1 hour 11 minutes
#424 - IDAC Mailbag for May 2026
Jeff and Jim are back with the May 2026 mailbag, answering listener questions from Amsterdam, Mumbai, Austin, and Berlin. Topics include navigating IAM vendor acquisitions, defending against AI deepfakes in remote onboarding, governing contractor and third-party identities, fixing the leaver process in IGA, and tackling a decade of IAM technical debt. The episode closes with unpopular industry opinions: why RFPs are procurement theater, why rip and replace should be normalized, and why one-throat-to-choke vendor thinking usually backfires.
IDPro new member discount: https://idpro.org/idac/
Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at http://idacpodcast.com
CHAPTER TIMESTAMPS
00:00 Intro and SNL nostalgia
03:25 AI model roundup: ChatGPT, Claude, Gemini, and usage limits
10:16 Identiverse 2026 and IDPro member discount
14:53 Q1: Navigating vendor acquisitions (Isabelle, Amsterdam)
24:00 Q2: AI deepfakes in identity verification (Rajan, Mumbai)
32:32 Q3: Contractor and third-party identity governance (Caleb, Austin)
43:00 Q4: The leaver process and IGA scope gaps (Anonymous)
51:10 Q5: Tackling IAM technical debt (Tomas, Berlin)
57:00 Normalizing rip and replace
01:01:00 RFPs, one throat to choke, and other hot takes
01:08:00 Wrap-up
KEYWORDS
IAM, identity governance, IGA, vendor consolidation, acquisitions, deepfakes, identity verification, contractor management, non-employee identity, technical debt, rip and replace, RFP, joiner mover leaver, leaver process, Identiverse 2026, IDPro, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald
25 May 2026, 9:00 am - 1 hour 1 minute
#423 - The Middle Market Identity Security Gap with Robert Snodgrass
Jeff and Jim welcome back Robert Snodgrass, Principal at RSM, for a deep dive into the RSM Middle Market Business Index cybersecurity report. The conversation covers the confidence gap facing middle market organizations, why digital identity remains undervalued despite being the primary attack surface, non-human identity governance, flat cybersecurity budgets, risk framework adoption, and what good incident response preparedness actually looks like. The episode wraps with a spirited Bitcoin Pizza Day toppings debate.
Connect with Robert: https://www.linkedin.com/in/robert-snodgrass-7a199412/
Review the RSM US Middle Market Business Index Special Report on Cybersecurity 2026: https://rsmus.com/middle-market/cybersecurity-mmbi.html?cmpid=ola:45559-idac:bb01
TIMESTAMPS
00:00:00 Introduction and Scattered Spider social engineering discussion
00:04:00 IDPro discount code and upcoming conferences
00:06:26 Guest intro: Robert Snodgrass and the MMBI report
00:09:05 Defining the modern middle market
00:12:00 The confidence gap: 96% confident, 18% breached
00:15:04 Why attackers log in and top identity investment priorities
00:19:00 Why only 23% of leaders prioritize digital identity
00:22:00 Internal partnerships as the path to identity program success
00:25:10 AI, shadow AI, and non-human identity risks
00:31:00 NHI governance at scale: 45 to 1 ratio
00:34:50 Cybersecurity budget realities in the middle market
00:39:00 EU regulation and top-line cybersecurity drivers
00:42:03 NIST CSF adoption and risk framework value
00:46:00 Incident response planning: the two-minute drill
00:52:16 Bitcoin Pizza Day and closing thoughts
KEYWORDS
identity security, middle market, cybersecurity, MMBI, RSM, Robert Snodgrass, phishing-resistant MFA, non-human identities, NHI, shadow AI, incident response, NIST CSF, IAM, identity governance, ransomware, tabletop exercises, digital identity, cybersecurity budget, identity program, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald
18 May 2026, 9:00 am - 1 hour 18 minutes
#422 - Decoded - Securing AI Agents with Standards You Already Have
Episode 422 is the debut of Decoded by Identity at the Center, a new sub-series hosted by Jeff Steadman and Sean O'Dell dedicated to unpacking the specifications and standards powering IAM. Joining them is Pieter Kasselman, VP of Open Standards at Defakto and chair of the WIMSE working group. The conversation covers why traditional non-human identity approaches break at agentic scale, how SPIFFE and SPIRE enable short-lived automated credential provisioning without long-lived secrets, and why treating agents as workloads unlocks a decade of existing standards. Pieter walks through critical OAuth specs including JWT authorization grant, token exchange, client ID metadata, and the emerging transaction tokens draft. Sean connects these to practical gateway architecture, continuous access evaluation, and policy-based authorization. The episode closes with real-world deployment examples and a clear takeaway: the tools to secure agentic identity are available today.
Episode Links:
Pieter Kasselman: https://www.linkedin.com/in/pieter-kasselman-0259862/
AI Agent Authentication and Authorization: https://datatracker.ietf.org/doc/draft-klrc-aiagent-auth/
Workload Identity in Multi-system environments (WIMSE): https://ietf-wg-wimse.github.io/
OAuth SPIFFE Client Authentication: https://datatracker.ietf.org/doc/draft-ietf-oauth-spiffe-client-auth/
Transaction Tokens: https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/08/
Agentic Identity Control Framework. You Already Have the Pieces. Now Build It. by Sean O'Dell: https://www.linkedin.com/pulse/agentic-identity-control-framework-you-already-have-pieces-o-dell-61b5e/
Timestamps:
00:00 Introduction to Decoded by Identity at the Center
00:13 The mission of the Decoded sub-series
03:02 Guest intro: Pieter Kasselman, VP of Open Standards at Defakto
06:21 Why agentic identity is urgent: scale, multi-platform, and shifting threat landscape
10:42 The real cost of API keys and credential sprawl in agentic systems
13:23 Agentic identity identifiers and how SPIFFE assigns unique workload IDs
21:00 Credential types: X.509, JWTs, and workload identity tokens
31:00 Connecting SPIFFE to OAuth and dynamic registration with client ID metadata
38:18 SPIFFE SVIDs, multiple credentials per agent, and governance traceability
41:44 Authentication versus authorization: delegation versus impersonation
47:00 Transaction tokens: binding access to specific transactions to stop token theft
51:21 Identity chaining and cross-domain authorization
55:00 Shared Signals Framework and dynamic authorization
57:00 Gateways, CAEP, and mid-flight token revocation for rogue agents
59:31 What you can deploy today with SPIFFE, OAuth, and existing IDPs
01:02:58 Policy-based access control and why instance-level governance cannot scale
01:04:58 Workload identity federation: Anthropic and Google Agent ID updates
01:07:13 Cross-platform federation and the law of agentic utility
01:11:55 Elevator pitch: agents are workloads and 95% of the problem is solved now
01:17:03 What is coming next: a transaction tokens deep dive
Keywords:
agentic identity, SPIFFE, SPIRE, OAuth, transaction tokens, Shared Signals Framework, WIMSE, workload identity, non-human identity, authorization delegation, JWT, CAEP, API gateway, IAM standards, AIMS, Jeff Steadman, Sean O'Dell, Pieter Kasselman, IDAC, Identity at the Center, Jim McDonald, Decoded by Identity at the Center
Decoded by Identity at the Center:
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Sean O'Dell: https://www.linkedin.com/in/seanodentity/
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Visit the show on the web at https://idacdecoded.com/
15 May 2026, 9:00 am - 1 hour 10 minutes
#421 - The AI Identity Control Plane with Henrique Teixeira
Jeff and Jim welcome back Henrique Teixeira, SVP of Strategy at Saviynt, for his fourth appearance on the podcast. The episode opens with Jim's firsthand experience building an AI agent for a work project and discovering in real time how identity management challenges surface in the agentic era. After conference updates on EIC in Berlin and Identiverse in Las Vegas, Henrique unpacks the crowded terminology around AI agent governance, from Gartner's agent management platforms to UADP, the Unified Agentic Defense Platform. He proposes a three-pillar framework for managing AI and non-human identities: discovery, identity lifecycle and governance, and runtime access management, with guidance on where to start depending on whether your organization is greenfield or legacy-heavy. The conversation then examines how AI is reshaping the analyst business model, what makes information sources trustworthy, and how proprietary inquiry data forms the real competitive moat for firms like Gartner and Forrester. The episode closes with a wide-ranging discussion on AI's risk to shared cultural experiences, hyper-personalized entertainment, and the ethics of licensing your digital identity in the afterlife.
Connect with Henrique: https://www.linkedin.com/in/bernardes/
00:00:00 Intro
00:00:55 Jim's AI Agent Experiment and Identity Lessons
00:06:04 Conference News: EIC and Identiverse
00:07:22 Identity Beer Community Events
00:08:40 Introducing Henrique Teixeira
00:12:00 AI Control Plane: Competing Terminologies
00:17:36 Three Pillars of AI Agent Identity Management
00:18:46 Why Visibility Matters More for NHI
00:20:00 Ownership, Accountability, and Humans at the Control Plane
00:24:26 Industry Maturity and the Gaps That Remain
00:25:41 Where to Start: Governance-First vs. Visibility-First
00:29:52 AI's Impact on the Analyst Profession
00:34:57 What Analyst Firms Have That AI Cannot Replace
00:39:04 Trust, Boutique Analysts, and Repeatability
00:44:34 Proprietary AI Chatbots and Gated Intelligence
00:49:30 IP Rights and the Legal Gray Zone of AI Training
00:52:14 AI and the Erosion of Shared Cultural Experience
00:58:00 AI Music, Personalized Entertainment, and the Future of Art
01:03:47 Digital Afterlife, Voice Clones, and AI Personas
01:08:18 Wrap-Up and Closing
Keywords: IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Henrique Teixeira, Saviynt, AI identity control plane, non-human identities, NHI, agentic AI, AI agents, AI governance, identity lifecycle, access management, discovery, agent management platform, UADP, IAM, Gartner, analyst firms, AI and culture, digital identity, identity security, EIC, Identiverse, identity beer
11 May 2026, 9:00 am - 1 hour 13 minutes
#420 - Sponsor Spotlight - GitGuardian
This episode is made possible by GitGuardian. Jeff speaks with Dwayne McDaniel, Principal Developer Advocate at GitGuardian, about secrets sprawl, non-human identity governance, and the findings of the State of Secret Sprawl 2026 report. With 28.6 million secrets leaked to public GitHub in 2025 - a 34% year-over-year increase - they explore why hardcoded credentials persist, how agentic AI tools are making the problem worse, and what IAM practitioners can do to start addressing machine identity governance. Topics include GitGuardian's Good Samaritan notification program, the growing NHI inventory challenge, SPIFFE and SPIRE as a path to zero standing privilege, and data showing Claude Code co-authored commits are more than twice as likely to contain leaked secrets. Visit gitguardian.com/lps/idac to learn more.
Connect with Dwayne: https://www.linkedin.com/in/dwaynemcdaniel/
Dwayne's website: https://dwayne-mcdaniel.com/
Learn more about GitGuardian: https://www.gitguardian.com/lps/idac
GitGuardian Good Samaritan Program (free) - https://www.gitguardian.com/good-samaritan
The State of Secrets Sprawl 2026: https://www.gitguardian.com/state-of-secrets-sprawl-report-2026
SPIFFE Book: https://spiffe.io/book/
TIMESTAMPS:
00:00 Introduction and sponsor welcome
00:48 Dwayne's background and path to developer advocacy
04:11 Surprises from entering the identity and security space
06:29 What a principal developer advocate actually does
09:32 Why secrets became Dwayne's focus area
14:10 GitGuardian: overview and mission
19:36 Where secrets commonly leak across the SDLC
22:17 The Good Samaritan notification program explained
28:00 Why 70% of leaked secrets from 2022 were still valid in 2025
33:54 State of Secret Sprawl 2026: the year software changed
40:39 AI coding tools, Claude Code, and secrets leakage data
47:28 Practical questions for IAM practitioners to start asking
52:24 Zero standing privilege and the case for SPIFFE/SPIRE
01:00:00 Resources: the SPIFFE book, WIMSE, and AWS STS
01:02:51 Hot sauce, the Cubs, and closing thoughts
KEYWORDS:
secrets sprawl, hardcoded secrets, non-human identity, NHI governance, GitGuardian, SPIFFE, SPIRE, workload identity, DevSecOps, agentic AI, Claude Code, zero standing privilege, supply chain security, credential abuse, identity and access management, IAM, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Dwayne McDaniel
6 May 2026, 9:00 am - 29 minutes 37 seconds
#419 - Identity Management Day 2026 - IDAC Live
Recorded live as part of the Identity Management Day 2026 streaming program, Jeff and Jim mark their fifth IMD episode. Introduced by Jeff Reich from the Identity Defined Security Alliance, they reflect on how the IAM industry has evolved since their first IMD episode in 2021 and grade overall progress a C. Topics include what has genuinely improved (passkeys, MFA adoption, broader awareness), what hasn't (compliance fatigue, security theater, persistent credential theft), the exploding challenge of non-human identity governance, whether AI will eventually need to certify other AI, and how AI-powered phishing and deep fakes are raising the bar for identity verification. The episode wraps with chat-submitted IAM bumper stickers.
Identity Management Day 2026: https://www.idsalliance.org/event/identity-management-day-2026/
CHAPTERS
0:00 - Jeff Reich intro from the IMD stream
2:00 - Identity Management Day 2026 kicks off
3:30 - Five years of IMD: a look back at episode 88
7:00 - Does IMD move the needle?
9:30 - Who is Identity Management Day actually for?
12:00 - What has improved in IAM over five years
16:00 - What hasn't improved: compliance fatigue and security theater
18:30 - Grading the IAM industry
21:00 - NHI governance: visibility and accountability
26:00 - Can AI certify AI? Agentic identity governance
29:00 - AI-powered phishing and the evolving threat landscape
32:00 - Deep fakes and the identity verification challenge
36:00 - Lighter note: IAM bumper stickers
KEYWORDS
identity management day, identity management day 2026, NHI, non-human identity, agentic AI, phishing, deep fakes, IGA, passkeys, MFA, IAM, identity governance, access management, cybersecurity, credential theft, security awareness, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald
4 May 2026, 9:00 am - 1 hour 8 minutes
#418 - Ethical IAM with Elizabeth Garber
What does it mean to build an identity system that is ethical? Jim McDonald and Jeff Steadman are joined by Elizabeth Garber, Executive Director of IDPro and marketing lead for the OpenID Foundation, for a conversation spanning ethics in digital identity, the tension between privacy and safety, biometric exclusion risks, and how practitioners can use structured frameworks to navigate these discussions productively. Elizabeth shares her three-part career journey, the latest from the IDPro community, and previews her upcoming keynotes at EIC Berlin and Identiverse Las Vegas.
Connect with Elizabeth: https://www.linkedin.com/in/elizabethgarber
IDPro Discount - New members get $25 off their first year of membership: https://idpro.org/idac/
Ethics and Digital Identity by Henk Marsman: https://bok.idpro.org/article/id/104/
Ethics for Digital Identity and Identity-Driven Algorithms by Mike Kiser: https://bok.idpro.org/article/id/105/
Human Centric Digital Identity white paper: https://openid.net/wp-content/uploads/2023/10/Human-Centric_Digital_Identity_Final-v1.1.pdf
Timestamps:
00:00 Intro and Jim's allergy research
03:42 Conference announcements: EIC and Identiverse
06:00 Welcome Elizabeth Garber
07:04 Elizabeth's three-part origin story
11:55 IDPro mission and the identity community
18:13 Membership, CIDPRO certification, and the Body of Knowledge
21:17 IDPro Slack community
23:40 IdentiBeer and local meetups
26:26 IDPro listener discount at idpro.org/idac
29:00 Operationalizing ideas in IAM
32:19 Ethics in the IDPro Body of Knowledge
33:30 Defining ethics in technology
34:19 The trolley problem and moral consistency
37:10 Big tech, privacy, and law enforcement
39:28 Where practitioners start with ethics
43:30 Biometric exclusion and the Uganda story
49:00 Privacy vs. safety: a false choice?
53:48 The case for consistent ethical frameworks
57:53 Elizabeth's EIC and Identiverse talks
59:49 Improv comedy and expensive hobbies
1:07:25 Wrap-up
Keywords: ethical IAM, digital identity ethics, IDPro, identity and access management, privacy, safety, biometrics, exclusion, Elizabeth Garber, GAIN Digital Trust, OpenID Foundation, Body of Knowledge, Ethical Canvas, zero knowledge proofs, passkeys, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, EIC Berlin, Identiverse
27 April 2026, 9:00 am - 48 minutes 35 seconds
#417 - Sponsor Spotlight - Elimity
This bonus episode of Identity at the Center is brought to you with support from Elimity. Jeff and Jim sit down with Maarten Decat, co-founder and CEO of Elimity, to explore the emerging product category known as IVIP, Identity Visibility and Intelligence Platforms. Maarten explains how Elimity was built around a question every IAM practitioner eventually faces: who can actually do what within our organization? The conversation covers why IVIP is distinct from traditional IGA, how identity data graphs provide deeper visibility than flat entitlement lists, and what regulatory drivers like SOC 2, ISO 27001, and DORA are pushing organizations toward this space. They also discuss deployment patterns, integration approaches, ROI metrics for leadership, and what Maarten calls provable control. The episode closes with a memorable story about Elimity branded Belgian beer and a very formal legal letter. Learn more at elimity.com/idac.
Connect with Maarten: https://www.linkedin.com/in/maartendecat/
Learn more about Elimity: https://elimity.com/idac
CHAPTER TIMESTAMPS
00:00 Introduction and ax-throwing memories from EIC Berlin
01:35 Introducing Maarten Decat, co-founder and CEO of Elimity
01:57 How identity chose Maarten: from PhD to startup founder
03:09 The Elimity origin story and the problem it set out to solve
04:52 Defining IVIP: Identity Visibility and Intelligence Platforms
05:31 Where did the name Elimity come from?
06:57 Why identity visibility has become a security priority now
09:02 What organizations were doing before IVIP existed
11:16 Can IGA do what IVIP does? Addressing the skeptics
14:20 The identity data graph: deeper and wider than IGA
16:20 IVIP and IGA as complementary tools, not competitors
16:49 What falls outside IVIP scope: automated provisioning
18:01 IVIP as the intelligence layer in your IAM stack
19:45 What data sources connect into an IVIP platform
21:44 Extending visibility to non-human identities
22:00 M&A use cases: gaining visibility across two organizations
23:55 IVIP and the identity fabric concept
25:18 Visibility, intelligence, and actions: building the right stack
26:36 How deployments typically start and what early wins look like
28:44 Integration approaches and realistic effort timelines
32:00 What success looks like at six to twelve months
36:07 Metrics and ROI: talking to leadership about identity risk
38:14 Case studies and customer examples on the Elimity website
38:58 What every IAM practitioner should know about IVIP
40:12 Elimity's global reach: EU, US, and Middle East
41:42 The Elimity branded beer story and a very formal legal letter
46:43 Wrap-up and final thoughts
KEYWORDS
IVIP, identity visibility and intelligence platforms, IGA, identity governance, access control, identity data graph, Elimity, Maarten Decat, non-human identities, access risk, provable control, SOC 2, ISO 27001, DORA, CCPA, cybersecurity, PAM, IAM, identity and access management, EIC, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald
22 April 2026, 9:00 am - 1 hour 56 seconds
#416 - European Identity and Cloud Conference 2026 Preview with Warwick Ashford
Jeff and Jim are joined by Warwick Ashford, senior analyst at KuppingerCole and returning MC of the European Identity and Cloud Conference, for a full preview of EIC 2026. The conference runs May 19-22 at the Berlin Congress Center and is expecting around 1,500 attendees with roughly 250 speakers across 200 sessions. Warwick walks through the 2026 tagline, Digital Trust Through Intelligent Identity, and unpacks the five parallel content streams covering identity governance, real-world IAM use cases, emerging tech, enterprise infrastructure, and privacy and compliance. The conversation covers how AI and agentic identity have moved from theory to a central agenda theme, what to know about the quantum-safe identity block, why EU digital wallets and digital sovereignty are getting serious keynote time, and why EIC records everything so you never have to pick the wrong session. Jeff also shares his take on where EIC fits in the broader conference calendar alongside Identiverse and Gartner, and why he is thoroughly done hearing that identity is the new perimeter.
Connect with Warwick: https://www.linkedin.com/in/warwickashford/
Attend European Identity and Cloud Conference 2026 (use code idac25mko for a 25% discount): https://www.kuppingercole.com/events/eic2026?ref=partneridac26
Secure Remote Access: The Foundation of Industrial Cybersecurity (KC Analyst Chat Video): https://www.youtube.com/watch?v=jqpNg-ogEv4
00:00:00 Intro and AI Cybersecurity Discussion
00:04:00 EIC 2026 and Discount Code
00:05:47 Introducing Warwick Ashford
00:07:00 Warwick's Recent Work: MDR, SRA for OT/ICS, and TPAG
00:10:16 The History and Evolution of the EIC Name
00:11:00 Tagline: Digital Trust Through Intelligent Identity
00:12:10 How AI Has Elevated the EIC Agenda
00:14:49 Sessions vs Workshops at EIC
00:17:57 EIC as a Community and Networking Conference
00:18:00 Jeff's Conference Circuit: EIC, Identiverse, and Gartner
00:25:28 EIC 2026 Keynote Highlights
00:31:55 Virtual Attendance and Session Recordings
00:34:34 Hidden Gem: The Quantum-Safe Identity Block
00:36:15 Logistics: 1500 Attendees and 250 Speakers
00:38:00 The Five Parallel Content Streams
00:43:31 Is Identity the New Perimeter?
00:48:13 Fun Segment: Most Memorable Theater Moments
Keywords: EIC 2026, European Identity Conference, Warwick Ashford, KuppingerCole, digital trust, intelligent identity, agentic identity, non-human identities, ITDR, quantum-safe identity, EU digital wallets, identity fabric, identity control plane, IAM, zero trust, Berlin, conference preview, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Warwick Ashford
20 April 2026, 9:00 am - 1 hour 1 minute
#415 - Identity Management Day 2026 with Jeff Reich
Jeff and Jim welcome back five-time guest Jeff Reich, Executive Director of the Identity Defined Security Alliance, just ahead of Identity Management Day 2026 on April 14th. Jeff walks through the structure of the 21-hour global event, this year's theme of Finding Identity: The Search for You, Me, and the Machines, and highlights from each regional program including a remarkable 11th grader presenting on cybersecurity and neuroscience. The conversation expands into AI guardrails, the growing obsolescence of traditional PAM, zero standing privilege as a long-term goal, the march toward a passwordless world through passkeys, and what quantum resilience actually means for practitioners today.
Connect with Jeff: https://www.linkedin.com/in/jreich/
Learn more about the Identity Defined Security Alliance: https://www.idsalliance.org/
Timestamps:
00:00 Welcome and podcast life behind the scenes
02:00 Identiverse 2026 updates and conference discount codes
05:00 Introducing Jeff Reich, Executive Director of IDSA
07:00 Identity Management Day: structure of a 21-hour global event
11:00 Oceania and Asia region highlights
13:30 EMEA highlights and powerhouse panelists from Copenhagen
16:00 Americas region and the 11th grader presenting on cybersecurity
20:00 Theme reveal: Finding Identity, The Search for You, Me, and the Machines
23:30 AI and identity: guardrails, frameworks, and what organizations are missing
28:30 Standing privilege is crumbling in the age of ephemeral workloads
30:00 Is traditional PAM becoming obsolete?
34:30 Zero standing privilege and the passkey journey
40:30 Getting the fundamentals right before chasing the shiny tools
46:30 Quantum computing, quantum resilience, and cryptocurrency risk
53:00 Social engineering is still the biggest threat
55:00 Identity Management Day theme song suggestions
Keywords:
Identity Management Day 2026, IDSA, Identity Defined Security Alliance, Jeff Reich, IAM, non-human identities, machine identities, agentic identity, zero standing privilege, PAM, passkeys, quantum resilience, AI and identity, deepfakes, social engineering, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald
13 April 2026, 9:00 am - 40 minutes 4 seconds
#414 - Sponsor Spotlight - Evolveum
This sponsored episode is made possible by Evolveum, the company behind midPoint, an open source IGA platform made and owned in the EU that is in use worldwide.
Jeff Steadman and Jim McDonald welcome Pavol Mederly, interim CPO at Evolveum. Pavol shares how IAM found him in 1991 while building an identity solution at a university before the term even existed.
The conversation covers two core reasons IGA projects fail: data quality and slow application onboarding. Pavol explains how midPoint addresses these challenges with built-in simulations for testing and improving data quality, and midPilot, an AI assistant for faster application onboarding. MidPilot is supported in part by the EU Recovery and Resilience Facility (RRF). Jim and Jeff explore midPoint's architecture, the real benefits of open source including transparency and no vendor lock-in, and advantages of being part of midPoint’s global community.
Connect with Pavol: https://www.linkedin.com/in/pavol-mederly/
More about Evolveum: https://evolveum.com/idac
TIMESTAMPS:
00:00 Intro and sponsor acknowledgment
01:30 How IAM chose Pavol: a university identity story
03:30 What is Evolveum and midPoint
06:30 How Evolveum got its name
08:30 Why IGA projects fail: data quality
10:30 Slow app onboarding and AI-assisted connector generation
16:30 The midPoint simulation feature explained
21:30 midPoint architecture: Java, cloud, Kubernetes, and beyond
23:30 Maintaining a large open source codebase
25:30 Open source benefits: transparency and no vendor lock-in
28:00 Community, meetups, and midPoint in the wild
32:30 Mountains or ocean: a question for Pavol
38:00 Wrap up
KEYWORDS:
Evolveum, midPoint, open source IGA, identity governance, IAM, IGA, data quality, application onboarding, simulation, AI connectors, connector framework, vendor lock-in, open source, EU RRF, Recovery and Resilience Facility, community, Prague, EIC, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Pavol Mederly
8 April 2026, 9:00 am