What happens when security teams inherit identity

At the Span Cyber Security Arena conference, I sat down with Eric Woodruff, Chief Identity Architect at Semperis, to talk about how organizations perceive identity and the challenges those perceptions create for security.

He shared his perspective on where organizations struggle with identity, why identity platforms can become difficult to manage, how phishing-resistant authentication is viewed in practice, and what non-human identities and AI could mean for security.

Most boards still treat identity as an IT hygiene problem rather than a strategic risk category. What changes that conversation in your experience?

I think a lot of organizations still treat identity as an IT problem. Unfortunately, many times in organizations I’ve worked with, that conversation changes after there has been a security incident. Then identity starts being treated differently. Instead of something proactive, it becomes reactive.

At the same time, I think the culture is changing. I’ve seen some security teams say that the Active Directory or Entra team should be part of the security team. With that, the culture and perspective around identity start to change.

So it’s a mix. Unfortunately, it’s still mostly organizations that have experienced an incident, but there are also organizations where people attend talks, read articles, and start understanding the risks behind identity. Their perspective changes.

I think it is improving, although not as quickly as I’d like. Especially over the last five or six years, as COVID pushed more people into remote work, it shifted some security priorities around identity and made organizations more aware.

Where do identity platforms most often overpromise and underdeliver in real enterprise environments?

I think they’re really complex. Part of the issue a lot of organizations have is that the identity person isn’t just the identity person. It can easily be a full-time job.

You’ll see huge enterprises that can staff that, but in small and medium-sized businesses, it can be all over the place. People become a jack-of-all-trades. They’re managing server infrastructure and other things, or if they’re part of the security team, they may be doing other roles as well.

The platforms themselves are not easy. The standards aren’t easy to understand, and despite having portals and setup wizards to help walk you through the process, they still tend to lean more toward usability rather than security by default.

I think that’s the biggest problem. You need to know a lot to properly secure these environments, and a lot of organizations don’t have the time or money to invest in the people needed to do that.

I’ve also seen situations where a security team owns identity. Identity systems sit somewhere between IT and security, and a lot of security people are used to working behind the scenes without interacting with end users.

Identity is different because it’s one of the only areas where you usually have to deal with end users frequently, which makes it more similar to an IT role. I’ve also seen situations where security teams adjust things within the identity platform without realizing that identity works differently, and mistakes can happen.

What is one widely accepted identity practice you think the industry has wrong?

I would probably say it’s the idea that going phishing-resistant and using things like passkeys and similar technologies is difficult.

I notice that many enterprises of all sizes don’t necessarily want to move toward something phishing-resistant, either because they’re worried that it’s going to confuse end users or because, from a security perspective, they’ll say, “Unless it can solve 100% of our challenges, we’re not going to roll any of it out.”

I think there are two things wrong with that approach. Organizations need to look at it differently. If we can go phishing-resistant with passkeys and technologies like Windows Hello for Business for 90% of our users, then that’s 90% of our users who aren’t going to be phished.

I also think people underestimate users. If it takes an end user five to ten minutes to set something up and it’s a one-time process, I think end users are more willing to deal with it than we think.

You can see that with consumer applications like Amazon. When they ask users to enroll in MFA or set up a passkey, they don’t necessarily give users much of a choice, and people just deal with it.

I think the problem is not realizing that people are more flexible than we think. That’s the main problem.

Do you think that will improve? What are your thoughts on the future of that?

I don’t know. It’s funny because I remember six or seven years ago going into organizations and helping them roll out more traditional types of MFA, and you’d see the same problem. Organizations would worry that everyone was going to be upset, and then nothing would happen.

It’s almost like nobody learned because now, only about six years later, we’re trying to do something very similar again.

You got everyone to do this once already, and while there are always a few people who complain, people generally don’t like change, especially in the beginning when they don’t understand something or think it’s complicated. They naturally have some resistance.

I also think security teams could do a better job helping end users understand why these changes are important. A lot of times, security teams either don’t tell users why they need to do something at all, or they provide explanations that are too technical.

End users don’t necessarily need to understand everything threat actors are doing. They just need to understand the danger and what the worst-case outcome could be.

I think when people understand what could happen if protections aren’t put in place, they’re more likely to understand why these changes matter. Systems could be compromised, or losses could be significant for the company and for the individual.

You’ll often see employees thinking, “It won’t happen to me,” or “I’m nobody in the company.”

In those situations, it can help to look at examples in the news. Unfortunately, you can probably find stories about someone in finance or another employee being phished or compromised, and those examples help make the risk feel more real.

Agentic AI is moving faster than the rules meant to govern it. How do you give an autonomous agent an identity, control what it can do, and track its actions on behalf of a human?

That’s a good question. Unfortunately, I’d say most agentic systems right now are still designed to act on behalf of the person.

There has been a lot of work around systems like Agent ID to build these capabilities, but right now they’re still very vendor-specific. If your agentic system doesn’t integrate directly with them, you basically can’t use them.

I think the real problem is that those systems inherently want to get the job done. Out of the box, they naturally lean toward acting as you.

There also aren’t many guardrails in place that force the use of non-human identities. Even if you create non-human identities, the systems don’t necessarily use them.

I was making this point recently in a discussion around NHIs. The idea was, “If we issue NHIs, people can use them with cloud-based tools.” That sounds great, but I can still simply tell the system, “I don’t want to do it that way,” and it will often respond with, “Of course, I’ll just do whatever you want.”

People will try to create guardrails around these systems, but ultimately, if you tell the AI you want something done differently, it will often follow that instruction.

I think controlling agentic systems is definitely an identity problem, and the identity industry is trying to solve it.

In the short term, though, the answer is probably more around endpoint controls and other restrictions. You can limit what people can do on their work devices and also make sure they aren’t overly permissioned within the systems they’re accessing.

We’ve already seen examples in the news where someone used AI and accidentally deleted a database or caused other problems.

So I don’t think that completely answers the question, but for now, until we have better standards for non-human identities that work more seamlessly with agentic systems, the short-term fix is controlling what users can do on their work devices and making sure they don’t have overly broad permissions.

What is your opinion on all this AI? From a cybersecurity perspective, is it dangerous? Will cybercriminals benefit from it?

I’d say when models like Mythos came out, there were people who completely freaked out and people who said it wasn’t a big deal. I’d probably fall more into the “not a big deal” camp. I’m not saying people shouldn’t be concerned, but I think a lot of it is marketing because existing AI models can already be pushed into doing things they probably shouldn’t do.

Even in security research, I’ll use existing AI models and sometimes ask them to emulate a threat actor because I want to understand how to defend against something. Suddenly, the model will start walking through an attack and then basically say, “Please don’t use this for anything bad,” before continuing.

AI is also interesting because more things are moving toward consumption-based usage models, and I wonder what impact that will have on threat actors. I’ve seen people say, “I was paying $20 a month for Codex, and now it’s going to cost me $2,000 a month.” Obviously, costs could also affect threat actors if they have to spend significantly more money to use these systems.

Things are changing all the time, and I still think it’s difficult to measure how much of a negative impact AI will ultimately have. I think some of the stories about threat actors simply telling AI to attack people are exaggerated.

I’m not saying people shouldn’t be concerned, but I think it’s still too early to tell. It’s also very easy to market fear around these technologies.

What does the role of a Chief Identity Architect look like five years out, and what skills are you hiring for now that didn’t exist on the job description three years ago?

I’d say you don’t necessarily see a lot of Chief Identity Architects. At least for us, this role is somewhat unique within the company.

Ian Glazer, who is well known in identity, has talked about the Chief Identity Officer role. You could say I’m maybe aspiring toward that type of role.

Ultimately, the point of a Chief Identity Officer or Chief Identity Architect role goes back to what we discussed earlier about where identity belongs. Identity doesn’t necessarily fit completely within IT or security. It occupies a space somewhere between the two.

In general, if you’re an identity architect, you need to understand a lot from the SOC side of an organization. You also need to understand a lot of things on the IT side and even areas you probably wish you didn’t have to know, like device management and related technologies, because many of the signals from different systems ultimately feed into identity security systems.

I’d say it’s difficult right now, and looking toward the future, many identity professionals used to come from system administration backgrounds. Now, many people coming out of universities have cybersecurity degrees, but there’s often very little focus on identity within those programs, and sometimes that becomes noticeable.

Organizations need to take identity more seriously. I don’t think every organization necessarily needs a Chief Identity Architect, but most organizations should have some type of identity architect or identity engineer and try to find people who have an identity background.

Whether that’s someone who has managed Active Directory or someone who has been working with Entra or Okta long enough, the background matters.

I think the skill set itself will probably remain similar to what it is today, which means understanding a broad range of technologies and systems.

I would say identity professionals also need to learn AI, whether they want to or not. I was probably not very interested in interacting with AI initially, but eventually you start getting questions about non-human identities, agentic AI, and how to secure them.

At a minimum, you need to catch up with it. A lot of times, for me, it’s about using the systems directly because that kind of hands-on learning is usually the fastest way to understand it.

Whether you like it or not, you need to understand it.