Risky Bulletin Podcast — Episode: Sponsored: What is Extended Identity Access Management?
Host: Casey Ellis
Guest: Fletcher Heisler, Founder & CEO of Authentic
Date: March 22, 2026
Episode Overview
This episode features an insightful conversation between Casey Ellis and Fletcher Heisler about the rapidly evolving landscape of Identity and Access Management (IAM). The discussion focuses on Authentic’s approach, highlighting the new concept of “Extended IAM,” its necessity in a digital environment teeming with human and non-human users (including AI agents and devices), and how the field is adapting to challenges around consolidation, security, and flexibility. The episode also touches on AI’s implications for identity security and upcoming conference activities.
Key Discussion Points and Insights
1. What is Extended IAM?
- Background: Authentic has introduced the Extended IAM (Identity and Access Management) acronym to reflect the modern demands for comprehensive identity management.
- Extended IAM Defined:
  - Encompasses all users: humans, non-human agents (e.g., AI bots), workforce, customers, and even customers’ customers.
  - Aims to unify management for all identities—across users and devices—under one platform.
  - Designed to work flexibly across multi-region, multi-cloud, on-premises, or hybrid environments.
  - Differentiates from traditional IDP (Identity Provider) solutions by going beyond human user SSO to address agent and device authentication, integration with health metrics, and seamless interoperability.
"Extended IAM is kind of that full user lifecycle for every possible user."
— Fletcher Heisler [01:50]
2. Market Drivers and Current Challenges
- Consolidation: Enterprises struggle with multiple, sometimes overlapping IDPs, which often require ad-hoc solutions like identity orchestration layers.
- Resiliency & Availability: Outages now affect not just employees, but also automated processes and service accounts capable of stalling entire organizations.
- Security Concerns: Organizations are wary of proprietary, cloud-only IDPs that act as opaque black boxes and may lack robust security histories.
"You have these duct tape solutions and solutions for solutions where you’ve seen things like identity orchestration... now you have three IDPs, you’re trying to balance them and you have another layer that could go down that’s kind of duct taping them all together."
— Fletcher Heisler [02:54]
"It’s not just a matter of some of my workers can’t get to some of their applications for a couple hours. None of us can do any business, especially our service accounts... everything grinds to a halt."
— Fletcher Heisler [03:27]
3. Flexibility & Integration
- Authentic vs. Market Players:
  - Authentic offers infrastructure that can quickly integrate new applications or protocols without requiring vendor involvement.
  - Emphasizes an open data model for rapid, tailored attribute or mapping changes.
"You don’t even have to wait on us if you need that data attribute, just read it in. If you need to map something out to a user, you could do that as well."
— Fletcher Heisler [04:49]
4. Agentic Identity & AI Implications
- Rise of Non-Human Users: Organizations must extend IAM principles to AI and automated agents, with the same guardrails as human users.
- Security Fundamentals Apply: Need for fine-grained permissions, infrastructure as code, and API-first approaches becomes even more essential.
- Current Duct Tape Solutions: Many "reinvented" architectures have emerged as AI users increase, stemming from legacy systems or insufficient application APIs.
"We’re kind of relearning all of the classic security lessons just with a new layer of a new type of user… if your AI agent is going to eventually be doing all the same tasks as humans… they need very fine grained permissions. You don't want to hand over the keys to the castle without knowing that you've done so..."
— Fletcher Heisler [05:33]
"Everything you should have been doing before is even more important... All of those become absolutely critical when some of your users are non-human users..."
— Fletcher Heisler [06:17]
5. Rejecting Forced “AI-Powered” Trends
- Product Philosophy: Authentic deliberately avoids adding AI just for trend’s sake, focusing on fundamentals and adopting AI tools only when they provide direct value.
"We're not trying to slap AI onto the product... we're not about to throw a chatbot into your IDP directly without a very strong need to do that."
— Fletcher Heisler [08:06]
“The idea that you guys are focused on fundamentals and now the deployment of AI by literally everyone else is kind of revealing the need for [that]…”
— Casey Ellis [08:49]
6. Community Presence & Open Source Activities
- BSIDES and RSA Events:
  - Authentic will present at BSIDES about sustaining and scaling open source security projects.
  - DevRel team presenting a talk on the quirky history of SSO.
  - Authentic will participate informally around RSA events.
"We have two different talks at BSIDES… our head of Devrel giving a really interesting talk on the history of SSO that goes into some bizarre corners of history I never knew about."
— Fletcher Heisler [09:12]
7. Open Access and Getting Started
- Product Adoption:
  - Authentic’s platform is mostly open source; users can try it via Docker Compose without signups.
  - Enterprises can easily schedule demos and engagement.
"Just head to the website... pretty much the vast majority of it is open source so don’t have to sign up for anything. You could just get started and try it out."
— Fletcher Heisler [09:56]
Notable Quotes & Memorable Moments
- On launching another acronym:
"I'm afraid we have unleashed yet another acronym on the world."
— Fletcher Heisler [00:19]
- On security lessons for AI users:
"We’re kind of relearning all of the classic security lessons just with a new layer of a new type of user."
— Fletcher Heisler [05:33]
- Product philosophy:
"We're not trying to slap AI onto the product."
— Fletcher Heisler [08:06]
- On the futility of superficial AI integration:
"We're not about to throw a chatbot into your IDP directly without a very strong need to do that."
— Fletcher Heisler [08:19]
Timestamps for Key Segments
- [00:14] — Introduction of "Extended IAM"
- [02:39] — Market drivers: consolidation, resiliency, and security
- [05:12] — Challenges with current stopgap solutions
- [05:33] — The rise of agentic (AI) identities
- [07:44] — Discussing AI in the security ecosystem
- [09:12] — Upcoming conferences and community talks
- [09:56] — How to access Authentic’s stack and get started
Summary and Takeaway
This episode highlights critical shifts in IAM necessitated by automation, AI, and device proliferation. Authentic’s “Extended IAM” presents a flexible, open, and robust alternative to legacy identity systems frequently requiring convoluted “duct tape” solutions. The company’s commitment to fundamentals, thoughtful use of AI, and openness to the community spotlight the next wave in secure, resilient, and seamless identity management.
For more information or to try Authentic’s solution:
Visit goauthentic.io (as shared by Fletcher Heisler [09:56]).
