This episode is sponsored by Bravura Security. Learn more at bravurasecurity.com/idac.This is a Sponsor Spotlight episode of the Identity at the Center podcast. Jim McDonald and Jeff Steadman are joined by Bart Allan, General Manager at Bravura Security, to discuss why enterprise password management remains a critical piece of identity security even as organizations pursue passwordless strategies. Bart shares Bravura's history dating back to 1992, starting with self-service password reset and evolving into a full identity security platform spanning identity management, privileged access management, and enterprise password management. The conversation digs into the uncomfortable truth that while organizations may get 80% of their applications onto modern authentication, the remaining 20% still rely on passwords, creating real security risk. Bart explains how treating enterprise passwords the way organizations treat privileged credentials, with automated rotation and centralized management, can remove the human element from password creation and reduce exposure to breaches and social engineering. The group also discusses help desk social engineering attacks, breach recovery challenges, deployment strategies for rolling out an enterprise password manager, and the emerging role of password managers as passkey managers for portability. The episode wraps with some outdoor adventure stories from Bart and Jim.Connect with Bart: https://www.linkedin.com/in/bartholomewallan/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at idacpodcast.comTIMESTAMPS00:00 - Introduction and welcome01:00 - Sponsor Spotlight overview and Bravura Security introduction01:52 - Bart Allan's background in identity03:30 - History of Bravura Security from 1992 to today05:39 - How the Bravura name came to be07:00 - What makes Bravura unique in the identity market08:33 - Why password management still matters09:58 - The uncomfortable truth about passwords and the 80/20 problem13:00 - Personal vs enterprise password managers16:00 - The last mile to passwordless and legacy systems19:00 - Why storing passwords is not enough without active management22:00 - Help desk social engineering and the human element25:00 - Breach response and the fog of war31:00 - Scattered spider scenarios and credential reset at scale35:00 - Is a password manager the only viable option for the final 20%?38:00 - The future of password managers as passkey managers40:00 - Tips for deploying an enterprise password manager42:45 - Measuring success with an enterprise password manager45:17 - Lighter side of the conversation begins46:00 - Bart's backcountry skiing avalanche story from Rogers Pass50:30 - Jim's lightning storm story from backpacking in Yosemite52:53 - Final thoughts from Bart on the passwordless journey54:00 - Wrap up and outroKEYWORDSIDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Bravura Security, Bart Allan, password management, enterprise password manager, passwordless, passkeys, privileged access management, identity security, help desk social engineering, breach recovery, credential rotation, self-service password reset, identity verification, IAM operations, shadow IT, FIDO, sponsor spotlight, password vault, legacy systems

Simon Moffatt, founder and analyst at The Cyber Hut and co-host of The Analyst Brief podcast, returns to Identity at the Center for a wide-ranging conversation about the strategic evolution of identity security. Simon shares an update on his second book, IAM at 2035, which explores where identity is heading over the next decade. The discussion covers why identity has shifted from a back office function to a strategic business enabler, driven by the convergence of cloud, zero trust, and expanding digital ecosystems.Jim and Jeff dig into how organizations can measure their identity security posture, and Simon introduces his Identity Security Scorecard, a framework of 50-plus data points covering visibility, protection, detection, and response. The conversation shifts to the identity attack lifecycle, where Simon explains why organizations need to move beyond log-based forensics and toward real-time detection and response before attacks complete.The group also explores how non-identity data signals, like CAEP and shared signals frameworks, are critical to building a fuller picture of risk. The final segment tackles agentic AI and its implications for identity, including the argument that agentic identities may represent a third identity type distinct from both human and machine. Simon makes the case that AI adoption is outpacing identity and security innovation, creating a widening gap that the industry must address through governance, accountability, and new architectural patterns.Connect with Simon: https://www.linkedin.com/in/simonmoffatt/The Analyst Brief Podcast: https://www.thecyberhut.com/podcast/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTimestamps00:00 Introduction and conference discount codes02:29 Simon Moffatt returns to the show03:58 Update on the IAM at 2035 book07:25 The Analyst Brief podcast and covering identity trends08:44 Identity shifts from back office to strategic priority11:47 The compliance trap and reactionary identity management14:25 Customer identity transparency influencing workforce identity16:52 Defining identity security across 80-plus vendors20:11 Products alone do not solve identity security21:14 Thinking like an attacker about identity flows23:23 Red flags in an organization's identity posture25:43 The identity security scorecard and measuring risk29:27 Avoiding FUD when presenting identity risk to the board32:34 The identity attack lifecycle explained36:53 Building the mindset for real-time detection and response37:41 CAEP, shared signals, and non-identity data sources40:10 Identity as a 24/7 security operations function43:24 Agentic AI drops like a nuclear explosion on identity46:49 The widening gap between AI adoption and identity security47:51 Is agentic identity a third identity type?50:47 What needs to change to address the agentic identity explosion53:24 Will AI shake the core of enterprise IT?57:24 AI may be the only thing that can secure AI58:04 Travel tips for EIC Berlin and European conferences01:02:45 Wrapping upKeywordsidentity security, identity attack lifecycle, identity attack paths, agentic AI, agentic identity, non-human identity, NHI, identity security scorecard, zero trust, CAEP, shared signals framework, identity governance, identity strategy, IAM, identity posture, Simon Moffatt, The Cyber Hut, The Analyst Brief, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald

This episode features Tim Beasley, a Senior Incident Response Consultant at Semperis with decades of experience in compromise recovery and post-breach response.With a background that includes leading recovery efforts at Microsoft’s DART team and helping build the Compromise Recovery Security Practice, Tim brings deep operational insight into what happens after attackers gain access. His work spans ransomware, nation-state intrusions, and large-scale identity compromises across public and private sector organizations.In this episode, Tim explains why gaining access is only the beginning of modern attacks and why identity remains the primary path for escalation. He breaks down how attackers exploit credential exposure and identity infrastructure, and why prevention alone fails without a recovery-first mindset. He shares real-world lessons from incident response and recovery, including how teams contain threats and limit the impact of identity compromises.This episode reframes identity security as a resilience problem and offers a clearer way to think about preparing for the breach you haven’t detected yet.Guest Bio Tim Beasley is a Senior Incident Response Consultant at Semperis. He is Microsoft and VMware Certified, a MIS graduate, and a self-driven IT professional with experience in both public sector and private sector technology. While extremely loyal to employers, Tim has gained quality knowledge throughout a career that's enabled tremendous growth in an IT security environment. He enjoys challenges and implements proactive measures to maintain complete customer satisfaction and success.Guest Quote “Everything in compromise essentially starts with identity. We always say identity is the new perimeter. It's true. All attacks, breaches, every engagement that I've been a part of... all start with a compromised set of credentials.”Time stamps 00:41 Meet Tim Beasley: Cybersecurity Specialist 01:32 Tim's Journey at Microsoft 12:24 The Role of Identity in Cybersecurity 20:57 Real-World Cybersecurity Identity Challenges 23:27 The Big Four in Identity Management 24:01 Flashcard Fiascos: Cyberattacks Across Industries 32:50 Assume Breach Mentality 37:08 Conclusion and Final ThoughtsSponsor The HIP Podcast is brought to you by Semperis, the leader in identity-driven cyber resilience for the hybrid enterprise. Trusted by the world’s leading businesses, Semperis protects critical Active Directory and Entra ID environments from cyberattacks, ensuring rapid recovery and business continuity when every second counts. Visit semperis.com to learn more.LinksConnect with Tim on LinkedInConnect with Sean on LinkedInDon't miss future episodesLearn more about Semperis

In this episode of Identity at the Center, hosts Jeff and Jim dive into the details of the Shared Signals Framework (SSF) and Continuous Access Evaluation Profile (CAEP), with special guest Atul Tulshibagwale, the CTO of Signal. The trio discusses the complexities and applications of these identity security standards, recent adoption by major tech companies, and how they are transforming the approach towards identity and access management. Atul also shares exciting news about Signal's impending acquisition by CrowdStrike and reflects on a recent safari trip in Kenya. Tune in to learn about the evolution of identity security and the future of SSF and CAEP.Connect with Atul: https://www.linkedin.com/in/tulshi/Learn more about the Artificial Intelligence Identity Management Community Group: https://openid.net/cg/artificial-intelligence-identity-management-community-group/Learn more about SSF and CAEP:https://openid.net/how-authzen-and-shared-signals-caep-complement-each-other/https://sgnl.ai/whitepaper/caep-best-practices/https://caep.dev/https://youtu.be/qakOw0g2mZ8?si=p8z9imn7x-HhLdcVhttps://www.youtube.com/live/e64YiAmGmf4?si=QPKDg2Jm9oSZmbhZhttp://sharedsignals.guide/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTimestamps:00:00 Introduction and Episode Milestone00:17 Challenges with Installing Molt Bot02:32 MoltBook and AI Agents03:21 Jim's Perspective on AI Assistants09:24 Conferences and Networking10:10 Introduction to Shared Signals and CAEP13:03 CrowdStrike Acquisition of Signal14:03 AI Identity Management Community16:59 Shared Signals Framework and CAEP Explained30:03 Final Version of CAEP and Shared Signals Released30:35 Adoption by Major Technology Providers32:49 Benefits of Implementing Shared Signals36:32 Future of SSF and CAEP40:51 Certification Program for Shared Signals52:48 Real-World Safari Adventure01:00:34 Conclusion and Final ThoughtsKeywords:IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Atul Tulshibagwale, Shared Signals Framework, SSF, CAEP, Continuous Access Evaluation Profile, OpenID Foundation, CrowdStrike, SGNL AI Identity, Agentic Identity, AuthZEN, Risk, Identity Security, IAM, Podcast

This episode is sponsored by PlainID. Visit plainid.com/idac to learn more.In this sponsored episode, Jim McDonald and Jeff Steadman talk with Gal Helemski, CTO and co-founder of PlainID, about the evolving landscape of authorization. The conversation covers the transition from traditional roles and attributes to a modern policy-based access control (PBAC) approach. Gal explains how PlainID helps organizations centralize authorization logic, improve security posture, and simplify the management of access across complex hybrid and multi-cloud environments. The discussion also touches on the importance of visibility into who has access to what and the role of standards like Cedar and Rego in the future of authorization.Connect with Gal: https://www.linkedin.com/in/gal-helemski-b9542231/Learn more about PlainID: plainid.com/idacConnect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at idacpodcast.comTimestamps:00:00 Introduction to the Sponsor Spotlight02:15 Meet Gal Helemski from PlainID05:30 The shift from RBAC to PBAC10:45 Challenges with traditional authorization methods15:20 How PlainID centralizes authorization logic22:10 Integrating with existing identity providers28:45 The role of visibility and auditing in authorization35:30 Discussion on authorization standards: Cedar and Rego42:15 Future trends in identity and access management50:00 Final thoughts and where to learn moreKeywords:IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, PlainID, Authorization, Policy-Based Access Control, PBAC, RBAC, Cybersecurity, IAM, Access Management, Gal Helemski, Identity Security

In this milestone episode of Identity at the Center, Jeff and Jim celebrate 400 episodes and reflect on their journey over the past six and a half years. They discuss the podcast’s evolution, from its early days focusing on strategy and framework to recent themes like cloud identity, governance, and AI-driven technologies. Jim shares his New Year's resolution of writing a book about identity, blending practitioner stories with educational elements, and utilizing AI tools. The duo also highlights significant trends in identity and access management, including frictionless authentication and privilege access management. They look forward to the future of identity within an AI-driven landscape, urging listeners to adapt to technological advancements. Tune in for insights, reflections, and their plans for continuing to grow the podcast.Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTimestamps00:00 Welcome and Milestone Celebration00:44 Reflecting on the Podcast Journey01:27 Jim's New Year's Resolution: Writing a Book05:16 Using AI in the Writing Process09:34 Podcast Growth and Listener Support13:08 Remembering Luis Almeida16:59 Conference Highlights and Discount Codes19:05 Lessons Learned from Podcasting29:01 The Evolution of the Podcast36:01 Pandemic Disruptions and Podcast Challenges36:30 Funny Moments and Swearing on the Show37:24 Identity Management Trends in 202039:20 Cloud Identity and Certifications in 202141:54 Governance and Compliance in 202244:23 Security Convergence and Milestones in 202351:07 Privilege Access Management in 202455:15 Frictionless Authentication in 202558:20 AI and the Future of Identity in 202601:09:00 Reflections and GratitudeKeywords:IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, IAM, podcast, cybersecurity, digital identity, AI, agentic identity, PAM, IGA, cloud security, passkeys, professional development, IDPro, identity governance

Jim McDonald is joined by Jeff Margolies, Chief Product and Strategy Officer at Saviynt, to discuss the intersection of artificial intelligence and identity security. Jeff shares his decades of experience in the industry, from building the IAM practice at Accenture to his current leadership role at Saviynt. The conversation covers how AI is making manually intensive identity tasks more efficient, the emergence of Identity Security Posture Management (ISPM), and the critical need to govern identities for AI agents. Jeff also provides his perspective on the future of the identity practitioner and why he remains an optimist in a rapidly changing technological landscape.Connect with Jeff Margolies on LinkedIn: https://www.linkedin.com/in/jmargolies/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTimestamps:00:00:00 - Introduction and Gartner Identity Conference Recap00:02:11 - Jeff Margolies' Career Journey in Identity and Security00:04:36 - Returning to Identity and Joining Saviynt00:06:13 - How AI is Impacting Identity Security and Governance00:09:56 - The Future of Identity Services in an AI World00:13:58 - Will AI Disrupt the SaaS Model for Identity?00:19:50 - The Impact of AI on the Identity Practitioner Job Market00:26:16 - Identity for AI: Governing Agents and Delegated Authority00:32:00 - Combating Deepfakes and Proving What is Real00:34:40 - The Rise of Identity Security Posture Management (ISPM)00:41:46 - Comparing Posture Management and ITDR00:44:17 - Advice for CISOs: Why Posture Should Come First00:49:35 - The Secret to Saviynt's Success and Future Outlook00:52:19 - Lighter Note: Why Jeff Chose a Tesla for His DaughterKeywords:IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Jeff Margolies, Saviynt, IAM, Identity and Access Management, AI, Artificial Intelligence, ISPM, ITDR, Cybersecurity, Identity Governance, SaaS, IGA

This episode features Dr. Mary Aiken, Professor of Cyberpsychology at Capitol Technology University and one of the world’s leading experts on the impact of technology on human behavior.With a career spanning academia, law enforcement advisory roles, and global policy work with organizations like INTERPOL and Europol, Dr. Aiken brings deep insight into how human psychology shapes security outcomes. Her work focuses on the human layer of cyber risk—how trust, perception, fatigue, and bias influence behavior in digital environments.In this episode, Dr. Aiken explains why humans aren’t the weakest link in cybersecurity but the most targeted. She shows how attackers weaponize human behavior through phishing, MFA fatigue, and insider recruitment, and why hybrid identity must be treated as a cyber-psychological battlefield. She also discusses what human-aware defenses look like in practice and why intelligence augmentation is critical to psychological and technical resilience.This episode reframes identity security as a human problem first and offers a clearer way to think about protecting people in an increasingly manipulative digital world.Guest BioDr Mary Aiken is a world leading expert in Cyberpsychology – the study of the impact of technology on human behaviour. She is Professor of Cyberpsychology and Chair of the Department of Cyberpsychology at Capitol Technology University Washington D.C.’s premier STEM University, and Professor of Forensic Cyberpsychology at the University of East London. Professor Aiken is a Member of the INTERPOL Global Cybercrime Expert Group and an Academic Advisor to Europol's European Cyber Crime Centre (EC3). She is a Fellow of The Royal Society of Medicine, a member of the Medico-Legal Society and an International Affiliate Member of the American Psychological Association (APA). She is a former Global Fellow at the Washington DC Wilson Center, and is a Fellow of the Society for Chartered IT Professionals. She is a former Director of the Royal College of Surgeons (RCSI) Cyberpsychology Research Centre. Dr Aiken's work inspired the CBS PrimeTime TV series 'CSI: Cyber.' Her landmark bestselling book 'The Cyber Effect' was a 2016 'Times book of the year.' Dr Mary Aiken is recognised as an international expert in industry and policy debates at the intersection of technology and human behaviour she has been invited to present at events organised by global organisations such as the United Nations, the European Union, NATO, G7, Europol, INTERPOL and the White House.Guest Quote“People talk about humans being the weakest link in the cybersecurity equation. They're not the weakest link, they're just simply the most targeted link.”Time stamps01:58 Meet Dr. Mary Aiken: World-leading Expert in Cyberpsychology 03:17 The Psychology of Cybersecurity 10:40 Behavioral Differences Online vs. Real World 15:17 Cyber Behavioral Attack Vectors 23:05 Future of Cybersecurity: AI and Human Collaboration 25:46 Conclusion and Final ThoughtsSponsorThe HIP Podcast is brought to you by Semperis, the leader in identity-driven cyber resilience for the hybrid enterprise. Trusted by the world’s leading businesses, Semperis protects critical Active Directory and Entra ID environments from cyberattacks, ensuring rapid recovery and business continuity when every second counts. Visit semperis.com to learn more.LinksConnect with Dr. Aiken on LinkedInConnect with Sean on LinkedInDon't miss future episodesLearn more about Semperis

In this episode, Jim McDonald welcomes back Martin Kuppinger, Principal Analyst at KuppingerCole, to discuss the rapidly evolving landscape of identity in 2026. With Jeff Steadman away, Jim and Martin dive deep into the intellectual challenges posed by AI agents and the limitations of traditional non-human identity frameworks. Martin explains why organizations are feeling a sense of disillusionment with AI and how a capability-based identity fabric approach can help manage the complexity. They also explore the balance between security and business enablement, the rise of workload identities, and what to expect at the upcoming European Identity and Cloud Conference (EIC) in Berlin.Connect with Martin: https://www.linkedin.com/in/martinkuppinger/KuppingerCole: https://www.kuppingercole.comEuropean Identity and Cloud Conference (EIC) (don’t forget to use our discount code idac25mko): https://www.kuppingercole.com/events/eic2026Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTimestamps00:00 - Welcome back to 2026 and EIC preparations02:48 - The shift from future potential to current AI agent challenges03:12 - Understanding AI disillusionment and the lack of control in regulated industries05:19 - Security as a business enabler vs progress prevention09:55 - Why AI agents should not be classified simply as non-human identities11:43 - Complex relationships between humans, agents, and delegated tasks15:17 - Self-service identity for knowledge workers and AI productivity18:40 - The risks of decentralized agent creation and "shadow" AI21:58 - How AI is being baked into identity products beyond role mining26:55 - Using usage data to reduce over-entitlements34:10 - The Identity Fabric: A capability-based approach to IAM40:33 - Vendor rationalization and the flexibility of the fabric47:19 - Previewing EIC 2026 topics: Wallet initiatives and consent52:44 - Final advice: Curing symptoms vs addressing causesKeywords:IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Martin Kuppinger, KuppingerCole, IAM, AI Agents, Identity Fabric, EIC 2026, Non-Human Identity, Workload Identity, ITDR, IGA, Cybersecurity

Jeff Steadman is joined by RSM colleagues Rich Servillas and Charles John to explore the critical intersection of identity access management, operational resilience, and disaster recovery. Rich, a director from the cyber response group, shares insights from the front lines of ransomware and cloud intrusions, while Chuck, director of operational resilience, discusses the importance of business continuity planning. The conversation covers the true impact of security incidents on brand reputation and operations, the necessity of out-of-band communication, and why identity is often the first thing challenged and the last thing trusted during a crisis. The guests also provide practical advice for IAM professionals on reducing blast radius through standing privilege reduction and robust logging.Connect with Rich: https://www.linkedin.com/in/richard-servillas-041a0551/Connect with Chuck: https://www.linkedin.com/in/chuckjohn/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTimestamps:00:00:00 - Introduction and 2026 conference outlook00:01:44 - Introducing guests Rich and Chuck from RSM00:03:56 - Defining operational resilience and business continuity00:06:22 - When and how to start the planning process00:09:55 - Chuck's background in public health and emergency management00:12:44 - The broad impact of incidents on brand and operations00:16:45 - Key elements every recovery plan must include00:19:14 - Defining incident severity and matrixes00:21:52 - Identity as the new perimeter and its operational dependencies00:24:57 - Why hackers log in rather than break in00:26:46 - The first hours of a cyber incident response00:29:35 - Current threat trends and the role of AI00:31:29 - Updating plans through post-action debriefs00:34:31 - Cyber insurance gaps and contractual SLAs00:40:24 - Advice for identity professionals on reducing blast radius00:46:10 - Personal milestones and looking forward to 2026Keywords:IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, IAM, Cybersecurity, Business Continuity, Disaster Recovery, Operational Resilience, RSM, Incident Response, Ransomware, Cyber Insurance, Identity Governance