Truth in IT
Saviynt Identity Security Posture Management

Saviynt
07/03/2026
Transcript


Welcome to Savvy Talk, where conversations aren't just taught, they're the start of something bigger. Let's get rooted. Let's get real. Now, you can't have a great conversation by yourself, maybe some of you can, but not me. I've got to bring my friends with me, and that's who I've got. First, let's start with Simon. I'm Simon Gooch. I'm the field CIO, and I am the self-appointed eye candy for this show. Oh, my God. And next up is Enrique. Hi, guys. It's Enrique here. I'm the SVP of Strategy at Saviynt. And last, but definitely not least, Jim. My name is Jim Routh, and I'm the chief sommelier officer for Saviynt. By the way, it's Routh like South, rhymes with South, but if I speak too much, then it's mouth. Okay? So, Routh like mouth. Like the mouth of the South? I like that. I'm going to talk to my agent about that. That's a great idea. We all got to talk to our agent. Right? Another good point. Right? Absolutely. Absolutely. This guy gets his own, like, special water. Like, ideally. We're going to talk to Ronnie about that. I think he'll make some changes. All right. So, listen, guys. Today's episode, we're going to talk about ISPM a little bit, but we're also going to talk about and get a chance to talk to a really great product leader, which you don't get a chance to say that a whole lot. There's a lot of people that say they're great product leaders, but ... I've known this guy for a while. I'm pretty stoked that he accepted to join us. I don't know why he accepted. Nice. Simon's here. I think the first question is, are great product leaders born or created? That's a brittle matter. I would ask him that. You mentioned ISPM. Yeah. I think ... I know there's sponsoring there. I don't know how many of the audience here would think, is this about yoga? Is it about a good posture? What is this? So I think a lot of interesting questions about what identity security posture management may be. Oh, is that what it is? 
I thought we were going to start doing, like, downward dog. That's what I propose. Not exactly. I'm on the wrong side. We got to go. No. So, yeah. Identity security posture management. I kind of want to get your guys' thoughts on this. It's an area that's kind of grown over the last couple of years and just turned into this kind of new age for identity security. Where do you guys see this in the industry? Why do you guys think it's needed right now? David, this was the acronym that got away. Hmm. When I was at Gartner and we were talking a lot about ITDR, that was perhaps the follow-up. So you are on the Star Wars guy, right? So it was the sequel. A sequel to ITDR where ITDR was all the things on the sequels. Sequels are always my style, right? Are you sure it was the sequel? Hey, the prequels. Empire Strikes Back is much better than Star Wars. Like, do not, let's not. That's the best masterpiece. Exactly. All right. So, but I think there's a lot to that, too. So that acronym that got away in a sense that, um... Sorry, I've got to cut. Rocky 2. Not as good as Rocky 1. Am I going to be allowed to speak? Probably not. All right. Come on. You know the answer to that question? Has anyone ever stopped you speaking? Well, I have duct tape. All right. I'm excited. And with eye candy like this, it's inevitable there's going to be self-help today, but also hot takes. Self-help. And that's why I'm at the end, because you don't want too much distraction. But when we think about ISPM, I think there's a lot of hot takes about that in the industry as well. Right. Yes. So what you're saying is this is all your fault, because didn't you come up with ITDR at Gartner? That was me. Oh, my team came up with it. So are you gutted you didn't come up with ISPM, then? No. Are your top five things you wish you'd done? Is it number one, two, or three? Okay, let me answer that. But I left to join Saviynt before I could finish writing the thing. So you're saying it would have been yours. 
It could have been. That's why I was at Gartner, by the way. Well, you're no longer at Gartner. Now you can make it real. Fair the watch, Dale. All right. So with that, let's bring in our guests. Let's bring them on. Let's talk to them. We've got a great, we've got a visionary here, people. Like this is, I first met this man, we sat down in Atlanta a couple of years ago. And one of the things that really got to me is when you heard him talk about what it was that he wanted to do, it's rare that you find product leaders now that have such passion about building something. You can really tell that this was something he had spent time and energy thinking about. So real excited to bring him on. Vibhuti, Chief Product Officer of Saviynt, let's bring him in. All right. So Vibhuti, welcome. Thanks for taking the time and hanging out with us today. And I really want to kind of start the conversation, like talk to us about why ISPM and like why now for this industry? First of all, it's so good to be here with all your prominent speakers. Yeah. Thanks for coming. Thank you. Oh, you are the best to begin. So coming to ISPM, David, if you look at two ends of the spectrum, what organizations have been doing is looking at the first end, which was doing identity security in a very reactive manner. And I think the time has come now to look at the other end of the spectrum, which is doing it in a productive manner. And the reason why it is more important now than ever is as the number of identities keep on growing, especially with NHIs coming in and the sprawl in AI agents, doing things in a reactive manner would not take you far. And doing it now is important because where you are as an organization, you will not be set for success in the coming years. So you have to start planning. You have to start strategizing it now before it becomes too late. So that's why our investment in ISPM has been going on for two years now. I'm really pumped. 
I'm really excited that it is coming to fruition. Thanks to our chats. Jim has been amazing in giving me brutal feedback. Only Jim? I'm coming to you too. These acronyms. Yes. Enrique, thank you for coming up with the acronym. Simon, the person who looked at my demo for the first time and said, hmm, it's okay. And I said, blowing praise from here. I genuinely thought it was okay. Yeah. I want to ask you a question about that. So the first time coming with the idea, and perhaps for people in the audience here that they're not product leaders like you. How did you make that fit into all the other roadmaps that you had to launch, had to plan for, and why did you decide, okay, now it's time for ISPM? And that's two questions. I'm going to give you a third just to make it really complicated for you. I'm going to prioritize, you know, that that's my job. And I think this is the most important part of these three questions. Where were you when you thought about those two questions you just had? So were you in a bath? Were you at home? Like, let's make this real for people. Were you driving? So I would say that majority of my ideas come when you talk to a customer. And this was two, two and a half years before when we were talking to a customer. Not sure if I can take their names, but for... Let's call them Edward. All right. So customer Edward. And they started mentioning about the challenges they were having, about how bad they were struggling with to certify their user access reviews. And they were worried that less than 1% of their users' access were getting certified. And they were now also dealing with a massive sprawl in non-human identities. So what led me thinking is that we are not even scaling up for human identities, what will happen beyond when we start looking into NHIs and AI agents. The point what started coming up was that currently the identity platforms, any incumbent platforms, they are not ready for what's coming. 
And that's where the whole moving from a reactive nature of solving an identity security problem to a proactive one becomes important. And it's more about also not just moving from reactive to proactive, but also fueling with intelligence to cut down the noise. So that's the time when this whole idea started building up. When was that? It was like two years ago, you said? So this was back in 2021 when the whole pandemic started. The explosion of identity started with respect to contractors, external contingent workers. It just snowballed, right? And organizations were starting to see the struggle and the stress in the system with respect to how their governance processes were not effective. And that was a time when Gen-AI also started picking up. So the whole notion of the sprawl with respect to non-human identities and Gen-AI or AI agents started. So what it resulted in was that you have a problem of the current systems not scaling for human identities and you have a massive problem coming up. So then that was a time we saw it as an opportunity and we started thinking and designing it. And you mentioned energy and I do have a really, really important question, which is what do you eat when you're trying to think about solving these problems? What's your go-to food? If you're working late, which I know you do pretty much every day, what's the thing that kind of gives you energy and keeps you going? Don't hold me accountable for it because this is something which the CEO of Saviynt and I both really enjoy, it's mutton biryani. What is that? Mutton biryani. Is it spicy? Yes, indeed it is. So tell us about ISPM as a definition of this, like Identity Security Posture Management. Is it something that, what it means to you and what is your definition by Vibhuti, the Chief Product Officer at Saviynt, what does that mean? 
So Enrique, to be very fair and square, when we started conceptualizing this idea, the first thing what we did was that what is there in the market and is there any existing product which is doing this? And to be honest, there were quite a few. There were quite a few. So the first thing was that we did an analysis of like what is the market already offering in this and is that the real definition of ISPM? And then when we started talking to the customers, we realized that it's not. If you look at it holistically, I broke down ISPM into four different dimensions which it has to solve and what I found was that there was only one dimension and that too a sliver of that dimension which was being solved by the majority of the players and I'll break it down for you. Number one, if you look at it today, everybody is talking about investing in AI. The only long pole where you are not going to get the maximum returns of your investments with AI is the quality of data. And I think all of us sitting here know how poor identity data quality has been. So then that is when we started looking into it, we started analyzing the data, what we already have with our customers. So more of that identity hygiene perspective? Okay. Like I was shocked to see the numbers. It's like 80% of your roles and entitlements data are poorly described. It sounds very trivial, but any time when somebody picks up their phone or writes an email that, hey, what does this entitlement mean? It's a loss in productivity. It's a governance over it. Let's see who does that. Oh, that would be senior executives. We spent a lot of money on. Oh, okay. Got it. So when we looked at it, even vendors like us, we have not done enough when it comes to solving the data quality problem. And I truly believe that that is one very important pillar for our ISPM. Nobody else in the market. I agree. 
Honestly, and I've heard you talk about this before and it heartens me for you to say it because we're admitting to the failures of the past, right? I mean, one of the key things for me in terms of that first bit, that first bit of I think your vision is us owning up to the fact that it wasn't good enough, right? Exactly, Simon. In fact, if you talk to the customers, the sad part is the customers have accepted that the quality is going to be bad. So like they don't even want to talk about it because they know and they have assumed that this is always going to be the state of affairs and we want to change that. Nobody else is in the market doing this and we want to change it because until and unless you do that, you are not going to achieve success in this new era of AI and NHI. Data quality will play a very, very important role. That's why I just think that's such an important starting point is to be able to just own up to this is why this is important. And we all have a part to play in the history that's led up to this point. Right, yeah. And as an industry, right, it's why, right? I'm going to put a little bit of words in your mouth, Vibhuti, but like it's why this is so necessary now is because of things like that. As an industry, we've kind of just led customers to believe it's like, yeah, we're not going to fix this problem. So like it, deal with it. Right. And that's kind of what we told the market. But now as we start to look at it, we realize that it's like both with technology, you know, lessons learned, we can start kind of solving these problems. I want to shift the conversation just a little bit to just yourself kind of being a product leader. And some of the things that you've already shown in this conversation, right, some very mature, you know, product leader ways. For those of you becoming product leaders: always prioritize when people ask you anything. Right. You take it in to go. 
I prioritize that, which basically is a nice way of saying, yeah, right. I'll get to it later. But like, talk about your journey, you know, coming into this. Right. Like we've had a conversation just about how you've been thinking about identity. And, you know, one of the things that I've admired about you, you've always had this very strategic lens on identity. Sometimes seeing things, you know, five, 10 years kind of down the road. But talk to me about that journey of becoming like the product leader, like some lessons learned, the things that how you got to where you are today. Yeah, I would say that if I have to sum up my journey at Saviynt, I will put three tipping points or three inflection points on my journey. And first of all, I have done identity throughout my life. I don't know anything else. If you ask me, I don't. Yeah. I say I'm pretty usable. Oh, for that, I have to learn. Jim, I told you I'm a newcomer in that. So 2008, 2010, less than three percent of identity projects were successful worldwide. Less than three? Less than three percent. Why? Because massive sprawl of infrastructure. Like, imagine upgrading an identity infrastructure. It used to take months. It used to take months. Yeah. So 2010, 2011 was when Sachin asked me to join Saviynt. And he asked me that, can we build this on cloud? I had zero knowledge about cloud, to be very honest. I said, yeah, fine. It sounds very exciting. Let me learn. I would say the first. I would say the first one, two, two years were all learning. But we took our time and the first identity governance as a platform was what I built and I would call that as my first inflection point in Saviynt. It took us four years, 2014, 2015. So that was like the first defining part. Do you think of that as your first, is that your first child? I would say. Because I've heard a lot of people refer to your products as your children. Yes, for sure. 
And I would also say that people think that once the launch happens, everything is good. No, that's when the shit hits the fan because you know, like we all know what happens when a kid gets born. That's when the real works. On top of what Simon asked you, so your first experience of product and why do you think Sachin picked you, right? So to other people aspiring to that profession, like leading product or product management. So what are the things that you learned through that journey that will be useful for the people to follow those same steps? So I think the only things which matter, which I also look for when I hire people, are two things. One is passion and the other one is accountability. Everything else can be taught, can be learned. Sachin and I had worked in previous projects. He has seen me working with passion and dedication. I think that's what ticked him. And I also told him that I'm interested in doing something new, something radically different. So those were the two reasons. How about intellectual curiosity? Oh yes, that's a very good one. And how about because look, there's not any little exception or diplomacy. Only for you, Simon. Yeah, intellectual curiosity is definitely one. But to finish what David asked, then the second part of my journey was more about, I did IGA and Sachin and I, we were having again, a nice dinner in Miami, I still remember that. And he asked that, what should we do next? And I told him that we have done IGA, we are seeing good traction. Let's take PAM to cloud. And I still remember, his fork dropped. And he said, no, it cannot happen. I said, let's try. So then we did some paper napkin designs. And we tried that. Two years, I did close to 13 prototypes. It was all shot down. Good that it was shot. The 14th to 15th one was pretty good. We showed it to Gartner. They said, you guys are crazy. This is never going to work. Fine. We kept on cutting. No offense. 
Well, I was Enrique, that's like, for the record, I was opening IGA back then, not PAM. So it was a different. I think what happened was, and again, to what Enrique, you also asked, what made us keep going was, don't get deterred by what the industry is saying. Many times, industry doesn't know what they want. So we kept on doing PAM. 2020, when Okta introduced their IG and PAM, they just legitimized the whole market. And that's when the philosophy of convergence got born. So we were the first ones to lay down what convergence means. Yes, we were a small player at that point of time. But then it helped us legitimize because the other big players started following, which they have been following for quite some time. So back to ISPM. You mentioned the first pillar of ISPM, the whole hygiene and the data problems it solves. What else? What are the other things that you think are fundamental in the definition of ISPM or Identity Security Posture Management for Saviynt? Sure. So the second one is all about effectiveness of your governance controls. Many times when you go and ask a customer, they'll say, oh, yeah, we have an annual or a half yearly certification process. When you ask them how effective it is, they get crickets most of the time. Or the numbers, they are just ridiculous numbers. If you ask them what's your percentage of revocations, if you ask them the same thing about what's your request fulfillment cycle times, those numbers tell you that they are just there for ticking a checkbox. Is it effective? Is it getting mature over a period of time? Is it helping in any way? Is it helping them in any way? The answer is usually no. The audits get passed. That's about the best it gets, right? Yeah. True. And the biggest shift what I started seeing was that IGA was still being used as a compliance tool, but compliance is not security. Yes. 
And the pivot in the market started happening was that we need IGA to also help us be a secure organization and not just a compliant organization. So don't just do certification for... Well, in other words, it's marginalized, right? It becomes... And it has been, it was for a long time, just a marginal activity. Yeah. So the second thing what we did, Enrique, was in ISPM, we started measuring the effectiveness of your governance controls and took you to a journey from... If you understand the analytics journey, you have something called the descriptive analytics, which tells you something has happened. But from there... The sack must be... And I would say that we are also equally responsible for just giving that view, Saviynt as a vendor. But where we want to change the game is now... For the audience, right? So those types of analytics, right? So the descriptive would be more like a reporting, right? Yes. Like something is going on. Diagnostic. But where we are now going with ISPM is we are giving you diagnostic analytics, which is stage two. And that is about, yes, you have something, but why did it happen? Yes. And from there, we are saying that, what can you do to prevent it from happening again? And what are the policies you can put in place so that you can always measure that? So descriptive to diagnostic to predictive to prescriptive. That's the... Those four types, right? And I wrote research about that. That was one of the areas and I did it, I really excitedly. And I know you're going to be asking something about food. No, no, no, no. I think the interesting thing about that is, I mean, so that's a maturity thing. Yes. But it drives the people that are running those services to be more mature as well, right? So for me, it's an interesting relationship because as we give them some of those capabilities and ask them or talk to them about doing something different, they have to adapt and grow, right? 
Because I would argue that part of the challenge has been some of the things we've said just now about how mature were we offering stuff for our customers, but also honestly, how mature were our customers in thinking about what they were trying to do? It was a fairly kind of siloed, right? Do you think they're ready for prescriptive? Most clients. I mean, that's a good question. I think it will be a journey, Enrique, because customers who are still dealing with a lot of descriptive analytics, they will have to adapt to going from descriptive to diagnostic. Will they trust the AI to prescribe things, right? Yeah. I'll come to that. I don't know if it's, will they trust the AI? I think it's, can they, because that whole journey that we're providing them with, that whole moving to prevention means that actually you stop the input of the staff. You actually solve your problems before they happen. But to some degree, like, do you think that's a leap of faith for people? So I will quote what Jim taught me. This was, yes, this three years before when we were at a sales kickoff, Jim was presenting something about how the identity analyst job is changing. And one of the questions which was asked by him was that, how am I going to trust this data? And I'll certainly have Jim also add color to this is, it's not about asking somebody to trust that data on day one. You have to build that partnership, whether it is with your internal auditors, whether it is your external auditors. If you are starting on this journey, do not expect somebody to go and trust that data on day one. It's never going to happen. And that's what we are seeing now with all the things, what we are doing with customers. The customers are now building that partnership with different teams. So if they are using ISPM for an SAP owner, they're showing that data, getting their feedback, tweaking the algorithms, making sure that it meets the requirement. That's when they can start looking into this journey. 
Jim, feel free to add. Look, I think you have one of the most difficult jobs in the company because you have to figure out what the customers need and then coincide that with what they're asking for. And those are two very different things. It's a fine line as well, right? It is. Like telling someone you think that their needs aren't quite what they think they need is a really difficult position, right? Yep, absolutely. So that's the second dimension of ISPM on how we differentiate. And nobody does that in the existing market about governance control effectiveness. The third one is where about identity risk, everybody talks about it. But all the incumbent products in the market are looking at inherited risk. Yes, you have password policies not enforced, MFA accounts, MFA not enforced on your root accounts. Yes, it's a core part of your identity risk. But what about derived risk? When you are looking at access paths of an organization and your workhorse identity, how is that access path risky in a way that your users have access to something which their peers don't have access to? So peer access outliers, are you looking at SOD violations? Is this access given to you as an out of band? These are very derived risk signals which a core governance platform can calculate and that feeds into ISPM. That's our forte when we look at identity risk. Majority of the organizations who are investing their time and money with ISPM products, they're missing on this. They're looking at what inherited risks are, which are the usual products in the market are doing. And I think for, you know, real quick, I think for the industry, right? What this move to ISPM brains, any maturity of any program, right? Let's step outside of technology for a second. Like the maturation of anything. First you do something. Let's take a sport, right? It's the easiest thing for me. Like if you're learning football, first you got to go learn. Which kind of football? 
I was going to say, if you're going to say sport. All right. So we're going to talk about professional or some shit. Listen ponder, like real, let's get American football. That's not real football. Oh my God. Can we talk about some cricket? Cricket. Cricket. Cricket, I'm done. Cricket, no. Cricket, not a great scene. All right. After this we're going to go put pads on. We're going to go find a field. And you tell me after I'm done wiping you guys off the floor whether that's a real sport. Anyway, the point being at some point, we'll take cricket. I don't know enough about cricket. You guys correct? Do it? At some point you have to learn like what were the fundamentals? What do I do? Right. Whether it's swinging, whether it's catching, whatever. You learn that. And then. There's a batsman. Right. I don't, it's, there's wickets. There's, I don't. Yeah, we set the trap. Sorry, David. Somebody told me like the matches last for like 10 days or something. I was like, I don't ask. I don't care. But the point is you got to learn the basic and fundamentals and then how do you mature and get better at anything as a player? Like you have to measure it, right? So whether it's, let's, let's take golf. Can we golf? Like whether it's swing speed, whether it's how far I'm hitting, whether it's like whether I'm closing the club face. You do that by measuring, right? And that's how you start to mature and get better. The same thing with this industry right now, which I find exciting for identity is that for 30 years we'd given, you know, vendors and just the industry, we'd given customers, here's all these things to go do something, but they had no clue how to measure it. We didn't give them any tools of how to measure it. So how can we expect them to get better if they don't know how bad it, they just know it's bad. Yeah. And we just said, we have that stat that all of us kind of stuck with. Identity is really hard and only 3% is success. 
And we all just kind of lived in this area of, well, that's just what it is. It's never going to get any better. Now, what I find truly game changing about this to the industry is giving somebody the ability to measure something, you can now look at it and go, okay, well now I can see how effective my program was actually going. And once you can measure something, what happens after that? You can set goals, you can set milestones, you can improve quality and you know how to improve, right? I went from 60 to 70 to 80 to 90, right? On what? Versus like, I just got a bunch of stuff and it's like, hey boss, we deprovisioned 3,000 accounts today. So what? Is that good? Is that bad? Was that more than yesterday? So this moving the industry into this area of measurement and being able to take measurement and apply it to both derived risk and inherited risk, I think is going to transition a change over the next decade of how we look at identity. And so that's one of the things I'm really excited to see. And I love what we put out there and what's going to continue to grow with that. But I want to get your opinion. I'm going to ask you, Vibhuti, just to kind of put your fortune teller hat on, right? So let's fast forward five years from now, right? And you know, ISPM as an entrance into the market does what we want it to do, right? People are able to see, they're able to get better data, get more predictive. What does an identity program look like now? By the way, I was still left with the fourth dimension, which was my most favorite one. So I'll come to that question. You're like a politician. You just answer the questions you want to. So he's been trying to answer. To Vibhu, he's trying to talk. We're interrupting him. 
Actually, this is the reason, because David, when I was talking to him, his eyes lit up when I told him about the fourth one, which was about, see, at the end of the day, when you have so much data, you know, and all these identities are coming, how are you going to crunch, sift, mine all this data? And this is where, I know I'm going a bit into the weeds here, but we built the industry's first identity security data lake. And when I told that word to David, I said, like, what, are you building a data lake? So I want to ensure that I stress on that point a bit. The whole notion of building this data lake, Jim, was that we bring structured, unstructured data from all the different sources, and whatever system can give me identity context, and then let users harness this power. The full notion was, how am I going to make it easy for you? And that's where the power of large language models come in. So today, if you look at Saviynt's ISPM, you don't have to invest in BI tools. You don't have to write any SQL queries. You don't have to rely on technology SMEs. Any CISO, any CIO, any CXO can tap into that data in any way in writing a simple English statement, and they will get that. I love it, and let me just summarize what you said, the four pillars, right? So number one was the hygiene one, right? And the quality of the data. The second one was the efficacy of those controls that we're implementing. Third was the risk, an identity risk, and fourth is a large language model for identity security data lake, as you called it, right? I'm an analogy type of guy, too, and I always thought of, not too far away from a sports analogy, right, of a fitness tracker, surfacing those metrics and visualizing how good you're doing, like, hey, are you taking the necessary 10,000 steps a day? And I think for the CISO, for the CIO, I think that's what ISPM is surfacing. 
Do you agree with that analogy of like, almost like an Apple Watch or a fitness tracker for identity security? So before you get to that question, can I share one bit? Let the men speak. Have you seen what he wrote on here? It's his food order. It's not those questions. It is, yeah, ooh, sushi. All right. So send person, and again, that brings to the, it also ties to what David asked. See, if you think about ISPM, it will be, or ISPM is going to be the orchestrator of any identity program you're going to work on, whether it is implementing IGA, PAM, doing GRC projects. The reason being is, and we are going to look at and solve some of the most hardest problems we have ever thought about it. And I'll start with giving you some examples. Access classification. Today, if you walk into Jim's room and ask him that, can you tell me all my privileged entitlements in Salesforce, it's incredibly hard. If you try to do that with Active Directory, there is no freaking way you can do it. So the reason why these problems are important to solve is that what is my starting point when I'm starting my identity governance or identity security program? And that starting point is so different for every organization. How can we standardize it? How can we give you a blueprint which tells you that this is what you have to do? So ISPM, think about a solution which goes into your ecosystem on day one, classifies all your identities, classifies all your access to begin with, right? You discovered, now I'm telling you, you have 60% of your identities being workforce, 40% as external, and the quality of your governance for those 40% external are banned. That is your step one. Launch a certification. Putting that step one, there's an important point, right? Because you just said it, like on day one, let's not forget that that's one of the key killer things here, isn't it? It's day one, not day 100, it's day one, right? 
And Simon, these are some things which have been overlooked for quite some time, like identity classification. It is so disturbing to see that even today, if you go and talk to the majority of the organizations, classification of identities is always an afterthought. It should be done on day one, because the moment you have that compendious view of all your identities, you can strategize what you have to do. Like external identities, if they are not certified, the immediate step for you is to launch a certification campaign. That is not something you can do from an IGA tool because IGA tool will not give you that visibility. That's what ISPM is going to tell you. So access classification, why is that important? Because when you think about access, privileged access is discussed in so many forms and fashion, but privileged access, the tools you have in the market are predominantly solving infrastructure problems. There's a massive problem on the application side. And you go and talk to any CISO, the first thing they will say is at the moment audit starts, it's like pulling hairs because they don't know what they don't know. And they get beaten on the application side more as compared to infrastructure. Go ahead, Jim. No, I think you're absolutely right. That's exactly what happens. Do you think, you mentioned besides applications and infrastructure, non-human identities, right? And machine identity. That's a very hot topic in 2025. You think that goes together with ISPM? And if so, how? So Enrique, I'll tell you another interesting point about NHI. I think what the whole NHI industry, it's so convoluted right now. Every product, every vendor is trying to shape up in a way which is suiting to their needs. And so many angles too. Yeah, it's different types of certificates or API keys. They're very kind of different. So if you ask me, is NHI going to go with ISPM? The answer is no. NHI is going to go with IGA. NHI is going to go with PAM. 
NHI is going to go with ISPM as well. If you have service accounts in your organization, ISPM will give you visibility. ISPM will give you trends of the growth. But how are you going to certify those service accounts? That's an IGA problem. Yes. How are you going to manage the privileged access of those service accounts? That's a PAM problem. So NHI as a whole is not just what the vendors are talking about, like you will have visibility. It's a problem which only a converged platform can solve for. I agree. So don't you think that ISPM, like those basic constructs of ISPM in terms of observability and actionability, they are key constructs now when you think about NHI, aren't they? Absolutely. We need to start thinking about it from that perspective, which is why it's foundational for basically everything in the future, right? I mean, it's a new structure and a new way of thinking about the way we're going to have to address most things, isn't it? And I think NHI is just an example of that. Absolutely, because I think we're in a state where it's good to confuse the market and tune it to what I have to offer as a product. But like, especially we want to take the high road. We want to make sure that the industry understands that if you're looking to invest in securing your NHI, just having visibility, just having posture management is not enough. It's not enough, because you can have like authentication prioritization for machines, right? Like federated single sign-on for machines. We're going to have all the governance pieces, certification campaigns. We're going to have provisioning as well, right? No, very well. Why don't we switch gears towards Vibhuti as a person, right? And I think I'm super curious also for the audience to know more about that side of you. And so let me start, and perhaps we can everyone ask you a question from your personal life. But the one that perhaps I'm most curious about is what's your favorite part about launching a product? 
What is the, hey, this is the part that excites me. What makes you happiest about launching a product? Interesting one, let me think about it. I think the happiest thing to launch a product is to have a customer coming and saying that, yes, this is what it is solving my problem. That feeling, that moment when somebody comes and validates that what you have built is really solving my problem. There are no words to express that. Having that validation from a customer, even when they're coming and talking openly and publicly about it, I think that's the best part you can have. Because this is after launch, after adoption. But I'm interested then because, I mean, you talked about it earlier on. You said, you talked about some of your previous products and many iterations before you got to success. So how do you deal, and I don't want to call them failures necessarily, but how do you deal with that cycle of, yeah, that didn't work. Yeah, that didn't, is it that end state, that kind of affirmation from the customer that is the thing that ultimately makes all of those learnings and the journey worthwhile? Or what else kind of sustains you through? What can be quite hard to do on the project? Yeah, how do you cope with that? Obviously, I'm not sure I could cope with the constant, like, yeah, that sucks. I would say, not that any of your stuff sucks, obviously. Oh, no, I had my fair shares of failure. I heard that actually, because that's what you said. So I keep referring this to my team, that blood, sweat, and tears. That's what it took to build this product. But we had our fair shares of ups and downs. I think it's the journey which excites me the most. I don't look for instant gratification. I think that's not what you can, if you're building with the- How do you do it? Well, is that something, I mean, if we had aspiring chief product officers listening to this, is that the thing you would probably give them as the number one guidance? 
Like, get enjoyment out of the journey, not about their destination, or? And how, yeah, teach us how to look ahead and not like, I'm so focused on this instant gratification, because- Firstly, I'm still not there. I'm still learning. Let me put it that way to any aspiring person. But if you're trying to launch a product, trying to build a product, be prepared for failures. Accept them as something which will help you. If, let's say, when Simon, I spoke to Simon and showed him the demo of ISP, we said, yeah, okay, that should not deter you. That should, like, what can I do to make him say, wow? And now when you shared this on LinkedIn publicly, like, I think I did a good job. But it took me one year to reach to that stage. So- Yeah, he's a good gatekeeper, right? Yeah. The grit, the passion which is required, that keeps you going. And just don't look for instant gratification. It will not happen on day one. This is very nice. Gudi, thanks very much for your time. And this is a great conversation. Appreciate you coming by and telling us all about ISPM and dropped some good nuggets there about how to not look at instant gratification. Definitely one that something as a product leader, you got to get used to. So appreciate it. And that's it. I'll go ahead and wrap this up. Yeah, let me ask a question. No, no. Where's the dog parents? No, no, that's called the end. Yeah. That was the last question. You guys see what I have to deal with with these people? Anyway, listen, that's it. Like, that's it for this every talk conversation. Listen, you can subscribe, like, on whatever platform you find us on. If you're on YouTube, you can see our wonderful eye candy and let us know whether or not you think that's good eye candy or not. You know, your own personal opinion. If you're on Spotify, whatever podcast platform, make sure to like, drop in the comments. We can't wait to hear about you. Keep the conversation going. Until next time, we'll see you guys. Thank you. 
I thought it was a good talk, right? It was a good conversation, right? I would have loved to focus and get kind of more around the industry and where it gets to, but I think overall the conversation was good. Yeah. He described like a lot of, I love that he did his acronym, like the blood, sweat, and tears. It's not an acronym, but that's, like, literally, I'm going to change this Slacnic. Like, I'm going to take a look at these blood, sweat, and tears, yeah. Because that's, you know, for anybody that's run product and been a product leader, it is a lot, right? It's a lot of no's, it's a lot of failures to kind of figure out and get a product to launch and into your vault. Jim, when you had asked about, like, you know, getting in front of customer and walking that line of what they tell you they want versus how to solve their problem is really hard, so. Did you like it? Yeah, I mean, I love the passion he brings to it. All the time, all the time. But for me, honestly, like, the passion is so required for this particular topic because this, I mean, it's so easy to use these words, game changer, but, like, it's the start of something new, right? I mean- Absolutely. And most people would be like, yeah, yeah, whatever. But genuinely, I think if we, and by we, I mean the industry does this right, this is actually what identity security should always have been. So you can't, I mean, that's why I love this topic because you can't underplay the importance of this. Oh, man, I'm, of course, that's right, attached to this one, but, Jim, what was your favorite thing of all the, oh, I think the self-proclaimed good-looking, I think that was, that was unexpected, I'll tell you that. Yeah, so, all right, I don't know. We'll make sure that that's who his title was, Boston. But I- I mean, we could vote on it. Yeah. You already know how that votes for me. I don't know. I can't know. That's the thing, putting my rider, I always get four votes, you got one, so I think I'm good. 
But I think from our guest, I think the thing I like the most is, hey, don't get so hung up onto the instant gratification thing. Look, I think, yeah, that's good. It's good advice. It's good advice, right? You can take it for life, you can take it for identity security or everything else. I think it was pretty cool. No, he is, of course, a very passionate guy. Great. I'll remind you of that. When people say, like, didn't really like what you said, which they say a lot, just not to your face. That they won't let me? Yeah, yeah, yeah. I mean, but honestly, like- Next game, man. Yeah. I'm Brazilian. I know, you can learn from the booty now. The guy gets an agent, look what's happening. Was he against? No. All right, let's go. We're out. Next conversation. We'll be right back.

TL;DR

  • Identity Security Posture Management (ISPM) represents a critical shift from reactive to proactive identity security, essential as non-human identities and AI agents proliferate across enterprise environments
  • Saviynt's ISPM approach uniquely measures governance control effectiveness, moving organizations through analytics maturity from descriptive reporting to prescriptive prevention
  • Derived risk analysis—examining access paths, peer outliers, and SOD violations—provides deeper security insights than traditional inherited risk assessments focused solely on policy enforcement
  • Building transformative products requires accepting failure, balancing customer requests with actual needs, and maintaining long-term focus over instant gratification
  • The maturation of identity security mirrors any discipline: organizations must measure their posture to improve it, just as athletes measure performance metrics to advance their skills

The Evolution from Reactive to Proactive Identity Security

Vibhuti Sinha, Chief Product Officer at Saviynt, discusses the critical shift from reactive identity security approaches to proactive Identity Security Posture Management (ISPM). With the exponential growth of identities—particularly non-human identities (NHIs) and AI agents—organizations can no longer afford reactive security models. Saviynt has invested two years in developing ISPM capabilities that move beyond traditional compliance-focused Identity Governance and Administration (IGA) toward true security outcomes. The conversation explores how ISPM represents a maturity evolution in the identity space, enabling organizations to measure, predict, and prevent identity-related risks before they materialize.

Measuring Governance Control Effectiveness

A key differentiator in Saviynt's ISPM approach is the focus on governance control effectiveness—moving from descriptive analytics (what happened) to diagnostic (why it happened), predictive (what will happen), and prescriptive (what to do about it) analytics. Sinha emphasizes that compliance is not security, and the industry has marginalized IGA as merely a compliance checkbox. Saviynt's ISPM measures whether governance controls are actually working, providing organizations with actionable insights to prevent security incidents rather than simply reporting on them after the fact. This requires building trust with internal and external auditors through partnership and iterative refinement of algorithms.

Derived Risk vs. Inherited Risk

Sinha introduces the concept of derived risk as a critical component of identity risk assessment that most ISPM products miss. While inherited risks (password policies, MFA enforcement on privileged accounts) are important, derived risks examine access paths and peer outliers—identifying when users have access their peers don't, detecting segregation of duties violations, and flagging out-of-band access grants. This approach leverages the core governance platform's deep understanding of access relationships to calculate risk signals that point-solution ISPM tools cannot detect. The combination of inherited and derived risk provides a more complete picture of an organization's identity security posture.
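To make the three derived-risk signals named above concrete, here is an added worked example (not Saviynt's code, and not a description of how Saviynt's ISPM computes risk). It runs over a constructed access snapshot: users with a department, the entitlements each holds, a constructed SoD policy, and a constructed approval log. The user and entitlement names, the 50% peer threshold, the risk weights, and all three functions are assumptions chosen for illustration.

```python
"""
Derived identity-risk signals over a constructed access snapshot:
  1. peer outliers   - entitlements a user holds that few department peers hold
  2. SoD violations  - one identity holding both sides of a conflicting pair
  3. out-of-band     - entitlements present in the target system with no approval record
Example code added for illustration; all data below is constructed.
"""
from collections import defaultdict

# Constructed sample data: department membership per user (assumed names).
USERS = {
    "alice": "finance", "bob": "finance", "carol": "finance", "dave": "finance",
    "erin": "engineering", "frank": "engineering", "grace": "engineering",
}

# Constructed sample data: entitlements observed in the target systems.
ENTITLEMENTS = {
    "alice": {"erp:ap_invoice_create", "erp:reports_view"},
    "bob":   {"erp:ap_invoice_create", "erp:reports_view"},
    "carol": {"erp:ap_invoice_create", "erp:reports_view", "erp:ap_payment_approve"},
    "dave":  {"erp:ap_invoice_create", "erp:reports_view", "prod:db_admin"},
    "erin":  {"git:push", "ci:deploy"},
    "frank": {"git:push", "ci:deploy"},
    "grace": {"git:push", "ci:deploy", "prod:db_admin"},
}

# Constructed SoD policy: creating an invoice and approving its payment must not
# sit with the same identity.
SOD_CONFLICTS = [("erp:ap_invoice_create", "erp:ap_payment_approve")]

# Constructed approval log: every grant above was approved except dave's
# prod:db_admin, which we pretend was granted directly in the target system.
APPROVED_GRANTS = {(u, e) for u, ents in ENTITLEMENTS.items() for e in ents}
APPROVED_GRANTS.discard(("dave", "prod:db_admin"))


def peer_outliers(users, entitlements, threshold=0.5):
    """Return {user: {entitlement: peer_share}} for entitlements a user holds
    that fewer than `threshold` of their department peers (self excluded) hold."""
    by_dept = defaultdict(list)
    for user, dept in users.items():
        by_dept[dept].append(user)
    flagged = {}
    for user, dept in users.items():
        peers = [p for p in by_dept[dept] if p != user]
        if not peers:            # a department of one has no peer baseline
            continue
        for ent in entitlements.get(user, set()):
            share = sum(ent in entitlements.get(p, set()) for p in peers) / len(peers)
            if share < threshold:
                flagged.setdefault(user, {})[ent] = share
    return flagged


def sod_violations(entitlements, conflicts):
    """Return sorted (user, ent_a, ent_b) triples where one identity holds both sides."""
    hits = []
    for user, ents in entitlements.items():
        for a, b in conflicts:
            if a in ents and b in ents:
                hits.append((user, a, b))
    return sorted(hits)


def out_of_band_grants(entitlements, approved):
    """Return sorted (user, entitlement) pairs that exist in the target system
    but have no matching approval record, i.e. were granted outside governance."""
    return sorted((u, e) for u, ents in entitlements.items()
                  for e in ents if (u, e) not in approved)


def score_identity(user, outliers, violations, oob, w_outlier=10, w_sod=40, w_oob=25):
    """Combine the three derived signals into one risk score (weights are assumed)."""
    score = w_outlier * len(outliers.get(user, {}))
    score += w_sod * sum(1 for v in violations if v[0] == user)
    score += w_oob * sum(1 for g in oob if g[0] == user)
    return score


if __name__ == "__main__":
    outliers = peer_outliers(USERS, ENTITLEMENTS)
    violations = sod_violations(ENTITLEMENTS, SOD_CONFLICTS)
    oob = out_of_band_grants(ENTITLEMENTS, APPROVED_GRANTS)
    for user in sorted(USERS):
        print(f"{user:6} risk={score_identity(user, outliers, violations, oob):3} "
              f"outliers={sorted(outliers.get(user, {}))}")
```

The point of the peer baseline is visible in the sample: `prod:db_admin` is held by two people in different departments, so a global frequency check would not flag it, but neither user's own peers hold it, so both are flagged. Carol is the only identity that trips the SoD pair, and only Dave's `prod:db_admin` lacks an approval record, which is the kind of out-of-band grant a governance platform can see because it holds the approval history. In a real deployment the department grouping, thresholds and weights would come from the organization's own data and policy rather than the constants here.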

Product Leadership and the Journey to Market

The conversation shifts to product leadership philosophy, with Sinha sharing candid insights about the challenges of building transformative products. He emphasizes that product leaders must navigate the difficult balance between what customers ask for and what they actually need—two very different things. Success requires accepting failure as part of the journey, maintaining passion through setbacks, and avoiding the trap of instant gratification. Sinha describes the ISPM development process as requiring "blood, sweat, and tears," taking a full year to reach a point where early skeptics became advocates. For aspiring product leaders, he stresses the importance of grit, partnership with customers and auditors, and staying focused on long-term outcomes rather than short-term wins.

Chapters

0:00 - Introduction and Show Setup
1:03 - What is ISPM and Why Now?
4:30 - Guest Introduction: Vibhuti Sinha
5:01 - Reactive vs. Proactive Identity Security
19:18 - Compliance vs. Security in IGA
20:24 - Analytics Maturity: Descriptive to Prescriptive
23:53 - Inherited vs. Derived Identity Risk
26:10 - Measuring Identity Security Posture
37:42 - Product Leadership Philosophy
39:22 - Wrap-up and Key Takeaways

Key Quotes

5:01 "What organizations have been doing is looking at the first end, which was doing identity security in a very reactive manner. And I think the time has come now to look at the other end of the spectrum, which is doing it in a productive manner."
19:23 "IGA was still being used as a compliance tool, but compliance is not security. And the pivot in the market started happening was that we need IGA to also help us be a secure organization and not just a compliant organization."
20:24 "Where we are now going with ISPM is we are giving you diagnostic analytics, which is stage two. And that is about, yes, you have something, but why did it happen? And from there, we are saying that, what can you do to prevent it from happening again? ..."
23:53 "All the incumbent products in the market are looking at inherited risk. But what about derived risk? When you are looking at access paths of an organization and your workhorse identity, how is that access path risky in a way that your users have access to something which their peers don't have access to? ..."
26:39 "For 30 years we'd given customers, here's all these things to go do something, but they had no clue how to measure it. We didn't give them any tools of how to measure it. So how can we expect them to get better if they don't know how bad it is? ..."
38:43 "If you're trying to launch a product, trying to build a product, be prepared for failures. Accept them as something which will help you. That should not deter you. That should, like, what can I do to make them say, wow? ..."

FAQ

What is Identity Security Posture Management (ISPM) and why does it matter now?

ISPM is a proactive approach to identity security that measures, predicts, and prevents identity-related risks before they materialize. It matters now because the explosive growth of non-human identities and AI agents makes reactive security approaches unsustainable. Organizations need to start planning and strategizing their identity security posture today to be successful in coming years.

How does Saviynt's ISPM differ from other products in the market?

Saviynt's ISPM differentiates in three ways: it measures governance control effectiveness (not just compliance), it assesses both inherited and derived identity risks (including access paths and peer outliers that only a governance platform can detect), and it moves organizations through analytics maturity from descriptive reporting to prescriptive prevention.

How do organizations build trust in ISPM data and recommendations?

Building trust requires partnership with internal and external auditors from day one. Organizations should start by showing ISPM data to application owners (like SAP teams), gathering feedback, and iteratively refining algorithms to meet requirements. Trust is earned through demonstrated accuracy over time, not expected immediately.


Categories:
  • » Cybersecurity » Cloud Security
  • » Data Protection
Tags:
  • Identity & Access
  • Cloud Security
  • Compliance & Governance
  • Technical Deep Dive
  • Best Practices
  • AI & Machine Learning
  • Identity Security Posture Management
  • Identity Governance and Administration
  • Non-Human Identities
  • AI Agents
  • Governance Control Effectiveness