deployment rather than auditing after the fact.

  • Continuous Improvement Loop: With cloud-native IGA, you can iterate weekly. Launch a new workflow on Monday, gather feedback by Wednesday, refine by Friday.

A Tesla’s over-the-air updates, telemetry-driven optimizations, and integrated control plane aren’t features you graft onto a ’95 Camry; they’re built-in from day one. Your IGA process deserves the same re-engineering mindset.

The Cloud-Native Finish Line

Once you’ve migrated your pilot and re-engineered your processes, you’ll see:

  • Elastic Scalability: Cloud IGA adapts to demand—no more hardware refresh firefights.

  • Continuous Updates: Features and security patches drop seamlessly.

  • Unified Insights: Combine provisioning telemetry, identity risk scoring, and non-human identity metrics in one pane of glass.

Your First Mission: The 5-Day Sprint

  1. Day 1: Kickoff workshop—confirm pilot scope and map current processes.

  2. Day 2: Inventory pilot systems and document schema, role, and workflow gaps.

  3. Day 3: Draft three logical roles; map them to existing permissions.

  4. Day 4: Configure your first connector template; test provisioning/de-provisioning.

  5. Day 5: Run a reconciliation report; demo to stakeholders and collect feedback.

Treat each sprint as a chance to re-engineer—not just migrate. You’ll reclaim time, reduce risk, and build a process that drives continuous value.

—May the force be with you

Quick Tip of the Week

Here’s a homework assignment I’ve given to a couple of customers over the last couple of weeks. Context: your IAM project is stuck, stalled, or looking at a migration.

Pick one thing in your current identity program that drives you nuts—maybe it’s slow approvals, orphaned service accounts, or manual access reviews. Then:

  1. Design the ideal flow for it.

  2. Define success metrics (e.g., time to onboard, number of manual interventions, risk reduction).

  3. Estimate the business impact (e.g., faster time-to-market, fewer audit findings, improved developer velocity).

Have fun with it—and shoot me a note on what you come up with!

Industry News

Love & Hate: AI Agents Are Growing Security Risks

Okta Unveils “Auth for GenAI” Developer Preview

CyberArk’s Q1 2025: 43% Revenue Growth & $1.215 B ARR

PODCASTS

The Last Word

Yes, I know it’s late. Sorry, but it’s been a whirlwind 10 days. I’ve got so much content to put out over the next month, and lots of things on my mind that I want to share with you. Identiverse was fantastic; I had such a fun time. I’ll do a recap here soon, and I’m already posting content from that week. Summer is here, so make sure you get a chance to enjoy it. See ya soon!

Be Good to each other, Be Kind to each other, Love each other

David
