
Welcome to the 118th edition of the Identity Jedi Newsletter. Coming up in this week's edition, we gotta talk about OpenClaw. I got some thoughts people…

This week, something shifted for me. Not in a hype-cycle way. Not in a vendor-demo way. In a “we just crossed a line” way. OpenClaw might be the tipping point. If software was eating the world, AI is now devouring software. And identity is sitting directly in the blast radius.

Let’s talk about it.

We Have Jarvis Now. Are We Ready?

This week I listened to the OpenClaw founder break down the assistant he built and the philosophy behind it. It was mind-blowing. We are not talking about chatbots anymore. We are talking about systems that can reason, plan, make decisions, execute tasks, call tools, and work alongside you.

This is Jarvis-level technology. Not theoretical. Not ten years from now. Now.

So pause for a second.

If this is happening at the personal level, what happens when enterprises deploy it at scale? Everyone jumps to Skynet and Ultron. But that’s not the real threat. The real threat is the infrastructure we wrap around it.

At its core, OpenClaw is a gateway in front of an LLM. It enables omnichannel interaction, tool orchestration, and multi-step execution. To unlock its full power and convenience, it needs access. Access to email. Access to files. Access to internal systems. Access to APIs.

And this is where everything changes.

Because if we apply our old identity model, we just gave an LLM permanent standing access to everything that’s fully accessible to the internet.

I’m going to let that marinate for a second…….

………….

……little bit more……….

ok, moving on.

Historically, we assigned access based on educated guesses. Roles. Groups. Entitlements. Just-in-case provisioning. We left access sitting there because we didn’t know intent. Now we do. In a prompt-based world, the user tells the system what they want. The agent creates a plan. The system knows exactly what data and operations are required. For the first time in cybersecurity history, we can see intent at runtime. Which means access should be fine-grained, contextual, runtime-based, and ephemeral.

Not permanent.

This isn’t a feature request. It’s the only way this works safely, because the AI itself isn’t the danger. Unbounded permissions are.

A Blueprint Worth Watching

Identity legend Sarah Cecchetti built an AI agent called Claudrey Hepburn. But here’s what impressed me most. She built a policy engine first. Using Cedar, she defined what the agent could and could not do before giving it personality.

That’s the model.

Guardrails before charm. Policy before power. If you haven’t read it, you should. It’s a blueprint for responsible AI identity design.

That’s how this gets done right.
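To make the two ideas above concrete (access derived from the plan at runtime, and policy defined before power), here is an added sketch that is not OpenClaw code, not Cedar, and not taken from Claudrey Hepburn. The `POLICY` table, the `GrantBroker` class, and the action and resource names are all hypothetical; a real deployment would put a policy engine such as Cedar where the dictionary lookup sits.

```python
import posixpath
import time
from dataclasses import dataclass

# Guardrail policy, written before the agent gets any access (default deny).
# Constructed for illustration: action -> resource prefixes it may ever touch.
POLICY = {
    "mail:read": ("mail/inbox/",),
    "files:read": ("files/projects/",),
    "mail:send": (),  # listed with no prefixes: never allowed for this agent
}

@dataclass(frozen=True)
class Grant:
    action: str
    resource: str
    expires_at: float

class GrantBroker:
    """Issues short-lived, single-resource grants derived from an agent's plan."""

    def __init__(self, ttl_seconds=60, clock=time.monotonic):
        self.ttl, self.clock, self.grants = ttl_seconds, clock, []

    def _policy_allows(self, action, resource):
        return any(resource.startswith(p) for p in POLICY.get(action, ()))

    def approve_plan(self, plan):
        """plan: (action, resource) steps declared for one prompt.
        Approved steps become grants; rejected steps are returned."""
        rejected = []
        for action, resource in plan:
            norm = posixpath.normpath(resource)  # collapse ../ before matching
            if self._policy_allows(action, norm):
                self.grants.append(Grant(action, norm, self.clock() + self.ttl))
            else:
                rejected.append((action, resource))
        return rejected

    def authorize(self, action, resource):
        """Check at the tool boundary: exact match on an unexpired grant only."""
        now = self.clock()
        norm = posixpath.normpath(resource)
        self.grants = [g for g in self.grants if g.expires_at > now]  # expire
        return any(g.action == action and g.resource == norm for g in self.grants)
```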

News

A new industry report shows that roughly one-third of successful attacks now involve stolen credentials, with infostealer malware and phishing tactics accounting for a large share of initial access efforts. The analysis concludes that identity and supply-chain visibility must be elevated as core enterprise priorities because attackers are increasingly using compromised identities to breach deeper into environments. This reinforces the idea that identity is the perimeter — and AI-enabled workflows only amplify that attack surface.

A new study reveals that organizations running AI agents with excessive privileges experienced up to 4.5× more security incidents than peers with tighter access controls. This strongly validates the concern that unbounded autonomous identities pose quantitatively greater risk, especially when those agents operate with standing access to sensitive systems or data.

A major non-human identity and secrets governance platform just raised $50M in funding to tackle machine-identity and AI agent risk across enterprises. The CEO emphasized that secrets sprawl and non-human identities are exploding, and organizations need tools that detect, remediate, and govern these identities — especially as agents and autonomous workflows proliferate. This funding round underscores that the market now sees non-human identity security as a core imperative, not an optional add-on.

Identiverse 2026 — I’m In

On that note, I’ve got two talks accepted for Identiverse 2026. We’re going to push this conversation even further live on stage. If you’re planning to attend, use my speaker discount code:

IDV26-Speaker25

And because we’re building community here, I have one full conference pass to give away. If you want one, reply to this newsletter with why you should be there. I’ll select a winner next week.

New Digital Product — IAM Workshop in a Box

If you’ve ever thought, “We need to reset our identity program but don’t know where to start,” I built something for you. The IAM Workshop in a Box is a complete facilitation framework to align stakeholders, define identity outcomes, cut through noise, and reset your program properly.

No fluff. No theory-only slides. Just structure and execution.

You can check it out here:

The Identity Jedi Digital Store

Frameworks. Guides. Deep dives.

If you want practical tools instead of surface-level commentary, the Identity Jedi Digital Store is live.

The Last Word

Listen, those who know me know I’ve been wanting to build my own Jarvis for a long time. OpenClaw looks like the closest I’ll ever get. (Fun fact: I started down this path waaay back in 2008 when I started my first company. That’s a different story for a different time.)

So stay tuned as I’ll be building and launching my OpenClaw agent over the coming weeks. I’ve just got to get a Mac Mini, and get through a packed travel schedule, prep for Season Four of the podcast, and oh yeah, full-time job, but THIS…this has weekend coding vibes all over it. All my premium subs, I’ll keep you posted on the updates!

It’s an exciting and scary time in the world right now. Things are changing, some in ways we never would have imagined. I implore you, embrace the change, study it, learn it, and help guide it.

See ya next time.

Be good to each other, be kind to each other, love each other

David Lee
