The Identity Blueprint

Identity Strategy and Target State Design

Ernie Prescott Season 1 Episode 3

Season 1, Episode 3:  Identity isn't a technology problem. It's a strategy problem. And until your executive team agrees on where you're going, every platform you buy and every policy you write is just expensive guesswork.

In this episode, Ernie and Josée map out Phase 2 of the IAM engagement blueprint: Identity Strategy and Target State Design. From building an executive vision that gets the CFO to write the check, to designing a target state capability map that governs employees, contractors, and autonomous AI agents — this is the episode that turns discovery into direction.

You'll leave knowing how to design a zero-trust architecture that actually gets funded, and why skipping the decision gate guarantees failure regardless of the technology you choose.

If you're an architect ready to stop fighting fires and start building something that lasts — this is your blueprint.

Connect with Ernie Prescott on LinkedIn at linkedin.com/in/ernieprescott

SPEAKER_01

Welcome back to the Identity Blueprint, the podcast where Enterprise IAM gets the depth it deserves. I'm Ernie Prescott, Principal IAM Architect, and today Josée and I are moving from the autopsy table to the architect's desk. In episode two, we ripped apart your current state and surfaced everything hiding in the dark. The ghost accounts, the orphaned credentials, the 80-hour termination gaps. Now in episode three, Identity Strategy and Target State Design, we take everything the autopsy uncovered and build something from it. A zero trust capability map, an executive vision that actually gets funded, a business case designed to survive CFO scrutiny, and a closing paradox that will make you question everything you thought you knew about automation. If you're an IAM architect, an IT director tired of fighting fires, or a security leader trying to get a transformation funded, this is the episode that hands you the blueprint. Let's get into it. You know, usually when we talk about a medical diagnosis, there's this um this expectation of clinical precision.

SPEAKER_00

Right, like a clear-cut answer.

SPEAKER_01

Yeah, exactly. You break your arm, the x-ray shows a jagged white line, and the doctor just points to the film and says, Yeah, there's the problem.

SPEAKER_00

It's binary, broken or not broken.

SPEAKER_01

Exactly. But then you step into the world of enterprise identity and access management, and suddenly that X-ray machine is, well, it's completely broken.

SPEAKER_00

Oh, absolutely.

SPEAKER_01

We're looking at a diagnostic landscape that is entirely murky. I mean, you've got employees logging in from coffee shops, contractors using unmanaged devices.

SPEAKER_00

Third-party supply chain vendors, too.

SPEAKER_01

Right. And now, you know, thousands of AI agents swimming around the network, all requesting access to your most sensitive corporate data.

SPEAKER_00

It is the absolute definition of diagnostic muddy waters because unlike a broken bone, you know, access isn't static, it's fluid.

SPEAKER_01

It changes minute by minute.

SPEAKER_00

Exactly. And if you don't have a structured mathematical way to visualize and govern that fluidity, the entire security perimeter of an organization just well, it dissolves. Yeah.

SPEAKER_01

And that muddy diagnostic water is exactly what we are fixing today.

SPEAKER_00

We've got a lot to cover.

SPEAKER_01

We really do. We're opening up a massive stack of source material for you today. We've got the IAM program engagement blueprint, the 2025 and 2026 architectural blueprints for Microsoft Entra ID and SailPoint Identity Security Cloud, and uh the latest NIST digital identity guidelines.

SPEAKER_00

Some heavy reading there.

SPEAKER_01

Seriously. Yeah. But our mission for you today is singular. We are going to master phase two of an enterprise identity and access management or IAM transformation.

SPEAKER_00

Because phase one is always the discovery phase, right? The audit.

SPEAKER_01

The messy part.

SPEAKER_00

Yeah. That's where you look under the hood and realize wow, we have twice as many active accounts as we have human beings actually employed at this company.

SPEAKER_01

The skeletons in the IT closet. But phase two is the antidote. Phase two is strategy and target state design.

SPEAKER_00

Right.

SPEAKER_01

If you are, say, an IT director tired of fighting fires or an architect trying to get a massive security overhaul funded, this deep dive is your blueprint.

SPEAKER_00

It really is.

SPEAKER_01

We are going to translate raw business needs into an identity strategy that a CFO will actually sign a check for.

SPEAKER_00

Which is the hardest part, honestly.

SPEAKER_01

Oh, totally. We'll outline the core principles that guard the modern network and map out the specific capabilities that define enterprise security in 2026. So let's unpack this shift in mindset because identity is no longer just, you know, the IT help desk resetting your password for the fifth time this month.

SPEAKER_00

Thank goodness for that.

SPEAKER_01

Right. It is a high ROI strategic security platform.

SPEAKER_00

Uh huh.

SPEAKER_01

But the blueprint says you have to start at the top. You have to start with the executive vision.

SPEAKER_00

Yeah. Phase two fundamentally asks where do we need to be and why?

SPEAKER_01

Right.

SPEAKER_00

The blueprint is really emphatic about this. If you just start, you know, buying software licenses and plugging in tools, you will fail.

SPEAKER_01

You need a map first.

SPEAKER_00

Exactly. The architect must translate the business context into an identity strategy that the executive team can literally take ownership of. And that begins with the IAM vision statement.

SPEAKER_01

So I actually pulled the target state vision statement right from the blueprint. I'm going to read it, but I warn you, my initial reaction to this is pretty cynical.

SPEAKER_00

Let's hear it.

SPEAKER_01

Okay, here it is. Every person, workload, and device accessing our systems will be continuously verified, appropriately authorized, and fully auditable, enabling the business to move fast without accepting unmanaged risk.

SPEAKER_00

A bit of a mouthful.

SPEAKER_01

I mean, I have to call a timeout here. This sounds like corporate buzzword bingo.

SPEAKER_00

It does. I get that.

SPEAKER_01

Why does a highly technical systems architect need to sit in a conference room spending weeks wordsmithing a vision statement for executives?

SPEAKER_00

Well, engineers want to engineer. I totally get that. But let's look at the psychology of the C-suite. If you don't agree on where you are going at the executive level, the downstream technology deployment will inevitably fragment.

SPEAKER_01

Because everyone has a different idea of what success looks like.

SPEAKER_00

Exactly. Let's say an architect walks into the CFO's office and says, um, we need $2 million to implement SCIM 2.0 APIs, establish a new identity provider, and configure OAuth flows across our SaaS application stack.

SPEAKER_01

The CFO just hears IT expense.

SPEAKER_00

Right. They hear a cost center asking for a bigger budget for, like, digital plumbing they don't understand. They don't know what an OAuth flow is. They don't care about the technical protocols passing identity tickets between servers. But if that same architect walks in and says, we need to accelerate our AI enablement without taking on unmanaged risk. We need to ensure that when our business units deploy new generative AI models, they can't accidentally exfiltrate our proprietary financial data and we can prove it to our auditors.

SPEAKER_01

Oh wow. Yeah. That gets funding.

SPEAKER_00

That gets funding immediately. The vision statement is the translator.

SPEAKER_01

It bridges the server room and the boardroom. So let's look closer with the actual words in that statement, because I assume they aren't chosen at random. It says every person, workload, and device.

SPEAKER_00

Yeah. And that immediately tells the business that we aren't just talking about human employees anymore. Machines have identities now.

SPEAKER_01

Right. And then continuously verified.

SPEAKER_00

Which signals the death of the old, you know, login once in the morning and you're good all day model.

SPEAKER_01

Gotcha. And appropriately authorized implies least privilege.

SPEAKER_00

Right. You only get what you absolutely need. And fully auditable is basically music to the chief risk officer's ears.

SPEAKER_01

Because when the regulators come knocking, we have the forensic evidence.

SPEAKER_00

Exactly.

SPEAKER_01

So the vision gets the executive head nod. The CFO says, yes, I want to move fast without unmanaged risk. Here is your budget. But you can't just let the developers run wild at that point, right? You need rules to keep the architecture on track.

SPEAKER_00

Right. You need the guardrails of identity. The blueprint defines these as the strategic guiding principles.

SPEAKER_01

Which are what? Exactly.

SPEAKER_00

They're basically five to eight constraints for all future design decisions. If a vendor pitches a new shiny software tool, or say an application owner demands a security bypass to launch a product faster, you hold that request up against these principles.

SPEAKER_01

And if it violates them?

SPEAKER_00

The answer is an immediate no.

SPEAKER_01

Wow. Okay. So the first principle in the blueprint is uh it seems like the absolute foundation of the modern approach. It says identity is the primary security perimeter.

SPEAKER_00

Yes.

SPEAKER_01

This is the essence of zero trust. But let's break down why the old perimeter failed.

SPEAKER_00

So historically, the perimeter was the physical corporate network, the castle and moat model.

SPEAKER_01

Right.

SPEAKER_00

If you were inside the building, plugged into the wall or dialed into the corporate VPN, the system assumed you were a trusted employee. You were inside the castle walls.

SPEAKER_01

But the cloud completely blew up the castle.

SPEAKER_00

It leveled it. I mean, with SaaS applications hosted all over the world, remote workforces, mobile devices, the network perimeter just evaporated.

SPEAKER_01

Yeah, you can't put a firewall around a sales rep working from an airport lounge who's accessing a database hosted in an Azure data center.

SPEAKER_00

Exactly. The only thing you can reliably verify is the identity of the user or the machine trying to gain access. Identity is the new firewall.

SPEAKER_01

Which flows naturally into the second principle. Access is context-based, meaning you aren't granted access just because you type the correct password.

SPEAKER_00

Context is everything. Is the user logging in from their managed corporate-issued laptop? Is the antivirus software on that laptop up to date? Right. What time of day is it? What country are they in? Is there any impossible travel detected?

SPEAKER_01

Wait, impossible travel being like I logged in from New York at 9:00 a.m. and then my account tries to log in from Eastern Europe at 9:15 a.m.

SPEAKER_00

Exactly. Basic physics dictates you cannot travel that fast. So the context has changed drastically. Under this principle, even if the username and password are 100% correct, the access is blocked because the context indicates a compromised credential.

SPEAKER_01

That makes a lot of sense. Let's move to the third principle, and this is where I think a lot of legacy organizations really start to feel the pain of transformation.

SPEAKER_00

Oh, yeah.

SPEAKER_01

Least privilege by default. This establishes that standing access is the exception, and just in time access or JIT is the norm.

SPEAKER_00

Right.

SPEAKER_01

Let me throw an analogy at you because standing access sounds very benign, almost supportive, but it's actually incredibly dangerous.

SPEAKER_00

Let's hear the analogy.

SPEAKER_01

Okay. It's the difference between giving a plumber a master key to your house that works twenty-four hours a day, seven days a week, forever. That's standing access.

SPEAKER_00

A terrible idea.

SPEAKER_01

Right. Sure, you hired them to fix the sink on Tuesday, but they have the key on Saturday night, too. If they lose that key at a bar, anyone could pick it up and walk into your house at any time.

SPEAKER_00

Exactly.

SPEAKER_01

Contrast that with just in time access. JIT is like giving that plumber a digital smart lock code. The code only works on Tuesday, strictly between 1 p.m. and 3 p.m., and it only opens the front door and the basement where the pipes are. And then the second the job is done or the clock strikes 3:01 p.m., the code mathematically evaporates.

SPEAKER_00

The plumber analogy is perfect. And what's fascinating here is the technological mechanism that enforces that digital smart lock in the enterprise.

SPEAKER_01

How does it work?

SPEAKER_00

Well, legacy systems evaluated your access only at the point of login. The bouncer checks your ID at the door, and once you are inside the club, you can stay as long as you want and do whatever you want.

SPEAKER_01

But modern architectures, according to the 2026 Entra ID materials, use continuous access evaluation or CAE. Yes. I need you to unpack the mechanics of CAE. Yeah. Because how does a system continuously evaluate someone without slowing the network to a crawl?

SPEAKER_00

It requires a fundamental shift in how authentication tokens are handled. Historically, a system would issue an access token that lived for, say, 12 hours. Right. During those 12 hours, the application never checked back with the central identity provider, but with continuous access evaluation, the identity provider and the application establish a real-time two-way communication channel. They are constantly exchanging telemetry.

SPEAKER_01

What kind of telemetry? Like what are they looking for?

SPEAKER_00

It's looking for critical event triggers. If a risk signal suddenly changes mid-session, for instance, the telemetry shows the user's laptop just had its firewall disabled, or the user's IP address suddenly changed from a corporate subnet to an anonymous proxy server.

SPEAKER_01

Oh wow.

SPEAKER_00

Yeah, the policy engine reacts instantly. It doesn't wait for the 12-hour token to expire. It issues a revocation command in real time.

SPEAKER_01

So it just cuts them off.

SPEAKER_00

Exactly. The application instantly kicks the user out, severing the connection mid-keystroke, or it forces them to reauthenticate with a stronger method, like a physical hardware security key.

SPEAKER_01

So the smart lock doesn't just expire at 3 p.m. It kicks the plumber out at 2:15 p.m. if it detects them walking toward the master bedroom instead of the basement.

SPEAKER_00

That's it, exactly. The bouncer isn't just at the door anymore. The bouncer is walking the floor with you, watching every single move.

SPEAKER_01

That is wild. And that leads us directly to the fourth principle: auditable access. Every single access decision, every elevation of privilege, every JIT request must trace back to a documented business justification.

SPEAKER_00

Because when the forensic auditors arrive after a breach, saying, I don't know why that account had access to the financial database is a failing answer.

SPEAKER_01

Expensive, failing answer.

SPEAKER_00

Very expensive. Massive regulatory fines.

SPEAKER_01

Right. And the final two principles automation over manual process, meaning humans only handle exceptions, and one authoritative identity, which aims to eliminate the fragmentation, where you know John Smith exists as five disconnected user accounts across the enterprise.

SPEAKER_00

Which is so common. But if you are relying on human beings in the IT department to manually create accounts, assign permissions, and delete accounts when people leave, you are guaranteeing human error.

SPEAKER_01

Plus it's just slow.

SPEAKER_00

You introduce delays, and you inflate your operational costs. Automation is literally the only way to scale zero trust.

SPEAKER_01

Okay, so we have the executive vision, we have the strategic principles, we have the destination and the rules of the road. But what exactly are we building?

SPEAKER_00

Now we need the map.

SPEAKER_01

Right. The blueprint translates these rules into something called the target state capability map, and it's an imposing document. It looks like the architectural blueprints for a skyscraper.

SPEAKER_00

It really does. The capability map is where business capability modeling meets hardcore identity architecture. It does not list specific products. It doesn't say buy this Microsoft license or install this SailPoint server. It defines the capabilities the business must possess to function securely.

SPEAKER_01

Let's pull this map apart then. The first major domain focuses on workforce identity and access governance, basically the human element.

SPEAKER_00

Right. Workforce identity manages the automated joiner, mover, leaver lifecycle. The industry calls this JML.

SPEAKER_01

Joiner, mover, leaver. The three phases of an employee's life at a company. Let's put a face to this to make it tangible. Let's say we have an employee, Sarah. She joins the marketing department.

SPEAKER_00

So as a joiner, Sarah needs access to function on day one. Historically, she would sit at an empty desk for a week waiting for IT tickets to clear.

SPEAKER_01

We've all been there.

SPEAKER_00

Exactly. But under the capability map, the moment HR enters her into the system, the identity fabric triggers birthright access.

SPEAKER_01

Birthright access, yeah.

SPEAKER_00

She automatically receives an email account, access to the marketing Slack channels, and a license for design software. It is zero touch provisioning.

SPEAKER_01

That's amazing. And as a part of that workforce identity pillar, the map mandates phishing resistant MFA. This is a pretty big shift. Yeah. We are moving away from having like a six-digit code texted to your phone. Why are SMS texts no longer considered secure?

SPEAKER_00

SMS texts are incredibly vulnerable to SIM swapping attacks and basic man-in-the-middle phishing.

SPEAKER_01

How so?

SPEAKER_00

Think about it. If I build a fake login page that looks exactly like your corporate portal, you type in your password, and then the page asks for your text message code, you type that in too. I capture both on my fake page and I log in as you on the real page.

SPEAKER_01

Oh wow. Yeah, that's scary. But how does that stop the fake login page?

SPEAKER_00

The cryptographic key physically checks the domain name of the website it is interacting with. Oh, I see. So if the key sees that the website is um Microsoft dash login update.com instead of the actual authentic domain, the hardware key simply refuses to transmit the cryptographic challenge. The human can be tricked by a fake web page, but the cryptography cannot.

SPEAKER_01

I love that. Taking the human gullibility completely out of the equation. But let's go back to our employee Sarah. She joined marketing, she has her hardware key. Six months later, she gets promoted and transfers to the enterprise sales team.

SPEAKER_00

The mover phase.

SPEAKER_01

Right, the mover phase. And based on historical breach data, the mover phase is where organizations accumulate massive amounts of hidden risk, right? The permissions creep.

SPEAKER_00

It is a systemic vulnerability. When Sarah moves to sales, the IT department is very quick to grant her access to the Salesforce database because she needs it to do her new job.

SPEAKER_01

Of course.

SPEAKER_00

But IT rarely remembers to remove her access to the marketing social media accounts. Over five years, an employee might change roles three times. They accumulate a toxic, overlapping combination of access rights.

SPEAKER_01

And that introduces the governance domain of the capability map. Periodic access reviews, entitlement management, and enforcing separation of duties.

SPEAKER_00

Separation of duties, or SOD, is critical here. The system must automatically ensure that the person who submits a massive purchase order to a vendor is never the exact same person who has the system authority to approve that payment.

SPEAKER_01

Right. That's basic fraud prevention.

SPEAKER_00

Exactly. If Sarah accumulated access from two different roles that allowed her to both submit and approve, that is a catastrophic compliance violation.

SPEAKER_01

So to achieve this flawless JML lifecycle at an enterprise scale in 2026, the architectural blueprints advocate for a specific design pattern called strategic coexistence. Yes. It essentially states that one vendor cannot solve everything. Many of the largest enterprises use Microsoft Entra ID as the primary identity provider, or IdP, alongside SailPoint Identity Security Cloud, serving as the identity governance and administration or IGA engine.

SPEAKER_00

It's an acknowledgement of architectural reality, really. Entra ID is deeply embedded into the Microsoft and Azure ecosystem. It excels at the real-time access enforcement, that continuous access evaluation we discussed earlier.

SPEAKER_01

It is the intelligent front door.

SPEAKER_00

Exactly. SailPoint, conversely, manages the incredibly deep, complex compliance requirements. It handles the cross-platform role mining, the automated SOD checks, and the vast compliance reporting required by federal regulators.

SPEAKER_01

So they work together.

SPEAKER_00

Right. They coexist, constantly passing data back and forth to create a unified fabric.

SPEAKER_01

I want to stop here and look under the hood of how they actually pass that data, because the manual provisioning of these accounts is what causes the risk in the first place.

SPEAKER_00

Absolutely.

SPEAKER_01

The source documents detail that this coexistence relies heavily on Entra ID's SCIM 2.0 inbound provisioning APIs. Yes. I have to admit, SCIM 2.0 inbound provisioning API is about as dense as technical jargon gets. Walk me through the actual mechanism. If the HR system changes Sarah's title from marketing to sales, how does the IT infrastructure know to revoke her old access without a human submitting a ticket?

SPEAKER_00

Okay, so SCIM stands for the System for Cross-domain Identity Management. Think of it as a universal translator for identity data.

SPEAKER_01

Oh, a universal translator.

SPEAKER_00

When the HR system, let's say Workday, updates Sarah's profile, Workday generates a specific data package. Because we are using the SCIM protocol, SailPoint constantly listens for these standardized packages.

SPEAKER_01

Okay, so SailPoint sees the change. What does it do then?

SPEAKER_00

SailPoint has the master map of what a sales role requires versus a marketing role. It recalculates her access instantaneously. Wow. It identifies that she needs Salesforce but must lose access to the Adobe Creative Cloud. SailPoint then uses that same SCIM protocol to send a direct machine-to-machine command to Entra ID.

SPEAKER_01

Telling it what to do.

SPEAKER_00

Right. It says remove Sarah from the marketing security group, add Sarah to the sales security group. Entra ID executes the change and the downstream applications update.

SPEAKER_01

Just like that.

SPEAKER_00

Groups are updated, old access is revoked, new access is granted, the help desk didn't get a single ticket, central IT didn't lift a finger, it happens in milliseconds.

SPEAKER_01

That automation closes the window of vulnerability so fast. I mean, if it takes three weeks for a help desk ticket to be processed to remove her marketing access, that is three weeks where her account, if compromised, has a massive blast radius.

SPEAKER_00

Exactly. Automation shrinks that window to zero.

SPEAKER_01

So we've spent all this time locking down the human employees. But if a sophisticated hacker realizes that human accounts are now protected by phishing resistant hardware keys and continuous evaluation, where do they go next?

SPEAKER_00

They follow the path of least resistance.

SPEAKER_01

Which brings us to the second domain of the capability map: external, privileged, and non-human identities.

SPEAKER_00

Because the fastest growing attack surface in the modern enterprise isn't human at all.

SPEAKER_01

Let's break these down. First, external identity, often called CIAM, customer identity and access management. This is like B2B partners, external supply chain vendors, logistics contractors.

SPEAKER_00

Right. You absolutely do not want a third-party vendor sitting inside your internal employee active directory.

SPEAKER_01

That mixes your core trusted users with external variables.

SPEAKER_00

Exactly. But you still need to govern their access strictly. CIAM platforms allow organizations to securely collaborate with outsiders while maintaining a strict logical boundary.

SPEAKER_01

Basically, keep the guests in the guest house, but still make sure the smart locks on the guest house doors work perfectly.

SPEAKER_00

That's a good way to look at it.

SPEAKER_01

Then we have privileged access management or PAM, the keys to the kingdom.

SPEAKER_00

We use the term blast radius a lot in architecture. If a standard marketing employee gets hacked, the attacker might be able to read some emails or access a departmental file share. The blast radius is contained.

SPEAKER_01

But if an admin gets hacked.

SPEAKER_00

If a global administrator or a cloud infrastructure engineer gets hacked, the attacker can literally delete the entire company's cloud hosting environment. The blast radius is apocalyptic.

SPEAKER_01

So how does the capability map govern these superusers? You can't just revoke their access. They literally need it to keep the servers running.

SPEAKER_00

You eliminate standing administrative privileges.

SPEAKER_01

Okay.

SPEAKER_00

Using PAM solutions like CyberArk or Entra PIM, the architect designs a system where the admin logs in every day as a standard unprivileged user.

SPEAKER_01

Just like everyone else.

SPEAKER_00

Exactly. If they need to restart a critical server. They must request temporary elevation. That request is verified, often requiring a secondary approval from another human. Okay. Once approved, the system grants them admin rights for a strictly time-bound window, say 60 minutes. Furthermore, that entire 60-minute session is actively recorded.

SPEAKER_01

Wait, recorded?

SPEAKER_00

Literally, a video screen capture of every mouse click and keystroke. When the 60 minutes expire, the privilege is automatically stripped away.

SPEAKER_01

So a hacker who steals that admin's daily password only gets standard user access. They can't access the server without triggering the elevation request, which requires hardware MFA and approvals.

SPEAKER_00

It's a brilliant choke point.

SPEAKER_01

It really is. But external vendors and IT admins are still humans. The third pillar here, workload identity. This feels like the wild west of enterprise architecture. We're talking about managing machine identities.

SPEAKER_00

This is the most urgent challenge facing the industry right now. In a mature enterprise, for every one human employee, you might have 40 or 50 machine identities.

SPEAKER_01

That many.

SPEAKER_00

Oh, yeah. These are automated scripts talking to SQL databases, microservices authenticating against APIs, and background cron jobs running financial calculations.

SPEAKER_01

How are these governed in the past?

SPEAKER_00

Terribly, honestly. Developers would simply hard-code passwords or static API keys directly into the software code to make the systems talk to each other. Yikes. If a hacker breached a server and found that plain text API key, they had permanent unmonitored access to the database.

SPEAKER_01

A total security nightmare. And now the source documents indicate we are injecting generative AI into this already chaotic mix. The blueprint calls this the era of shadow AI.

SPEAKER_00

Do you remember Shadow IT?

SPEAKER_01

Yeah, that was the era when business units got frustrated with how slow IT was, so a marketing director would just put a new SaaS application on their corporate credit card.

SPEAKER_00

Exactly. Security had no idea it existed, but corporate data was flowing into it.

SPEAKER_01

Right. And shadow AI is the 2026 equivalent.

SPEAKER_00

Completely. Business units are rapidly deploying autonomous AI agents to parse unstructured data, summarize meetings, call external web services, and automate complex workflows.

SPEAKER_01

They're basically little digital employees.

SPEAKER_00

Right. These agents are acting autonomously on behalf of the human users. They have identities, they require access rights to function, but if the security architecture doesn't officially register them, they are unmanaged, ungoverned vulnerabilities operating at machine speed.

SPEAKER_01

So if an AI agent has access to the finance directory to summarize reports, and a hacker injects a prompt into that AI, the AI could instantly exfiltrate the entire directory.

SPEAKER_00

In seconds.

SPEAKER_01

How have the major platforms responded to this?

SPEAKER_00

Microsoft's architecture is attacking this via the Agent 365 ecosystem, specifically utilizing something called agent ID.

SPEAKER_01

Agent ID.

SPEAKER_00

The paradigm shift is that an AI agent must be treated as a first class identity. It gets an agent ID and it is brought under the exact same rigorous governance, conditional access policies, and lifecycle management as Sarah in the marketing department.

SPEAKER_01

Wait, I have to push back here. How do you actually govern a piece of code? What do you mean? Let's go back to the human example. If Sarah needs access to a restricted financial folder, she clicks a button. The system routes the request to her manager. The manager looks at it and says, Yes, Sarah needs this for the Q3 campaign and clicks approve. Right. But an AI agent doesn't have a human manager in the traditional sense. It's code. How do you govern an access request from an autonomous bot operating at thousands of actions per second? Doesn't that just create a massive flood of false positives with human managers clicking approve all day long until they just ignore the alerts?

SPEAKER_00

That is the exact trap legacy systems fall into. You cannot use human speed governance for machine speed identities. Alert fatigue will destroy the security posture.

SPEAKER_01

So what's the solution?

SPEAKER_00

The answer, according to the architecture, lies in systems like the SailPoint Adaptive Identity Framework.

SPEAKER_01

Unpack that framework for me. What is the mechanism behind it?

SPEAKER_00

SailPoint recognized that static manual rules fail against AI. So their adaptive identity framework relies on its own AI services and machine learning to establish a behavioral baseline.

SPEAKER_01

Okay, so it watches the bot.

SPEAKER_00

It performs continuous anomaly detection by ingesting massive amounts of telemetry. It monitors the volume of API calls the agent makes, the specific subnets it originates from, the time of day it usually operates, and the exact classifications of data it normally touches.

SPEAKER_01

For that specific bot.

SPEAKER_00

Precisely. Let's say our financial summary AI agent normally accesses 20 PDF documents a day from a specific internal SharePoint site.

SPEAKER_01

That's its normal day.

SPEAKER_00

Right. One day, that exact same AI agent suddenly requests access to a massive trove of European customer privacy data stored in a different cloud environment, and it requests it at 3 a.m.

SPEAKER_01

A massive deviation from the baseline.

SPEAKER_00

Huge. The AI governance framework flags the anomaly instantaneously. Using dynamic workflow infrastructure, it doesn't just blindly grant the access because the bot has the right API key.

SPEAKER_01

It blocks it.

SPEAKER_00

It automatically blocks the request. Or if the confidence level is ambiguous, maybe it's quarter-end and behavior patterns naturally shift. It routes the request along a dynamic approval path.

SPEAKER_01

So it does escalate it sometimes.

SPEAKER_00

Yes. It sends a highly contextualized alert to a human security officer. Agent X is exhibiting a 92% deviation from its baseline behavior and is requesting restricted PII data. Approve or deny.

SPEAKER_01

So the AI governance platform acts as the highly intelligent manager for the AI agents, filtering out the noise and only escalating to human oversight when the machine mathematically detects an anomaly it can't resolve. You are literally fighting AI with AI.

SPEAKER_00

Machine speed threats require machine speed defense and governance. Humans simply cannot calculate the risk matrix fast enough.

SPEAKER_01

Which is mind-bending, but it perfectly transitions us into the final domain of the target state capability map. This level of advanced oversight requires incredible visibility. You can't govern what you can't see.

SPEAKER_00

Absolutely not.

SPEAKER_01

And that brings us to the brain of the operation: identity analytics and the underlying NIST risk frameworks.

SPEAKER_00

We've talked about the doors, the locks, and the bouncers. Now we are talking about the security cameras, the analytics engines, and the architectural standards that tie them all together.

SPEAKER_01

The map highlights identity analytics. Yeah. And specifically the concept of a permissions creep index. I want to know exactly how this is calculated, because in the past, an auditor would look at a spreadsheet and ask a department head, does this user have too much access? And the department head would just, you know, guess.

SPEAKER_00

It was entirely subjective. The permissions creep index removes the guesswork. It is a quantifiable algorithmic metric.

SPEAKER_01

How does it calculate it?

SPEAKER_00

The system analyzes every single digital entitlement a user holds across the entire enterprise. It then cross-references those entitlements against the user's actual verified usage logs over a rolling window, usually the last 90 days.

SPEAKER_01

It compares what you can do with what you actually do.

SPEAKER_00

Yes. But it goes a step further through peer group analysis. The algorithm looks at the other 50 employees in the exact same role. If Sarah has 500 discrete permissions, but the telemetry shows she only actively uses 12 of them, and her peers only have 15 permissions total, her index score spikes into the critical zone.

SPEAKER_01

Because she has way too much access compared to what she needs.

SPEAKER_00

Exactly. It is a mathematical, data-driven mechanism to enforce the principle of least privilege. The system can then automatically suggest revoking the 488 unused permissions.

SPEAKER_01

How does a graph database differ from what administrators used to look at?

SPEAKER_00

Traditionally, administrators looked at a flat list view. Think of a standard SQL database or an Excel spreadsheet.

SPEAKER_01

Just rows and columns.

SPEAKER_00

Right. It's linear. User A is a member of group B. Group B has access to folder C. That's easy to read. But modern enterprise architecture is not linear. It's messy. It is a massive tangled web of nested groups, inherited permissions, localized administrative roles, and overlapping trust relationships.

SPEAKER_01

Right. A flat list doesn't show you the chain reactions. If I look at a flat list, I'm going to see that user A only has basic access to a testing server.

SPEAKER_00

But what the flat list hides is that user A is a member of a nested group, which is granted localized admin rights to that testing server.

SPEAKER_01

Oh, I see where this is going.

SPEAKER_00

And that testing server inadvertently shares an active trust relationship with the primary production database. Therefore, user A effectively has administrative rights to the production database through a hidden multi-hop pathway.

SPEAKER_01

It's like the six degrees of Kevin Bacon, but for cyber vulnerabilities.

SPEAKER_00

That is an excellent analogy. The SailPoint identity graph uses graph database technology, nodes and edges, to visually map all of those hidden multi-hop privilege pathways. They can literally see the blast radius. They can identify a toxic access path that spans six different nested groups and remediate it instantly. In a standard spreadsheet, that vulnerability is completely invisible until a hacker exploits it.

SPEAKER_01

That visual observability is crucial. Running parallel to all this technology, the architect must ensure the system complies with federal standards.

SPEAKER_00

Right. Compliance is non-negotiable.

SPEAKER_01

The blueprint leans heavily on the NIST SP 800-63 Digital Identity Guidelines. And the recent revisions to this framework fundamentally change how architects evaluate risk.

SPEAKER_00

NIST 800-63 is the gold standard for digital identity risk management. And you're right, the recent unbundling of assurance levels was a massive paradigm shift.

SPEAKER_01

Let's explore that. In the older versions, there was a single concept called level of assurance, or LOA. It was just a scale from LOA1 to LOA4. If a system was high risk, it was LOA4. Why did NIST dismantle that?

SPEAKER_00

Because a single monolithic number was too rigid. It forced organizations to implement terrible user experiences in the name of blanket security. Let's imagine a federal agency that needs extremely high confidence in who someone is before they open a case file. But the actual daily transaction of checking the status of that file is low risk.

SPEAKER_01

Okay, that makes sense.

SPEAKER_00

Under the old LOA model, if the overall system was rated high, the agency was forced to make the user log in with a complex cryptographic smart card every single time they wanted to check a web page.

SPEAKER_01

Just to check a status.

SPEAKER_00

Right. It was massive overkill, incredibly expensive, and users hated it.

SPEAKER_01

So NIST unbundled the risk into three separate independent components. IAL, AAL, and FAL. Let's define these.

SPEAKER_00

First is IAL, identity assurance level. This strictly refers to the proofing process, the onboarding.

SPEAKER_01

Like proving who you are.

SPEAKER_00

Exactly. How confident are we that the human being creating the account is who they claim to be in the physical world? IAL 1 is entirely self-asserted. You type in a name, we believe you.

SPEAKER_01

And IAL 2.

SPEAKER_00

IAL2 requires remote evidence like uploading a scan of a driver's license and a selfie, which software compares. IAL 3 is the highest. It requires strict in-person physical presence, handing a biometric passport to a highly trained verification officer.

SPEAKER_01

Okay, so IAL is just about proving who you are on day one. What is the second component?

SPEAKER_00

AAL, Authenticator Assurance Level. This is the daily login process. AAL1 might be a standard password or a PIN. AAL2 requires multi-factor authentication, something you know and something you have, like a time-based code on your phone. AAL3 requires a physical cryptographic hardware token bound to the device.

SPEAKER_01

And the final piece.

SPEAKER_00

This evaluates the cryptographic strength of the assertion protocol, like SAML or OpenID Connect, that passes the authentication ticket between the identity provider and the downstream application.

SPEAKER_01

Just making sure it's secure in transit.

SPEAKER_00

Right. It ensures the ticket can't be intercepted or manipulated.

SPEAKER_01

So if you're an IT director listening to this, why does this unbundling actually matter to your daily life?

SPEAKER_00

I think it matters because it allows you to mix and match the security controls based on the specific, nuanced risk of the transaction rather than applying a blunt instrument to everything.

SPEAKER_01

Exactly. And we give you a really powerful privacy-enhancing scenario.

SPEAKER_00

Let's hear it.

SPEAKER_01

Imagine an organization that runs a highly sensitive whistleblower portal. The organization must absolutely guarantee that the person submitting the data is an active, verified federal employee. They require IAL 3 strict, in-person physical proof of your identity at a central office.

SPEAKER_00

But if they tie your real verified name to your login every time you access the portal, you aren't anonymous anymore. The whistleblowing is compromised. Right. By unbundling the standards, the architect can solve this. They verify the human at IAL3. But once verified, the system issues a pseudonymous digital credential. Oh, that's clever. When the user logs into the online forum from home, they don't broadcast their real name. They just broadcast that they are a verified entity. And the architect can protect that daily login with standard MFA.

SPEAKER_01

So you separate the proof from the daily login.

SPEAKER_00

You have completely separated the heavy physical proof of identity from the daily authentication mechanism. You protect the user's anonymity and privacy while mathematically maintaining the integrity of the system.

SPEAKER_01

It's elegant. It's really nuanced risk management. So we've mapped out a beautiful, airtight, AI-powered future state. We have the executive vision, the zero trust principles, the capability map governing humans and machines, the deep analytics, and the NIST frameworks guiding the risk. It is an enterprise architect's absolute dream.

SPEAKER_00

It is a phenomenal blueprint.

SPEAKER_01

But there is a massive reality check waiting at the end of phase two. None of this. Not the hardware keys, not the SCIM 2.0 provisioning, not the AI anomaly detection. None of it happens if the business won't write the check.

SPEAKER_00

That is a harsh reality. You can design the most sophisticated identity graph in the world, but if the software licensing and implementation costs are $5 million, and you cannot articulate the financial return on that investment, the project is dead in the water.

SPEAKER_01

Which brings us to the final hurdle: the business case and the decision gate. Surviving CFO scrutiny. The blueprint outlines how to build the business case around four specific value levers: risk reduction, operational efficiency, compliance cost avoidance, and business enablement.

SPEAKER_00

Those are the four pillars of ROI here.

SPEAKER_01

Let's break those down. How do you quantify risk reduction? That always feels like trying to prove a negative to an executive. Like, hey, we didn't suffer a ransomware attack this year, so my expensive software worked.

SPEAKER_00

It requires an actuarial mindset. You don't deal in hypotheticals, you deal in probabilities and historical data.

SPEAKER_01

Okay, how so?

SPEAKER_00

You calculate the average cost of a credential compromise in your specific industry. You factor in legal fees, regulatory fines, lost operational revenue during downtime, customer churn, and potential ransomware payouts. Let's say, based on industry reports, the average cost of a breach for your sector is $6 million, and your historical data shows your company faces a high probability incident every three years.

SPEAKER_01

So you have a baseline risk cost of $2 million a year.

SPEAKER_00

Correct. If your proposed target state architecture, specifically implementing phishing-resistant MFA and the continuous access evaluation we discussed, reduces the mathematical probability of successful account takeover by 90%, you can assign a hard dollar value to that risk reduction.

SPEAKER_01

Oh, I see.

SPEAKER_00

You are buying a highly effective insurance policy.

SPEAKER_01

That makes sense. To a CFO, it's risk math. What about the second lever, operational efficiency? That feels much easier to calculate because it's tangible labor.

SPEAKER_00

It is entirely tangible. You look at the current labor costs within the IT department. How many hours a week does the help desk spend manually verifying users over the phone and resetting passwords?

SPEAKER_01

Probably hundreds.

SPEAKER_00

How many hours are spent manually provisioning accounts for the 200 new employees hired every month? You multiply those hours by the fully burdened hourly labor rate of the IT staff.

SPEAKER_01

And then compare it.

SPEAKER_00

When you implement SailPoint and Entra ID to automate the entire joiner-mover-leaver process via SCIM 2.0, those labor costs plummet to near zero. You reclaim thousands of hours of highly paid engineering time. That is direct, measurable operational savings.

SPEAKER_01

And the third lever, compliance cost avoidance.

SPEAKER_00

Preparing for a federal audit like SOX or HIPAA manually is agonizing. It takes cross-functional teams of people, weeks, sometimes months, to pull spreadsheets, verify access logs, and prove to auditors that separation of duties was maintained.

SPEAKER_01

It's a huge drain on resources.

SPEAKER_00

Furthermore, if the auditors find gaps, if they find that toxic combination of access we discussed earlier, the remediation costs and regulatory fines can be staggering.

SPEAKER_01

So automation fixes that.

SPEAKER_00

By deploying automated SOD checks and continuous compliance reporting, you avoid the fines entirely and you drastically reduce the internal labor required to facilitate the audit itself.

SPEAKER_01

And finally, business enablement. This is the one lever that actually accelerates the business making money rather than just protecting it or saving it.

SPEAKER_00

Exactly. Time is money. If a highly specialized software engineer is hired at $180,000 a year and the legacy IT process takes three weeks to grant them the necessary access to the code base and development servers, the company just wasted over $10,000 of raw productivity.

SPEAKER_01

They're just sitting there.

SPEAKER_00

If your automated IAM architecture gets them fully provisioned and coding on day one, you are actively enabling the business to hit its product deadlines faster. Similarly, if your external identity CIM solution makes it frictionless for a supply chain partner to log in, onboard themselves, and place bulk orders, you are directly accelerating revenue.

SPEAKER_01

And the data backs up this financial narrative. The SailPoint 2025 report cited in our sources provides some phenomenal empirical statistics on this. They found that IAM consistently delivers twice the return on investment of other generalized security domains.

SPEAKER_00

And it goes even further for mature organizations. For enterprises that treat identity strategically, meaning they have progressed beyond basic password management and integrated the advanced AI governance and adaptive trust frameworks we mapped out today, they report ROI multiples of up to 10x.

SPEAKER_01

When you put that multiple in front of a CFO, alongside the actuarial risk reduction, the funding gets approved.

SPEAKER_00

But you must package it correctly. Which brings us to the formal deliverables that close out phase two. The architect cannot just walk in with a slide deck. They must present the formal IAM strategy document, the comprehensive business case we just modeled, the conceptual target state architecture blueprints, and a granular gap analysis showing exactly where the organization's technical debt is today versus the 2026 standard.

SPEAKER_01

All this culminates in what the Blueprint calls the decision gate.

SPEAKER_00

The decision gate is the ultimate test of the architect's ability to align deeply complex technology with cold, hard business reality. You present the strategy, the capability map, and the financial case to the executive steering committee.

SPEAKER_01

And if they say no.

SPEAKER_00

If executive sign-off and most importantly budget commitment are not achieved at this exact point, the architect must stop the project.

SPEAKER_01

Wait, stop entirely. You don't just proceed with a smaller pilot program to prove the concept.

SPEAKER_00

No. The blueprint is emphatic and uncompromising on this point. You cannot build a downstream enterprise-wide architecture on an unfunded or unapproved strategy. Why not? If you try to hack together a solution using only half the budget, you will deploy a fragmented system that introduces more vulnerabilities than it solves. If you don't pass the decision gate, you must go back to the drawing board, rescope the strategy, and align it with the reality of what the business is willing to support. Moving to phase three without passing this gate guarantees a failed program.

SPEAKER_01

That is a stark, almost brutal discipline, but it makes perfect sense. You cannot build a massive skyscraper if the client only funded a residential foundation. Well, we have covered an immense amount of ground today. We started in the murky, diagnostic, muddy waters of phase one, looking at a shattered perimeter. We mapped out the path to absolute clarity. We explored the necessity of translating technical protocols into an executive vision statement that bridges the server room and the boardroom. We established the strategic guardrails, recognizing that identity is the new firewall, and the continuous access evaluation must replace the static bouncer at the door.

SPEAKER_00

We unpacked a massive interconnected target state capability map, too.

SPEAKER_01

Yes, we explored how Entra ID and SailPoint coexist using protocols like SCIM 2.0 to automate the human lifecycle, shrinking the window of vulnerability to zero. And we tackled the explosive new frontier of workload identities, detailing how adaptive AI frameworks provide machine speed governance over autonomous AI agents.

SPEAKER_00

It's a whole new world.

SPEAKER_01

It really is. We looked at the intelligence engine, the mathematical rigor of the permissions creep index, the visual observability of the identity graph, and the nuanced privacy-enhancing unbundling of NIST's IAL, AAL, and FAL frameworks. And we wrapped it all up in a rock solid, mathematically defensible business case designed to survive the ultimate test of the CFO's decision gate. It really is a masterclass in modern enterprise architecture.

SPEAKER_00

It's the blueprint for the future.

SPEAKER_01

But before we sign off, I want to leave you with a final provocative puzzle to mull over. Something that builds on the very foundation of everything we've discussed today. We spent a significant amount of time praising automation, specifically automating the entire identity lifecycle based on an authoritative source, usually the HR system like Workday or SAP.

SPEAKER_00

Right, the zero touch engine.

SPEAKER_01

Zero touch engine.

SPEAKER_00

It is the absolute pinnacle of operational efficiency and risk mitigation.

SPEAKER_01

But consider this scenario. What happens to this beautiful, mathematically perfect, zero trust architecture if the HR system itself is compromised by a malicious insider?

SPEAKER_00

Oh wow.

SPEAKER_01

What if a disgruntled HR administrator or a sophisticated attacker who hijacked an HR account simply logs into Workday and changes a user's department code from janitorial staff to executive finance manager? The system would just execute it. Exactly. If the ultimate authoritative source of truth tells a lie, your perfectly designed automation engine won't catch it. It will simply execute that lie at enterprise scale. It will obediently and flawlessly grant toxic administrative access across every downstream financial application in milliseconds.

SPEAKER_00

That is the ultimate paradox of identity automation. The faster and more efficiently you can provision access, the faster you can provision a catastrophic breach if the root source of trust is poisoned.

SPEAKER_01

Remember our opening metaphor. We wanted to build a high-resolution X-ray machine for identity to replace the muddy waters. We succeeded. But if the actual film inside the X-ray machine is corrupted at the source, the clear diagnosis you get is worse than useless. It's actively misleading. It forces us to ask a terrifying question: in a fully automated machine speed world, who is guarding the ultimate source of truth? Thank you for joining us on this deep dive. Keep questioning your digital perimeters, keep exploring the architecture, and we'll see you next time. That's a wrap on identity strategy and target state design. But before you go, sit with the question we left you with. In a fully automated, machine speed identity architecture, who is actually guarding the source of truth? Because in episode four, that question gets darker. We're going to show you exactly what happens when an organization buys a world-class identity platform, deploys it flawlessly, and still fails catastrophically. Not because the technology was wrong, because the governance wasn't there first. If you think IAM is a procurement exercise, episode four will change how you see this discipline permanently. Connect with me on LinkedIn at linkedin.com/in/ernieprescott, and subscribe now so you don't miss it. Until next time.