Episode 178 - GluuFederation/identerati-office-hours GitHub Wiki

Title: Who Governs the Bots?

Channels

Description

Enterprises and institutions now operate vast ecosystems of non-human identities: service accounts, APIs, RPA bots, and increasingly, autonomous AI agents. These entities move money, access sensitive data, and make operational decisions at machine speed, yet oversight models still assume humans are the primary actors. What does it mean to govern non-human identity? Who is accountable when software acts? What must be governed beyond credentials (behavior, permissions, data usage, and decision authority)? And why aren't compliance checklists alone enough to manage real-time operational risk? The discussion will address the expanding attack surface created by machine-to-machine trust, the limits of "AI will manage it" thinking, and how enterprises can design scalable governance architectures that keep automation fast while keeping risk, auditability, and accountability firmly under human control.

Homework

Takeaways

  • ⚡ CEOs are under-informed while risk is compounding fast and product opportunities are slipping away.

  • ⚡ Compliance frameworks are obsolete for agentic systems. Audits (SOC 2, ISO) validate point-in-time correctness. Traditional compliance gives you no indication that your business is safe.

  • ⚡ Identity-centric governance is breaking under scale and ephemerality. Identity is important for accountability. But it should not be the starting point to organize your enterprise defense.

  • ⚡ Organizations still struggle with basic visibility, and agentic systems amplify this gap. If enterprises have no organizing principle for cybersecurity governance, vendors will continue to sell them fragmented tools whose opportunity costs dwarf their sticker price.

Livestream Audio Archive

here