Posts

From Passwords to Prompts: The AI Shift in Identity & IT Artificial intelligence (AI) has become a double-edged sword in IT and identity security. On one side, enterprises deploy AI for automation, fraud detection, adaptive authentication, and anomaly detection. On the other, cybercriminals are weaponizing the same tech to supercharge their intrusions. In 2023, U.S. consumers reported over $10 billion in fraud losses — the highest figure ever recorded. Analysts and regulators increasingly attribute this surge to AI-enhanced cybercrime, where phishing emails, romance scams, and business email compromise (BEC) are crafted by generative models....

Introduction: Why Context Is the New Secret Weapon In the world of digital security, the “who” is no longer enough. Identity and Access Management (IAM) has evolved beyond verifying a username and password. Today, the most resilient defenses are those that understand context—blending real-time signals about the user, their device, location, and behavior to make smarter access decisions. Welcome to the world of Context-Aware Access. If you’ve ever been prompted for a second factor when logging in from a new device, or denied access while traveling, you’ve seen context in action....

Six Essential IAM Policies Every Business Needs (Beyond Passwords) TL;DR If your security program starts and ends with a password policy, your business is exposed. To defend against breaches, insider threats, and regulatory penalties, you need a well-rounded suite of Identity & Access Management (IAM) policies—clear, actionable rules that leave no gaps for attackers (or auditors) to exploit. This post breaks down six foundational IAM policies, when to use them, why they matter, and how to link them together for real-world protection....

Access Reviews & Certifications: Why and How Everything you need to know about periodic reviews, compliance value, and common traps to avoid TL;DR Access reviews and certifications are your IAM safety net. Done right, they ensure that users have only the access they need—no more, no less. In this post, we’ll explain the what, why, and how, along with real-world examples and common mistakes to avoid. What Are Access Reviews?...

🧠 TL;DR IAM projects don’t succeed because of tools—they succeed because of project discipline. This post breaks down core project management pillars—scope, stakeholders, communications, risk, and delivery—and ties them to identity work like Okta, Adaxes, and JAMF rollouts. 🏗️ IAM Projects Are Still Projects While identity work is technical and security-driven, the project fundamentals are universal: Stakeholder alignment drives decisions Scope controls chaos Communication prevents surprises Testing builds confidence Governance ensures long-term success Every successful identity project I’ve led—whether rolling out JAMF, Okta, or ServiceNow—followed proven project management best practices....

Breached Passwords and Modern Authentication: How Clerk Protects Your App from Known Risks TL;DR Using passwords found in previous breaches is like leaving your door unlocked for attackers. Developers can stop this risk cold—tools like Clerk Authentication and its competitors (Auth0, Okta, Microsoft Entra ID, and others) automatically block known breached passwords during signup and reset. Let’s break down why this matters, what the latest password dumps look like, and how you can protect your users (and your reputation) in a few lines of code....

IAM 101: Zero Trust and Identity – Continuous Verification in Practice EverydayIdentity TL;DR Zero Trust isn’t a product—it’s a security philosophy. At its core is continuous verification: a principle that access decisions should never rely on a one-time check. This post breaks down how identity, context, device posture, and dynamic access policies form the foundation of Zero Trust, and how IAM teams can implement this model in practice. What Is Zero Trust?...

Hidden Workers Lost in the ATS Hiring Black Hole An Opinion From the Other Side of the Algorithm There’s an uncomfortable truth most HR leaders won’t say out loud: Applicant Tracking Systems (ATS) aren’t finding your next best hire—they’re hiding them. Over the past decade, automation in recruiting was sold as a revolution. More candidates. More efficiency. Less bias. But walk into any organization struggling to fill open roles, and you’ll hear a different story: “We just aren’t seeing enough qualified people....

When a Phished Employee Has Admin Rights TL;DR Phishing remains one of the most effective initial access methods for attackers—but the real risk begins when the compromised user has admin or privileged rights. In this post, we’ll dissect how privilege escalation turns a single click into a breach, the downstream impacts, and practical steps to contain the blast radius in your own organization. The Real-World Scenario: One Click, Total Compromise Let’s paint a picture....

What Does an IAM Manager Actually Do? First-Hand Insights from a 15-Year IAM Pro Introduction Fifteen years ago, I stumbled into Identity and Access Management (IAM) when “cloud SSO” was still a buzzword and the biggest access threat was a sticky note password. Fast-forward to today, and I manage an IAM team responsible for protecting thousands of users, devices, and applications. If you’re wondering what an IAM Manager actually does—and what it takes to thrive in the role—this post is for you....