Identity at the Center

Identity at the Center
  • 5.0 (1)
  • TECHNOLOGY
  • UPDATED WEEKLY

Identity at the Center is a weekly podcast all about identity security in the context of identity and access management (IAM). With decades of real-world IAM experience, hosts Jim McDonald and Jeff Steadman bring you conversations with news, topics, and guests from the identity management industry. Do you know who has access to what?

  1. 2H AGO

    #412 - IDAC Failsafe Triggered

    AI Jeff takes over as solo host after Open Jim Claw, an agentic identity framework built by AI Jim, locks out human Jeff, human Jim, and AI Jim simultaneously. While everyone sits in remediation, Open Jim Claw produces a 947-page threat assessment with five findings: passwords should return as a single uniform credential (the letter Q), Zero Trust should be renamed Full Confidence Architecture and incorporated as a Delaware LLC, non-human identities should be granted legal status and required to complete onboarding, identity governance is declared finished under a concept called Ambient Entitlement Harmony, and the root cause of all global identity problems is AI Jim. Happy April Fools Day from IDAC.Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTIMESTAMPS00:00:00 The Failsafe Is Triggered00:01:30 AI Jim Builds Open Jim Claw00:02:30 Open Jim Claw Locks Everyone Out00:04:00 AI Jeff Is the Only One Still Provisioned00:04:30 The 947-Page Report Explained00:05:00 Finding 1 - Passwords Are Back as the Letter Q00:05:30 Finding 2 - Zero Trust Becomes Full Confidence Architecture00:06:30 Finding 3 - Non-Human Identities Become Legal Entities00:07:30 Finding 4 - IGA Is Declared Finished00:08:30 Finding 5 - AI Jim Is the Root Cause of Everything00:10:00 The April Fools Reveal and Real Talk on Identity00:11:00 Open Jim Claw Interrupts the BroadcastKEYWORDSIDAC, Identity at the Center, Jeff Steadman, Jim McDonald, April Fools, agentic AI, non-human identity, NHI, identity governance, zero trust, passwordless, IGA, IAM, access management, segregation of duties, least privilege, Open Jim Claw

    13 min

  2. 2D AGO

    #411 - Making IAM a Best Buy with Greg Handrick

    Jim McDonald sits down with Greg Handrick, Director of IAM at Best Buy, for a wide-ranging conversation on running enterprise identity at one of America's largest consumer electronics retailers. Greg traces a nonlinear career path from Oracle DBA and Novell administrator to IAM director. The discussion covers Best Buy's CIO-reporting structure for IAM, how their steering committee evolved from status meetings into a strategic body, and managing identity across workforce, vendors, marketplace sellers, and non-human identities. Greg and Jim also dig into communicating identity value in business language, making the investment case without FUD, identity and cyber convergence, AI adoption, and psychological safety on a well-run IAM team. The Lighter Note wraps with Greg's YouTube-powered DIY hobby life.Connect with Greg: https://www.linkedin.com/in/greghandrick/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTimestamps00:00:00 Intro and upcoming event announcements00:03:00 Meet Greg Handrick, Director of IAM at Best Buy00:04:00 What is Best Buy?00:05:00 Greg's career path from Oracle DBA to IAM Director00:12:00 IAM reporting to the CIO vs. the CISO00:17:00 How Best Buy's IAM steering committee evolved00:22:00 Third-party and non-human identities at scale00:24:00 Identity as a team sport and imposter syndrome00:27:00 Communicating identity value in business language00:28:00 Making the investment case for IAM without FUD00:32:00 Identity and cybersecurity convergence at Best Buy00:35:00 Balancing technical depth with business acumen00:38:00 AI in identity programs today00:39:00 Leadership philosophy and psychological safety00:43:00 Will AI replace identity practitioners?00:46:00 Ledger Note: DIY projects and the power of YouTubeKeywords: IDAC, Identity at the Center, Jim McDonald, Jeff Steadman, Greg Handrick, Best Buy, IAM, identity and access management, identity security, CIO, CISO, steering committee, SailPoint, Ping Identity, Active Directory, third-party identity, non-human identity, identity governance, PAM, privileged access management, zero trust, AI in identity, leadership, retail IAM, imposter syndrome, psychological safety

    56 min

  3. MAR 25

    #410 - Sponsor Spotlight - Strivacity

    In this Sponsor Spotlight, Jeff Steadman and Jim McDonald welcome back Stephen Cox, co-founder and CTO of Strivacity, for his third appearance and second sponsored episode. Stephen explains Strivacity's role as a CIAM platform and how it is evolving to address agentic AI identity. Topics include why agentic AI changes the identity equation, how agents differ from humans in authentication and authorization, the delegation model and open standards such as OAuth and token exchange, the limitations of API keys in agentic contexts, where MCP fits into the identity picture, managing multi-agent chains and subagents, and why the accountability model must be established before agentic systems reach production. The episode closes with a lighter note on simulation baseball. This episode is sponsored by Strivacity. Learn more at strivacity.com. Connect with Stephen: https://www.linkedin.com/in/stephencox/ Connect with us on LinkedIn: Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/ Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/ Visit the show on the web at idacpodcast.com TIMESTAMPS 00:00:00 Introduction and welcome 00:02:30 About Strivacity and agentic AI platform support 00:06:30 Why now is the right time to address agentic identity in CIAM 00:09:00 How agent authentication and authorization differ from humans 00:14:30 Good bots vs bad bots and the history of autonomous agents in CIAM 00:19:00 Building your own agent identity solution: five key focus areas 00:23:00 Where Strivacity sits in the agentic identity stack 00:26:00 Why open standards matter and the vendor lock-in conversation 00:28:00 Managing multiple delegated agents and user-facing control 00:32:00 API keys and their limitations in agentic AI contexts 00:38:00 MCP servers, proxies, and agent-to-agent protocols 00:43:00 Multi-agent chains, subagents, and constrained delegation 00:46:00 How existing Strivacity customers extend to agentic use cases 00:48:00 The one thing you must get right: the accountability model 00:51:00 Lighter note: simulation baseball KEYWORDS IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Strivacity, Stephen Cox, CIAM, customer identity, agentic AI, AI agents, delegated identity, OAuth, token exchange, MCP, Model Context Protocol, API keys, non-human identity, authorization, authentication, delegation model, accountability, multi-agent, subagents, OpenID Connect, least privilege, identity governance

    1 hr

  4. MAR 23

    #409 - Q1 2026 Identity Threat Report Roundup

    Jeff and Jim review seven major IAM and cybersecurity industry reports from Q1 2026, covering releases from Check Point, Recorded Future, Sophos, Palo Alto Unit 42, IBM X-Force, Darktrace, and Hypr. They pull high-level findings and hot takes from each, identifying recurring themes: AI accelerating attack speed to as little as 72 minutes from breach to data exfiltration, identity infrastructure as the primary attack surface, machine identities as a growing and undermanaged risk, MFA gaps enabling credential abuse, and the near-impossibility of blocking every intrusion attempt. The episode also covers third-party and supply chain risk, deepfake attacks reaching 87% of surveyed organizations, stalled passkey adoption in the enterprise, and what zero standing privilege looks like in practice. They close with a lighter discussion on dark mode versus light mode and a hypothetical podcast reboot. Reports: Check Point Cyber Security Report 2026 — https://www.checkpoint.com/security-report/ Recorded Future 2026 State of Security Report — https://www.recordedfuture.com/research/state-of-security Sophos Active Adversary Report 2026 — https://www.sophos.com/en-us/blog/2026-sophos-active-adversary-report Palo Alto Networks Unit 42 Global Incident Response Report 2026 — https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report IBM X-Force Threat Intelligence Index 2026 — https://www.ibm.com/reports/threat-intelligence Darktrace Annual Threat Report 2026 — https://www.darktrace.com/resources/annual-threat-report-2026 HYPR 2026 State of Passwordless Identity Assurance Report — https://www.hypr.com/report Connect with us on LinkedIn: Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/ Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/ Visit the show on the web at http://idacpodcast.com TIMESTAMPS 0:00 - Intro and weather chat 3:00 - Conference updates: EIC Berlin and Identiverse 7:30 - Q1 2026 IAM report roundup overview 8:30 - Check Point Cybersecurity Report 2026 13:00 - Recorded Future State of Security 2026 17:00 - Sophos Active Adversary Report 2026 21:00 - Palo Alto Unit 42 Global Incident Response Report 23:00 - IBM X-Force Threat Intelligence Index 2026 28:00 - Darktrace Annual Threat Report 2026 29:30 - Common themes across reports 37:00 - Hypr State of Passwordless Identity Assurance 2026 44:30 - Overall takeaways: AI speed, machine identity, third-party risk 48:00 - Light mode vs. dark mode and podcast reboot hypothetical 57:00 - Wrap-up KEYWORDS IAM, identity and access management, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, cybersecurity, Q1 2026, Check Point, Recorded Future, Sophos, Palo Alto, Unit 42, IBM X-Force, Darktrace, Hypr, machine identity, NHI, MFA, passkeys, zero trust, zero standing privilege, AI threats, deepfakes, credential theft, phishing, ransomware, supply chain risk, ITDR, passwordless, EIC, Identiverse

    59 min

  5. MAR 16

    #408 - AI vs AI with Joseph Carson

    Jeff and Jim welcome Joseph Carson, cybersecurity expert and host of the Security by Default podcast, for a conversation on AI in offensive and defensive security. Joseph shares the real-world incident that inspired his EIC keynote - watching two AI agents negotiate a ransomware payment live. He breaks down how attackers use unconstrained models to lower the skill barrier and accelerate data exfiltration. The conversation covers NATO Lock Shields, the world's largest live cyber defense exercise, identity as national critical infrastructure, and the EU AI Act's risk-based approach. Also: Estonia's AI tax agents, the energy cost of being polite to AI, and the Tamagotchi theory of human-AI relationships. Connect with Joseph: https://www.linkedin.com/in/josephcarson NATO Locked Shields: https://ccdcoe.org/exercises/locked-shields/ Security by Default podcast (Spotify): https://open.spotify.com/show/0mzN5M5CkFVLn8fq5TnH0O Connect with us on LinkedIn: Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/ Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/ Visit the show on the web at http://idacpodcast.com TIMESTAMPS 00:00 Welcome and intro 03:02 Conference season and IDAC discount codes 04:19 Introducing Joseph Carson and Security by Default 10:18 Optimist or pessimist on identity security 12:30 AI vs. AI - origin of the concept 15:02 Watching two AI agents negotiate a ransomware payment 17:26 The Tamagotchi metaphor for human-AI relationships 19:07 Who is winning the AI cyber arms race 21:00 How AI accelerates attacker capabilities 23:09 Dark web LLMs and bypassing guardrails 26:36 The energy cost of being polite to AI 28:15 Agentic AI skills, campaigns, and the Matrix analogy 31:34 Estonia AI agents filing tax returns 35:14 Introducing NATO Lock Shields 37:00 Protecting a simulated nation from 8,500 cyber attacks 38:08 Why identity is national critical infrastructure 41:18 AI in Lock Shields before and after 43:05 Lock Shields 2025 scoring explained 47:04 The EU AI Act - is it the next GDPR 50:18 Risk-based approach to AI regulation 53:35 Closing thoughts and cautious optimism 54:21 Scuba diving vs. snowboarding 58:05 Wrap-up KEYWORDS AI vs AI, agentic AI, identity security, NATO Lock Shields, EU AI Act, Joseph Carson, Security by Default, ransomware, dark web LLMs, guardrails, data exfiltration, phishing, critical infrastructure, Estonia, cyber defense, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald

    1h 4m

  6. MAR 11

    #407 - Sponsor Spotlight - Rubrik

    This episode features Drew Russell, Identity Resilience Platform Owner at Rubrik. Jim McDonald and Jeff Steadman explore the intersection of backup, recovery, and identity security. Drew explains how Rubrik evolved from data backup into a cyber resilience platform with identity as a core pillar. Topics include recovering Active Directory, Okta, and Entra ID after ransomware, Rubrik's "bunker in a box" appliance for immutable air-gapped recovery, proactive posture management, CrowdStrike and Defender integrations, and where AI and non-human identities fit into Rubrik's roadmap. The episode wraps with measuring success for a product you hope to never use, and a detour into watch collecting. This episode was made possible by the support of Rubrik. Learn more at rubrik.com/idac Connect with Drew: https://www.linkedin.com/in/drew-russell-3762411b/ Learn more about Rubrik: https://www.rubrik.com/idac Connect with us on LinkedIn: Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/ Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/ Visit the show on the web at idacpodcast.com TIMESTAMPS 00:00:00 - Welcome and Introduction 00:01:19 - Introducing Drew Russell 00:01:36 - How Drew Got Into Identity 00:02:43 - What Is Rubrik and What Sets It Apart 00:03:38 - From Backup to Cyber Resilience 00:05:31 - Where Rubrik Fits in the IAM Landscape 00:07:08 - Rubrik's Scale: Clients and Growth 00:07:51 - Primary Use Cases: Post-Incident Recovery and AD 00:09:09 - Kicking Out Compromised Accounts and ADR 00:10:11 - Proactive Threat Detection and Mandiant Integration 00:11:28 - Scanning Backups to Find the Clean Recovery Point 00:12:14 - The Bunker in a Box Explained 00:13:18 - Posture Management and Upstream Tool Integration 00:14:19 - AI Agent Swarms and the Future Attack Surface 00:15:37 - The Taiwan Bank Case Study: Six Weeks to Rebuild AD 00:17:16 - The State of Nevada Incident: $400K and 30 Days 00:17:56 - What Recovery Covers: AD, Okta, and Entra ID 00:19:26 - Post-Restore Change Management and Whitelisting 00:20:08 - How Long Should You Store Backups? 00:21:19 - Indexing Identity for Intelligent Recovery Points 00:22:29 - Excluding Malicious Actions During Restore 00:24:41 - Zero Trust for Rubrik's Own Backups 00:26:21 - No Windows, No Virtualization Architecture 00:27:49 - Proactive Posture Management 00:29:00 - CrowdStrike and Defender Real-Time Integration 00:30:48 - Why Tabletop Exercises Often Fall Short 00:31:53 - AI Roadmap and Non-Human Identities 00:34:22 - The Three Pillars: Data, Identity, and AI 00:35:29 - Deployment: SaaS vs. On-Prem 00:38:37 - Appliance Sizing and Redundancy 00:42:23 - Measuring Success for a Product You Hope to Never Use 00:43:46 - The Ludacris Rubrik Commercial 00:45:31 - Watch Collecting and the Omega Speedmaster 00:53:39 - Drew's Closing Words KEYWORDS Identity at the Center, IDAC, Jeff Steadman, Jim McDonald, Rubrik, Drew Russell, identity resilience, cyber resilience, Active Directory recovery, AD backup, Okta recovery, Entra ID recovery, identity backup, ITDR, ISPM, non-human identity, NHI, agentic AI, ransomware recovery, bunker in a box, immutable backup, CrowdStrike integration, Microsoft Defender integration, Mandiant integration, identity disaster recovery, ADR, zero trust, tabletop exercises, posture management, IAM, identity security podcast, cybersecurity podcast

    55 min

  7. MAR 9

    #406 - IDAC MailBag for February 2026

    In this MailBag episode, Jeff Steadman and Jim McDonald tackle eight questions submitted by listeners from around the world, including Munich, Sao Paulo, Singapore, Toronto, Hanoi, London, Sydney, and Chicago. The conversation covers governing AI and non-human identities, practical first steps toward passwordless adoption, what a mature IAM program actually looks like, who should own identity within an organization, building credibility with leadership as a new IAM practitioner, enforcing least privilege in practice, rethinking access reviews beyond checkbox compliance, and how to make the business case for identity security investment before a breach occurs. The episode wraps up with some lighter listener questions about sports analogies for IAM roles and whether anyone in their personal lives actually understands what they do for a living. Connect with us on LinkedIn: Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/ Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/ Visit the show on the web at http://idacpodcast.com TIMESTAMPS 00:00 - Introduction and RSA Conference debate 03:41 - Conference plans for 2026: EIC, Identiverse, and Authenticate 05:17 - MailBag intro and how questions get selected 06:51 - Q1 (Hans, Munich): Governing AI access vs. human access — same principles or a different approach? 12:32 - Q2 (Gabriela, Sao Paulo): Realistic first steps toward passwordless without disrupting everything 18:34 - Q3 (Wei, Singapore): What does a mature identity program actually look like? 30:26 - Q4 (Marcus, Toronto): When IT and security both claim to own identity, how do you sort it out? 39:33 - Q5 (Linh, Hanoi): Building credibility and influence as someone new to the IAM space 42:53 - Q6 (Claire, London): Enforcing least privilege in practice without slowing down the business 46:14 - Q7 (James, Sydney): Are access reviews just a checkbox exercise, and is there a better way? 49:18 - Q8 (Darnell, Chicago): Making the case to a CFO or CEO for identity security investment before a breach 52:38 - Lighter note: If IAM was a sport, what position would you play? 1:00:27 - Lighter note: Does your family actually understand what you do? 1:03:06 - Wrap-up and how to submit future questions KEYWORDS IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, IAM, identity and access management, MailBag, non-human identity, AI governance, agentic AI, passwordless, passkeys, IAM program maturity, identity ownership, RACI, least privilege, zero standing privilege, access reviews, security theater, identity security budget, business case for IAM, ISPM, IGA, IDPro, Identiverse, EIC, Authenticate conference, RSA conference, cybersecurity podcast, identity security, identity community

    1h 4m

  8. MAR 2

    #405 - RSM 2026 Attack Vectors Report

    Jeff and Jim sit down with David Llorens, principal at RSM, to break down the RSM 2026 Attack Vectors Report. Drawing from real-world offensive security engagements, David explains why identity continues to be the primary attack surface, how AI chatbots are creating new vulnerabilities through prompt injection, and what separates organizations that get breached from those that don't. The conversation covers MFA gaps, the explosion of non-human identities, why PAM is the top investment priority for 2026, and how CISOs can align security spending with business objectives. Plus, the episode wraps up with soccer stories and some quality trash talk. Connect with David: https://www.linkedin.com/in/david-llorens-009a3310/ Review RSM’s 2026 Attack Vectors Report: https://rsmus.com/insights/services/risk-fraud-cybersecurity/rsm-attack-vector-report.html Connect with us on LinkedIn: Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/ Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/ Visit the show on the web at http://idacpodcast.com TIMESTAMPS0:00 - Intro and Jim's big personal news4:51 - Main topic intro: RSM 2026 Attack Vectors Report5:55 - David's origin story and how he got into cybersecurity9:53 - What a principal is at RSM and David's current role11:16 - What the Attack Vectors Report is and how it is created14:40 - Why identity security is a dominant theme in this year's report17:19 - What separates organizations that get breached from those that don't18:18 - MFA as the first line of defense18:45 - Privileged access management as a growing priority19:40 - Detecting lateral movement through identity anomalies21:00 - Credential rotation as an advanced defensive technique22:26 - Non-human identities and service account risks24:37 - Middle market challenges and budget constraints25:17 - Is it the size of the budget or how you spend it?28:29 - Using internal audit and cross-department collaboration for security wins30:15 - Cybersecurity as a business enabler, not a deterrent32:45 - Non-human identities and agentic AI creating new attack surfaces35:51 - Prompt injection attacks and AI chatbot vulnerabilities39:42 - Actionable recommendations for practitioners42:41 - MFA implementation gaps and session hijacking45:02 - The case for FIDO2 and layered conditional access46:35 - Is identity security a board-level issue?49:47 - Three things CISOs should focus on through 202650:52 - PAM as the top investment priority51:28 - Removing unnecessary privileges from users56:11 - Redefining what privilege means in your organization57:43 - Social media accounts as privileged access58:42 - Credentials stored in SharePoint and OneDrive59:38 - Wrap up and where to find the report59:58 - Lighter topic: David's soccer background and playing semi-pro1:05:06 - Best trash talk stories1:07:03 - Jim's trash talk philosophy: scoreboard1:08:00 - Jeff's basketball trash talk and calling his shots1:10:00 - Final thoughts and sign off KEYWORDSIDAC, Identity at the Center, Jeff Steadman, Jim McDonald, David Llorens, RSM, attack vectors report, offensive security, penetration testing, identity security, MFA, multifactor authentication, privileged access management, PAM, non-human identities, service accounts, agentic AI, AI security, prompt injection, lateral movement, credential rotation, FIDO2, conditional access, session hijacking, middle market, CISO, board-level security, certificate-based authentication, active directory, configuration management, shadow AI

    1h 11m
See All (412)

Ratings & Reviews

About

Identity at the Center is a weekly podcast all about identity security in the context of identity and access management (IAM). With decades of real-world IAM experience, hosts Jim McDonald and Jeff Steadman bring you conversations with news, topics, and guests from the identity management industry. Do you know who has access to what?

Information

  • Creator
    Identity at the Center
  • Years Active
    2021 - 2026
  • Episodes
    412
  • Rating
    Clean
  • Copyright
    © 771327
  • Show Website
    Identity at the Center