And we're here at EIC 2024 discussing the future of identity. And who better to discuss the future of identity than the CEO and founder of EmpowerID? Patrick Parker. Welcome.
Thank you. Thank you for having me here. It's a pleasure.
So I guess the standard kickoff question is, in your vast experience in identity and access management, what is the one innovation in identity that you think has had or will have the biggest impact on identity in the future?
I think honestly, this year, I can say wholeheartedly that there has been a inflection point, that last year we were getting the inklings, that something had happened in the world of AI, and it was going to have big implications. And now we've had a year to digest that, to get our feet wet, to learn it. And now, completely, I see that the AI LLM revolution will redesign software and even society entirely. So in my whole history of my career, I haven't seen anything as big as this.
Okay. Well, so to ask you specifically a question about LLMs, I would say, how do you see the integration of LLMs as autonomous agents revolutionizing identity governance and administration, specifically?
Once I realize the implications from a software perspective, you really have to rethink the application from a completely different paradigm. Today's applications, you have static user interfaces with buttons, with data that click, and they call functions. And those functions may be micro services on the back, and they may be what we used to call agile. In the new world, all of those different capabilities that your APIs could perform, creating identities, assessing risk, adding users to roles. Those will be deconstructed into tools. And now the user interface will be a conversational user interface. It'll be a chat interface. And instead of designing static user interfaces or even what we're considered dynamic low code processes, you will be providing those tools to the LLM agent, the user will query to ask it to accomplish a task. It will plan, given the tools it has access to, which of those tools to use, in which sequence to accomplish a task like onboarding a user, like assessing a risk. And then you'll have lots and lots of autonomous agents performing specific mission focused tasks like looking for risk, reducing risk, optimizing risk, recertifying access, and all constantly crawling through all your data and events and each one with a singular purpose. So it's really deconstructing the whole way we do software.
Okay. So now what are the implications for business operations on the one hand and security on the other? Because there's always this delicate balance, isn't there, between keeping the business running, keeping people happy, onboarding and so on. And then you've just got to take care of security along the way.
It will, it will. From a business operations perspective it will allow... they say it'll allow small startups to have the same impact and power as large global corporations.
Okay, wow.
Which will completely tilt the landscape and make small companies with bright ideas competitive within completely global infrastructure, because you'll be able to have thousands of agents performing these tasks under the direction of very few humans. Now, the challenge from that, from a security perspective is in a static process or static applications, you could easily understand via roles, Who should see this page, who should be able to click the button to approve a purchase order? It was very concrete, very RBAC friendly. In this new dynamic phase where everything is just a tool that could be reassembled at any time, you're going to have to implement fine grained, external dynamic authorization, because you're going to have to say, if this user asked it to do something when it looks at the tools, does that user actually have access to the tool that it needs to perform the action, and then, let's say, it's to terminate on an identity. Coarse grained, can it terminate an identity? Fine grained, can it terminate the CEO's identity? So you're going to have to embed this external authorization into these dynamically one time assembled processes, which is a whole new challenge for us.
Yeah. So but I guess basically one of the arguments around AI though, is as the complexity increases, the AI capabilities are increasing. So what's your outlook in terms of like the balance between these? Is the AI developmental maturity going to be able to keep pace with the added complexity that we're getting? Because it just seems to be more and more every day.
I think the AI capabilities will increase faster. Our ability to understand how to direct it and what it is doing will not increase as quickly.
Okay.
There's a lag there.
Well, that's always been the way, isn't it? But, sort of theoretically speaking. Then when do you see these kinds of facilitation from AI coming to, you know, coming into reality, becoming part of business as usual, where people are just using LLMs in their identity in the context of identity, wouldn’t do you expect that to be...?
It'll be common. You'll have whole departments where you have silicon employees, where maybe 80% of the workforce are non-human agents, and 20% are human carbon based that are driving, you know, that human in the middle process, verifying, instructing. But a lot of the work is going to be done by non-human employees. So it will make small companies seem larger. And then we'll have to see what the impacts are on employment overall, that’s some scary thoughts there.
Okay. Maybe we'll get if we have time we can get into those. But that's the long term vision. The question is really what sort of time frame do you envisage? I mean is that something we're going to be seeing next year, next two years? Five years? You know, how soon can we expect this to become commonplace?
I would say any software organization that wants to be around in five years is furiously rewriting or starting from scratch on rethinking their software. So I would say the major impact will be in the next 1 to 3 years.
Okay. So that's relatively soon.
Very short time.
So if people, if organizations aren’t sort of thinking along those lines and starting to gear up for that, they should be?
Yeah, governance wise. So organizations should not try to keep AI out because the users are never going to want to write their own documents and all those tasks they become too accustomed to not having AI do that for them. So instead of having shadow AI, you're going to have to try to give them a channel where they can have properly governed enterprise AI. So they have the capabilities, but you have some oversight and governance about where the data goes, you know, how the data is getting shared, how it's getting used to train the model. So you definitely want to provide a enterprise AI facility where you can start formulating a team, how we're going to govern it, how we're going to secure it, and continuously just, it's going to be a learning experience for everyone. Yeah.
So okay, this is a huge topic, but I just wondered whether there were any other digital identity innovations that you were excited about, that are perhaps complimentary to AI?
I'd say verifiable credentials in the wallet because as soon as you have these non-human entities, some of them will act as a digital twin, your assistant that is acting on your behalf. And it will need to independently have authorization to perform actions that you’re allowed to perform. So it's kind of like almost like you have, a conservatorship over its wallet and lending it the verifiable credentials that it can then present to do tasks. But then you have these completely independent autonomous agents, the silicon workers, or the just these mission focused bots, that they will need an identity and they will need verifiable credentials or something transportable, something real time, something that doesn't point back to a central IGA system, the phone home. It's going to have to be disconnected offline, real time and visible and transparent. So I see it. This is going to drive a lot of the adoption of verifiable credentials and wallets.
I think a lot of people would find it sort of scary that there are things that are acting on their behalf. But I know that you already use this within your own company. I mean, I how do you feel about the adoption, I mean, are people within your organization comfortable with it?
They'll only feel comfortable if you have good controls and guardrails and you clearly know the boundaries of what you've authorized it to do or to spend [...] and not. So I mean, and until they feel confident of that and we've developed that, then everyone's going to feel like it's a little bit out of control.
So for years now we've been saying, okay, multi-factor authentication was all about that. But do you see in terms of technological development, what will surpass MFA? What's kind of like, in your view, going to be a better plan?
I'd say we're going to do I mean, in a sense, it's never going away. And it just seems to be getting more important. Some form of PKI will be the underpinning for these identities, and then you'll be adding on the signals, the AI, the behavioral analytics, the, you know, all the context around of verifying that identity and to try to prove not liveness anymore because it's not live, but just authenticity.
Okay. So, you know, to wrap up then, what advice would you be giving, or are you giving organizations who are saying, well, you know, there's this whole new world happening, Patrick, what do we do? What do we do first? What are the things that we've got to have in place? Just make sure that we're not left behind.
From an organizational perspective, I would form a cross collaborative team, a working group that is starting to meet to learn the technologies, to get educated, to do small pilots, to do POCs, to see what looks risky, what can we control, what can we not control, and to form the policies, you know, that the organization is going to follow. And then from an individual perspective, I say we all take a deep dive into it, because when certain things click in your brain, and then you're looking on the other side of the looking glass, then you will think differently about almost everything you do when you really understand what it means. Because, I mean, and it's hard to explain, but it's like a paradigm shift. Once it happens, you see everything very differently.
And then we wonder how we ever managed before, like with many other things like digital devices. I mean, how have we ever managed before?
Probably poorly. I mean, if you look at drug discovery, the ability to generate novel drugs and test them, instead of like in a three year cycle, in a 30 day cycle, at some point, it'll seem like the days before we developed penicillin. We’ll wonder, you know, people lived hard lives back then. Hopefully, as long as we don't see the bad side.
Well, it sounds like the future of identity is bright and exciting and, in capable hands like yourself. Thank you so much for joining us today, Patrick Parker.
Thank you. Has been a pleasure. Thank you very much.
