Identity at the Center

Jeff and Jim recap their week at KuppingerCole's EIC 2026 in Berlin, covering standout keynotes, hallway conversations, and sessions on securing AI agents, CIAM, and AI versus nuclear regulation. They announce a giveaway of Eve Maler's signed copy of Mastering Digital Identity for YouTube commenters by June 12th. The episode also features live footage and a full interview with Espen Bago, founder of IdentiBeer, recorded at the Berlin event. Jeff, Jim, and Espen discuss the rapid global growth of the IdentiBeer community, terminology challenges around NHI and IAM concepts, the gap between conference talk and real client needs, and why the industry keeps bypassing foundational data work in the rush toward AI and agentic identity.

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com

00:00:10 Welcome and EIC 2026 Setup
00:03:57 Eve Maler Book Giveaway Details
00:05:00 Conference Highlights: Keynotes and Hallway Con
00:06:07 Elizabeth Garber's Standing Ovation Keynote
00:07:02 Brazil Invitation and Securing AI Agents
00:09:10 Nuclear Regulation vs. AI Regulation
00:11:07 Upcoming EIC Episode Preview
00:14:16 IdentiBeer Berlin Live Event
00:14:29 Interview with Espen Bago Begins
00:15:14 IdentiBeer Growth and Global Expansion
00:17:23 The IdentiBeer Name Debate
00:23:26 Data Quality Gaps in NHI and IAM
00:26:31 Who Owns IAM Terminology?
00:34:20 Conference Talk vs. Client Reality
00:40:52 The HR-IAM Gap Nobody Talks About
00:43:17 Fundamentals: The Karate Kid Analogy

Keywords: EIC 2026, European Identity Conference, IdentiBeer, Espen Bago, Eve Maler, Elizabeth Garber, Mastering Digital Identity, Berlin, Identiverse, NHI, non-human identities, IAM fundamentals, AI regulation, agentic identity, IGA, PAM, CIAM, IDPro, identity community, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald

Jeff and Jim are back with the May 2026 mailbag, answering listener questions from Amsterdam, Mumbai, Austin, and Berlin. Topics include navigating IAM vendor acquisitions, defending against AI deepfakes in remote onboarding, governing contractor and third-party identities, fixing the leaver process in IGA, and tackling a decade of IAM technical debt. The episode closes with unpopular industry opinions: why RFPs are procurement theater, why rip and replace should be normalized, and why one-throat-to-choke vendor thinking usually backfires.

IDPro new member discount: https://idpro.org/idac/

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com

CHAPTER TIMESTAMPS
00:00 Intro and SNL nostalgia
03:25 AI model roundup: ChatGPT, Claude, Gemini, and usage limits
10:16 Identiverse 2026 and IDPro member discount
14:53 Q1: Navigating vendor acquisitions (Isabelle, Amsterdam)
24:00 Q2: AI deepfakes in identity verification (Rajan, Mumbai)
32:32 Q3: Contractor and third-party identity governance (Caleb, Austin)
43:00 Q4: The leaver process and IGA scope gaps (Anonymous)
51:10 Q5: Tackling IAM technical debt (Tomas, Berlin)
57:00 Normalizing rip and replace
01:01:00 RFPs, one throat to choke, and other hot takes
01:08:00 Wrap-up

KEYWORDS
IAM, identity governance, IGA, vendor consolidation, acquisitions, deepfakes, identity verification, contractor management, non-employee identity, technical debt, rip and replace, RFP, joiner mover leaver, leaver process, Identiverse 2026, IDPro, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald

Jeff and Jim welcome back Robert Snodgrass, Principal at RSM, for a deep dive into the RSM Middle Market Business Index cybersecurity report. The conversation covers the confidence gap facing middle market organizations, why digital identity remains undervalued despite being the primary attack surface, non-human identity governance, flat cybersecurity budgets, risk framework adoption, and what good incident response preparedness actually looks like. The episode wraps with a spirited Bitcoin Pizza Day toppings debate.

Connect with Robert: https://www.linkedin.com/in/robert-snodgrass-7a199412/

Review the RSM US Middle Market Business Index Special Report on Cybersecurity 2026: https://rsmus.com/middle-market/cybersecurity-mmbi.html?cmpid=ola:45559-idac:bb01

IDPro new member discount: https://idpro.org/idac/

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com

TIMESTAMPS
00:00:00 Introduction and Scatter Spider social engineering discussion
00:04:00 IDPro discount code and upcoming conferences
00:06:26 Guest intro: Robert Snodgrass and the MMBI report
00:09:05 Defining the modern middle market
00:12:00 The confidence gap: 96% confident, 18% breached
00:15:04 Why attackers log in and top identity investment priorities
00:19:00 Why only 23% of leaders prioritize digital identity
00:22:00 Internal partnerships as the path to identity program success
00:25:10 AI, shadow AI, and non-human identity risks
00:31:00 NHI governance at scale: 45 to 1 ratio
00:34:50 Cybersecurity budget realities in the middle market
00:39:00 EU regulation and top-line cybersecurity drivers
00:42:03 NIST CSF adoption and risk framework value
00:46:00 Incident response planning: the two-minute drill
00:52:16 Bitcoin Pizza Day and closing thoughts

KEYWORDS
identity security, middle market, cybersecurity, MMBI, RSM, Robert Snodgrass, phishing-resistant MFA, non-human identities, NHI, shadow AI, incident response, NIST CSF, IAM, identity governance, ransomware, tabletop exercises, digital identity, cybersecurity budget, identity program, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald

Episode 422 is the debut of Decoded by Identity at the Center, a new sub-series hosted by Jeff Steadman and Sean O'Dell dedicated to unpacking the specifications and standards powering IAM. Joining them is Pieter Kasselman, VP of Open Standards at Defakto and chair of the WIMSE working group. The conversation covers why traditional non-human identity approaches break at agentic scale, how SPIFFE and SPIRE enable short-lived automated credential provisioning without long-lived secrets, and why treating agents as workloads unlocks a decade of existing standards. Pieter walks through critical OAuth specs including JWT authorization grant, token exchange, client ID metadata, and the emerging transaction tokens draft. Sean connects these to practical gateway architecture, continuous access evaluation, and policy-based authorization. The episode closes with real-world deployment examples and a clear takeaway: the tools to secure agentic identity are available today.

Episode Links:Pieter Kasselman: https://www.linkedin.com/in/pieter-kasselman-0259862/AI Agent Authentication and Authorization: https://datatracker.ietf.org/doc/draft-klrc-aiagent-auth/Workload Identity in Multi-system environments (WIMSE): https://ietf-wg-wimse.github.io/OAuth SPIFFE Client Authentication: https://datatracker.ietf.org/doc/draft-ietf-oauth-spiffe-client-auth/Transaction Tokens: https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/08/Agentic Identity Control Framework. You Already Have the Pieces. Now Build It. by Sean O'Dell: https://www.linkedin.com/pulse/agentic-identity-control-framework-you-already-have-pieces-o-dell-61b5e/

Timestamps:
00:00 Introduction to Decoded by Identity at the Center
00:13 The mission of the Decoded sub-series
03:02 Guest intro: Pieter Kasselman, VP of Open Standards at Defakto
06:21 Why agentic identity is urgent: scale, multi-platform, and shifting threat landscape
10:42 The real cost of API keys and credential sprawl in agentic systems
13:23 Agentic identity identifiers and how SPIFFE assigns unique workload IDs
21:00 Credential types: X.509, JWTs, and workload identity tokens
31:00 Connecting SPIFFE to OAuth and dynamic registration with client ID metadata
38:18 SPIFFE SVIDs, multiple credentials per agent, and governance traceability
41:44 Authentication versus authorization: delegation versus impersonation
47:00 Transaction tokens: binding access to specific transactions to stop token theft
51:21 Identity chaining and cross-domain authorization
55:00 Shared Signals Framework and dynamic authorization
57:00 Gateways, CAEP, and mid-flight token revocation for rogue agents
59:31 What you can deploy today with SPIFFE, OAuth, and existing IDPs
01:02:58 Policy-based access control and why instance-level governance cannot scale
01:04:58 Workload identity federation: Anthropic and Google Agent ID updates
01:07:13 Cross-platform federation and the law of agentic utility
01:11:55 Elevator pitch: agents are workloads and 95% of the problem is solved now
01:17:03 What is coming next: a transaction tokens deep dive

Keywords:
agentic identity, SPIFFE, SPIRE, OAuth, transaction tokens, Shared Signals Framework, WIMSE, workload identity, non-human identity, authorization delegation, JWT, CAEP, API gateway, IAM standards, AIMS, Jeff Steadman, Sean O'Dell, Pieter Kasselman, IDAC, Identity at the Center, Jim McDonald, Decoded by Identity at the Center

Decoded by Identity at the Center:

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Sean O'Dell: https://www.linkedin.com/in/seanodentity/

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Visit the show on the web at https://idacdecoded.com/

Jeff and Jim welcome back Henrique Teixeira, SVP of Strategy at Saviynt, for his fourth appearance on the podcast. The episode opens with Jim's firsthand experience building an AI agent for a work project and discovering in real time how identity management challenges surface in the agentic era. After conference updates on EIC in Berlin and Identiverse in Las Vegas, Henrique unpacks the crowded terminology around AI agent governance, from Gartner's agent management platforms to UADP, the Unified Agentic Defense Platform. He proposes a three-pillar framework for managing AI and non-human identities: discovery, identity lifecycle and governance, and runtime access management, with guidance on where to start depending on whether your organization is greenfield or legacy-heavy. The conversation then examines how AI is reshaping the analyst business model, what makes information sources trustworthy, and how proprietary inquiry data forms the real competitive moat for firms like Gartner and Forrester. The episode closes with a wide-ranging discussion on AI's risk to shared cultural experiences, hyper-personalized entertainment, and the ethics of licensing your digital identity in the afterlife.

Connect with Henrique: https://www.linkedin.com/in/bernardes/

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com

00:00:00 Intro
00:00:55 Jim's AI Agent Experiment and Identity Lessons
00:06:04 Conference News: EIC and Identiverse
00:07:22 Identity Beer Community Events
00:08:40 Introducing Henrique Teixeira
00:12:00 AI Control Plane: Competing Terminologies
00:17:36 Three Pillars of AI Agent Identity Management
00:18:46 Why Visibility Matters More for NHI
00:20:00 Ownership, Accountability, and Humans at the Control Plane
00:24:26 Industry Maturity and the Gaps That Remain
00:25:41 Where to Start: Governance-First vs. Visibility-First
00:29:52 AI's Impact on the Analyst Profession
00:34:57 What Analyst Firms Have That AI Cannot Replace
00:39:04 Trust, Boutique Analysts, and Repeatability
00:44:34 Proprietary AI Chatbots and Gated Intelligence
00:49:30 IP Rights and the Legal Gray Zone of AI Training
00:52:14 AI and the Erosion of Shared Cultural Experience
00:58:00 AI Music, Personalized Entertainment, and the Future of Art
01:03:47 Digital Afterlife, Voice Clones, and AI Personas
01:08:18 Wrap-Up and Closing

Keywords: IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Henrique Teixeira, Saviynt, AI identity control plane, non-human identities, NHI, agentic AI, AI agents, AI governance, identity lifecycle, access management, discovery, agent management platform, UADP, IAM, Gartner, analyst firms, AI and culture, digital identity, identity security, EIC, Identiverse, identity beer