Resources
- -
- Solutions
- RadiantOne
- Why Radiant Logic
- Company
- Support
- Resources
© 2026 Radiant Logic, Inc. All Rights Reserved. | Privacy Policy
In this episode of Radio Logic, host Anders Askasen sits down with Simon Moffatt of The Cyber Hut to unpack the collision between Agentic AI and identity governance. They cover why IGA and PAM projects keep failing, what makes AI agents different from normal machine identities, and why “Shadow AI” could be your biggest blind spot. Plus the line you will not forget: would you give a four-year-old the keys to a Ferrari? If you own identity, security, or governance, press play.
Anders Askasen:
This is Radio Logic, the show about digital identities, the people behind it, the tech behind it. And in each episode, we’ll cover what works, what doesn’t, and what’s next. Let’s dig into it.
Hello. My name is Anders Askasen. I’m the senior vice president of marketing for Radiant Logic. And with me today, got Simon from the CyberHut.
Simon, tell the audience who you are and
Simon Moffatt:
Hi, Anders.
Great to be here. My name is Simon Moffatt, founder and research analyst at The Cyber Hut. The Cyber Hut is a global industry analyst firm tracking about a hundred and fifty different vendors globally all around the identity, identity security space, and it’s great to be chatting about a topic.
Anders Askasen:
It’s a great source to understand what everybody else is doing in the market space and figuring out what’s going on.
Simon Moffatt:
Trying to synthesize change and the voice of change and where things may or may not be heading to.
Anders Askasen:
I thought we would open Pandora’s box today a little bit and talk about agentic AI and AI and identity. And just to set the scene a little bit, I think we’re looking at a massive paradigm shift when it comes to identities and how you govern and deal with identities, you know, in the very near time, I think, and I worked for several of these IGA companies, right? And the way that you do identity governance and administration is going to change. And why why do I say that? Well, I think I think with the introduction of agentic AI agents that can react to things, can can deal with natural language, I think the world is gonna be completely different where you interact with an agent through natural language using your collaborative suites, whether it’s Slack or some Microsoft Teams product.
You’ll talk, you’ll chat, and then you’ll get whatever access that you need.
You’ll you’ll deal with problems, and it will interact with you instead of these clunky UIs, instead of maybe even and I’m gonna I’m gonna challenge something here. Maybe even the role based model will disappear in the future because it’s no longer needed.
So I’m going to open up there. That’s my vision. That’s where I think we can be very disruptive in the industry.
But what’s your thoughts on that?
Simon Moffatt:
Well, yeah. I mean, look, AI is it’s it’s a it’s a generational thing. It’s it’s it’s the industrial revolution or re revolution of of how we think about digital services and data and and other. So I think, first of all, it is going be hugely transformative, all parts of society, public sector, private sector, lots and lots of different ways it can potentially benefit us.
We’re not quite there yet. We’re still very much the in the in the sort of baby steps of of its adoption, of the security, ethics, governance, how it should be used, how it could be used, how it can be used nefariously. We’ve seen some recent reports come out around how you can use AI to to build out sort of semi autonomous attacking platforms and other we’ll maybe come to that. But I I absolutely spot on.
I think it is a Pandora’s box. The benefits are huge. Not yet. Longer term, they will be.
But I think right now is definitely a period of transition, of uncertainty.
Organizations are looking to build out AI in some way, shape, or form. They can see the productivity benefits, the sort of enabling benefits it can bring with, you know, doing more with less and this sort of stuff. So that’s all brilliant. I think back to identity, specifically, you’re absolutely right. Things will change, and and they typically change because they’re not working effectively to start off with, which is the main reason.
IGA is a really good one because IGA projects are typically ending in distress. You know, we did some research probably about eighteen months ago, two years ago, looking at some of the core causes of this distress, interviews and polls and the rest of it. And it was all around, you know, certification processes, they take too long, we can’t integrate our IGA systems with enough applications, so it ends up being a tiny subset which gets included anyway.
Access requests lack context, things like RBAC and group descriptions are missing, so it was very difficult to actually perform any sort of governance effectively. So all of those things indicate if there’s distress there, it will result in change. Privileged access management is another example. You know, PAM systems, they get bought very expensive, typically designed with on premises in mind and sort of vaulting and sort of session management capabilities.
They cover a tiny percentage of the high risk systems. And if you talk about where high risk is today, it isn’t just within one or two systems. It’s on cloud, on prem, private cloud, cloud native, SaaS. Spectrum is huge. So I think PAM as well will probably end up having some sort of disruption. So I think AI, it’s almost like this hosepipe of power.
You’ve got to force it into the right problems ultimately to get some real benefit. And I think there are huge opportunities within identity to drive some value.
Anders Askasen:
At the same time, think what I’ve been witnessing is that the vendors are they’re approaching this with baby steps.
Maybe because there’s too many unknowns and and too much uncertainty and and and and they’re trying to figure out how can we use this the best. And the the way that I’ve seen it, and I’m sure you track that from from the CyberHut’s point of view that, you know, you have the Harbor pilots, you have the Hobbies of the world, you have the AIDAs, which is our own AI assistant. They all tackle a discrete problem.
Even though it’s all being backed by one of these large language models that can do so much more.
But I guess the real problem here is that you have a deterministic versus nondeterministic problem underlying? Because it’s all statistics, right? Ultimately, what an LLM gives you is some certainty that here’s an eighty six percent valid answer, whereas it’s not a binary yes or no.
Simon Moffatt:
Yeah. That’s absolutely spot on. I think there’s definitely a spectrum. There is no certainty in certain things. And I think if you go back maybe ten years when there was this rise of things like process automation, and we automate everything, we have these platforms that can glue different systems together.
And trying to automate an end to end process or information flow is really, really difficult. And you spend tens of thousands of dollars with a systems integrator, they’d come in, they’d analyze, they’d document the processes, and they’d attempt to automate whatever, data management problems or onboarding or whatever, really difficult because it ends up being really fragile. And any slight change to the workflow, the edge case, the unhappy customer, the unhappy member of staff, something that goes wrong, it’s really hard to get back on track. So they end up trying to break the problem down into small discrete chunks as you described.
And I think that’s actually a smart thing to do. And if you look at identity, I try and think of it in two ways. One, the identity life cycle. So it seems basic, but identities don’t exist in a vacuum.
They have to be created, validated, verified, stored, permissions, JML, if it’s for B2E staff based stuff.
Anders Askasen:
So that’s the joiner mover leaver program.
Simon Moffatt:
Exactly. Exactly that, which is well understood from a process point of view. Then you have access control and access enforcement and then hopefully offboarding, and there’s a whole host of things in there as well. So you have this life cycle, but you also have the identity data angle and the identity runtime aspect. And by data, I refer to the profile, the permissions, the policies, the three Ps, I guess, but all of that data, the logic, which allows the identity to exist. And all of those parts are all fraught with with data inefficiencies, lack of information, too much information, stale accounts, excess permissions, all all the problems we’ve been trying to fix for the last couple of decades.
Anders Askasen:
Essentially, you’re describing there is is our kind of bread and butter at Radiant Logic where we establish that identity layer, clean everything up and provide that single source of truth that you can also augment with additional information and context, which is very important in a sort of agentic world. But from a marketing point of view, we always talk about human and non human identities and we circulate that term NHI.
Maybe you can try to help define this and put that in context with agentic AI, how do we fit that in? Is it the same thing? Is it different? Is it a subset?
Simon Moffatt:
Yeah. Look, I think word wars, they don’t help the industry. There’s definitely always confusion on definitions and ownership of acronyms and other things. So I think there’s definitely different types of identity.
So your B2E layer, quite well understood, I think, which in itself could be broken down into customers, contractors, zero hours contracts. And there’s probably seven or eight different subtypes of B2E, which often get misunderstood. Then you have B2C, which is customer, citizen, consumer. They’re all subtly different.
So those are the two people based blocks, if you like. But then you have this this new world of NHI, nonhuman identity, which, again, you go back maybe a decade, sort of fell into this machine identity category, which was all really about PKI, public key infrastructure, issuing certificates maybe to servers and computers and services that were having to do certificate based authentication and communication. So that was the sort of early onset of this non person entity, NPE, as it was probably traditionally taught, I guess, in the textbooks sort of a couple of decades back. And that’s expanded.
And we start to look at things like service accounts, so root accounts or maybe administration accounts within Active Directory, and there’s a whole host of service accounts in in different things. But then the microservices world came along a decade, fifteen years ago, looking at taking monolithic apps, building them into microservices. So suddenly you have API to API communications, which doesn’t typically involve a person. So that’s all needs to be authenticated and authorized, looking at things like JWT tokens and OAuth 2.0 and this sort of stuff.
So suddenly this nonhuman world, it proliferated. It’s proliferated hugely over the past two to three years. There’s a whole host of vendors delivering services and functions there. So essentially, in my point of view there, NHI is quite a broad remit.
Anders Askasen:
That that’s the broader
Simon Moffatt:
That that’s the broader term, which is looking at anything from the services, APIs, credentials, keys, secrets, anything where you are looking to perform some sort of basic auth and auth without the human involved, which brings a whole host of really subtle problems, you know, around single source of truth.
You don’t typically have an HR system for these NHIs because there isn’t one, and they maybe they get created and managed in a more distributed fashion, perhaps by an engineer or application owner.
Anders Askasen:
Then you have that ephemeral nature of of the need for access.
Simon Moffatt:
Right? Hopefully.
Anders Askasen:
Discrete moment in time where where the agent needs access, and and and then it disappears.
Simon Moffatt:
Indeed. Well, let’s let’s stick with NHI, I’ve not got to agents yet. But you’re right.
There is an issue around some things like credentials and secrets and keys. And I think the industry is is hopefully moving away from static based credentials and permissions where you you may hard code something in your in your application, your Go language application, whatever it is, with hard coded credential and secret, sort of moving away from that to, as you say, something more ephemeral, which maybe lasts maybe hours or minutes perhaps, which is is constantly rotating. That then needs permissions as well. What can that NHI do?
But you you threw in the agentic angle in there as well. So, obviously, agentic AI has really rapidly risen the last probably eighteen months commercially, and this is really a different beast in my opinion. Perhaps maybe a subset of NHI. We did some polling at the CyberHut recently, and and most of the I think it was about sixty percent of the audience that submitted, said it was more likely a subset of NHI.goteleport+4
I think there’s a bit of complexity in there as well. I I don’t think it is just a subset. I think it’s a subset and a little bit different as well. Because if you’re talking about normal NHIs and workloads and API one talking to API two, that’s quite well understood.
And by that, I mean, you understand the payloads going backwards and forwards, the size, the time, the formats, is it JSON, it needs a certificate for authentication, it’s using MTLS. You sort of know the time of day, the payloads, baseline of behavior going literally tick tocking like a metronome between two endpoints.
Agentic isn’t necessarily the same. It’s more goal orientated, not task orientated. So you mentioned sort of deterministic versus probabilistic. You don’t necessarily know what the agentic function is going to do.
It may change, it may learn, it may self learn, understand, and change its behavior. So, yes, you have a scaling issue to deal with. So how do you scale, deploy, issue credentials, authentication? But how do you then look at behavior?
You know, the agentic system may run on a Monday, performs successfully well, optimizes, does what it says, everyone’s happy. By the Friday, it’s doing something totally different. You’ve asked it the same question, but the answer could be entirely different because it’s learned. And it’s it’s tasked with learning.
It’s it’s supposed to optimize and improve itself. So that, from more of a runtime point of view, is a very, very different beast.
And I think, first of all, I think both the the human and nonhuman identity sort of systems and characteristics that we know and love, the concepts are good, but maybe the implementation will be somewhat different for
Anders Askasen:
And speaking of implementations, when when I survey the customers and prospects that I speak with, there there’s three main deployment patterns, if you will, that they refer to as agentic AI.
And that is number one, that orchestration component, and you have, you know, multiple different components there, N8N, Zapier, Bedrock, you name it, where there’s a component in there and it’s typically often no code, low code. So it’s quite easy to do some really incredible stuff really quickly, but involve an agentic AI component that you can serve with governed tools using MCP protocol, which is one of the emerging ones.
And they can do some really, really interesting stuff that solves a lot of the traditional IGA problems in a very different way. Then you have sort of the developer approach, whether you use something like LangChain or something like that and build out your own agent that does something very specific. I personally think that that seems like a very clunky way of approaching, especially identity related problems that that, you know, have a tendency of shifting and there’s a lot of moving parts. And then there’s the third part where you see these browsers coming out; Perplexity has Comet, OpenAI has their own one. And there’s a whole bunch of different initiatives where they define it like the agentic AI operating system. An in-browser type of operating environment where you give up your credentials to your inbox, your calendar, some enterprise tools.
And to me that seems very shaky grounds, if you will.
But those are the three main patterns that I see when customers talk about agentic AI. That’s what’s being used. What’s your thoughts? I mean, I think from our point of view, we’re looking at the orchestration layer and being able to monitor and see what goes on with the agent. And there’s a whole bunch of metadata there so we can actually discover, right? Because there’s a shadow IT problem, and we’ll touch on that later. But what’s your thoughts, Simon?
Simon Moffatt:
I think that’s probably fair. I think there are emerging patterns. I don’t think there’s a definitive “this is how you should go and use this stuff.” I think it’s very early.
I think it’s quite experimental. I think the knowledge, again, back to sort of the different stakeholders that need to be involved here. So one is if you’re building an agentic system, that has to be fed something. You know?
So you need to look at the data side of things as well, the ethics, the legal, the compliance, there are different stakeholders around how this stuff should be designed, which is why we’re seeing different patterns for different uses. I I don’t think there’s a definitive way. There’s pros and cons to each of these things. The browser world is interesting because it is abstraction, but equally there’s a security impersonation and delegation thing in there as well.
I think anything around no code has become very popular the last decade or so, no code for all sorts of integration aspects, which you talk about things like chat ops as well, you know, being able to expose complex systems in a sort of chat ops style format as well, which is, I guess, a sort of form of no code. And, again, that brings some interesting, I guess, side consequences. Yes, you can perhaps expose a system to nontechnical stakeholders, but that’s that’s quite again, it’s back to the toddler and the Ferrari thing.
Making the Ferrari easy to drive doesn’t mean you should give the keys to a four year
Anders Askasen:
old.
Are you saying, Simon, that we need two things? One, an HR system for agentic AIs, and we need the techies to actually be in charge of this?
Simon Moffatt:
I think it’s about accountability, and I think there’s a difference between accountability and responsibility as well. So you need to have somebody who is the accountable named person, not not the board or a team. It’s a person’s name. And then the responsible party, which, you know, may well be a developer building something, but they are responsible for building it in an effective, safe, privacy preserving way.
So all of that, I think, is still, if I’m honest, still being developed, you know, immature because it’s early. You know, maybe two, three, four years, things will change. But I guess specifically from the identity point of view, you know, there are certain problems that can be addressed. You mentioned IGA there.
And I think, again, as always, it comes down to, you know, why does IGA not work? Why is it failing? Why is it in distress? Lack of context, lack of data, why is the access review process, you’re looking at somebody’s, you know, should they have this group, this role, we all know it, we all despise it, it’s been going on for at least twenty five, twenty eight, thirty years commercially, it is still being optimized because it isn’t working, it’s not working effectively.
So there are certain areas within identity and and specifically within identity data which need to be fixed. Access review, access request, things like adding in descriptions to groups and roles. And that’s not a sexy problem, you know, going through Active Directory, “What does this group do?”
“Don’t know.” “Ah, okay. What we’ll do is we’ll create a new group because I know what that group does.” Eighteen months later, the person who created the groups has left.
You don’t know. You create and you get this AD group explosion. The same happens with roles and RBAC and role based access control. You get RBAC explosion.
“Ah, well, RBAC’s rubbish. Let’s use ABAC.” Okay. Great. And then you get policy explosion because so you get this proliferation of of a lack of hygiene, lack of governance, etcetera.
So I guess the point I’m trying to make is there are some really sort of low hanging fruits, I think, which AI can be pointed at to suggest and remediate and clean. And actually, when you get that basic fitness right, it’s like humans, right? If you get your basic fitness right, suddenly then you can start to do these more advanced things like, you know, playing basketball or whatever it is, but you need to get the basic fitness of the identity data working.
Anders Askasen:
But we it seems like we’re still pretty far away from securing that AI within an orchestration, within the browser, wherever the deployment pattern is.
I mean, it seems to me, and I might be a bit naive here, right, and uneducated on this topic, but if you look at an agent component inside one of these orchestration layers, it’s API keys. Right? It’s OAuth 2.0. Is that enough? Or do we need something different?
Simon Moffatt:
I I think I think it’s never enough. I think it’s we we we always need to evolve and do more. And you’re absolutely spot on. You know, agentic, it is it is different.
It’s a different identity type. So we need to take the concepts we have from the human world and somehow apply them to the agentic world. I’m not saying the same systems. It’s not the same system.
It’s the same concepts. So what do I mean by this? Well, you need to have attribution. So where’s this agentic identity come from?
Who’s created it? Verification and validation, maybe some sort of attestations or whatever it could be. Strong auth, you know, strong authentication. We we sort of think we know this for people, biometrics and passkeys, you know. So what’s the equivalent for agentic?
And then you then get into just in time permissions, zero standing privileges, etcetera. How can you then deploy all of these things that we sort of have designed on the whiteboard for people? You have to do that for agentic, and there’s no human interaction in there and delegation, impersonation, and other. So there’s some really complex and subtly different problems that we need to deal with.
And governance, you mentioned that jokingly, an HR system for agentic. Well, maybe you maybe need to have some sort of authoritative secure running state. Who’s creating them? Why are they being created?
Why should they have this access to this
Anders Askasen:
Capturing that intent and the result and being able to hold someone accountable.
Right? But if if we had a CISO in the room here and and if we’re trying to wrap up with this, the big elephant in the room right now on a lot of people’s minds is is the shadow IT problem. Right? Because we all know it. There’s a new tool that is using AI, and it creates some incredible results. And it’s very easy to paste in potentially sensitive data, so you have a data leakage problem to an AI model that you have no idea, no control over.
Maybe you’re even using it for free. Maybe it ends up in an adversarial third party nation. Right? So there’s a lot of these complexities. How how are you gonna deal with that?
Simon Moffatt:
I think it’s it’s a massive one. You know, I think the ShadowAI is is a is a real big deal because you talk about no code, simple to get started. You don’t need to be a technical developer to use this technology. It’s it is built within your browser or within this maybe within the SaaS system you’re using.
Suddenly there’s an AI core part that can help you and assist you, and it’s improving your productivity. It’s a compelling event for you to use it. So I think you’re absolutely right. I think there’s two problems.
One is understanding where AI can benefit you in the organization, which is much more of a strategic looking at failures. Where does the business want to go? How can AI help you achieve those goals? But I think in that tactical level, I think the shadow AI is a real concern because it’s very difficult to track and identify.
So I think as well, it’s a communications thing. It’s bringing that up on a risk register, understanding that this is a potential problem, not maybe trying to fix it on day one, but understanding, “Okay, I appreciate there are AI components which I do not have visibility of right now. They could be SaaS, they could be free, definitely gonna be external to the control of your business.” And you’ve got to think of those as an extension of your business, really.
If you’re sending data out into a SaaS AI platform, that’s just another attack point.
Data is polluting and leaving your control. It’s a question to be raised. How you solve that on day one? You need a multitude of agent tools, scanning tools, logging tools.
What’s accessing the data that’s feeding these systems?
Can that be tracked? Can it be logged, looking at audit of those interactions there? That isn’t something you can fix immediately, but it’s something to be aware of very, very early. And then you can start looking at what sort of agentic security controls do you need, and that will involve all of the concepts we have for the human world and probably a few others as well.
Anders Askasen:
I I think you’re spot on there, Simon. I think I think the real problem is is threefold. Right? Like, with all security, it’s it’s it’s not only technology. It’s the people that need to be trained, and they need to understand the risks and consequences. And it is the processes around it that also need to be modernized to to deal with the agentic AI new era, if you will.
But very interesting conversation. I realize that there’s more to this topic that we can we can spend a lot of time discussing, but I appreciate you taking the time, Simon, and it was a good conversation.
Simon Moffatt:
That’s all. No. Thank you. It’s a pleasure as always. And the interesting thing with AI is if we did this conversation perhaps in three, six, nine months’ time, it would probably look entirely different. Exciting space.
Anders Askasen:
It is. Very.
Listen to Radio Logic using one of many popular podcasting apps or directories: