Transcript
As AI is reshaping how businesses operate, we're witnessing not just a technological revolution, right? It's all about the fundamental shift in terms of how we think about identity within our organization. Today, we're no longer just managing human identities. Chandra earlier spoke about this. He spoke about, you know, the shift, the structural shifts. We are now responsible for securing an expanding ecosystem of AI identities with different levels of autonomy, from simple chatbots that we look at every single day, to complex autonomous systems making consequential decisions. I'm really excited today to explore how companies can embrace AI innovation while building a robust identity security framework. Today, Tyler and I are going to discuss practical strategies for securing AI agents, leveraging AI to strengthen identity protection, and most importantly, preparing for tomorrow's security challenges, right? Before we dive in, I'd like to, you know, introduce Tyler McDonnell to, of course, introduce himself and share one identity security challenge that keeps him up at night. So Tyler, let's go for it. Well, thank you so much for having me, Jayshree. Really excited to be here. I lead our AI group at SailPoint. I've been working in the AI field for about 15 years now across both industry and academia. And you know, in that time, I've had the opportunity to work on a lot of different, you know, difficult problems. But most recently, I have been now for a few years at SailPoint working on applying AI machine learning to really solve some of our fundamental challenges in the identity security space. In terms of what keeps me up at night, you know, that's a good question. I would say the thing that keeps me up the most is the pace of innovation and adoption that we're seeing in AI right now versus the maturity of the tools that we have to secure some of these new systems. You know, it's really exciting for me in particular as someone that gets to every day use and experiment with and, you know, put these tools to use. But it does represent a new major risk for organizations. And you know, if that's something that keeps me up at night, I guess something that helps me sleep at night is knowing that this problem is not being ignored. We're working on this at SailPoint and there's many other people out in the industry building the foundation now that we're going to need to secure these AI identities in the future. Awesome. Tyler, we have our work cut out, right, when it comes to AI. So let's start with a few questions. I have a few questions prepared and you're going to sort of share with everyone, you know, what the strategies are, what you're seeing, what the best practices are, right? So let's start with the first question. What's the most significant identity security risks that organizations face today as they deploy AI systems across their organizations? Yeah. The biggest risk today is just unmanaged identities. So, you know, AI systems, bots, AI agents that are not being governed in the same ways that an organization would think about for a human. You know, these systems are, like you said, growing autonomous and it makes it, it represents a huge area of risk for businesses that aren't tracking these agents, understanding what they do, why they do it, and, you know, ensuring and remediating any unexpected things that might happen. That's interesting, right? So agents, you know, would you say agents are really becoming first class, you know, citizens right now? I do think so. Yes. Yeah. It's just really interesting, right? So let's dive into that a little further. How are AI identities fundamentally different from, you know, human identities? There are very clear differences. We know that. But let's sort of dive into it in an enterprise context, right? And what are the new security paradigms that they require at this stage? Yeah, that's a great question. You know, when you ask that question, my mind immediately jumps to AI agents, which are, you know, this class of AI identity that does have this level of autonomy in the way they operate. And in a lot of ways, I actually think of them being more like humans than, you know, service accounts or bots or other types of automation that we've seen in the past. Because of that autonomy, you know, they can carry out actions that they aren't necessarily exactly scripted to do. They can even request new accesses that they don't have. And all of that autonomy really demands a robust governance program, very similar to what we would use for a person. On the other hand, there are differences between AI identities. You know, one of the main ones that come to mind is that these agents, these identities don't have to sleep like people. They can operate continuously all day and all night. And they can do that at machine speed and machine scale. And that really does motivate some new paradigms to secure them because it's not practical for a human to be in the loop and tracking every single action and approving every single action for these agents. We really need a new paradigm that emphasizes continuous oversight and auditability of these systems. That's just really exciting, right, in terms of just the world that we're going to be living in. What frameworks should organizations use to classify all of these AI agents and manage these different types of AI identities based on the capabilities and access needs, right? How should permissions and access controls for AI systems be designed? And how should they be different from human identities? Can we sort of dive into that? Yeah. Organizations should really adopt a policy-driven, identity-centric view to managing these AI identities that really classifies their function, access needs, and criticality. SailPoint's approach to identity security really advocates for this unified approach to governance where all of these different identities can be kind of tracked and managed and ultimately governed in one place. But that framework also has to recognize and account for the different needs of different types of identities when it comes to security. Kind of going back to what I was saying a minute ago, because of how these agents can operate, they can operate at machine scale, machine speed, a successful framework here really needs to incorporate ideas of dynamic access control and auditability so that organizations really have that visibility into what AI identities are doing at every step along the way. So is it going to be very similar to machine identities where there's going to be a human associated with a group of these AI agents as well? I think it's safe to say that there will definitely be a level of human oversight involved. But the difference is going to be that there also needs to be support for real-time decision making if we're going to get the full benefits of these agents. So talking about the real-time, what's your approach to creating that least privilege model for AI identities that still allow them to function effectively and, of course, nonstop in a nonstop way? My approach to thinking about least privilege in this context is really using AI to continuously monitor the usage data and activity data across different systems and using that as a mechanism to really enable real-time assessment of access risk and also to enable just-in-time access provisioning for these systems. Because you do need that automation layer in terms of granting the access that these systems need automatically without having a human in the loop, which is going to slow them down. But you also have to make sure that the access that the AI identities are being granted is consistent with their business intent. And also, you need to be able to revoke that access as soon as they're done with the action that justified use. So really that automation is going to be key here. Perfect. You spoke about governance, the unified governance side of it, right? What governance structures have you seen work very effectively for AI identities in terms of how we're managing AI identities today? Yeah, that's a great question. Honestly, I have not seen many governance structures for AI identities that have been fully operationalized today. And I think that is a big gap right now. But fortunately, you know, SailPoint has a lot of experience here. And we're going to continue to be a thought leader and an innovator in this space because not only do we have decades of experience in the identity security space, but we've actually also been building and deploying and governing our own AI systems for many years now. So we have that skin in the game that's going to help us bring the right frameworks to our customers. And you know, I think a lot of it does go back to what you said earlier about considering AI identities as first-class citizens in the identity security landscape. And you know, I really think what that entails is applying some of the same lifecycle management approaches that we do for people to AI identities. So you know, onboarding them and also applying role or policy-based access control to help govern them. It's really interesting, right? It's still at the very early stages. So the joiner, the mover, the lever, you know, it all applies to AI agents as well moving forward, right? So it's just the pace of change is so fast and there are regulations being put in place across different regions, right? What emerging identity security standards and regulations should organizations be really looking at and be prepared for as AI agents become more prevalent in a month after month? Yeah. I'd say there's increased regulatory attention right now focused on AI accountability and data security. You know, we're seeing a lot of legislation out there start to materialize. And you know, a lot of these regulations have specific guidelines that they're putting out in terms of having human oversight and transparency and auditability of high-risk AI systems. And these regulations are going to continue to materialize. In terms of what organizations can do to prepare for that today, I think the biggest thing is to incorporate AI into your identity security program. Because that means when these regulations do inevitably catch up to the state of the current technology, the companies that have done that are going to be ahead of the curve. Fantastic. And I'm sure, you know, you're looking at those regulations and standards across all different regions as well, right? There are several that companies should be looking at moving forward. How about the capabilities? What capabilities do you predict AI identity systems will have in the next three to five years? Maybe next two years, right? Or 18 to, you know, 18 months, I would say, because it's moving really fast. But, you know, let's sort of talk about that in terms of what companies should be prepared for. I'm terrified to answer that question because it's really difficult to imagine where AI is going to be 12 months from now, let alone three to five years. But I would say if there's one macro trend that's becoming a lot more clear to me, it's that we are going to continue to see this evolution from passive AI systems to active AI systems. And what I mean when I say that is that these systems are going to continue to become more and more autonomous. They're going to continue to interact with more people and other AI systems. And really, that just reinforces the need for some of the things we've been talking about today, like real-time policy enforcement and automation when it comes to identity governance for these AI identities. And also the accountability aspect of it as well, right? Yeah, absolutely. We're going to need new systems that allow us to better track intent, impact, and, like you said, ultimately, accountability for the systems. And it's just going to be really interesting. There has to be a very clear-cut process. You know, if you're saying it's first-class citizens, you know, we really have to have those first-class processes in place as well, right? It's just fantastic. How about security teams? How should these security teams collaborate with the AI development teams today, right? And making sure security is built in from the ground up, any thoughts there? Yeah, I think the key here is really starting the security conversations early and integrating security in every step of the AI development process. This is something we've learned firsthand at SailPoint from the AI governance program that we've developed internally. It's not enough for security teams to just be a gate at the end of the development process. It needs to start way earlier than that. You know, this is really a collaborative effort between multiple parts of the business that needs to happen. For instance, security teams do need to engage AI teams early, and they need to collaboratively build threat models and risk analyses that account for the specifics of the use case that they're trying to solve. On top of that, AI teams and security teams need to collaborate more closely with DevOps teams and platform engineering teams because a lot of these AI identities are being created by AI pipelines or using infrastructure as code or other types of automation at the platform level. And if you don't have security embedded into those levels, you can't secure the whole end-to-end AI identity. And it also includes collaboration with legal to understand what are the upcoming compliance requirements that organizations need to adhere to. So I'd say it's securing AI identities is really a team sport within organizations. And the earlier that security teams get involved, the more that security is considered at every step along the way, the better the outcomes are going to be for organizations. Yeah. We spoke about the process. We spoke about the pace of change. What metrics? Let's sort of touch on metrics, right? What metrics should organizations be looking at in terms of how they should track the effectiveness of the AI programs at the very early stages? Start simple. I would say start with getting coverage and visibility of the AI identities that you have in your organization. If you don't know what AI systems are deployed in your organization, if you don't know what systems and sensitive data they're accessing, you're not going to be able to secure them. So start with coverage and visibility. And then the rest of the pieces will fall into place. Once you do have that visibility of what AI systems are intended to do and what they're accessing, it makes it a lot easier to identify potential risk. And then you can move on to additional improvements when it comes to auditability and explainability. But I would say start simple. All right. That was really good insights. Thank you, Tyler. And so here's what I was thinking about, the key takeaways, right? The key takeaway is based on what Tyler just shared in terms of the best practices, what he's hearing from customer conversations as well, right? AI identities require the purpose-built security frameworks that are very distinct from human identity management. It's important to implement policy-driven models with dynamic access controls based on function and the criticality. It's important to balance least privilege with operational effectiveness through continuous monitoring. And it's really important to prepare for emerging regulations across the different regions by extending governance programs to AI systems. We can't take this lightly. And also, you spoke about fostering the collaboration between different teams, the security teams, the DevOps teams, and also AI development and also the platform teams as well, right? And Tyler spoke about how important it is to track meaningful metrics like coverage, identity coverage, visibility, and the auditability, right? Have I covered everything, Tyler? Is there anything more in terms of the key takeaways? I think you covered a lot of it. The last thing I would say is it's just really important right now to establish that strong AI identity governance foundation so that you can safely leverage these tools moving into the future. That's awesome. Thank you, Tyler. So, thank you, everyone. I hope this was helpful for all of you.