RadiantLogic-Cisco-Dashboard-Reporting-Hero

The Inheritance Problem: Why Agentic AI Needs a Unified Identity Foundation


Every enterprise now operates with three types of identity: humans, non-human identities (NHIs), and AI agents. The challenge isn’t just managing a third population category. It’s also that AI agents actively connect all three — inheriting permissions, delegating access, and binding identities to assets and to each other. Each connection can outlive the identity that created it.

Speakers include: Akshay Srinivas Rajanbabu – Distinguished Engineer, Solution Consulting at Radiant Logic, Dr. Charles Herder – Co-Founder at Badge Inc, Andy Weeks – Independent Cybersecurity Advisor, and Mandy Logan – Brainstem Hacker and InfoSec Enthusiast.

Read the transcript

Hello and welcome. Thank you so much for joining us here for this SE media panel cast and we’re going to get to discuss the inheritance problem. Why agentic AI needs a unified identity foundation.

To begin, I’m your host or moderator, Mandy Logan. I co host on Pulse Security Weekly, which interestingly enough is in its twentieth year, one of the longest running podcasts on the surface of the earth. I can’t speak for other worlds, but here it is one of the longest running podcasts.

It is for practitioners by practitioners, and we do dive into up to date news stories, history behind issues that are presenting, and additional detail for the entire community as we all face ongoing cybersecurity challenges.

Please be sure to tune in and subscribe. I am very intrigued because today we have an illustrious panel brought together. But before we get into the detail, there’s a little bit of housekeeping.

Welcome to our webinar platform. In the upper right hand corner, you will find links to additional resources. Here is where you will find the detailed and beautiful prod say products, but it’s really not. It’s really detailed for you provided by Radiant Logic and our panel.

Those resources will also give you an option to access your CPE certification after about the forty minute mark.

Additionally, you will receive an email that allows for your playback. And you’ll receive an email that allows you to download your CPE certification. We want to make sure that you have all documentation required.

So, over the next fifty minutes, we are going to discuss how AI agents forge persistent identity inheritance chains across humans, nonhuman identities, and agents.

This is also a deeply held terror point for a lot of teams because we can see how much the fragmented data leaves our security teams in the blind.

Building on information that Doctor. John Pritchard, the CEO of Radiant Logic brought out in his keynote at Identiverse twenty twenty six, we’ll zero in on this three identity problem and discuss security’s chaotic era.

Before we jump in, I’d like to properly introduce our three panelists.

Because this space is still so very new, their backgrounds are genuinely relevant to how they approach the inheritance problem. So I’m going to give each a little bit more detail as I’m going to invite the audience to also sit back and think about how the expertise that each member brings is being given to you in ways that you can modify and enhance how you face this magnificent problem that we are all in right now.

First, joining us, Akshay Rajanbabu, Distinguished Engineer, Solution Consulting, Radiant Logic.

Akshay Rajanbabu is a Distinguished Engineer at Radiant Logic specializing in large scale identity systems.

With deep expertise in identity management, modern authentication, identity verification, and dynamic risk detection, he focuses on building practical, high scale identity solutions that strengthen enterprise security while driving innovation.

Welcome, Akshay.

Next, we have Andy Weeks, an independent cybersecurity advisor.

Andy Weeks is an independent cybersecurity advisor with twenty five years of experience building enterprise identity programs at Fortune ten scale.

As former VP of Identity and Access Management at Syncora and AVP of Identity and Access Management at Humana, he has led large teams through aggressive M and A cycles, complex regulatory demands, and major digital transformations.

Giving him that rare and fantastic practitioner’s view of what actually works at scale.

Welcome, Andy.

Thank you.

Welcome.

Next, we have Doctor. Charles Herder, co founder of Badge Inc.

I’ll note here Badge is also a partner with Radiant Logic.

Doctor. Herder is a recognized expert in cryptography, systems security, AI and quantum computing. He holds four degrees from MIT, including a PhD in cryptography and is named on over thirty five patents.

He previously worked on embedded system security at Texas Instruments, co founded a cybersecurity company that was successfully acquired, and is currently co founder of Badge Inc, where he leads Identity A Privacy First Approach to Authentication in the AI Era. Welcome Doctor. Herder.

Thanks.

Okay. Akshay, I am going to jump to you first.

So, you along with Doctor. Pritchard, you got to speak at IdentiFirst as well. And you spoke on agentic AI identity governance and the theme carried across the whole conference.

What was the through line you heard, and how does it map to the inheritance problem that we are unpacking today?

So first of all, Mani, thank you so much for organizing this. And I’m super excited to be with Charles and Andy on this panel because these are two folks that I worked with for a very long time. And together with they’re trying to solve this problem in this space, and we’re excited about that. So thank you so much for having us.

Back to your question. What really stood out for me at IdentityWorks was that the conversation around identity is expanding again. Right? So last decade, we we focused on human identities, and human identities were your typical employees, contractors, and partners. And then came the machine identities, aka nonhuman identities. Right? They became a major focus when there was cloud, adoption of cloud, automation at scale.

And but the true line I heard across the conference, including John Richard’s keynote, was that there’s a three third class of identity, which is basically your agentic AI, and this is now creating a new identity frontier. Right? And these agents are not just applications. Right?

So you can look at these agents. They’re agents that are formal in nature. They are automated in nature. They can reason.

They can act. They can invoke other workflows.

They can trigger tools that get access to additional data. They can skip between parameters of ecosystems within your organization. So when you look at this, each of these agents along the way, they’re gonna be inheriting access.

When they invoke a tool, in an example, they connect to ServiceNow, that means that they’re invoking an NHI to get access to a service, which means that they’re inheriting access as they work towards their ecosystem. Right?

This risk is not only what permissions does this AI agent have when they are created. This primarily also focuses on permissions that they’re inheriting along the ways of how they act within an organization. So it can really get uncontrolled really quick. And their agents, to be very honest, they start with a narrow task.

But through user prompts, through the workflows, they try to get access to more systems, access to more data. And if we do not have that visibility into that access chain, we really cannot govern these agents appropriately. So the big takeaway for me was AgentDK identity governance cannot be treated as a future problem. It exists today.

We need to start working on it today. We need to map that inherited access chain and and really, really excited about having discussions around this in less inheritance issue because that becomes the bridge between the traditional identity on how we managed and the new autonomous world of how agentic AI operates within an ecosystem. So we’re kind of bringing in old best practices, building new best practices, and basically fusing it together. So really excited about that topic.

And that’s what I heard in general, Mandy, along the conference.

It is. I mean, secondhand, I genuinely get very excited about this topic. And I’m gonna say, so I’m currently raising a pup that will be a service animal. And so I’m saying thinking you’re talking about the agents a little bit like a pup that ends up being able to find things absolutely you never thought existed and this bring it all together. Unlike dealing with a puppy, these are not visible. So, Andy, I want to turn to you. We keep hearing that business owners are spinning up agents and low low code tools faster than security can see them.

From everything that you have lived through at scale, the M and A chaos, regulatory hammers, budget fights, how bad is the ownership and off boarding gap actually getting in these agent chains?

Because I think about that. You know, there are statistics right now, and based on the analysts, it’s anywhere from forty to a hundred and fifty x the number of identities that are being created relative to the human and NHI identities. And you wanna stop and think about that. We’re still at the beginning of the AI wave.

Right? And so this is only gonna accelerate. So so what really concerns me is that we’re trying to manage this emerging population of autonomous agents, and we’re trying to use governance processes that quite frankly were built around human identities. We tried to scale that to non human, to NHIs, and it clearly is not going to scale as we think about agentic workloads and identities associated with that.

We saw it with service accounts and NHIs, but the problem here is that the agentic world changes the scale and the speed of that problem. And the ownership gap becomes really significant, especially when you consider the delegation gap.

So let’s think this through for a second. An employee creates an agent, in order to go do something from a business process standpoint. As we go forward, we’re gonna see actually not this idea of a one for one, but that I’m going to create an agent that itself is going to go break down a task into multiple components and itself spawn multiple agents. More than that, they may actually be calling persistent agents that exist that weren’t created by the individual who’s calling it.

Right? And so now you start getting these relationships that are happening. And so access decisions and data access events are happening several generations removed from the original human or the business process that initiated it. And at that point, we have to ask the question, whose authority is actually being exercised when work is being done by the agent?

Who approved it? And ultimately, who’s accountable for it?

You know, as as I think about that, what keeps me up is is that it’s not just visibility. It’s So let’s think about this again. Six months later, the employee changes roles. They leave the company or the business process they’re working on changes.

Who owns that chain of delegated authority from end to end? If we can’t answer that, we’re gonna struggle with all aspects of this. We’re gonna struggle with governance. We’re gonna struggle with compliance. In in very real terms, we’re gonna struggle with security. Right? Because now we have an uncontrolled identity, a nonhuman identity out there that has access that we have no visibility into even noting that it’s there.

And so ultimately, I think visibility becomes the biggest issue that we have to address as we go forward.

Absolutely.

That, Doctor. Herter, I wanna go to you next, but I want to bring out something I find intriguing about RadiantLogic standing here because Akshay, can you speak very quickly about how does this correlate to the directories issues that security was facing twenty years ago?

Yeah. That’s exactly the issue. And Andy brings up a really good point, because visibility has been a big challenge, but it’s it’s kinda like the blast radius was managed because the volume and the scale and velocity was not anything like what we have in the agent ecosystem.

I personally feel that most organizations do not have an identity problem because they lack data. They have an identity problem because the data is fragmented.

One system knows the user, the other knows the group, the other knows the service account, the other knows the cloud role, and another system might know the application’s entitlement information. Right? But no single place shows all of these identities and permissions and how they are connected between each of these ecosystems. So the security teams end up looking at access and slices, and they can see permissions here, a role there, a group there, memberships that are a part of a user, but they cannot see the full inheritance chain.

And that is where unified identity data layer changes the conversation. The first step, I would say, in bringing identity data from all these systems and normalizing becomes the first step. The second step, the most important step is mapping the relationships between them. That becomes critical because that provides really the context about how do those users, roles, groups, permissions, entitlements, and applications all coexist with each other, and then they start communicating with each other, how does that influence an agent when it has access to all of these different systems?

Right? So once you put that into a relationship graph, the invisible becomes really visible to you. Right? You can start to ask practical questions like, hey, if an AI agent is connected to a service account, what access can that agent really ultimately have?

If this contractor is removed from the group, what downstream impacts does the contractor have? What applications does it impact? If an identity has access to sensitive data, is that explicit? Did they really gain that access through official processes or did they just reach out to a help desk and then our access was given to that identity to access sensitive data?

This is a very different operating model. For the people cleaning up the mess every day, they have more context when they make these changes. They are more credible when they make these changes. They don’t impact the business when these make these changes.

So unifying identity data, really, it turns governance to Andy’s point from a reporting exercise into an operational control plan for understanding and reducing real risks. So that is extremely important.

Actually, would actually say this is super important. And Mandy, what you the the question is also very insightful that you’d pointed to, this is analogous to some of the directory questions that we experienced twenty years ago.

I also would like to point out that we are still living with the same directories that we were living with twenty years ago. Identity is extremely sticky. And so not only is Akshay’s point incredibly important to the extent that we actually are enabling operational value here. I believe based on historical evidence that whatever directory and other identity patterns and standards we pick right now, those are the ones we’re gonna be living with for twenty years.

Because that’s how sticky this stuff is. And now if we compare that with just how fast artificial intelligence is moving, we are at a critical moment right now. We need to make the right decisions and think not six months in advance, not three months in advance. We need to be thinking about the twenty year problem now because that’s how sticky identity is.

And we need to basically be able to think and have a unified front a unified identity platform that supports the future problem now because it’s that’s what’s gonna be there.

Well, fair. And it kinda boggles my mind to think that it is that we are at that threshold that we can have unified identity fabric. And I would kind of counter that even going beyond twenty years, because to me, I think of it a little bit like we’re at this point in history where the agentic AI, the agents being able to take over the nonhuman identities, taking over and creating new chains, new identities. It reminds me of like Linux or Unix in a way, because basically now Linux and Unix is going to be eternal.

Right? There is no way around that. It is almost eternal and we’re sort of getting to be on the cutting edge of establishing that now. So with that in mind, Doctor.

Herder, take us through this a little bit more. You here is our resident crypto wizard. So once teams can see these inheritance chains, the next question becomes accountability and proving that a real human is actually authorized and has given that agent that action.

From the cryptographic side, how do organizations close that gap? And why does doing it without stored secrets matter more as the agents multiply?

So and let’s look at this like a simplified a simplified view for the CSOs and the teams that are looking at adopting this. This fabric then, does it supplant or does it help, IGA and what they have as I am right now?

From my perspective, it does not replace because the identity fabric is much broader. There’s no way to create a true singular identity provider.

We are truly looking at a distributed identity realm. And, again, it’s also not contained within the enterprise. Right? Now, as we increasingly see business partnerships, b to b relationships, and all of that, Again, federation doesn’t necessarily solve that problem. We need the idea of a transportable identity that works across a global identity fabric. Now we’re not really there yet, but I think we’re gonna start to see that evolve as we go forward.

Let’s think about where we were with networking. When I started in IT, everything in networking was point to point. The idea of a global worldwide network that we now call the Internet was just a dream. Now that’s how we all do business.

Think we’re seeing the same thing beginning to happen in the identity space. We’re not gonna have one company company a’s identity, company b’s identity, company c’s identity, but the idea of an evolving global identity fabric as we go forward.

Now I’m looking a little bit forward, but I think those are the sorts of things that we will start to see coming forward as we as we look down the road.

So we’re at the moment where we have the opportunity to allow the humans to still be the the main push, like to still be the main people involved because the fabric is now established and relying on the humans that exist currently.

My question is is can that work at scale?

Okay. This was yeah. This was a big question because next to my well, that creates a huge question. How do the identity architectures hold up as the agents multiply?

Akshay, I’ll turn to you. Like, how does correlating identity data into a single continuously updated view change what’s possible?

Yeah. So I would I would kinda, like, touch back on how we just get on the same page. Right? While we build some of these solutions, to manage each entity identities, the scale, the volume are critical that we we we focus on.

And at the same time, I am on the same page that every time, from an engineering standpoint, I build something, a week later, I go back and things have changed. Whether it’s these large cloud providers or whether it’s, the application SaaS apps. Right? The the way we interact with them changes.

MCP changes. APIs changes. The data that they deliver to us for us to consume as a part of the unified platform changes. But the one thing that I would focus on is Adi did mention that we need to push the boundaries to pushing it to hours.

Right? I would say we need to actually push it to seconds, and there’s a reason why. Right? Think about it.

An AI agent that has access to sensitive data and if that is something that is controlled through a guardrail, right, a common concept within an ecosystem like AWS, imagine there’s a misconfiguration and the agent owner comes in and says, okay. I’m gonna remove this guardrail. Right? It might seem like a very small misconfiguration.

But if you look at the actual impact of it, now you’ve allowed the agent to have access to that sensitive information, and that would be in turn used by the large language models, which means you’ve leaked the data, which is irreversible.

Even seconds of having those guardrails removed is a bigger impact to the organization. So I would push the boundaries and say, these misconfigurations need to be identified within seconds because of the inventor reasons. Right? So and going back to Charles as well, right, and going back to your question, Manvi.

Right? Agents do not live inside one clean system boundary. And I think Charles talked about that. Right?

Agents can be created in one platform. They might be authenticating in another. They might use another service account somewhere else that allows API access across systems, whether be it ServiceNow, Salesforce, Snowflake, any of these systems. Right?

That’s the whole beauty of agents because they’re able to kinda, like, build a workflow of orchestrations. If your identity data is fragmenting, if you don’t correlate all of this data, what happens is this handoff between these different ecosystems become your blind spots. Because you don’t know what the user is. You don’t know the context of the nonhuman identity.

You don’t know the context of the application. You don’t know context of the agent. And if these are context contextual information that’s all critical, then it becomes extremely challenging for you to enforce any kind of governance or any kind of authorization and so on and so forth. Right?

So the foundation has to be continuously updated identity layer, which understands the context. It’s building those relationship graphs so that you can really ask the questions about does this agent have access? How did it get the access?

And what it can do within the ecosystem? What can it ultimately reach within the ecosystem? Right? That’s the inheritance chain that we need to focus on.

So with this graph, the operational model by itself fully changes. This real time component becomes extremely critical because agents by itself are dynamic in nature. Right? So having dynamic agents and real time is the is the recipe for you to have any kind of discipline or AI governance or, you know, just your blast radius, like, bringing that down from a security standpoint.

You need something that’s scalable. You need something that understands the context. You need something that’s real time. Right?

That’s the most important piece. We need something that’s within seconds and and not services that were quarterly in nature because that becomes more reactive than proactive.

It does. Now this is it’s exciting and it’s interesting, and it’s so detailed, nuanced, multilayered. And so I wanna take a moment to encourage the audience to use the chat feature. If you haven’t already, please turn to the chat.

Add your questions, because I think we all have a lot of questions and we could discuss this for hours and hours. But let’s go back to Doctor. Herder. Building on what Akshay was saying, where does the cryptographic trust fit on top of this foundation?

You know, that’s actually, that’s a fantastic segue, because one of the things that sort of happens when we talk about, oh, we need this global worldwide network of identities and whatever, and that sounds just incredibly daunting and impossible.

But I would actually argue that this is a problem that we have faced before, exactly with what Andy and what Akshay were saying. And then from the networking perspective, we had small networks that had sort of peer to peer trust just based on the fact that they were co located in the same building. And then we needed to scale that up to the entire world wide web, but we needed to maintain that trust. And the ultimate way that we did that was using TLS.

When I go to Google dot com, I know that I’m on their website, even though their server is being hosted halfway across the country in a data center that I don’t even know about. And this is done through this asymmetric cryptography. And so I would view that what the current transition that we’re facing to go from these individual silos of federation to this global, you know, global identity network that asserts identity across these federation boundaries as the similar problem is transitioning from local networks to a global worldwide web. And so effectively what we need is we need TLS, but we need it for people.

And Mandy, going back to your point, humans need to be at the center of this, and the reason for this is that trust is not founded in some abstract algorithm. Trust is always based in something physical. Trust is based in a hardware security module somewhere. It’s based in a company.

But most of the time it’s based in the humans. It’s based in us. We are the foundations of trust on the internet. And so we need a mechanism by which we can scale human trust up through our AI agents that are operating on our behalf to work across the entire internet.

And that, in my opinion, is really one of the core problems here. So just envisioning what does it take to operate TLS for people at scale. Number one, it’s exactly what Andy said. We can’t completely rip and replace the entire identity infrastructure.

They’re already way really far behind. We need to meet the customer where they are.

They have fifty different federated identity systems. It’s not their job to then go in and do a massive internal identity transformation to make it work with the newest and greatest shiny thing. We need to be able to operate exactly with whatever directories they have. And I think that that’s one of the really great benefits of what Radiant does, which is exactly that.

They’re not going in and saying, hey, you need to take out your intro, your active directory, your octree, your ping. We’re gonna sit on top of it. We’re gonna write on top of it and create this virtualized directory that then allows you to then reason about identities across these federation boundaries. So that’s one of the critical components is being able to meet the customer where they are and be able to connect those identities in this unifying way.

And then the other piece of this is to be able to have an actual credential, a human shaped credential that allows me to go in and assert my identity across these different federation boundaries. So it’s easy for me to authenticate to my Microsoft Intra because it owns my identity. It knows who I am, I registered with it. But if I’m going in and authenticating to some other company’s directory, they don’t know who I am.

So how can they actually go back and do this? And the way that you end up having to do it is I need to be able to have a cryptographic key that then asserts my identity that has a trust chain up to my system. It’s TLS, but it’s for people. And this is really the core of what Badge really, we’re really focused on is to be able to solve the cryptography and the key management problems that come with that.

And that’s the other reason why we’re so excited to be partnered with Radiant Logic, because I think between the two of us, we actually have a path forward towards addressing some of these huge, big, hairy problems that are coming down the pipe and that we need to solve right now.

Yeah. So just to add on to that, Mandy. Right? The partnership was critical because I think we uniquely solve two problems.

Right? So the unified identity graph becomes the foundation for visibility, and the cryptography kinda layers on top to just become that trusted layer that strengthens the assurance, and that becomes the foundation for assurance. Once we know the relationships, we still need to prove the identity, verify delegation, protect integrity, and establish trust in action agents really take. Right?

So I would frame it this way. Right? The graph tells us what exact exists and how it is connected. Cryptography trusts helps to prove that these identities, credentials, and actions are authentic and trustworthy.

So you need both. Right?

Connecting identity intelligence underneath and verifiable trust on top. That creates a really phenomenal marriage, be very honest, a long lasting marriage. So, you know, we’re we’re very excited, Mandy. The way we look at this problem together is very unique from you know, you can call it the on behalf of Flow. You can call it the inheritance chain that you hand over, but that trust factor and the assurance factor on top of the inheritance chain is is really the way to solve for some of these challenges that we’re facing in the genetic space.

Yeah. I do find this very fascinating, and I’ll share a little bit more on my background. A number of years ago, how I came to be around this industry and this world a little bit more was looking at how you could take the totality of an individual and numerically reduce it to a mathematical quotient of integrity. And that that integrity would then unlock access to certain levels of data. So looking at this, I’m like, this is comforting to me to hear that this is where we are moving, like what Badge is doing. Being able to allow that that human is still what is the I don’t know why I wanna say token here because it’s not that the human is the token.

You’re not wrong.

You’re not wrong.

You’re actually thinking of it in the right way. We need the human to be the root of trust. And this is really hard because humans are fuzzy, analog, fallible human beings and cryptography is this infinitely precise mathematics. And you need to be able to blend those two things together.

And that turns out to be a really hard problem, which is what I got my PhD in and all that’s really fun. But basically, yeah, no, that’s the critical piece is going that last mile to being able to make, turn all of the fuzziness and analog into something that’s a stable cryptographic key that then can be used as a part of these very high scale, very high assurance identity networks that then can actually be scaled out to the global system. And that’s exactly what I’m personally passionate about and what we’re doing at Badge, because I think it solves this huge number of hard downstream problems.

But to Akshay’s point, in order for that key to have meaning in a larger context, I need to be able to map my identity and create this graph of who am I within the context of this particular federated system, but then be able to share that across these federation boundaries using a virtualized system. And so, yeah, it’s exactly like, just to echo what Akshay is saying, I really think that this is a very sort of hand in glove partnership that allows us to really leverage both of our strengths to tackle what I think both of us believe is a really important problem to solve.

Not just from like an enterprise perspective, but just frankly from a future of humanity perspective. This is a problem that needs to be solved. Otherwise, we will not be able to reap the benefits of artificial intelligence. And I think that there is a there is a likelihood that you end up in a bad spot because AIs are indistinguishable from people.

True. Now Andy, thinking about anything that has been brought up so far, is there any portion that you would want to have already had in the past?

The absolute trust at the person level is a problem that every organization struggles with.

We see it, for example, whenever we onboard to a new organization.

That how do you know that the individual who is interviewing for a job is the person who they say they are? How do we know that the person who’s showing up on that first day of work is the person who interviewed for the job who originally applied for the job on back. And I can go on and give you example after example after example, where that human trust factor becomes really critical. It becomes even more critical when you start talking about outside of the boundaries of a single enterprise.

Because then trust is now something, and I think we used the term actually used the term earlier, transitive trust. That’s kind of the the realm where we’re going into is into this idea that trust is a transitive thing. We’ve talked today about human to agent being one of those elements of transitive trust, but it also extends organization to organization, person to person. We have all kinds of transitive trust relationships.

The thing that I keep struggling with is as things continue to accelerate I’m going back, actually, to what you said earlier about this squeezing down to seconds and ultimately microseconds. Making authorization decisions is not something that is going that that can be done after the fact. It’s going to be something that has to happen in the instant. Dynamic authorization is the only way that this scales as we go forward.

And then I’m gonna add one more thing to this discussion, and that is intent. How do we evaluate the intent of what’s being done? Because that authorization decision is not simply based on who I am.

It’s not, you know, because my identity, even if it’s authorized cryptographically, has attributes associated with it that can determine some things, but it cannot determine what my intent is.

And so that becomes the next horizon that that concerns me is how do we move from static authorization to dynamic authorization to intent based authorization.

And so I’m waiting for the next batch of PhDs, Charles, to come and solve that problem because that’s the next horizon from my perspective.

Without going minority report on it. Right?

That’s you’re right, Mandy. Like the point is is that anything that’s evaluating human authorization and human intent has to be baked, has to have a privacy layer baked in. Because if I have big brother who is the person evaluating my intent, that works. But ultimately, that’s a problem.

The way I would phrase it is that it doesn’t scale. If you’re trying to operate this as a global network, even ignoring all the privacy impacts, what that means is that single authorization engine that has access to all these informations and decisions effectively has infinite concentration of value as a part of it, and what that means is that hackers have an effectively infinite incentive to break that system. So in order to basically deal with that massive concentration of authorization power, the best way to think about this is through basically, it’s principle of least privilege. It’s exactly that.

It’s just making sure that the authorization decisions are not wholly centralized, that they live with either the people who are authorizing them or with the resource owners that actually own the actual resources. But that’s one of the big problems that we’re facing with your AI agents is that AIs themselves are concentrating the privilege that is being required of them because a whole bunch of people are interacting with a single AI agent that then is operating on all of those people’s behalf is this concentration. And this exactly goes back to Andy’s point of the reason why dynamic authorization is required.

If you try and do something static in that environment, you’re gonna have to, you know, authorize the superset of all possible actions, and that becomes a god service, which is, you know, from security perspective, untenable.

Yeah. Just to add to Charles and Andy’s point, right, there’s also a user experience part of this. Right? Like, if you look at an application, you know, you could provide basically birthright provisioning.

Right? Hey. This is what the user’s role is. This is what the user can access.

But agents in general are built to be dynamic, built to serve different problems based on the intent that Andy was speaking of, right, Which means the authorization for the agents are also gonna be dynamic. And the focus always has to be least privileged to Charles’ point. Right? When you create the agent, give it zero standing privileges.

It has nothing but what it can do, right, from a Lambda function as an example, right, that that gets associated with the agent. But it shouldn’t really have any authorization principles. It should adopt those authorization principles from the human as a verified credential and kinda go through the on behalf of Flow. And doing that, really, the agent understands intent.

The agent understands context. And the agent can be a lot more better when it comes to user experience because a financial adviser asking for financial questions, the agent now knows that it’s a financial adviser. So it goes to a SAP financial system to get financial data instead of going to Salesforce to get financial data, which is basically data that a salesperson would go access. Right?

Just giving you an example. Right? So understanding intent is critical, and that allows dynamic authorization as well. So, definitely a problem statement that we need to focus on and put all of our brains in and and solve for a better user experience, in general.

And productivity for an agent becomes critical because these are expensive resources. If you look at an agent, they are expensive. When you deploy it, when you run it, when you invoke it, they are very, very expensive. So you wanna make sure that they are productive in nature.

They bring value to the ecosystem. Users tend to use it much more than basically drop it. Right? You want you want folks to use it.

So speaking about that, like, right now, let’s say that we have one of our fantastic audience members that adopts what RadiantLogic and Badge is presenting.

And they are able to use this unified identity data layer. And I really want to key in on the relationship graph that you mentioned. Does that relationship graph utility allow for identifying intent at this point? And or what other items does it allow?

So the graph and I’ll take a stab at this and Charles and Andy. Right? So the graph by itself becomes the strategic foundation. Right?

Because what an intent is is basically based on the context that the human user already has adopted. And that context comes through the inheritance chain. And if an agent has access to the inheritance chain, the dynamic authorization becomes a lot more seamless. Right?

There are a couple of outcomes by building that foundation, right, and providing or passing that back to an agent. You definitely get better security outcomes because you exactly know what access decisions you wanna pass to the agent. So it reduces excessive access. In it inherited inherits the privileges.

It reduces orphan accounts. So from a security standpoint, the outcomes are phenomenal. Right? The second piece that is extremely important is faster and safer operation.

Right? It’s extremely important that context kind of feeds into intent. Intent feeds into making sure that the user gets access to a system, and they’re able to actually be productive with the agent that they’re using and leveraging.

And most importantly, as security owners, governance and compliance becomes extremely critical. Right?

Evidence is that you wanna present to your auditors. If you have a full inheritance chain, it becomes a lot more easier, including the intent with which the user operated it. Right? And businesses want to adopt agents.

And most often, there’s a there’s a bad name on the street that identity teams might have been the bottleneck in the past. And we don’t wanna carry forward that. Right? We wanna allow businesses to adopt agents.

If the business says, hey. I want each and every team to show automation, we wanna allow that. And, quite honestly, if we have a better security framework for adoption, AI agent adoption is gonna be a lot more faster. So it’s critical that everybody builds that identity foundation that gives you that inheritance chain or access to that inheritance chain.

It’s a long term benefit, basically. It reduces risk and allows for business operation.

True note, doctor Herder, I noticed some of your facial expressions, and I feel like you have something to add in here.

I just no. Akshay is exactly on point, and I think the the intent based derivation is super interesting and I think is incredibly important as a part of the identity graph because gleaning intent, intent comes from context.

I’m accessing this particular dataset, but the context tells us who I am, why I’m doing this, am I coming in from this other system? And that gives us color as to what is actually going on and why this particular transaction is happening in the way that it is. And really, one of the key benefits and values that I see as a part of our, as Radiant especially giving here is that the more color that you can bring to bear on a given action based on its context, the more you can narrow down exactly what is meant by intent. Because I think intent here can mean sort of two different things.

It can mean the, what am I explicitly trying to do? Like I’m trying to access this particular row of a database, versus what am I actually trying to do? I’m trying to compute this year’s financial numbers numbers for a report that I have in an hour. The latter is much more business focused and much more fuzzy.

The former is much more concrete and actionable. And so I think that what this global network of identity and all these different relationships allows us to do is to not just look at the concrete I’m trying to access this particular data set, but also all of the different contextual information around that which gets towards the more human definition of what intent means, which is what am I actually trying to do?

Akshay, am I fairly representing

No.

What you’re saying there? It also goes down, Mandy, to what department does this human belong to. Right? If it’s an employee.

Right? You you wanna like I said, like, a sales workforce should be treated by an agent differently than a financial workforce. Right? So understanding the department, understanding the human elements, understanding ownership, everything becomes critical.

Right? So that’s why the human context is important. The nonhuman context is important. The agent context is important.

And all of this irreversibly will deliver good, you know, context about the intent of the user. And that becomes more personalized when the user is actually action actioning on that agent, right, and using that agent and so on and so forth.

I would say in some ways, the the the quest for role based access a generation ago, it feels like a generation ago, was a form of intent based access. Right? If I say that someone is an AP analyst, then the intent is that they’re going to be looking at billings from their suppliers. They’re going to be evaluating the appropriateness of those billings, and they’re going to be authorizing payment, Right?

Those are the things that are inherent in the role of being an AP analyst. So my intent is tied to that particular element. If I try to do something outside of the realm of that role, then the intent should come into question. And so we looked to kind of create roles that reflected that.

But again, that was a pretty manual activity. Even with tools, building those was fairly difficult to do.

As we go forward, it’s going to have to become, especially as we think about agents that are out there doing actions on behalf of someone who is, for example, that AP analyst, that agent then needs to carry that intent forward. You can’t necessarily give it the same role as the person, but you can carry the intent of that role forward with the agent to say, it appropriate or is it not to access, for example, supplier files?

The answer would be yes because the intent is I’m doing an AP specific activity.

No. Hundred percent. And there’s also the concept of risky inheritance. Right? To Andy’s point, you wanna be able to protect the toxic combinations of access that you create as a dynamic authorization and pass it back to an agent.

Right? For example, the agent should not be able to, place an order and pay for the order as well. Right? So there those are two two actions that you wanna segregate.

You don’t want the same agent to be doing both. Right? That’s that’s very, very risky from an organizational standpoint. So, there’s all of that context as well, that allows for intent classification.

And, you know, in in all words that Andy and Charles have said, it it’s basically the dynamic authorization in real time that we might be able to create.

So we are up against time, and I’m going to ask each of you to bring up three to five words of what you see as concrete strategic benefits for organizations that adopt a unified identity fabric at this time versus organizations that continue to try to use bolt on afterthought or traditional credential situations. You think of those words, and I’m going to wrap up for our audience that thank you for joining us. Please make sure to reach out to Radiant Logic or to Badge for additional information.

Take full advantage of the resources that have been provided. And for myself, on behalf of SC Media and the Security Weekly family of shows, feel free to reach out. If you see me at any conferences or anywhere, always enjoyed speaking and getting to know more.

Do that now. I will go let’s see. Akshay, give me three to five words. What are the benefits?

I would say a real time anomaly detection from misconfiguration standpoint is critical. I would say this creates more of a proactive versus reactive governance, and that becomes critical.

And most often most importantly, the authorization, you wanna make that as dynamic as possible in real time as possible, as verifiable as possible so we know what the intent is. We know what the context is. We know what the agent is doing within the ecosystem, and you know how to control them because this inheritance chain is about to become uncontrollable. Right? So let’s all take back control. That’s my final statement, Natalie.

Perfect. Andy, I’ll turn to you.

Full visibility creates better decisions.

There you go. Gorgeous. And Doctor Herder?

I would say that basically, you have ephemeral credentials that create zero transcending trust, and that allows you scale and agility.

Nice. Agility is always fantastic. Okay, so thank you all for joining us. Thank you to Akshay, Andy and Doctor Herder. And that’s a wrap. We got to get this chaos of the three identity problem handled. Let’s go for it.

Awesome, thanks. Thanks.