The planning session appeared on Jordan's calendar three weeks after the partner incident.
The invite came from Karen directly. Phase 2 Planning — Identity Program. Brief agenda: program assessment, next phase priorities, resource alignment. Jordan had been half-expecting it since the audit conversation. Programs that proved themselves in a crisis tended to earn harder questions as a reward.
Jordan arrived early, as usual, carrying the same notebook that had traveled through every meaningful conversation of the past four months. The room was already set, chairs arranged in the tighter configuration Karen preferred when she wanted more conversation and less presentation.
Mark arrived next, followed by Evan. Priya sent a note from her phone: running two minutes behind.
Karen came in last, closing the door with the quiet efficiency that meant she was ready to use the time well.
"Let's start," she said, without looking for a slide deck. "Where do we stand?"
Jordan had prepared a one-page summary. Three columns: what they'd built, what it had proven, what it hadn't caught. The partner service account incident sat in the third column, documented clearly, alongside the remediation plan already in progress.
Karen read it in under a minute. Set it face-up on the table.
"This is a program," she said. "What you handed me four months ago wasn't."
Priya arrived and slipped into her seat. No one acknowledged the door.
"So. Phase 2." Karen leaned back slightly. "What does that look like?"
Jordan paused.
"I want to show you something first," Jordan said, and pulled up two views on the shared screen.
The first was the account inventory from the program's foundation phase. Employees. Contractors. Partners. Service accounts. All mapped, all owned, all running through defined review cycles. Clean lines. Visible structure.
Karen nodded. She'd seen this before.
Then Jordan opened the second view.
A different kind of inventory. Not employees or contractors. Not the service accounts they'd spent months documenting and cleaning up.
AI tools deployed across the business in the last 90 days.
Fourteen.
Each with its own credentials. Its own API tokens. Its own integration pathways into data systems the program had spent four months learning to govern.
Owner listed: none. Lifecycle process: none defined. Review cycle: none established.
The room was quiet.
"Where did they come from?" Evan asked.
"Finance has three," Jordan said. "Legal has two. Marketing deployed one last month, had it running in an afternoon. There's one connecting to the customer data platform that I still haven't been able to trace back to a requester."
Mark's expression didn't change. But his posture did.
"How long have they been running?" Karen asked.
"The oldest one is eleven weeks," Jordan said. "None of them were part of the identity intake process. There wasn't a process for them to go through."
Jordan let the data stay on the screen before continuing.
"When I started this role, we had a visibility problem with human identities. We didn't know what we had. We didn't know who owned it. We didn't know what it had access to or when access had last been reviewed."
Everyone in the room had lived through that version of the program.
"We built something for that. It works. It's proven it works."
Jordan advanced to the next view. The fourteen AI tools resolved into a simple grid. Tool name. Deploying team. Data systems accessed. Owner listed.
Every cell in the owner column was blank.
"Phase 2 isn't a bigger version of what we built," Jordan said. "It's the same program extended into territory we haven't governed yet. Because what we're looking at here isn't just a new category of tool."
Jordan paused.
"These are identities. They authenticate. They access data. They take actions on behalf of the business. Some of them are doing it around the clock."
Mark spoke first. "And they don't show up in any of our existing review cycles."
"Not yet."
Karen had been quiet for most of the last five minutes. Now she folded her hands on the table.
"Is the foundation we built transferable?" she asked. "Ownership. Lifecycle. Review cycles. Does that translate here?"
"The principles transfer," Jordan said. "Every identity needs an owner. Every identity needs a defined lifecycle: how it's created, what it can access, when it gets reviewed, how it gets deprovisioned. Every identity needs visibility in a system that can surface it when something goes wrong."
"Those don't change. What changes is the scale. And the speed."
"An employee gets onboarded over days. A contractor over hours. These tools get deployed in an afternoon by someone who didn't think of it as an identity event."
Jordan looked at the blank owner column on the screen.
"The same pattern that left us with hundreds of unmanaged service accounts before this program started is now playing out faster, across more teams, with tools that have broader access to more data than any service account ever did."
Karen was quiet for a moment. Then: "What do we need?"
They stayed in the room for another hour.
Not long enough to answer all of it. Long enough to ask the right questions about ownership models for AI tools, about what a lifecycle process looked like for a system that could be spun up and deprecated in the same week, about how to build governance that moved with the business instead of behind it.
Jordan walked out into the hallway when it was done, notebook under one arm.
The elevator bank at the end of the corridor was empty. Through the glass, the city was past midday, the light flat and even over the skyline.
Jordan thought about the first week. The calendar invite that appeared without explanation. The Identity Strategy Sync. The meeting where Mark had asked what the strategy was and Jordan had been honest enough to say they didn't know yet.
Four months. One program built from nothing into something that had caught a real problem, responded with clarity, and earned the right to ask harder questions.
And the harder questions were here.
The next challenge wasn't the same as the first one. It was faster. More distributed. It involved identities created by teams who had never thought about identity before, and systems that didn't wait for a provisioning ticket or a joiner workflow.
But the framework was there.
And so was Jordan.
The elevator arrived. Jordan stepped in, already thinking about Phase 2.
The Lesson
Building a solid identity program foundation doesn't protect you from what comes next. It prepares you for it.
Non-human identities have always existed in enterprise environments. Service accounts, API keys, certificates, integration credentials. These predate the current conversation by decades. What's changed is the speed and the scope. AI tools and agents are being deployed by business teams who have never considered the act of identity as an event. The result is a new population of identities multiplying faster than any governance process was designed to handle, with broader data access and no defined lifecycle.
The organizations that will navigate this transition best are the ones that have already done the foundational work. Not because that work directly answers the NHI challenge, but because it instilled the habits the challenge requires. Clear ownership. Defined lifecycle processes. Visibility infrastructure that can surface problems when they occur.
Extend those principles. Don't replace them. An AI tool needs an owner. It needs a defined scope of access. It needs a process for how it gets created, reviewed, and retired. The fact that it was deployed by a finance team in an afternoon doesn't change what it is: an identity that operates with credentials and accesses data that the business is responsible for protecting.
The question to ask in Phase 2 is the same question Jordan asked in week one.
What are we actually responsible for?
The answer just got a lot bigger.
Identity: Season One followed Jordan from a chaotic first week to a program that could finally respond when something went wrong, and see what was coming next. Season Two picks up where the foundation ends, and where the harder work begins.