Identity at the Center

Identity at the Center

Identity at the Center is a weekly podcast all about identity security in the context of identity and access management (IAM). With decades of real-world IAM experience, hosts Jim McDonald and Jeff Steadman bring you conversations with news, topics, and guests from the identity management industry. Do you know who has access to what?

  1. 1D AGO

    #407 - Sponsor Spotlight - Rubrik

    This episode features Drew Russell, Identity Resilience Platform Owner at Rubrik. Jim McDonald and Jeff Steadman explore the intersection of backup, recovery, and identity security. Drew explains how Rubrik evolved from data backup into a cyber resilience platform with identity as a core pillar. Topics include recovering Active Directory, Okta, and Entra ID after ransomware, Rubrik's "bunker in a box" appliance for immutable air-gapped recovery, proactive posture management, CrowdStrike and Defender integrations, and where AI and non-human identities fit into Rubrik's roadmap. The episode wraps with measuring success for a product you hope to never use, and a detour into watch collecting. This episode was made possible by the support of Rubrik. Learn more at rubrik.com/idac Connect with Drew: https://www.linkedin.com/in/drew-russell-3762411b/ Learn more about Rubrik: https://www.rubrik.com/idac Connect with us on LinkedIn: Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/ Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/ Visit the show on the web at idacpodcast.com TIMESTAMPS 00:00:00 - Welcome and Introduction 00:01:19 - Introducing Drew Russell 00:01:36 - How Drew Got Into Identity 00:02:43 - What Is Rubrik and What Sets It Apart 00:03:38 - From Backup to Cyber Resilience 00:05:31 - Where Rubrik Fits in the IAM Landscape 00:07:08 - Rubrik's Scale: Clients and Growth 00:07:51 - Primary Use Cases: Post-Incident Recovery and AD 00:09:09 - Kicking Out Compromised Accounts and ADR 00:10:11 - Proactive Threat Detection and Mandiant Integration 00:11:28 - Scanning Backups to Find the Clean Recovery Point 00:12:14 - The Bunker in a Box Explained 00:13:18 - Posture Management and Upstream Tool Integration 00:14:19 - AI Agent Swarms and the Future Attack Surface 00:15:37 - The Taiwan Bank Case Study: Six Weeks to Rebuild AD 00:17:16 - The State of Nevada Incident: $400K and 30 Days 00:17:56 - What Recovery Covers: AD, Okta, and Entra ID 00:19:26 - Post-Restore Change Management and Whitelisting 00:20:08 - How Long Should You Store Backups? 00:21:19 - Indexing Identity for Intelligent Recovery Points 00:22:29 - Excluding Malicious Actions During Restore 00:24:41 - Zero Trust for Rubrik's Own Backups 00:26:21 - No Windows, No Virtualization Architecture 00:27:49 - Proactive Posture Management 00:29:00 - CrowdStrike and Defender Real-Time Integration 00:30:48 - Why Tabletop Exercises Often Fall Short 00:31:53 - AI Roadmap and Non-Human Identities 00:34:22 - The Three Pillars: Data, Identity, and AI 00:35:29 - Deployment: SaaS vs. On-Prem 00:38:37 - Appliance Sizing and Redundancy 00:42:23 - Measuring Success for a Product You Hope to Never Use 00:43:46 - The Ludacris Rubrik Commercial 00:45:31 - Watch Collecting and the Omega Speedmaster 00:53:39 - Drew's Closing Words KEYWORDS Identity at the Center, IDAC, Jeff Steadman, Jim McDonald, Rubrik, Drew Russell, identity resilience, cyber resilience, Active Directory recovery, AD backup, Okta recovery, Entra ID recovery, identity backup, ITDR, ISPM, non-human identity, NHI, agentic AI, ransomware recovery, bunker in a box, immutable backup, CrowdStrike integration, Microsoft Defender integration, Mandiant integration, identity disaster recovery, ADR, zero trust, tabletop exercises, posture management, IAM, identity security podcast, cybersecurity podcast

    55 min

  2. 3D AGO

    #406 - IDAC MailBag for February 2026

    In this MailBag episode, Jeff Steadman and Jim McDonald tackle eight questions submitted by listeners from around the world, including Munich, Sao Paulo, Singapore, Toronto, Hanoi, London, Sydney, and Chicago. The conversation covers governing AI and non-human identities, practical first steps toward passwordless adoption, what a mature IAM program actually looks like, who should own identity within an organization, building credibility with leadership as a new IAM practitioner, enforcing least privilege in practice, rethinking access reviews beyond checkbox compliance, and how to make the business case for identity security investment before a breach occurs. The episode wraps up with some lighter listener questions about sports analogies for IAM roles and whether anyone in their personal lives actually understands what they do for a living. Connect with us on LinkedIn: Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/ Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/ Visit the show on the web at http://idacpodcast.com TIMESTAMPS 00:00 - Introduction and RSA Conference debate 03:41 - Conference plans for 2026: EIC, Identiverse, and Authenticate 05:17 - MailBag intro and how questions get selected 06:51 - Q1 (Hans, Munich): Governing AI access vs. human access — same principles or a different approach? 12:32 - Q2 (Gabriela, Sao Paulo): Realistic first steps toward passwordless without disrupting everything 18:34 - Q3 (Wei, Singapore): What does a mature identity program actually look like? 30:26 - Q4 (Marcus, Toronto): When IT and security both claim to own identity, how do you sort it out? 39:33 - Q5 (Linh, Hanoi): Building credibility and influence as someone new to the IAM space 42:53 - Q6 (Claire, London): Enforcing least privilege in practice without slowing down the business 46:14 - Q7 (James, Sydney): Are access reviews just a checkbox exercise, and is there a better way? 49:18 - Q8 (Darnell, Chicago): Making the case to a CFO or CEO for identity security investment before a breach 52:38 - Lighter note: If IAM was a sport, what position would you play? 1:00:27 - Lighter note: Does your family actually understand what you do? 1:03:06 - Wrap-up and how to submit future questions KEYWORDS IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, IAM, identity and access management, MailBag, non-human identity, AI governance, agentic AI, passwordless, passkeys, IAM program maturity, identity ownership, RACI, least privilege, zero standing privilege, access reviews, security theater, identity security budget, business case for IAM, ISPM, IGA, IDPro, Identiverse, EIC, Authenticate conference, RSA conference, cybersecurity podcast, identity security, identity community

    1h 4m

  3. MAR 2

    #405 - RSM 2026 Attack Vectors Report

    Jeff and Jim sit down with David Llorens, principal at RSM, to break down the RSM 2026 Attack Vectors Report. Drawing from real-world offensive security engagements, David explains why identity continues to be the primary attack surface, how AI chatbots are creating new vulnerabilities through prompt injection, and what separates organizations that get breached from those that don't. The conversation covers MFA gaps, the explosion of non-human identities, why PAM is the top investment priority for 2026, and how CISOs can align security spending with business objectives. Plus, the episode wraps up with soccer stories and some quality trash talk. Connect with David: https://www.linkedin.com/in/david-llorens-009a3310/ Review RSM’s 2026 Attack Vectors Report: https://rsmus.com/insights/services/risk-fraud-cybersecurity/rsm-attack-vector-report.html Connect with us on LinkedIn: Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/ Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/ Visit the show on the web at http://idacpodcast.com TIMESTAMPS0:00 - Intro and Jim's big personal news4:51 - Main topic intro: RSM 2026 Attack Vectors Report5:55 - David's origin story and how he got into cybersecurity9:53 - What a principal is at RSM and David's current role11:16 - What the Attack Vectors Report is and how it is created14:40 - Why identity security is a dominant theme in this year's report17:19 - What separates organizations that get breached from those that don't18:18 - MFA as the first line of defense18:45 - Privileged access management as a growing priority19:40 - Detecting lateral movement through identity anomalies21:00 - Credential rotation as an advanced defensive technique22:26 - Non-human identities and service account risks24:37 - Middle market challenges and budget constraints25:17 - Is it the size of the budget or how you spend it?28:29 - Using internal audit and cross-department collaboration for security wins30:15 - Cybersecurity as a business enabler, not a deterrent32:45 - Non-human identities and agentic AI creating new attack surfaces35:51 - Prompt injection attacks and AI chatbot vulnerabilities39:42 - Actionable recommendations for practitioners42:41 - MFA implementation gaps and session hijacking45:02 - The case for FIDO2 and layered conditional access46:35 - Is identity security a board-level issue?49:47 - Three things CISOs should focus on through 202650:52 - PAM as the top investment priority51:28 - Removing unnecessary privileges from users56:11 - Redefining what privilege means in your organization57:43 - Social media accounts as privileged access58:42 - Credentials stored in SharePoint and OneDrive59:38 - Wrap up and where to find the report59:58 - Lighter topic: David's soccer background and playing semi-pro1:05:06 - Best trash talk stories1:07:03 - Jim's trash talk philosophy: scoreboard1:08:00 - Jeff's basketball trash talk and calling his shots1:10:00 - Final thoughts and sign off KEYWORDSIDAC, Identity at the Center, Jeff Steadman, Jim McDonald, David Llorens, RSM, attack vectors report, offensive security, penetration testing, identity security, MFA, multifactor authentication, privileged access management, PAM, non-human identities, service accounts, agentic AI, AI security, prompt injection, lateral movement, credential rotation, FIDO2, conditional access, session hijacking, middle market, CISO, board-level security, certificate-based authentication, active directory, configuration management, shadow AI

    1h 11m

  4. FEB 25

    #404 - Sponsor Spotlight - Bravura Security

    This episode is sponsored by Bravura Security. Learn more at bravurasecurity.com/idac. This is a Sponsor Spotlight episode of the Identity at the Center podcast. Jim McDonald and Jeff Steadman are joined by Bart Allan, General Manager at Bravura Security, to discuss why enterprise password management remains a critical piece of identity security even as organizations pursue passwordless strategies. Bart shares Bravura's history dating back to 1992, starting with self-service password reset and evolving into a full identity security platform spanning identity management, privileged access management, and enterprise password management. The conversation digs into the uncomfortable truth that while organizations may get 80% of their applications onto modern authentication, the remaining 20% still rely on passwords, creating real security risk. Bart explains how treating enterprise passwords the way organizations treat privileged credentials, with automated rotation and centralized management, can remove the human element from password creation and reduce exposure to breaches and social engineering. The group also discusses help desk social engineering attacks, breach recovery challenges, deployment strategies for rolling out an enterprise password manager, and the emerging role of password managers as passkey managers for portability. The episode wraps with some outdoor adventure stories from Bart and Jim. Connect with Bart: https://www.linkedin.com/in/bartholomewallan/ Connect with us on LinkedIn: Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/ Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/ Visit the show on the web at idacpodcast.com TIMESTAMPS00:00 - Introduction and welcome01:00 - Sponsor Spotlight overview and Bravura Security introduction01:52 - Bart Allan's background in identity03:30 - History of Bravura Security from 1992 to today05:39 - How the Bravura name came to be07:00 - What makes Bravura unique in the identity market08:33 - Why password management still matters09:58 - The uncomfortable truth about passwords and the 80/20 problem13:00 - Personal vs enterprise password managers16:00 - The last mile to passwordless and legacy systems19:00 - Why storing passwords is not enough without active management22:00 - Help desk social engineering and the human element25:00 - Breach response and the fog of war31:00 - Scattered spider scenarios and credential reset at scale35:00 - Is a password manager the only viable option for the final 20%?38:00 - The future of password managers as passkey managers40:00 - Tips for deploying an enterprise password manager42:45 - Measuring success with an enterprise password manager45:17 - Lighter side of the conversation begins46:00 - Bart's backcountry skiing avalanche story from Rogers Pass50:30 - Jim's lightning storm story from backpacking in Yosemite52:53 - Final thoughts from Bart on the passwordless journey54:00 - Wrap up and outro KEYWORDSIDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Bravura Security, Bart Allan, password management, enterprise password manager, passwordless, passkeys, privileged access management, identity security, help desk social engineering, breach recovery, credential rotation, self-service password reset, identity verification, IAM operations, shadow IT, FIDO, sponsor spotlight, password vault, legacy systems

    55 min

  5. FEB 23

    #403 - Strategic Identity Security with Simon Moffatt

    Simon Moffatt, founder and analyst at The Cyber Hut and co-host of The Analyst Brief podcast, returns to Identity at the Center for a wide-ranging conversation about the strategic evolution of identity security. Simon shares an update on his second book, IAM at 2035, which explores where identity is heading over the next decade. The discussion covers why identity has shifted from a back office function to a strategic business enabler, driven by the convergence of cloud, zero trust, and expanding digital ecosystems.Jim and Jeff dig into how organizations can measure their identity security posture, and Simon introduces his Identity Security Scorecard, a framework of 50-plus data points covering visibility, protection, detection, and response. The conversation shifts to the identity attack lifecycle, where Simon explains why organizations need to move beyond log-based forensics and toward real-time detection and response before attacks complete.The group also explores how non-identity data signals, like CAEP and shared signals frameworks, are critical to building a fuller picture of risk. The final segment tackles agentic AI and its implications for identity, including the argument that agentic identities may represent a third identity type distinct from both human and machine. Simon makes the case that AI adoption is outpacing identity and security innovation, creating a widening gap that the industry must address through governance, accountability, and new architectural patterns. Connect with Simon: https://www.linkedin.com/in/simonmoffatt/ The Analyst Brief Podcast: https://www.thecyberhut.com/podcast/ Connect with us on LinkedIn: Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/ Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/ Visit the show on the web at http://idacpodcast.com Timestamps00:00 Introduction and conference discount codes02:29 Simon Moffatt returns to the show03:58 Update on the IAM at 2035 book07:25 The Analyst Brief podcast and covering identity trends08:44 Identity shifts from back office to strategic priority11:47 The compliance trap and reactionary identity management14:25 Customer identity transparency influencing workforce identity16:52 Defining identity security across 80-plus vendors20:11 Products alone do not solve identity security21:14 Thinking like an attacker about identity flows23:23 Red flags in an organization's identity posture25:43 The identity security scorecard and measuring risk29:27 Avoiding FUD when presenting identity risk to the board32:34 The identity attack lifecycle explained36:53 Building the mindset for real-time detection and response37:41 CAEP, shared signals, and non-identity data sources40:10 Identity as a 24/7 security operations function43:24 Agentic AI drops like a nuclear explosion on identity46:49 The widening gap between AI adoption and identity security47:51 Is agentic identity a third identity type?50:47 What needs to change to address the agentic identity explosion53:24 Will AI shake the core of enterprise IT?57:24 AI may be the only thing that can secure AI58:04 Travel tips for EIC Berlin and European conferences01:02:45 Wrapping up Keywordsidentity security, identity attack lifecycle, identity attack paths, agentic AI, agentic identity, non-human identity, NHI, identity security scorecard, zero trust, CAEP, shared signals framework, identity governance, identity strategy, IAM, identity posture, Simon Moffatt, The Cyber Hut, The Analyst Brief, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald

    1h 4m

  6. FEB 16

    #402 - An Update on SSF and CAEP with Atul Tulshibagwale

    In this episode of Identity at the Center, hosts Jeff and Jim dive into the details of the Shared Signals Framework (SSF) and Continuous Access Evaluation Profile (CAEP), with special guest Atul Tulshibagwale, the CTO of Signal. The trio discusses the complexities and applications of these identity security standards, recent adoption by major tech companies, and how they are transforming the approach towards identity and access management. Atul also shares exciting news about Signal's impending acquisition by CrowdStrike and reflects on a recent safari trip in Kenya. Tune in to learn about the evolution of identity security and the future of SSF and CAEP. Connect with Atul: https://www.linkedin.com/in/tulshi/ Learn more about the Artificial Intelligence Identity Management Community Group: https://openid.net/cg/artificial-intelligence-identity-management-community-group/ Learn more about SSF and CAEP: https://openid.net/how-authzen-and-shared-signals-caep-complement-each-other/https://sgnl.ai/whitepaper/caep-best-practices/https://caep.dev/https://youtu.be/qakOw0g2mZ8?si=p8z9imn7x-HhLdcVhttps://www.youtube.com/live/e64YiAmGmf4?si=QPKDg2Jm9oSZmbhZhttp://sharedsignals.guide/ Connect with us on LinkedIn: Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/ Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/ Visit the show on the web at http://idacpodcast.com Timestamps: 00:00 Introduction and Episode Milestone 00:17 Challenges with Installing Molt Bot 02:32 MoltBook and AI Agents 03:21 Jim's Perspective on AI Assistants 09:24 Conferences and Networking 10:10 Introduction to Shared Signals and CAEP 13:03 CrowdStrike Acquisition of Signal 14:03 AI Identity Management Community 16:59 Shared Signals Framework and CAEP Explained 30:03 Final Version of CAEP and Shared Signals Released 30:35 Adoption by Major Technology Providers 32:49 Benefits of Implementing Shared Signals 36:32 Future of SSF and CAEP 40:51 Certification Program for Shared Signals 52:48 Real-World Safari Adventure 01:00:34 Conclusion and Final Thoughts Keywords: IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Atul Tulshibagwale, Shared Signals Framework, SSF, CAEP, Continuous Access Evaluation Profile, OpenID Foundation, CrowdStrike, SGNL AI Identity, Agentic Identity, AuthZEN, Risk, Identity Security, IAM, Podcast

    1h 2m

  7. FEB 11

    #401 - Sponsor Spotlight - PlainID

    This episode is sponsored by PlainID. Visit plainid.com/idac to learn more. In this sponsored episode, Jim McDonald and Jeff Steadman talk with Gal Helemski, CTO and co-founder of PlainID, about the evolving landscape of authorization. The conversation covers the transition from traditional roles and attributes to a modern policy-based access control (PBAC) approach. Gal explains how PlainID helps organizations centralize authorization logic, improve security posture, and simplify the management of access across complex hybrid and multi-cloud environments. The discussion also touches on the importance of visibility into who has access to what and the role of standards like Cedar and Rego in the future of authorization. Connect with Gal: https://www.linkedin.com/in/gal-helemski-b9542231/Learn more about PlainID: plainid.com/idac Connect with us on LinkedIn: Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/ Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/ Visit the show on the web at idacpodcast.com Timestamps: 00:00 Introduction to the Sponsor Spotlight 02:15 Meet Gal Helemski from PlainID 05:30 The shift from RBAC to PBAC 10:45 Challenges with traditional authorization methods 15:20 How PlainID centralizes authorization logic 22:10 Integrating with existing identity providers 28:45 The role of visibility and auditing in authorization 35:30 Discussion on authorization standards: Cedar and Rego 42:15 Future trends in identity and access management 50:00 Final thoughts and where to learn more Keywords: IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, PlainID, Authorization, Policy-Based Access Control, PBAC, RBAC, Cybersecurity, IAM, Access Management, Gal Helemski, Identity Security

    52 min

  8. FEB 9

    #400 - Celebrating 400 episodes of IDAC

    In this milestone episode of Identity at the Center, Jeff and Jim celebrate 400 episodes and reflect on their journey over the past six and a half years. They discuss the podcast’s evolution, from its early days focusing on strategy and framework to recent themes like cloud identity, governance, and AI-driven technologies. Jim shares his New Year's resolution of writing a book about identity, blending practitioner stories with educational elements, and utilizing AI tools. The duo also highlights significant trends in identity and access management, including frictionless authentication and privilege access management. They look forward to the future of identity within an AI-driven landscape, urging listeners to adapt to technological advancements. Tune in for insights, reflections, and their plans for continuing to grow the podcast. Connect with us on LinkedIn: Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/ Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/ Visit the show on the web at http://idacpodcast.com Timestamps 00:00 Welcome and Milestone Celebration00:44 Reflecting on the Podcast Journey01:27 Jim's New Year's Resolution: Writing a Book05:16 Using AI in the Writing Process09:34 Podcast Growth and Listener Support13:08 Remembering Luis Almeida16:59 Conference Highlights and Discount Codes19:05 Lessons Learned from Podcasting29:01 The Evolution of the Podcast36:01 Pandemic Disruptions and Podcast Challenges36:30 Funny Moments and Swearing on the Show37:24 Identity Management Trends in 202039:20 Cloud Identity and Certifications in 202141:54 Governance and Compliance in 202244:23 Security Convergence and Milestones in 202351:07 Privilege Access Management in 202455:15 Frictionless Authentication in 202558:20 AI and the Future of Identity in 202601:09:00 Reflections and Gratitude Keywords: IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, IAM, podcast, cybersecurity, digital identity, AI, agentic identity, PAM, IGA, cloud security, passkeys, professional development, IDPro, identity governance

    1h 12m
See All (407)

4.9
out of 5
40 Ratings

About

Identity at the Center is a weekly podcast all about identity security in the context of identity and access management (IAM). With decades of real-world IAM experience, hosts Jim McDonald and Jeff Steadman bring you conversations with news, topics, and guests from the identity management industry. Do you know who has access to what?

Information

  • Creator
    Identity at the Center
  • Years Active
    2019 - 2026
  • Episodes
    407
  • Rating
    Clean
  • Copyright
    © 771327
  • Show Website
    Identity at the Center

You Might Also Like