What's Up with Tech?
Tech Transformation with Evan Kirstel: A podcast exploring the latest trends and innovations in the tech industry, and how businesses can leverage them for growth, diving into the world of B2B, discussing strategies, trends, and sharing insights from industry leaders!
With over three decades in telecom and IT, I've mastered the art of transforming social media into a dynamic platform for audience engagement, community building, and establishing thought leadership. My approach isn't about personal brand promotion but about delivering educational and informative content to cultivate a sustainable, long-term business presence. I am the leading content creator in areas like Enterprise AI, UCaaS, CPaaS, CCaaS, Cloud, Telecom, 5G and more!
Identity Security After RSAC 2026
Identity is where the fight is moving fastest, and RSAC 2026 proved it. Fresh off the show floor, we sit down with Jim Taylor, President, Chief Product and Strategy Officer at RSA Security, to break down what’s truly changing in identity security as AI reshapes both the threat landscape and the defenses enterprises rely on.
We dig into why “sovereign” and “deploy anywhere” identity deployments are suddenly mission critical. Cloud convenience can quietly trade away resiliency and control, and recent disruptions show how quickly authentication outages can become business outages. Jim explains what customers are asking for now: the same identity platform capabilities whether it runs as SaaS, in a private cloud, on-prem, or in highly constrained environments where failure is not an option.
Then we get practical about modern identity attacks beyond phishing. If passkeys and phishing resistant MFA harden the front door, attackers pivot to the session with token theft, adversary-in-the-middle scams, and help desk bypass that exploits people and process. We also explore agentic AI and the rise of non-human identities, including how to inventory agents, set entitlements, and apply identity governance so “mini workers” don’t inherit unlimited permissions.
We close with a grounded take on passwordless authentication as a step-by-step journey and what we hope the industry looks like by RSAC 2027 and 2028. If this helped you rethink IAM strategy, subscribe, share with your security team, and leave a review. What identity risk are you most worried about right now?
RSAC 2026 And Identity Stakes
SPEAKER_00: Hey everybody, fresh off of RSAC 2026, we're diving into what's actually changing in identity security from sovereign deployments to AI-driven threats and so much more and what it means for the enterprise trying to stay one step ahead. Jim, how are you?
SPEAKER_01: I'm doing great, Evan. How are you? Did you enjoy the show?
Jim Taylor On RSA’s Mission
SPEAKER_00: Yes. You know, it's very busy times. So still trying to catch up. Before that, maybe introduce yourself and your journey to RSA Security and what you're up to there these days.
SPEAKER_01: Yeah, sure, absolutely. So uh Jim Taylor, official title, president, chief product and strategy officer for RSA Security, uh, horrendously long title. Uh, what it really means is I'm the techie. So uh I've spent all of my life, all of my career, 25 plus years. I know I don't look it uh in uh cyber, particularly focused around identity privilege, a little bit of network and endpoint, but you know, the vast majority, 89% of my life uh in cyber focused in the identity space. So uh worked for just about every company out there. Uh I won't I won't list them, you can go look them up, but uh always been on the product, the technical side. So my journey uh into RSA really began four and a bit years ago when RSA uh was acquired and exited Dell and became an independent company again. I like to say we reclaimed our own identity at that point. Um, and really it was uh, you know, my job as the chief cook in the kitchen was to uh return RSA to its roots of being an innovator and a pioneer. And, you know, luckily the world uh complied and was very helpful by ushering in a new technology frontier around the same time. So, you know, lots of very cool and exciting and innovative stuff for us to do. And so, you know, I'm uh I'm a techie that works for, you know, probably one of the best security brands in the industry who's known for innovating and pioneering. So I get to do what I love all day, and they pay me, the fools.
The Show Shifts Toward Security
SPEAKER_00: Wow, what a wonderful introduction. Well, look, RSAC just wrapped. It's off top of all our minds. What was your biggest takeaway or takeaways? What did you hear loud and clear from customers, from partners, others?
SPEAKER_01: Yeah, I mean, other than the fact that it's no longer a cyber show and has become entirely an AI show, you you know, the elephant in the room. Um, no, I think it was actually a really good show this year. It was very interesting. It was a lot of energy. Uh, whenever there's a big shift or a big change in the technology, in that dynamic, you tend to find, you know, the water cooler, the barroom, the restaurant conversations are a lot more heated and animated. And so the world has dramatically changed over the last few years, and so is the threat landscape. The uh velocity of the change in technology, particularly with things like AI, but not just AI, is really impacting, you know, cyber. I would say there was the the biggest kind of cultural shift I saw was that the show is very much more security focused and security-oriented than it was before. Maybe a strange thing to say because it's a security show, but it used to be a lot about convenience and implementation and those kinds of things. But I think the world has become quite a scary place, and RSA was really abuzz about what to do about that. Um, so good to see in some respects that it's being taken a lot more seriously and there's a lot more energy in the room than there used to be.
SPEAKER_00: Indeed. And you had so many announcements. One in particular was the ID Plus sovereign deployment announcement. Um, what does that mean in practice? Deploy anywhere. Why why is it so mission critical at the moment?
SPEAKER_01: Yeah, I think that that really lines up with my previous answer, right? I mean, the world has become a scary place, and we're seeing new threats, new threat vectors. Um, I mean, just looking at what's been going on, you know, in the Middle East a couple of weeks ago, you know, critical infrastructure's been hit by missiles and shrapnel, and you know, various uh hyperscaler cloud infrastructure has gone down, and that's affected real businesses like banks unable to operate, for example, right? You know, I'm avoiding naming names because it's uh, you know, something that could happen to any of us. We saw, you know, over the last 12 months critical infrastructure go down. You know, I will name CrowdStrike, but the CrowdStrike uh events really make people kind of stop and think. And I think over time, over the last sort of five or six years, technology as an industry, we've been giving control to the SaaS vendors, to infrastructure as a service, you know, to Azure, AWS, GCP, you know, name your cloud of choice. Why? Because it's convenient to have them do some of the work. It's, you know, cost effective to not have to buy and manage those server rooms. It's, you know, easier for me to manage my stuff if I don't have to have so many IT staff on hand to manage my own data center. But I think what's happened is we is all of that has come into focus, and people have realized, hey, I'm giving up control. I'm giving up resiliency, I'm giving up having my destiny in my own hands. Essentially, I'm putting my destiny in somebody else's hands and I'm crossing my fingers and I'm really hoping that they do a really, really good job. So, what our customers have been telling us, and you know, we at RSA pride ourselves on securing the most secure, you know, we live in the part of identity where failure is just not an option, right? If we go down, really, really bad stuff happens.
So we've always taken that kind of view that minimal acceptable uptime for us is anything slightly north of 100%. Um, you know, that's the kind of world that we live in. So our customers have been saying, we need some of that control back, but what we don't want to do is sacrifice capability, which is the traditional model, right? If it's a SaaS company and they have an on-prem offering, it's a slightly degraded, you don't get quite all the good features and stuff. If it's an on-prem company and they move to cloud, it's really not quite the same. So our premise in working with our customers was hey, we should be out of that conversation. It's not our job to dictate where or how you want to consume that technology. We should provide you the option, the same stack. You know, if you consume our SaaS service, you know, from us, we host and manage it. If you want to deploy it, you should get the same capabilities, right? So it really is uh kind of agnostic deploy anywhere. We, of course, will give guidance, advice, you know, we will uh consult as to the best models. But if you decide that the right thing for you is to consume that software in a deploy anywhere model on a submarine in an air gap network in your own data center, if you want physical, you know, server-to-server reliability and redundancy, if you want cloud to uh, you know, whatever, the the connotations, the matrix is never-ending, then we should provide you that choice. So it was really a conscious effort by us to remove ourselves from that conversation, Evan, and say, as a vendor, we should not be dictating how you consume and how you get value from our technology. We should give you that choice and ensure that however you consume it, you get the same value, you get the same benefit, you get the same capability.
SPEAKER_00: Amazing. So identity-based attacks are evolving fast. I just had one today that was the most sophisticated I've ever seen with a corporate uh website, a corporate email, professional sounding, um fake social profiles, fake website. I mean, it was I almost fell for it. So, but what are the most advanced threats you're seeing beyond the traditional phishing uh so far?
SPEAKER_01: Yeah, I mean, it's a little bit crazy. Uh, it's kind of scary and exciting all at the same time. And I need to qualify that, right? So it's exciting because the pace of technology is exponential. You know, we are going faster and faster and faster. I have never seen the technology evolve at the speed that it is today. Um, so that's you know, crazy good, but also crazy bad. And so what we generally see is, you know, for the longest time, the login credential was the soft point, right? We all know humans are the problem. If we could just get rid of all of the humans, like security would be easy. Apparently, I'm not allowed to do that. So, you know, we have to live with them. Um, but now it's moved beyond that, right? We introduced FIDO-based credentials, passkeys, things like that. We introduced strong, uh, non-phishable or phishing resistant credentials. So, what does a bad guy do? If you put a really big lock on the front door, he goes around the back and breaks in the window that you forgot to leave open. So we're seeing incredible diversity in the attack. Some of the more advanced things are things like not targeting the login, but targeting the session. So, session and token, right? O authors are compromised. If I if it's too difficult for me to compromise your uh your phishing resistant token, then let me attack you that way. We're seeing things like help desk bypass, right? Social engineering, um, help desks. Look at every headline for the last 12 months. Uh, there's at least a billion dollars in damages through help desk compromise. Uh, that in itself, right? We're seeing more advanced threats. So a new one that's particularly interesting is the uh AITM or adversary in the middle attack, which is similar to the one that you described. So, you know, I put up a really compelling, really convincing facade. You log into me with your credentials, I log into the real website, and I'm hijacking your credentials. So security working as designed, right?
Without session controls, without, you know, uh location-based, you know, very, very difficult. So, you know, I guess what I'm saying is we've blocked the primary entry point pretty effectively with the login credential. So now cyber adversaries are surrounding the house and looking for every open window, every crack, everything to log in. We're seeing it become more and more sophisticated with tools like AI. I mean, you know, I I don't have to be clever enough to mount a phishing campaign anymore. I can just tell AI to do it for me. It's getting pretty good at it. So a little bit scary.
SPEAKER_00: Scary indeed. And the good news is most organizations aren't complacent anymore. But do you think many are still underestimating risk when it comes to identity as as you as this new attack surface?
Why Identity Risk Still Gets Missed
SPEAKER_01: 100%. Um, you know, it's uh identity uh is the number one attack surface. I mean, you can go read, you know, look at your Verizon data read surface, look at your IBM survey, whatever survey of choice, right? Let's just, you know, average them all out and say roughly 80% of all attacks are identity or credential based. Um so identity is the number one attack vector. How they're getting in, phishing bypass, you know, whatever, all of the different types of attacks, they're all different. But I think because it's moving so fast, organizations are dramatically uh underestimating or not keeping pace. Some may be aware of the problem, but they haven't, you know, got a plan in place or technology in place to uh solve it. The reason I know that, unfortunately, Evan, is because every time I wake up and I read the headlines, I see another major compromise, I see another major breach. Um, you know, and eight out of ten times it's identity-based. So unfortunately, the evidence, the data speaks for itself. Um on the bright side, I do see that as an industry, we're getting better at collaborating, we're getting better at adopting standards. FIDO was a great example of that. So there is light, you know, there is there is positive, but right now it's definitely a very high threat, very high risk landscape. And every organization, I don't just build the products for RSA, I also look after the IT for RSA. So I'm a CIO and you know, have to have that role in it within RSA as well. Um, and I'm very, very conscious of what we as a company are doing, right? What our controls are, what our protections are. Um, it's challenging, it's a challenging time.
SPEAKER_00: Indeed. And I see RSA Security is expanding its partnership with Microsoft. Um, talk about uh Microsoft's agentic vision and what does that unlock in terms of uh new opportunities and and uh authentication.
RSA And Microsoft Partnership Strategy
SPEAKER_01: Yeah, I mean, we really love a partnership with Microsoft, and it's very uh two ways, very bi-directional, which you know isn't always the case with you know one extremely large vendor and and one that's you know uh a hundred times smaller. But I would say we bring specialized skills to the party. They bring scale and breadth and resources than you know than Microsoft, right? So um, you know, for us, what we've really found is there's a one plus one equals two type relationship where Microsoft is really developing and doing a great job of introducing capabilities, particularly in their security stack, right? We see a lot more Entra, Sentinel, Purview, Defender. The Microsoft security suite is becoming really good, really, really strong. Um, but they don't cover every use case. A good example would be in the in the past, yet would be around passwordless. So we do passwordless on every machine across every operating system. Microsoft doesn't always necessarily do that, right? They don't cover Macs, they don't cover Chromebooks, et cetera, et cetera. Um, you know, that's where a partner like us can take that, you know, core foundation of Microsoft security capabilities and expand it to whatever is in your enterprise. Uh, we also obviously have a legacy of 40-year history. Uh, we're 40 some odd years young, you know, we we deny our real age, but you know, we've been working on mainframes and Unix systems and legacy infrastructure. We've been working in network systems, um, you know, all of those things that are outside of the traditional Microsoft ecosystem. We have connectors, we have agents, we have skills, we have knowledge, we have experience. Uh, so we're able to bring those specialist skills to Microsoft. Now, Microsoft is obviously, you know, really pushing on the AI side, particularly the agentic side. We were a launch partner uh with Microsoft.
And if you look at everything they've announced in the security space over the last two or three years, you'll see consistently RSA has been a launch partner with them. We were actually one of the first that built an Agentic agent for RSA, feeding data into the Sentinel Data Lake and perusing all of the data in the Sentinel Data Lake looking for threats. Um that's using our specialist knowledge to enhance and expand the capabilities of the Microsoft ecosystem.
SPEAKER_00: Wonderful. Uh, of course, autonomous agents and agentic is the topic of the day. I've personally got in my little business three agents working as we speak. In the background here, it really is uh game-changing for so many businesses. But uh, what does it mean for security and securing with these these machine identities?
SPEAKER_01: Yeah, I mean, it's really interesting. And I think uh it it's been it's been the wild, wild west for the last 12 months, right? Because this is a technology that's just moving so fast. So, you know, what I would always say to people is just get this, get the basic core principles in your head, right? So an agentic agent is just like a little mini worker that can go off and do stuff, right? And maybe it's uh, you know, one in your environment that you created, uh, maybe that's one that's coming from outside, right? Every application, you know, every time I look, there's another, you know, there's another AI announcement from an application, you know, and and they now have their AI and their identity agents and so on and so forth. So they're really just uh identities. And and we really need to think of the world in two colors or two flavors. There are human identities and there are non-human identities. Now, when I break down non-human identities, there's uh you know, machine identities, there's service accounts, and of course, there's agentic agents. But the problem that we want to solve, I mean, it's the same problem no matter what type of an identity is. We want to be able to inventory or catalog all of the agents. You say you have three, that probably puts you ahead of most people in the world, and then you know how many agents are running around in your enterprise. Are there really three though? Can you be sure there's not, you know, one of them didn't invite a friend over, you don't have a fourth one that you don't know about, right? So inventory catalog, right? That's critical. We have to know what we're trying to secure. And then we want to treat it like any other identity. We want to give it an identity, we want to authenticate it, we want to authorize it, we want to govern it, right? We want to provision it, deprovision it, give it entitlements.
Yes, it's a thing, and yes, that thing has inherited permissions, usually from me or you, uh, or maybe from an application, but it should have some boundaries, it should have some entitlements, things it's allowed to do, not allowed to do. It shouldn't be forced to prove it is who it says it is, right? It should be forced to authenticate. So that's how I always tell people to think about it, right? Just understand it's an identity, and the same core problems that you're trying to solve with any identity, you need to apply to agentic.
SPEAKER_00: So well said. So let's talk passwordless. It's uh, you know, such an exciting opportunity. Personally, I would love to see it, but it's it's kind of been next year's priority for a while for many organizations. What's holding some people back?
Securing Agentic And Machine Identities
SPEAKER_01: Okay, so so I would say not anymore. Um, I would say it was it was one of those uh problems that we had a little bit of failure to launch as an industry, or you know, passwords have been around forever, we all know they're bad, right? We've been talking about it for a very long time. I honestly truly believe that uh, you know, the next couple of years, maybe one to three years, is when passwordless becomes real in the enterprise. Now, the challenge is you know, enterprises need to commit and they need to understand that passwordless is a journey. I wish we could provide them a big red button that they could just press and pay press over passwordless. It doesn't work like that, but there's an awful lot of low-hanging fruit in the passwordless journey. You know, there's a lot of capabilities with standards-based credentials, FIDOs, passwords, things like that, that are enabling that journey. So usually the biggest barrier to an enterprise really achieving or beginning or progressing on their passwordless journey is really one of like not knowing where to start, right? It's like, how do I how do I tackle this, right? And it's the same answer for how do I eat an elephant? And the answer is one bite at a time, right? You know, we we always give the same advice. One, you know, do an honest, open survey, establish where you are, what's your baseline, right? How many passwords do you have? What technology are you using? What does this thing that we're trying to solve look like, right? Two, make a plan, have a strategy, uh, decide what's important. Is it really, really important to you know, protect the secret data, you know, data store that has, you know, the secret recipe to Coke in it? Or is it more important to protect uh you know the vacation booking system? Right? Companies know this stuff. They've been doing data classification, they know where their assets are, they know what the value of those assets are. So define a plan, right? And then get it started.
Uh obviously the goal is no passwords, passwordless, the clue is in the name. Um but removing passwords and fewer passwords is also reducing your risk. So it's not the solution, and you shouldn't go, hey, I got rid of 10% of all of our passwords, right now, passwordless. But you should take the credit for having 10% less of a risk surface. So it's a journey, and I think the biggest barrier is for people is you know, where to start. And so I always say speak to, you know, an advisor, a vendor, speak to another customer, speak to some other company that's on this journey, right? Collaborate. We all do this together. Figure out where you are, make a plan and start knocking them off. Once you get started, it gets pretty easy to accelerate that journey.
SPEAKER_00: Brilliant. Well said. So if we were to fast forward to RSAC 2027 or RSAC 2028, where would you hope the vision of the industry would be for identity security? Any predictions you can offer or desires, best wishes?
Passwordless Adoption As A Journey
Future Outlook And Closing Thanks
SPEAKER_01: Yeah, I mean, you know, that's a that's actually a really hard question because, you know, the horizon is so much closer than it used to be. You know, we used to think of long-term strategic planning or vision type stuff as being, you know, five to ten years out, right? Then maybe three to five, right? Well, with the speed of change, but the way things are happening, particularly with AI technology today, I think long-term planning is six months, 12 months at a push. You know, it really is moving that fast. So, you know, where will we be in in 12 months? We'll be in a dramatically different place. I think uh there'll be a lot more capability around AI and agentic, and I hope that we will have just either extended uh or added the capability to deal with all identities, right? Uh, no matter what. I hope that we will have dealt with things like the reliability, the resilience. You know, there are some fairly weak and critical points of failure in the system today, if you kind of step back and look at it. You know, one missile to the wrong data center takes down the financial infrastructure of a country. That's not a good position to be in. We need to be better than that. Um, so I think you'll see a lot of that, but then I think, you know, slightly less exciting, slightly closer to the ground. I am really, really honestly positively encouraged with the momentum in cyber and particularly identity over the last five years. As the problem has accelerated, so is our understanding. So is our, you know, we became the center of the conversation. We're getting attention, we're getting resources, we're getting conversation. That's how you solve things, right? You don't solve a problem by ignoring it, you solve it by really focusing on it. So I'm super encouraged by that. So I think basic things like passwordless, I think there will be a blueprint for solving passwordless.
I think identity governance or who has access to what, I think that will essentially be almost an AI-driven function and will be ubiquitous across enterprises. Not just the domain of the Fortune 1000, right? Because it's complicated. I see that technology coming to small to medium-sized enterprises as well. No one else. It's very encouraging. Uh, you know, the solution is, you know, I won't say always, but certainly on some days we're keeping pace with the problem. You know, it's it's a it's an arms race, um, but we're certainly not falling behind. So that is encouraging.
SPEAKER_00: Well, on that very positive and optimistic note, which I love. Thank you so much for sharing your insights as always, uh, so unique and timely. And look forward to keeping in touch as this evolves, Jim.
SPEAKER_01: Yeah, absolutely. And and thank you so much for everything that you do, Evan. It's always a pleasure to spend a little time with you. I love and enjoy our chat.
SPEAKER_00: Thank you. And thanks everyone for listening, watching, sharing this episode. And be sure to check out our TV show, techimpact.tv on Bloomberg Television and Fox Business. Thanks, everyone. Thanks, Jim. Thanks, Evan.