
Welcome to the 121st edition of the Identity Jedi Newsletter!
Have we been thinking of identity in the wrong way? Is it really just infrastructure? (Shout out to Richard Bird, as this was his idea, and it’s been living rent-free in my head ever since he mentioned it to me.) Let’s dig in! It’s the rare Friday drop (I’ll explain why in The Last Word).
Let’s get to the good stuff!
Identity Jedi Store
Don’t forget to check out the Identity Jedi Store. E-books, guides and all kinds of good stuff there.
You're Asking the Wrong Question
Identity as Infrastructure — Rethinking Security Architecture for the AI Era
A recent conversation topic got me thinking, and we all know how dangerous that is. The topic was this question: "How should we be integrating all these tools? CSPM, ITDR, ISPM... how do we get them working together?"
Immediately, I was taken back to a conversation between Richard Bird and me, in which he dropped the notion on me that Identity really is just infrastructure.
Immediately, I started thinking about all the things we’ve seen over the past two decades, and what we are seeing in the last two years, and I came to this conclusion:
Tool integration is an architecture problem. Architecture requires a strategy. And most organizations are trying to solve the integration question before they've answered the strategy questions, and are wondering why nothing sticks.
Let’s break this down, shall we?
Strategy is not a document. It's three questions.
Before any tool conversation, you need honest answers to:
What are you protecting? Not "everything" — that's not an answer. Which systems, which data, which processes represent actual business risk if compromised? The crown jewels differ by organization. If you don't know yours, you don't have a strategy.
How do you want to protect it? What's your architectural philosophy? Zero trust is a decision. Least privilege is a decision. Perimeter-based thinking is also a decision, just usually an unconscious one. Your controls should flow from an intentional posture, not from whatever the last vendor demo showed you.
-But, Dave, it was really, really shiny and had cool dashboards with dark mode!
I know, look, I love dark mode pretty dashboards too (Whatup, Wiz), but those dashboards aren’t going to help you.
What matters, and what doesn't? Risk tolerance is a business conversation, not a security conversation. Not every vulnerability is a five-alarm fire. Knowing what you can accept versus what you cannot is what turns a security team into a strategic partner rather than a cost center that says no to everything.
Answer those three questions clearly, and the tool conversation becomes surprisingly straightforward. Skip them, and you'll be in the same meeting next year with a bigger stack and the same confusion.
Identity is not a layer. It's the infrastructure.
Once you've defined what you're protecting and how you want to protect it, your security architecture starts to take shape. Here's how I think about the layers and why identity belongs at the center of all of them.
Endpoints are where device identities live. The question isn't what EDR you're running, it's whether you know what device identities exist in your environment and whether they're trusted. Device trust is the first signal in every subsequent access decision. If you can't answer "is this device known and healthy?", every layer above it is built on sand.
Network is a path, not a perimeter. In a zero-trust model, the network connects things — it doesn't protect them. Segmentation and ZTNA support your access model. They don't define it. Your controls operate at a layer the network can't see: identity.
Identity is where I deliberately break the layered model — because identity isn't just a layer. It's the connective tissue that runs through every other layer at the same time. Authentication, authorization, governance, and privilege management affect your data, applications, network, and endpoints simultaneously. That's why the thought of it being infrastructure really makes sense. Not because it's a product category, but because it functions like infrastructure — it's the thing everything else runs on.
Applications are where access decisions get tested at scale. Every SaaS platform, cloud service, and internal app has its own entitlement model. ISPM helps you govern that at scale. But the governing principle — who should have access to what, based on role and risk — comes from your identity architecture, not from the application itself.
Data is what you're ultimately protecting. Classification drives access policy. Access policy is governed by identity. DSPM tells you what you have and who can reach it. Strategy tells you whether that's acceptable.
The AI era didn't change your architecture. It exposed it.
Here's what nobody is saying loudly enough: the rush to deploy AI agents, copilots, and automated workflows hasn't introduced a new security problem. It has massively amplified an existing one.
Non-human identities (service accounts, API keys, OAuth tokens, CI/CD pipelines) already outnumbered human identities in most enterprise environments long before generative AI arrived. The governance frameworks most organizations had were already struggling to keep up. Most had orphaned service accounts with no owner, long-lived credentials nobody rotated, and AI access to systems that nobody formally approved.
AI agents are just the newest category of non-human identity. They reason. They take dynamic actions. Their blast radius is harder to predict than a traditional service account. And they're being deployed at a rate that makes the old service account problem look quaint.
The organizations that get ahead of this aren't the ones buying an NHI-specific tool first. They're the ones that treat NHI governance as a first-class identity program. Same rigor as human IGA, different lifecycle assumptions, and different tooling.
Same plays, different playbook.
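As an added illustration of running NHI governance with the same rigor as human IGA (example code written for this edition, not from the newsletter or any product; the inventory schema, per-kind rotation windows and sample identities are constructed assumptions), here is a small review that flags the three gaps named above: no owner, a credential nobody rotated, and access nobody approved.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed NHI inventory record; field names are assumptions, not a real product's schema.
@dataclass
class NonHumanIdentity:
    name: str
    kind: str                 # service_account, api_key, oauth_token, ci_pipeline, ai_agent
    owner: Optional[str]      # None models an orphaned identity
    credential_created: date
    approved_systems: Set[str] = field(default_factory=set)
    actual_systems: Set[str] = field(default_factory=set)

# Assumed rotation policy: different lifecycle assumptions per kind, tightest for agents.
MAX_CREDENTIAL_AGE_DAYS = {
    "service_account": 90, "api_key": 90, "oauth_token": 30,
    "ci_pipeline": 30, "ai_agent": 14,
}

def governance_findings(nhi: NonHumanIdentity, today: date) -> List[str]:
    """Flag the gaps the text names: no owner, a credential past its
    rotation window, and access to systems nobody formally approved."""
    findings: List[str] = []
    if not nhi.owner:
        findings.append("orphaned: no accountable owner")
    age = (today - nhi.credential_created).days
    limit = MAX_CREDENTIAL_AGE_DAYS[nhi.kind]
    if age > limit:
        findings.append(f"stale credential: {age}d old, policy {limit}d")
    unapproved = nhi.actual_systems - nhi.approved_systems
    if unapproved:
        findings.append("unapproved access: " + ", ".join(sorted(unapproved)))
    return findings

def review_inventory(inventory: List[NonHumanIdentity], today: date) -> Dict[str, List[str]]:
    """Run the same review over every NHI; clean identities report an empty list."""
    return {n.name: governance_findings(n, today) for n in inventory}

# Constructed sample inventory and review date.
TODAY = date(2026, 1, 30)
SAMPLE_INVENTORY = [
    NonHumanIdentity("svc-billing-sync", "service_account", None, date(2025, 1, 15), {"erp"}, {"erp"}),
    NonHumanIdentity("agent-support-copilot", "ai_agent", "it-ops", date(2026, 1, 20), {"ticketing"}, {"ticketing", "hr-db"}),
    NonHumanIdentity("ci-deploy", "ci_pipeline", "platform", date(2026, 1, 10), {"k8s-prod"}, {"k8s-prod"}),
]

if __name__ == "__main__":
    for name, gaps in review_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(name, "->", gaps or ["ok"])
```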
Now — the tools.
Once you have a strategy and an architecture, the question of the tool almost answers itself.
CSPM: Is my cloud posture consistent with my intended architecture?
ITDR: Are my identities actively under attack right now?
ISPM: Do my SaaS entitlements reflect the access model I defined?
IGA: Is the access lifecycle governed from joiner to mover to leaver?
PAM: Is she really finer than Gina? (IYKYK) Are my privileged pathways controlled and auditable?
Every tool answers a specific architectural question. When you know what questions matter most for your environment, you know which tools earn their budget and which ones are filling gaps in a strategy you haven't defined yet.
That's the conversation worth having.
News
AI is just different. So maybe it’s time we start to rethink how we design systems to use it. Good Read
Yikes…
Absolutely loved this article, and 1000% agree with Andrej's take here. This is only the beginning
Podcasts
The Last Word
Ok, so there’s been a lot going on (good stuff this time), and I haven’t had a ton of time to get the newsletter out on its regular cadence. One of the things I’ve been working on is what I’ve internally called Cornerstone OS. It’s a central hub that allows my team and me to create and distribute content, as well as a soon-to-be open-source project around an Identity Data lake. AI has made coding fun again, and I’m truly enjoying the creative process of building applications. (Yes, agents are at the center of all of these applications.) All of this coding has me burning through my usage rates, so now I’m playing with running local models. So what does this mean for you!? Well, hopefully tons more content. Our ability to create, ideate, and distribute content quickly will definitely make for a fun summer of Identity.
Speaking of which: Don’t forget to sign up for Identiverse! We’ll see ya
Be good to each other, be kind to each other, love each other