Threat Vector Podcast: "The Kill Switch for AI Agents"

Date: January 22, 2026
Host: David Moulton (Palo Alto Networks)
Guest: Carrie Fred, Chief Security Officer at Telus

Episode Overview

This episode explores the critical intersection of identity management and AI, focusing on how organizations must address identity as the central foundation for deploying agentic AI (AI agents with the ability to take independent actions). David Moulton and Carrie Fred unpack why legacy approaches to identity are insufficient, the evolving threat landscape, and how cybersecurity leaders must proactively adapt to ensure trustworthy and auditable AI operations. They also discuss practical frameworks and recommendations for CISOs facing these new challenges.

Key Discussion Points & Insights

1. Origins & Background: Carrie's Path to Identity (02:01–04:18)

• Carrie’s Background:
  Carrie Fred shares her journey from being a computer science student working at Canada’s National Cryptologic Agency (akin to the NSA) to leading security at Telus. Her early work highlighted practical access and identity challenges—issues foundational to today’s AI landscape.

• Early Identity Lessons:
  Realization of access control as a critical security component:

  “One of my customers came to me and said, all of this information in the web server is available to everybody ... we need that kind of functionality. ... Thus began my journey on developing security models and security overlays…” —Carrie Fred (02:39)

2. Identity as the “Third Rail” & Organizational Challenges (04:18–09:41)

• Identity Disputes:
  Organizations wrestle with the “source of truth” for employee data—HR vs. Finance—demonstrating the complexity and politics of centralizing identity systems.

• Reluctance to Address Identity:
  Security leaders have historically avoided tackling identity due to its complexity and entrenched turf wars:

  “Identity was the third rail, the last thing any security leader wanted to touch … here we are at a point where our hand is forced.” —David Moulton (06:11)

• Consequences of Inaction:
  As AI advances, failure to modernize identity practices carries dangerous risks:

  “Over 80% of the breaches ... are happening because of identities that are being compromised. ... You can just imagine ... the great success that the threat actor community is going to have if it gets control of ... agents with agency…” —Carrie Fred (07:11)
  She emphasizes that organizations are at an “inflection point,” needing to either remediate legacy practices or face escalating threats.

3. Driving Industry Guidance: The Signet Community and Maturity Models (09:41–13:45)

• No Standard Identity Frameworks:
  There’s a lack of NIST-like frameworks or maturity models specifically for identity, making it hard for organizations to assess themselves.

  “We looked into the traditional information security and cybersecurity community for guidance on identity and found that it just didn’t exist… So we set out to … develop what good looks like.” —Carrie Fred (10:52)

• AI on Top of Identity:
  The solution: develop a data plane above existing systems so AI can manage identity at scale, flagging risks, and revoking access in real time.

• Key Takeaway:
  Human-driven identity management can’t keep pace with AI-scale automation—organizations must use AI to manage the identity environment itself.

4. Why Identity Must Come Before AI Guardrails (13:45–18:26)

• The Auditability Imperative:
  If AI agents act without well-defined, unique identities, organizations lose the ability to determine accountability and perform forensic analysis:

  “How are we going to know the difference between what Carrie the human was doing or what Carrie’s agent was doing? ... Identity and agents is not just about saying, does it have this ID ... it’s also about its cryptographic root of trust...” —Carrie Fred (14:07)

• Shortcomings of Current Systems:
  Technologies like Active Directory and popular IDPs aren’t built for agentic AI context, though some vendors (e.g., CyberArk) are starting to address this gap.

5. Early Warning Signs: Assessing Readiness for Agentic AI (18:26–20:53)

• Maturity Model Usage:
  The maturity model Carrie helped create can help organizations assess their non-human identity management readiness; look for weaknesses like lack of inventory, missing governance, and insufficient tooling.

• Industry Readiness:
  "95% of organizations haven’t even thought about it ... that’s the state of agentic AI and identity." —Carrie Fred (20:12)

6. The Vision: AI-Native Identity Fabric (20:53–24:28)

• What Is Needed:
  A unified, AI-powered “control plane” that integrates identity data from HR, finance, IT, and more, supporting both human and non-human actors:

  “Let’s take all the data up into a single control plane ... then we can train models that understand what the big picture looks like…” —Carrie Fred (21:37)

• Why It Matters:
  Only automation can scale with AI-driven environments—humans can’t manually provision, audit, or revoke access at machine speed.

7. Recommendations for CISOs & Security Leaders (24:28–27:17)

• Start with Self-Assessment:
  Use the maturity model to baseline current capabilities. Address foundational gaps first.

• Leverage Vendors’ Connectors:
  Engage with IDP and security vendors—prioritize tools that unify data from diverse identity sources and provide actionable visibility.

• The Next Step:
  Move from passive monitoring to automated defense (e.g., instant revocation of access at “machine speed”).

8. Delegated Authority & Access in an AI World (27:17–30:49)

• Necessity of Delegated Roles:

  “We have to have delegated authorities ... If I think about a wire transfer in my bank account, I might be willing to let an agent ... pay that ... but anything over $250, I’d like the human in the loop.” —Carrie Fred (28:50)

• Key Principles:

  • Role-based access control (RBAC)
  • Fine-grained privileges
  • Human-in-the-loop for sensitive actions

• Platform Responsibility:
  Urges vendors to give users granular control, avoiding “all-or-nothing” agent privileges.

9. Hopes & Concerns for the Future (30:49–33:18)

• What Excites Carrie:
  AI has created a sense of urgency for finally solving long-standing identity challenges:

  “There is, at least for the moment, some urgency ... I like what I’m hearing from the leaders in the industry ... I’m starting to see them come out with things that says yes, we understand the gravity of this, we’re working on fixing it.” —Carrie Fred (31:25)

• What Worries Her:
  The risk of going too fast and repeating old mistakes, creating new attack surfaces before foundational security is in place.

• Call to Action:
  Lay the groundwork now to avoid history repeating itself (e.g., not letting identity debt persist as vulnerability for 15–20 years as happened after previous Internet transitions).

Notable Quotes & Memorable Moments

• On facing legacy inertia:

  “We are at this inflection point ... We can choose to try and fix some of the legacy identity infrastructure that AI will crumble on if we don’t fix it.” —Carrie Fred (07:45)

• On auditability of AI agents:

  "Either way, if these agents aren’t attached to anything, right, then they’re going to go off and do things either as you ... how are we going to know the difference?" —Carrie Fred (15:00)

• On industry readiness:

  "I’m going to postulate that 95% of organizations haven’t even thought about it. So I think that’s just the state of agentic AI and identity." —Carrie Fred (20:15)

• On the future of identity controls:

  “Role-based access control, fine-grained privileges, really common concepts from the world of cybersecurity, but that are typically the exception rather than the rule.” —Carrie Fred (29:31)

Timestamps for Key Segments

• Opening & Introduction to Carrie Fred and Theme: 00:12–01:59
• Carrie’s Background & Early Identity Lessons: 02:01–04:18
• The “Third Rail” of Identity in Security: 06:11
• Threat Shift to Identity Compromise: 07:11–09:41
• Signet Community and the Maturity Model for Identity: 10:04–13:45
• Necessity of Identity Before Deploying AI Agents: 13:45–18:26
• Readiness Indicators and Industry State: 18:38–20:53
• AI-Native Identity Fabric Vision: 20:53–24:28
• Practical Advice for CISOs: 24:42–27:17
• Delegated Authority and Fine-Grained Privileges: 27:28–30:49
• Future: Excitements and Worries: 31:25–33:18

Tone & Language

Carrie Fred brings a pragmatic, candid, and occasionally urgent tone, emphasizing both the complexity and the necessity of finally addressing identity as critical infrastructure—especially in the context of AI. David Moulton steers the conversation to practical implications and industry leadership.

Summary

This episode issues a clear challenge to cybersecurity leaders: AI will force organizations to confront and solve legacy identity weaknesses. Without urgent progress towards unified, auditable, and automated identity fabrics—including rigorous role-based controls and non-human identity management—organizations risk devastating consequences as AI agents proliferate.

Carrie Fred’s advice: start with realistic self-assessment, use available maturity models, work with vendors for connected identity solutions, and prioritize controls that balance agent autonomy with robust, granular oversight. Now is the time to lay the groundwork before threat actors exploit new vulnerabilities at scale.

For those looking for practical frameworks and deeper exploration, Carrie Fred’s practitioner guidance and maturity model (linked in show notes) are recommended resources.