Identity at the Center

422 episodes

  • Identity at the Center

    #422 - Decoded - Securing AI Agents with Standards You Already Have

    2026/05/15 | 1h 18 mins.
    Episode 422 is the debut of Decoded by Identity at the Center, a new sub-series hosted by Jeff Steadman and Sean O'Dell dedicated to unpacking the specifications and standards powering IAM. Joining them is Pieter Kasselman, VP of Open Standards at Defakto and chair of the WIMSE working group. The conversation covers why traditional non-human identity approaches break at agentic scale, how SPIFFE and SPIRE enable short-lived automated credential provisioning without long-lived secrets, and why treating agents as workloads unlocks a decade of existing standards. Pieter walks through critical OAuth specs including JWT authorization grant, token exchange, client ID metadata, and the emerging transaction tokens draft. Sean connects these to practical gateway architecture, continuous access evaluation, and policy-based authorization. The episode closes with real-world deployment examples and a clear takeaway: the tools to secure agentic identity are available today.

    Episode Links:

    Pieter Kasselman: https://www.linkedin.com/in/pieter-kasselman-0259862/

    AI Agent Authentication and Authorization: https://datatracker.ietf.org/doc/draft-klrc-aiagent-auth/

    Workload Identity in Multi-system environments (WIMSE): https://ietf-wg-wimse.github.io/

    OAuth SPIFFE Client Authentication: https://datatracker.ietf.org/doc/draft-ietf-oauth-spiffe-client-auth/

    Transaction Tokens: https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/08/

    Agentic Identity Control Framework. You Already Have the Pieces. Now Build It. by Sean O'Dell: https://www.linkedin.com/pulse/agentic-identity-control-framework-you-already-have-pieces-o-dell-61b5e/

    Timestamps:
    00:00 Introduction to Decoded by Identity at the Center
    00:13 The mission of the Decoded sub-series
    03:02 Guest intro: Pieter Kasselman, VP of Open Standards at Defakto
    06:21 Why agentic identity is urgent: scale, multi-platform, and shifting threat landscape
    10:42 The real cost of API keys and credential sprawl in agentic systems
    13:23 Agentic identity identifiers and how SPIFFE assigns unique workload IDs
    21:00 Credential types: X.509, JWTs, and workload identity tokens
    31:00 Connecting SPIFFE to OAuth and dynamic registration with client ID metadata
    38:18 SPIFFE SVIDs, multiple credentials per agent, and governance traceability
    41:44 Authentication versus authorization: delegation versus impersonation
    47:00 Transaction tokens: binding access to specific transactions to stop token theft
    51:21 Identity chaining and cross-domain authorization
    55:00 Shared Signals Framework and dynamic authorization
    57:00 Gateways, CAEP, and mid-flight token revocation for rogue agents
    59:31 What you can deploy today with SPIFFE, OAuth, and existing IDPs
    01:02:58 Policy-based access control and why instance-level governance cannot scale
    01:04:58 Workload identity federation: Anthropic and Google Agent ID updates
    01:07:13 Cross-platform federation and the law of agentic utility
    01:11:55 Elevator pitch: agents are workloads and 95% of the problem is solved now
    01:17:03 What is coming next: a transaction tokens deep dive

    Keywords:
    agentic identity, SPIFFE, SPIRE, OAuth, transaction tokens, Shared Signals Framework, WIMSE, workload identity, non-human identity, authorization delegation, JWT, CAEP, API gateway, IAM standards, AIMS, Jeff Steadman, Sean O'Dell, Pieter Kasselman, IDAC, Identity at the Center, Jim McDonald, Decoded by Identity at the Center

    Decoded by Identity at the Center:

    Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

    Sean O'Dell: https://www.linkedin.com/in/seanodentity/

    Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

    Visit the show on the web at https://idacdecoded.com/
  • Identity at the Center

    #421 - The AI Identity Control Plane with Henrique Teixeira

    2026/05/11 | 1h 10 mins.
    Jeff and Jim welcome back Henrique Teixeira, SVP of Strategy at Saviynt, for his fourth appearance on the podcast. The episode opens with Jim's firsthand experience building an AI agent for a work project and discovering in real time how identity management challenges surface in the agentic era. After conference updates on EIC in Berlin and Identiverse in Las Vegas, Henrique unpacks the crowded terminology around AI agent governance, from Gartner's agent management platforms to UADP, the Unified Agentic Defense Platform. He proposes a three-pillar framework for managing AI and non-human identities: discovery, identity lifecycle and governance, and runtime access management, with guidance on where to start depending on whether your organization is greenfield or legacy-heavy. The conversation then examines how AI is reshaping the analyst business model, what makes information sources trustworthy, and how proprietary inquiry data forms the real competitive moat for firms like Gartner and Forrester. The episode closes with a wide-ranging discussion on AI's risk to shared cultural experiences, hyper-personalized entertainment, and the ethics of licensing your digital identity in the afterlife.

    Connect with Henrique: https://www.linkedin.com/in/bernardes/

    Connect with us on LinkedIn:

    Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

    Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

    Visit the show on the web at http://idacpodcast.com

    00:00:00 Intro
    00:00:55 Jim's AI Agent Experiment and Identity Lessons
    00:06:04 Conference News: EIC and Identiverse
    00:07:22 Identity Beer Community Events
    00:08:40 Introducing Henrique Teixeira
    00:12:00 AI Control Plane: Competing Terminologies
    00:17:36 Three Pillars of AI Agent Identity Management
    00:18:46 Why Visibility Matters More for NHI
    00:20:00 Ownership, Accountability, and Humans at the Control Plane
    00:24:26 Industry Maturity and the Gaps That Remain
    00:25:41 Where to Start: Governance-First vs. Visibility-First
    00:29:52 AI's Impact on the Analyst Profession
    00:34:57 What Analyst Firms Have That AI Cannot Replace
    00:39:04 Trust, Boutique Analysts, and Repeatability
    00:44:34 Proprietary AI Chatbots and Gated Intelligence
    00:49:30 IP Rights and the Legal Gray Zone of AI Training
    00:52:14 AI and the Erosion of Shared Cultural Experience
    00:58:00 AI Music, Personalized Entertainment, and the Future of Art
    01:03:47 Digital Afterlife, Voice Clones, and AI Personas
    01:08:18 Wrap-Up and Closing

    Keywords: IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Henrique Teixeira, Saviynt, AI identity control plane, non-human identities, NHI, agentic AI, AI agents, AI governance, identity lifecycle, access management, discovery, agent management platform, UADP, IAM, Gartner, analyst firms, AI and culture, digital identity, identity security, EIC, Identiverse, identity beer
  • Identity at the Center

    #420 - Sponsor Spotlight - GitGuardian

    2026/05/06 | 1h 13 mins.
    This episode is made possible by GitGuardian. Jeff speaks with Dwayne McDaniel, Principal Developer Advocate at GitGuardian, about secrets sprawl, non-human identity governance, and the findings of the State of Secret Sprawl 2026 report. With 28.6 million secrets leaked to public GitHub in 2025 - a 34% year-over-year increase - they explore why hardcoded credentials persist, how agentic AI tools are making the problem worse, and what IAM practitioners can do to start addressing machine identity governance. Topics include GitGuardian's Good Samaritan notification program, the growing NHI inventory challenge, SPIFFE and SPIRE as a path to zero standing privilege, and data showing Claude Code co-authored commits are more than twice as likely to contain leaked secrets. Visit gitguardian.com/lps/idac to learn more.

    Connect with Dwayne: https://www.linkedin.com/in/dwaynemcdaniel/

    Dwayne's website: https://dwayne-mcdaniel.com/

    Learn more about GitGuardian: https://www.gitguardian.com/lps/idac

    GitGuardian Good Samaritan Program (free) - https://www.gitguardian.com/good-samaritan

    The State of Secrets Sprawl 2026: https://www.gitguardian.com/state-of-secrets-sprawl-report-2026

    SPIFFE Book: https://spiffe.io/book/

    Connect with us on LinkedIn:

    Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

    Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

    Visit the show on the web at http://idacpodcast.com

    TIMESTAMPS:
    00:00 Introduction and sponsor welcome
    00:48 Dwayne's background and path to developer advocacy
    04:11 Surprises from entering the identity and security space
    06:29 What a principal developer advocate actually does
    09:32 Why secrets became Dwayne's focus area
    14:10 GitGuardian: overview and mission
    19:36 Where secrets commonly leak across the SDLC
    22:17 The Good Samaritan notification program explained
    28:00 Why 70% of leaked secrets from 2022 were still valid in 2025
    33:54 State of Secret Sprawl 2026: the year software changed
    40:39 AI coding tools, Claude Code, and secrets leakage data
    47:28 Practical questions for IAM practitioners to start asking
    52:24 Zero standing privilege and the case for SPIFFE/SPIRE
    01:00:00 Resources: the SPIFFE book, WIMSE, and AWS STS
    01:02:51 Hot sauce, the Cubs, and closing thoughts

    KEYWORDS:
    secrets sprawl, hardcoded secrets, non-human identity, NHI governance, GitGuardian, SPIFFE, SPIRE, workload identity, DevSecOps, agentic AI, Claude Code, zero standing privilege, supply chain security, credential abuse, identity and access management, IAM, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Dwayne McDaniel
  • Identity at the Center

    #419 - Identity Management Day 2026 - IDAC Live

    2026/05/04 | 29 mins.
    Recorded live as part of the Identity Management Day 2026 streaming program, Jeff and Jim mark their fifth IMD episode. Introduced by Jeff Reich from the Identity Defined Security Alliance, they reflect on how the IAM industry has evolved since their first IMD episode in 2021 and grade overall progress a C. Topics include what has genuinely improved (passkeys, MFA adoption, broader awareness), what hasn't (compliance fatigue, security theater, persistent credential theft), the exploding challenge of non-human identity governance, whether AI will eventually need to certify other AI, and how AI-powered phishing and deep fakes are raising the bar for identity verification. The episode wraps with chat-submitted IAM bumper stickers.

    Identity Management Day 2026: https://www.idsalliance.org/event/identity-management-day-2026/

    Connect with us on LinkedIn:

    Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

    Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

    Visit the show on the web at http://idacpodcast.com

    CHAPTERS
    0:00 - Jeff Reich intro from the IMD stream
    2:00 - Identity Management Day 2026 kicks off
    3:30 - Five years of IMD: a look back at episode 88
    7:00 - Does IMD move the needle?
    9:30 - Who is Identity Management Day actually for?
    12:00 - What has improved in IAM over five years
    16:00 - What hasn't improved: compliance fatigue and security theater
    18:30 - Grading the IAM industry
    21:00 - NHI governance: visibility and accountability
    26:00 - Can AI certify AI? Agentic identity governance
    29:00 - AI-powered phishing and the evolving threat landscape
    32:00 - Deep fakes and the identity verification challenge
    36:00 - Lighter note: IAM bumper stickers

    KEYWORDS
    identity management day, identity management day 2026, NHI, non-human identity, agentic AI, phishing, deep fakes, IGA, passkeys, MFA, IAM, identity governance, access management, cybersecurity, credential theft, security awareness, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald
  • Identity at the Center

    #418 - Ethical IAM with Elizabeth Garber

    2026/04/27 | 1h 8 mins.
    What does it mean to build an identity system that is ethical? Jim McDonald and Jeff Steadman are joined by Elizabeth Garber, Executive Director of IDPro and marketing lead for the OpenID Foundation, for a conversation spanning ethics in digital identity, the tension between privacy and safety, biometric exclusion risks, and how practitioners can use structured frameworks to navigate these discussions productively. Elizabeth shares her three-part career journey, the latest from the IDPro community, and previews her upcoming keynotes at EIC Berlin and Identiverse Las Vegas.

    Connect with Elizabeth: https://www.linkedin.com/in/elizabethgarber

    IDPro Discount - New members get $25 off their first year of membership: https://idpro.org/idac/

    Ethics and Digital Identity by Henk Marsman: https://bok.idpro.org/article/id/104/

    Ethics for Digital Identity and Identity-Driven Algorithms by Mike Kiser: https://bok.idpro.org/article/id/105/

    Human Centric Digital Identity white paper: https://openid.net/wp-content/uploads/2023/10/Human-Centric_Digital_Identity_Final-v1.1.pdf

    Connect with us on LinkedIn:

    Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

    Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

    Visit the show on the web at http://idacpodcast.com

    Timestamps:

    00:00 Intro and Jim's allergy research
    03:42 Conference announcements: EIC and Identiverse
    06:00 Welcome Elizabeth Garber
    07:04 Elizabeth's three-part origin story
    11:55 IDPro mission and the identity community
    18:13 Membership, CIDPRO certification, and the Body of Knowledge
    21:17 IDPro Slack community
    23:40 IdentiBeer and local meetups
    26:26 IDPro listener discount at idpro.org/idac
    29:00 Operationalizing ideas in IAM
    32:19 Ethics in the IDPro Body of Knowledge
    33:30 Defining ethics in technology
    34:19 The trolley problem and moral consistency
    37:10 Big tech, privacy, and law enforcement
    39:28 Where practitioners start with ethics
    43:30 Biometric exclusion and the Uganda story
    49:00 Privacy vs. safety: a false choice?
    53:48 The case for consistent ethical frameworks
    57:53 Elizabeth's EIC and Identiverse talks
    59:49 Improv comedy and expensive hobbies
    1:07:25 Wrap-up

    Keywords: ethical IAM, digital identity ethics, IDPro, identity and access management, privacy, safety, biometrics, exclusion, Elizabeth Garber, GAIN Digital Trust, OpenID Foundation, Body of Knowledge, Ethical Canvas, zero knowledge proofs, passkeys, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, EIC Berlin, Identiverse
About Identity at the Center
Identity at the Center is a weekly podcast all about identity security in the context of identity and access management (IAM). With decades of real-world IAM experience, hosts Jim McDonald and Jeff Steadman bring you conversations with news, topics, and guests from the identity management industry. Do you know who has access to what?