In partnership with

Give AI agents their own identity guardrails

AI agents need access to your apps, data, and clouds — but traditional IAM can’t deliver the guardrails or observability required.

That’s why we built the first identity orchestration platform for AI agents so enterprises can securely adopt agentic workflows at scale.

Get VIP access to a sandbox and experiment with the future of agentic identity today.
Join the private preview >

Hey Jedi, welcome to the 110th edition of the Identity Jedi Newsletter. Special shoutout to our sponsor this week: be sure to check out the crew over at Strata, as they are giving you special access to the private preview of their latest release around Agentic AI orchestration.

On the news front, identity keeps edging from “management” into security as real-time session control, non-human identity (NHI) governance, and passwordless move from pilots to platforms. NIST SP 800-63-4 is now final, raising the bar on assurance; Azure DevOps rolled out (then briefly paused) Continuous Access Evaluation (CAE) to sync Conditional Access changes during live sessions; and passkeys continue to surge across the ecosystem. [1]

Let’s Talk About the Evolution of Identity Management to Identity Security

Identity has always followed the shape of risk. In 2002, Sarbanes-Oxley (SOX) forced verifiable controls and audit evidence, pushing early IAM toward provisioning, separation of duties, and proof. [2] A decade later, cloud computing dissolved the network perimeter, making federation, SSO, and MFA table stakes rather than add-ons. [3] Then remote work went mainstream during the pandemic, accelerating the shift to Zero Trust and identity-centric access—codified by NIST SP 800-207 and echoed in industry adoption studies. [4]

Now AI is evolving IAM again. We’re securing agents, workloads, and APIs—identities that outnumber humans by eye-watering ratios—and we’re doing it with assurance, continuous evaluation, and passwordless by default. NHIs have become a weekly risk headline, and vendors are reorganizing around identity security (e.g., Okta’s recent Axiom Security acquisition to bolster PAM). Meanwhile, platform moves like Google Cloud’s no-cost EU/UK data transfers are reshaping multicloud portability—good news for avoiding identity lock-in architectures. The new mandate: treat identity as a security control plane with real-time revocation, machine-native policy, and proof on demand. [5]

The Live-Fire That Sold Identity Security

The boardroom still smells like skepticism. You open with the smoothest thing in security: a passkey sign-in to a high-risk app. No password reset theater, no SMS roulette—just a verified device doing exactly what it’s supposed to do. The CFO leans forward because the login is both faster and safer—phishing-resistant by design and enforceable for sensitive resources. That’s your first lesson: security that speeds people up gets funded. [6]

Next you raise a role for a scheduled change. Mid-session your partner flips the network from corporate to an untrusted segment; Continuous Access Evaluation (CAE) fires and the session challenges, then drops. There’s no “wait for token expiry.” You’ve just shown identity as a runtime control, not a quarterly policy. Eyes move from the CISO to the COO—because runtime control is operational risk control. [7]

Then you show the agent catalog. Every non-human identity lists a human owner, purpose, scopes, last rotation, last successful run, and a kill switch. You press it. The pipeline fails safe, the audit trail updates, and the page with evidence is already waiting in the board deck. There’s a beat of silence—the good kind—when everyone realizes incidents don’t have to be crime scenes if the control plane is real. [8]

You land the plane with a simple arc: SOX taught us to prove controls; cloud made identity the front door; remote work made Zero Trust non-optional; AI (and its NHIs) make identity the security system itself. What used to be “user admin” is now access reliability—who gets power, how quickly it adapts to risk, and how instantly you can take it back. The board nods because that language maps to the business they run.

Why this is important (right now)

  • Attackers exploit time, not just creds. Phishing-resistant auth cuts credential theft; CAE eliminates the window where stale tokens keep doors open; NHI governance removes “forever keys.” Together, they shrink the blast radius and the dwell time.

  • Audits are moving from screenshots to streams. API-driven evidence (sign-ins, directory audits) turns SOX/PCI/HIPAA from month-long hunts into a query. That’s real OPEX back.

  • AI multiplies identities. Agents, service accounts, bots—they already outnumber humans in many estates. Govern them like first-class identities or they’ll govern your incident queue.

How this maps to the business

  • Revenue & CX: Passkeys remove login friction on high-value journeys → fewer abandons, fewer resets, more completed transactions.

  • Cost & Efficiency: Claims-aware sessions + JIT cut help-desk resets, shrink admin time, and reduce “access drift” cleanup.

  • Risk & Resilience: MTTR-to-revoke measured in minutes (not hours) lowers breach impact and makes tabletop outcomes predictable.

  • Compliance & Proof: API-native evidence means you can prove “who had what and why” without archaeology—lower audit cost, higher confidence.

Take this with you (use today)

  • Adopt three SLOs and publish them:

    • Phishing-resistant coverage: 100% of admin & finance roles on passkeys/FIDO within 30 days.

    • Revocation speed: ≤5 minutes MTTR-to-revoke for a user and an agent (prove it monthly).

    • NHI accountability: 90% of agents with named owner, purpose, and max lifetime within 45 days.

  • Run the 15-minute live-fire demo: passkey sign-in → JIT elevation → CAE challenge → kill switch + evidence link. Save the screen recording; make it your budget slide.

  • Ship one pattern, not a project: Pick a single high-risk workflow (prod deploys or finance exports). Move it to passkeys + JIT + CAE + agent kill switch. Measure time-to-prove and time-to-revoke before/after; report the deltas at staff meeting.
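As an added example (not code from the newsletter or from any vendor it mentions), here is a small Python checker that scores a constructed inventory against the three SLOs above and flags agents that have outlived the max lifetime recorded in the agent catalog; the User and Agent records, the set of methods counted as phishing-resistant, and the sample data are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

PHISHING_RESISTANT = {"passkey", "fido2"}  # assumed: authenticators that count for SLO 1
@dataclass
class User:
    name: str
    role: str          # e.g. "admin", "finance", "sales"
    auth_method: str   # strongest authenticator enrolled
@dataclass
class Agent:
    name: str
    owner: Optional[str]              # named human owner
    purpose: Optional[str]
    max_lifetime_days: Optional[int]  # declared credential lifetime
    last_rotation: datetime

def phishing_resistant_coverage(users, roles=("admin", "finance")):
    """Share of in-scope roles whose strongest authenticator is phishing-resistant."""
    scoped = [u for u in users if u.role in roles]
    return sum(u.auth_method in PHISHING_RESISTANT for u in scoped) / len(scoped) if scoped else 1.0

def nhi_accountability(agents):
    """Share of agents with owner, purpose and max lifetime all recorded."""
    return sum(bool(a.owner and a.purpose and a.max_lifetime_days) for a in agents) / len(agents) if agents else 1.0

def worst_mttr_to_revoke(revocations):
    """Longest gap between a revocation request and the moment the last session actually died."""
    return max((effective - requested for _, requested, effective in revocations), default=timedelta(0))

def stale_agents(agents, now):
    """Agents past their declared max lifetime, or with no lifetime declared at all."""
    return [a.name for a in agents
            if a.max_lifetime_days is None or now - a.last_rotation > timedelta(days=a.max_lifetime_days)]

def slo_report(users, agents, revocations):
    """Pass/fail for the three SLOs, using the thresholds published above."""
    return {
        "phishing_resistant_100pct": phishing_resistant_coverage(users) >= 1.0,
        "revoke_within_5min": worst_mttr_to_revoke(revocations) <= timedelta(minutes=5),
        "nhi_accountability_90pct": nhi_accountability(agents) >= 0.9,
    }
# Constructed sample inventory (not data from any real estate); revocations are (subject, requested, effective).
NOW = datetime(2025, 10, 1)
USERS = [User("alice", "admin", "passkey"), User("bob", "finance", "sms"), User("cam", "sales", "password")]
AGENTS = [Agent("deploy-bot", "alice", "prod deploys", 30, NOW - timedelta(days=10)),
          Agent("export-bot", "bob", "finance exports", 90, NOW - timedelta(days=120)),
          Agent("legacy-sync", None, None, None, NOW - timedelta(days=400))]
REVOCATIONS = [("bob", NOW, NOW + timedelta(minutes=2)), ("export-bot", NOW, NOW + timedelta(minutes=12))]
```

Running `slo_report(USERS, AGENTS, REVOCATIONS)` on the sample fails all three SLOs, and `stale_agents(AGENTS, NOW)` names the two agents whose credentials should already have been rotated or retired.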

Look, I get this is fictional; the point is we have to start looking at identity and measuring it in metrics that make sense to the business and cents to the business. (Read that last part again.)

The Last Word

Time is the most precious resource that we have. Spend it as such. For those of you that have been rocking with me for a number of years, you know I’m about so much more than just identity and security. There is a reason why I end every newsletter and podcast with the same words... it’s because I mean them. Hug somebody you love after you read this, for no reason at all, just because you can. Till next time.

Be Good to each other, Be Kind to each other, Love each other

David
