Once the transition to the cloud became dominant, identity took precedence over permission to access apps and data.
When data centers were down the hall, one could have physical access to a room and sign-on permission. The hybrid cloud, private clouds, and an interest in “alternative clouds” make identity the keystone of modern computing.
Companies like Okta, Ping, and SailPoint work in identity and access management but rely on services that can provide federated identity.
The Federal Tech Podcast sat down with Dr. John Pritchard, the CEO of Radiant Logic, to learn that Radiant does not compete with these well-known vendors but provides the backbone for their service.
Hey, John Gilroy here. In 1978, an English rock band released an album called “Who Are You?” Today, we’re applying “who are you” to the federal government. Hit the music, Manny.
Welcome to the Federal Tech Podcast, the show that connects you to federal technology leaders. I’m John Gilroy, your moderator. Our guest today is John Pritchard, CEO of Radiant Logic. I opened with rock and roll because identity really comes down to “who are you?”
I love it, John, and thanks for having me.
Let’s stay with that “gold standard” theme. In rock and roll, some say it’s the Beatles. In tech, many would say Microsoft Active Directory. Is Active Directory the right place to start when we talk about identity in the federal government?
I don’t think you can talk about identity without talking about Active Directory.
I agree. I studied it years ago, and many principles still apply. For listeners, can you briefly explain what you mean, and touch on LDAP and why it’s so valuable?
In the federal space, every agency has a distinct mission, and over time they’ve adopted different technologies. So Interior, Energy, and DoD all have specialized identity and HR systems. That’s similar to the commercial world: there’s no single dominant technology, just lots of identity silos.
The history helps explain this. Early in the Cold War, we centralized around mainframes, which drove a centralized identity model. In the 70s and 80s, PCs drove decentralization and departmental systems. LDAP became the standard protocol, and local directories appeared inside departments.
Around 2000, we centralized again as Windows and Office dominated. Active Directory emerged to give Windows environments a central way to do authentication and authorization. In the early 2000s, web services and APIs pushed another decentralization, especially for nonhuman actors—machines talking through API gateways. Around 2011, government leaned into cloud; Okta appeared, Microsoft introduced Azure Active Directory, and AWS became a major player. Later in the 2010s, we saw more decentralization with single sign-on and, more recently, decentralized identity and blockchain concepts.
Across those waves of centralization and decentralization, agencies rarely had the chance to fully retire older systems, so identity sprawl is now the norm.
I’ve lived through most of that, and it’s a great 30-year perspective. You’d think IBM would have dominated, but Microsoft’s decentralization wave had more impact than many realized.
Concepts from 20–30 years ago still apply under the banner of continuous improvement. We usually think of that in software, but it also applies to identity, right?
Absolutely. There’s a growing focus on “identity hygiene”—an acknowledgment that sprawl is pervasive in both federal and commercial organizations. To improve hygiene, you clean up identity data and configuration issues. You’ll hear the term “identity security posture management” for this approach.
Typically, it works in phases: first you discover where all your identity silos are, then you inventory human and nonhuman accounts, then you evaluate risks and configurations. Many organizations have nonhuman identities with no clear owner—service or system accounts created during an installation that now automate critical processes but sit outside normal access reviews. They don’t go through the same entitlement validation as human users, which makes them hard to manage as organizations mature.
In the 90s, a small law firm might have a couple of servers down the hall; that was easy to manage. Now agencies have layers of federated systems, shadow IT, and cloud services—very hard to get a handle on. Where does Radiant Logic fit in helping the federal government manage this?
We’re an identity security company focused on solving identity sprawl and the cost and risk of poor identity hygiene, with a data-centric approach. We look at identity security posture management through three lenses.
First is discovery and understanding: accounting for all the places identity data lives—directories, multiple Active Directories, HR systems, training systems, and more. An employee’s full profile often lives in many systems. We unify that into a single, trusted source of truth and then apply data science techniques to spot misconfigurations, such as over-entitled accounts.
For example, someone who’s been in the organization for years may have accumulated access they no longer need. Over-entitled accounts are attractive targets for attackers, who look for under-managed identities they can compromise. We help organizations clean those up with analytics and then monitor in real time so new risks or data don’t creep back in.
When I walk around Washington, I see pillars everywhere, and in cyber discussions we always hear about the pillars of zero trust. Identity is always the first one. Talk about the CISA Zero Trust Maturity Model and identity’s role as the first pillar.
The CISA model defines pillars like identity, devices, and networks, plus maturity stages in each. It’s significant that identity is first, because none of the other pillars work without it.
Zero trust recognizes that we no longer have a simple network perimeter. Single sign-on, remote work, and coalition operations—like NATO exercises or multi-agency defense missions—require sharing with “friendly” organizations while still blocking unintended access. The principle is that every attempt to access a resource is untrusted; we verify every time and apply least privilege and just-in-time access.
Identity is foundational for that. Every system making an authentication decision (“are you who you say you are?”) or authorization decision (“are you allowed to do this?”) needs a reliable identity profile. The underlying identity data is critical for those decisions.
On your website I saw the phrase “hygiene remediation workflows.” I’m used to seeing workflows on whiteboards for software processes, but not usually for identity. What kind of workflow is involved?
There are several, but around hygiene we use the phrase “get clean and stay clean.” Organizations are complex and full of blind spots—silos or accounts you can’t see clearly. Those blind spots create risk.
A hygiene remediation workflow is the cleaning process: finding the account, analyzing over-entitlements, confirming ownership, and tightening group memberships. For example, you might have a group meant to give everyone in a department the same access, but in practice each person has exceptions. Those groups can become unwieldy, and many don’t have clear owners. That’s a common source of over-entitlement, and remediation workflows are designed to identify and correct those issues.
In our prep call, I asked if you compete with Okta and Ping, and you said you work with them. So you’re really focused on clean identity data and can partner with tools like Okta and Ping to achieve that, right?
Exactly. We’re a unified, single source of truth—a data layer in large architectures. This aligns with the NIST Zero Trust reference architecture from the National Cybersecurity Center of Excellence, which calls for a shared, centralized identity data source supporting access management, privileged access, and identity governance systems.
It makes sense: organizations invest heavily in tools like Okta, Ping, and endpoint systems like CrowdStrike. They all make decisions based on identity data and policy. The data enables those decisions, so you want it to be as trusted as possible. That’s the role we play.
If you claim to be the single source of truth, people will ask how you keep that data safe and trustworthy.
Every organization models how its data is ingested, correlated, and staged. Many identity systems—whether for SSO or provisioning—assume that identity data is already in one place. They’re not designed for complex data correlation and synchronization across many systems. We handle that data work and then let organizations model how it’s shared.
To secure it, you can decide which data elements are visible to which systems and which are reserved for specific partners or coalitions. The modeling is crucial because identity data is so distributed and complex.
Radiant Logic clearly earned trust in the federal space.
We do have a long history there. The federal government is one of the largest, oldest, and most complex “organizations” on Earth. A commercial customer of mine says, “today’s innovation is tomorrow’s legacy.” Agencies adopt what seems like game-changing technology, then move on to the next innovation without fully retiring what came before. Over decades, that creates massive complexity.
We’ve mentioned data staging and orchestration. Let’s talk about the hybrid environments most agencies live in. I assume you integrate with hybrid environments in line with what an enterprise architect designs?
Yes. Hybrid environments are not just legacy—they’re operationally necessary. Agencies still have systems of record on-prem, and in defense scenarios you may need systems that work on ships or in maneuver units without constant cloud connectivity.
Hybrid setups add complexity: some systems are self-managed on-prem, some are cloud-based, and connectivity can be intermittent. You need synchronization, and we help solve the data side of that. Hybrid has enabled automation and scale, but it’s also increased identity sprawl, especially nonhuman identities.
Service and system accounts—identities for automated processes like scanning data or running payroll—have exploded with hybrid cloud. They need identities to access resources, and their numbers have grown dramatically. Many were created during application installs, and the teams behind them are long gone. Without clear owners, they’re often outside normal access reviews. Hybrid cloud amplifies this risk.
Listeners walking the dog or at the gym may want to learn more about Radiant Logic. Is there a white paper you recommend?
Yes. We have a piece on real-time identity observability that explains our approach to identity security posture management and hygiene in real time. I’ll give you a link for your podcast site so listeners can download it.
Great. Go to federaltechpodcast.com, look up Radiant Logic, and I’ll put that link in the show notes.
John, I really appreciate the time.
You’ve been listening to the Federal Tech Podcast with John Gilroy. I’d like to thank my guest, John Pritchard, CEO of Radiant Logic.