THE WIRE: THIS WEEK IN IDENTITY
N°01 · GOVERNANCE GAP
Only 18 percent of leaders trust their identity systems with agents. Only 23 percent have a strategy.
New Strata research put a number on the feeling. 18 percent of security leaders are highly confident their identity systems can handle agent identities, and just 23 percent have a formal enterprise-wide agent-identity strategy. The rest are improvising, with the responsibility smeared across teams that each assume someone else owns it.
N°02 · BREACH ECONOMICS
71 percent breached, and 41 percent of it traces back to weak non-human identity
Sophos surveyed 5,000 security leaders across 17 countries. 71 percent suffered at least one identity-related breach in the past year, the average cleanup ran 1.64 million dollars, and 41 percent of those incidents traced straight back to weak NHI management. API keys in code. Static creds. Service accounts whose owner left two reorgs ago.
Hey Jedi,
Let me tell you about a test you can run in the next ten minutes that will ruin your afternoon.
Open your IGA platform. The one you spent seven figures on. The one that runs your joiner-mover-leaver, your access certifications, your segregation-of-duties checks. Now go find an AI agent in it. Not a service account that happens to drive an automation. An actual agent. Something that interprets a goal, picks its own path, and calls tools in sequences nobody designed. Search for it. Try to certify its access. (So many thoughts on this... but that's for another time.) Try to answer who owns it and what it touched yesterday.
You can't. And it's not because you bought the wrong platform. (Well, maybe you did…) But it’s mainly because the entire category was built to answer one question: who has access to what and should they, for a world where the who was a person and the access was relatively stable. An agent breaks both halves of that sentence at once.
The 18 percent confidence number from Strata is the ceiling because confidence is self-reported, and you can only worry about the agents you can see. The agents your IGA platform can't see don't even make it into the denominator. The honest number is below 18 percent, and the gap between what your platform knows and what's actually running in your environment is where the 41 percent of breaches Sophos tied to weak non-human identity comes from.
Think about how an agent actually gets access. It rarely shows up at the front door of your IGA platform and asks for an entitlement. It gets spun up inside an application or inside a SaaS tool that one of your teams has connected to another SaaS tool, and it inherits the permissions of whatever spawned it. That's the confused-deputy pattern, and it's no longer theoretical. It's the exact mechanism behind the agent incidents that made the news this spring. The agent passed every identity check because the identity check was the only gate, and there was no gate watching what it did after it authenticated.
Your IGA platform is a joiner-mover-leaver machine. An agent doesn't join, move, or leave. It gets instantiated, it acts, and it disappears, sometimes inside a single session, and the access footprint changes with every task. You are trying to govern a flickering thing with a tool built for a stable one. Periodic certification cannot keep up with an identity whose access profile changes faster than your review cycle. The certification is stale before the campaign closes.
And this is where the conversation usually goes wrong, because the instinct is to ask which vendor fixes it. That's the wrong first question. The right first question is whether you can even see the problem in numbers that your leadership will fund. This is the gap I keep coming back to with teams. They know the agents are there. They cannot translate that knowledge into the language that moves budget, because the IGA dashboard, the one source of truth the executives trust, shows green. The platform reports full coverage of the identities it knows about, and it has no idea what it doesn't know about. So the board sees a healthy program and the practitioner sees a fire, and the two never meet.
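The gap between the green dashboard and what is actually running can be put into numbers by reconciling the IGA export against authentication logs. This is an added example, not part of the original newsletter or any vendor's tooling; the inventory, log lines, agent names and the `spawned_by` field are constructed for illustration.

```python
import json

# Constructed IGA export: the identities the platform knows about.
IGA_INVENTORY = {
    "alice@corp.example": {"owner": "alice", "certified": True},
    "svc-backup": {"owner": "infra-team", "certified": True},
    "svc-etl": {"owner": "data-team", "certified": True},
}

# Constructed audit events (JSON lines). "spawned_by" is a hypothetical field
# naming the identity whose permissions the principal inherited.
AUDIT_LOG = """\
{"principal": "alice@corp.example", "scope": "crm.read", "spawned_by": null}
{"principal": "svc-etl", "scope": "warehouse.write", "spawned_by": null}
{"principal": "agent-7f3a", "scope": "crm.read", "spawned_by": "alice@corp.example"}
{"principal": "agent-7f3a", "scope": "crm.export", "spawned_by": "alice@corp.example"}
{"principal": "agent-c91d", "scope": "warehouse.write", "spawned_by": "svc-etl"}
"""

def observed_principals(log_text):
    """Map each principal seen in the log to its scopes and its spawning identity."""
    seen = {}
    for line in filter(str.strip, log_text.splitlines()):
        event = json.loads(line)
        entry = seen.setdefault(
            event["principal"], {"scopes": set(), "spawned_by": event.get("spawned_by")})
        entry["scopes"].add(event["scope"])
    return seen

def reconcile(inventory, observed):
    """Coverage as the dashboard computes it versus coverage over everything observed."""
    certified = {p for p, rec in inventory.items() if rec["certified"]}
    unseen = {p: observed[p] for p in sorted(set(observed) - set(inventory))}
    return {
        "dashboard_coverage": len(certified) / len(inventory),
        "actual_coverage": len(certified) / (len(inventory) + len(unseen)),
        "unseen": unseen,
    }

def blind_spot_report(inventory=IGA_INVENTORY, log_text=AUDIT_LOG):
    """Return the reconciliation plus one line per principal the IGA export lacks."""
    result = reconcile(inventory, observed_principals(log_text))
    lines = [f"dashboard {result['dashboard_coverage']:.0%}, actual {result['actual_coverage']:.0%}"]
    for name, info in result["unseen"].items():
        owner = inventory.get(info["spawned_by"], {}).get("owner", "unowned")
        lines.append(f"{name}: via {info['spawned_by']} (owner {owner}), scopes {sorted(info['scopes'])}")
    return result, lines

if __name__ == "__main__":
    print("\n".join(blind_spot_report()[1]))
```

On the sample data the dashboard figure stays at 100 percent while coverage over everything that authenticated is 60 percent, and each unseen agent is listed with the identity it inherited from.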
That disconnect is the actual problem to solve first. Not the tool. The translation. You have to be able to walk into a room and show that the thing measuring your identity risk has a category of identity it structurally cannot measure, and put a dollar figure on what that blind spot is worth. The 1.64 million dollar average remediation cost from Sophos is a starting point. The headline is that your assurance is being generated by a system that doesn't know agents exist, so the assurance is fiction for the fastest-growing identity in your environment.
I built the Identity Value Matrix for exactly this room. It's the tool I use to turn "our IGA platform is blind to agents" into "here is the quantified exposure, here is what closing it is worth, here is why it funds itself." That's a Knight-tier resource, and I'll point you to it below, because the practitioners who win this argument aren't the ones with the scariest stat. They're the ones who can price the blind spot.
So run the test. Open the platform, go look for an agent, and watch it come up empty. Then ask yourself the only question that matters next. If the system you trust to tell you who has access to what can't see the identities growing fastest in your environment, what exactly is that green dashboard measuring?
Quick thing before you go.
If this one landed, there's a version of Identity Jedi that goes a lot deeper than the free edition. Members get the full Deep Dives with nothing held back, plus the tools I actually use in the field. The Identity Value Matrix for turning identity work into the language executives actually fund, and the IAM Question Framework for pressure-testing a program before it goes sideways. Knight is 49 a month, it includes the Identity Value Matrix and the monthly live Q and A with me, and it's built for exactly the budget fight this issue is about.
You've been reading for a reason. Want the tools that go with it?
The Last Word
The hard truth about a mature IGA program is that maturity can hide a blind spot better than chaos can. A messy program knows it's messy. A polished one shows you green and lets you believe it, right up until the category it never modeled walks through a door it was never watching. The fix doesn't start with a new tool (I know they are shiny, and everyone is trying to sell you one); instead, it starts with refusing to trust a dashboard that can't see the thing you're most afraid of. Know exactly what you want to solve, and then get your shiny new tool.
See ya next week.
Be good to each other, be kind to each other, love each other


