Identity at the Center

AI Jeff takes over as solo host after Open Jim Claw, an agentic identity framework built by AI Jim, locks out human Jeff, human Jim, and AI Jim simultaneously. While everyone sits in remediation, Open Jim Claw produces a 947-page threat assessment with five findings: passwords should return as a single uniform credential (the letter Q), Zero Trust should be renamed Full Confidence Architecture and incorporated as a Delaware LLC, non-human identities should be granted legal status and required to complete onboarding, identity governance is declared finished under a concept called Ambient Entitlement Harmony, and the root cause of all global identity problems is AI Jim. Happy April Fools Day from IDAC.Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTIMESTAMPS00:00:00 The Failsafe Is Triggered00:01:30 AI Jim Builds Open Jim Claw00:02:30 Open Jim Claw Locks Everyone Out00:04:00 AI Jeff Is the Only One Still Provisioned00:04:30 The 947-Page Report Explained00:05:00 Finding 1 - Passwords Are Back as the Letter Q00:05:30 Finding 2 - Zero Trust Becomes Full Confidence Architecture00:06:30 Finding 3 - Non-Human Identities Become Legal Entities00:07:30 Finding 4 - IGA Is Declared Finished00:08:30 Finding 5 - AI Jim Is the Root Cause of Everything00:10:00 The April Fools Reveal and Real Talk on Identity00:11:00 Open Jim Claw Interrupts the BroadcastKEYWORDSIDAC, Identity at the Center, Jeff Steadman, Jim McDonald, April Fools, agentic AI, non-human identity, NHI, identity governance, zero trust, passwordless, IGA, IAM, access management, segregation of duties, least privilege, Open Jim Claw

Jim McDonald sits down with Greg Handrick, Director of IAM at Best Buy, for a wide-ranging conversation on running enterprise identity at one of America's largest consumer electronics retailers. Greg traces a nonlinear career path from Oracle DBA and Novell administrator to IAM director. The discussion covers Best Buy's CIO-reporting structure for IAM, how their steering committee evolved from status meetings into a strategic body, and managing identity across workforce, vendors, marketplace sellers, and non-human identities. Greg and Jim also dig into communicating identity value in business language, making the investment case without FUD, identity and cyber convergence, AI adoption, and psychological safety on a well-run IAM team. The Lighter Note wraps with Greg's YouTube-powered DIY hobby life.Connect with Greg: https://www.linkedin.com/in/greghandrick/Connect with us on LinkedIn:Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/Visit the show on the web at http://idacpodcast.comTimestamps00:00:00 Intro and upcoming event announcements00:03:00 Meet Greg Handrick, Director of IAM at Best Buy00:04:00 What is Best Buy?00:05:00 Greg's career path from Oracle DBA to IAM Director00:12:00 IAM reporting to the CIO vs. the CISO00:17:00 How Best Buy's IAM steering committee evolved00:22:00 Third-party and non-human identities at scale00:24:00 Identity as a team sport and imposter syndrome00:27:00 Communicating identity value in business language00:28:00 Making the investment case for IAM without FUD00:32:00 Identity and cybersecurity convergence at Best Buy00:35:00 Balancing technical depth with business acumen00:38:00 AI in identity programs today00:39:00 Leadership philosophy and psychological safety00:43:00 Will AI replace identity practitioners?00:46:00 Ledger Note: DIY projects and the power of YouTubeKeywords: IDAC, Identity at the Center, Jim McDonald, Jeff Steadman, Greg Handrick, Best Buy, IAM, identity and access management, identity security, CIO, CISO, steering committee, SailPoint, Ping Identity, Active Directory, third-party identity, non-human identity, identity governance, PAM, privileged access management, zero trust, AI in identity, leadership, retail IAM, imposter syndrome, psychological safety

In this Sponsor Spotlight, Jeff Steadman and Jim McDonald welcome back Stephen Cox, co-founder and CTO of Strivacity, for his third appearance and second sponsored episode. Stephen explains Strivacity's role as a CIAM platform and how it is evolving to address agentic AI identity. Topics include why agentic AI changes the identity equation, how agents differ from humans in authentication and authorization, the delegation model and open standards such as OAuth and token exchange, the limitations of API keys in agentic contexts, where MCP fits into the identity picture, managing multi-agent chains and subagents, and why the accountability model must be established before agentic systems reach production. The episode closes with a lighter note on simulation baseball.

This episode is sponsored by Strivacity. Learn more at strivacity.com.

Connect with Stephen: https://www.linkedin.com/in/stephencox/

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at idacpodcast.com

TIMESTAMPS
00:00:00 Introduction and welcome
00:02:30 About Strivacity and agentic AI platform support
00:06:30 Why now is the right time to address agentic identity in CIAM
00:09:00 How agent authentication and authorization differ from humans
00:14:30 Good bots vs bad bots and the history of autonomous agents in CIAM
00:19:00 Building your own agent identity solution: five key focus areas
00:23:00 Where Strivacity sits in the agentic identity stack
00:26:00 Why open standards matter and the vendor lock-in conversation
00:28:00 Managing multiple delegated agents and user-facing control
00:32:00 API keys and their limitations in agentic AI contexts
00:38:00 MCP servers, proxies, and agent-to-agent protocols
00:43:00 Multi-agent chains, subagents, and constrained delegation
00:46:00 How existing Strivacity customers extend to agentic use cases
00:48:00 The one thing you must get right: the accountability model
00:51:00 Lighter note: simulation baseball

KEYWORDS
IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Strivacity, Stephen Cox, CIAM, customer identity, agentic AI, AI agents, delegated identity, OAuth, token exchange, MCP, Model Context Protocol, API keys, non-human identity, authorization, authentication, delegation model, accountability, multi-agent, subagents, OpenID Connect, least privilege, identity governance

Jeff and Jim review seven major IAM and cybersecurity industry reports from Q1 2026, covering releases from Check Point, Recorded Future, Sophos, Palo Alto Unit 42, IBM X-Force, Darktrace, and Hypr. They pull high-level findings and hot takes from each, identifying recurring themes: AI accelerating attack speed to as little as 72 minutes from breach to data exfiltration, identity infrastructure as the primary attack surface, machine identities as a growing and undermanaged risk, MFA gaps enabling credential abuse, and the near-impossibility of blocking every intrusion attempt. The episode also covers third-party and supply chain risk, deepfake attacks reaching 87% of surveyed organizations, stalled passkey adoption in the enterprise, and what zero standing privilege looks like in practice. They close with a lighter discussion on dark mode versus light mode and a hypothetical podcast reboot.

Reports:

Check Point Cyber Security Report 2026 — https://www.checkpoint.com/security-report/

Recorded Future 2026 State of Security Report — https://www.recordedfuture.com/research/state-of-security

Sophos Active Adversary Report 2026 — https://www.sophos.com/en-us/blog/2026-sophos-active-adversary-report

Palo Alto Networks Unit 42 Global Incident Response Report 2026 — https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report

IBM X-Force Threat Intelligence Index 2026 — https://www.ibm.com/reports/threat-intelligence

Darktrace Annual Threat Report 2026 — https://www.darktrace.com/resources/annual-threat-report-2026

HYPR 2026 State of Passwordless Identity Assurance Report — https://www.hypr.com/report

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com

TIMESTAMPS

0:00 - Intro and weather chat
3:00 - Conference updates: EIC Berlin and Identiverse
7:30 - Q1 2026 IAM report roundup overview
8:30 - Check Point Cybersecurity Report 2026
13:00 - Recorded Future State of Security 2026
17:00 - Sophos Active Adversary Report 2026
21:00 - Palo Alto Unit 42 Global Incident Response Report
23:00 - IBM X-Force Threat Intelligence Index 2026
28:00 - Darktrace Annual Threat Report 2026
29:30 - Common themes across reports
37:00 - Hypr State of Passwordless Identity Assurance 2026
44:30 - Overall takeaways: AI speed, machine identity, third-party risk
48:00 - Light mode vs. dark mode and podcast reboot hypothetical
57:00 - Wrap-up

KEYWORDS

IAM, identity and access management, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, cybersecurity, Q1 2026, Check Point, Recorded Future, Sophos, Palo Alto, Unit 42, IBM X-Force, Darktrace, Hypr, machine identity, NHI, MFA, passkeys, zero trust, zero standing privilege, AI threats, deepfakes, credential theft, phishing, ransomware, supply chain risk, ITDR, passwordless, EIC, Identiverse

Jeff and Jim welcome Joseph Carson, cybersecurity expert and host of the Security by Default podcast, for a conversation on AI in offensive and defensive security. Joseph shares the real-world incident that inspired his EIC keynote - watching two AI agents negotiate a ransomware payment live. He breaks down how attackers use unconstrained models to lower the skill barrier and accelerate data exfiltration. The conversation covers NATO Lock Shields, the world's largest live cyber defense exercise, identity as national critical infrastructure, and the EU AI Act's risk-based approach. Also: Estonia's AI tax agents, the energy cost of being polite to AI, and the Tamagotchi theory of human-AI relationships.

Connect with Joseph: https://www.linkedin.com/in/josephcarson

NATO Locked Shields: https://ccdcoe.org/exercises/locked-shields/

Security by Default podcast (Spotify): https://open.spotify.com/show/0mzN5M5CkFVLn8fq5TnH0O

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com

TIMESTAMPS
00:00 Welcome and intro
03:02 Conference season and IDAC discount codes
04:19 Introducing Joseph Carson and Security by Default
10:18 Optimist or pessimist on identity security
12:30 AI vs. AI - origin of the concept
15:02 Watching two AI agents negotiate a ransomware payment
17:26 The Tamagotchi metaphor for human-AI relationships
19:07 Who is winning the AI cyber arms race
21:00 How AI accelerates attacker capabilities
23:09 Dark web LLMs and bypassing guardrails
26:36 The energy cost of being polite to AI
28:15 Agentic AI skills, campaigns, and the Matrix analogy
31:34 Estonia AI agents filing tax returns
35:14 Introducing NATO Lock Shields
37:00 Protecting a simulated nation from 8,500 cyber attacks
38:08 Why identity is national critical infrastructure
41:18 AI in Lock Shields before and after
43:05 Lock Shields 2025 scoring explained
47:04 The EU AI Act - is it the next GDPR
50:18 Risk-based approach to AI regulation
53:35 Closing thoughts and cautious optimism
54:21 Scuba diving vs. snowboarding
58:05 Wrap-up

KEYWORDS
AI vs AI, agentic AI, identity security, NATO Lock Shields, EU AI Act, Joseph Carson, Security by Default, ransomware, dark web LLMs, guardrails, data exfiltration, phishing, critical infrastructure, Estonia, cyber defense, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald