David Moulton (4:18)

So you mentioned that you worked in government intelligence and in communication. What experiences from your past have most shaped your view on identity as the foundation for secure AI?

Carrie Fred (4:34)

One of the things that I learned was that there was a huge debate in the organization over who was the source of truth. So the HR department argued that they were the source of truth because they hired people and paid them. And the finance department argued that they were the source of truth because they were actually the ones that paid people. And I went to meetings for three years where they fought with each other like cats and dogs over that issue. But I could never resolve it because they couldn't agree on should I take the data from the HR system or the finance system. So I had to build a hybrid. And I secretly argued that, you know, my identity system was a source of truth because that's what all of the systems in the network were using to decide what you got. So in some ways it didn't even matter. But not having a single source of truth was a great part of it. The second was that, you know, it's only your access that matters. So you could work at the organization, be paid. If you didn't have access to anything, then you couldn't do your job right. So the power was secretly in it. But you know, we just, we just didn't lord it over people. And then I started to learn all about how people engaged with their identity and with others identities, which, which was to say, you know, they quite often challenged what they thought should be going on in the system, what privileges that they had and in many cases, people made attempts to circumvent or avoid those guardrails in order to have less friction in their job. And by that I mean granting ourselves local access permissions and super user permissions on computers and desktop computers and laptops and all banner of that type of thing.

David Moulton (6:11)

So one of the consistent things I've heard in talking to CISOs, whether it was on this podcast or in a previous role where I was designing software, was identity was the third rail, the last thing any security leader wanted to touch. They'd fix the sim, they'd fix the firewalls, they'd work on policy grc. It didn't matter anything, just as long as touching identity was the last thing they did before they got fired. Because that was the, you know, there were six different identity systems and everyone wanted to keep theirs and none of them worked quite right. And yet here we are at a point where our hand is forced. I don't think that we can go into this age of AI without understanding how to map identity to agents. Are we getting to the point where our hand is forced? And we're going to have to, as organizations agree on how this works and if we don't, what are some of the consequences that you see coming?

Carrie Fred (7:11)

So our hand isn't forced and I'll explain why, but there are definitely consequences. And if we start on the consequences piece, the cyber threat actors out there have laid the table for us because over 80% of the breaches that are happening around the world now are happening because of identities that are being compromised. So we've seen this whole shift in cybersecurity from the deployment of malicious software and the methodology that went along with that and ransomware and et cetera, you name it, to really, you know, most, most of the threat actor groups abandoning that and focusing just on compromised identities and living off the land attacks, meaning you can log in and conduct attacks with legitimate identities. Organizations don't realize it's not you logging in. That's an, it's an imposter. And it's really easy to exfiltrate information and it's a cheaper attack. So they're smart, they're smart business people and they go, you know, why worry about developing new sources of malware and reverse engineering technologies and finding zero day vulnerabilities and all of those very expensive activities when we can easily steal employee identities, login as them find their elevated privileges and you know, we can have the same outcome. So that is now, you know, I mean, in terms of discussing identity as the third rail that was before any of this was an effective threat. Now it's the effective threat combined with identity being the third rail. And so if you're going to build this new foundation of agentic AI on top of that, you can just imagine or foretell, you know, the great success that the threat actor community is going to have if it gets control of, you know, what we call agents with agency, meaning that they have all these permissions and abilities to do things. And therefore, we are at this inflection point where we have a choice in front of us. We can choose to try and fix some of the legacy identity infrastructure that AI will crumble on if we don't fix it. And we can also try and ensure that as agentic AI develops, that we're putting forth the best practices in identity that we know about, and that in many ways we have made the choice not to implement in our organizations for the past 20 years, and it'll provide a much more secure future for the Internet and AI and humanity. But we can absolutely choose not to do that and reap the consequences as well.

David Moulton (9:41)

So when you were collaborating on your practitioner guidance that you've published out on a couple of sites I've seen, you shared the links with me. Medium comes to mind. And then the signup piece, what problems were you trying to solve for the security leaders? And I'm curious, what did you learn as you were collaborating on writing this piece?

Carrie Fred (10:04)

Yeah. So in terms of the signet community, just to give a little bit of the background there. So that's a network of CISOs and innovators that I've been a part of for going on 20 years now. And at a, and at a private meeting that we had a year and a half ago, we talked about what's the number one problem in cybersecurity that our community sees. And we all agreed with a consensus that it was identity. And we agreed to formulate a working group to talk about, you know, what we should do about it. And in parallel, generative AI was evolving into agentic AI. And so those two things very much came together in terms of that process. And so here are a number of things that we learned. One was we looked into the traditional information security and cybersecurity community for guidance on identity and found that it just didn't exist. And, for example, what I mean by that is if you go and look for the equivalent of the NIST framework in cybersecurity, but you look for that in identity, or you look for a maturity model and ask what Can I baseline my company's identity practices against to determine how mature I am? Those types of things simply did not exist in the, in the form that we needed them. So we, we knew right away what we wanted to write about, which was to develop that type of guidance and to develop a maturity model so that companies and organizations facing this challenge could easily agree, yes, we have this challenge, but how do we know what good looks like? And so we set out to, you know, develop what good looks like. And, and many of those discussions that the working group had, we talked about that conflict in organizations between the single source of truth. We talked about the legacy technologies and the turf wars over workforce and consumer identity. And part of the conclusion that we reached is the CISO is not going to change that. Not even the CEO is going to change that. There's been too much investment, there's too much operational capability. We're not going to go and start transforming and revolutionizing those systems. So we needed to come up with a framework that said we're going to accept that those things are there. You know, organizations have been around for a long time, are going to have a lot of, you know, identity pedigree and technical debt and things that they can't change. And even new organizations that are cloud, native or, you know, very, very Greenfield in their IT are going to struggle with this, but even to a lesser degree. So let's take a identity above all that and, you know, let's use, let's create a data plane for identity that artificial intelligence could work on top of to give CISOs visibility, to train models that, you know, agents will be able to eventually see the vulnerabilities and to perform the actions that we need to, you know, take people away who don't work there anymore, to find highly privileged people who have access to the wrong systems and to, to take that away. Essentially, the learning is that humans are not going to keep up with this at scale, and therefore we also need to use AI to do this. And lastly, with agents, we saw that there's a great possibility of them to not have an identity that would allow us to track what they do and to control them, and that we need to put that kind of identity foundation or root of trust into agents so that we'll have the same kind of security capabilities that we've had for computers and information and, you know, all the systems that we know and love today. As we get these in the future.

David Moulton (13:45)

I want to shift gears a little bit and talk to you about identity as a starting point. You know, A lot of teams, they talk about securing AI by hardening models or putting up more guardrails. Why do you argue that we, we must solve identity before anything else when deploying AI agents?

Carrie Fred (14:07)

So, so two thoughts. We definitely need to continue our security work on generative AI. So there's still lots to be done on LLMs to make sure that they're, you know, as good or as ethical or integral as possible and can't be sort of conned into performing evil tasks. So there's a lot of work that needs to continue in that space. But the idea with agents and identity specifically is that this agent is spun up and it'll be given agency, so it'll be asked to go off and perform a bunch of actions. It might spawn sub agents and it's going to do a bunch of things. And later on, if those bunch of things are determined to be a violation of the security policy or a data breach or something like that, we want to have logs, we want to have telemetry, we want to know what was happening and the way that these agents access systems today. There are sort of two choices. You can assign it a separate identity, like a non human identity, so we can create an account called Agent 1 and Agent 1 will log into our systems and leave an audit trail under Agent 1. Or the other thing that organizations are doing is using the human identity. So we'll say we're going to assign this agent to Carrie. And then this agent is logging into things and it says Carrie did these things. Either way, if these agents aren't attached to anything, right, then they're going to go off and do things either as you. And then how are we going to know the difference between what Carrie the human was doing or what Carrie's agent was doing? Because when my security team comes to interview you, you're going to say, well no, that wasn't me, that was the agent. And then how are we going to know the source of truth? And if it's this non human identity, then like what does Agent one tie back to? Because it was just this ephemeral thing that existed for a period of time, we'll have lost what like the activity log around what that agent actually did. So identity and Agents is not just about saying, does it have this ID that you give it, which is a unique ID that differentiates it from everything else. It's also about its cryptographic root of trust and its authentication, so that it's forced to go through the same checks and balances that we do in our own organizations. There's a reason that we have zero trust. And if you're going to have a zero trust model for agentic AI, it means that these agents will have to prove that they are the legitimate agent with the legitimate identity and access that has been prescribed to it and it's going and doing all these things. The problem is the identity systems that we have today, or at least a year and a half ago, they have no capability to do this. So you can't go into Active Directory and say I would like the console where I put in my agents and my non human identities. Active Directory doesn't understand the context of AI, nor do our IDPs, right? So the entras and the oktas and pings and the other things that are out there, they don't understand this either. So the good news is that we have started to see this capability get built into products like Cyberark and other products in the identity ecosystem. Because I think the industry has heard us and said, yes, we get it, we have to start building this identity management capability for agents. So that's good that we can get sort of these greenfield tools. But these agents are going to work in these large, complex, interdependent enterprise constructs that we have and there's going to be a lot of those systems that don't understand that context. So what this is about is ensuring that we can bridge this agentic AI world with the identity world so that we have that integrity and non repudiation going forward.

David Moulton (18:26)

So a quick follow up here. Are there early indicators that tell you that an organization's identity foundation can't support agentic AI at scale?

Carrie Fred (18:38)

Yeah, yes, absolutely. So if you consult the maturity model that we developed in the sign that guidance, there's actually several categories where you can assess your ability to understand your non human identity landscape. And it's not dissimilar from the NEST framework for cybersecurity in the sense that the kinds of things that you assess yourself against the controls or the capabilities that you have are things like inventories, are things like policies and standards, and are things like capabilities and technology and tool sets. So if your organization that's responsible for managing identity and security is not aware that it has created hundreds or thousands of AI agents, then that's going to be a problem. Right? Because you can't protect what you can't see. So if you don't have an inventory or you know something around that, if you don't have governance, right, if you haven't set up what your rules are going to be what your policies are going to be. And developers are just deciding on their own whatever they think is the most optimal and efficient idea to implement the functionality that they've been asked to implement. You know, they might get it right or they might not, but you need to have that governance. And then finally we know a lot of the tooling doesn't have functionality that's specifically designed for this. So either organizations are going to hack it or force fit it in retroactively into overlays, or they're not going to build it at all. And so you can go look at those three things right away and you can find out, okay, we're often doing this and we have no governance rules, process technology. Right. Or you can see that you have, you have some of the artifacts of that. And I worked with a lot of organizations, so I've talked to companies that are building AI agents. You can see where they are in their thinking. They're not that far along. You can talk to enterprises who are doing this. Telus is an enterprise that's doing this. We know where we are, we've done the maturity model, we have work to do to get to the place we want to go. And then I'm going to postulate that 95% of organizations haven't even thought about it. So I think that's just the state of agentic AI and identity.

David Moulton (20:53)

All right, I want to talk about AI native identity fabric. Can you paint a picture of that? AI native identity fabric. What must exist for identity to act as that core trust layer across the human and non human and AI identities?

Carrie Fred (21:13)

Yeah, so if you look at identity systems that we know of today, so your active directories, your LDAPs, your IDPs, multiple different systems, they all have their own sources of information unless you put in a lot of complicated synchronization and automation. Right. And that's really the only way these things work. And I'll go back again to source of truth. Because we have our HR systems, our workdays, our SAPs, we have our finance systems. So all these things have data about, about people and non human identities and contingent labor. So how do we come along to the idea of, you know, an AI fabric for identity? And it's using the same principles. Right. So there's data in all these layers that we can take and we can abstract to level up. So instead of thinking about it as an east west flow, let's think about it as a north south flow in the sense that these data identity data repositories and tools are south. And we want to take all the data up into a single control plane. So you take the data from your HRIS system from your workday about people, you take your data from your contingent labor pool of contractors and third parties, you take your data from your IT system identity repositories. And then if you have an IGA tool doing identity governance and authorization, then there's going to be information there about roles and systems and who has access to what. So if you bring this all up and put it in a conventional data warehouse or data lake, then we can train models that run on that, that can understand what the big picture looks like. And so we're very bullish on that kind of model because it's the only thing that can scale, right? So today it takes humans to run those systems. Someone's got to onboard people into workday, right? We recruit someone, we verify their identity. I hope we put them in the system, we start paying them, then it takes it. They create their accounts, they get their laptop, all those things. What we're trying to do is we're trying to get to a place where all that can happen, but where we have agents that can automate a lot of those functions. We want to have this little monitoring kind of function on top of what those agents are doing further down in the system privilege layer. So the data, the complicated systems, the actions that AI is taking, and that's what we. So when we talk about AI native, that's really the place where we can get to is it's a place where AI is running the identity just as much as AI is running everything else. And that sort of lays out the path of how we can get there. I wouldn't say that that's a roadmap. I'd say it's a vision, it's an idea that a bunch of us have about how that can take shape. But given the power of the tools that we have, cloud, data, AI, that's how we think we can use these tools essentially for good, to combat the cyber threat actors that are out there which will try to do the opposite against us.

David Moulton (24:28)

So a quick recommendation for CISOs who are looking at that fragmented IAM environment and how do you advise them to move forward? So this like unified identity and access system that you're talking about.

Carrie Fred (24:42)

So first I would say use the maturity model in the signet guide and baseline where you are as an organization, because it might tell you you have some things to do before you worry about AI. And it's going to be different for every company, but it will really give you a sense of, across numerous different categories, are we a one or a five? And it is sort of a self assessment with easily identified criteria that says if our place looks like this, then we're a three or we're a four or what have you. And I think on the basis of that, then you can decide, or there are some fundamental things that we need to, we need to clean up. But you can baseline your system's capabilities against that. If you are starting from the place of a cloud native idp, then I think you can pretty easily talk to the vendor community about what's in the roadmap coming for this type of thing. But the game in that vendor space is connectors, right? So it is who has a connector from everything from the right side, from the HRIs and then into the, you know, the directories and then into the authentication systems, who's got the connectors that can suck up all the data from those and then give that capability directly to the CISO and to the SOC to say, now you have the visibility, now you can see what's going on. Now you can perform actions at scale. The next step is we've got to go from the data to the actual act of defense, if I can call it that, right? So from the passive monitoring to the capability to say, revoke that privilege, delete that user offboard that person, I think that's the next step. So, like, people should understand that. I don't think those tool sets are, are there today, but that's the vision of where we want to go. And then once that capability is built in, then we can train the agents to do that on our behalf. When they're following rules or guidelines or seeing things that, you know, they go, okay, like, that person isn't working here anymore, but I see them accessing stuff, I'm going to terminate them right now. I can't tell you how many times in our own SOC we see a compromised identity and then we have to go to the very front end of that system, cut off their birthright access, and then wait for all that information to synchronize all along the path and hope that we have applications that are connected to that, that don't then have their own accounts for that person or that access mechanism is cut off. That's what we want to be able to do at machine speed. In the, in the AI world, when.

David Moulton (27:17)

Agents act on behalf of people or even on behalf of other agents, what delegated authority should be included to be safe and to be Auditable.

Carrie Fred (27:28)

I love that you're assuming there's going to be delegated authority. I mean, so that's, so that's the first part of your premise, right? I, that would be great if there's delegated authority in the sense that, you know, if we think about say how Gmail or Outlook works today, I can go to my EA's identity and I can say my EA can read my inbox and, or they can send emails on my behalf and, or they can make calendar appointments. Right? We both remember when those were capabilities that these systems did not have. And a lot of these systems, like especially in a worker or corporate context, still don't have all those delegated authorities. And so if we move that construct into the consumer world that really doesn't exist, right. I can't go into my consumer Gmail easily and say, you know, go to my, go to my partner or one of my children and say, you know, you can have these delegated authorities over my inbox. So number one, I think we sort of need to understand that that construct needs to be there. If I think about my online banking, there is no delegated authority, right? There is only the capability to sort of give someone access to my account. And if we think about how our big corporations work, you know, you have to call the call center and say so and so is able to operate on my behalf. And maybe you have a shared secret like a PIN or a common answer to a question or something and that's the way that it works. So yeah, so number one, we have to have delegated authorities. And then what I would say to the people who are building this new world is just do the test in your own head. To say would I be comfortable with whatever fingers on the button to say I would trust someone else to do that on my behalf. If I think about a wire transfer in my bank account, I might be willing to let an agent read invoices from contractors and suppliers that come into my inbox. Like say my landscaper who says I mowed the lawn, it's $89. I might be comfortable with the agent automatically paying that doing an online banking transfer, but I might like to have a threshold or a limit, right? Like anything over $250. I'd like the human in the loop. And so what we're really talking about is role based access control, fine grained privileges, really common concepts from the world of cybersecurity, but that are typically the exception rather than the rule. And so I think if we see platforms thinking about building those in and thinking about what the critical functions are. Deleting an email, sending a wire transfer, buying something. There are already AI agents today that you can ask to go on different commerce platforms and automatically buy things for you or even automatically buying stocks. If the stock hits a certain level, buy a thousand for me. So all of that thing is going to be really key. The delegated authority, the fine grained access model and the human and the loop. And I really hope that as consumers and as enterprises, we prioritize the platforms who are going to give us the control rather than saying we have this agent and you either give it 100% agency over everything or you get no capability at all. I think that would be really unfortunate.

David Moulton (30:49)

I think that you and I could spend another hour talking about this because it is the intersection of security and I think design to get this right so that especially at that consumer level that you've built something that people want to use and don't just throw up their hands and go, yeah, just turn it all on. I'm fine with it. Without having really thought about the impact of a decision like that. Before we wrap up. When you think about the future of identity and AI, what excites you the most and what keeps you up at night?

Carrie Fred (31:25)

The thing that excites me the most is actually the scary opportunity that I think AI has presented for identity. Because back to your point about it being the third rail. These problems existed before and when you went to talk to people about it, they would just go like, oh my God, like I'm not, you know, that's a toxic pile of my career is over if I go and try and solve that problem. But I think now we're coming to understand that we don't have a choice. So there is, at least for the moment, some urgency. There's interest in the investment community. CISOs everywhere are saying this is the priority. And so I think when all those things happen, good things will come from end. And I like what I'm hearing from the leaders in the industry, the anthropics and the Googles and many other companies that I won't name. But I think they're hearing the message. I'm starting to see them come out with things that says yes, we understand the gravity of this, we're working on fixing it. It. The part that I'm concerned about is that we will go too fast and deploy too many things and be in that race to win the market. That's how it always goes. And so I don't know who's going to win in the agentic AI space. Yet it's far too premature. If going back to the beginning of our podcast, I think about who the dominant players were when I was rolling out Mosaic and Netscape in the late 1990s. A lot of things changed, but you could see, you could see that same problem about to happen. But you know, by the time SQL injection attacks became a thing, that was really like 15 to 20 years later. So we have the opportunity to lay some groundwork so that that doesn't happen to us in the future. We won't get it perfect, we won't get it 100%. We all have to accept that. But I think there was a worst case scenario which, which we know that we can avoid if we're all smart and mindful about this.

David Moulton (33:18)

Carrie Frey, thank you for an awesome conversation today. I'd love to have you back on and keep digging into this because I think this is a story and a conversation that will continue to rapidly develop and frankly I think it's going to change quite a bit as we figure out what works and what doesn't. As agents become more and more common, I'm hoping that our listeners will go out and read your paper and the work that you and the the working group did again. We'll have that link there in our show notes so that it's easy to get to. And thank you. Appreciate the conversation today.

Carrie Fred (33:55)

Thank you. I would be happy to return to talk about identity at any time or any other subject for that matter. But it is my favorite awesome.

David Moulton (34:02)

Maybe next time down here in Texas when it's warm and we'll send you send you home with some barbecue tips.

Carrie Fred (34:08)

That would be perfect. Yes.

David Moulton (34:17)

That's it for today. If you like what you heard, please subscribe wherever you listen and leave us a review on Apple Podcast or Spotify. Your reviews and feedback really do help me understand what you want to hear about. Or you can contact me directly about the show. Email me@threatvectoraloalto networks.com I want to thank our executive producer Michael Heller, our content and production teams, which include Kenny Miller, Joe Benecourt and Virginia Tran. Original music and mix by Elliot Peltzman. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now.

Carrie Fred (35:06)

Sa.