Posts

TL;DR Annual access reviews alone won’t keep you safe. Real control requires a yin–yang operating model presented in the order you actually work: Yin (Secure AI-Assisted): risk-aware triage, context synthesis, toxic-combination detection, usage-based revocation suggestions, and policy-drift alerts—with human oversight for anything high-impact. Yang (Manual, Human-Led): clear ownership, accountable attestations by managers and app owners, strong evidence trails, and auditable decisions. Design your program around continuous and event-driven recertification—small, frequent, targeted reviews triggered by real changes—not a once-a-year scramble....

TL;DR AI is chewing through the repetitive, entry-level work that used to give newcomers their start in Identity & Access Management (IAM)—account audits, basic access reviews, routine onboarding/offboarding “click-ops,” and boilerplate policy writing. That means mentorship isn’t a nice-to-have; it’s the on-ramp. This post lays out (1) why the shift is happening, (2) what effective IAM mentorship looks like, (3) a practical 12-week plan any team can run, (4) how to blend AI as a co-mentor without outsourcing judgment, and (5) a vetted directory of communities and mentorship programs to join right now....

Tag: EverydayIdentity Editor’s Note (September 2025): This guide is aligned to the latest NIST publications issued last month, including SP 800-53 Release 5.2.0 (with new software-update/patch and cyber-resiliency emphasis) and SP 800-63 Revision 4 (updated Digital Identity Guidelines). We also reference the SP 1800-35 Zero Trust practice guide finalized this summer to ground CIEM in current best practice. :contentReference[oaicite:0]{index=0} TL;DR Multi-cloud is powerful—and dangerously permissive by default. Over time, identities (humans and workloads) accumulate access they no longer need....

Introduction: The End of the Password Era Imagine this: an employee’s corporate laptop is stolen from a café. Instead of panicking about whether the thief will guess the password, IT breathes easy—because the device uses passwordless authentication tied to the user’s biometric and hardware token. The attacker has nothing to exploit. This isn’t a futuristic scenario. Enterprises are already shifting toward passwordless authentication, not just for convenience but to protect against the relentless tide of credential theft....

Introduction: Why 2025 Is a Turning Point Digital onboarding has always been a balancing act: verify people quickly, securely, and seamlessly—without driving them away. In 2025, the balance is shifting once again. New regulations, emerging biometric technologies, AI-powered fraud, and rising consumer expectations are rewriting the rulebook on how organizations prove who someone really is. In this post, we’ll break down what’s changing in identity proofing and onboarding, why it matters, and how to build a secure, user-friendly digital identity journey....

From Passwords to Prompts: The AI Shift in Identity & IT Artificial intelligence (AI) has become a double-edged sword in IT and identity security. On one side, enterprises deploy AI for automation, fraud detection, adaptive authentication, and anomaly detection. On the other, cybercriminals are weaponizing the same tech to supercharge their intrusions. In 2023, U.S. consumers reported over $10 billion in fraud losses — the highest figure ever recorded. Analysts and regulators increasingly attribute this surge to AI-enhanced cybercrime, where phishing emails, romance scams, and business email compromise (BEC) are crafted by generative models....

Introduction: Why Context Is the New Secret Weapon In the world of digital security, the “who” is no longer enough. Identity and Access Management (IAM) has evolved beyond verifying a username and password. Today, the most resilient defenses are those that understand context—blending real-time signals about the user, their device, location, and behavior to make smarter access decisions. Welcome to the world of Context-Aware Access. If you’ve ever been prompted for a second factor when logging in from a new device, or denied access while traveling, you’ve seen context in action....

Six Essential IAM Policies Every Business Needs (Beyond Passwords) TL;DR If your security program starts and ends with a password policy, your business is exposed. To defend against breaches, insider threats, and regulatory penalties, you need a well-rounded suite of Identity & Access Management (IAM) policies—clear, actionable rules that leave no gaps for attackers (or auditors) to exploit. This post breaks down six foundational IAM policies, when to use them, why they matter, and how to link them together for real-world protection....

Access Reviews & Certifications: Why and How Everything you need to know about periodic reviews, compliance value, and common traps to avoid TL;DR Access reviews and certifications are your IAM safety net. Done right, they ensure that users have only the access they need—no more, no less. In this post, we’ll explain the what, why, and how, along with real-world examples and common mistakes to avoid. What Are Access Reviews?...

🧠 TL;DR IAM projects don’t succeed because of tools—they succeed because of project discipline. This post breaks down core project management pillars—scope, stakeholders, communications, risk, and delivery—and ties them to identity work like Okta, Adaxes, and JAMF rollouts. 🏗️ IAM Projects Are Still Projects While identity work is technical and security-driven, the project fundamentals are universal: Stakeholder alignment drives decisions Scope controls chaos Communication prevents surprises Testing builds confidence Governance ensures long-term success Every successful identity project I’ve led—whether rolling out JAMF, Okta, or ServiceNow—followed proven project management best practices....