Transcript
I'm really excited to be here. It's my very first edition of Identity TV. So let me just quickly introduce myself. Chandra Gnanasamandam. I'm new to SailPoint. I lead all of product and engineering and tech here. And it's great to be meeting you all. Look, I truly enjoy this concept of Identity TV because we have the big customer conference, Navigate, that's in the fall. And so this actually gives us an opportunity to actually engage with you all who are the core identity and security practitioners on the SailPoint platform. And so I'm quite excited to be here. What I want to do today primarily is to give you a sense on the vision we have for the next three years and some of the problems and themes we are going to be solving and the kinds of products you can expect us to be launching over the next two, three years, right? You know, starting at Navigate this year. And so that's really the idea for today. And to me, I always start with what are the customer problems we are solving? Because the vision and the roadmap and the products we build should, the true north is always solving the most critical and the relevant and the strategic security problems in the world. So in the last two, three months, we have had a number of conversations, right? You know, 30, 40, 50 conversations with core practitioners like yourself and across a suite of stakeholders, right? Everyone from core identity users, admins to CISOs, to chief risk officers, to chief data officers, to CIOs and so on. And there are four themes we have consistently heard, right? One is just this increasing threat complexity. I'll spend a bit more time on it, but it is not just the volume of threats, but it's a sophistication of threats, right? You know, it used to be malicious code being introduced. Then it was bad actors using the whole supply chain to actually infiltrate networks. Then it moved to bad actors logging in using stolen credentials. So they were not even breaking in, they were logging in. 
Now it's increasingly, you know, LLMs and agents being hijacked, data privacy issues based on local laws and such, right? And so both the volume, the velocity, and the sophistication of threats are really exponentially growing. The second thing we heard consistently was this concept of operationalizing zero trust. It's been talked about for a few years now. You know, and in all honesty, it's more of a philosophy and a mindset than actual solutions and in a very, you know, implemented, deployed in a very operational way. We are going to change that, particularly from an identity perspective. So I will talk a bit more about least privilege and how we want to use a platform we have to really get a lot closer to least privilege and do it in a very context-specific way. But the theme is really around operationalizing zero trust. The next one is quite interesting, which is security is increasingly becoming a competitive advantage to large corporations. It's not just tech companies. It's not just software companies. It's large companies across industries because almost every large company now, it's becoming a digital enterprise, right? So with the use of agentic tech, you have lots of agents autonomously executing business processes just like humans are. So in a digital context like that, being more secure is more than a necessary evil, right? It's more than a good thing to have. It's actually a strategic competitive advantage. And in all the CEO conversations we have had, interestingly, this has come up, right? And so this is a big change from the past. And the last one is really the regulatory environment we live in today. And this concept I'm sure you've heard of, global, right? Which is there are some global regulations and laws related to security, but it's also the local ones, right? So a global 3,000 corporation on an average has or operates in at least 50 different countries. 
And there are 50 different data laws and security protocols and such that are specific to a country. So how do you really help customers manage through that environment? And for you all as identity and security practitioners, how do you deal with this on a day-to-day basis? So when I step back, these are the four big themes we heard. Now let's make it real, right? So particularly around the threat vectors, because that is the crux of the security problem. So I'll start with a little reminder of what I'm sure you all know, which is some of the major breaches over the last few years, right? SolarWinds, MGM Resorts, Okta. I'll quickly go through them with the theme across all of them being, every one of these, it all started with an identity breach. The core of this is really the identity. So SolarWinds, just to remind you, right? It was one of the largest supply chain security breaches. IT management, software vendor, a malicious code being introduced during the build cycle, which looked so normal, it sort of infiltrated the networks and had access to privileged accounts at almost every one of their customers, right? 10,000 plus customers, including government agencies and so on. And it took almost a year to actually detect it, right? Normally the dwell time of an attack vector staying in the network before being identified is about three quarters, right? Two to three quarters. This took almost a year. And so that one, again, started with an identity. MGM Resorts, slightly different flavor, a ransomware attack, which was, again, cost driven by social engineering, right? And so an identity being breached. It was a single employee where the whole thing started, right? The losses, they had a massive economic loss. They had to, it had implications on the operations of the casino, the hotel and all of that. And Okta, again, a help desk employee, their account being breached and them being breached, right? 
And so in all these three cases, massive, massive threat started with an identity. Now, what's not on this page today, right? And because these are 2023 stories, right? If you look at late 2024 and early 2025 stories, still identity related, but of a slightly different nature, right? It's even more sophisticated. There have been a dozen or more LLMs that are being trained on private data being hijacked. And that's the word being used, right? You know, hijacked. Same thing with agents. You know, when you have these agents that are autonomous, acting as a digital workforce, executing mission critical business processes, accessing critical systems, them being compromised, right? It's a version of, because they are all digital identities. And so the common thread across all of these threat vectors, it starts with an identity. In today's world, we've got to talk about AI, right? You know, if everything starts with an identity, what's the role of AI in it? Is it going to make it better? Is it going to make it worse? We believe it's both a threat and an opportunity, right? Meaning it's going to be used by the bad actors to do bad things, right? Talk about LLM hijacking. You talk about agent hijacking. You talk about data privacy breaches. A lot of that are actually driven by AI. And, you know, from places that are quite far away. But good people like you and us and others who are building solutions to these problems, we are also using AI, right? You know, we have already launched a number of AI capabilities, including two agents in the market, which we are quite excited by. And you will see us do a lot more, right? And it's using AI, not just gen AI, machine learning, gen AI, to solve problems is a massive investment area for us, right? And so, so net it all out, right? You know, four big customer problems and a lot of the threat vectors, starting with an identity. Now, the question is, you know, what does it all mean, right? 
How does this inform the future of where SailPoint is going, our vision and our roadmap? The headline on that is really using, getting identity much more closer to security, meaning identity has always been on the periphery of solving security problems. And our view is if the majority of the threat vectors in the world originate with an identity, the solution will have to mirror that, right? Today, the, you know, the tools that are available to manage threats, if you go into a SOC, I'm sure a lot of you work inside a SOC, you have network tools and network traffic data, you have cloud data, you have endpoint data, you have a lot of data security tools. What you don't have in a very deep way, the deep context that's not inside a SOC is actually the identity context. So our view is there's this concept, you know, our view is really re-imagining. We are gonna re-imagine identity security and the crux of that is bringing identity the core, to the core of solving security problems. What does this mean? We believe there are six structural shifts that need to happen to get identity closer to security. First is we are gonna go from managing and governing human identities to humans plus agents and machines and LLMs, okay, broadly. Because if you really think about it, agent, agents are really a digital workforce because they are autonomous, they can reason and they are executing, they're gonna execute business processes on their own, on behalf of a human, but in a very autonomous way. So you've got to govern them, you've got to manage them exactly, you know, how you manage a human identity. So digital identities, agents, LLMs and machines is gonna be a big focus area, right? That's one shift. The second shift, this is quite fundamental, is this notion of standing privilege, static privilege for the majority of identities, except the few that are sort of managed through a, as a privileged, you know, account. I think that idea is outdated for the threat vectors of today. 
Our view is every identity in the world, inside a company should be privileged to varying degrees. And the degree will be based on the risk of the identity and what's trying, you know, what it's trying to access at an entitlement level and the context based on which it's doing the access, right? And so we are going to be introducing products that will get customers closer to just-in-time, just-in-time access, which will be based on risk and context, right? So that's another big shift from static standing privilege to least privilege. And this is core to operationalizing Zero Trust. The third one is really using identity as the center of solving threat problems, right? And really getting threat intel that have very rich and deep identity context in them. So what does it mean, right? So today, if you go again, like I talked about, if you go look at the tools and data available inside a SOC, there is very little identity is a minority there, right? It doesn't, it's not, you know, while most of the threats originate through an identity, the solutions and the tools and the data is, you know, identity is not well represented. So you will increasingly hear us provide solutions in the market, right? About, you know, which will do, which will have risk scoring, right? You know, a number of the companies that you belong to, I'm sure you have millions and millions of entitlements that are stored in either SailPoint or some platform. Could you have a risk perspective on each of those entitlements? Could you have a heat map on what is the risk profile of all those entitlements? Could you know, you know, what if you knew what the blast radius of the highest risk entitlements? What are the access pathways that are highly risky? Those are the kinds of things that we believe should be available as tools inside a SOC. And this is a shift, this is a movement you will actually see us make. The fourth one is this concept of data in addition to applications is a new workload. 
Data is a new workload, right? And what I mean by this is for a long time, you've had humans accessing applications and applications access data. That's sort of the chain that got managed. Now that has changed, right? Which is that is still there, but increasingly you have humans. If you are a data scientist, if you are a machine learning engineer, if you are a data engineer, you are not necessarily going through applications to access data. You're going straight to a lake house, to a data warehouse to access data. If you are a machine, if you are an agent, you certainly are getting trained directly on data. You are accessing data directly, right? And so you have gone from managing one simple chain, human to applications, to managing almost eight to 10 different links here, right? That is human to application, human to data, machine to data, agent to data, agent to machine to data. So you have to govern these links just as well as how you govern the link between humans and applications. So that's really the concept of data as a new workload and it needs to be governed and linked to identity the same way that applications were linked to identity. The next one is really the ability to, where you're going from first-party apps, where you kind of live with what those apps actually provide, to the ability for you to orchestrate identity-centric workflows using identity data. So our platform increasingly will be a lot more extensible. The core underpinning of what we do will become the identity graph, which will have a ton of identity context in it. All of the identity context will be in it. And so giving practitioners like you and the developers to really configure your own workflows using those to solve other problems and using identity data to solve broader security problems. That's really the shift to platform. And the last one is really about agents. And this, like I mentioned, we have launched two different agents in the market. 
One focused on workflow generation, one focused on natural search. And you will see us do more and more of this in the future, right? So again, right? So this concept of re-imagination of identity security, these are the six structural shifts that we believe will drive it. Now, the question is, if you were to net it all out, you know, what does it mean? What should you be expecting from us? Not just at Navigate this year, right? Later in the fall, but also in 2026, 2027, and so on. Because, you know, our view is we want to plan for three years. That's a right time horizon, and make some adjustments along the way. But give you a clear visibility into the kind of focus areas and themes that we are going to be working on. First is really around agentic security and governance. Like I talked about, right? Agents are one of the biggest growth vectors. They're autonomous if they are executing mission-critical business processes. We are going to come up with a fairly distinctive, you know, product, which will be differentiated in terms of securing those agents and governing those agents. I think, you know, we are going to be differentiated relative to all the announcements and, quite frankly, a bit of noise in the market. Our confidence comes from the fact that these agents are solving mission-critical problems, which need access to applications and data that sit on mainframes, that are legacy platforms. If you are a hospital system, you have agents accessing radiology platforms. If you are a bank, you have agents accessing mainframes, you know, and so on and so forth. And there are very few identity security companies in the world who can manage that level of complexity, particularly with all legacy platforms in the world. SailPoint is one of the unique ones. So that's why we are quite excited about our ability and the differentiation to solve this problem. The second one is really this, the concept of just-in-time privilege, right, that I mentioned. 
This is core to operationalizing Zero Trust. And in our view, this will be, this is going to be based on, the differentiation on this will come from risk modeling at an entitlement level. If any of you that use our platform, you operate at an entitlement level, you have millions of them. We are going to risk score at that level and use that as a basis and combine that with context, some external context and other context to actually provide you intelligence on who should get access in real time, right? And so this will fundamentally change the way that you will think about privilege. You will think about privilege for identities, which is much required given the threat vectors that we are actually beginning to see today, right? And both human identities as well as digital identities. The third one is really data security. Look, like I talked about, right? Increasingly with machines and also with humans, right? They are going straight to data. So the question is, how do you really manage data governance and access at a fine grain level? Almost, you know, person X with role Y, the ability to access this level, this column and this role in this cloud data store, you know, that whole chain, that's a complex problem to solve, right? And so, and this is very much in the sweet spot for SailPoint because, you know, we have for the past 20 years, this is what we have done well, fine grained access control, right? Fine grained management of security. And so we're going to apply that same know-how in terms of, you know, going to the data level. We have a product today in the market, which is focused on unstructured data. And we are now, you will see us get more into structured data. And we are going to do that in partnership with these cloud providers who have these cloud data stores, right? 
We are going to, you know, we're going to partner with every one of them in the industry because we want to partner with people who have the platforms that own these cloud data stores today. And the last one is really the threat intelligence, right? And so, you know, you should really expect from us more and more on this in terms of all the way from just giving you visibility into risk on all the entitlements you have into doing some predictive threats, or sorry, predictive risk, predictive sort of risk analytics so that it's not just based on what is there today, you know, what, you know, what kind of, you know, what can be forecast for you, right? Just based on, based on behaviors, doing anomalous detection, you know, access attack pathways. And so more and more intelligence from an identity perspective that will be threat intelligence that you could use to solve threat problems inside a SOC, right? Hopefully that gave you a flavor of where SailPoint's going in the future, the kinds of problems we are going to be solving and the big themes that we are going to be addressing and what kind of products that you should be expecting as not only in Navigate, but beyond Navigate. So hopefully this is exciting and it gave you a flavor of where we are going and thank you for listening. And I'm quite, I'm quite excited and looking forward to seeing you all at Navigate in person later in the fall. Thank you. Thank you.