Saviynt: Standards, AI Speed, and the Future of Identity

Saviynt
07/01/2026
Transcript


Welcome back, friends. It is time, the best conversation you're going to have all day. Welcome to Savvy Talk. We are rooted in conversation. Let me tell you, we have got the ultimate special guest coming up for this episode. Before I get to that, Enrique, what's going on, buddy? David, I'm excited for this one. I hear she basically invented the Internet, or pieces of it. Yeah, pretty much. She invented the Internet, she invented standards, like it's just, she invented everything. How did we even get that guest? We are just privileged to be in her presence. I think it's because of you. So is the audience. It's not because of me. It's not because of me at all. She had the time, so she said, I will come and grace your lovely audience with my presence. Oh, man. We are talking about, folks, none other than, recently anointed, the number one pick on Okta's Identity Top 25, Heather Flanagan herself. Heather, this is going to be an amazing episode. Stay right there. All right. She has made her way here. There was a procession, people, like they laid out roses, there were trumpets. It was the most impressive thing I've ever seen. Heather Flanagan, welcome to the show. You have a very creative interpretation of what happened today. Thank you, Heather. Thank you for coming. Now, I was looking forward to this one. Like I said, well, you basically touched the Internet. Sometimes I flex saying, well, I came up with ITDR. So this is not it. It's way bigger. The fact is much bigger. So Enrique, it's not the flex you think it is, right? So ITDR. But Heather. I have touched the Internet in many ways, but all of them have been completely appropriate. No inappropriate touching. And a lot of it has been fantastic because it's coming about from someone like me, who I'm supposed to be a librarian. That's my degree. I'm a librarian. Is that your major? Yep. I have a degree in library science from the University of North Carolina, Chapel Hill. 
Once I got that degree, I never ended up working in a library again. I'm not sure why not. Were you afraid of AI taking your job as a librarian? How old do you think I am? I think, no, because in 1995 when I graduated, that was not a concern. In fact, we were just where my undergraduates still had the card catalog. Okay. Yeah. No, I remember that. He may not remember. I remember card catalogs. Cool. So thank you. And Heather. So you made this top 25 list. And I think, I don't think I had a ranking between them, but I agree with David. Top of the names that we have. No, I saw the rankings. They just didn't let everybody else know because they didn't want people's feelings to get hurt. I saw the rankings. Heather was number one. Guaranteed, right? Yeah. So tell us a little bit what you do. I know you have so many affiliations and things that you do, but perhaps to explain to me, I think that's the first time we had this one-on-one because I know of you, of course. I know how fantastic you are, but I think, share with me, the listeners, a little bit of, okay, so what different institutions, well, what are you doing today? So what are the big things in your life? Right. So ask a small question. Why don't you just start? So what I do is I, let me tell you what I'm not doing. I'm not a developer. Okay, same. I'm not an architect, right? I'm not an ops manager. So like when you're in tech, it's like, okay, well, then what do you do? What's left? Because this is, well, as it turns out, my favorite technical people in the world usually aren't great communicators. They're not always the most organized people I've ever met. And they certainly can't translate what they're trying to do into something that either their users or their management understand. And that's where I come in. I come in in these large-scale collaborations that are all working towards how do you make the internet as a whole better? And I'm like, okay, how can I help you? What do you need? 
In some cases, that's executive oversight for the process of their publication, right? For eight years, I was the RFC Series Editor for the Internet Engineering Task Force. So IETF. Yeah, IETF, right? And if you've ever referred to an RFC, especially if you've ever referred to an RFC since 2019 in the whole new format, yeah, the new format, that was my fault. The reason we don't have plain text ASCII anymore. Yeah, it took eight years, but by gosh, I got them to change. And then I said, all right, people, I am done. That's a career right there, right? Yeah, and that was not a full-time job. Great, no. Since I became an independent about 15 years ago, I have so many different roles and they're fantastic because you just get to say, all right, look at all these communities. Did you know what these people are doing over here? Let me pull you together and work on that. And you, you need that and you need that. And these people over here need to come in for that. I love that. It's super cool. Yeah, and within the work with IETF and the Internet, so this eight-year stint, I was always very curious. What does it take? And I would say, you had a day job besides this thing or other jobs besides this thing, it was not even a full-time thing, but what was the actual effort? And explain the day in the life and how you contribute to a specification like that. And perhaps other people that may be interested in doing that. Okay, so what I was doing is not what a typical participant in the IETF would do. Or any standards organization for that matter, because I do, I collect standards organizations like other people collect Pokémon, right? It's like, how many can I actually participate in? All of them, I want all of them. 'Cause they're all so interesting in terms of their process and procedures and the personalities that they bring and attract, the type of conversations they have. If you're going to go to an ISO meeting, you are talking about, I would like to interrupt Mr. Lee. Mr. Lee, I would like to raise a question, super formal. I object, your honor, kind of thing. Something like that. I mean, Robert's Rules of Order has become the way you do things. 
And then you get into the IETF where they stand up and go, I think that's stupid. You know, I mean, it's just very, very straightforward. This is so refreshing. Okay, no, no, tell me more. So it can be any number of different things, right? So what I would do in a given day or what I do in any given day in these collaborations is a lot of listening to understand. Let's say I'm having a working group that's got some uncomfortable debate, which happens. Really? In our industry? Yeah, I know, right? It's like, how could you not all agree on Apple, Google? What do you mean you don't just do that? Right. But you stop and say, okay, let me step back and Enrique, let's just go over here for a second. I wanna understand where you're coming from. What are you talking about? What are your concerns? Listen to that, incorporate that, and then go, okay, cool. Let me go talk to David, right? I'm not gonna like name names, but let me see if I can't bridge something here. So you really are unhappy with this design choice. And I mean, I think I know where they're coming from on that. I think it's this. What makes you uncomfortable about that, right? And having these kinds of conversations, it's a lot of facilitation where I understand the tech they're trying to do well enough to be able to have that conversation, though not well enough to actually suggest a particular solution or not. But that can happen multiple times a day. Lots of bouncing, it might be calls, it might be typing on Slack, any number of things. And then when I start to lose my composure, I put all that down and I write a blog post because I write my best blog posts when I just get really angry with everybody. Steam off, right? Yeah, steam comes off and it's like, you know what, I'll just start typing. And it's all good. 
And I can see this issue when I bring up our industry. And the way I said it is because I can see this happening in organizations as well, right? So not only on these forums that you participate in, but clients buying technology today or running IAM programs, vendors building products, how many times they disagree, right? So I think it's a very valuable skill that takes effort, it takes intention, right? To make that and find a common ground. How's your role shifted with IDPro in the last couple of years, right? Because that's... IDPro has been super fun. So I was a founding member because I learned what Ian Glazer and Sarah, now Cecchetti, were trying to do in 2017. And I'm like, I think that's cool. I think a community that's just focused on identity practitioners is a cool idea, right? And they thought amongst themselves, you know what, it would be really nice if we actually had documentation, actual material, researched, published material, peer-reviewed material. Who could we get to actually organize a process like that? Which one? I'm like, me, me, me. And they said, you, you. And they hired me to be the principal editor of the Body of Knowledge, which is Creative Commons licensed, freely available material. It's got over three dozen articles at this point, just about all sorts of topics about identity and access management. It is peer-reviewed. It is reviewed by the board of IDPro. Lots of people get to look at this. It's pretty cool stuff. And as part of that, let me tell you about scope creep when it comes to jobs. You know, it wasn't just they put the process together. It also then was like outreach to, I need more people to be willing to write. I need to actually help them learn how to write. How do you do research? Because these are not blog posts. These are actually thoughtful, researched, 10-page articles, right? Help them work with that. Train them on the writing process. Work with them on the editing process. Polishing. 
Lots of, in some cases, perhaps a lot of rewriting because English is not necessarily their first language and they come out with this stream of consciousness, which is great for them. No one else is gonna understand a word that they said, but that's okay because I am here to help. But that then leads into, okay, well, how do you attract more people? You get into social media. And so I started taking over their social media bits and then taking over their announcements to Slack bits. And then taking over reports to the board bits. And then taking over, at which point it's like, excuse me, what am I doing? They had brought on an executive director, a president of the organization. And she left, I guess it was two years ago. Yeah, it was about two years ago now. And the board at the time was like, well, dang. Now what do we do? Heather, help. And I'm like, no, no, I don't wanna be executive director. I don't know how to do that job. I'll do it interim. How about that? And they said, sure. Okay, so now I am, in fact, the official executive director at IDPro. And still the principal editor. And that is one of six contracts that I currently hold. How many members are there today at IDPro? So in terms of warm bodies, it's around 1,300 people. Wow. But a lot of those come from, I mean, there's individual members, people who want to sign up directly for themselves. But then there's also people whose companies sign up for them. And therefore, if you come in at, say, an Oak level, then you get 10 seats that you can use for just your people as an interesting business development opportunity. Or if you come in at Diamond or Platinum, then it's like, really, how many seats do you want? Just take them all. And so some of the larger organizational members have hundreds of people. The reach is amazing. And with the recent news of the Identity at the Center podcast as well, the partnership. So tell us about, what was that about? What was that? Oh, that was glorious. 
Okay, so I don't need to tell you that producing podcasts is not a small amount of work. Oh, yeah. And it's not- Well, I don't know. I just show up. Well, I was doing showing up. I was also doing the organizing. I was also trying to figure out, what do the production costs look like? And it's not a small thing. So IDPro put one together just because we wanted to interview our members and help people understand, what did you do to get involved in identity? Because no one has the same story. No one went to school for this. Everyone fell into it. And so it was just this really neat. Well, when I guess Guy got was born into identity, but sorry, go on. One person. One person, maybe. But then we ran out of funding. And almost exactly at that time, Identity at the Center was like, hey, you know, we could partner. And I'm like, you're a nonprofit now, aren't you? And they said, yeah. And I'm like, yes. So the values aligned, the mission aligned. It was such a great partnership. It's fantastic. And they are such a wonderful team. Even though last night at the Identiverse, Identisquabble, Identity Feud, IDPro did kick their butts. I'm just saying. Yeah, I was curious. Who won it? Was it even close? We had 380 points and they had 100 and something. So there's another thing I wanted to ask you about, that it was a spherical cow. Yes. And I'm one of those guys, English is not my first language. So it's spherical, is it? Yeah. And I know the analogy of that. It comes from what a perfect cow would look like. Kinda. To make hamburger. It's the reference to a really old joke about theoretical physicists. Which in many areas of tech, people just use that to refer to how they end up needing to talk to management about something that's really complicated. I'm not gonna go through the whole joke. If you're curious about it, it's such an old joke and such an established joke. It has its own Wikipedia entry. Type in spherical cow, you will get the whole record. 
Well, I'm famous for the dad joke. So yeah. There you go. But what it boils down to is you're taking a hugely complex universe-sized problem, which of course we never have to deal with in IAM, and squish it down into something you can actually work with. Something you actually make traction on. Is it a perfect analogy to all the complexity in the universe? No. Does it necessarily need to be? No. Not to get started, not to make movement. An approximation is sufficient. Enough information is sufficient. And since my very first clients were almost the Laser Interferometer Gravitational-Wave Observatory people, also known as LIGO, black holes, don't worry about it, when I was picking a name for my very new one-person LLC, Spherical Cow, and I'm like, yeah, that's what I do. I take everybody's super complicated problems and I squish them down to something really, really simple to work with. And the physicists I'm dealing with will think I'm hilarious, and in fact, they made me an honorary physicist at the time. And thus, the company name is born. And who is the typical client? Is it like a CISO? So a typical client for me is actually usually a collaboration. So ICANN, which is a great big multi-stakeholder model, they were a client for a while. The IETF was a client for a while. I have people sponsoring my work with standards right now. Thank you very much for your sponsorship. And that would be like Google is sponsoring me for some of the standards work I do with W3C, but so is the International Association of Scientific, Technical, and Medical Publishers. Medical publishers? Oh, wow. The STM publishers. They're everywhere, Heather. Kind of. Well, it's about the Internet, right? And it's about identity. This is not a localized subject. Hence why she was number one on the list. What? Yeah. I read the logic. I thought it was sound. Easy choice, right? Easy choice. Easy choice. Easiest choice I ever made. 
Well, my mother was certainly very proud when I sent her a picture of me over Times Square. She has no idea what I do. She's pretty sure I'm just like this international spy. Yeah. But she's like... Yeah, I got calls. Enrique, the internet is low today. Do you get those type of calls, too? No, I found a way around that. Oh, tell me. Okay. So people talk about AI as like, oh, it's coming for your jobs. It hallucinates. It's really scary. Yes. But I found a service and I'm like, okay, they'll set up your AI bot that is you when you're asleep or something like that. And I trained it with my blog posts and some other material. And then when my mother called, she's like, hey, I've got this question. And I'm like, that would be really neat if you talk to my bot, mom. What do you think of that? She did. She did. And her response was, this is amazing. Can I talk to it instead of you? I'm like, yes, you can. And she says it's much more polite than I am to her. Well, you trained it well. I know. Right. It was actually a configurable setting. You know, how funny, how polite, all this type of thing. I'm like, well, if my mom's going to use it, let me set it this way. I had a similar interaction with my mom. And she's a doctor, pediatrician. And I remember vividly, now AI is mainstream. And she gave me a call, Enrique, do you know this thing about ChatGPT? It's amazing. And then it types in English, I say Portuguese, English comes out. And I'm like, yeah, all right, OK. She's not in IT, not in cyber, not in identity. And that's OK, now AI is mainstream. Because AI is not new, right? So any of those standards, and ICANN, and all those organizations, where do you think is the intersection of those standards and identity? And I keep thinking about this, Heather. And perhaps our clients, they keep them awake at night with non-human identities, AI agents, identity as a whole. What could we do in terms of regulation, right? I had this, and I promise I'm going to get to the point. 
I had this hypothesis the other day of among all the risks of AI and AI agents, yes, taking away or replacing jobs. But yeah, that's a concern. But the biggest one was around culture. And we had a discussion about culture and how AI can generate such individualized content that we miss the human interactions of shared experiences. So with that, and perhaps other risks around AI and agentic AI, what do you think we could do in terms of standards to help mitigate that and other risks? It's a really interesting question, because right now, especially given the hype around AI, vendors and a lot of other people who think using this will suddenly let them lay off all of their staff and make all the money in the world, right? They're not willing to go slow. I'm going to pick on the Model Context Protocol for a minute. MCP, right? OK, so MCP is serving a very, very important function in the ecosystem. It is like that universal adapter you bring with you when you travel so that you can plug it into anything in any country and still get power. Amazing knowledge. I love it. So cool. That's awesome. You know that's not a standard, right? That's not being standardized. It's an Anthropic thing they developed. And bless them, they're doing the right thing in terms of making it an open source project. Anybody can look at the code. That's cool. But that doesn't make it a standard, right? To bring it to a standards organization, for all I care, make a standards organization. Do a FIDO Alliance model of, OK, we've got this really very specific thing. We're going to build something up. Because what that structure brings is it makes you slow down. It makes you think. It makes you say, what are the security considerations involved here? What are the privacy considerations? What are the accessibility considerations? It may be happening, kind of haphazard. But there is no structure around it to force that question to say, is this actually the right thing? And that worries me. 
And all of AI worries me like that. The speed they want to go where I don't think people want to standardize it because they want to go fast. Yeah. This is a hindrance. And you speak of standards, right? What comes to mind? And being in this industry for as long as I have, I'm so old. But I remember standards like SPML, things like dead standards, right? So what do you think makes a good standard or a standard that doesn't last? And have you seen standards that, oh my god, this is so wrong. Why are we even writing about this? Yes. That's the answer, yeah. OK. Well, it was funny. Since it's been many years and all the people that were on the Internet Engineering Steering Group have now moved off. For the record, no offense, guys. Yeah, absolutely. I mean, it didn't work. Right? So they're now not there. They've rolled over. There's a whole new set. Maybe they don't use this acronym the way they used to, which was HBU. What happens when you're going through the RFC publication process is, of course, a draft is created. Consensus is formed around the draft. And then it goes to the IESG to sort of just make sure that all the different areas, the Internet Engineering Steering Group that sort of oversees the IETF. And they go through and they're like, OK, but does this overlap or conflict or do anything weird with these other areas, with transport, with internet, with security, with routing? But there would be stuff coming in and they'd go, yeah, HBU. Harmless but useless. And they'd say, yeah, just go ahead and publish it. It's harmless but useless. It's harmless. And I would light on fire because, of course, I'm looking at the reputation of the whole series. And I'm like, you're willing to publish completely useless? Such a low bar. It's like, well, it didn't do it any harm. And we just don't have enough time in the day to push back on stuff like that. And I was like, oh, man. And that happens a lot? It happens enough that they had an acronym for it. 
Again, I don't know if they still use that. That's new to me. Harmless but useless. And maybe we're using that in the office. You bring up a good point about the standards of AI and basically not wanting to slow down. And I think that's. Yeah. I think it's very accurate, I think, the way that the industry wants to move and innovate with this. They don't want to take the time and slow down because we're getting very close to the Ian Malcolm of, we're just trying to see what we can do, not whether we should or what it's supposed to look like. And it's that dangerous part of the curiosity side of an engineer or a scientist where you start to see these things and you're just like, can I do this? And then can I do this? And I think the amazing thing about it is that the more you ask those questions, it evolves and gets even better. And then you're now, can I go do this? But to a point, I think we talked in a previous episode, we're still in this cycle of, especially in security and technology, we're going to do things until something bad happens that makes us go, oh, guess we should go put these things in place. Now it's standard. My fear with this, though, is that I think this bad thing is going to be exponentially worse than we've ever seen because of how fast it's moving and how far-reaching it can get. I think CrowdStrike level stuff, that was huge. That affected so much of just commerce in the US and even outside of that what we saw. And I'm like, the explosion of this and how fast we're moving this, and if we're just going to sit and do our normal thing, it was like, we'll just wait till something bad happens. And then all of a sudden, we're like, OK, now we'll put these things in place. I don't know, I fear that that bad thing is going to be really, really bad because we're going to be so far down the pipe. We're not used to technology moving this fast. I'm going to die on that hill. People will tell me, oh, but what about SaaS? I'm like, OK. 
But SaaS was like, yes, you can go and get a credit card and sign up for this application, cool. And SaaS to me was like horizontal. I've got a bunch of people who are also creating these applications. So it spread that way, right? And I'll call vertical, meaning adoption of how many people are using it, right? SaaS went really fast this way. It was vertical adoption, but it was kind of slowed because organizations were still kind of risky or they would find it. This thing is both ways, right? Not only is it like, hey, here's all these other different people who are creating how you can use AI, but also in itself, the adoption rate of it and the actual technology is changing. The SaaS application you bought in January didn't completely change in June. It was still the same application, right? Maybe they launched you some new features, but like ChatGPT, when it launched, and then like 18 months later, almost completely different. Four new models were published, I think, right? The ability of features that it had. And so that's the part that I'm like, this is cool, but like. What is the standard? Well, so one of my, you have those interviews and they say, what's your greatest weakness and what's your greatest strength? And yeah, it's usually the same thing. I am super Gemini in how I think about things and pretty much about how I live. But on the one hand, that whole speed and the risks that it brings is terrifying. On the other hand, I have a whole lot of sympathy for, you know, we talk about, well, where does harmless but useless come from? It comes from not having any experience. You can't just theoretically come up with, well, I think it will look like this and not test it. You know, you've got to test it. I think where it gets squirrely and that we haven't found a way around yet is the scale of the internet and the scale of digital identity has exploded. 
So when you are testing, let's talk about what Google did a few years back when they were talking about cookies. And they said, all right, well, we really don't understand what will happen. So we're just gonna turn it off for 1%. That was a lot of fricking people, right? And for organizations that were all trying to, it's like, which 1%? You know, it might be one person out of who knows how many and your help desk was gonna go, well, it works for me. You know, but what was Google supposed to do in terms of, well, we don't, we won't know until we try. But you can't try anything these days without suddenly hitting it at a scale that you've never hit it before. So you need the experience. It's hard to get the experience without suddenly breaking all the things. And I think we're getting to the point, Heather. If you could give advice to listeners here, both IAM leaders and vendors like us, how could we perhaps collaborate better with standards-making organizations to expedite it? Wow, let me tell you about how hard it is to find consensus, right? Learn about what it means. Yeah, you made a company around this, right? Pretty much, pretty much. So one of the biggest gaps in standards development is how few people participate. Like any given IETF meeting these days has, I mean, think about it, the IETF, the RFC series covers how the Internet routes, BGP, DNS, SMTP for email, OAuth for the identity space, remote attestation. I mean, it's the breadth of how much it touches. Yeah, about 1,200 people show up. It's not even half the size of Identiverse, right? In terms of how many people actually go to a meeting. There's more participants that participate on mailing lists and whatnot, but it's still, where is everybody? And yet the Internet is relying on these standards. Did we get all the right voices in the room? Did we have enough diversity of thought from different vendors, different cultures? 
Since standards take so long, vendors look at it and go, well, that's cute, charming. I got products I gotta get out now. And so on the one hand, I really wish vendors and enterprises and whatnot would take the time to say, okay, but there is a long game to this. And yes, you have to make sure that you exist long enough to reach the long game. But. But you really would do better to just build in some amount of time to participate in the process, to give feedback to what's going on and to be willing to compromise such that we can reach consensus and keep it moving at a reasonable pace. I would love to help in making that message stronger and say, hey, there are benefits. Yeah, it's a delayed reward, but I can understand, for example, some benefits of a vendor participating in the definition of a new draft of a standard. So you come out of the gate already supporting that standard. It's called first-mover advantage. Yeah. Do you think that makes it harder to get consensus then when you have like, so let's say the vendor community did a better job of participating. Now, it's already a struggle to get consensus. Now you gotta get consensus amongst competitors who are like, well, no, I think it should be this way. Right? Because it's human to be competitive, right? I mean, that's not, why do standards take so long to develop? That's very much why. And that's why I said, please become willing to compromise. Because yeah, people will come in and say, no, my product does this, therefore the standard needs to match my product because this is what's being implemented. Yeah, but your competitor is doing something slightly different. And if you ultimately want something that will improve the whole Internet, then you're gonna need to find some common ground into how to make this work. Brief exposure to standards in a previous life. I can't get there as often as I was like, but on the Ipsy working group. And listen, it is tough, right? 
Like to get consensus and then like go down to such depth. And so I can definitely see the challenge for somebody who's like, hey, maybe I wanna give up. Let me jump onto this. And it's like, holy crap, right? Like, it's like no matter where you start, you have to just start running on the treadmill. 'Cause it's like, we had these five meetings before you got here. We had all these discussions and you're like, whoa, wait, but what about that? But then you don't wanna hold up this meeting 'cause it's like, go read that. So it is a challenge, right? I do think it does need more people to kind of be involved and kind of help move these things along. Because I think the other thing that we have to do is realize for like the vendors. And on that side, it's like, standards aren't going to stop you from competing. If anything, standards accelerate your ability to go in and do the things you want. Because now it's like, okay, I don't have to focus on how are we gonna go do this thing? If there's a standard that I can follow, I can put my intellectual capital and build my IP around something over here that utilizes that standard. And I think that's one of the perspectives that it takes in vendors to kind of flip. You still have the whole capitalist thing of the day. At the end of the day, it's like, I gotta go build a product. I gotta be here long enough. Do I want to commit resources to a standard that may never get adopted? Because that's the other thing, right? There's creating the standards and then hoping that people actually use the standards. HBU stuff, which goes back to that point. So do you see a common thread between the standards? Okay, this really works. This was a very productive meeting versus other meetings. Oh man, this is just a waste of time. Well, I can tell you one thing that differentiates useful meetings from not useful meetings. It's a key thing. Like if you do nothing else, get someone to take notes. 
And interestingly enough, that's not something most standards organizations are willing to let AI do. Because there will be times where you're like, no, pick up the pen. We need to have- You gotta do the work, right? Don't necessarily want this recorded, but some human judgment needs to go into it. But yeah, having those notes, because a couple of months down the road, if someone comes back and says, wait, no, that's not what I said. Write it down, write it down. So much write it down. It's huge, just huge, huge. I love this type of advice. It's pragmatic and oh man, it's just achievable. One thing that, another thing, especially vendors of a certain size and- Stature. If you have, like one of the things that I do is for those groups that are sponsoring me with the standards that I do work directly with, I create a report every month that says, all right, here's what this means for your industry, but that's like the TLDR. And then there's another section saying, okay, let me remind you what these specs are. And then it's like the detail of here's what goes in the actual issues, quick summaries, what opened, what closed in the last month. Having someone on your team dedicated to just create those reports, because then you take the top part and say, okay, executives, poof, that's what you need to worry about. Engineers, is there anything in here we care about? And it's just a structured thing. Those are really useful. And you are already writing those reports, let's say. For some things. I don't scale infinitely. I can't write them for everything. But the model makes a lot of sense when you're trying to promote this in your own organization. Were you involved in CAPE? I was not involved in CAPE. I was not involved in CAPE. I watch it from the sidelines, such that when the Shared Signals Framework and the CAPE profile happens, I'm aware of it. But I'm currently a lot more involved in that moment when you click on the login button in a browser. 
That's complicated stuff, man. Oh, yeah, yeah. That's complicated. I'm also getting involved in the, okay, assuming, again- Are you talking about tracking pixels? No, no, no. I'm talking about, once upon a time, when you go to login to the New York Times, you click on the login button, stuff happens, right? And that stuff that happens could very well be all off behind the scenes. The browser didn't care. The browser basically was just this rendering window to take you from here to here, and that's all it did. It was a rendering window. And then companies were like, well, wait, but you are enabling tracking behavior. You are enabling stuff that's not safe for users. You, big tech, the owners of the browsers, you need to take some responsibility for all of this, which I get the logic. And of course, when you are a Google or an Apple, that moment of logging in, of signing up, making that easier for users is desirable behavior. But the protocols, the underlying protocols, OAuth, SAML, they were never designed for the browser to actually step in the middle and go, excuse me, traffic cop, are you all okay with this? Everybody? Everybody's okay with this, right? Yeah. There's API calling, there's other API, and there's other IP attacks. Right. It's like, are you okay with it? End user individual is, are you okay for this relying party to talk to that identity provider? Identity provider, are you okay to talk to this? RP, are you okay to talk to that? And like, multidimensional, are you okay with this? Which is a really awful user experience if you don't get the specification right. And so, yeah, working on that kind of specification. Yeah, which is very runtime. And... Come to my Identiverse session on Thursday. Just talking about that. I love it, I love it. And then, by the way, this is being recorded during Identiverse, right? And for me, it was kind of obvious how much attention we're giving to machine identities, I think, is overdue. Yeah, yeah. And... 
A lot of attention to wallets, which is another area that I have to pay a lot of attention to. It comes down to that account choosing, the credential choosing, potentially the wallet choosing, all of which are not the same thing, but overlap from the user's perspective. Do you think, because the U.S., and we had a discussion about this in another episode, on U.S., it's the United States, right, of America, so each state has specific regulations and laws. Does it make it more difficult for standards to work? Because the way the U.S. is versus, let's say, Canada or other countries? It doesn't make it more difficult for standards to work. It makes it more difficult for people to implement, choose what to implement. So, a current, for instance, is, when we're talking about Apple wallets or Google wallets, or independent third-party wallets, like the Cyrus Foundation Dub Dub Wallet Project, it's an open-source project that will allow for white-label wallets. But looking at those three areas, okay, what protocols will Google be willing to support, right? They lean more towards the OpenID for verifiable credentials. Open standards work, great. But Apple leans more towards the ISO, Mobile Driver's License, MDOC specifications. And they sort of look cross-eyed at each other, going, wait, I don't know if I want, do I have to support that other credential standard? I mean, I'm not sure I, hmm. Right, and in the meantime, the states are going, look, I just needed to hold a thing. Could y'all just sort this out so we could figure out what we're trying to do here? So, yeah, it's not the standards in that case that's the problem, it's everything else. It makes sense. All right, so, a couple of rapid-fire questions as we wrap up, Heather. Thanks so much for your time. Thank you. We know you're a very busy woman, because, you know, you created the internet and all, so. Sorry, yes? All right, so, first one. All-time favorite Identiverse session. All the time. Yep, all the time. 
I don't even get to go to sessions. Dr. Greissig ran around behind the scenes. Okay, the best one you reviewed. Oh, good heavens. The best one that I've ever seen. You know what, I'm going to promote my own one. Okay. Yes, I am. Let's do it. I'm going to promote one I did in 2022 that actually talked about the different standards organizations in terms of what's the difference between an industry-based standards organization, an open standards organization, and a treaty-based standards organization. I mean, it actually was like a 50-minute, went into what are all these things as they relate to identity. Yes, six people showed up for that, because they put me right against the passkey session that was brand new at the time. I had to do it at the time, yeah. So, I'm going to pick that one. Can I ask a question? Yeah. Favorite band. U2. Right, cool. So, the reason I ask, I like asking this type of question, so people out there that, hey, I'm too intimidated, even approach Heather, and say, hey, Sunday, bloody Sunday, they'll have something to talk and approach you. I'm sorry, if someone comes up to me and goes, Sunday, bloody Sunday, I'm going to have perhaps different reactions. Probably like. Thank you, Heather. No, such a, well, delightful experience here with you. It's internet royalty, right? So, yeah, I really. What, David? I'm laughing at Heather's face. No, you are. You are. I am responsible for a lot of words. Do you want to say something else that people don't know about you, maybe would make you have to talk about? Just that, you know, if anyone happens to be listening to this who doesn't think they're technical, I hate that, by the way. It's like, I'm not technical, therefore I couldn't possibly. Remember, medieval English history degree, library science background. Love it. Heather, you're amazing. Thank you very much for coming to the show. It was a pleasure. Thank you so much. Thanks, Heather. So, yeah, public service announcement. 
Maybe don't write Heather. Say, hashtag you too, or something like that. Or maybe you do. But I love how real and how approachable Heather is. Oh, yes, man. I had some, you know, starstruck moments, and said, wow, it's such a celebrity with us here in the show. That was one of those times. Yeah. But she was so cool. And the human part of that. Don't say you're not technical. No, just go and talk to people. But more important, listen to people. Yeah, no, Heather's been a driving force behind a lot of things for a long time. So I'm really, as somebody who's her friend, I'm glad to see her get that recognition. And I love her enthusiasm for it. Like, because we need it. Because I couldn't do it. Like, I could not do it. I've tried a couple of times being part of standards bodies. And it's just, it is a lot of work. Getting consensus is hard. It really is. It is really hard to get, you know, three people in a room to agree about somebody, let alone 15, 20. And her enthusiasm for it, her love for it, and being able to organize it, put things together, is fantastic. A lot of work. I'm just happy that you and I, we agree about everything. So far. Not. That's life, though, man. Man, that was fun. Thank you, David. Yeah, thanks to you. Thank you. Good rep, man. All right, guys, we'll see you. Bye.

TL;DR

  • Heather Flanagan, former RFC Series Editor for IETF, emphasizes that effective standards work requires communication and consensus-building skills rather than pure technical expertise, drawing on her library science background to facilitate collaboration across diverse technical communities.
  • AI development is moving dangerously fast without corresponding standards or governance frameworks, with vendors prioritizing speed over the security, privacy, and accessibility considerations that formal standards processes enforce.
  • The digital wallet ecosystem faces fragmentation as Apple and Google support different credential standards (ISO MDOC vs. OpenID for Verifiable Credentials), creating implementation challenges for states and organizations.
  • Standards organizations use the term 'harmless but useless' (HBU) for specifications that pass publication despite adding no real value, highlighting the tension between maintaining quality and managing limited review resources.
  • Non-technical professionals can make significant contributions to internet infrastructure and standards development, as demonstrated by Flanagan's career path from medieval English history and library science to shaping core internet protocols.

The Role of Standards in Identity and Internet Infrastructure

Heather Flanagan, former RFC Series Editor for the Internet Engineering Task Force (IETF) and a leading voice in identity standards, discusses her unique career path from library science to shaping internet protocols. With eight years overseeing RFC publications and involvement in multiple standards organizations including IETF, OpenID Foundation, and ICANN, Flanagan explains how standards work is fundamentally about communication, organization, and consensus-building rather than pure technical development. She describes her role as translating complex technical concepts for both users and management, facilitating collaboration across diverse communities, and ensuring that standards processes consider security, privacy, and accessibility implications. The conversation explores the differences between open standards organizations, industry-based groups, and treaty-based bodies, highlighting how each approaches consensus and publication differently.

AI Development Outpacing Standards and Governance

A central concern raised in the discussion is the dangerous speed at which AI technology is advancing without corresponding standards development or governance frameworks. Flanagan points to the Model Context Protocol (MCP) from Anthropic as an example — while it serves an important function as a universal adapter for AI systems, it remains an open-source project rather than a formal standard. The rush to commercialize AI is preventing the industry from slowing down to address critical questions around security, privacy, and accessibility that standards processes typically enforce. This represents a fundamental tension: vendors and organizations want to move fast and capitalize on AI opportunities, viewing standards work as a hindrance rather than a safeguard. Flanagan warns that without structured governance, the industry risks a catastrophic failure far worse than previous incidents like the CrowdStrike outage, because AI's reach and speed of adoption are unprecedented.

Digital Wallets, Verifiable Credentials, and Implementation Challenges

The conversation addresses the complexity of implementing digital identity standards, particularly around verifiable credentials and digital wallets. Flanagan explains the current fragmentation where Apple favors ISO Mobile Driver's License (MDOC) specifications while Google leans toward OpenID for Verifiable Credentials, creating confusion for states and organizations trying to implement wallet solutions. This highlights a broader challenge: even when open standards exist, competing implementations and vendor preferences can create practical barriers to adoption. The discussion also touches on the nuances of account selection, credential selection, and wallet selection — concepts that overlap from a user perspective but represent distinct technical challenges. Flanagan's work spans multiple standards bodies addressing these issues, demonstrating the interconnected nature of identity standards work and the need for coordination across organizations.

Chapters

0:00 - Introduction and Guest Welcome
1:47 - Heather's Background and Career Path
3:28 - What Standards Work Actually Involves
5:41 - Standards Organizations and Their Cultures
17:44 - AI, Standards, and the Speed Problem
21:11 - Dead Standards and 'Harmless but Useless'
24:12 - The Coming AI Catastrophe
36:53 - Digital Wallets and Credential Standards
38:44 - Rapid Fire and Closing Thoughts

Key Quotes

1:47 "I have touched the Internet in many ways, but all of them have been completely appropriate."
4:41 "The reason we don't have plain text ASCII anymore. Yeah, it took eight years, but by gosh, I got them to change."
20:24 "To bring it to a standards organization, for all I care, make a standards organization. Do a FIDO alliance model of, OK, we've got this really very specific thing. We're going to build something up. Because what that structure brings is it makes you slow down."
22:31 "Harmless but useless. And they'd say, yeah, just go ahead and publish it. It's harmless but useless."
24:38 "My fear with this, though, is that I think this bad thing is going to be exponentially worse than we've ever seen because how fast it's moving and how fast reaching it can get."
40:50 "If anyone happens to be listening to this who doesn't think they're technical, I hate that, by the way. It's like, I'm not technical, therefore I couldn't possibly. Remember, medieval English history degree, library science background."

FAQ

What does an RFC Series Editor do, and why does it matter?

The RFC Series Editor oversees the publication process for Request for Comments (RFC) documents at the Internet Engineering Task Force (IETF), which define core internet protocols and standards. Heather Flanagan held this role for eight years and led the transition from plain text ASCII format to a modern multi-format publication system, ensuring that internet standards documentation remains accessible and relevant.

Why is AI development moving faster than standards can keep up?

Vendors and organizations want to capitalize on AI opportunities quickly and view standards processes as hindrances that slow innovation. Unlike traditional technology development, AI is advancing at unprecedented speed without the structured governance that typically addresses security, privacy, and accessibility concerns. This creates risk of catastrophic failures because there's no framework forcing developers to consider these critical questions before deployment.

Do you need to be a developer to contribute to internet standards?

No. Heather Flanagan's career demonstrates that standards work requires communication, organization, and consensus-building skills rather than pure technical development expertise. Her background in medieval English history and library science enabled her to translate complex technical concepts, facilitate collaboration, and ensure standards processes consider broader implications beyond just technical functionality.


Categories:
  • Data Protection
Tags:
  • Identity & Access
  • AI & Machine Learning
  • Compliance & Governance
  • Technical Deep Dive
  • Best Practices
  • Internet standards development
  • RFC publication process
  • AI governance and regulation
  • Digital identity standards
  • Verifiable credentials
  • Digital wallets
