
Hosted by Identity at the Center · EN

Recorded live at EIC 2026 in Berlin, Jeff and Jim sit down with Martin Sandren, IAM Product Lead at IKEA, for a wide-ranging conversation covering nearly every corner of modern identity security. Martin shares what has changed since his first IDAC appearance on episode 293, including the rise of AI, growing interest in digital sovereignty, and the maturing shared signals framework. The conversation moves through risk-based defense in depth, tiered MFA rollout strategies, session management, and the real challenge of trusting AI to make security decisions. Martin introduces identity dark matter and explains how IVIP can surface the 95-plus percent of applications that never reach an IGA system. The episode also covers shadow AI, MCP server risks, the SaaSpocalypse debate, and the EU AI Act. It closes on a grounded note: solar panels.

Connect with Martin: https://www.linkedin.com/in/martinsandren/

Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com

TIMESTAMPS
00:00 Welcome and EIC 2026 intro
01:47 What has changed in two years: AI, sovereignty, shared signals
03:06 Martin's EIC presentations: AI for IAM and IAM for AI
04:46 Can you prioritize one direction over the other?
07:13 What would it take to trust AI making identity decisions?
09:32 AI-enhanced detection and risk-based session management
13:07 Session invalidation and the shared signals framework
14:11 Defense in depth and right-sizing privileges
18:25 MFA today: any MFA versus phish-resistant MFA
19:17 AI chatbots, enterprise LLMs, and shadow AI
23:11 MCP servers, NHI risk, and return on risk thinking
27:00 AI configuring IAM systems: how close are we?
31:30 LLM costs, the SaaSpocalypse, and enterprise AI futures
40:10 Identity dark matter and the IVIP concept
44:16 CMDB versus IVIP: do you need both?
46:18 The EU AI Act and building an AI governance registry
49:18 Where to start: get your AI inventory in place first
50:00 Closing thoughts and the solar panel tangent

KEYWORDS
AI for IAM, IAM for AI, identity dark matter, IVIP, IGA, shared signals framework, phish-resistant MFA, defense in depth, session management, MCP servers, NHI, shadow AI, SaaSpocalypse, EU AI Act, AI governance, zero standing privilege, EIC 2026, IKEA, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Martin Sandren

This episode is presented courtesy of SailPoint. Rob Sebaugh, Senior Identity Strategist at SailPoint, joins Jeff and Jim for a wide-ranging conversation on the past, present, and future of identity governance. Rob brings more than two decades of practitioner experience to the table, including 16 years running large-scale identity programs before making the move to the vendor side. The conversation covers what identity governance means today, why it must move to the forefront rather than be treated as an afterthought in an agentic world, and how organizations need to think fundamentally differently about non-human identities. Jeff and Jim explore the concept of treating AI as a first-class identity, how AI is beginning to replace rubber-stamp access certifications, the shift toward policy-based access control, and the practical path toward zero standing privilege. The episode wraps with a lighter conversation about Rob's 3D printing hobby.

About SailPoint:
SailPoint (Nasdaq: SAIL) is defining the new era of adaptive identity security. In a world where non-human identities now significantly outnumber humans, our AI-powered platform unifies identity, security, and data intelligence to protect today's enterprise from advanced identity-based threats. We deliver the identity solution that spans both the breadth of identities and the depth of context needed to drive real-time access with confidence. Built on principles like zero-standing privilege and contextualized risk, our SailPoint platform transforms identity from a point of vulnerability into a powerful security advantage. Trusted by many of the world's leading organizations, SailPoint secures the enterprise with intelligent, autonomous identity security.

Learn more about SailPoint: https://www.sailpoint.com/

Connect with Rob: https://www.linkedin.com/in/rob-sebaugh-1ba9013/

Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com

Timestamps:
00:00 Introduction
00:48 Rob Sebaugh and the identity strategist role at SailPoint
04:38 Practitioner advice from the field
07:49 What SailPoint does: the hotel key analogy
11:04 Buying identity technology means buying a business process
13:30 What identity governance is and why it still matters
16:47 Risk-appropriate governance and privileged access
19:39 Non-human identities and the scale of the agentic challenge
22:57 Treating AI as a first-class identity
24:28 When AI makes governance decisions: beyond rubber stamping
28:04 Is identity governance a binary decision?
29:58 Securing data inside AI and large language models
34:09 Identity: the field that reinvents itself
35:01 Identity as the new control plane
37:21 Is all access privileged access?
40:25 Zero standing privilege in practice
44:22 Innovation, continuous identity, and what SailPoint is building
46:28 Identity posture management
50:13 Practitioner advice for the next three to five years
53:00 The future of IGA in ten years
57:44 Lighter note: 3D printing with Rob Sebaugh
1:05:35 Final thoughts on SailPoint

Keywords: Rob Sebaugh, SailPoint, identity governance, identity security, IGA, non-human identities, agentic AI, zero standing privilege, just-in-time access, identity posture management, control plane, zero trust, policy-based access control, AI certification, rubber stamping, sponsor spotlight, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald

Recorded live at EIC 2026 in Berlin, Jeff and Jim sit down with Thomas Zarnhofer, IAM Architect at a major retail company in central Europe. Thomas shares his experience leading a full IGA transformation from a decade-old on-premise system to a modern cloud-based platform. The conversation covers the shift from a contract-based to a person-based identity model, the importance of cleaning data before migration begins, a three-phase framework of Foundation, Migration, and Adoption, lessons learned from running two systems in parallel, and a look at how AI could make IGA predictive. The episode ends with Thomas's tips for visiting Austria.

Connect with Thomas: https://www.linkedin.com/in/tzarnhofer/

Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com

Timestamps
00:00 Introduction and EIC 2026 Setting
02:00 Thomas's Identity Origin Story
04:21 The Catalyst for IGA Modernization
07:43 Contract-Based vs Person-Based Identity Models
09:22 Consolidating Master Data Sources
11:39 Data Quality and Attribute Ownership
13:34 Partnering with HR for Clean Data
16:43 Data Analysis: Why They Chose Excel Over AI
17:53 Clean Your Data Before You Migrate
18:23 The Three Phases: Foundation, Migration, Adoption
20:12 Driving Adoption Across the Organization
21:10 Running Two Systems in Parallel
22:47 Challenge Everything vs Lift and Shift
27:23 Surprises in the Cloud IGA Journey
29:02 Testing Requirements in the Cloud
29:51 AI and the Future of IGA
32:25 AI Chatbots and Role Discovery
35:30 Scoping Business Role Visibility
36:06 Life Outside IAM: Travel and Austria Tips

Keywords:
IAM, IGA, Identity Governance, IGA Migration, On-Premises to Cloud, Identity Model, Contract-Based Identity, Person-Based Identity, Master Data, Data Quality, HR Integration, Joiner Mover Leaver, Cloud IGA, Retail IAM, EIC 2026, AI in IGA, Predictive IGA, Role Management, Access Governance, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Thomas Zarnhofer

Jeff and Jim are joined by Heather Flanagan, Content Chair, and Andi Hindle, Conference Chair, for a full preview of Identiverse 2026 at Mandalay Bay in Las Vegas. They cover the 2026 theme of trust and change, why AI was removed as a standalone track and redistributed across all content areas, the provocative argument that non-human access now dramatically outpaces human access and is reshaping identity system design, whether authentication is truly solved, authorization as the harder unsolved problem, CFP surprises, networking events including Women at Identiverse, and predictions for 2027. Save 30% with code IDV26-IDAC30%. New IDPro members save $25 at idpro.org/idac.

Connect with Heather: https://www.linkedin.com/in/hlflanagan/

Connect with Andi: https://www.linkedin.com/in/ahindle/

Identiverse 2026: https://events.identiverse.com/2026/begin?code=IDV26-IDAC30%25

Heather's IAM Conference List: https://github.com/fedidcg/meetings/wiki/2026-List-of-Identity-and-Related-Conferences-and-Standards-Development-Events

Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com

TIMESTAMPS
00:00:00 Introduction and SolarWinds breach banter
00:03:27 Identiverse preview and discount codes
00:06:10 Guest introductions
00:06:52 Role of Content Chair
00:08:46 Role of Conference Chair
00:11:16 2026 conference theme
00:15:00 AI as context, not a standalone track
00:16:32 Control plane vs enablement plane debate
00:22:19 What the industry is underestimating
00:24:00 Non-human access outpaces human access
00:26:52 Is authentication solved? Passkeys
00:30:31 Authorization: far from solved
00:36:04 Extensibility in standards and deployments
00:38:22 CFP surprises: fraud and identity proofing
00:41:48 Usability and UX gaps
00:43:18 Agentic AI: identity or governance?
00:47:55 Networking and newcomer programming
00:51:45 Women at Identiverse
00:52:46 AI-generated CFP submissions
00:55:00 Predictions for Identiverse 2027
00:58:04 Theme songs for Identiverse 2026
01:02:58 Heather's identity conference list on GitHub
01:04:47 Swag culture at identity conferences
01:12:25 Wrap-up

KEYWORDS
Identiverse 2026, Heather Flanagan, Andi Hindle, identity conference, NHI, non-human identity, agentic AI, passkeys, authentication, authorization, IAM, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, digital identity, continuous identity architecture, zero standing privilege, verifiable credentials, identity governance

This episode and the Identity at the Center podcast are supported by CrowdStrike. Learn more at crowdstrike.com.

Jeff Steadman and Jim McDonald sit down with Scott Kriz, GM of Continuous Identity at CrowdStrike, for a deep dive into continuous identity, zero standing access, and the convergence of identity and security. Scott traces his path from co-founding Bitium, to selling it to Google Cloud, to building SGNL and ultimately joining CrowdStrike. The conversation covers how continuous identity works in practice, why traditional PAM and IGA fall short in a real-time world, and what the rise of agentic AI means for identity governance at scale.

Connect with Scott: https://www.linkedin.com/in/scottkriz/

Learn more about CrowdStrike: https://www.crowdstrike.com/en-us/platform/next-gen-identity-security/caep/?idac

Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com

00:00:00 Introduction and welcome
00:01:21 How Scott got into identity and co-founded Bitium
00:03:55 Selling to Google Cloud and the inspiration for SGNL
00:05:02 Continuous identity and zero standing access explained
00:09:13 Defining continuous identity at CrowdStrike
00:10:20 How continuous identity differs from PAM and IGA
00:15:06 Data as the foundation for continuous identity
00:19:29 Open ecosystems, Shared Signals Framework, and CAEP
00:25:26 Agents, identity chaining, SPIFFE, SPIRE, and MCP gateways
00:33:02 Identity inside CrowdStrike's broader security strategy
00:37:27 Identity security budgets and ROI-driven purchasing
00:40:04 Agentic scale and the need for automated identity controls
00:43:39 The SGNL acquisition: what it means for both companies
00:50:25 Zero trust as a real architectural framework
00:54:00 Helicopter skiing, avalanches, and staying present

Keywords: IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Scott Kriz, CrowdStrike, SGNL, continuous identity, zero standing access, PAM, IGA, zero trust, agentic AI, non-human identity, NHI, SPIFFE, SPIRE, MCP, identity security, real-time authorization, cybersecurity

Jeff and Jim recap their week at KuppingerCole's EIC 2026 in Berlin, covering standout keynotes, hallway conversations, and sessions on securing AI agents, CIAM, and AI versus nuclear regulation. They announce a giveaway of Eve Maler's signed copy of Mastering Digital Identity for YouTube commenters by June 12th. The episode also features live footage and a full interview with Espen Bago, founder of IdentiBeer, recorded at the Berlin event. Jeff, Jim, and Espen discuss the rapid global growth of the IdentiBeer community, terminology challenges around NHI and IAM concepts, the gap between conference talk and real client needs, and why the industry keeps bypassing foundational data work in the rush toward AI and agentic identity.

Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com

00:00:10 Welcome and EIC 2026 Setup
00:03:57 Eve Maler Book Giveaway Details
00:05:00 Conference Highlights: Keynotes and Hallway Con
00:06:07 Elizabeth Garber's Standing Ovation Keynote
00:07:02 Brazil Invitation and Securing AI Agents
00:09:10 Nuclear Regulation vs. AI Regulation
00:11:07 Upcoming EIC Episode Preview
00:14:16 IdentiBeer Berlin Live Event
00:14:29 Interview with Espen Bago Begins
00:15:14 IdentiBeer Growth and Global Expansion
00:17:23 The IdentiBeer Name Debate
00:23:26 Data Quality Gaps in NHI and IAM
00:26:31 Who Owns IAM Terminology?
00:34:20 Conference Talk vs. Client Reality
00:40:52 The HR-IAM Gap Nobody Talks About
00:43:17 Fundamentals: The Karate Kid Analogy

Keywords: EIC 2026, European Identity Conference, IdentiBeer, Espen Bago, Eve Maler, Elizabeth Garber, Mastering Digital Identity, Berlin, Identiverse, NHI, non-human identities, IAM fundamentals, AI regulation, agentic identity, IGA, PAM, CIAM, IDPro, identity community, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald

Jeff and Jim are back with the May 2026 mailbag, answering listener questions from Amsterdam, Mumbai, Austin, and Berlin. Topics include navigating IAM vendor acquisitions, defending against AI deepfakes in remote onboarding, governing contractor and third-party identities, fixing the leaver process in IGA, and tackling a decade of IAM technical debt. The episode closes with unpopular industry opinions: why RFPs are procurement theater, why rip and replace should be normalized, and why one-throat-to-choke vendor thinking usually backfires.

IDPro new member discount: https://idpro.org/idac/

Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com

CHAPTER TIMESTAMPS
00:00 Intro and SNL nostalgia
03:25 AI model roundup: ChatGPT, Claude, Gemini, and usage limits
10:16 Identiverse 2026 and IDPro member discount
14:53 Q1: Navigating vendor acquisitions (Isabelle, Amsterdam)
24:00 Q2: AI deepfakes in identity verification (Rajan, Mumbai)
32:32 Q3: Contractor and third-party identity governance (Caleb, Austin)
43:00 Q4: The leaver process and IGA scope gaps (Anonymous)
51:10 Q5: Tackling IAM technical debt (Tomas, Berlin)
57:00 Normalizing rip and replace
01:01:00 RFPs, one throat to choke, and other hot takes
01:08:00 Wrap-up

KEYWORDS
IAM, identity governance, IGA, vendor consolidation, acquisitions, deepfakes, identity verification, contractor management, non-employee identity, technical debt, rip and replace, RFP, joiner mover leaver, leaver process, Identiverse 2026, IDPro, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald

Jeff and Jim welcome back Robert Snodgrass, Principal at RSM, for a deep dive into the RSM Middle Market Business Index cybersecurity report. The conversation covers the confidence gap facing middle market organizations, why digital identity remains undervalued despite being the primary attack surface, non-human identity governance, flat cybersecurity budgets, risk framework adoption, and what good incident response preparedness actually looks like. The episode wraps with a spirited Bitcoin Pizza Day toppings debate.

Connect with Robert: https://www.linkedin.com/in/robert-snodgrass-7a199412/

Review the RSM US Middle Market Business Index Special Report on Cybersecurity 2026: https://rsmus.com/middle-market/cybersecurity-mmbi.html?cmpid=ola:45559-idac:bb01

IDPro new member discount: https://idpro.org/idac/

Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com

TIMESTAMPS
00:00:00 Introduction and Scattered Spider social engineering discussion
00:04:00 IDPro discount code and upcoming conferences
00:06:26 Guest intro: Robert Snodgrass and the MMBI report
00:09:05 Defining the modern middle market
00:12:00 The confidence gap: 96% confident, 18% breached
00:15:04 Why attackers log in and top identity investment priorities
00:19:00 Why only 23% of leaders prioritize digital identity
00:22:00 Internal partnerships as the path to identity program success
00:25:10 AI, shadow AI, and non-human identity risks
00:31:00 NHI governance at scale: 45 to 1 ratio
00:34:50 Cybersecurity budget realities in the middle market
00:39:00 EU regulation and top-line cybersecurity drivers
00:42:03 NIST CSF adoption and risk framework value
00:46:00 Incident response planning: the two-minute drill
00:52:16 Bitcoin Pizza Day and closing thoughts

KEYWORDS
identity security, middle market, cybersecurity, MMBI, RSM, Robert Snodgrass, phishing-resistant MFA, non-human identities, NHI, shadow AI, incident response, NIST CSF, IAM, identity governance, ransomware, tabletop exercises, digital identity, cybersecurity budget, identity program, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald

Episode 422 is the debut of Decoded by Identity at the Center, a new sub-series hosted by Jeff Steadman and Sean O'Dell dedicated to unpacking the specifications and standards powering IAM. Joining them is Pieter Kasselman, VP of Open Standards at Defakto and chair of the WIMSE working group. The conversation covers why traditional non-human identity approaches break at agentic scale, how SPIFFE and SPIRE enable short-lived automated credential provisioning without long-lived secrets, and why treating agents as workloads unlocks a decade of existing standards. Pieter walks through critical OAuth specs including JWT authorization grant, token exchange, client ID metadata, and the emerging transaction tokens draft. Sean connects these to practical gateway architecture, continuous access evaluation, and policy-based authorization. The episode closes with real-world deployment examples and a clear takeaway: the tools to secure agentic identity are available today.

Episode Links:
Pieter Kasselman: https://www.linkedin.com/in/pieter-kasselman-0259862/
AI Agent Authentication and Authorization: https://datatracker.ietf.org/doc/draft-klrc-aiagent-auth/
Workload Identity in Multi-system environments (WIMSE): https://ietf-wg-wimse.github.io/
OAuth SPIFFE Client Authentication: https://datatracker.ietf.org/doc/draft-ietf-oauth-spiffe-client-auth/
Transaction Tokens: https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/08/
Agentic Identity Control Framework. You Already Have the Pieces. Now Build It. by Sean O'Dell: https://www.linkedin.com/pulse/agentic-identity-control-framework-you-already-have-pieces-o-dell-61b5e/

Timestamps:
00:00 Introduction to Decoded by Identity at the Center
00:13 The mission of the Decoded sub-series
03:02 Guest intro: Pieter Kasselman, VP of Open Standards at Defakto
06:21 Why agentic identity is urgent: scale, multi-platform, and shifting threat landscape
10:42 The real cost of API keys and credential sprawl in agentic systems
13:23 Agentic identity identifiers and how SPIFFE assigns unique workload IDs
21:00 Credential types: X.509, JWTs, and workload identity tokens
31:00 Connecting SPIFFE to OAuth and dynamic registration with client ID metadata
38:18 SPIFFE SVIDs, multiple credentials per agent, and governance traceability
41:44 Authentication versus authorization: delegation versus impersonation
47:00 Transaction tokens: binding access to specific transactions to stop token theft
51:21 Identity chaining and cross-domain authorization
55:00 Shared Signals Framework and dynamic authorization
57:00 Gateways, CAEP, and mid-flight token revocation for rogue agents
59:31 What you can deploy today with SPIFFE, OAuth, and existing IDPs
01:02:58 Policy-based access control and why instance-level governance cannot scale
01:04:58 Workload identity federation: Anthropic and Google Agent ID updates
01:07:13 Cross-platform federation and the law of agentic utility
01:11:55 Elevator pitch: agents are workloads and 95% of the problem is solved now
01:17:03 What is coming next: a transaction tokens deep dive

Keywords:
agentic identity, SPIFFE, SPIRE, OAuth, transaction tokens, Shared Signals Framework, WIMSE, workload identity, non-human identity, authorization delegation, JWT, CAEP, API gateway, IAM standards, AIMS, Jeff Steadman, Sean O'Dell, Pieter Kasselman, IDAC, Identity at the Center, Jim McDonald, Decoded by Identity at the Center

Decoded by Identity at the Center:
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Sean O'Dell: https://www.linkedin.com/in/seanodentity/
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Visit the show on the web at https://idacdecoded.com/

Jeff and Jim welcome back Henrique Teixeira, SVP of Strategy at Saviynt, for his fourth appearance on the podcast. The episode opens with Jim's firsthand experience building an AI agent for a work project and discovering in real time how identity management challenges surface in the agentic era. After conference updates on EIC in Berlin and Identiverse in Las Vegas, Henrique unpacks the crowded terminology around AI agent governance, from Gartner's agent management platforms to UADP, the Unified Agentic Defense Platform. He proposes a three-pillar framework for managing AI and non-human identities: discovery, identity lifecycle and governance, and runtime access management, with guidance on where to start depending on whether your organization is greenfield or legacy-heavy. The conversation then examines how AI is reshaping the analyst business model, what makes information sources trustworthy, and how proprietary inquiry data forms the real competitive moat for firms like Gartner and Forrester. The episode closes with a wide-ranging discussion on AI's risk to shared cultural experiences, hyper-personalized entertainment, and the ethics of licensing your digital identity in the afterlife.

Connect with Henrique: https://www.linkedin.com/in/bernardes/

Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com

00:00:00 Intro
00:00:55 Jim's AI Agent Experiment and Identity Lessons
00:06:04 Conference News: EIC and Identiverse
00:07:22 Identity Beer Community Events
00:08:40 Introducing Henrique Teixeira
00:12:00 AI Control Plane: Competing Terminologies
00:17:36 Three Pillars of AI Agent Identity Management
00:18:46 Why Visibility Matters More for NHI
00:20:00 Ownership, Accountability, and Humans at the Control Plane
00:24:26 Industry Maturity and the Gaps That Remain
00:25:41 Where to Start: Governance-First vs. Visibility-First
00:29:52 AI's Impact on the Analyst Profession
00:34:57 What Analyst Firms Have That AI Cannot Replace
00:39:04 Trust, Boutique Analysts, and Repeatability
00:44:34 Proprietary AI Chatbots and Gated Intelligence
00:49:30 IP Rights and the Legal Gray Zone of AI Training
00:52:14 AI and the Erosion of Shared Cultural Experience
00:58:00 AI Music, Personalized Entertainment, and the Future of Art
01:03:47 Digital Afterlife, Voice Clones, and AI Personas
01:08:18 Wrap-Up and Closing

Keywords: IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Henrique Teixeira, Saviynt, AI identity control plane, non-human identities, NHI, agentic AI, AI agents, AI governance, identity lifecycle, access management, discovery, agent management platform, UADP, IAM, Gartner, analyst firms, AI and culture, digital identity, identity security, EIC, Identiverse, identity beer