The Resilience Mandate in AI Security

Mirko Peters | Podcasts


1
00:00:00,000 –> 00:00:02,960
Most organizations think security is a checklist: MFA,

2
00:00:02,960 –> 00:00:06,680
EDR, a pile of policies, and a dashboard that’s mostly green.

3
00:00:06,680 –> 00:00:09,560
That setup feels like control, it isn’t, it’s coverage,

4
00:00:09,560 –> 00:00:11,360
and coverage doesn’t equal resilience.

5
00:00:11,360 –> 00:00:14,640
This episode is about the uncomfortable shift leaders have to make,

6
00:00:14,640 –> 00:00:16,840
from buying controls to designing trust

7
00:00:16,840 –> 00:00:19,040
and from chasing no incidents to engineering,

8
00:00:19,040 –> 00:00:21,000
fast containment and recovery.

9
00:00:21,000 –> 00:00:23,080
We’ll anchor it in three Microsoft realities,

10
00:00:23,080 –> 00:00:25,560
Entra governance and identity threat detection,

11
00:00:25,560 –> 00:00:27,400
continuous access evaluation,

12
00:00:27,400 –> 00:00:29,960
and Defender signals routed into ServiceNow,

13
00:00:29,960 –> 00:00:33,480
because the goal is decision speed, not feature completeness.

14
00:00:33,480 –> 00:00:36,760
Why well-secured organizations still get breached.

15
00:00:36,760 –> 00:00:38,200
Here’s what most people miss.

16
00:00:38,200 –> 00:00:41,400
Breaches don’t happen because an organization forgot to buy a product.

17
00:00:41,400 –> 00:00:44,600
They happen because the organization never updated its trust model.

18
00:00:44,600 –> 00:00:46,680
Security teams deploy controls.

19
00:00:46,680 –> 00:00:50,200
The business keeps operating on assumptions that were true 10 years ago,

20
00:00:50,200 –> 00:00:53,600
that the network is a boundary, that authentication is a finish line,

21
00:00:53,600 –> 00:00:55,440
that permissions represent intent,

22
00:00:55,440 –> 00:00:58,000
and that alerts are the same thing as response.

23
00:00:58,000 –> 00:01:01,440
Those assumptions don’t fail loudly, they decay quietly.

24
00:01:01,440 –> 00:01:03,240
And attackers don’t need to break in anymore.

25
00:01:03,240 –> 00:01:05,160
They walk the pathways you already built.

26
00:01:05,160 –> 00:01:07,480
A modern breach story usually starts with identity,

27
00:01:07,480 –> 00:01:10,200
not because identity is weak, but because identity is everywhere.

28
00:01:10,200 –> 00:01:13,520
Cloud, SaaS, APIs, automation, contractors, service accounts,

29
00:01:13,520 –> 00:01:15,680
and now agents, identity isn’t the directory,

30
00:01:15,680 –> 00:01:17,640
it’s the control plane, that distinction matters

31
00:01:17,640 –> 00:01:21,200
because your control plane isn’t protected by the existence of controls.

32
00:01:21,200 –> 00:01:24,320
It’s protected by whether those controls enforce your intent.

33
00:01:24,320 –> 00:01:28,080
Most well-secured environments are rich in prevention and poor in constraint.

34
00:01:28,080 –> 00:01:31,320
You see it in the gap between authentication and authorization.

35
00:01:31,320 –> 00:01:34,760
They might have phishing-resistant MFA and still have reckless entitlements.

36
00:01:34,760 –> 00:01:36,720
They might have conditional access policies

37
00:01:36,720 –> 00:01:39,680
and still allow broad access packages that never expire.

38
00:01:39,680 –> 00:01:41,360
They might have privileged access tooling

39
00:01:41,360 –> 00:01:42,800
and still tolerate standing power

40
00:01:42,800 –> 00:01:45,320
because approvals are slow and exceptions are easier.

41
00:01:45,320 –> 00:01:46,600
Attackers understand this.

42
00:01:46,600 –> 00:01:50,360
They don’t fight your MFA head-on if they can steal a token after the MFA challenge.

43
00:01:50,360 –> 00:01:52,320
They don’t brute force a firewall

44
00:01:52,320 –> 00:01:55,560
if they can use a perfectly valid identity to call an API.

45
00:01:55,560 –> 00:01:57,720
They don’t need to exploit a vulnerability

46
00:01:57,720 –> 00:02:00,880
if the environment already grants the privileges that do the damage.

47
00:02:00,880 –> 00:02:02,760
So when leaders ask, “How did this happen?”

48
00:02:02,760 –> 00:02:04,080
We had everything turned on.

49
00:02:04,080 –> 00:02:07,560
The correct answer is, “You had controls, but you didn’t have enforced trust.”

50
00:02:07,560 –> 00:02:09,400
Then there’s the green dashboard problem.

51
00:02:09,400 –> 00:02:12,520
Dashboards show deployment state, not risk reality.

52
00:02:12,520 –> 00:02:15,000
We enabled feature X is not the same as feature X

53
00:02:15,000 –> 00:02:17,040
is constraining the right pathways.

54
00:02:17,040 –> 00:02:18,640
A tenant can show high compliance

55
00:02:18,640 –> 00:02:21,040
while still carrying structural exposure.

56
00:02:21,040 –> 00:02:23,800
Dormant accounts, stale guest access,

57
00:02:23,800 –> 00:02:25,560
over-permissioned applications,

58
00:02:25,560 –> 00:02:27,480
service principals with broad rights

59
00:02:27,480 –> 00:02:30,200
and exception policies that never die.

60
00:02:30,200 –> 00:02:32,440
Controls drift because organizations drift.

61
00:02:32,440 –> 00:02:35,800
Entitlements accumulate, policy exceptions become permanent

62
00:02:35,800 –> 00:02:37,280
and the system keeps working,

63
00:02:37,280 –> 00:02:39,400
which is exactly why the risk stays invisible.

64
00:02:39,400 –> 00:02:41,160
This is why compliance isn’t the finish line.

65
00:02:41,160 –> 00:02:44,880
It’s a snapshot and snapshots don’t stop moving systems from eroding.

66
00:02:44,880 –> 00:02:47,120
A breach in that sense is not a moral failure.

67
00:02:47,120 –> 00:02:48,680
It’s system behavior.

68
00:02:48,680 –> 00:02:50,240
Systems optimize for throughput.

69
00:02:50,240 –> 00:02:52,000
People optimize for getting work done.

70
00:02:52,000 –> 00:02:54,480
Security teams optimize for what they can measure.

71
00:02:54,480 –> 00:02:57,160
If the organization measures how many controls are deployed,

72
00:02:57,160 –> 00:02:58,600
it will get deployed controls.

73
00:02:58,600 –> 00:03:02,000
If it measures how fast can we contain identity-driven incidents

74
00:03:02,000 –> 00:03:04,920
end to end, it will build the ability to contain them.

75
00:03:04,920 –> 00:03:08,080
That is the difference between prevention theater and resilience.

76
00:03:08,080 –> 00:03:09,480
And AI doesn’t make this easier.

77
00:03:09,480 –> 00:03:10,440
It makes it faster.

78
00:03:10,440 –> 00:03:13,680
AI amplifies the speed of both offense and defense.

79
00:03:13,680 –> 00:03:15,600
It reduces the cost of generating phishing,

80
00:03:15,600 –> 00:03:17,600
social engineering and automation.

81
00:03:17,600 –> 00:03:20,200
But it also reduces the cost of correlating signals

82
00:03:20,200 –> 00:03:22,520
summarizing incidents and orchestrating response

83
00:03:22,520 –> 00:03:24,760
if you design the system to act on those signals.

84
00:03:24,760 –> 00:03:27,880
And if you don’t, AI just accelerates your alert volume.

85
00:03:27,880 –> 00:03:30,320
You end up with higher telemetry, more noise

86
00:03:30,320 –> 00:03:31,920
and the same decision latency.

87
00:03:31,920 –> 00:03:32,920
That is not progress.

88
00:03:32,920 –> 00:03:34,240
That is expensive confusion.

89
00:03:34,240 –> 00:03:38,160
So what does well-secured but still breached look like in executive terms?

90
00:03:38,160 –> 00:03:42,000
It looks like an organization that can detect but can’t decide.

91
00:03:42,000 –> 00:03:45,480
Or can decide but can’t enforce or can enforce but can’t recover quickly.

92
00:03:45,480 –> 00:03:46,800
Each handoff adds time.

93
00:03:46,800 –> 00:03:48,520
Each manual step adds delay.

94
00:03:48,520 –> 00:03:50,040
Each exception adds ambiguity.

95
00:03:50,040 –> 00:03:52,720
Over time you don’t have a deterministic security model anymore.

96
00:03:52,720 –> 00:03:53,960
You have conditional chaos.

97
00:03:53,960 –> 00:03:56,440
And that’s why organizations still get breached.

98
00:03:56,440 –> 00:03:58,000
Not because they lacked tools.

99
00:03:58,000 –> 00:04:01,200
Because the trust system was never engineered as a closed loop.

100
00:04:01,200 –> 00:04:04,440
Identity signals into policy decisions, decisions into enforcement,

101
00:04:04,440 –> 00:04:08,040
enforcement into response, response into recovery and recovery into learning.

102
00:04:08,040 –> 00:04:12,840
Without that loop, every control is just a static gate on a dynamic highway.

103
00:04:12,840 –> 00:04:14,280
Redefining success.

104
00:04:14,280 –> 00:04:16,880
From prevention fantasy to resilience discipline,

105
00:04:16,880 –> 00:04:20,360
leaders keep getting trapped by a definition of success that sounds reasonable

106
00:04:20,360 –> 00:04:22,160
but collapses in practice.

107
00:04:22,160 –> 00:04:23,600
Fewer incidents.

108
00:04:23,600 –> 00:04:24,480
It’s a nice headline.

109
00:04:24,480 –> 00:04:25,720
It’s also not a strategy.

110
00:04:25,720 –> 00:04:26,600
Prevention matters.

111
00:04:26,600 –> 00:04:28,800
Nobody is arguing for neglect.

112
00:04:28,800 –> 00:04:30,600
But prevention is probability management.

113
00:04:30,600 –> 00:04:32,640
It reduces the likelihood of an incident.

114
00:04:32,640 –> 00:04:34,720
Resilience is impact management.

115
00:04:34,720 –> 00:04:36,680
It reduces the cost, the downtime,

116
00:04:36,680 –> 00:04:39,480
and the organizational confusion when the incident happens anyway.

117
00:04:39,480 –> 00:04:42,400
That distinction matters because probability is never zero

118
00:04:42,400 –> 00:04:45,040
and the business still has to operate while you’re cleaning up.

119
00:04:45,040 –> 00:04:48,760
The uncomfortable truth is that the goal is not no breaches.

120
00:04:48,760 –> 00:04:50,240
The goal is bounded failure.

121
00:04:50,240 –> 00:04:53,240
Bounded failure means the system anticipates compromise

122
00:04:53,240 –> 00:04:55,400
and limits what a compromised identity can do,

123
00:04:55,400 –> 00:04:58,080
how far it can move and how long it can persist.

124
00:04:58,080 –> 00:05:00,800
It treats incidents as inevitable system states,

125
00:05:00,800 –> 00:05:03,040
not unexpected moral violations.

126
00:05:03,040 –> 00:05:07,040
And it builds the muscle to contain those states quickly and repeatedly.

127
00:05:07,040 –> 00:05:08,960
This is where security programs get honest.

128
00:05:08,960 –> 00:05:11,320
A prevention first program tends to behave like this.

129
00:05:11,320 –> 00:05:13,840
Deploy more controls, tighten policies, increase friction,

130
00:05:13,840 –> 00:05:15,400
and hope the incident curve goes down.

131
00:05:15,400 –> 00:05:16,480
Sometimes it does.

132
00:05:16,480 –> 00:05:18,440
But the second order effect shows up later.

133
00:05:18,440 –> 00:05:20,920
The business finds workarounds, the exceptions pile up,

134
00:05:20,920 –> 00:05:23,040
and security becomes a queue.

135
00:05:23,040 –> 00:05:25,200
You’ve improved security in the dashboard sense

136
00:05:25,200 –> 00:05:28,080
while increasing organizational entropy in the real sense.

137
00:05:28,080 –> 00:05:30,440
A resilience first program behaves differently.

138
00:05:30,440 –> 00:05:33,200
It assumes compromise, designs for rapid revocation,

139
00:05:33,200 –> 00:05:35,880
reduces standing privilege, automates containment steps,

140
00:05:35,880 –> 00:05:37,520
and rehearses decision making.

141
00:05:37,520 –> 00:05:39,280
It doesn’t chase perfect defense.

142
00:05:39,280 –> 00:05:40,720
It builds repeatable recovery.

143
00:05:40,720 –> 00:05:42,560
If you want board-facing language for this,

144
00:05:42,560 –> 00:05:43,960
don’t talk about products.

145
00:05:43,960 –> 00:05:45,080
Talk about three outcomes.

146
00:05:45,080 –> 00:05:48,040
Continuity, trust preservation, and decision speed.

147
00:05:48,040 –> 00:05:49,480
Continuity is obvious.

148
00:05:49,480 –> 00:05:50,840
Can the business keep operating?

149
00:05:50,840 –> 00:05:53,480
Or does an identity incident turn into a multi-day outage

150
00:05:53,480 –> 00:05:55,440
because nobody can tell what access is safe?

151
00:05:55,440 –> 00:05:57,920
Trust preservation is less obvious, but more expensive.

152
00:05:57,920 –> 00:05:59,720
Can customers, partners, and regulators

153
00:05:59,720 –> 00:06:01,840
believe you’re in control during the incident?

154
00:06:01,840 –> 00:06:04,600
Or does the story become, we didn’t know what we had,

155
00:06:04,600 –> 00:06:06,520
so we shut everything down?

156
00:06:06,520 –> 00:06:08,760
Decision speed is the actual multiplier.

157
00:06:08,760 –> 00:06:11,280
How fast can the organization detect, decide,

158
00:06:11,280 –> 00:06:14,440
and enforce, end to end without a dozen handoffs and three committees?

159
00:06:14,440 –> 00:06:16,520
This is why MTTR is not SOC trivia.

160
00:06:16,520 –> 00:06:18,480
It’s executive telemetry.

161
00:06:18,480 –> 00:06:21,680
Mean time to respond or recover depending on how you define it

162
00:06:21,680 –> 00:06:23,400
turns an abstract security posture

163
00:06:23,400 –> 00:06:25,440
into a measurable operating capability.

164
00:06:25,440 –> 00:06:27,320
It forces the right conversations.

165
00:06:27,320 –> 00:06:29,480
Who has authority to disable an identity?

166
00:06:29,480 –> 00:06:31,720
Who can revoke access across critical apps?

167
00:06:31,720 –> 00:06:33,120
Which actions are automated?

168
00:06:33,120 –> 00:06:35,120
Which require approval and why?

169
00:06:35,120 –> 00:06:36,480
Where are the manual steps?

170
00:06:36,480 –> 00:06:39,920
And what risk are those steps supposedly managing?

171
00:06:39,920 –> 00:06:41,320
And it exposes the usual lie.

172
00:06:41,320 –> 00:06:42,760
We can respond quickly.

173
00:06:42,760 –> 00:06:44,800
Most organizations can respond quickly

174
00:06:44,800 –> 00:06:47,600
if the right person is awake, available, and empowered.

175
00:06:47,600 –> 00:06:50,040
That is not a capability, that is a dependency.

176
00:06:50,040 –> 00:06:52,600
Resilience discipline replaces heroics with design.

177
00:06:52,600 –> 00:06:55,280
It builds the response pathways before the incident.

178
00:06:55,280 –> 00:06:56,880
When everyone is calm and rational,

179
00:06:56,880 –> 00:06:58,560
instead of inventing them mid-breach

180
00:06:58,560 –> 00:07:00,880
when fear and politics take over.

181
00:07:00,880 –> 00:07:02,880
It also acknowledges a basic system law.

182
00:07:02,880 –> 00:07:05,000
Every manual handoff is a latency generator.

183
00:07:05,000 –> 00:07:07,200
Every exception is an ambiguity generator.

184
00:07:07,200 –> 00:07:09,120
Every ambiguity increases blast radius

185
00:07:09,120 –> 00:07:11,600
because people hesitate and attackers don’t.

186
00:07:11,600 –> 00:07:14,840
This is also where AI is either your advantage or your tax.

187
00:07:14,840 –> 00:07:16,760
If AI is only used to summarize alerts,

188
00:07:16,760 –> 00:07:18,920
you get prettier descriptions of the same delays.

189
00:07:18,920 –> 00:07:21,840
If AI is used to compress the detect to decide phase

190
00:07:21,840 –> 00:07:24,880
and trigger auditable, reversible containment actions,

191
00:07:24,880 –> 00:07:27,480
then you get something that looks like real resilience.

192
00:07:27,480 –> 00:07:30,040
Less time spent arguing about what’s happening,

193
00:07:30,040 –> 00:07:32,160
more time spent making it stop.

194
00:07:32,160 –> 00:07:34,080
So success needs a different definition.

195
00:07:34,080 –> 00:07:36,520
Success is not, we didn’t have incidents this quarter.

196
00:07:36,520 –> 00:07:39,080
That’s weather, not engineering. Success is,

197
00:07:39,080 –> 00:07:41,800
when identity-driven incidents occur and they will,

198
00:07:41,800 –> 00:07:43,680
the organization contains them in business time

199
00:07:43,680 –> 00:07:45,520
recovers without panic and learns

200
00:07:45,520 –> 00:07:47,320
without repeating the same failure mode.

201
00:07:47,320 –> 00:07:48,800
That’s resilience.

202
00:07:48,800 –> 00:07:50,680
And once you adopt that definition,

203
00:07:50,680 –> 00:07:52,520
the rest of the strategy becomes obvious.

204
00:07:52,520 –> 00:07:54,120
You stop chasing control coverage

205
00:07:54,120 –> 00:07:55,680
and start designing the trust system

206
00:07:55,680 –> 00:07:57,680
that controls are supposed to enforce.

207
00:07:57,680 –> 00:08:00,320
Identity is the control plane, not a directory.

208
00:08:00,320 –> 00:08:02,320
Most organizations still talk about identity

209
00:08:02,320 –> 00:08:04,840
like it’s a shared phone book, a place where users live,

210
00:08:04,840 –> 00:08:06,840
a place where groups live, a place you sync to,

211
00:08:06,840 –> 00:08:08,360
so Microsoft 365 works.

212
00:08:08,360 –> 00:08:09,800
That mental model is obsolete.

213
00:08:09,800 –> 00:08:11,240
Identity is not a directory.

214
00:08:11,240 –> 00:08:13,240
It is the control plane for the enterprise.

215
00:08:13,240 –> 00:08:14,960
It is the distributed decision engine

216
00:08:14,960 –> 00:08:16,720
that decides who can touch what,

217
00:08:16,720 –> 00:08:18,560
from where, using which device,

218
00:08:18,560 –> 00:08:21,360
under which conditions, with which level of confidence.

219
00:08:21,360 –> 00:08:23,040
Every time an employee opens a file,

220
00:08:23,040 –> 00:08:24,680
a workload calls an API,

221
00:08:24,680 –> 00:08:26,920
a contractor accesses a project site

222
00:08:26,920 –> 00:08:29,000
or an admin attempts a privileged action.

223
00:08:29,000 –> 00:08:30,920
The business is not logging in.

224
00:08:30,920 –> 00:08:33,400
The business is running an authorization decision.

225
00:08:33,400 –> 00:08:35,320
And the uncomfortable part is that the system

226
00:08:35,320 –> 00:08:37,000
makes those decisions continuously

227
00:08:37,000 –> 00:08:39,240
at scale across hundreds of services

228
00:08:39,240 –> 00:08:41,960
with a default posture that does not care about your intent.

229
00:08:41,960 –> 00:08:43,680
It cares about your configuration.

230
00:08:43,680 –> 00:08:46,360
This is why identity strategy is not an IT topic.

231
00:08:46,360 –> 00:08:47,880
It’s operational architecture.

232
00:08:47,880 –> 00:08:49,760
The control plane is where business workflows

233
00:08:49,760 –> 00:08:51,120
become enforceable rules.

234
00:08:51,120 –> 00:08:53,480
If you design it well, autonomy becomes safe.

235
00:08:53,480 –> 00:08:56,040
If you design it poorly, autonomy becomes an incident.

236
00:08:56,040 –> 00:08:58,360
But this is also why the network stopped being your boundary.

237
00:08:58,360 –> 00:08:59,840
Networks are still useful.

238
00:08:59,840 –> 00:09:02,600
They still matter for segmentation, routing, inspection,

239
00:09:02,600 –> 00:09:03,920
and reducing exposure.

240
00:09:03,920 –> 00:09:06,920
But they are no longer the thing that defines inside.

241
00:09:06,920 –> 00:09:09,640
Cloud and SaaS dissolved that assumption years ago.

242
00:09:09,640 –> 00:09:12,040
Users sit on unmanaged networks, devices

243
00:09:12,040 –> 00:09:14,280
roam, apps live outside your perimeter,

244
00:09:14,280 –> 00:09:17,240
and internal traffic often never touches your infrastructure.

245
00:09:17,240 –> 00:09:18,440
So trust moved.

246
00:09:18,440 –> 00:09:20,200
Not because Microsoft had a marketing moment,

247
00:09:20,200 –> 00:09:22,760
but because the architecture forced it to move.

248
00:09:22,760 –> 00:09:25,320
Trust now attaches to claims: who the subject is,

249
00:09:25,320 –> 00:09:26,520
what the device looks like,

250
00:09:26,520 –> 00:09:28,280
how risky the behavior appears,

251
00:09:28,280 –> 00:09:31,000
what the session is doing, and what the resource is.

252
00:09:31,000 –> 00:09:33,080
In NIST terms, every access flow becomes

253
00:09:33,080 –> 00:09:36,040
subject, policy decision, policy enforcement, resource.

254
00:09:36,040 –> 00:09:37,480
Leaders don’t need the diagram.

255
00:09:37,480 –> 00:09:38,760
They need the implication.

256
00:09:38,760 –> 00:09:41,480
Authorization is now the primary business risk surface.

257
00:09:41,480 –> 00:09:42,760
And that surface is huge.

258
00:09:42,760 –> 00:09:43,960
It’s humans, yes.

259
00:09:43,960 –> 00:09:45,960
But it’s also service principals,

260
00:09:45,960 –> 00:09:47,800
managed identities, automation accounts,

261
00:09:47,800 –> 00:09:49,320
connectors, third party apps,

262
00:09:49,320 –> 00:09:52,680
and increasingly AI agents that act on behalf of users.

263
00:09:52,680 –> 00:09:55,320
This is where the human machine blur becomes a governance problem,

264
00:09:55,320 –> 00:09:57,160
not a futuristic curiosity.

265
00:09:57,160 –> 00:09:59,560
Machine identities can outnumber humans dramatically

266
00:09:59,560 –> 00:10:00,840
in real enterprises,

267
00:10:00,840 –> 00:10:03,000
and they don’t complain when you over-permission them.

268
00:10:03,000 –> 00:10:05,000
They just keep running, quietly.

269
00:10:05,000 –> 00:10:07,160
Perfectly, until they’re abused.

270
00:10:07,160 –> 00:10:09,800
When identity is the control plane,

271
00:10:09,800 –> 00:10:12,680
then security maturity becomes less about how many tools you bought

272
00:10:12,680 –> 00:10:15,800
and more about how accurately you can answer a few basic questions.

273
00:10:15,800 –> 00:10:16,760
Who has access?

274
00:10:16,760 –> 00:10:17,640
Why do they have it?

275
00:10:17,640 –> 00:10:19,320
For how long? Under what conditions?

276
00:10:19,320 –> 00:10:21,400
And what happens when those conditions change?

277
00:10:21,400 –> 00:10:23,800
Most organizations can answer the first question

278
00:10:23,800 –> 00:10:25,640
incompletely, the second question,

279
00:10:25,640 –> 00:10:27,320
narratively, the third question,

280
00:10:27,320 –> 00:10:28,760
rarely, and the fourth question

281
00:10:28,760 –> 00:10:31,000
with a policy document nobody enforces.

282
00:10:31,000 –> 00:10:33,880
The last question is the one that decides whether you have resilience

283
00:10:33,880 –> 00:10:35,080
or just optimism,

284
00:10:35,080 –> 00:10:37,320
because identity isn’t only about allowing access,

285
00:10:37,320 –> 00:10:39,160
it’s about revoking it, fast.

286
00:10:39,160 –> 00:10:40,280
In a directory mindset,

287
00:10:40,280 –> 00:10:42,520
revocation is an administrative event.

288
00:10:42,520 –> 00:10:43,800
Someone disables an account,

289
00:10:43,800 –> 00:10:45,240
someone removes a group membership,

290
00:10:45,240 –> 00:10:46,600
someone closes a ticket.

291
00:10:46,600 –> 00:10:47,880
In a control plane mindset,

292
00:10:47,880 –> 00:10:50,200
revocation is a containment mechanism.

293
00:10:50,200 –> 00:10:51,800
It is part of incident response.

294
00:10:51,800 –> 00:10:53,480
It is supposed to happen in business time,

295
00:10:53,480 –> 00:10:54,600
not IT time.

296
00:10:54,600 –> 00:10:57,240
This is also why the identity plane is where governance

297
00:10:57,240 –> 00:10:58,760
either exists or it doesn’t.

298
00:10:58,760 –> 00:11:01,160
Governance isn’t a compliance activity you do annually.

299
00:11:01,160 –> 00:11:02,440
Governance is the mechanism

300
00:11:02,440 –> 00:11:04,280
that prevents entitlement drift

301
00:11:04,280 –> 00:11:06,200
from turning into permanent over-permission.

302
00:11:06,200 –> 00:11:08,120
Drift is what happens when every joiner,

303
00:11:08,120 –> 00:11:09,560
mover, leaver, contractor,

304
00:11:09,560 –> 00:11:12,520
and exception creates a small, reasonable access decision

305
00:11:12,520 –> 00:11:14,040
and nobody ever takes it back.

306
00:11:14,040 –> 00:11:17,000
Over time, the organization doesn’t have access by design.

307
00:11:17,000 –> 00:11:18,440
It has access by archaeology

308
00:11:18,440 –> 00:11:20,440
and the control plane preserves all of it.

309
00:11:20,440 –> 00:11:22,280
So when leaders say we trust our people,

310
00:11:22,280 –> 00:11:24,360
that’s fine, but the system doesn’t trust people.

311
00:11:24,360 –> 00:11:25,880
It trusts claims and permissions.

312
00:11:25,880 –> 00:11:27,960
If permissions don’t reflect business intent,

313
00:11:27,960 –> 00:11:29,480
then the system will authorize things

314
00:11:29,480 –> 00:11:31,480
the business never consciously approved.

315
00:11:31,480 –> 00:11:33,000
That’s not a security failure.

316
00:11:33,000 –> 00:11:34,520
That’s predictable system behavior.

317
00:11:34,520 –> 00:11:36,360
Once identity becomes the control plane,

318
00:11:36,360 –> 00:11:38,520
you stop asking, did they authenticate?

319
00:11:38,520 –> 00:11:39,880
And you start asking,

320
00:11:39,880 –> 00:11:42,120
what does this identity allow them to change,

321
00:11:42,120 –> 00:11:44,760
exfiltrate, approve, disable or persist?

322
00:11:44,760 –> 00:11:46,120
That’s where business impact lives.

323
00:11:46,120 –> 00:11:48,600
And that is the transition point for the rest of this episode.

324
00:11:48,600 –> 00:11:50,520
The failure mode is not login.

325
00:11:50,520 –> 00:11:53,000
It’s authorization and entitlement drift.

326
00:11:53,000 –> 00:11:55,640
Authorization failures beat authentication failures.

327
00:11:55,640 –> 00:11:57,640
MFA can be perfect and you can still lose.

328
00:11:57,640 –> 00:11:59,080
That sentence annoys people

329
00:11:59,080 –> 00:12:02,120
because MFA is the sacred cow of identity security.

330
00:12:02,120 –> 00:12:02,920
And it should be.

331
00:12:02,920 –> 00:12:06,040
Strong authentication removes an entire class of cheap attacks.

332
00:12:06,040 –> 00:12:07,800
But authentication is a gate.

333
00:12:07,800 –> 00:12:09,080
Authorization is the map.

334
00:12:09,080 –> 00:12:10,840
If the map is wrong, the gate doesn’t matter.

335
00:12:10,840 –> 00:12:13,400
Most incident reviews obsess over how the attacker got in.

336
00:12:13,400 –> 00:12:15,560
The more useful question is what the attacker could do

337
00:12:15,560 –> 00:12:16,600
after they were in.

338
00:12:16,600 –> 00:12:17,640
That’s authorization.

339
00:12:17,640 –> 00:12:18,600
That’s entitlements.

340
00:12:18,600 –> 00:12:20,360
That’s the permissions graph you built

341
00:12:20,360 –> 00:12:23,240
over years of reasonable decisions and never revisited.

342
00:12:23,240 –> 00:12:24,680
And the real failure mode is that

343
00:12:24,680 –> 00:12:26,840
authorization errors look like normal business.

344
00:12:26,840 –> 00:12:28,360
A privileged user downloads data.

345
00:12:28,360 –> 00:12:30,360
An automation account exports content.

346
00:12:30,360 –> 00:12:32,040
A service principal reads a directory.

347
00:12:32,040 –> 00:12:33,560
An admin disables a control.

348
00:12:33,560 –> 00:12:36,280
These are all legitimate actions in the right context.

349
00:12:36,280 –> 00:12:39,880
That’s why authorization failures beat authentication failures.

350
00:12:39,880 –> 00:12:41,720
They hide inside allowed behavior.

351
00:12:41,720 –> 00:12:43,720
They’re not break-glass events.

352
00:12:43,720 –> 00:12:45,800
They are business as usual events performed

353
00:12:45,800 –> 00:12:48,680
by the wrong actor at the wrong time for the wrong reason.

354
00:12:48,680 –> 00:12:50,840
This is also why token theft is so effective.

355
00:12:50,840 –> 00:12:53,160
The attacker doesn’t need to defeat authentication

356
00:12:53,160 –> 00:12:55,880
if they can reuse the session after authentication.

357
00:12:55,880 –> 00:12:57,560
Now the system sees a valid token

358
00:12:57,560 –> 00:12:59,960
and the policy engine does what it was configured to do.

359
00:12:59,960 –> 00:13:02,840
Authorize. Your expensive identity controls become irrelevant

360
00:13:02,840 –> 00:13:04,920
because the attacker is no longer trying to log in.

361
00:13:04,920 –> 00:13:07,240
They’re trying to act. Which brings us to privilege creep.

362
00:13:07,240 –> 00:13:09,000
Privilege creep is not a misconfiguration.

363
00:13:09,000 –> 00:13:10,440
It is an organizational default.

364
00:13:10,440 –> 00:13:13,560
Every organization hires, promotes, reorganizes,

365
00:13:13,560 –> 00:13:15,960
uses contractors, launches projects

366
00:13:15,960 –> 00:13:18,840
and grants temporary access to get work done.

367
00:13:18,840 –> 00:13:21,800
Access accumulates because removing access costs time

368
00:13:21,800 –> 00:13:23,480
and creates risk of breaking something.

369
00:13:23,480 –> 00:13:24,440
So people avoid it.

370
00:13:24,440 –> 00:13:26,840
Over time the default posture becomes

371
00:13:26,840 –> 00:13:29,240
keep access unless there’s a reason to remove it.

372
00:13:29,240 –> 00:13:31,720
That is backwards but it feels safe operationally

373
00:13:31,720 –> 00:13:32,680
so it persists.

374
00:13:32,680 –> 00:13:35,080
This is where least privilege becomes a slogan

375
00:13:35,080 –> 00:13:36,440
instead of a system property.

376
00:13:36,440 –> 00:13:38,280
Least privilege is not something you declare.

377
00:13:38,280 –> 00:13:41,080
It is something you enforce through life cycle design,

378
00:13:41,080 –> 00:13:44,520
time limits, approvals, reviews and clear ownership.

379
00:13:44,520 –> 00:13:47,560
If those mechanisms aren’t built into the way access is granted,

380
00:13:47,560 –> 00:13:50,920
the organization will drift toward maximum privilege over time.

381
00:13:50,920 –> 00:13:51,560
Always.

382
00:13:51,560 –> 00:13:52,680
That’s not cynicism.

383
00:13:52,680 –> 00:13:53,720
That’s entropy.

384
00:13:53,720 –> 00:13:55,640
And privilege creep isn’t limited to humans.

385
00:13:55,640 –> 00:13:57,880
Non-human identities accumulate faster

386
00:13:57,880 –> 00:13:59,640
because they don’t show up in org charts

387
00:13:59,640 –> 00:14:01,320
and they don’t rotate roles.

388
00:14:01,320 –> 00:14:03,400
An application gets permissions for a project.

389
00:14:03,400 –> 00:14:04,200
The project ends.

390
00:14:04,200 –> 00:14:05,240
The permissions remain.

391
00:14:05,240 –> 00:14:07,000
A connector gets broad graph access

392
00:14:07,000 –> 00:14:08,440
because it needed it once.

393
00:14:08,440 –> 00:14:09,720
Nobody narrows it later.

394
00:14:09,720 –> 00:14:12,680
These identities are quiet, powerful and rarely reviewed.

395
00:14:12,680 –> 00:14:14,440
They are ideal attack infrastructure.

396
00:14:14,440 –> 00:14:16,440
So when leaders think identity risk,

397
00:14:16,440 –> 00:14:18,760
they picture stolen passwords and phishing.

398
00:14:18,760 –> 00:14:20,680
That’s the entry point, not the impact surface.

399
00:14:20,680 –> 00:14:23,080
The impact surface is who can approve spend,

400
00:14:23,080 –> 00:14:24,920
who can access regulated data,

401
00:14:24,920 –> 00:14:27,560
who can create or modify conditional access policies,

402
00:14:27,560 –> 00:14:29,000
who can grant app consent,

403
00:14:29,000 –> 00:14:30,520
who can create new identities,

404
00:14:30,520 –> 00:14:32,120
who can change audit settings,

405
00:14:32,120 –> 00:14:34,280
and who can disable the tools you rely on

406
00:14:34,280 –> 00:14:35,480
to detect compromise.

407
00:14:35,480 –> 00:14:38,680
In other words, the risk concentrates in change authority.

408
00:14:38,680 –> 00:14:40,600
If an identity can change the environment,

409
00:14:40,600 –> 00:14:43,320
then that identity is effectively part of your control plane.

410
00:14:43,320 –> 00:14:45,640
And control plane identities need different rules,

411
00:14:45,640 –> 00:14:46,920
reduced standing privilege,

412
00:14:46,920 –> 00:14:48,120
stronger session constraints,

413
00:14:48,120 –> 00:14:50,360
more scrutiny and faster revocation.

414
00:14:50,360 –> 00:14:51,960
This is also where over-permission

415
00:14:51,960 –> 00:14:53,800
becomes business process debt.

416
00:14:53,800 –> 00:14:56,680
IT didn’t accidentally grant broad access.

417
00:14:56,680 –> 00:14:57,960
The business demanded speed,

418
00:14:57,960 –> 00:14:59,560
and the easiest way to deliver speed

419
00:14:59,560 –> 00:15:01,000
was to grant access broadly

420
00:15:01,000 –> 00:15:02,360
and hope nobody abuses it.

421
00:15:02,360 –> 00:15:04,360
That decision doesn’t show up as a line item.

422
00:15:04,360 –> 00:15:07,240
It shows up later as incident cost, audit friction,

423
00:15:07,240 –> 00:15:08,360
and emergency cleanup

424
00:15:08,360 –> 00:15:11,640
when the access graph is too messy to trust under pressure.

425
00:15:11,640 –> 00:15:14,680
And the most expensive moment to discover authorization debt

426
00:15:14,680 –> 00:15:15,880
is during an incident.

427
00:15:15,880 –> 00:15:17,720
Because now you can’t answer simple questions

428
00:15:17,720 –> 00:15:19,560
If we disable this account, what breaks?

429
00:15:19,560 –> 00:15:21,720
If we revoke this app’s permissions, what stops?

430
00:15:21,720 –> 00:15:24,360
If we remove this group, which business process fails?

431
00:15:24,360 –> 00:15:26,760
So you hesitate, you negotiate, you open tickets,

432
00:15:26,760 –> 00:15:27,880
you call the system owners,

433
00:15:27,880 –> 00:15:29,400
meanwhile the attacker keeps moving.

434
00:15:29,400 –> 00:15:31,960
That’s why authorization failures beat authentication failures.

435
00:15:31,960 –> 00:15:33,560
They don’t require sophistication.

436
00:15:33,560 –> 00:15:35,800
They require patience and a permission path.

437
00:15:35,800 –> 00:15:37,480
So the leadership takeaway is blunt.

438
00:15:37,480 –> 00:15:38,520
If you want resilience,

439
00:15:38,520 –> 00:15:41,160
you need to manage authorization as a first-class asset.

440
00:15:41,160 –> 00:15:43,240
Not a byproduct, not a quarterly spreadsheet,

441
00:15:43,240 –> 00:15:44,440
a living decision model.

442
00:15:44,440 –> 00:15:45,880
And this is the transition point.

443
00:15:45,880 –> 00:15:47,480
If identity is the control plane,

444
00:15:47,480 –> 00:15:49,960
and authorization is the primary failure mode,

445
00:15:49,960 –> 00:15:52,600
then identity governance is where strategy becomes real

446
00:15:52,600 –> 00:15:54,360
because it is the mechanism that turns

447
00:15:54,360 –> 00:15:56,520
who should have access into enforceable,

448
00:15:56,520 –> 00:15:57,560
reviewable truth.

449
00:15:57,560 –> 00:16:01,240
Identity governance as a business discipline.

450
00:16:01,240 –> 00:16:03,960
Identity governance is where security stops being

451
00:16:03,960 –> 00:16:06,440
a collection of settings and becomes a management system.

452
00:16:06,440 –> 00:16:07,960
Not a tool, a discipline.

453
00:16:07,960 –> 00:16:10,440
Because governance answers the only questions

454
00:16:10,440 –> 00:16:11,720
that matter in a breach.

455
00:16:11,720 –> 00:16:12,920
Who should have access?

456
00:16:12,920 –> 00:16:13,800
Why do they have it?

457
00:16:13,800 –> 00:16:15,800
For how long, under what conditions?

458
00:16:15,800 –> 00:16:18,360
And who is accountable when those answers are wrong?

459
00:16:18,360 –> 00:16:21,240
Most organizations treat those as documentation questions.

460
00:16:21,240 –> 00:16:21,880
They are not.

461
00:16:21,880 –> 00:16:23,160
They are design questions.

462
00:16:23,160 –> 00:16:25,560
If the organization can’t express intent

463
00:16:25,560 –> 00:16:27,320
in a way the control plane can enforce,

464
00:16:27,320 –> 00:16:30,520
then the control plane will default to what it always defaults to.

465
00:16:30,520 –> 00:16:32,840
Whatever grants access and avoids outages.

466
00:16:32,840 –> 00:16:34,920
That’s why governance has to be owned like finance,

467
00:16:34,920 –> 00:16:35,880
not like a project.

468
00:16:35,880 –> 00:16:38,840
Finance doesn’t turn on budgeting and declare victory.

469
00:16:38,840 –> 00:16:42,440
It runs a cadence, controls, approvals, reconciliation,

470
00:16:42,440 –> 00:16:43,960
audits, and corrective actions.

471
00:16:43,960 –> 00:16:46,840
Identity governance needs the same shape.

472
00:16:46,840 –> 00:16:49,240
Otherwise, access becomes a one-way valve.

473
00:16:49,240 –> 00:16:51,960
Granted quickly, removed slowly, reviewed rarely.

474
00:16:51,960 –> 00:16:53,320
That’s not a security posture.

475
00:16:53,320 –> 00:16:54,920
That’s entitlement inflation.

476
00:16:54,920 –> 00:16:57,080
So start with the foundational misunderstanding.

477
00:16:57,080 –> 00:16:59,320
People think governance is about saying no.

478
00:16:59,320 –> 00:17:00,040
It isn’t.

479
00:17:00,040 –> 00:17:02,280
Governance is about making yes safe.

480
00:17:02,280 –> 00:17:04,520
It creates predictable pathways for access,

481
00:17:04,520 –> 00:17:06,760
so the business doesn’t need informal workarounds,

482
00:17:06,760 –> 00:17:08,760
shared accounts, or permanent exceptions.

483
00:17:08,760 –> 00:17:12,280
It is the system that turns autonomy into something you can tolerate.

484
00:17:12,280 –> 00:17:15,720
This is also why joiner, mover, leaver is not an HR workflow.

485
00:17:15,720 –> 00:17:17,080
It is the access supply chain.

486
00:17:17,080 –> 00:17:17,800
Joiners are easy.

487
00:17:17,800 –> 00:17:19,480
The organization knows they need something,

488
00:17:19,480 –> 00:17:20,760
so it provisions access.

489
00:17:20,760 –> 00:17:22,120
Movers are where damage starts.

490
00:17:22,120 –> 00:17:24,120
People change roles, projects overlap.

491
00:17:24,120 –> 00:17:26,280
People keep their old permissions just in case,

492
00:17:26,280 –> 00:17:28,360
because removing access might break a process.

493
00:17:28,360 –> 00:17:29,880
So access accumulates.

494
00:17:29,880 –> 00:17:31,320
Leavers are the obvious part.

495
00:17:31,320 –> 00:17:32,360
Accounts get disabled.

496
00:17:32,360 –> 00:17:33,640
That’s table stakes.

497
00:17:33,640 –> 00:17:35,480
But the real governance failure is that

498
00:17:35,480 –> 00:17:38,440
movers and temporary workers are treated like edge cases.

499
00:17:38,440 –> 00:17:40,680
In most enterprises, contractors, partners,

500
00:17:40,680 –> 00:17:42,040
and vendors are not edge cases.

501
00:17:42,040 –> 00:17:43,720
They are core operating capacity.

502
00:17:43,720 –> 00:17:45,720
That means the identities are first-class risk.

503
00:17:45,720 –> 00:17:48,040
Their access has to be time-bound by default,

504
00:17:48,040 –> 00:17:50,440
with explicit sponsorship and an expiration date

505
00:17:50,440 –> 00:17:51,560
that actually expires.

506
00:17:51,560 –> 00:17:53,640
If access doesn’t expire, it is not governed.

507
00:17:53,640 –> 00:17:54,840
It is merely granted.

508
00:17:54,840 –> 00:17:56,760
And that’s the difference between access reviews

509
00:17:56,760 –> 00:17:59,400
as a checkbox and access reviews as a control loop.

510
00:17:59,400 –> 00:18:01,560
An access review is not a spreadsheet exercise.

511
00:18:01,560 –> 00:18:04,440
It is the mechanism that forces intent to be restated.

512
00:18:04,440 –> 00:18:07,640
If nobody can explain why an identity still needs access,

513
00:18:07,640 –> 00:18:09,000
that access is dead.

514
00:18:09,000 –> 00:18:11,320
If the reviewer can’t confidently remove access

515
00:18:11,320 –> 00:18:12,840
because nobody knows what it impacts,

516
00:18:12,840 –> 00:18:14,520
that’s not a reason to keep it.

517
00:18:14,520 –> 00:18:17,640
That is evidence the system has become ungovernable.

518
00:18:17,640 –> 00:18:20,440
Governance is also where least privilege becomes practical.

519
00:18:20,440 –> 00:18:22,440
Least privilege isn’t achieved by telling people

520
00:18:22,440 –> 00:18:23,640
to have less access.

521
00:18:23,640 –> 00:18:26,120
It’s achieved by designing access as a package.

522
00:18:26,120 –> 00:18:28,280
Scoped, conditional, and temporary.

523
00:18:28,280 –> 00:18:30,200
Access packages, approval paths,

524
00:18:30,200 –> 00:18:33,240
and periodic recertification are not extra process.

525
00:18:33,240 –> 00:18:35,160
They are how an organization prevents

526
00:18:35,160 –> 00:18:38,280
privilege creep from becoming an incident-response problem.

527
00:18:38,280 –> 00:18:40,120
Now apply that logic to privileged access

528
00:18:40,120 –> 00:18:41,880
because that’s where business impact concentrates.

529
00:18:41,880 –> 00:18:44,840
Privileged access governance is not just admin roles.

530
00:18:44,840 –> 00:18:46,920
It is any identity that can change data,

531
00:18:46,920 –> 00:18:49,560
change systems, change controls, or change other identities.

532
00:18:49,560 –> 00:18:52,120
Those identities must be designed around two truths.

533
00:18:52,120 –> 00:18:53,480
Standing privilege is risk,

534
00:18:53,480 –> 00:18:55,880
and manual elevation is a latency generator.

535
00:18:55,880 –> 00:18:58,200
So the discipline is reduce standing privilege,

536
00:18:58,200 –> 00:19:00,280
make elevation fast and auditable,

537
00:19:00,280 –> 00:19:02,520
and enforce expiration without negotiation.

538
00:19:02,520 –> 00:19:04,600
If elevation requires three days and five approvals,

539
00:19:04,600 –> 00:19:05,560
people will bypass it.

540
00:19:05,560 –> 00:19:07,720
If it requires five minutes and leaves a perfect audit trail,

541
00:19:07,720 –> 00:19:08,760
people will use it.

542
00:19:08,760 –> 00:19:10,520
Systems train behavior.

543
00:19:10,520 –> 00:19:12,760
This is also where separation of duties

544
00:19:12,760 –> 00:19:14,280
stops being a policy statement

545
00:19:14,280 –> 00:19:16,280
and becomes a control plane property.

546
00:19:16,280 –> 00:19:17,640
The person who requests access

547
00:19:17,640 –> 00:19:19,240
should not be the person who approves it.

548
00:19:19,240 –> 00:19:21,400
The person who deploys should not be the only person

549
00:19:21,400 –> 00:19:22,520
who can disable logging.

550
00:19:22,520 –> 00:19:25,000
Governance is where those boundaries become enforceable,

551
00:19:25,000 –> 00:19:26,120
not aspirational.

552
00:19:26,120 –> 00:19:27,480
And one more uncomfortable truth,

553
00:19:27,480 –> 00:19:28,920
governance has a licensing model,

554
00:19:28,920 –> 00:19:30,600
but it also has an ownership model.

555
00:19:30,600 –> 00:19:32,120
Someone has to own access decisions

556
00:19:32,120 –> 00:19:33,480
the way someone owns spend.

557
00:19:33,480 –> 00:19:35,320
That means business owners for resources.

558
00:19:35,320 –> 00:19:37,400
Not just IT, not the security team,

559
00:19:37,400 –> 00:19:39,000
the security team enforces.

560
00:19:39,000 –> 00:19:40,280
The business defines intent

561
00:19:40,280 –> 00:19:42,120
because when an identity incident happens,

562
00:19:42,120 –> 00:19:43,320
you don’t need more dashboards.

563
00:19:43,320 –> 00:19:44,200
You need authority.

564
00:19:44,200 –> 00:19:46,280
So identity governance as a business discipline

565
00:19:46,280 –> 00:19:48,120
is the mechanism that turns identity

566
00:19:48,120 –> 00:19:49,560
from a sprawling permission graph

567
00:19:49,560 –> 00:19:51,320
into a manageable decision system.

568
00:19:51,320 –> 00:19:53,560
It creates bounded access, predictable change,

569
00:19:53,560 –> 00:19:54,760
and fast revocation.

570
00:19:54,760 –> 00:19:56,040
And that’s the transition point.

571
00:19:56,040 –> 00:19:57,400
Once governance exists,

572
00:19:57,400 –> 00:19:59,960
identity becomes a foundation you can build on.

573
00:19:59,960 –> 00:20:02,040
Without it, every advanced control you add

574
00:20:02,040 –> 00:20:04,520
is just another policy layered on top of drift.

575
00:20:04,520 –> 00:20:05,560
Scenario one,

576
00:20:05,560 –> 00:20:06,600
Entra ID,

577
00:20:06,600 –> 00:20:09,640
Identity governance plus ITDR as the foundation.

578
00:20:09,640 –> 00:20:11,480
Scenario one is Entra ID,

579
00:20:11,480 –> 00:20:13,880
done the way leadership assumes it already is.

580
00:20:13,880 –> 00:20:15,400
Governance plus identity,

581
00:20:15,400 –> 00:20:17,000
threat detection and response.

582
00:20:17,000 –> 00:20:19,000
Treat it as a control plane capability,

583
00:20:19,000 –> 00:20:21,560
not a portal someone logs into when they remember.

584
00:20:21,560 –> 00:20:23,240
Start with the clean definition.

585
00:20:23,240 –> 00:20:25,240
Entra is not where identities live.

586
00:20:25,240 –> 00:20:28,200
Entra is where trust decisions compile.

587
00:20:28,200 –> 00:20:30,520
It takes signals, applies policy intent,

588
00:20:30,520 –> 00:20:31,720
and issues the tokens

589
00:20:31,720 –> 00:20:34,360
that let humans and machines act inside your business.

590
00:20:34,360 –> 00:20:36,840
When that engine is governed, you get bounded access.

591
00:20:36,840 –> 00:20:38,920
When it isn’t, you get an authorization lottery

592
00:20:38,920 –> 00:20:39,960
with a nice UI.

593
00:20:39,960 –> 00:20:42,040
So the foundation is two linked disciplines.

594
00:20:42,040 –> 00:20:43,320
First identity governance,

595
00:20:43,320 –> 00:20:46,360
this is the part that answers should this identity have this access

596
00:20:46,360 –> 00:20:48,040
and forces time into the equation.

597
00:20:48,040 –> 00:20:49,160
Access packages,

598
00:20:49,160 –> 00:20:51,800
expiration, sponsorship, reviews,

599
00:20:51,800 –> 00:20:54,040
privileged elevation with justification,

600
00:20:54,040 –> 00:20:55,400
the goal isn’t bureaucracy,

601
00:20:55,400 –> 00:20:57,400
the goal is to stop entitlement drift

602
00:20:57,400 –> 00:20:59,800
from becoming your default security model.

603
00:20:59,800 –> 00:21:01,960
Second, ITDR identity threat,

604
00:21:01,960 –> 00:21:04,360
detection and response is the part that answers

605
00:21:04,360 –> 00:21:06,360
is this identity behaving like itself

606
00:21:06,360 –> 00:21:08,520
and how fast can we contain it when it doesn’t.

607
00:21:08,920 –> 00:21:10,040
Not as a SOC hobby,

608
00:21:10,040 –> 00:21:11,240
as an operating requirement.

609
00:21:11,240 –> 00:21:13,640
Most organizations treat identity telemetry

610
00:21:13,640 –> 00:21:14,920
like a forensic archive.

611
00:21:14,920 –> 00:21:17,800
Sign-in logs, audit logs, risky users, risky sign-ins.

612
00:21:17,800 –> 00:21:19,320
Useful, but not decisive.

613
00:21:19,320 –> 00:21:20,920
ITDR is decisive.

614
00:21:20,920 –> 00:21:21,880
It’s the shift from,

615
00:21:21,880 –> 00:21:23,080
we can investigate later,

616
00:21:23,080 –> 00:21:24,280
to we can revoke now.

617
00:21:24,280 –> 00:21:26,680
Because identity incidents are not technical events.

618
00:21:26,680 –> 00:21:29,160
They are business events with business blast radius.

619
00:21:29,160 –> 00:21:30,840
The attacker doesn’t want your login page.

620
00:21:30,840 –> 00:21:32,120
They want your approval chains,

621
00:21:32,120 –> 00:21:33,720
your data export paths,

622
00:21:33,720 –> 00:21:35,400
your automation identities,

623
00:21:35,400 –> 00:21:36,520
and your admin surface.

624
00:21:36,520 –> 00:21:39,400
So what does Entra governance plus ITDR actually look like

625
00:21:39,400 –> 00:21:41,240
in practical terms without turning this

626
00:21:41,240 –> 00:21:42,840
into a configuration tutorial?

627
00:21:42,840 –> 00:21:44,840
It looks like the organization treating access

628
00:21:44,840 –> 00:21:46,600
as a product with a life cycle.

629
00:21:46,600 –> 00:21:48,920
A new contractor needs access to a project space

630
00:21:48,920 –> 00:21:50,520
and they request it through an access package.

631
00:21:50,520 –> 00:21:53,000
The package is scoped to what the contractor should touch,

632
00:21:53,000 –> 00:21:54,600
not what’s convenient to grant.

633
00:21:54,600 –> 00:21:56,680
It requires a sponsor who is accountable,

634
00:21:56,680 –> 00:21:58,440
it expires automatically.

635
00:21:58,440 –> 00:21:59,800
And there is a review cadence

636
00:21:59,800 –> 00:22:01,720
that doesn’t depend on someone remembering.

637
00:22:01,720 –> 00:22:02,680
That seems simple.

638
00:22:02,680 –> 00:22:03,560
Here’s the weird part.

639
00:22:03,560 –> 00:22:04,920
It is rare.

640
00:22:04,920 –> 00:22:07,080
Most contractors get access via group membership.

641
00:22:07,080 –> 00:22:08,360
The membership doesn’t expire.

642
00:22:08,360 –> 00:22:09,560
The sponsor changes jobs.

643
00:22:09,560 –> 00:22:10,440
The project ends.

644
00:22:10,440 –> 00:22:11,560
The access remains.

645
00:22:11,560 –> 00:22:12,600
That’s not malicious.

646
00:22:12,600 –> 00:22:13,400
That’s drift.

647
00:22:13,400 –> 00:22:15,400
And drift is the raw material of breaches.

648
00:22:15,400 –> 00:22:16,920
Now layer in privileged access.

649
00:22:16,920 –> 00:22:18,920
Entra PIM is not a nice-to-have.

650
00:22:18,920 –> 00:22:21,000
It’s the mechanism that prevents standing power

651
00:22:21,000 –> 00:22:22,840
from becoming standing exposure.

652
00:22:22,840 –> 00:22:24,840
If an identity can change conditional access,

653
00:22:24,840 –> 00:22:27,480
modify app consent, create new service principals,

654
00:22:27,480 –> 00:22:29,480
reset credentials, or turn off logging,

655
00:22:29,480 –> 00:22:31,400
that identity is part of your control plane.

656
00:22:31,400 –> 00:22:33,720
Control plane power cannot be permanently assigned

657
00:22:33,720 –> 00:22:35,880
and still be called least privilege.

658
00:22:35,880 –> 00:22:37,400
It becomes inherited risk.

659
00:22:37,400 –> 00:22:39,800
So the model is, eligible by default,

660
00:22:39,800 –> 00:22:42,360
active only when needed, time bound, always,

661
00:22:42,360 –> 00:22:43,800
and auditable without effort.

662
00:22:43,800 –> 00:22:45,640
If elevation is slow, people bypass.

663
00:22:45,640 –> 00:22:47,960
If elevation is fast and logged, people comply.

664
00:22:47,960 –> 00:22:49,400
Your design trains your culture.

665
00:22:49,400 –> 00:22:51,640
Now the ITDR half.

666
00:22:51,640 –> 00:22:53,800
Identity incidents rarely announce themselves

667
00:22:53,800 –> 00:22:56,120
with a single obvious alert.

668
00:22:56,120 –> 00:22:57,720
They show up as weak signals.

669
00:22:57,720 –> 00:23:00,520
Unusual token use, a sign-in that’s technically valid

670
00:23:00,520 –> 00:23:02,040
but behaviorally wrong,

671
00:23:02,040 –> 00:23:04,680
a new OAuth app consent that shouldn’t exist,

672
00:23:04,680 –> 00:23:06,840
an admin role activation at an odd time,

673
00:23:06,840 –> 00:23:09,160
an account that starts enumerating directory objects

674
00:23:09,160 –> 00:23:11,720
it never touched before. The system has those signals.

675
00:23:11,720 –> 00:23:14,040
The question is whether you connected them to response.

676
00:23:14,040 –> 00:23:16,040
This is where Entra becomes an execution layer,

677
00:23:16,040 –> 00:23:17,080
not a reporting layer.

678
00:23:17,080 –> 00:23:18,840
Risk signals can drive policy actions.

679
00:23:18,840 –> 00:23:21,160
Session risk can trigger step-up requirements.

680
00:23:21,160 –> 00:23:23,000
Compromised accounts can be disabled.

681
00:23:23,000 –> 00:23:24,440
Tokens can be invalidated.

682
00:23:24,440 –> 00:23:26,200
Privileged sessions can be constrained

683
00:23:26,200 –> 00:23:27,960
and the moment you can do that quickly,

684
00:23:27,960 –> 00:23:29,800
you change the economics of an attack.

685
00:23:29,800 –> 00:23:32,120
Because the attacker’s best advantage is time

686
00:23:32,120 –> 00:23:34,280
and governance is what makes response safe.

687
00:23:34,280 –> 00:23:37,560
Without governance, every containment action becomes political.

688
00:23:37,560 –> 00:23:40,360
If we disable this account, will payroll break?

689
00:23:40,360 –> 00:23:43,160
If we revoke this app, will the sales team lose access?

690
00:23:43,160 –> 00:23:44,760
So the organization hesitates.

691
00:23:44,760 –> 00:23:46,280
Governance reduces that hesitation

692
00:23:46,280 –> 00:23:49,000
by making access intentional, scoped and owned.

693
00:23:49,000 –> 00:23:50,840
You can be decisive because you understand

694
00:23:50,840 –> 00:23:52,920
what normal access looks like.

695
00:23:52,920 –> 00:23:55,800
There’s also a 2026 reality leaders should not ignore.

696
00:23:55,800 –> 00:23:58,600
Entra is tightening the rules around application identities

697
00:23:58,600 –> 00:24:01,800
and service principal-less authentication behavior is being retired.

698
00:24:01,800 –> 00:24:02,760
That is not a nuisance.

699
00:24:02,760 –> 00:24:03,800
That is a forcing function.

700
00:24:03,800 –> 00:24:05,720
It’s Microsoft telling you in policy

701
00:24:05,720 –> 00:24:08,360
that invisible identities don’t get to exist anymore,

702
00:24:08,360 –> 00:24:09,640
which is the point.

703
00:24:09,640 –> 00:24:11,080
Scenario one is the foundation

704
00:24:11,080 –> 00:24:12,520
because it restores determinism.

705
00:24:12,520 –> 00:24:13,880
It makes access time-bound.

706
00:24:13,880 –> 00:24:15,240
It makes privilege temporary.

707
00:24:15,240 –> 00:24:16,840
It makes ownership explicit.

708
00:24:16,840 –> 00:24:19,560
And it turns identity signals into actions instead of evidence.

709
00:24:19,560 –> 00:24:21,000
Then you can build zero trust

710
00:24:21,000 –> 00:24:24,360
that actually works because now your trust model has teeth.

711
00:24:24,360 –> 00:24:26,280
Zero trust is not a product rollout.

712
00:24:26,280 –> 00:24:28,120
Zero trust is where a lot of security programs

713
00:24:28,120 –> 00:24:30,840
go to die because it gets treated like a procurement event.

714
00:24:30,840 –> 00:24:33,320
A vendor pitches a zero trust solution.

715
00:24:33,320 –> 00:24:35,080
The organization buys licenses.

716
00:24:35,080 –> 00:24:36,840
Someone turns on conditional access.

717
00:24:36,840 –> 00:24:38,360
A slide gets shown to the board.

718
00:24:38,360 –> 00:24:40,920
And everybody quietly agrees the journey is complete.

719
00:24:40,920 –> 00:24:42,440
It isn’t. Zero trust is not a product.

720
00:24:42,440 –> 00:24:43,320
It is not a portal.

721
00:24:43,320 –> 00:24:44,840
It is not a single policy set.

722
00:24:44,840 –> 00:24:45,800
In architectural terms,

723
00:24:45,800 –> 00:24:49,000
it is a replacement for your old trust assumptions.

724
00:24:49,000 –> 00:24:51,160
The idea that inside means safe,

725
00:24:51,160 –> 00:24:53,080
that authenticated means trusted

726
00:24:53,080 –> 00:24:55,560
and that compliant means controlled.

727
00:24:55,560 –> 00:24:57,720
Zero trust says none of that is true by default.

728
00:24:57,720 –> 00:24:59,800
Trust has to be earned continuously

729
00:24:59,800 –> 00:25:02,360
per request and revoked when reality changes.

730
00:25:02,360 –> 00:25:03,480
That distinction matters

731
00:25:03,480 –> 00:25:06,200
because product rollouts create coverage.

732
00:25:06,200 –> 00:25:08,760
Zero trust requires behavior change in the system.

733
00:25:08,760 –> 00:25:11,560
The foundational misunderstanding is that people translate

734
00:25:11,560 –> 00:25:13,880
“Never trust, always verify”

735
00:25:13,880 –> 00:25:15,240
into “add more prompts”.

736
00:25:15,240 –> 00:25:17,720
More MFA prompts, more approvals, more blocks,

737
00:25:17,720 –> 00:25:19,880
that’s not zero trust, that’s friction.

738
00:25:19,880 –> 00:25:22,680
Zero trust done properly reduces friction for normal work

739
00:25:22,680 –> 00:25:24,840
and increases constraint for abnormal work.

740
00:25:24,840 –> 00:25:27,960
It does that by making policy decisions dynamic,

741
00:25:27,960 –> 00:25:30,280
contextual and enforceable close to the resource.

742
00:25:30,280 –> 00:25:32,040
That’s the NIST model in plain language.

743
00:25:32,040 –> 00:25:33,480
A subject requests access,

744
00:25:33,480 –> 00:25:35,800
a policy decision happens using real signals

745
00:25:35,800 –> 00:25:38,200
and a policy enforcement point applies that decision.

746
00:25:38,200 –> 00:25:40,040
And that loop never stops existing

747
00:25:40,040 –> 00:25:42,040
just because the user passed a login screen once.

748
00:25:42,040 –> 00:25:44,360
This is why the phrase we turned on conditional access

749
00:25:44,360 –> 00:25:45,480
is such a warning sign.

750
00:25:45,480 –> 00:25:47,320
Conditional access is a policy engine.

751
00:25:47,320 –> 00:25:48,120
It’s powerful.

752
00:25:48,120 –> 00:25:51,160
But if the program around it is built on exception culture,

753
00:25:51,160 –> 00:25:52,680
shared responsibility gaps,

754
00:25:52,680 –> 00:25:54,680
and unowned entitlements,

755
00:25:54,680 –> 00:25:57,320
then conditional access becomes conditional chaos,

756
00:25:57,320 –> 00:25:59,800
a pile of policies that look sophisticated

757
00:25:59,800 –> 00:26:01,640
and behave inconsistently.

758
00:26:01,640 –> 00:26:03,960
The system doesn’t degrade because it’s malicious.

759
00:26:03,960 –> 00:26:06,840
It degrades because organizations are, they merge, they reorganize,

760
00:26:06,840 –> 00:26:08,680
they acquire, they ship new apps,

761
00:26:08,680 –> 00:26:11,400
they onboard third parties, they add automation.

762
00:26:11,400 –> 00:26:14,600
And every one of those changes generates just one exception.

763
00:26:14,600 –> 00:26:16,760
Remember this detail, it’s going to matter later.

764
00:26:16,760 –> 00:26:18,360
Exceptions are entropy generators.

765
00:26:18,360 –> 00:26:20,200
Every exception is a trust assumption

766
00:26:20,200 –> 00:26:21,880
you are choosing not to enforce.

767
00:26:21,880 –> 00:26:23,880
It becomes a permanent alternate pathway

768
00:26:23,880 –> 00:26:25,640
unless you govern it like a liability,

769
00:26:25,640 –> 00:26:27,560
expiration, justification, and review.

770
00:26:27,560 –> 00:26:29,240
If you don’t, your zero trust program

771
00:26:29,240 –> 00:26:31,160
becomes a museum of past urgency.

772
00:26:31,160 –> 00:26:32,840
Nobody knows which policies still matter,

773
00:26:32,840 –> 00:26:35,000
nobody knows which applications rely on them.

774
00:26:35,000 –> 00:26:37,320
And when an incident hits, you cannot act decisively

775
00:26:37,320 –> 00:26:39,720
because you can’t predict the blast radius of enforcement.

776
00:26:39,720 –> 00:26:41,880
That’s why zero trust is not a technical rollout.

777
00:26:41,880 –> 00:26:43,000
It’s an operating model.

778
00:26:43,000 –> 00:26:45,480
Operating model means ownership boundaries are explicit.

779
00:26:45,480 –> 00:26:47,160
Someone defines policy intent.

780
00:26:47,160 –> 00:26:49,240
Someone implements it, someone monitors drift,

781
00:26:49,240 –> 00:26:50,680
someone owns exceptions.

782
00:26:50,680 –> 00:26:53,240
Someone is accountable for outcomes, not configuration.

783
00:26:53,240 –> 00:26:56,360
And in most organizations, that’s exactly where the program fails.

784
00:26:56,360 –> 00:26:59,960
Identity teams own identity, endpoint teams own devices,

785
00:26:59,960 –> 00:27:01,640
network teams own connectivity,

786
00:27:01,640 –> 00:27:03,400
application teams own uptime,

787
00:27:03,400 –> 00:27:06,040
security teams own alerts, nobody owns trust end to end.

788
00:27:06,040 –> 00:27:08,600
So the attacker gets gaps between teams, always.

789
00:27:08,600 –> 00:27:11,960
A real zero trust transformation collapses

790
00:27:11,960 –> 00:27:14,840
those gaps by defining the trust system as one loop.

791
00:27:14,840 –> 00:27:17,800
Signals into decision, decision into enforcement,

792
00:27:17,800 –> 00:27:19,480
enforcement into response.

793
00:27:19,480 –> 00:27:21,400
It becomes less about do we have the feature

794
00:27:21,400 –> 00:27:25,480
and more about does the system reliably constrain the pathways that matter?

795
00:27:25,480 –> 00:27:28,760
This is also where leadership has to stop rewarding the wrong behavior.

796
00:27:28,760 –> 00:27:31,400
If teams are punished for outages and not punished for drift,

797
00:27:31,400 –> 00:27:32,360
they will choose drift.

798
00:27:32,360 –> 00:27:34,680
If teams are rewarded for fast delivery

799
00:27:34,680 –> 00:27:37,000
and not rewarded for revocation discipline,

800
00:27:37,000 –> 00:27:38,440
they will accumulate permissions.

801
00:27:38,440 –> 00:27:41,320
If security is measured by how many requests it blocks,

802
00:27:41,320 –> 00:27:42,520
it will block more.

803
00:27:42,520 –> 00:27:44,040
And the business will route around it.

804
00:27:44,040 –> 00:27:46,520
Zero trust done right has a different success condition.

805
00:27:46,520 –> 00:27:47,640
Safe autonomy.

806
00:27:47,640 –> 00:27:49,000
People should be able to work quickly

807
00:27:49,000 –> 00:27:50,920
because the system makes low-risk work easy

808
00:27:50,920 –> 00:27:52,280
and high-risk work controlled.

809
00:27:52,280 –> 00:27:53,480
That requires two things

810
00:27:53,480 –> 00:27:55,000
leaders rarely fund explicitly:

811
00:27:55,000 –> 00:27:56,600
Decision quality and enforcement speed.

812
00:27:56,600 –> 00:27:59,000
Decision quality comes from identity governance

813
00:27:59,000 –> 00:28:01,000
and clean entitlement design.

814
00:28:01,000 –> 00:28:03,080
Enforcement speed comes from capabilities

815
00:28:03,080 –> 00:28:05,000
like continuous access evaluation

816
00:28:05,000 –> 00:28:06,520
and automated response loops.

817
00:28:06,520 –> 00:28:09,240
Without those, zero trust stays a diagram.

818
00:28:09,240 –> 00:28:11,960
A beautiful policy model with no runtime authority.

819
00:28:11,960 –> 00:28:15,640
So the product rollout mindset needs to die.

820
00:28:15,640 –> 00:28:17,640
What replaces it is a program mindset.

821
00:28:17,640 –> 00:28:19,240
Trust assumptions are explicit,

822
00:28:19,240 –> 00:28:20,360
exceptions are governed,

823
00:28:20,360 –> 00:28:22,600
sessions are continuously evaluated

824
00:28:22,600 –> 00:28:25,560
and revocation happens fast enough that it matters.

825
00:28:25,560 –> 00:28:26,520
And once you accept that,

826
00:28:26,520 –> 00:28:28,040
the next point becomes obvious.

827
00:28:28,040 –> 00:28:29,480
Trust doesn’t decay at login.

828
00:28:29,480 –> 00:28:31,960
It decays continuously inside the session.

829
00:28:31,960 –> 00:28:35,640
Trust decays continuously, not at login.

830
00:28:35,640 –> 00:28:37,720
Most organizations still design trust

831
00:28:37,720 –> 00:28:39,080
like it’s a moment in time.

832
00:28:39,080 –> 00:28:41,240
You authenticate, you pass MFA, you’re good.

833
00:28:41,240 –> 00:28:43,000
Then you get a token

834
00:28:43,000 –> 00:28:45,000
and that token becomes a little permission slip

835
00:28:45,000 –> 00:28:46,600
that travels with you for hours.

836
00:28:46,600 –> 00:28:48,920
That model made sense when the network was the boundary

837
00:28:48,920 –> 00:28:50,280
and sessions were short.

838
00:28:50,280 –> 00:28:51,880
In cloud and SaaS, it’s backwards.

839
00:28:51,880 –> 00:28:54,200
The reality is that the session is the attack surface.

840
00:28:54,200 –> 00:28:55,480
Not the login screen,

841
00:28:55,480 –> 00:28:56,840
because the attacker doesn’t care

842
00:28:56,840 –> 00:28:58,200
about proving who they are.

843
00:28:58,200 –> 00:29:00,440
They care about inheriting what you already proved.

844
00:29:00,440 –> 00:29:02,280
If they can get hold of the session token

845
00:29:02,280 –> 00:29:03,160
or the refresh token,

846
00:29:03,160 –> 00:29:04,920
they’re not trying to authenticate anymore.

847
00:29:04,920 –> 00:29:06,600
They’re trying to operate as you

848
00:29:06,600 –> 00:29:08,520
after the platform already granted trust.

849
00:29:08,520 –> 00:29:10,680
This is why we have strong MFA

850
00:29:10,680 –> 00:29:13,640
can be true and still irrelevant to the event that hurts you.

851
00:29:13,640 –> 00:29:15,960
It’s also why leaders keep hearing the same sentence

852
00:29:15,960 –> 00:29:17,000
after incidents.

853
00:29:17,000 –> 00:29:19,080
The user successfully completed MFA.

854
00:29:19,080 –> 00:29:21,400
Yes, and then the session lived long enough to be abused.

855
00:29:21,400 –> 00:29:22,920
So the core shift is this.

856
00:29:22,920 –> 00:29:24,920
Authentication is not the end of trust.

857
00:29:24,920 –> 00:29:28,040
It’s the beginning of a continuously evaluated relationship

858
00:29:28,040 –> 00:29:29,800
between an identity, a device,

859
00:29:29,800 –> 00:29:31,160
a session, and a resource.

860
00:29:31,160 –> 00:29:32,760
And that relationship decays.

861
00:29:32,760 –> 00:29:36,520
Sometimes it decays because the device posture changes.

862
00:29:36,520 –> 00:29:38,680
A laptop goes from compliant to not compliant.

863
00:29:38,680 –> 00:29:41,320
An endpoint alert fires, a risky sign-in is detected.

864
00:29:41,320 –> 00:29:43,800
A user is disabled, a role assignment changes.

865
00:29:43,800 –> 00:29:46,760
Or a credential reset happens for suspected compromise.

866
00:29:46,760 –> 00:29:49,720
Those are all state changes that should alter trust immediately.

867
00:29:49,720 –> 00:29:51,960
But in a point-in-time model, none of them matter

868
00:29:51,960 –> 00:29:54,200
until the session naturally expires.

869
00:29:54,200 –> 00:29:57,320
That gap between the world changed and enforcement caught up

870
00:29:57,320 –> 00:29:58,840
is where modern incidents live.

871
00:29:58,840 –> 00:30:01,400
It’s the difference between knowing a door should be locked

872
00:30:01,400 –> 00:30:03,960
and waiting eight hours for the lock to engage

873
00:30:03,960 –> 00:30:05,400
because the key card still works.

874
00:30:05,400 –> 00:30:07,480
This is where it gets uncomfortable for leadership

875
00:30:07,480 –> 00:30:10,360
because IT time is not the time unit that matters.

876
00:30:10,360 –> 00:30:11,480
Business time is.

877
00:30:11,480 –> 00:30:13,320
If it takes you six hours to revoke access

878
00:30:13,320 –> 00:30:15,400
because you rely on token expiration,

879
00:30:15,400 –> 00:30:17,400
the attacker has six hours of clean runway.

880
00:30:17,400 –> 00:30:18,600
They don’t need persistence.

881
00:30:18,600 –> 00:30:21,240
They need time and your organization usually gives it to them

882
00:30:21,240 –> 00:30:23,320
because it designed trust as a single event,

883
00:30:23,320 –> 00:30:24,760
not a continuous state.

884
00:30:24,760 –> 00:30:26,680
Now, layer in the things leaders don’t see.

885
00:30:26,680 –> 00:30:29,720
Sessions aren’t only for humans, workloads have sessions,

886
00:30:29,720 –> 00:30:32,600
automation has sessions, integrations have sessions,

887
00:30:32,600 –> 00:30:34,360
third party apps have sessions.

888
00:30:34,360 –> 00:30:36,360
And these identities often have broader permissions

889
00:30:36,360 –> 00:30:39,160
because someone wanted the workflow to just work.

890
00:30:39,160 –> 00:30:40,360
When those sessions are abused,

891
00:30:40,360 –> 00:30:42,680
you don’t get a helpful prompt or user complaint.

892
00:30:42,680 –> 00:30:44,760
You get silent high throughput actions

893
00:30:44,760 –> 00:30:46,840
that look like normal system activity.

894
00:30:46,840 –> 00:30:49,560
That’s the human machine blur, operationalized.

895
00:30:49,560 –> 00:30:51,640
So when people say continuous verification,

896
00:30:51,640 –> 00:30:53,880
they tend to imagine constant MFA prompts.

897
00:30:53,880 –> 00:30:55,160
That’s the wrong mental model.

898
00:30:55,160 –> 00:30:57,160
The system doesn’t need to keep asking the user

899
00:30:57,160 –> 00:30:58,280
to prove they’re human.

900
00:30:58,280 –> 00:30:59,960
The system needs to keep validating

901
00:30:59,960 –> 00:31:03,000
whether the conditions that justified access still exist.

902
00:31:03,000 –> 00:31:05,080
In zero trust terms, the policy decision point

903
00:31:05,080 –> 00:31:07,160
should not be consulted once and then ignored.

904
00:31:07,160 –> 00:31:08,280
It should stay relevant.

905
00:31:08,280 –> 00:31:09,560
It should be able to say

906
00:31:09,560 –> 00:31:11,960
that session was valid, but now it isn’t.

907
00:31:11,960 –> 00:31:14,040
Which implies something simple and brutal.

908
00:31:14,040 –> 00:31:15,480
Trust must be revocable,

909
00:31:15,480 –> 00:31:17,160
not in an annual access review,

910
00:31:17,160 –> 00:31:18,200
not in a ticket queue,

911
00:31:18,200 –> 00:31:19,400
not after a meeting,

912
00:31:19,400 –> 00:31:20,760
revocable in near real time

913
00:31:20,760 –> 00:31:23,080
and in a way your critical apps actually honor.

914
00:31:23,080 –> 00:31:25,240
Because the most expensive form of security control

915
00:31:25,240 –> 00:31:26,440
is one that detects risk

916
00:31:26,440 –> 00:31:29,000
and cannot enforce consequences quickly enough to matter.

917
00:31:29,000 –> 00:31:31,880
This is also where exception culture quietly destroys you.

918
00:31:31,880 –> 00:31:34,680
If you’ve carved out bypasses for business critical apps

919
00:31:34,680 –> 00:31:36,920
or you allow legacy auth because it’s complicated

920
00:31:36,920 –> 00:31:38,760
or you exempt privileged identities

921
00:31:38,760 –> 00:31:41,000
because they can’t be disrupted,

922
00:31:41,000 –> 00:31:42,440
you have effectively declared

923
00:31:42,440 –> 00:31:45,480
that the most important pathways are the least governable.

924
00:31:45,480 –> 00:31:46,760
That’s not a security program.

925
00:31:46,760 –> 00:31:48,840
That’s a liability register you refuse to name.

926
00:31:48,840 –> 00:31:51,480
And the reason this matters to leaders is not philosophical.

927
00:31:51,480 –> 00:31:52,520
It’s operational.

928
00:31:52,520 –> 00:31:54,440
If trust decays continuously,

929
00:31:54,440 –> 00:31:57,160
then your organization must be able to revoke continuously.

930
00:31:57,160 –> 00:31:59,480
Otherwise, you’re running a probabilistic security model.

931
00:31:59,480 –> 00:32:01,160
Sometimes revocation happens fast,

932
00:32:01,160 –> 00:32:02,120
sometimes it doesn’t,

933
00:32:02,120 –> 00:32:04,200
and you just hope the attacker lands in the slow lane.

934
00:32:04,200 –> 00:32:07,400
So the aha to hold on to is this.

935
00:32:07,400 –> 00:32:09,400
Resilience in identity-driven incidents

936
00:32:09,400 –> 00:32:11,080
is mostly about collapsing the time

937
00:32:11,080 –> 00:32:12,760
between a trust decision changing

938
00:32:12,760 –> 00:32:14,360
and enforcement taking effect.

939
00:32:14,360 –> 00:32:15,720
That’s why the next scenario matters.

940
00:32:15,720 –> 00:32:18,120
Continuous access evaluation is where zero trust

941
00:32:18,120 –> 00:32:21,320
stops being a diagram and starts being lived reality.

942
00:32:21,320 –> 00:32:22,360
Scenario three.

943
00:32:22,360 –> 00:32:24,040
Continuous access evaluation.

944
00:32:24,040 –> 00:32:26,680
CAE as lived zero trust.

945
00:32:26,680 –> 00:32:29,000
CAE is what happens when an organization

946
00:32:29,000 –> 00:32:31,800
stops pretending that access granted is a permanent state.

947
00:32:31,800 –> 00:32:32,520
It is not.

948
00:32:32,520 –> 00:32:34,520
It is a temporary decision that should collapse

949
00:32:34,520 –> 00:32:36,360
the moment the conditions behind it change.

950
00:32:36,360 –> 00:32:39,080
CAE is the mechanism that makes that collapse real

951
00:32:39,080 –> 00:32:41,160
and fast in the Microsoft ecosystem,

952
00:32:41,160 –> 00:32:43,720
not as a concept, as runtime behavior.

953
00:32:43,720 –> 00:32:44,920
Here’s the simple version.

954
00:32:44,920 –> 00:32:48,120
CAE lets Entra tell participating applications:

955
00:32:48,120 –> 00:32:50,200
This session is no longer acceptable.

956
00:32:50,200 –> 00:32:52,280
And have the app enforce that in near real time

957
00:32:52,280 –> 00:32:54,040
instead of waiting for token expiry.

958
00:32:54,040 –> 00:32:56,440
That’s the gap it closes, decision versus enforcement.

959
00:32:56,440 –> 00:32:59,080
Most security programs have decent decision making.

960
00:32:59,080 –> 00:33:00,760
They know when something is risky,

961
00:33:00,760 –> 00:33:02,960
they can flag a user, they can disable an account,

962
00:33:02,960 –> 00:33:04,440
they can mark a sign-in as high risk,

963
00:33:04,440 –> 00:33:06,920
they can detect a device falling out of compliance.

964
00:33:06,920 –> 00:33:09,160
But then nothing happens quickly enough to matter

965
00:33:09,160 –> 00:33:11,240
because the user’s session keeps running.

966
00:33:11,240 –> 00:33:14,680
CAE is how you stop granting attackers the courtesy of time.

967
00:33:14,680 –> 00:33:17,000
Why leaders should care is straightforward.

968
00:33:17,000 –> 00:33:20,200
It converts trust revocation from an administrative workflow

969
00:33:20,200 –> 00:33:21,640
into an operational control.

970
00:33:21,640 –> 00:33:24,040
It turns we noticed into we contained

971
00:33:24,040 –> 00:33:26,680
without a help desk ticket and without waiting six hours

972
00:33:26,680 –> 00:33:27,960
for a token to die naturally.

973
00:33:27,960 –> 00:33:29,320
But CAE is not magic.

974
00:33:29,320 –> 00:33:30,040
It’s a contract.

975
00:33:30,040 –> 00:33:31,240
Entra can emit the signal.

976
00:33:31,240 –> 00:33:32,920
The application has to honor it.

977
00:33:32,920 –> 00:33:34,440
And that’s where reality shows up.

978
00:33:34,440 –> 00:33:37,640
Microsoft services like Exchange Online, SharePoint Online, Teams

979
00:33:37,640 –> 00:33:39,800
and others support CAE in specific ways.

980
00:33:39,800 –> 00:33:41,320
Many third party SaaS apps don’t.

981
00:33:41,320 –> 00:33:44,280
Some claim they do, but implement it partially or inconsistently.

982
00:33:44,280 –> 00:33:46,680
So “we enabled CAE” is not an end state.

983
00:33:46,680 –> 00:33:50,680
It’s the start of verifying which of your critical applications

984
00:33:50,680 –> 00:33:53,400
actually behave like they live in a zero trust system.

985
00:33:53,400 –> 00:33:55,800
That distinction matters because CAE creates

986
00:33:55,800 –> 00:33:57,560
an uncomfortable inventory problem.

987
00:33:57,560 –> 00:33:59,640
Which sessions can you actually revoke quickly

988
00:33:59,640 –> 00:34:00,840
across the apps that matter?

989
00:34:00,840 –> 00:34:02,360
This is where leaders get leverage

990
00:34:02,360 –> 00:34:05,080
because CAE forces a clean separation

991
00:34:05,080 –> 00:34:07,040
between two types of work.

992
00:34:07,040 –> 00:34:10,120
First, the policy work deciding which events should trigger

993
00:34:10,120 –> 00:34:12,440
revocation and for which resources.

994
00:34:12,440 –> 00:34:15,560
Account disabled, password reset, risk level elevated,

995
00:34:15,560 –> 00:34:18,800
device non-compliant, role change, those are business decisions

996
00:34:18,800 –> 00:34:20,520
framed as security conditions.

997
00:34:20,520 –> 00:34:23,280
Second, the application work, ensuring critical apps

998
00:34:23,280 –> 00:34:26,000
honor revocation signals and that your user experience

999
00:34:26,000 –> 00:34:28,440
doesn’t collapse into constant reauthentication.

1000
00:34:28,440 –> 00:34:31,400
Now, the part nobody likes, exceptions.

1001
00:34:31,400 –> 00:34:34,280
CAE works exactly as well as your exception governance.

1002
00:34:34,280 –> 00:34:37,040
Every time someone says don’t enforce this for executives

1003
00:34:37,040 –> 00:34:39,320
or exclude this app because it breaks,

1004
00:34:39,320 –> 00:34:40,840
you’ve created a permanent bypass

1005
00:34:40,840 –> 00:34:43,800
around your revocation model and bypasses don’t stay rare.

1006
00:34:43,800 –> 00:34:44,720
They replicate.

1007
00:34:44,720 –> 00:34:47,440
This is where CAE exposes the program’s maturity.

1008
00:34:47,440 –> 00:34:49,080
If exception handling is informal,

1009
00:34:49,080 –> 00:34:51,480
CAE becomes another half-deployed capability.

1010
00:34:51,480 –> 00:34:53,280
If exception handling is governed,

1011
00:34:53,280 –> 00:34:55,560
expiration, justification, review cadence,

1012
00:34:55,560 –> 00:34:57,600
CAE becomes a control you can trust.

1013
00:34:57,600 –> 00:34:59,840
There’s also a dependency most people miss.

1014
00:34:59,840 –> 00:35:03,280
CAE pushes you toward cleaner identity architecture.

1015
00:35:03,280 –> 00:35:05,000
If your environment still relies heavily

1016
00:35:05,000 –> 00:35:06,640
on legacy authentication patterns

1017
00:35:06,640 –> 00:35:08,600
or your application estate treats tokens

1018
00:35:08,600 –> 00:35:11,200
as long-lived entitlements, then CAE becomes

1019
00:35:11,200 –> 00:35:14,120
a compatibility argument instead of a security capability.

1020
00:35:14,120 –> 00:35:15,480
That’s not a reason to avoid it.

1021
00:35:15,480 –> 00:35:17,680
That’s a reason to treat application modernization

1022
00:35:17,680 –> 00:35:19,000
as part of security resilience

1023
00:35:19,000 –> 00:35:21,320
because the business depends on revocation speed.

1024
00:35:21,320 –> 00:35:23,760
A concrete scenario makes this obvious.

1025
00:35:23,760 –> 00:35:25,880
An employee’s account gets flagged as high risk

1026
00:35:25,880 –> 00:35:27,640
after anomalous activity.

1027
00:35:27,640 –> 00:35:29,200
In the old model, the security team

1028
00:35:29,200 –> 00:35:30,200
disables the account,

1029
00:35:30,200 –> 00:35:32,000
but the attacker’s token remains valid

1030
00:35:32,000 –> 00:35:34,000
in a browser session connected to SharePoint

1031
00:35:34,000 –> 00:35:35,600
or another SaaS service.

1032
00:35:35,600 –> 00:35:37,240
The attacker continues downloading data

1033
00:35:37,240 –> 00:35:38,520
until the session expires.

1034
00:35:38,520 –> 00:35:40,880
The organization responded, but impact continued.

1035
00:35:40,880 –> 00:35:42,520
With CAE, disabling the account

1036
00:35:42,520 –> 00:35:44,280
or changing the risk state can trigger

1037
00:35:44,280 –> 00:35:45,880
a near real-time re-evaluation.

1038
00:35:45,880 –> 00:35:47,840
The app receives the revocation signal.

1039
00:35:47,840 –> 00:35:49,880
The session is forced to re-authenticate

1040
00:35:49,880 –> 00:35:51,640
and the attacker’s runway collapses.

1041
00:35:51,640 –> 00:35:53,760
The cost of compromise becomes bounded,

1042
00:35:53,760 –> 00:35:55,800
not because the attacker failed to get in,

1043
00:35:55,800 –> 00:35:57,040
but because they couldn’t stay.

1044
00:35:57,040 –> 00:35:58,320
That is lived zero trust.

1045
00:35:58,320 –> 00:35:59,560
Not a poster, not a slide,

1046
00:35:59,560 –> 00:36:02,040
a system that revokes trust inside the session.

1047
00:36:02,040 –> 00:36:03,640
And CAE has a second order benefit

1048
00:36:03,640 –> 00:36:04,960
that leaders tend to miss.

1049
00:36:04,960 –> 00:36:07,320
It reduces the need for blanket shutdowns.

1050
00:36:07,320 –> 00:36:09,200
When you can revoke precisely

1051
00:36:09,200 –> 00:36:11,480
this identity, these sessions, these apps,

1052
00:36:11,480 –> 00:36:13,520
you stop reaching for the blunt instrument

1053
00:36:13,520 –> 00:36:16,920
of turn-off access for everyone until we figure it out.

1054
00:36:16,920 –> 00:36:20,120
Precision is how you preserve continuity while you contain.

1055
00:36:20,120 –> 00:36:22,320
That is resilience measured in business uptime,

1056
00:36:22,320 –> 00:36:23,760
not in policy documents.

1057
00:36:23,760 –> 00:36:26,800
So CAE is not a feature you enable to feel modern.

1058
00:36:26,800 –> 00:36:28,800
It is a forcing function that makes you prove

1059
00:36:28,800 –> 00:36:30,560
your trust model is enforceable.

1060
00:36:30,560 –> 00:36:32,880
Your app estate is compatible with revocation

1061
00:36:32,880 –> 00:36:34,760
and your exception culture is governed.

1062
00:36:34,760 –> 00:36:36,480
If you can’t revoke trust quickly,

1063
00:36:36,480 –> 00:36:37,760
you don’t have zero trust.

1064
00:36:37,760 –> 00:36:39,880
You have conditional chaos with nicer branding.

1065
00:36:39,880 –> 00:36:42,520
Why adding controls often slows the business.

1066
00:36:42,520 –> 00:36:45,000
Now here’s the part leaders feel in their bones.

1067
00:36:45,000 –> 00:36:47,840
Every time security improves, the business feels slower,

1068
00:36:47,840 –> 00:36:50,320
more prompts, more tickets, more waiting,

1069
00:36:50,320 –> 00:36:52,720
more people saying, “I can’t do my job.”

1070
00:36:52,720 –> 00:36:54,360
And then the predictable conclusion,

1071
00:36:54,360 –> 00:36:56,520
security is the department of no.

1072
00:36:56,520 –> 00:36:58,520
That conclusion is convenient, it’s also wrong.

1073
00:36:58,520 –> 00:37:00,920
The system is doing exactly what it was designed to do.

1074
00:37:00,920 –> 00:37:04,000
Most organizations add controls the way they add speed bumps,

1075
00:37:04,000 –> 00:37:07,040
reactively, locally, and without redesigning the road.

1076
00:37:07,040 –> 00:37:09,480
A phishing incident happens, so MFA prompts increase.

1077
00:37:09,480 –> 00:37:12,040
A data leak happens, so downloads get blocked.

1078
00:37:12,040 –> 00:37:13,440
An audit finding appears,

1079
00:37:13,440 –> 00:37:15,720
so an approval step gets inserted.

1080
00:37:15,720 –> 00:37:17,080
None of these are irrational.

1081
00:37:17,080 –> 00:37:19,760
But stacked together, they create a security program

1082
00:37:19,760 –> 00:37:21,200
that behaves like a queue.

1083
00:37:21,200 –> 00:37:23,040
Queues create latency.

1084
00:37:23,040 –> 00:37:25,440
Latency creates workarounds.

1085
00:37:25,440 –> 00:37:27,440
This is where the real failure happens.

1086
00:37:27,440 –> 00:37:29,840
The business doesn’t break security because it’s malicious.

1087
00:37:29,840 –> 00:37:32,160
It routes around security because security behaves

1088
00:37:32,160 –> 00:37:34,400
like an obstacle course bolted onto workflows

1089
00:37:34,400 –> 00:37:35,560
that were never redesigned.

1090
00:37:35,560 –> 00:37:37,720
People will always optimize for outcomes.

1091
00:37:37,720 –> 00:37:39,040
If the system blocks outcomes,

1092
00:37:39,040 –> 00:37:40,960
people will find alternate pathways.

1093
00:37:40,960 –> 00:37:43,280
And the alternate pathways are never the safe ones.

1094
00:37:43,280 –> 00:37:45,920
This is also why security teams are stuck in a losing pattern.

1095
00:37:45,920 –> 00:37:48,040
They add a control, the business adapts,

1096
00:37:48,040 –> 00:37:51,080
exceptions multiply, the control loses force.

1097
00:37:51,080 –> 00:37:54,080
The dashboard stays green because the control exists.

1098
00:37:54,080 –> 00:37:57,320
But the organization is now operating on a shadow model.

1099
00:37:57,320 –> 00:38:00,240
What the policies say versus what people actually do

1100
00:38:00,240 –> 00:38:02,240
to get work done. That distinction matters

1101
00:38:02,240 –> 00:38:03,960
because leadership often measures security

1102
00:38:03,960 –> 00:38:05,160
by visible friction.

1103
00:38:05,160 –> 00:38:07,040
Look, we’re blocking risky behavior.

1104
00:38:07,040 –> 00:38:08,720
Meanwhile, the most dangerous behaviors

1105
00:38:08,720 –> 00:38:10,400
are now happening invisibly.

1106
00:38:10,400 –> 00:38:13,120
Shared admin access because approvals are too slow,

1107
00:38:13,120 –> 00:38:15,680
unsanctioned SaaS because procurement takes months,

1108
00:38:15,680 –> 00:38:18,880
personal devices because corporate enrollment is painful,

1109
00:38:18,880 –> 00:38:21,640
or OAuth app consent because it’s faster

1110
00:38:21,640 –> 00:38:23,560
than requesting integration support.

1111
00:38:23,560 –> 00:38:25,320
Security didn’t prevent risk.

1112
00:38:25,320 –> 00:38:26,480
It displaced it.

1113
00:38:26,480 –> 00:38:28,600
This is what happens when controls aren’t embedded

1114
00:38:28,600 –> 00:38:29,720
in the way work is done.

1115
00:38:29,720 –> 00:38:31,160
They become after the fact checkpoints

1116
00:38:31,160 –> 00:38:34,040
and checkpoints create backlogs, backlogs create pressure.

1117
00:38:34,040 –> 00:38:35,240
Pressure creates bypass.

1118
00:38:35,240 –> 00:38:37,440
Over time, you don’t get higher security.

1119
00:38:37,440 –> 00:38:40,480
You get conditional compliance, people comply when it’s easy

1120
00:38:40,480 –> 00:38:41,840
and evade when it’s hard.

1121
00:38:41,840 –> 00:38:43,440
This is also why just add more approvals

1122
00:38:43,440 –> 00:38:45,040
is such a dangerous reflex.

1123
00:38:45,040 –> 00:38:46,840
Approvals feel like governance, but approvals

1124
00:38:46,840 –> 00:38:47,880
are just decision gates.

1125
00:38:47,880 –> 00:38:50,840
If those gates are slow, inconsistent, or unclear,

1126
00:38:50,840 –> 00:38:53,600
you’ve traded technical risk for operational risk.

1127
00:38:53,600 –> 00:38:55,560
Now the business can’t execute quickly

1128
00:38:55,560 –> 00:38:57,360
and when the business can’t execute quickly,

1129
00:38:57,360 –> 00:38:59,840
the business creates its own execution layer.

1130
00:38:59,840 –> 00:39:02,000
That is shadow IT, and it is not a moral problem.

1131
00:39:02,000 –> 00:39:03,200
It is a systems outcome.

1132
00:39:03,200 –> 00:39:04,440
So why does this keep happening?

1133
00:39:04,440 –> 00:39:07,240
Because controls are being deployed as independent artifacts

1134
00:39:07,240 –> 00:39:09,200
instead of as parts of a trust system.

1135
00:39:09,200 –> 00:39:11,560
Each control is optimized for its own purpose.

1136
00:39:11,560 –> 00:39:13,520
The combined effect is rarely modeled.

1137
00:39:13,520 –> 00:39:15,640
Nobody asks the core question,

1138
00:39:15,640 –> 00:39:18,080
what decision latency are we introducing

1139
00:39:18,080 –> 00:39:20,800
and what behaviors will that latency incentivize?

1140
00:39:20,800 –> 00:39:23,480
Security teams also get trapped by the wrong success metric.

1141
00:39:23,480 –> 00:39:26,440
If success is reduced incidents, teams will add friction.

1142
00:39:26,440 –> 00:39:27,960
Friction reduces some incidents,

1143
00:39:27,960 –> 00:39:30,160
but friction also creates bypass and resentment

1144
00:39:30,160 –> 00:39:31,920
which creates new incidents later.

1145
00:39:31,920 –> 00:39:34,600
It’s the same pattern as poorly designed compliance.

1146
00:39:34,600 –> 00:39:37,080
It produces paperwork, not capability.

1147
00:39:37,080 –> 00:39:38,760
The better metric is still MTTR

1148
00:39:38,760 –> 00:39:40,360
because when you measure MTTR,

1149
00:39:40,360 –> 00:39:42,080
you get forced to remove friction

1150
00:39:42,080 –> 00:39:43,560
that doesn’t produce containment.

1151
00:39:43,560 –> 00:39:46,440
You start asking which steps are genuinely necessary

1152
00:39:46,440 –> 00:39:49,840
and which steps exist because we don’t trust our own systems.

1153
00:39:49,840 –> 00:39:51,200
Which checks can be automated

1154
00:39:51,200 –> 00:39:52,360
and which require humans

1155
00:39:52,360 –> 00:39:54,440
because the decision is truly business sensitive.

1156
00:39:54,440 –> 00:39:56,200
That’s where automation matters, not as a gadget

1157
00:39:56,200 –> 00:39:58,400
but as a way to restore human decision time.

1158
00:39:58,400 –> 00:40:00,600
Automation doesn’t eliminate accountability.

1159
00:40:00,600 –> 00:40:02,520
It collapses the boring latency,

1160
00:40:02,520 –> 00:40:06,000
enrichment, correlation, ticket creation, routing

1161
00:40:06,000 –> 00:40:07,760
and reversible containment actions

1162
00:40:07,760 –> 00:40:10,280
that should not require a human to copy paste data

1163
00:40:10,280 –> 00:40:12,320
across tools at 2AM.

1164
00:40:12,320 –> 00:40:14,920
The human should be deciding intent and impact.

1165
00:40:14,920 –> 00:40:17,640
The system should be executing repeatable mechanics

1166
00:40:17,640 –> 00:40:19,480
and the reason leaders should care is simple.

1167
00:40:19,480 –> 00:40:22,880
When you make security slow, you make the business unsafe.

1168
00:40:22,880 –> 00:40:24,360
Not because users are careless

1169
00:40:24,360 –> 00:40:27,600
because the system taught them that speed requires evasion.

1170
00:40:27,600 –> 00:40:29,600
So the problem is not too many controls.

1171
00:40:29,600 –> 00:40:32,400
The problem is controls added without redesigning workflows

1172
00:40:32,400 –> 00:40:33,800
into safe autonomy.

1173
00:40:33,800 –> 00:40:35,760
Controls that don’t create safe autonomy

1174
00:40:35,760 –> 00:40:37,720
will always be experienced as friction

1175
00:40:37,720 –> 00:40:38,840
and friction is not neutral.

1176
00:40:38,840 –> 00:40:40,280
It is an entropy generator.

1177
00:40:40,280 –> 00:40:41,600
If you want speed and security,

1178
00:40:41,600 –> 00:40:43,280
you don’t negotiate with human nature.

1179
00:40:43,280 –> 00:40:44,480
You redesign the system

1180
00:40:44,480 –> 00:40:47,040
so the safe path is the fast path.

1181
00:40:47,040 –> 00:40:49,040
Human behavior is not the weak link.

1182
00:40:49,040 –> 00:40:52,160
Design is. Human behavior isn’t the weak link.

1183
00:40:52,160 –> 00:40:52,920
That’s the story

1184
00:40:52,920 –> 00:40:55,240
security tells itself when it can’t admit the system

1185
00:40:55,240 –> 00:40:57,960
is poorly designed. People don’t wake up wanting to create risk.

1186
00:40:57,960 –> 00:40:59,680
They wake up wanting to finish work,

1187
00:40:59,680 –> 00:41:02,240
ship the release, close the quarter, onboard the partner,

1188
00:41:02,240 –> 00:41:04,800
respond to the customer, unblock the executive.

1189
00:41:04,800 –> 00:41:06,160
When security makes that harder,

1190
00:41:06,160 –> 00:41:07,800
people don’t ignore policy.

1191
00:41:07,800 –> 00:41:08,960
They optimize around it.

1192
00:41:08,960 –> 00:41:09,880
That’s not negligence.

1193
00:41:09,880 –> 00:41:12,600
That’s predictable behavior inside a constrained system.

1194
00:41:12,600 –> 00:41:15,040
This is why blaming users is such a comfortable mistake.

1195
00:41:15,040 –> 00:41:17,400
It turns a design failure into a training problem.

1196
00:41:17,400 –> 00:41:20,160
It converts architecture into morality.

1197
00:41:20,160 –> 00:41:22,120
And it lets leadership believe the solution

1198
00:41:22,120 –> 00:41:23,520
is another awareness module

1199
00:41:23,520 –> 00:41:25,720
instead of fixing the way access, workflow

1200
00:41:25,720 –> 00:41:27,320
and response actually function.

1201
00:41:27,320 –> 00:41:30,040
The system creates the behavior, always.

1202
00:41:30,040 –> 00:41:32,800
If privileged access elevation takes two days,

1203
00:41:32,800 –> 00:41:35,000
people will find a standing admin account.

1204
00:41:35,000 –> 00:41:36,720
If app onboarding takes six weeks,

1205
00:41:36,720 –> 00:41:39,640
teams will use personal tokens and unsanctioned SaaS.

1206
00:41:39,640 –> 00:41:41,880
If approvals require three different managers,

1207
00:41:41,880 –> 00:41:44,280
someone will share credentials temporarily

1208
00:41:44,280 –> 00:41:45,960
and temporary will become permanent

1209
00:41:45,960 –> 00:41:48,560
because the business still needs to operate tomorrow.

1210
00:41:48,560 –> 00:41:50,760
Your policies don’t fail because people are bad.

1211
00:41:50,760 –> 00:41:52,640
They fail because the path of least resistance

1212
00:41:52,640 –> 00:41:53,760
is the unsafe path.

1213
00:41:53,760 –> 00:41:57,000
This is where workarounds stop being a human failure

1214
00:41:57,000 –> 00:41:58,680
and start being system telemetry.

1215
00:41:58,680 –> 00:41:59,840
A workaround is a signal

1216
00:41:59,840 –> 00:42:02,200
that the intended workflow doesn’t match reality.

1217
00:42:02,200 –> 00:42:03,760
It’s evidence that the control plane

1218
00:42:03,760 –> 00:42:06,280
isn’t aligned with how work actually happens.

1219
00:42:06,280 –> 00:42:09,280
And when security treats workarounds as insubordination,

1220
00:42:09,280 –> 00:42:10,880
it guarantees two outcomes.

1221
00:42:10,880 –> 00:42:12,160
Workarounds go underground

1222
00:42:12,160 –> 00:42:13,960
and the organization loses visibility

1223
00:42:13,960 –> 00:42:15,800
into its true operating model.

1224
00:42:15,800 –> 00:42:18,000
Silent non-compliance is the default state

1225
00:42:18,000 –> 00:42:19,720
of mature bureaucracies.

1226
00:42:19,720 –> 00:42:21,800
The policy exists, the dashboard is green,

1227
00:42:21,800 –> 00:42:24,080
the audit passes, the behavior diverges anyway

1228
00:42:24,080 –> 00:42:25,800
because the system rewards throughput

1229
00:42:25,800 –> 00:42:27,360
more than it rewards adherence.

1230
00:42:27,360 –> 00:42:29,760
Meanwhile, the organization tells itself a story.

1231
00:42:29,760 –> 00:42:31,640
We’re secure because we have controls.

1232
00:42:31,640 –> 00:42:33,040
The attacker enjoys that story.

1233
00:42:33,040 –> 00:42:35,760
This is also why security fatigue is not a user problem.

1234
00:42:35,760 –> 00:42:36,720
It’s a design problem.

1235
00:42:36,720 –> 00:42:38,240
If MFA prompts are constant,

1236
00:42:38,240 –> 00:42:40,440
users learn to approve without reading.

1237
00:42:40,440 –> 00:42:42,200
If warning banners appear on every email,

1238
00:42:42,200 –> 00:42:43,600
people stop seeing them.

1239
00:42:43,600 –> 00:42:45,680
If every request is treated like a crisis,

1240
00:42:45,680 –> 00:42:46,920
the workforce becomes numb.

1241
00:42:46,920 –> 00:42:48,360
The control becomes noise.

1242
00:42:48,360 –> 00:42:50,880
And noise is not protection, it’s a tax.

1243
00:42:50,880 –> 00:42:53,200
A well-designed system doesn’t require heroic attention.

1244
00:42:53,200 –> 00:42:55,840
It assumes attention is scarce and builds guardrails

1245
00:42:55,840 –> 00:42:58,640
that work even when people are tired, rushed or distracted.

1246
00:42:58,640 –> 00:43:01,360
That’s not cynical, that’s operational realism.

1247
00:43:01,360 –> 00:43:03,720
So when organizations say people are the weakest link,

1248
00:43:03,720 –> 00:43:05,320
they’re usually describing a mismatch

1249
00:43:05,320 –> 00:43:07,920
between two speeds, the speed of business

1250
00:43:07,920 –> 00:43:09,440
and the speed of security.

1251
00:43:09,440 –> 00:43:11,400
Security responds by slowing the business

1252
00:43:11,400 –> 00:43:13,600
and the business responds by routing around security.

1253
00:43:13,600 –> 00:43:14,440
That is the loop.

1254
00:43:14,440 –> 00:43:16,440
It repeats until either leadership intervenes

1255
00:43:16,440 –> 00:43:17,720
or the attacker does.

1256
00:43:17,720 –> 00:43:19,520
And AI makes the mismatch sharper.

1257
00:43:19,520 –> 00:43:21,040
AI accelerates work.

1258
00:43:21,040 –> 00:43:23,800
Drafting, coding, summarizing, automating, integrating,

1259
00:43:23,800 –> 00:43:26,440
the organization’s appetite for speed increases.

1260
00:43:26,440 –> 00:43:29,000
If security remains a manual gate, tickets, approvals,

1261
00:43:29,000 –> 00:43:32,000
reviews done quarterly, then security becomes the bottleneck

1262
00:43:32,000 –> 00:43:33,400
that the business will circumvent,

1263
00:43:33,400 –> 00:43:35,040
not because it wants to, because it has to.

1264
00:43:35,040 –> 00:43:37,480
This is why secure by design is not a slogan.

1265
00:43:37,480 –> 00:43:39,400
It’s a requirement for maintaining control

1266
00:43:39,400 –> 00:43:41,400
when the system’s throughput doubles.

1267
00:43:41,400 –> 00:43:44,160
Design is how you scale trust without scaling friction.

1268
00:43:44,160 –> 00:43:47,360
Design means the safest path is also the fastest path.

1269
00:43:47,360 –> 00:43:49,520
Users shouldn’t need to choose between compliance

1270
00:43:49,520 –> 00:43:50,600
and productivity.

1271
00:43:50,600 –> 00:43:52,360
If they do, they will choose productivity

1272
00:43:52,360 –> 00:43:54,960
because that’s what the organization actually rewards.

1273
00:43:54,960 –> 00:43:57,120
So what does design look like in this context?

1274
00:43:57,120 –> 00:43:58,920
It looks like making identity governance

1275
00:43:58,920 –> 00:44:01,640
and privileged access not only strict but usable.

1276
00:44:01,640 –> 00:44:03,200
It looks like time-bound access

1277
00:44:03,200 –> 00:44:05,280
that can be requested and approved quickly

1278
00:44:05,280 –> 00:44:06,920
with clear accountability.

1279
00:44:06,920 –> 00:44:09,360
It looks like conditional access policies

1280
00:44:09,360 –> 00:44:11,000
that are consistent and predictable,

1281
00:44:11,000 –> 00:44:12,600
not a maze of exceptions.

1282
00:44:12,600 –> 00:44:14,480
It looks like continuous session revocation,

1283
00:44:14,480 –> 00:44:16,880
so compromised access doesn’t linger.

1284
00:44:16,880 –> 00:44:18,320
It looks like response workflows

1285
00:44:18,320 –> 00:44:20,040
that trigger actions automatically.

1286
00:44:20,040 –> 00:44:21,920
So humans spend time deciding impact,

1287
00:44:21,920 –> 00:44:23,920
not moving data between portals.

1288
00:44:23,920 –> 00:44:26,600
And it looks like explicitly designing for failure,

1289
00:44:26,600 –> 00:44:28,720
assume compromise, reduce blast radius

1290
00:44:28,720 –> 00:44:30,160
and make containment normal.

1291
00:44:30,160 –> 00:44:32,680
If those properties exist, humans don’t need to be perfect.

1292
00:44:32,680 –> 00:44:34,840
The system catches them, the system constrains them,

1293
00:44:34,840 –> 00:44:37,240
the system corrects quickly when reality changes.

1294
00:44:37,240 –> 00:44:39,720
If those properties don’t exist, humans are asked

1295
00:44:39,720 –> 00:44:41,480
to compensate for architectural gaps

1296
00:44:41,480 –> 00:44:42,800
with attention and discipline.

1297
00:44:42,800 –> 00:44:43,800
That is not a strategy.

1298
00:44:43,800 –> 00:44:44,800
That is a fragile wish.

1299
00:44:44,800 –> 00:44:46,640
So stop saying the user is the problem.

1300
00:44:46,640 –> 00:44:48,040
The user is the environment

1301
00:44:48,040 –> 00:44:51,840
and your environment behaves exactly as you designed it to behave.

1302
00:44:51,840 –> 00:44:52,960
Safe autonomy.

1303
00:44:52,960 –> 00:44:55,320
The real objective of modern security.

1304
00:44:55,320 –> 00:44:57,880
Safe autonomy is the objective leaders actually want

1305
00:44:57,880 –> 00:44:59,400
even if they keep funding the opposite.

1306
00:44:59,400 –> 00:45:00,760
They want teams to move fast

1307
00:45:00,760 –> 00:45:02,720
without creating new existential risks.

1308
00:45:02,720 –> 00:45:05,040
They want developers shipping, finance approving,

1309
00:45:05,040 –> 00:45:06,760
sales sharing and operations running

1310
00:45:06,760 –> 00:45:09,080
without every meaningful action turning into a security

1311
00:45:09,080 –> 00:45:11,080
exception or a SOC incident.

1312
00:45:11,080 –> 00:45:13,400
And they want that speed to be reliable,

1313
00:45:13,400 –> 00:45:16,320
not dependent on which senior engineer happens to be awake.

1314
00:45:16,320 –> 00:45:18,640
Security that cannot produce safe autonomy

1315
00:45:18,640 –> 00:45:20,160
becomes a brake you never tuned.

1316
00:45:20,160 –> 00:45:22,720
It still slows the car, but it doesn’t prevent the crash.

1317
00:45:22,720 –> 00:45:25,240
It just makes everyone angry on the way there.

1318
00:45:25,240 –> 00:45:26,640
So define it cleanly.

1319
00:45:26,640 –> 00:45:29,160
Autonomy means people and systems can act

1320
00:45:29,160 –> 00:45:31,920
without waiting for a central authority on every decision.

1321
00:45:31,920 –> 00:45:33,880
It means access is available when needed.

1322
00:45:33,880 –> 00:45:35,440
It means change is possible.

1323
00:45:35,440 –> 00:45:37,240
It means the organization can execute.

1324
00:45:37,240 –> 00:45:40,440
But autonomy without guardrails is just distributed risk creation.

1325
00:45:40,440 –> 00:45:42,920
Safe autonomy is autonomy with constraints

1326
00:45:42,920 –> 00:45:45,760
that are dynamic, enforceable and fast.

1327
00:45:45,760 –> 00:45:48,160
Dynamic means the control plane uses context,

1328
00:45:48,160 –> 00:45:49,640
not static assumptions.

1329
00:45:49,640 –> 00:45:53,320
Identity and device posture, risk signals, session state,

1330
00:45:53,320 –> 00:45:56,360
resource sensitivity, those inputs shape the decision

1331
00:45:56,360 –> 00:45:57,200
continuously.

1332
00:45:57,200 –> 00:45:59,280
If the context changes, the decision changes.

1333
00:45:59,280 –> 00:46:00,120
That’s not a feature.

1334
00:46:00,120 –> 00:46:02,160
That’s the only model that survives modern SaaS

1335
00:46:02,160 –> 00:46:03,560
and AI accelerated work.

1336
00:46:03,560 –> 00:46:06,400
Enforceable means the decision isn’t just policy text.

1337
00:46:06,400 –> 00:46:08,600
It is honored by the systems people actually use.

1338
00:46:08,600 –> 00:46:10,600
If a privileged role requires elevation,

1339
00:46:10,600 –> 00:46:13,120
the elevation path has to exist and work.

1340
00:46:13,120 –> 00:46:15,520
If a session is revoked, the app has to comply.

1341
00:46:15,520 –> 00:46:17,720
If an access package expires, the access

1342
00:46:17,720 –> 00:46:19,560
must disappear without negotiation.

1343
00:46:19,560 –> 00:46:20,960
Otherwise, you don’t have governance.

1344
00:46:20,960 –> 00:46:22,800
You have aspiration.

1345
00:46:22,800 –> 00:46:25,600
Fast means the safe path is the easy path.

1346
00:46:25,600 –> 00:46:27,800
This is the mistake security keeps making.

1347
00:46:27,800 –> 00:46:30,320
It builds a safe path that is correct but slow.

1348
00:46:30,320 –> 00:46:32,920
Then it acts surprised when the business routes around it.

1349
00:46:32,920 –> 00:46:35,240
If you want safe autonomy, your control mechanisms

1350
00:46:35,240 –> 00:46:36,960
must operate at business speed.

1351
00:46:36,960 –> 00:46:39,680
Access requests must be fulfillable without weeks of tickets.

1352
00:46:39,680 –> 00:46:42,280
Privilege elevation must be minutes, not days.

1353
00:46:42,280 –> 00:46:46,160
Revocation must be near real time, not when the token times out.

1354
00:46:46,160 –> 00:46:48,280
Response must be orchestrated, not tribal.

1355
00:46:48,280 –> 00:46:50,360
This is also where least privilege stops

1356
00:46:50,360 –> 00:46:53,280
being a purity test and becomes a design pattern.

1357
00:46:53,280 –> 00:46:55,040
Least privilege in a safe autonomy model

1358
00:46:55,040 –> 00:46:57,560
is not, you get less access forever.

1359
00:46:57,560 –> 00:47:00,560
It’s, you get exactly what you need, exactly when you need it,

1360
00:47:00,560 –> 00:47:02,520
and it disappears when you don’t.

1361
00:47:02,520 –> 00:47:05,240
Time is the missing dimension in most access models.

1362
00:47:05,240 –> 00:47:07,320
Add time and the whole system becomes easier

1363
00:47:07,320 –> 00:47:09,280
to secure without slowing work.

1364
00:47:09,280 –> 00:47:11,120
Remove time and privileges accumulate

1365
00:47:11,120 –> 00:47:13,600
until your environment is permanently overauthorized.

1366
00:47:13,600 –> 00:47:15,600
And autonomy doesn’t just apply to humans.

1367
00:47:15,600 –> 00:47:17,960
Workloads, connectors, service principals

1368
00:47:17,960 –> 00:47:21,560
and increasingly AI agents are acting on behalf of the business.

1369
00:47:21,560 –> 00:47:23,280
If those identities aren’t governed,

1370
00:47:23,280 –> 00:47:26,560
scoped permissions, explicit ownership, rotation, and monitoring,

1371
00:47:26,560 –> 00:47:27,840
you don’t have autonomy.

1372
00:47:27,840 –> 00:47:29,280
You have unattended authority.

1373
00:47:29,280 –> 00:47:31,200
That is the fastest way to create a breach

1374
00:47:31,200 –> 00:47:33,720
with no obvious user mistake to blame.

1375
00:47:33,720 –> 00:47:36,120
So safe autonomy requires two loops

1376
00:47:36,120 –> 00:47:38,320
to be built into the platform experience.

1377
00:47:38,320 –> 00:47:41,640
Loop one is the trust loop signals to decision to enforcement

1378
00:47:41,640 –> 00:47:43,080
continuously.

1379
00:47:43,080 –> 00:47:45,080
This is where Entra governance, conditional access,

1380
00:47:45,080 –> 00:47:46,440
and CAE live.

1381
00:47:46,440 –> 00:47:48,240
It’s where trust is earned, constrained,

1382
00:47:48,240 –> 00:47:49,760
and revoked without drama.

1383
00:47:49,760 –> 00:47:53,280
Loop two is the response loop, detection to action to recovery.

1384
00:47:53,280 –> 00:47:56,040
Because safe autonomy doesn’t mean nothing goes wrong.

1385
00:47:56,040 –> 00:47:57,280
It means when something goes wrong,

1386
00:47:57,280 –> 00:47:58,800
the system contains it fast enough

1387
00:47:58,800 –> 00:48:00,320
that the business can keep moving.

1388
00:48:00,320 –> 00:48:01,840
This is the part leaders often miss.

1389
00:48:01,840 –> 00:48:04,720
Autonomy increases the number of actions taken without oversight,

1390
00:48:04,720 –> 00:48:06,640
so the system must be able to correct quickly

1391
00:48:06,640 –> 00:48:08,840
when an action turns out to be risky.

1392
00:48:08,840 –> 00:48:11,560
The faster you can revoke, isolate, and remediate,

1393
00:48:11,560 –> 00:48:13,840
the more autonomy you can safely allow.

1394
00:48:13,840 –> 00:48:15,480
That’s the trade.

1395
00:48:15,480 –> 00:48:16,960
If your response loop is slow,

1396
00:48:16,960 –> 00:48:19,480
you will inevitably compensate by reducing autonomy,

1397
00:48:19,480 –> 00:48:23,000
more approvals, more gates, more centralized control.

1398
00:48:23,000 –> 00:48:24,400
Not because it’s philosophically better,

1399
00:48:24,400 –> 00:48:26,440
but because it’s the only way to reduce blast radius

1400
00:48:26,440 –> 00:48:27,840
when you can’t contain quickly.

1401
00:48:27,840 –> 00:48:30,480
That is the real reason security slows the business.

1402
00:48:30,480 –> 00:48:32,360
It is compensating for weak revocation

1403
00:48:32,360 –> 00:48:34,320
and weak response with human friction.

1404
00:48:34,320 –> 00:48:36,040
Safe autonomy flips that equation.

1405
00:48:36,040 –> 00:48:38,880
It says, invest in control plane clarity and response speed,

1406
00:48:38,880 –> 00:48:40,960
so the organization can decentralize execution

1407
00:48:40,960 –> 00:48:42,280
without decentralizing risk.

1408
00:48:42,280 –> 00:48:43,640
And the executive level marker

1409
00:48:43,640 –> 00:48:45,800
that you’re building it correctly is simple,

1410
00:48:45,800 –> 00:48:48,840
fewer emergency exceptions, fewer escalations,

1411
00:48:48,840 –> 00:48:52,000
fewer security needs to approve this right now moments.

1412
00:48:52,000 –> 00:48:53,200
Not because you blocked more,

1413
00:48:53,200 –> 00:48:56,200
because you designed the trusted path to be the default path.

1414
00:48:56,200 –> 00:48:59,680
When safe autonomy exists, security stops being a queue.

1415
00:48:59,680 –> 00:49:02,120
It becomes an operating property of the business.

1416
00:49:02,120 –> 00:49:05,200
Detection without response is expensive telemetry.

1417
00:49:05,200 –> 00:49:07,640
Once you accept safe autonomy as the objective,

1418
00:49:07,640 –> 00:49:09,320
the next failure becomes obvious.

1419
00:49:09,320 –> 00:49:12,000
Most security programs are built like observatories.

1420
00:49:12,000 –> 00:49:13,840
They collect signals, they classify events,

1421
00:49:13,840 –> 00:49:16,080
they generate alerts, then they stop.

1422
00:49:16,080 –> 00:49:17,440
And then everyone acts surprised

1423
00:49:17,440 –> 00:49:19,880
when incidents still turn into business outages.

1424
00:49:19,880 –> 00:49:21,880
Detection by itself doesn’t reduce impact,

1425
00:49:21,880 –> 00:49:23,280
it documents impact.

1426
00:49:23,280 –> 00:49:24,320
That distinction matters

1427
00:49:24,320 –> 00:49:26,720
because dashboards are emotionally comforting.

1428
00:49:26,720 –> 00:49:28,800
A high severity alert feels like progress,

1429
00:49:28,800 –> 00:49:32,040
a unified incident view feels like control.

1430
00:49:32,040 –> 00:49:33,680
But none of it changes the outcome

1431
00:49:33,680 –> 00:49:36,560
if the organization can’t convert signal into action

1432
00:49:36,560 –> 00:49:37,760
fast enough to matter.

1433
00:49:37,760 –> 00:49:40,720
This is why so many well-secured organizations still fail.

1434
00:49:40,720 –> 00:49:42,360
Not because they lack detection,

1435
00:49:42,360 –> 00:49:45,160
because they lack decision speed and enforcement speed.

1436
00:49:45,160 –> 00:49:47,920
You can think of response as a pipeline with four stages.

1437
00:49:47,920 –> 00:49:50,600
Detect, decide, enforce, recover.

1438
00:49:50,600 –> 00:49:53,520
Most organizations over-invest in the first stage,

1439
00:49:53,520 –> 00:49:55,440
under-invest in the second and third

1440
00:49:55,440 –> 00:49:57,480
and treat the fourth as an annual exercise.

1441
00:49:57,480 –> 00:49:59,120
So the system behaves like a camera,

1442
00:49:59,120 –> 00:50:00,280
not like a control system.

1443
00:50:00,280 –> 00:50:02,080
A camera is valuable after the fact.

1444
00:50:02,080 –> 00:50:03,880
It tells you what happened, it can help you learn.

1445
00:50:03,880 –> 00:50:05,800
But it doesn’t stop the car from hitting the wall.

1446
00:50:05,800 –> 00:50:07,240
For that, you need brakes.

1447
00:50:07,240 –> 00:50:09,440
In security terms, you need orchestration.

1448
00:50:09,440 –> 00:50:12,280
Consistent, auditable actions that reduce blast radius quickly.

1449
00:50:12,280 –> 00:50:15,240
The core issue is that response is usually human middleware.

1450
00:50:15,240 –> 00:50:16,200
An alert fires.

1451
00:50:16,200 –> 00:50:17,160
It lands in a queue.

1452
00:50:17,160 –> 00:50:20,280
Someone triages it, they copy information from one portal to another,

1453
00:50:20,280 –> 00:50:22,440
they ask an app owner what the identity does.

1454
00:50:22,440 –> 00:50:24,480
They ask IT to isolate a device.

1455
00:50:24,480 –> 00:50:27,160
They ask identity administrators to disable an account.

1456
00:50:27,160 –> 00:50:29,360
They ask messaging teams to purge an email.

1457
00:50:29,360 –> 00:50:31,360
They ask someone else to reset credentials.

1458
00:50:31,360 –> 00:50:33,080
Each step is rational in isolation.

1459
00:50:33,080 –> 00:50:34,680
Collectively, it’s a latency engine.

1460
00:50:34,680 –> 00:50:36,400
And attackers exploit latency.

1461
00:50:36,400 –> 00:50:37,480
They don’t need to be brilliant.

1462
00:50:37,480 –> 00:50:38,520
They need you to be slow.

1463
00:50:38,520 –> 00:50:41,400
This is where leadership gets trapped in the wrong conversation.

1464
00:50:41,400 –> 00:50:43,360
They ask, do we have a SOC?

1465
00:50:43,360 –> 00:50:45,000
They ask, are we monitoring?

1466
00:50:45,000 –> 00:50:47,040
They ask, how many alerts did we close out?

1467
00:50:47,040 –> 00:50:48,320
Those are activity metrics.

1468
00:50:48,320 –> 00:50:50,680
They don’t tell you whether the organization can contain

1469
00:50:50,680 –> 00:50:52,840
an identity-driven incident in business time.

1470
00:50:52,840 –> 00:50:55,160
The question that matters is, how long does it take

1471
00:50:55,160 –> 00:50:57,720
from first signal to first meaningful containment?

1472
00:50:57,720 –> 00:51:00,600
Not to a ticket, not to a Slack thread, to containment.

1473
00:51:00,600 –> 00:51:03,880
Because that’s the moment you stop paying compounding interest on the breach.

1474
00:51:03,880 –> 00:51:07,160
Now, the uncomfortable part, detection without response is not neutral.

1475
00:51:07,160 –> 00:51:07,920
It’s expensive.

1476
00:51:07,920 –> 00:51:09,160
It consumes licensing.

1477
00:51:09,160 –> 00:51:10,240
It consumes storage.

1478
00:51:10,240 –> 00:51:11,720
It consumes analyst time.

1479
00:51:11,720 –> 00:51:13,560
It consumes executive attention.

1480
00:51:13,560 –> 00:51:15,520
And when it’s not connected to action,

1481
00:51:15,520 –> 00:51:17,800
it creates a worse outcome than ignorance.

1482
00:51:17,800 –> 00:51:22,400
Alert fatigue, where the organization learns to ignore its own warning systems.

1483
00:51:22,400 –> 00:51:24,840
Once that happens, you have telemetry theatre.

1484
00:51:24,840 –> 00:51:25,840
Lots of data.

1485
00:51:25,840 –> 00:51:27,120
Little control.

1486
00:51:27,120 –> 00:51:30,160
This is also why more sensors is a weak investment posture.

1487
00:51:30,160 –> 00:51:32,680
If you add more signals, without fixing the response loop,

1488
00:51:32,680 –> 00:51:33,600
you increase noise.

1489
00:51:33,600 –> 00:51:34,920
Noise reduces trust.

1490
00:51:34,920 –> 00:51:35,840
Reduced trust.

1491
00:51:35,840 –> 00:51:37,040
Slows decisions.

1492
00:51:37,040 –> 00:51:38,600
Slower decisions increase impact.

1493
00:51:38,600 –> 00:51:39,280
That’s the loop.

1494
00:51:39,280 –> 00:51:42,360
It’s the security equivalent of adding more gauges to a cockpit

1495
00:51:42,360 –> 00:51:44,880
while leaving the control surfaces unresponsive.

1496
00:51:44,880 –> 00:51:46,880
So what does a good response loop look like

1497
00:51:46,880 –> 00:51:48,720
without turning this into a tool demo?

1498
00:51:48,720 –> 00:51:52,320
It looks like the organization pre-defining a small set of reversible actions

1499
00:51:52,320 –> 00:51:55,360
that can happen fast with clear authority and clear logging.

1500
00:51:55,360 –> 00:51:58,320
If an identity exhibits a high confidence compromise signal,

1501
00:51:58,320 –> 00:52:02,120
the system can, revoke sessions, require reauthentication,

1502
00:52:02,120 –> 00:52:05,160
block risky sign-ins, disable the account,

1503
00:52:05,160 –> 00:52:08,240
remove standing privilege, quarantine a device,

1504
00:52:08,240 –> 00:52:11,360
suspend an OAuth app or route a case to the system owner

1505
00:52:11,360 –> 00:52:13,200
with context already attached.

1506
00:52:13,200 –> 00:52:14,640
Not all at once, not everywhere,

1507
00:52:14,640 –> 00:52:17,720
but as a designed set of bounded responses.

1508
00:52:17,720 –> 00:52:19,440
Bounded matters because leaders hear

1509
00:52:19,440 –> 00:52:21,440
automation and picture chaos.

1510
00:52:21,440 –> 00:52:23,440
Accidental lockouts, business disruption,

1511
00:52:23,440 –> 00:52:25,720
the wrong account disabled at the wrong time.

1512
00:52:25,720 –> 00:52:29,040
That fear is rational when automation is built as an improvisation.

1513
00:52:29,040 –> 00:52:32,160
It becomes less rational when automation is built as policy.

1514
00:52:32,160 –> 00:52:34,960
Explicit triggers, reversible actions, audit trails,

1515
00:52:34,960 –> 00:52:37,320
and human approval where the blast radius is large.

1516
00:52:37,320 –> 00:52:41,320
That is how you turn response speed into a capability instead of a gamble.

1517
00:52:41,320 –> 00:52:43,800
And this ties directly back to identity as the control plane.

1518
00:52:43,800 –> 00:52:46,840
If your fastest containment actions live in identity,

1519
00:52:46,840 –> 00:52:49,640
session revocation, privilege reduction, access blocks,

1520
00:52:49,640 –> 00:52:51,440
then response becomes feasible.

1521
00:52:51,440 –> 00:52:54,000
If your containment requires days of coordination

1522
00:52:54,000 –> 00:52:57,480
across disconnected teams, response becomes aspirational.

1523
00:52:57,480 –> 00:52:58,880
So the takeaway is blunt.

1524
00:52:58,880 –> 00:53:00,960
You don’t buy resilience with telemetry.

1525
00:53:00,960 –> 00:53:03,560
You buy resilience by funding the conversion layer

1526
00:53:03,560 –> 00:53:05,000
between signal and action.

1527
00:53:05,000 –> 00:53:06,800
And that conversion layer is not glamorous.

1528
00:53:06,800 –> 00:53:09,200
It’s workflow, it’s ownership, it’s automation,

1529
00:53:09,200 –> 00:53:10,680
it’s rehearsed authority.

1530
00:53:10,680 –> 00:53:12,960
Without it, you don’t have a resilience program.

1531
00:53:12,960 –> 00:53:15,280
You have a very expensive record of how you lost.

1532
00:53:15,280 –> 00:53:18,760
Scenario 2, Microsoft Defender, ServiceNow Automation.

1533
00:53:18,760 –> 00:53:22,880
If identity is the control plane, and CAE is the revocation muscle,

1534
00:53:22,880 –> 00:53:25,640
then this scenario is the nervous system connection.

1535
00:53:25,640 –> 00:53:27,960
How signals become coordinated action

1536
00:53:27,960 –> 00:53:31,520
without turning your SOC into a human API.

1537
00:53:31,520 –> 00:53:34,640
Microsoft Defender gives you signals, ServiceNow gives you execution.

1538
00:53:34,640 –> 00:53:37,400
Most organizations own both categories of tooling,

1539
00:53:37,400 –> 00:53:39,240
but treat them like separate religions.

1540
00:53:39,240 –> 00:53:42,360
Security detects, IT operates, and the business waits.

1541
00:53:42,360 –> 00:53:44,280
That separation is where MTR is born.

1542
00:53:44,280 –> 00:53:46,080
Defender is already doing aggregation

1543
00:53:46,080 –> 00:53:49,440
across endpoint, identity, email, SaaS, and cloud activity.

1544
00:53:49,440 –> 00:53:53,120
It can correlate activity that looks unrelated in isolation,

1545
00:53:53,120 –> 00:53:56,000
a risky sign-in, a suspicious mailbox rule,

1546
00:53:56,000 –> 00:53:57,960
an endpoint alert, an OAuth app consent,

1547
00:53:57,960 –> 00:53:59,800
a new admin role activation.

1548
00:53:59,800 –> 00:54:02,000
The value isn’t that any single alert exists.

1549
00:54:02,000 –> 00:54:04,640
The value is that the platform can form an incident story

1550
00:54:04,640 –> 00:54:07,320
without asking an analyst to manually stitch it together.

1551
00:54:07,320 –> 00:54:09,160
But correlation doesn’t contain anything.

1552
00:54:09,160 –> 00:54:10,840
Containment happens when the organization

1553
00:54:10,840 –> 00:54:14,280
executes a bounded set of actions fast with clear authority

1554
00:54:14,280 –> 00:54:17,840
and with an audit trail that survives the post-incident review.

1555
00:54:17,840 –> 00:54:20,640
That’s where ServiceNow becomes useful, not as a ticket factory,

1556
00:54:20,640 –> 00:54:23,800
as the system of action that codifies decisions, approvals,

1557
00:54:23,800 –> 00:54:25,840
handoffs, and remediation steps

1558
00:54:25,840 –> 00:54:27,520
in a way that is repeatable under stress.

1559
00:54:27,520 –> 00:54:30,400
The simple version is Defender detects and enriches.

1560
00:54:30,400 –> 00:54:31,440
ServiceNow routes and governs.

1561
00:54:31,440 –> 00:54:33,960
Automation executes the first response steps.

1562
00:54:33,960 –> 00:54:37,000
Humans handle the exceptions and the irreversible decisions.

1563
00:54:37,000 –> 00:54:39,680
That’s the 1080-10 model in practice.

1564
00:54:39,680 –> 00:54:42,080
Without pretending the platform can replace judgment.

1565
00:54:42,080 –> 00:54:44,280
So what does good automation look like here?

1566
00:54:44,280 –> 00:54:46,400
It looks like defining a small number of playbooks

1567
00:54:46,400 –> 00:54:48,040
that are intentionally boring.

1568
00:54:48,040 –> 00:54:50,840
When Defender raises a high confidence identity incident,

1569
00:54:50,840 –> 00:54:53,360
the system can automatically create a ServiceNow Security

1570
00:54:53,360 –> 00:54:56,080
incident with the right context already attached.

1571
00:54:56,080 –> 00:55:00,600
Affected identity, impacted assets, correlated alerts, timestamps,

1572
00:55:00,600 –> 00:55:02,600
and suggested containment actions.

1573
00:55:02,600 –> 00:55:05,600
No copy-paste, no, what’s the UPN back and forth?

1574
00:55:05,600 –> 00:55:08,280
No analyst spending 20 minutes collecting screenshots

1575
00:55:08,280 –> 00:55:09,560
for a ticket nobody will read.

1576
00:55:09,560 –> 00:55:11,760
Then automation does the first reversible moves.

1577
00:55:11,760 –> 00:55:14,160
Reversible means you can undo the action

1578
00:55:14,160 –> 00:55:16,680
without negotiating with half the organization.

1579
00:55:16,680 –> 00:55:19,440
Reauthentication prompts, session revocation,

1580
00:55:19,440 –> 00:55:22,640
blocking risky sign-ins, disabling a single account,

1581
00:55:22,640 –> 00:55:25,440
removing a role activation, isolating a device,

1582
00:55:25,440 –> 00:55:28,680
quarantining an email, suspending an OAuth app consent,

1583
00:55:28,680 –> 00:55:30,720
depending on what signal fired and what authority

1584
00:55:30,720 –> 00:55:31,920
you’ve pre-approved.

1585
00:55:31,920 –> 00:55:34,040
This is the key leadership decision,

1586
00:55:34,040 –> 00:55:36,160
which actions are allowed to happen automatically

1587
00:55:36,160 –> 00:55:37,760
and under what confidence threshold.

1588
00:55:37,760 –> 00:55:39,880
If everything requires a human you get latency,

1589
00:55:39,880 –> 00:55:41,240
if everything is automated,

1590
00:55:41,240 –> 00:55:44,520
you get accidental outages and political backlash.

1591
00:55:44,520 –> 00:55:47,160
The only stable model is a tiered model.

1592
00:55:47,160 –> 00:55:49,480
Automatic containment for high confidence,

1593
00:55:49,480 –> 00:55:51,760
low blast radius actions, human approval

1594
00:55:51,760 –> 00:55:53,400
for high blast radius actions,

1595
00:55:53,400 –> 00:55:55,160
and explicit escalation when the system

1596
00:55:55,160 –> 00:55:56,600
can’t determine impact.

1597
00:55:56,600 –> 00:55:59,480
ServiceNow is where that tiering becomes enforceable.

1598
00:55:59,480 –> 00:56:00,960
It can embed approval workflows,

1599
00:56:00,960 –> 00:56:02,400
enforce segregation of duties,

1600
00:56:02,400 –> 00:56:05,040
and ensure every exception has an owner and an expiration.

1601
00:56:05,040 –> 00:56:07,560
It can also track recovery tasks as actual work,

1602
00:56:07,560 –> 00:56:10,160
not as tribal knowledge, credential resets,

1603
00:56:10,160 –> 00:56:13,080
access review triggers, device re-enrollment,

1604
00:56:13,080 –> 00:56:16,160
application owner confirmation, customer communications,

1605
00:56:16,160 –> 00:56:18,560
and post-incident backlog items.

1606
00:56:18,560 –> 00:56:19,880
That last part matters.

1607
00:56:19,880 –> 00:56:24,080
Most organizations can contain when the right people are awake.

1608
00:56:24,080 –> 00:56:25,480
They can’t recover consistently

1609
00:56:25,480 –> 00:56:27,160
because recovery is treated as cleanup,

1610
00:56:27,160 –> 00:56:30,000
not as an engineered loop.

1611
00:56:30,000 –> 00:56:33,000
ServiceNow forces recovery to be legible: tasks, owners,

1612
00:56:33,000 –> 00:56:34,920
deadlines, evidence.

1613
00:56:34,920 –> 00:56:36,680
Now the counterintuitive part,

1614
00:56:36,680 –> 00:56:38,920
this automation isn’t about speed for its own sake,

1615
00:56:38,920 –> 00:56:40,960
it’s about restoring human decision time.

1616
00:56:40,960 –> 00:56:42,320
Humans should decide intent.

1617
00:56:42,320 –> 00:56:44,080
Is this identity business critical?

1618
00:56:44,080 –> 00:56:45,400
Is this activity expected?

1619
00:56:45,400 –> 00:56:46,360
Do we accept the risk?

1620
00:56:46,360 –> 00:56:47,520
Do we shut down a workflow?

1621
00:56:47,520 –> 00:56:48,680
Do we notify customers?

1622
00:56:48,680 –> 00:56:50,560
Do we escalate to legal?

1623
00:56:50,560 –> 00:56:52,320
The system should execute mechanics.

1624
00:56:52,320 –> 00:56:54,440
Collect data, correlate, create the case,

1625
00:56:54,440 –> 00:56:56,240
route it, apply reversible containment,

1626
00:56:56,240 –> 00:56:57,480
and maintain the audit trail.

1627
00:56:57,480 –> 00:57:00,080
If your analysts are doing mechanics, you don’t have a SOC.

1628
00:57:00,080 –> 00:57:02,080
You have a very expensive workflow gap.

1629
00:57:02,080 –> 00:57:04,040
And the reason this scenario belongs

1630
00:57:04,040 –> 00:57:06,440
in an executive briefing is that it changes

1631
00:57:06,440 –> 00:57:07,560
what leaders fund.

1632
00:57:07,560 –> 00:57:09,080
Instead of buying more detection,

1633
00:57:09,080 –> 00:57:11,880
you invest in the conversion layer, integrations,

1634
00:57:11,880 –> 00:57:15,720
playbooks, ownership models, and rehearsed authority.

1635
00:57:15,720 –> 00:57:17,320
You build the muscle that turns,

1636
00:57:17,320 –> 00:57:20,200
we saw something into, we contained something,

1637
00:57:20,200 –> 00:57:21,920
because the board doesn’t care that you detected

1638
00:57:21,920 –> 00:57:24,160
an identity incident at 2:03 AM.

1639
00:57:24,160 –> 00:57:28,000
They care whether the attacker still had access at 2:33 AM.

1640
00:57:28,000 –> 00:57:29,920
This is also where you stop measuring success

1641
00:57:29,920 –> 00:57:31,560
by ticket volume and start measuring it

1642
00:57:31,560 –> 00:57:34,600
by decision latency, time to detect, time to decide,

1643
00:57:34,600 –> 00:57:36,680
time to enforce, time to recover.

1644
00:57:36,680 –> 00:57:39,400
ServiceNow gives you the workflow timestamps.

1645
00:57:39,400 –> 00:57:41,240
Defender gives you the signal time stamps.

1646
00:57:41,240 –> 00:57:43,800
Together, they give you the only metric that matters.

1647
00:57:43,800 –> 00:57:45,560
MTR becomes visible.

1648
00:57:45,560 –> 00:57:49,360
And once MTR is visible, leadership can actually manage it.

1649
00:57:49,360 –> 00:57:51,400
Either resilience is an operating capability,

1650
00:57:51,400 –> 00:57:52,640
not an incident plan.

1651
00:57:52,640 –> 00:57:54,400
Resilience is what the organization can do

1652
00:57:54,400 –> 00:57:56,040
on a bad day without improvising,

1653
00:57:56,040 –> 00:57:58,200
not what it wrote down in a binder two years ago.

1654
00:57:58,200 –> 00:58:01,360
Most enterprises have an incident response plan.

1655
00:58:01,360 –> 00:58:04,760
It exists, it has owners, it has a PDF, it satisfies audits.

1656
00:58:04,760 –> 00:58:06,920
And it fails at the exact moment it’s needed,

1657
00:58:06,920 –> 00:58:08,880
because plans don’t execute themselves

1658
00:58:08,880 –> 00:58:11,320
and stressed humans don’t behave like flowcharts.

1659
00:58:11,320 –> 00:58:13,320
An incident plan is documentation.

1660
00:58:13,320 –> 00:58:15,840
Resilience is an operating capability, practiced,

1661
00:58:15,840 –> 00:58:18,480
funded, measured and continuously improved.

1662
00:58:18,480 –> 00:58:20,200
It lives in the muscle memory of teams

1663
00:58:20,200 –> 00:58:23,680
and the design of systems, not in the phrasing of a policy.

1664
00:58:23,680 –> 00:58:25,360
This is the uncomfortable truth.

1665
00:58:25,360 –> 00:58:28,040
Modern incidents are not puzzles, they are time games.

1666
00:58:28,040 –> 00:58:29,800
The attacker’s advantage is not brilliance.

1667
00:58:29,800 –> 00:58:31,600
It’s that your organization needs a meeting

1668
00:58:31,600 –> 00:58:32,800
before it can act.

1669
00:58:32,800 –> 00:58:34,960
Resilience is the decision to remove that meeting

1670
00:58:34,960 –> 00:58:36,240
from the critical path.

1671
00:58:36,240 –> 00:58:39,000
So resilience engineering starts with one stance,

1672
00:58:39,000 –> 00:58:42,680
expect failure, not as pessimism, as design input.

1673
00:58:42,680 –> 00:58:44,640
Your human identity will be compromised,

1674
00:58:44,640 –> 00:58:46,760
your sumatoken will be stolen, your sumatown,

1675
00:58:46,760 –> 00:58:48,440
or OAuth app will get consented,

1676
00:58:48,440 –> 00:58:50,600
your sumatement will make a mistake.

1677
00:58:50,600 –> 00:58:52,520
Then you design for bounded failure,

1678
00:58:52,520 –> 00:58:55,240
small blast radius, fast revocation

1679
00:58:55,240 –> 00:58:57,600
and recovery that doesn’t require heroics.

1680
00:58:57,600 –> 00:59:00,000
Bounded failure is the opposite of prevention fantasy.

1681
00:59:00,000 –> 00:59:02,640
It’s not nothing bad happens, it’s bad

1682
00:59:02,640 –> 00:59:05,440
things happen and the organization keeps operating.

1683
00:59:05,440 –> 00:59:08,120
That implies three capabilities leaders can actually fund.

1684
00:59:08,120 –> 00:59:09,840
First, containment readiness.

1685
00:59:09,840 –> 00:59:13,520
This is the existence of kill switches that work.

1686
00:59:13,520 –> 00:59:16,000
Rapid account disabling, privilege stripping,

1687
00:59:16,000 –> 00:59:18,880
session revocation, conditional access escalation,

1688
00:59:18,880 –> 00:59:21,920
device isolation and application level blocks,

1689
00:59:21,920 –> 00:59:26,040
pre-approved, auditable and reversible, where possible.

1690
00:59:26,040 –> 00:59:28,560
If containment actions require ad hoc approvals,

1691
00:59:28,560 –> 00:59:30,280
you don’t have containment readiness,

1692
00:59:30,280 –> 00:59:33,760
you have hope. Second, recovery readiness.

1693
00:59:33,760 –> 00:59:36,760
Containment stops the bleeding, recovery restores the business.

1694
00:59:36,760 –> 00:59:39,640
Most organizations skip designing recovery as a system,

1695
00:59:39,640 –> 00:59:41,480
so they pay for it in chaos.

1696
00:59:41,480 –> 00:59:44,040
Recovery readiness means the organization knows

1697
00:59:44,040 –> 00:59:47,520
how to restore access safely, rebuild trust in identities

1698
00:59:47,520 –> 00:59:49,920
and reestablish clean operating conditions.

1699
00:59:49,920 –> 00:59:53,280
Credential resets with verification, reissuing tokens,

1700
00:59:53,280 –> 00:59:56,720
validating device posture, re-onboarding service accounts,

1701
00:59:56,720 –> 00:59:59,080
verifying that privileged roles are clean,

1702
00:59:59,080 –> 01:00:01,520
and proving that logging and controls are still intact.

1703
01:00:01,520 –> 01:00:03,520
If the org can’t reestablish trust quickly,

1704
01:00:03,520 –> 01:00:05,120
it will either stay offline too long

1705
01:00:05,120 –> 01:00:06,920
or come back online too early.

1706
01:00:06,920 –> 01:00:08,240
Both are expensive.

1707
01:00:08,240 –> 01:00:12,440
Third, learning loop discipline.

1708
01:00:12,440 –> 01:00:14,200
Resilience isn’t we survived.

1709
01:00:14,200 –> 01:00:17,480
Resilience is we survived and we made it harder next time.

1710
01:00:17,480 –> 01:00:19,240
That requires turning incident lessons

1711
01:00:19,240 –> 01:00:21,360
into owned backlog items with deadlines,

1712
01:00:21,360 –> 01:00:23,640
not we should review access,

1713
01:00:23,640 –> 01:00:26,200
not we should tighten conditional access,

1714
01:00:26,200 –> 01:00:28,800
specific changes, which entitlement gets rescoped,

1715
01:00:28,800 –> 01:00:31,960
which exception expires, which workflow becomes automated,

1716
01:00:31,960 –> 01:00:33,560
which app must support CAE,

1717
01:00:33,560 –> 01:00:36,080
which privileged role gets moved to eligible only,

1718
01:00:36,080 –> 01:00:38,560
which detection trigger now routes to action.

1719
01:00:38,560 –> 01:00:40,760
This is where most programs rot.

1720
01:00:40,760 –> 01:00:42,840
The incident becomes a post-mortem presentation,

1721
01:00:42,840 –> 01:00:44,240
not an engineering input.

1722
01:00:44,240 –> 01:00:45,360
Now to make this real,

1723
01:00:45,360 –> 01:00:47,640
leaders need to stop treating tabletop exercises

1724
01:00:47,640 –> 01:00:48,760
as compliance theater.

1725
01:00:48,760 –> 01:00:50,040
A tabletop isn’t a quiz.

1726
01:00:50,040 –> 01:00:51,480
It’s a rehearsal of decisions.

1727
01:00:51,480 –> 01:00:53,960
Who has authority to disable an executive account?

1728
01:00:53,960 –> 01:00:56,840
Who can revoke access for a third party integration

1729
01:00:56,840 –> 01:00:57,880
that drives revenue?

1730
01:00:57,880 –> 01:01:00,680
Who can force reauthentication for a business critical SaaS app?

1731
01:01:00,680 –> 01:01:02,360
Who can approve isolating a device

1732
01:01:02,360 –> 01:01:04,000
used for production deployment?

1733
01:01:04,000 –> 01:01:04,960
Who talks to legal?

1734
01:01:04,960 –> 01:01:06,040
Who talks to customers?

1735
01:01:06,040 –> 01:01:07,120
Who owns the timeline?

1736
01:01:07,120 –> 01:01:08,480
Those are not technical questions.

1737
01:01:08,480 –> 01:01:10,800
They are governance questions under stress.

1738
01:01:10,800 –> 01:01:13,120
A good tabletop produces two outputs,

1739
01:01:13,120 –> 01:01:15,960
decision clarity and remediation backlog.

1740
01:01:15,960 –> 01:01:18,200
If it only produces, we learned a lot.

1741
01:01:18,200 –> 01:01:19,400
It produced nothing.

1742
01:01:19,400 –> 01:01:21,600
There’s also a structural implication to resilience

1743
01:01:21,600 –> 01:01:23,800
that security teams dislike admitting.

1744
01:01:23,800 –> 01:01:26,880
Resilience requires alignment between identity, IT,

1745
01:01:26,880 –> 01:01:29,600
and the business, not cooperation, alignment.

1746
01:01:29,600 –> 01:01:31,920
Because response actions always affect operations.

1747
01:01:31,920 –> 01:01:33,440
If the business refuses disruption,

1748
01:01:33,440 –> 01:01:35,120
the attacker gets persistence.

1749
01:01:35,120 –> 01:01:38,280
If security refuses accountability, the business gets chaos.

1750
01:01:38,280 –> 01:01:40,800
Resilience is the negotiated operating model

1751
01:01:40,800 –> 01:01:42,440
that makes decisive action possible

1752
01:01:42,440 –> 01:01:44,040
without endless escalation.

1753
01:01:44,040 –> 01:01:45,400
And AI doesn’t change this.

1754
01:01:45,400 –> 01:01:47,080
It accelerates it.

1755
01:01:47,080 –> 01:01:48,440
AI makes attacks faster,

1756
01:01:48,440 –> 01:01:50,200
but it also makes defense more scalable

1757
01:01:50,200 –> 01:01:51,680
if the organization has the workflow

1758
01:01:51,680 –> 01:01:53,360
to convert signals into action.

1759
01:01:53,360 –> 01:01:56,120
Without that, AI just increases the volume of insights

1760
01:01:56,120 –> 01:01:57,400
you fail to operationalize.

1761
01:01:57,400 –> 01:01:59,040
So resilience isn’t the binder.

1762
01:01:59,040 –> 01:01:59,960
It’s the loop.

1763
01:01:59,960 –> 01:02:01,760
Contain, recover, learn, repeat it

1764
01:02:01,760 –> 01:02:04,520
until the system becomes harder to break than it is to run.

1765
01:02:04,520 –> 01:02:07,160
And once you treat resilience as an operating capability,

1766
01:02:07,160 –> 01:02:10,280
you can finally put it on a scoreboard leadership understands.

1767
01:02:10,280 –> 01:02:12,440
The leadership metric, reduce MTTR

1768
01:02:12,440 –> 01:02:14,120
for identity-driven incidents.

1769
01:02:14,120 –> 01:02:16,480
This is where leadership usually asks for a dashboard

1770
01:02:16,480 –> 01:02:18,440
and security hands them the wrong one.

1771
01:02:18,440 –> 01:02:19,440
They get counts.

1772
01:02:19,440 –> 01:02:21,600
Number of incidents, number of blocked sign-ins,

1773
01:02:21,600 –> 01:02:24,080
number of risky users, number of alerts closed.

1774
01:02:24,080 –> 01:02:24,880
That’s activity.

1775
01:02:24,880 –> 01:02:26,120
It’s not capability.

1776
01:02:26,120 –> 01:02:28,960
Capability is what happens when an identity-driven incident

1777
01:02:28,960 –> 01:02:31,360
is already in motion and the business is bleeding time.

1778
01:02:31,360 –> 01:02:32,520
The only metric that translates

1779
01:02:32,520 –> 01:02:36,320
cleanly from security to operations to the board is MTTR.

1780
01:02:36,320 –> 01:02:37,880
Mean time to respond, end to end.

1781
01:02:37,880 –> 01:02:39,480
Not time to create a ticket.

1782
01:02:39,480 –> 01:02:40,480
Not time to acknowledge.

1783
01:02:40,480 –> 01:02:42,280
Respond means containment has occurred

1784
01:02:42,280 –> 01:02:45,280
and the attacker’s ability to act has been materially reduced.

1785
01:02:45,280 –> 01:02:47,640
If you can’t define that moment, you can’t manage it.

1786
01:02:47,640 –> 01:02:48,960
That distinction matters.

1787
01:02:48,960 –> 01:02:51,320
Identity-driven incidents dominate business impact

1788
01:02:51,320 –> 01:02:53,760
because identity is the permission fabric for everything else.

1789
01:02:53,760 –> 01:02:56,400
When an endpoint is compromised, you might lose a machine.

1790
01:02:56,400 –> 01:02:57,960
When an identity is compromised,

1791
01:02:57,960 –> 01:03:01,040
you can lose data, approvals, code, financial workflows,

1792
01:03:01,040 –> 01:03:02,840
and the ability to trust your own systems.

1793
01:03:02,840 –> 01:03:05,280
It is the difference between a local fire

1794
01:03:05,280 –> 01:03:07,600
and a fire in the building’s electrical panel.

1795
01:03:07,600 –> 01:03:09,240
So the leadership mandate is simple.

1796
01:03:09,240 –> 01:03:11,680
Reduce the time window in which a compromised identity

1797
01:03:11,680 –> 01:03:12,520
can operate.

1798
01:03:12,520 –> 01:03:14,800
The 40-60% reduction target is not magic.

1799
01:03:14,800 –> 01:03:16,640
It is the difference between a system

1800
01:03:16,640 –> 01:03:19,320
that relies on humans to stitch context together

1801
01:03:19,320 –> 01:03:21,640
and a system that treats identity as a control plane

1802
01:03:21,640 –> 01:03:23,400
with enforcement and workflow.

1803
01:03:23,400 –> 01:03:26,160
If your current MTTR is measured in hours,

1804
01:03:26,160 –> 01:03:28,360
cutting it roughly in half is entirely plausible

1805
01:03:28,360 –> 01:03:31,080
when you move the first actions from manual to orchestrated

1806
01:03:31,080 –> 01:03:34,000
and when you stop waiting for token expiry to do your job.

1807
01:03:34,000 –> 01:03:36,760
But leaders need to understand what they are actually measuring.

1808
01:03:36,760 –> 01:03:38,360
MTTR is not a single stopwatch.

1809
01:03:38,360 –> 01:03:40,840
It’s a chain and chains fail at the weakest link,

1810
01:03:40,840 –> 01:03:42,520
so break it into four timestamps

1811
01:03:42,520 –> 01:03:45,040
that are board legible and operationally honest.

1812
01:03:45,040 –> 01:03:46,080
Time to detect.

1813
01:03:46,080 –> 01:03:48,280
When did the system first have a credible signal

1814
01:03:48,280 –> 01:03:49,440
that something was wrong?

1815
01:03:49,440 –> 01:03:52,120
Not when someone looked at it, when it existed.

1816
01:03:52,120 –> 01:03:53,480
Time to decide.

1817
01:03:53,480 –> 01:03:56,520
How long did it take for a human or a policy engine to decide,

1818
01:03:56,520 –> 01:03:58,360
this is real enough to act?

1819
01:03:58,360 –> 01:04:02,000
This is where alert fatigue and unclear severity definitions

1820
01:04:02,000 –> 01:04:03,840
turn into business exposure.

1821
01:04:03,840 –> 01:04:04,960
Time to enforce.

1822
01:04:04,960 –> 01:04:07,360
How long did it take for the decision to change reality?

1823
01:04:07,360 –> 01:04:08,320
Disable the account.

1824
01:04:08,320 –> 01:04:10,960
Revoke sessions, block the sign-in, remove privilege,

1825
01:04:10,960 –> 01:04:11,920
quarantine the device.

1826
01:04:11,920 –> 01:04:14,600
If it took two hours to get approval, that’s not governance.

1827
01:04:14,600 –> 01:04:15,920
That’s latency.

1828
01:04:15,920 –> 01:04:17,120
Time to recover.

1829
01:04:17,120 –> 01:04:20,320
How long until the business can operate safely again?

1830
01:04:20,320 –> 01:04:22,160
Not we stopped the attacker.

1831
01:04:22,160 –> 01:04:24,760
We restored trusted access and verified the control plane

1832
01:04:24,760 –> 01:04:25,680
is intact.

1833
01:04:25,680 –> 01:04:27,920
That model gives leaders something they can fund

1834
01:04:27,920 –> 01:04:29,640
because each stage has different blockers.

1835
01:04:29,640 –> 01:04:32,160
Time to detect is usually a signal coverage and correlation

1836
01:04:32,160 –> 01:04:33,040
problem.

1837
01:04:33,040 –> 01:04:35,720
Defender and Entra can help, but only if the environment is

1838
01:04:35,720 –> 01:04:38,840
instrumented and identity signals aren’t treated as optional.

1839
01:04:38,840 –> 01:04:41,800
Time to decide is usually a clarity problem.

1840
01:04:41,800 –> 01:04:44,360
Who owns the call, what thresholds matter,

1841
01:04:44,360 –> 01:04:45,920
and what actions are pre-approved?

1842
01:04:45,920 –> 01:04:48,320
Ambiguity is the most expensive security control

1843
01:04:48,320 –> 01:04:49,320
you can deploy.

1844
01:04:49,320 –> 01:04:51,640
Time to enforce is an architecture problem.

1845
01:04:51,640 –> 01:04:53,760
If revocation depends on token expiry,

1846
01:04:53,760 –> 01:04:55,080
you chose slow enforcement.

1847
01:04:55,080 –> 01:04:57,360
If enforcement depends on three teams in a meeting,

1848
01:04:57,360 –> 01:04:58,880
you chose slow enforcement.

1849
01:04:58,880 –> 01:05:00,560
CAE and privileged access governance

1850
01:05:00,560 –> 01:05:02,280
exist to collapse this gap.

1851
01:05:02,280 –> 01:05:04,560
Time to recover is an operating model problem.

1852
01:05:04,560 –> 01:05:07,360
If recovery is ad hoc, it is slow by design.

1853
01:05:07,360 –> 01:05:09,600
If recovery tasks are templated, owned,

1854
01:05:09,600 –> 01:05:12,520
and automated where possible, it becomes repeatable.

1855
01:05:12,520 –> 01:05:15,520
Now here’s what blocks MTTR improvement in real organizations,

1856
01:05:15,520 –> 01:05:16,680
unclear authority.

1857
01:05:16,680 –> 01:05:19,080
Nobody wants to be the person who disabled the CFO’s

1858
01:05:19,080 –> 01:05:21,200
account during quarter close, so they escalate

1859
01:05:21,200 –> 01:05:22,720
until the attacker is done.

1860
01:05:22,720 –> 01:05:23,720
Manual handoffs.

1861
01:05:23,720 –> 01:05:26,160
Signals move from Defender to email to chat to ticket,

1862
01:05:26,160 –> 01:05:27,880
with context lost every time.

1863
01:05:27,880 –> 01:05:28,920
Exception sprawl.

1864
01:05:28,920 –> 01:05:30,600
The most critical identities and apps

1865
01:05:30,600 –> 01:05:33,080
are often the most exempt, which means your highest risk

1866
01:05:33,080 –> 01:05:34,960
pathways are your least governable ones.

1867
01:05:34,960 –> 01:05:36,480
And entitlement ambiguity.

1868
01:05:36,480 –> 01:05:38,000
If you don’t know what an identity can do,

1869
01:05:38,000 –> 01:05:39,440
you can’t contain it confidently.

1870
01:05:39,440 –> 01:05:40,080
You hesitate.

1871
01:05:40,080 –> 01:05:41,120
The attacker doesn’t.

1872
01:05:41,120 –> 01:05:44,200
So leadership should treat MTTR like a resilience KPI,

1873
01:05:44,200 –> 01:05:45,240
not a SOC KPI.

1874
01:05:45,240 –> 01:05:47,160
It’s how you measure whether the enterprise

1875
01:05:47,160 –> 01:05:50,280
can make trust decisions and enforce them in business time.

1876
01:05:50,280 –> 01:05:52,440
Everything you funded earlier, Entra governance,

1877
01:05:52,440 –> 01:05:55,040
ITDR discipline, CAE, and Defender-to-ServiceNow

1878
01:05:55,040 –> 01:05:56,840
orchestration should show up here

1879
01:05:56,840 –> 01:05:59,800
as lower decision latency and faster enforcement.

1880
01:05:59,800 –> 01:06:01,880
And if it doesn’t, you don’t have a tooling problem.

1881
01:06:01,880 –> 01:06:03,480
You have an operating model that still

1882
01:06:03,480 –> 01:06:05,760
confuses visibility with control.

1883
01:06:05,760 –> 01:06:06,760
Composite incident.

1884
01:06:06,760 –> 01:06:07,440
Same tools.

1885
01:06:07,440 –> 01:06:08,520
Different outcome.

1886
01:06:08,520 –> 01:06:11,320
Now put all of this into a story that leaders recognize,

1887
01:06:11,320 –> 01:06:14,240
not a named breach, not a vendor fairy tale.

1888
01:06:14,240 –> 01:06:16,480
A composite incident built from the same patterns,

1889
01:06:16,480 –> 01:06:19,160
every SOC and identity team has seen.

1890
01:06:19,160 –> 01:06:20,160
Session abuse.

1891
01:06:20,160 –> 01:06:21,000
Over permission.

1892
01:06:21,000 –> 01:06:23,000
Slow revocation and manual response.

1893
01:06:23,000 –> 01:06:24,000
Same organization.

1894
01:06:24,000 –> 01:06:25,280
Same Microsoft stack.

1895
01:06:25,280 –> 01:06:27,320
Same green dashboards.

1896
01:06:27,320 –> 01:06:30,000
Two different outcomes determined entirely by design.

1897
01:06:30,000 –> 01:06:32,040
In the first version, the attacker doesn’t start

1898
01:06:32,040 –> 01:06:33,360
with some exotic exploit.

1899
01:06:33,360 –> 01:06:35,520
They start with an identity that has more authority

1900
01:06:35,520 –> 01:06:38,480
than anyone remembers approving, a contractor account,

1901
01:06:38,480 –> 01:06:40,840
a partner identity, or an internal user

1902
01:06:40,840 –> 01:06:43,760
who moved roles three times and kept access every time.

1903
01:06:43,760 –> 01:06:45,480
The initial foothold is boring.

1904
01:06:45,480 –> 01:06:48,960
A captured session token via a malicious browser extension.

1905
01:06:48,960 –> 01:06:50,920
A convincing OAuth consent.

1906
01:06:50,920 –> 01:06:53,840
Or straight credential theft followed by MFA completion.

1907
01:06:53,840 –> 01:06:55,960
It doesn’t matter which because the system’s failure mode

1908
01:06:55,960 –> 01:06:56,760
is the same.

1909
01:06:56,760 –> 01:06:58,880
The user successfully completed MFA.

1910
01:06:58,880 –> 01:07:00,760
So the attacker doesn’t fight authentication.

1911
01:07:00,760 –> 01:07:01,720
They inherit it.

1912
01:07:01,720 –> 01:07:03,760
From there, the attacker explores entitlements.

1913
01:07:03,760 –> 01:07:05,200
They don’t need to scan networks.

1914
01:07:05,200 –> 01:07:07,800
They just enumerate what the identity can reach.

1915
01:07:07,800 –> 01:07:09,040
SharePoint sites.

1916
01:07:09,040 –> 01:07:10,120
Teams files.

1917
01:07:10,120 –> 01:07:11,440
Mailbox rules.

1918
01:07:11,440 –> 01:07:12,960
Power BI workspaces.

1919
01:07:12,960 –> 01:07:14,080
Azure resources.

1920
01:07:14,080 –> 01:07:15,680
Third-party SaaS.

1921
01:07:15,680 –> 01:07:18,400
They look for the same things every attacker looks for.

1922
01:07:18,400 –> 01:07:19,560
Export paths.

1923
01:07:19,560 –> 01:07:20,640
Admin paths.

1924
01:07:20,640 –> 01:07:21,800
And trust paths.

1925
01:07:21,800 –> 01:07:23,160
Here’s the weird part.

1926
01:07:23,160 –> 01:07:25,320
Most of this activity doesn’t look like malware.

1927
01:07:25,320 –> 01:07:27,040
It looks like a busy employee.

1928
01:07:27,040 –> 01:07:27,920
Downloads.

1929
01:07:27,920 –> 01:07:28,760
List operations.

1930
01:07:28,760 –> 01:07:30,040
API calls.

1931
01:07:30,040 –> 01:07:30,840
Role lookups.

1932
01:07:30,840 –> 01:07:31,800
Consent grants.

1933
01:07:31,800 –> 01:07:33,720
Maybe a few impossible travel hints.

1934
01:07:33,720 –> 01:07:35,240
But nothing that screams ransomware.

1935
01:07:35,240 –> 01:07:37,000
So the organization stays calm.

1936
01:07:37,000 –> 01:07:38,240
Defenders see signals.

1937
01:07:38,240 –> 01:07:39,600
Entra sees risky behavior.

1938
01:07:39,600 –> 01:07:40,600
The logs are there.

1939
01:07:40,600 –> 01:07:42,600
But the decision loop isn’t connected to enforcement.

1940
01:07:42,600 –> 01:07:45,520
So what happens is the most common failure mode in identity

1941
01:07:45,520 –> 01:07:46,280
incidents.

1942
01:07:46,280 –> 01:07:48,960
People notice, but nothing changes fast enough to matter.

1943
01:07:48,960 –> 01:07:50,640
A ticket gets created, an analyst

1944
01:07:50,640 –> 01:07:51,920
pings the identity team.

1945
01:07:51,920 –> 01:07:54,800
The identity team asks the business owner whether the account

1946
01:07:54,800 –> 01:07:55,480
is critical.

1947
01:07:55,480 –> 01:07:56,960
The business owner isn’t sure.

1948
01:07:56,960 –> 01:07:58,320
Someone schedules a call.

1949
01:07:58,320 –> 01:07:59,920
Meanwhile, the attacker keeps operating

1950
01:07:59,920 –> 01:08:01,360
because the session remains valid.

1951
01:08:01,360 –> 01:08:03,160
Tokens don’t care about meetings.

1952
01:08:03,160 –> 01:08:04,800
Then the attacker finds the real value

1953
01:08:04,800 –> 01:08:07,360
an identity pathway that can change control.

1954
01:08:07,360 –> 01:08:09,280
A role that can read security settings.

1955
01:08:09,280 –> 01:08:11,760
An account that can create new app registrations.

1956
01:08:11,760 –> 01:08:14,440
A service principal with broad Graph permissions.

1957
01:08:14,440 –> 01:08:15,960
Or a legacy admin group.

1958
01:08:15,960 –> 01:08:16,960
Nobody reviews.

1959
01:08:16,960 –> 01:08:19,840
Now the incident stops being suspicious user behavior

1960
01:08:19,840 –> 01:08:21,560
and becomes a business event.

1961
01:08:21,560 –> 01:08:24,480
Data exfiltration, control disablement, or persistence

1962
01:08:24,480 –> 01:08:25,520
creation.

1963
01:08:25,520 –> 01:08:27,520
And the root cause later reads like a checklist

1964
01:08:27,520 –> 01:08:28,840
of comfortable truths.

1965
01:08:28,840 –> 01:08:30,760
MFA was enabled.

1966
01:08:30,760 –> 01:08:32,760
Defender generated alerts.

1967
01:08:32,760 –> 01:08:33,880
We had logging.

1968
01:08:33,880 –> 01:08:35,200
We followed the process.

1969
01:08:35,200 –> 01:08:35,680
Yes.

1970
01:08:35,680 –> 01:08:38,240
And the attacker had time. Now rerun the same incident

1971
01:08:38,240 –> 01:08:39,480
in the redesigned environment.

1972
01:08:39,480 –> 01:08:41,880
Same tools, different outcome.

1973
01:08:41,880 –> 01:08:44,040
The attacker still gets the initial token.

1974
01:08:44,040 –> 01:08:45,320
That part is not fantasy.

1975
01:08:45,320 –> 01:08:46,200
Assume breach.

1976
01:08:46,200 –> 01:08:48,000
But the identity is governed differently.

1977
01:08:48,000 –> 01:08:49,200
The access is time bound.

1978
01:08:49,200 –> 01:08:51,000
Privilege is eligible, not standing.

1979
01:08:51,000 –> 01:08:52,280
Entitlements have owners.

1980
01:08:52,280 –> 01:08:54,960
And the first meaningful actions don’t require heroics.

1981
01:08:54,960 –> 01:08:57,680
The first sign of risk elevates the account state.

1982
01:08:57,680 –> 01:09:00,360
Entra’s identity signals change the trust decision.

1983
01:09:00,360 –> 01:09:03,200
CAE forces re-evaluation inside the session.

1984
01:09:03,200 –> 01:09:05,240
The attacker’s borrowed trust collapses

1985
01:09:05,240 –> 01:09:07,160
while they’re still trying to explore.

1986
01:09:07,160 –> 01:09:08,600
Not because someone woke up faster

1987
01:09:08,600 –> 01:09:11,240
because the platform revoked trust in business time.

1988
01:09:11,240 –> 01:09:13,880
At the same moment, Defender correlates the incident

1989
01:09:13,880 –> 01:09:15,480
and pushes it into ServiceNow

1990
01:09:15,480 –> 01:09:17,160
with the context already attached.

1991
01:09:17,160 –> 01:09:21,120
Identity, device, SaaS artifacts, and recommended containment.

1992
01:09:21,120 –> 01:09:23,240
ServiceNow isn’t used to start a conversation.

1993
01:09:23,240 –> 01:09:25,920
It’s used to execute a predefined response path.

1994
01:09:25,920 –> 01:09:28,400
Automation takes the reversible steps immediately.

1995
01:09:28,400 –> 01:09:30,640
Revoke sessions, block risky sign-ins,

1996
01:09:30,640 –> 01:09:32,800
remove active privileged role assignments,

1997
01:09:32,800 –> 01:09:34,120
isolate the device if needed,

1998
01:09:34,120 –> 01:09:37,040
suspend suspicious OAuth grants if they exist.

1999
01:09:37,040 –> 01:09:38,640
Humans still decide the big calls.

2000
01:09:38,640 –> 01:09:40,200
Do we disable the account entirely?

2001
01:09:40,200 –> 01:09:41,520
Do we pause a business workflow?

2002
01:09:41,520 –> 01:09:42,400
Do we notify legal?

2003
01:09:42,400 –> 01:09:44,480
Do we trigger broader access reviews?

2004
01:09:44,480 –> 01:09:46,800
But humans are deciding while the attacker is contained.

2005
01:09:46,800 –> 01:09:48,560
Not while the attacker is still active.

2006
01:09:48,560 –> 01:09:50,000
That is the entire difference.

2007
01:09:50,000 –> 01:09:52,760
In the first environment, trust drift and decision latency

2008
01:09:52,760 –> 01:09:55,760
turned a minor identity compromise into an enterprise incident.

2009
01:09:55,760 –> 01:09:57,560
In the second, the attacker still got in,

2010
01:09:57,560 –> 01:09:59,400
but they couldn’t stay, couldn’t escalate,

2011
01:09:59,400 –> 01:10:02,600
and couldn’t move fast enough to make the event existential.

2012
01:10:02,600 –> 01:10:05,400
Same tools, same tenant, same budget line items.

2013
01:10:05,400 –> 01:10:06,480
Different outcome.

2014
01:10:06,480 –> 01:10:08,920
Because the organization stopped measuring security

2015
01:10:08,920 –> 01:10:11,840
by coverage and started engineering it as a control loop,

2016
01:10:11,840 –> 01:10:14,800
identity governance to reduce reckless entitlements,

2017
01:10:14,800 –> 01:10:17,720
CAE to revoke sessions when reality changes,

2018
01:10:17,720 –> 01:10:19,560
and orchestration to collapse the time

2019
01:10:19,560 –> 01:10:21,280
between signal and action.

2020
01:10:21,280 –> 01:10:23,320
This is the moment leaders need to internalize.

2021
01:10:23,320 –> 01:10:25,760
Security isn’t the number of incidents you prevent.

2022
01:10:25,760 –> 01:10:28,000
It’s the size and duration of the incidents you allow.

2023
01:10:28,000 –> 01:10:31,000
The executive operating model for security beyond controls.

2024
01:10:31,000 –> 01:10:33,840
So if the story is same tools, different outcome,

2025
01:10:33,840 –> 01:10:36,400
the obvious executive question is what actually changed?

2026
01:10:36,400 –> 01:10:39,240
Not the product list, the operating model.

2027
01:10:39,240 –> 01:10:40,960
Because controls don’t run themselves,

2028
01:10:40,960 –> 01:10:43,480
they are executed through ownership, decision rights,

2029
01:10:43,480 –> 01:10:46,360
and a loop that converts intent into enforcement.

2030
01:10:46,360 –> 01:10:48,160
Without that, you’re just accumulating features

2031
01:10:48,160 –> 01:10:49,560
and calling it maturity.

2032
01:10:49,560 –> 01:10:51,920
Here’s the model leaders need to hold in their heads,

2033
01:10:51,920 –> 01:10:55,280
one loop, end to end, identity, trust decisions,

2034
01:10:55,280 –> 01:10:57,280
detection, response, recovery.

2035
01:10:57,280 –> 01:10:58,880
Identity is your control plane

2036
01:10:58,880 –> 01:11:00,640
because it’s where permissions live.

2037
01:11:00,640 –> 01:11:02,960
Trust decisions are the policies that decide

2038
01:11:02,960 –> 01:11:05,520
under what conditions is that identity allowed to act.

2039
01:11:05,520 –> 01:11:07,360
And detection is the sensing layer.

2040
01:11:07,360 –> 01:11:08,840
Response is the action layer.

2041
01:11:08,840 –> 01:11:11,880
Recovery is the process of restoring trusted operations

2042
01:11:11,880 –> 01:11:14,360
and proving the environment is clean enough to resume.

2043
01:11:14,360 –> 01:11:16,160
If any part of that loop is weak,

2044
01:11:16,160 –> 01:11:18,680
the whole enterprise becomes a probabilistic system.

2045
01:11:18,680 –> 01:11:20,840
And leaders should stop accepting probabilistic.

2046
01:11:20,840 –> 01:11:23,320
Now, most enterprises treat each part of that loop

2047
01:11:23,320 –> 01:11:25,200
as a separate department, identity team,

2048
01:11:25,200 –> 01:11:28,040
security operations, IT operations, application owners,

2049
01:11:28,040 –> 01:11:31,280
risk, legal, audit. The attacker doesn’t care.

2050
01:11:31,280 –> 01:11:33,440
So the operating model has to align those pieces

2051
01:11:33,440 –> 01:11:37,040
without creating a bureaucracy that moves slower than the threat.

2052
01:11:37,040 –> 01:11:39,680
That starts with a clean split, policy intent

2053
01:11:39,680 –> 01:11:41,120
versus policy enforcement.

2054
01:11:41,120 –> 01:11:42,800
Policy intent belongs to the business,

2055
01:11:42,800 –> 01:11:45,080
not because the business writes conditional access rules,

2056
01:11:45,080 –> 01:11:47,920
but because the business defines the tolerable risk.

2057
01:11:47,920 –> 01:11:50,440
Who should have access to what, for how long,

2058
01:11:50,440 –> 01:11:52,440
with what approvals and under what conditions?

2059
01:11:52,440 –> 01:11:54,760
That’s governance, that’s not an IT preference.

2060
01:11:54,760 –> 01:11:56,680
That’s a business decision about trust.

2061
01:11:56,680 –> 01:11:59,040
Policy enforcement belongs to the platform teams.

2062
01:11:59,040 –> 01:12:01,520
Identity, endpoint, and security engineering

2063
01:12:01,520 –> 01:12:04,760
translate intent into deterministic mechanisms.

2064
01:12:04,760 –> 01:12:07,920
Conditional access, privileged access constraints,

2065
01:12:07,920 –> 01:12:12,360
entitlement packages, CAE triggers, and automation playbooks.

2066
01:12:12,360 –> 01:12:14,800
But the key is this, enforcement must be testable.

2067
01:12:14,800 –> 01:12:17,640
If a policy can’t be tested under realistic conditions,

2068
01:12:17,640 –> 01:12:20,520
it’s not a control, it’s a belief.

2069
01:12:20,520 –> 01:12:22,520
The second component of the operating model

2070
01:12:22,520 –> 01:12:23,720
is exception governance.

2071
01:12:23,720 –> 01:12:25,280
This is where most programs collapse.

2072
01:12:25,280 –> 01:12:28,320
Exceptions are not rare edge cases, they are entropy generators.

2073
01:12:28,320 –> 01:12:30,720
They accumulate because the business is trying to function

2074
01:12:30,720 –> 01:12:32,720
and because security is trying to accommodate.

2075
01:12:32,720 –> 01:12:34,720
Over time, exceptions become the real policy

2076
01:12:34,720 –> 01:12:36,720
and the real policy becomes theater.

2077
01:12:36,720 –> 01:12:39,400
So executives need a non-negotiable rule.

2078
01:12:39,400 –> 01:12:41,920
Every exception must have an owner,

2079
01:12:41,920 –> 01:12:45,800
a justification, an expiration date, and a review cadence.

2080
01:12:45,800 –> 01:12:48,400
No expiration means you’re not granting an exception.

2081
01:12:48,400 –> 01:12:51,200
You’re redesigning the security model without admitting it.

2082
01:12:51,200 –> 01:12:54,000
And exceptions need to be treated as first class risk objects,

2083
01:12:54,000 –> 01:12:56,320
tracked, measured, and reduced over time.

2084
01:12:56,320 –> 01:12:58,280
Otherwise, you will always enable CAE,

2085
01:12:58,280 –> 01:13:00,560
enable governance, enable zero trust,

2086
01:13:00,560 –> 01:13:03,360
and then quietly bypass it everywhere it matters.

2087
01:13:03,360 –> 01:13:06,120
Third, decision speed requires decision rights.

2088
01:13:06,120 –> 01:13:07,920
Identity incidents become expensive

2089
01:13:07,920 –> 01:13:09,360
when nobody is allowed to act.

2090
01:13:09,360 –> 01:13:12,000
The SOC sees signals but can’t revoke access.

2091
01:13:12,000 –> 01:13:14,920
It can isolate devices but can’t disable accounts.

2092
01:13:14,920 –> 01:13:18,000
App owners can approve access, but don’t understand blast radius.

2093
01:13:18,000 –> 01:13:21,120
Legal wants certainty, the business wants continuity.

2094
01:13:21,120 –> 01:13:23,720
So define three tiers of authority in advance.

2095
01:13:23,720 –> 01:13:26,080
Tier one, pre-approved, reversible actions

2096
01:13:26,080 –> 01:13:28,640
that can happen immediately when confidence is high,

2097
01:13:28,640 –> 01:13:31,720
session revocation, forcing reauthentication,

2098
01:13:31,720 –> 01:13:35,800
blocking risky sign-ins, suspending a suspicious OAuth grant.

2099
01:13:35,800 –> 01:13:37,600
These should not require a meeting.

2100
01:13:37,600 –> 01:13:39,640
Tier two, disruptive but bounded actions

2101
01:13:39,640 –> 01:13:41,280
that require fast approval,

2102
01:13:41,280 –> 01:13:43,600
disabling an account tied to revenue workflows,

2103
01:13:43,600 –> 01:13:45,560
locking down a sensitive SharePoint site,

2104
01:13:45,560 –> 01:13:48,640
removing privileged access from a production operator.

2105
01:13:48,640 –> 01:13:50,840
These need named approvals, not the team.

2106
01:13:50,840 –> 01:13:53,200
Tier three, enterprise impact actions

2107
01:13:53,200 –> 01:13:55,720
that trigger executive incident governance.

2108
01:13:55,720 –> 01:13:58,160
Broad access shutdowns, customer notifications,

2109
01:13:58,160 –> 01:13:59,680
regulatory disclosures.

2110
01:13:59,680 –> 01:14:01,800
These are rare but if you don’t pre-define them,

2111
01:14:01,800 –> 01:14:04,080
you’ll discover your authority model in real time.

2112
01:14:04,080 –> 01:14:06,160
That’s not leadership, that’s improvisation.

2113
01:14:06,160 –> 01:14:07,680
Fourth, investment posture.

2114
01:14:07,680 –> 01:14:10,000
Leaders need to fund the loop, not the sensors.

2115
01:14:10,000 –> 01:14:12,200
If the organization already detects plenty

2116
01:14:12,200 –> 01:14:13,560
but still bleeds time,

2117
01:14:13,560 –> 01:14:16,760
the gap is response, orchestration, and identity enforcement.

2118
01:14:16,760 –> 01:14:19,520
That means funding integration work, automation playbooks,

2119
01:14:19,520 –> 01:14:22,640
entitlement cleanup, and application modernization

2120
01:14:22,640 –> 01:14:24,560
so that revocation is actually honored.

2121
01:14:24,560 –> 01:14:27,480
That is not operational detail, that is the only path

2122
01:14:27,480 –> 01:14:29,720
to reducing MTTR. Finally, accountability,

2123
01:14:29,720 –> 01:14:31,720
not in the abstract, in the operating rhythm.

2124
01:14:31,720 –> 01:14:34,400
Every quarter leaders should demand three outputs.

2125
01:14:34,400 –> 01:14:37,160
Current MTTR for identity-driven incidents,

2126
01:14:37,160 –> 01:14:40,880
the top ten exception paths by risk and business criticality,

2127
01:14:40,880 –> 01:14:43,520
and the backlog of identity and response improvements

2128
01:14:43,520 –> 01:14:45,240
with owners and dates.

2129
01:14:45,240 –> 01:14:46,440
If those three are visible,

2130
01:14:46,440 –> 01:14:49,240
security stops being an argument and becomes a new problem

2131
01:14:49,240 –> 01:14:52,400
a system. That’s the executive operating model, one loop.

2132
01:14:52,400 –> 01:14:55,240
Explicit ownership, governed exceptions, pre-approved actions,

2133
01:14:55,240 –> 01:14:57,880
and a scoreboard that measures speed of containment.

2134
01:14:57,880 –> 01:14:59,360
Everything else is commentary.

2135
01:14:59,360 –> 01:15:00,680
Executive checklist.

2136
01:15:00,680 –> 01:15:02,440
What to ask your teams this quarter?

2137
01:15:02,440 –> 01:15:04,640
If leadership wants this to move from security

2138
01:15:04,640 –> 01:15:06,920
is complicated to security is operated,

2139
01:15:06,920 –> 01:15:09,360
the fastest way is to ask better questions.

2140
01:15:09,360 –> 01:15:12,080
Not more questions, better ones.

2141
01:15:12,080 –> 01:15:14,080
Here are the questions that cut through tooling

2142
01:15:14,080 –> 01:15:16,480
and land directly on system behavior.

2143
01:15:16,480 –> 01:15:18,440
First, where do we have authorization risk,

2144
01:15:18,440 –> 01:15:19,640
not authentication gaps?

2145
01:15:19,640 –> 01:15:21,600
Don’t accept we have MFA as an answer.

2146
01:15:21,600 –> 01:15:24,520
Ask where a compromised identity could still do disproportionate damage

2147
01:15:24,520 –> 01:15:26,000
because the entitlements are wrong.

2148
01:15:26,000 –> 01:15:27,080
Who can export data?

2149
01:15:27,080 –> 01:15:28,680
Who can change sharing settings?

2150
01:15:28,680 –> 01:15:30,240
Who can create app registrations?

2151
01:15:30,240 –> 01:15:31,720
Who can grant admin consent?

2152
01:15:31,720 –> 01:15:33,160
Who can disable controls?

2153
01:15:33,160 –> 01:15:35,040
If the answer is we are not sure.

2154
01:15:35,040 –> 01:15:36,280
That’s not a visibility gap.

2155
01:15:36,280 –> 01:15:37,640
That’s unmanaged blast radius.

2156
01:15:37,640 –> 01:15:41,280
Second, which identities can change systems, data, or controls?

2157
01:15:41,280 –> 01:15:42,960
Humans and non-humans.

2158
01:15:42,960 –> 01:15:45,320
This is where most organizations lie to themselves.

2159
01:15:45,320 –> 01:15:46,360
They can list admins.

2160
01:15:46,360 –> 01:15:48,960
They can’t list service principals, automation accounts,

2161
01:15:48,960 –> 01:15:52,960
CI/CD identities, connectors, or the new wave of agent identities.

2162
01:15:52,960 –> 01:15:55,800
If machine identities outnumber humans in your environment

2163
01:15:55,800 –> 01:15:57,760
and they usually do, then governing only humans

2164
01:15:57,760 –> 01:15:59,400
is a decorative security program.

2165
01:15:59,400 –> 01:16:02,680
Ask for an inventory, ownership model, and rotation posture.

2166
01:16:02,680 –> 01:16:04,720
If nobody owns an identity, it owns you.

2167
01:16:04,720 –> 01:16:06,800
Third, how quickly can we revoke access

2168
01:16:06,800 –> 01:16:08,800
across our critical apps when risk changes?

2169
01:16:08,800 –> 01:16:10,840
Not can we disable the user?

2170
01:16:10,840 –> 01:16:13,360
How quickly can we actually remove effective access

2171
01:16:13,360 –> 01:16:14,680
in the apps that matter?

2172
01:16:14,680 –> 01:16:17,480
Email, files, collaboration, ERP finance,

2173
01:16:17,480 –> 01:16:20,200
ticketing, code repos, and your top SaaS platforms.

2174
01:16:20,200 –> 01:16:22,520
Ask for proof, not assurance. Which of these apps

2175
01:16:22,520 –> 01:16:25,280
honor near real-time revocation signals,

2176
01:16:25,280 –> 01:16:28,160
and which will keep a session alive until token expiry?

2177
01:16:28,160 –> 01:16:30,680
If revocation is slow, you are granting attackers time

2178
01:16:30,680 –> 01:16:31,360
by design.

2179
01:16:31,360 –> 01:16:34,760
Fourth, how many response steps remain manual and why?

2180
01:16:34,760 –> 01:16:36,640
This is not a call to automate everything.

2181
01:16:36,640 –> 01:16:39,240
It’s a call to identify the latency you’ve normalized.

2182
01:16:39,240 –> 01:16:41,400
Ask your teams to map one identity incident

2183
01:16:41,400 –> 01:16:43,120
end to end and count the handoffs.

2184
01:16:43,120 –> 01:16:45,960
How many times does context get re-entered into a new system?

2185
01:16:45,960 –> 01:16:49,360
How many steps exist only because systems don’t talk to each other?

2186
01:16:49,360 –> 01:16:50,720
The goal is not fewer tickets.

2187
01:16:50,720 –> 01:16:53,640
The goal is fewer minutes between signal and containment.

2188
01:16:53,640 –> 01:16:55,360
Fifth, what exceptions exist?

2189
01:16:55,360 –> 01:16:57,120
Who owns them and when do they expire?

2190
01:16:57,120 –> 01:16:58,480
Executives are often the reason

2191
01:16:58,480 –> 01:17:02,040
exception culture survives, so ask for the uncomfortable list.

2192
01:17:02,040 –> 01:17:05,040
Exclusions in conditional access, bypasses for business

2193
01:17:05,040 –> 01:17:08,400
critical apps, accounts that never get access reviewed,

2194
01:17:08,400 –> 01:17:11,520
service principals with broad permissions temporarily,

2195
01:17:11,520 –> 01:17:15,360
and privileged roles that stay standing because it’s easier.

2196
01:17:15,360 –> 01:17:19,440
If an exception has no owner and no expiry, it is not an exception.

2197
01:17:19,440 –> 01:17:20,880
It is the real architecture.

2198
01:17:20,880 –> 01:17:24,160
Sixth, what is our current MTTR for identity-driven incidents

2199
01:17:24,160 –> 01:17:27,840
end to end? Not a guess, not a slide, a measured baseline.

2200
01:17:27,840 –> 01:17:32,000
An MTTR broken into detect, decide, enforce, recover.

2201
01:17:32,000 –> 01:17:34,040
If your teams can’t produce those timestamps,

2202
01:17:34,040 –> 01:17:35,000
they can’t improve them.

2203
01:17:35,000 –> 01:17:37,600
If they can produce them, then leadership can fund

2204
01:17:37,600 –> 01:17:39,400
the stage that is actually slow.

2205
01:17:39,400 –> 01:17:43,880
Decision rights, enforcement mechanisms, or recovery workflows.

2206
01:17:43,880 –> 01:17:46,320
Seventh, and this is the one most leaders avoid.

2207
01:17:46,320 –> 01:17:49,160
Who has authority to act and how fast can they act

2208
01:17:49,160 –> 01:17:51,320
when the identity is politically sensitive?

2209
01:17:51,320 –> 01:17:53,320
Ask specifically about the hard cases,

2210
01:17:53,320 –> 01:17:56,000
an executive account, a production deployment identity,

2211
01:17:56,000 –> 01:17:58,400
a revenue workflow, a third-party integration

2212
01:17:58,400 –> 01:18:02,360
that a business unit owns, or a service principal nobody understands.

2213
01:18:02,360 –> 01:18:05,240
In those cases, does the organization have pre-approved actions

2214
01:18:05,240 –> 01:18:06,640
or does it have meetings?

2215
01:18:06,640 –> 01:18:09,120
Because an attacker doesn’t care that the identity is important,

2216
01:18:09,120 –> 01:18:10,440
they care that it is powerful.

2217
01:18:10,440 –> 01:18:12,600
If you ask these questions and you get vague answers,

2218
01:18:12,600 –> 01:18:14,440
that is not a failure of the security team.

2219
01:18:14,440 –> 01:18:16,760
That is a leadership problem, unclear intent,

2220
01:18:16,760 –> 01:18:20,600
unclear ownership, and no mandate to reduce decision latency.

2221
01:18:20,600 –> 01:18:23,240
So don’t ask your teams for a zero trust roadmap;

2222
01:18:23,240 –> 01:18:26,440
ask them for proof that the trust model is enforceable,

2223
01:18:26,440 –> 01:18:29,600
exceptions are governed, and response actions are pre-approved

2224
01:18:29,600 –> 01:18:30,280
and rehearsed.

2225
01:18:30,280 –> 01:18:33,640
That is what security maturity looks like when it’s real time.

2226
01:18:33,640 –> 01:18:35,840
Conclusion by security as an enabler.

2227
01:18:35,840 –> 01:18:38,480
Security maturity is safe autonomy plus fast recovery,

2228
01:18:38,480 –> 01:18:41,760
measured by MTTR, not by how many controls you can list.

2229
01:18:41,760 –> 01:18:43,440
If you want the practitioner version of this,

2230
01:18:43,440 –> 01:18:45,560
listen to the follow-up episode where we unpack

2231
01:18:45,560 –> 01:18:48,560
Entra governance, CAE, and Defender-to-ServiceNow

2232
01:18:48,560 –> 01:18:51,000
response loops in plain operational terms.

2233
01:18:51,000 –> 01:18:54,480
Subscribe to M365FM and queue that next episode now.




