Identity at the Center

Jeff and Jim welcome Joseph Carson, cybersecurity expert and host of the Security by Default podcast, for a conversation on AI in offensive and defensive security. Joseph shares the real-world incident that inspired his EIC keynote - watching two AI agents negotiate a ransomware payment live. He breaks down how attackers use unconstrained models to lower the skill barrier and accelerate data exfiltration. The conversation covers NATO Lock Shields, the world's largest live cyber defense exercise, identity as national critical infrastructure, and the EU AI Act's risk-based approach. Also: Estonia's AI tax agents, the energy cost of being polite to AI, and the Tamagotchi theory of human-AI relationships.

Connect with Joseph: https://www.linkedin.com/in/josephcarson

NATO Locked Shields: https://ccdcoe.org/exercises/locked-shields/

Security by Default podcast (Spotify): https://open.spotify.com/show/0mzN5M5CkFVLn8fq5TnH0O

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com

TIMESTAMPS
00:00 Welcome and intro
03:02 Conference season and IDAC discount codes
04:19 Introducing Joseph Carson and Security by Default
10:18 Optimist or pessimist on identity security
12:30 AI vs. AI - origin of the concept
15:02 Watching two AI agents negotiate a ransomware payment
17:26 The Tamagotchi metaphor for human-AI relationships
19:07 Who is winning the AI cyber arms race
21:00 How AI accelerates attacker capabilities
23:09 Dark web LLMs and bypassing guardrails
26:36 The energy cost of being polite to AI
28:15 Agentic AI skills, campaigns, and the Matrix analogy
31:34 Estonia AI agents filing tax returns
35:14 Introducing NATO Lock Shields
37:00 Protecting a simulated nation from 8,500 cyber attacks
38:08 Why identity is national critical infrastructure
41:18 AI in Lock Shields before and after
43:05 Lock Shields 2025 scoring explained
47:04 The EU AI Act - is it the next GDPR
50:18 Risk-based approach to AI regulation
53:35 Closing thoughts and cautious optimism
54:21 Scuba diving vs. snowboarding
58:05 Wrap-up

KEYWORDS
AI vs AI, agentic AI, identity security, NATO Lock Shields, EU AI Act, Joseph Carson, Security by Default, ransomware, dark web LLMs, guardrails, data exfiltration, phishing, critical infrastructure, Estonia, cyber defense, IDAC, Identity at the Center, Jeff Steadman, Jim McDonald

This episode features Drew Russell, Identity Resilience Platform Owner at Rubrik. Jim McDonald and Jeff Steadman explore the intersection of backup, recovery, and identity security. Drew explains how Rubrik evolved from data backup into a cyber resilience platform with identity as a core pillar. Topics include recovering Active Directory, Okta, and Entra ID after ransomware, Rubrik's "bunker in a box" appliance for immutable air-gapped recovery, proactive posture management, CrowdStrike and Defender integrations, and where AI and non-human identities fit into Rubrik's roadmap. The episode wraps with measuring success for a product you hope to never use, and a detour into watch collecting.

This episode was made possible by the support of Rubrik. Learn more at rubrik.com/idac

Connect with Drew: https://www.linkedin.com/in/drew-russell-3762411b/
Learn more about Rubrik: https://www.rubrik.com/idac

Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at idacpodcast.com

TIMESTAMPS
00:00:00 - Welcome and Introduction
00:01:19 - Introducing Drew Russell
00:01:36 - How Drew Got Into Identity
00:02:43 - What Is Rubrik and What Sets It Apart
00:03:38 - From Backup to Cyber Resilience
00:05:31 - Where Rubrik Fits in the IAM Landscape
00:07:08 - Rubrik's Scale: Clients and Growth
00:07:51 - Primary Use Cases: Post-Incident Recovery and AD
00:09:09 - Kicking Out Compromised Accounts and ADR
00:10:11 - Proactive Threat Detection and Mandiant Integration
00:11:28 - Scanning Backups to Find the Clean Recovery Point
00:12:14 - The Bunker in a Box Explained
00:13:18 - Posture Management and Upstream Tool Integration
00:14:19 - AI Agent Swarms and the Future Attack Surface
00:15:37 - The Taiwan Bank Case Study: Six Weeks to Rebuild AD
00:17:16 - The State of Nevada Incident: $400K and 30 Days
00:17:56 - What Recovery Covers: AD, Okta, and Entra ID
00:19:26 - Post-Restore Change Management and Whitelisting
00:20:08 - How Long Should You Store Backups?
00:21:19 - Indexing Identity for Intelligent Recovery Points
00:22:29 - Excluding Malicious Actions During Restore
00:24:41 - Zero Trust for Rubrik's Own Backups
00:26:21 - No Windows, No Virtualization Architecture
00:27:49 - Proactive Posture Management
00:29:00 - CrowdStrike and Defender Real-Time Integration
00:30:48 - Why Tabletop Exercises Often Fall Short
00:31:53 - AI Roadmap and Non-Human Identities
00:34:22 - The Three Pillars: Data, Identity, and AI
00:35:29 - Deployment: SaaS vs. On-Prem
00:38:37 - Appliance Sizing and Redundancy
00:42:23 - Measuring Success for a Product You Hope to Never Use
00:43:46 - The Ludacris Rubrik Commercial
00:45:31 - Watch Collecting and the Omega Speedmaster
00:53:39 - Drew's Closing Words

KEYWORDS
Identity at the Center, IDAC, Jeff Steadman, Jim McDonald, Rubrik, Drew Russell, identity resilience, cyber resilience, Active Directory recovery, AD backup, Okta recovery, Entra ID recovery, identity backup, ITDR, ISPM, non-human identity, NHI, agentic AI, ransomware recovery, bunker in a box, immutable backup, CrowdStrike integration, Microsoft Defender integration, Mandiant integration, identity disaster recovery, ADR, zero trust, tabletop exercises, posture management, IAM, identity security podcast, cybersecurity podcast

In this MailBag episode, Jeff Steadman and Jim McDonald tackle eight questions submitted by listeners from around the world, including Munich, Sao Paulo, Singapore, Toronto, Hanoi, London, Sydney, and Chicago. The conversation covers governing AI and non-human identities, practical first steps toward passwordless adoption, what a mature IAM program actually looks like, who should own identity within an organization, building credibility with leadership as a new IAM practitioner, enforcing least privilege in practice, rethinking access reviews beyond checkbox compliance, and how to make the business case for identity security investment before a breach occurs. The episode wraps up with some lighter listener questions about sports analogies for IAM roles and whether anyone in their personal lives actually understands what they do for a living.

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com

TIMESTAMPS
00:00 - Introduction and RSA Conference debate
03:41 - Conference plans for 2026: EIC, Identiverse, and Authenticate
05:17 - MailBag intro and how questions get selected
06:51 - Q1 (Hans, Munich): Governing AI access vs. human access — same principles or a different approach?
12:32 - Q2 (Gabriela, Sao Paulo): Realistic first steps toward passwordless without disrupting everything
18:34 - Q3 (Wei, Singapore): What does a mature identity program actually look like?
30:26 - Q4 (Marcus, Toronto): When IT and security both claim to own identity, how do you sort it out?
39:33 - Q5 (Linh, Hanoi): Building credibility and influence as someone new to the IAM space
42:53 - Q6 (Claire, London): Enforcing least privilege in practice without slowing down the business
46:14 - Q7 (James, Sydney): Are access reviews just a checkbox exercise, and is there a better way?
49:18 - Q8 (Darnell, Chicago): Making the case to a CFO or CEO for identity security investment before a breach
52:38 - Lighter note: If IAM was a sport, what position would you play?
1:00:27 - Lighter note: Does your family actually understand what you do?
1:03:06 - Wrap-up and how to submit future questions

KEYWORDS
IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, IAM, identity and access management, MailBag, non-human identity, AI governance, agentic AI, passwordless, passkeys, IAM program maturity, identity ownership, RACI, least privilege, zero standing privilege, access reviews, security theater, identity security budget, business case for IAM, ISPM, IGA, IDPro, Identiverse, EIC, Authenticate conference, RSA conference, cybersecurity podcast, identity security, identity community

Jeff and Jim sit down with David Llorens, principal at RSM, to break down the RSM 2026 Attack Vectors Report. Drawing from real-world offensive security engagements, David explains why identity continues to be the primary attack surface, how AI chatbots are creating new vulnerabilities through prompt injection, and what separates organizations that get breached from those that don't. The conversation covers MFA gaps, the explosion of non-human identities, why PAM is the top investment priority for 2026, and how CISOs can align security spending with business objectives. Plus, the episode wraps up with soccer stories and some quality trash talk.

Connect with David: https://www.linkedin.com/in/david-llorens-009a3310/
Review RSM’s 2026 Attack Vectors Report: https://rsmus.com/insights/services/risk-fraud-cybersecurity/rsm-attack-vector-report.html

Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at http://idacpodcast.com
TIMESTAMPS0:00 - Intro and Jim's big personal news4:51 - Main topic intro: RSM 2026 Attack Vectors Report5:55 - David's origin story and how he got into cybersecurity9:53 - What a principal is at RSM and David's current role11:16 - What the Attack Vectors Report is and how it is created14:40 - Why identity security is a dominant theme in this year's report17:19 - What separates organizations that get breached from those that don't18:18 - MFA as the first line of defense18:45 - Privileged access management as a growing priority19:40 - Detecting lateral movement through identity anomalies21:00 - Credential rotation as an advanced defensive technique22:26 - Non-human identities and service account risks24:37 - Middle market challenges and budget constraints25:17 - Is it the size of the budget or how you spend it?28:29 - Using internal audit and cross-department collaboration for security wins30:15 - Cybersecurity as a business enabler, not a deterrent32:45 - Non-human identities and agentic AI creating new attack surfaces35:51 - Prompt injection attacks and AI chatbot vulnerabilities39:42 - Actionable recommendations for practitioners42:41 - MFA implementation gaps and session hijacking45:02 - The case for FIDO2 and layered conditional access46:35 - Is identity security a board-level issue?49:47 - Three things CISOs should focus on through 202650:52 - PAM as the top investment priority51:28 - Removing unnecessary privileges from users56:11 - Redefining what privilege means in your organization57:43 - Social media accounts as privileged access58:42 - Credentials stored in SharePoint and OneDrive59:38 - Wrap up and where to find the report59:58 - Lighter topic: David's soccer background and playing semi-pro1:05:06 - Best trash talk stories1:07:03 - Jim's trash talk philosophy: scoreboard1:08:00 - Jeff's basketball trash talk and calling his shots1:10:00 - Final thoughts and sign off
KEYWORDSIDAC, Identity at the Center, Jeff Steadman, Jim McDonald, David Llorens, RSM, attack vectors report, offensive security, penetration testing, identity security, MFA, multifactor authentication, privileged access management, PAM, non-human identities, service accounts, agentic AI, AI security, prompt injection, lateral movement, credential rotation, FIDO2, conditional access, session hijacking, middle market, CISO, board-level security, certificate-based authentication, active directory, configuration management, shadow AI

This episode is sponsored by Bravura Security. Learn more at bravurasecurity.com/idac.

This is a Sponsor Spotlight episode of the Identity at the Center podcast. Jim McDonald and Jeff Steadman are joined by Bart Allan, General Manager at Bravura Security, to discuss why enterprise password management remains a critical piece of identity security even as organizations pursue passwordless strategies. Bart shares Bravura's history dating back to 1992, starting with self-service password reset and evolving into a full identity security platform spanning identity management, privileged access management, and enterprise password management. The conversation digs into the uncomfortable truth that while organizations may get 80% of their applications onto modern authentication, the remaining 20% still rely on passwords, creating real security risk. Bart explains how treating enterprise passwords the way organizations treat privileged credentials, with automated rotation and centralized management, can remove the human element from password creation and reduce exposure to breaches and social engineering. The group also discusses help desk social engineering attacks, breach recovery challenges, deployment strategies for rolling out an enterprise password manager, and the emerging role of password managers as passkey managers for portability. The episode wraps with some outdoor adventure stories from Bart and Jim.

Connect with Bart: https://www.linkedin.com/in/bartholomewallan/

Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at idacpodcast.com

TIMESTAMPS00:00 - Introduction and welcome01:00 - Sponsor Spotlight overview and Bravura Security introduction01:52 - Bart Allan's background in identity03:30 - History of Bravura Security from 1992 to today05:39 - How the Bravura name came to be07:00 - What makes Bravura unique in the identity market08:33 - Why password management still matters09:58 - The uncomfortable truth about passwords and the 80/20 problem13:00 - Personal vs enterprise password managers16:00 - The last mile to passwordless and legacy systems19:00 - Why storing passwords is not enough without active management22:00 - Help desk social engineering and the human element25:00 - Breach response and the fog of war31:00 - Scattered spider scenarios and credential reset at scale35:00 - Is a password manager the only viable option for the final 20%?38:00 - The future of password managers as passkey managers40:00 - Tips for deploying an enterprise password manager42:45 - Measuring success with an enterprise password manager45:17 - Lighter side of the conversation begins46:00 - Bart's backcountry skiing avalanche story from Rogers Pass50:30 - Jim's lightning storm story from backpacking in Yosemite52:53 - Final thoughts from Bart on the passwordless journey54:00 - Wrap up and outro

KEYWORDSIDAC, Identity at the Center, Jeff Steadman, Jim McDonald, Bravura Security, Bart Allan, password management, enterprise password manager, passwordless, passkeys, privileged access management, identity security, help desk social engineering, breach recovery, credential rotation, self-service password reset, identity verification, IAM operations, shadow IT, FIDO, sponsor spotlight, password vault, legacy systems