
very good morning. Uh thanks for uh the full room. Previously I was seeing like I was very happy like it's going to be very full room and uh how I'm going to manage it but I'm very happy that like you guys are stopping here and trying to understand a very important problem uh which is uh which is which is going to solve uh the current AI. Thank you so much first of all for coming and stopping by. Um so today morning when I try to wake up uh there was a beautiful woman trying to wake me up. Don't think that it's my wife. It's Alexa. Hey wake up. Today you have this appointment. You're going to talk to
people and you're going to educate the people which is your expert. Okay. Then I just slowly move into uh the restroom and start pressing. In that in that press I see it's AI enhanced really okay then I move around and immediately started uh the Alexa a assistants everything in the house started speaking to me and it makes me anxious in the morning. But if you talk to any motivational speakers, any psychologist, they they will tell you when you wake up at least for 30 minutes to 1 hour, don't go near to the technology. Is it true? Right. But anybody is can you follow that? Anybody? Anybody? Oh, very nice. I see a gentleman. Thank you so much. Uh I
try to follow but it's very tough. The morning when I wake up, I immediately I go to the device and check. Okay, what is happening today? And that the whole day it sucks up all my dopamine. It's done. That is how the AI coming into our life. Okay, let me ask you some question. Anyone of you running into AI some funny stuff like you see any advertisement anything crazy about like because if you see everywhere all the places AI so any interesting stuff like you see like in the washing machine dryer and dishwasher and any product you look at there is always it's AI enhanced AI producted so the one interesting I saw in the ready yesterday so one guy was
talking about AI AI water what is it? AI water it make you smart. Ah okay it make you smart a can make you smart. So that is how the a world is emerging. So the AI provides lot of lot of advantages so many advantages to us. In 2024 November there was a statistics in United States 40%age of the adults people they are using AI in their daily life. How many of you are not using AI in this crowd? Oh no one right? Everybody uses somehow they may have in their mobile phone or work life or somewhere some apps they might be using it right. But although we have so many advantages but we may have
many disadvantages too and how can we solve that as a security professional. So some of them are very expert like they you are in the field for a long time and some of them very new you're going to step into future expert of cyber security then how we are responsible and how we are going to secure AI that's what we are going to see so first of all I want to introduce uh myself quickly my name is Palanuel Manogan you can call me as Mano of course you can only call me as Mano it's easy and uh I have done uh many certifications in uh um CIBC, CSP and all those stuff. I am in the IAM field
for 15 years. I worked for Publix here. I moved to Florida because for Publix I protected their system and now I'm working for Humana uh insurance Jane and I'm working as an architect. All the IAM solutions I designed and built for them and in future let's see how that look like. So to know more about me my site website rgmonpeaker.com. All right now AI now and then. So maybe there was a shocking news uh two weeks before Microsoft CEO Satya Nadella and uh Facebook uh CEO Mark Zuckerberg they were talking about 40%age of their coding was done by AI. Did you see that news? So is it this it is some somewhat like you guys okay is it going
to replace our job you think no yes exactly it cannot replace a job they can tell us anything but 40%age of the code but still what I believe AI cannot replace humans definitely because it is our baby how they can replace us so but the way we work today the way the job market currently in that definitely is going to change. So how we are going to adapt ourself to the AI world that is how it's going to change in future. So now currently because if you see on all my slides I have a robot baby you know why because AI is in initial state we this is a baby it it can't do a mistake
it is not the right it is not going to provide you the right solution or decisions and it is very new the same like last 10 15 years before everybody's talking about oh we are going to move to the cloud we are planning to move to the cloud and everybody think oh are you going to shift your on- premises to cloud Now everything is real. Now people are going back to on premises because they see the bills. Oh, I might have stayed on my house instead of just renting out. So that is how the the technology changes. The same way we are in AI and there is a hype cycle everybody even without know the output
and without know the outcomes. So everybody we talked about everybody talk about AI AI AI everywhere AI. So how it's going to bring it up the value and what are the disadvantages or what are the benefits we have and how IAM is going to play the role because it's my field. I'm started researching okay everybody talking about AI but how I'm going to be a responsible IAM expert how I can help how I can protect the AI pitfalls or issues this is what hype cycle the Gartner from 2019 there was a concept the theory in any technology in the world any technology you can take it up anything. So it start from innovation trigger now
we are in the peak of inflated expectation. So that is what we don't understand like everybody going around and they they're trying to use it then we try to use it. We don't know why we are using so what are the what are the different problems it may create how the data is sifted to somebody else and and we don't care we try to use it. Uh recently OpenAI introduced uh a trending image capability if you remember I forget the name. Um anybody aware about that? So like when we upload the image it gives back some uh animated images of us. We look so good in that. What what is that? Uh zip je uh I forgot
that. Sorry. So that technology when they opened up they training their model with your images you are giving it free same like social media boom the technology when they invented so we are giving a data for free take it up I'm open my data is open for anybody you can use it then we cry for privacy oh man I'm I'm I'm very very very hard I feel sad about my privacy so that is how the technology try to eat Okay, with the rise of the AI and machine learning in security, you think like you will definitely learn end of this uh presentation. But let me ask you something. Option A, option C, option D. So this is a $1 million question. You
can say that which can be a very important and critical concept would be would be solving it. Somebody said answer >> exactly. So anybody from like IAM already? So you guys Oh, then you will be answering everything. [laughter] All right. You you're from IAM too. Oh, nice. Nice to meet you my partners. Thank you guys. So policy based access control. Yes, definitely this is very important from IAM field going to solve many of the AI issues we going to see. The next one do you know why I'm talking going to talk about IAM why it's important everybody talk about pentesting purple team and defense GRC and lot of stuffs are there but before you get into the
gate we are the one protecting the system so without the right access without the right people uh we allow you cannot do any work and most of the breaches recently happen because of the student currency report and only less than half of the organization less than half of the organization it's not even 50%age currently they can protect identities from AI attacks when they use the attackers when they use AI technology so that is how the current organizations living in yeah anyone of anyone of you hear about the words zero trust right most of most of you right um always verify never trust even if you I speak never trust me always verify who I am so that is how the zero trust zero
trust is booming and every industry they're trying to adapt zero trust but are we in the mark already no everybody trying to do it but not exactly so that is So that is how the IAM is playing a major role in the zero trust. There is a one pillar within zero trust is identity and access management. 90% of the organization experienced at least one identity related incident in last year. So many attacks. If you work in Microsoft Azure, if you call the product called Entra, you can see how many like a millions, billions of signals they try to attack each and every company in the US. Already we are attractive. So everybody try to attack all the different
companies and the Identity Theft Resource Center if you see 21%age identity crimes increasing that was the reason so I came here to talk about very important thing IAM how can we protected so these are the companies most likely you might have already know about it and so many breaches just last two years because of the Snowflake. Snowflake was huge. Many of the companies they got impacted. You know what? What was the reason? It was just unauthorized access. They did not enable multifactor for break-glass accounts. So that was the simple reason but it it created a big impact wave to all the different industries and Microsoft Midnight Blizzard breach was very fun. They promote it everybody use passwordless
use multifactor use strong authentication but in their lower level environment they forget to enable MFA. This is how we sometime we forgot and act breach that was another interesting one CDK Global most of the most of the breaches I listed down here they are impact of lack of the right control right IAM control placed so that is how the IAM's playing a major critical role in the industry so what IAM some of our guys already have what IAM identity and access management. The right people have a right access at the right time. So this is what IAM very simple one single sentence I can tell you if you are the right person. So what is this? This ID card we have this
is authentication. Okay. You are authenticated to come into BSides Tampa and are you allowed to attend all the sessions? Yes, you are allowed with this authorizing it. But in some of the rooms you are not allowed not everybody allowed that is authorization are you allowed to access all the rooms that's authorization that is what IAM why IAM right access control and no more network is only the security perimeter so IAM is already taken over especially in this cloud era people often move to the cloud every cloud provider they say one single word security is your responsibility. We give you a house and but you need to take care of it. I cannot come and sit
with you all the time with the lock at the camera. No, it's not possible. That is how they sell the product. So this is what IAM and so many compliance and regulations and you have to have this and that and all those stuff. So this IAM providing lot of benefits. I don't want to go each and everything but this is what I hold IAM multiple different areas identity life cycle management so when you try to onboard the people that is the user life cycle management done by identity life cycle management access management single sign on multifactor passwordless no more passwords Microsoft Target and Gmail Google everywhere they are trying to enforce passwordless try to
use it like if already using it. That is that is well and good. We don't need to remember password anymore. Already I'm remembering all my dogs like in my life like okay all the pets I have because I already the ran out of my passwords. So no more passwords is how and privileged access management who can access what and when and you are the right person and we will provide you only access when you need. We don't provide you access all the time. Oh, you're allowed to do anything. You are the enterprise admin, global admin, you can use it. No, do you need do you have a change control, change request and go for it, activate it and use it. That's a
privileged access management and cloud IAM is a different space. There are so many interesting things, latest stuff like workload identities, machine identities especially that is very important for this AI because AI is not anymore like it's not it's not a human, it's not a human account. It is a service account the anybody hear about agentic AI right agentic AI so many of the people talking about in this conference too that everybody afraid about it oh it's going to replace human it's going to kill human it's going to do something blah blah blah everything they're doing no you when until unless you don't have access what you can do you just sit outside the door and look for me that is how
this going to play and identity threat detection and response This was booming and not only we going to monitor all the attacks and the traffic and we are also going to monitor identity related threats and all the transactions. Okay, another question. Once a user is granted access to an application, they should generally retain the access indefinitely just in case they need it again in the future. True or false? Definitely. Yeah, that's what we talk about, right? Just in time access. Uh we cannot allow you all the time. Everybody know IAM very well than me I guess. Okay. Now we go into the topic. You talk about IAM. What is IAM? Why IAM? What
is AI now and then? Okay. What is next? What are the challenges? You see IAM challenges especially in IAM challenges and how can you re uh mitigate it? Right. So these are the challenges within AI currently. Major challenges I can say but there are so many challenges but major challenges data privacy and security concerns. Yeah, it is a very important one and everybody talk about data privacy. Uh but no anymore I feel. So one one in one incident happened one of my friend he was talking about to me he was using ChatGPT to get all the code for writing into for for the company. He provided all the IP addresses. He provided all the details like sensitive
data into the ChatGPT. Next time what happened was when other people the bad actors they were trying to ask the company A what is the IP range they are using and what is the technology they use it for writing this particular application it's completely given all the details to them so already data breached because AI doesn't know is it sensitive or not sensitive so that is how usually people to build the AI but it was Not because large language models doesn't understand okay this data I have to consume this data I don't consume. No whatever you feed whatever you do like a prompt engineering or generative AI that takes up your input and learn by
themsel learn by itself and try to build the responses in future. So we have to be very very very careful what we are asking for with AI. Many companies they are in awake mode and they are trying to bring their own instance for that. They wanted to run everything within their own instance instead of just going to the cloud. So so many services they are having and they're trying to do it and complexity of managing AI identities it's going to be very very very tough especially the agentic AI. tomorrow if I want to go to some vacation I will just tell my agent okay hey I need to plan for the trip just just try to go and do
everything by yourself that has my credit card information that has to be right that that should be have my credit card information that should have my phone number address email address all those stuff and it has to have access to multiple different websites it has to access to bookings.com it has to access to uh airline ticket to booking the airline tickets and all those accesses will be provided with agentic AI. So who is going to control that? Who is going to who is going to provide then all the human identities we are trying to protect? How we can apply those all identity and access management theory concepts into agentic AI? It's going to be very hard. So the IAM
need to be re-evolved and re-imagined and re-implemented. any organization they have to take it take it serious in case if you like to implement IAM same like every other uh AI if same like every other people oh we have to compete in the market we just go for and implement IAM uh AI without understanding the technology it's going to be hard and regulatory compliance is used definitely and interaction with existing systems and process okay how can you train the model you get the instance from OpenAI for your company and you need to feed the data. AI is data hungry. Are you guys hungry now? Right? Yes, I understand because I feel too. So same
way AI is data hungry. You need to provide the data. It eats up and throw up. That is how AI is going to work. Then in that case if you like the AI agentic AI or any prompt engineering if you like to implement in your company then you have to open your data how can you separate it out sensitive and nonsensitive data and how can you protect the access to the sensitive data when you allow AI to learn it. So we let's see what the solution what what the solution we have. So for the data what are what is exactly about data privacy and security concerns right. So when AI tries to collect of collection
of sensitive data, it tries to go and touch the sensitive PII data, PHI data or any other sensitive data, it tries to access and learn by itself. That is bad and many times collection of data without consent many places it's happening. If you look at me, go and search in the ChatGPT or Gemini today. Who is Mano? It tells me something. I sucked even I don't know like I I'm I'm there I'm like that. So it provides so much of context about me. It takes the data from social media and it takes from here and there and it tries to build something new story about my life. Your consent without your consent somebody talks about you bad even in
front of the public speaking. Oh this guy is very bad and this guy has done all these mistakes. This guy is so great. What do you think? Right. So that is what without consent without any permission our data are used to manipulate the bad information misinformation or disinformation about a person that's going to be challenging with this AI and unchecked surveillance and pers. So this is a very very very another problem we have the data based on the data it can be biased but sometime the way we insert the data or put the data inside the AI system will make a bias decisions and data exfiltration data leakage anything is possible with this AI world
what can be done to to reduce the data concerns right security and consents everything else I don't want to focus but only thing I love to focus this this uh this guy you most likely you hear about it risk assessments you do every year every 6 months once in your company and limiting the data collection okay what data can be fed what data can be restricted all those stuff and seeking and confirming consent security practices providing more protection for data from sensitive domains This is where IAM is going to make a big difference. Each data like when you try to pull okay what type of data can be pulled and how can we protect it and the data can be so
for the social security numbers uh one system we have social security number if try to try to exfiltrate or get the data into AI system how can we protect it so that is where data data masking or data removal come and play a major role okay how can you do that if the AI system have a service account or agentic AI try to access it. Okay, if you are accessing I'm going to mask the data I'm going to do the dynamic authorization dynamically we authorize the data and allow agentic AI or AI going to get this data. So that is how we are going to fix this problem. IAM is going to fix the problem and
reporting and data collection and storage. So that's important how how can we segregate separate the access between each system when we feed the data into that AI that's how same like that this is this is what I love this topic agentic AI everybody talks about initially like couple of years before everybody so when first time open introduced 2019 nobody cared it it came up and they don't have a they don't have a attraction but 2022 Actually there was a game change and everybody started talking about AI and they started using ChatGPT and DeepSeek and many other new new AI came came into the market. Now everywhere is AI your data is already available everywhere. It is very hard to
protect it. So the agent now everybody the hot topic is agentic AI. So it's going to it's going to be very hard and how can we protect it? How can we stop it? How can how can we stop that to overcome um so overtaken u so why it's going to overtake human and all those topics are now it's it's unfocused so because why you know the agentic AI is actually autonomous and it has a dynamic behavior it can learn by themselves with a different functionalities different data you provide and different operations you ask for it based on the different functions different functionalities it can learn by itself and try to steal the data. So how the access is going to be maintained
for this each AI agents and if you allow to provide same like human identities human IAM for agentic AI you will be end up having 1 million identities because it automatically same like in a movie it automatically multiplied agents will multiply based on the user usages. is if today's we have a thousand users for doing the same operation tomorrow it's going to be a million users then you will be ended up like a billion agents doing the job for you so how can we manage the identities how can we limit the access those identities h so many challenges on this particular agentic AI so what solutions what I researched and what I learned I want to share with you.
We have to separate that human IAM system and we have to have a separate framework for agentic AI. We should not mix it up. No, this is not going to work what we have from the olden way. No, it's completely different. You need to make sure you have a different different way of implementing IAM and implement dynamic access control. That's what you guys already answered it. Policy based access control that checks and allow access provide access when you need based on the policies that policies need to be written intelligently but don't write again that policy using artificial intelligence [laughter] then that that can easily modify it so that is where human needed so some of
the people you said okay whether AI is going to replace human no I like that answer AI is going to change the way we work and one of the research from Oxford University they say that the low profile jobs low income jobs may be replaced but it it can it is again it's a theoretical for example the truck drivers are Uber it's completely changing the way how we are hiring Uber and traveling one place to another place autonomous cars so That is how the AI making change. AI is seem like a calculator. So some 20 more than many years right? So calculator we try to use. So when the calculator came nobody was trying to use and everybody
using today I'm asking you okay anyone of you in the crowd can you tell me 388.25 plus 8080.65 what is the answer immediately take the phone. Okay do that. So that is how the AI is going to be change our life too. Oh now I'm already forget to write. If you ask me to write in the note paper I am like a kindergarten student like A B like that because we started typing and we don't have we are not using at all. Same way in India IM university student he got a top percentage 93%age he got in in in academic writing you know he posted in in I used AI to write this article I got
top one then what happens to the real person who is really working hard and doing the work and writing it some some of the Harry report we still anticipate from this AI. So enforce least and just in time access and utilize strong authentication passwordless or passwordless is the strongest strongest authentication today currently available. No other MFA if even if you have biometric and everything whatever it is but passwordless is the top if you enable it that would be great. So for that only for machine identities they concept called in IAM federated credentials. So that don't need a password they don't need a secret that work with a token one time generated token that is the strongest way of
utilizing machine identities for the agentic AI and obviously implement comprehensive monitoring and auditing. This one I already told you but anybody can try to answer uh latest IAM technology employed to safeguard machine and workload identities. Just now I told that passwordless federated identity that is correct. So more both are same federated identities uh is booming and providing authentication and authorization for agentic AI. Okay, we are almost like uh at the point like just five more minutes. I'm going to tell some some of the examples currently within all the different industries we have IAM what what different IAM challenges currently we are facing let's go the financial institution for example we take it up AI for task
like fraud detection algorithmic trading and customer service so these AI systems definitely need sensitive data access do you agree to provide this already every company how many of you more like so when you try to talk take a phone or try to chat with any company for support how many of get irritated at least 5 minutes it route to you yes I understand uh I understand uh I can help you but can you can you can you tell me the real problem can you can you please elaborate what is your problem I already elaborated five times 10 times no I I need some specific okay I will give you the five different options select it
okay I have a problem I have a problem I have a problem I select it again It is asking again okay can you please route this to the real agent the human agent but it doesn't do many places it will kill us like I get oh man so that that type of chats are or agentic agent AIS going to help on many places but that really need data. So recently I have a experience around like a one application. They did a very nice job. Uh I was trying to log in I forgot my username and password. I don't have my credential. I didn't oh it's a J C Penney. I I remembered it. So I really surprised that company is not
doing well for a long time but they did a very nice implementation. So I don't have password. I don't have a I don't remember past name. Okay we will help you. That is a agent AI they implemented recently. What they did is they route you. They send you the okay again it is a phishing link. It can be phishing link. Okay, we have to be very careful. They will be sending you your phone number. When you click that it automatically validate yourself with all the sensitive information. Again that is what agent AI. So it ask you your SSN number and uh it ask you a phone number and address and some of the details and immediately
allows you to log into account without username and password. So one way is good but we have to be very careful before we click the link or we getting the message from J C Penney or somebody else in between sitting and they can send you the text and you can enter all your details for them. So some of the disadvantage we have but why why I'm saying that that sensitive financial data or any data we need to provide the access to them for the agent AI many example we have so the one solution we have is a dynamic PBAC dynamic policy based authorization control and context aware authentication and authorization from where the where it is
logging in or the agentic AI logs in from the network internal network and this is login from the known location and what time is used to login what job it is doing all those context need to be aware before providing access and healthcare industry again right so this is also need uh for example this example an AI model used to predict the risk of heart disease needs access to patient data including age medical history lab results especially in US HIPAA plays a major role and data can be shared between each entity. So in that case it's going to be very hard when they try to implement but even though they implement it then how you
are going to protect the data and how how can you give segregation data segregation is going to happen so that will be done through JIT just in time access ephemeral credentials and short-lived credentials and data masking and PBAC. So when we combine this IAM technologies you definitely can solve it same same it is example. So these are two systems one is a medical imaging system another one is actually another system need the data and and parse it the AI system need to parse it and understand it and need to provide the analysis result to the doctor provider. So how they can talk to each other the systems each other. So that can be done
with a mutual authentication through certificates or through uh passwordless or federated credentials. So service to service they can communicate and securely they can pass the data and also the have a API security authentication. So on the API layer level the you might have heard about like IAM guys heard about OAuth. Uh so those are the modern authentication and authorization technologies can be utilized to avoid any breaches. This is this is again uh same basically strong access to access controls to data we need to provide for the moral sector to stop. So finally I have 10. Okay. To effectively protect and preserve organization model AI models the IAM plays a major important crucial role and it has to be
seen differently and provide more focus. So that will definitely will help your organization stay secure and that is what IAM mean. All right. So that's all I have. So I know some of the topics I went depth and uh if you have any questions we can talk through for five more minutes. You have any questions to talk about it? >> Yes sir. >> That's something I actually recently did.
So uh break-glass accounts the problem is it's not tied up with the human right. So we cannot go for biometric or MFA or something like that. So most likely some of the organizations what they do u they will maintain some some of the tools they provide they can get the OTP one-time password generation through inside the tool that tool will have accessed by the higher management. So until in case of something bad happen then they only have access they can get that credential for you. Uh if not right so we cannot simply provide a multifactor authentication because that not tied up to the human identities. I think hopefully you implemented the same because if you tied up with some person
so definitely you can leave the company or you may lose the device so anything can happen. So for example I can provide you CyberArk. So for those all those break-glass account they used to provide you a hard uh hard hardware server which we can maintain within the uh on premises uh data center. So there you can usually store all those break-glass accounts. So until unless you have access to your on premises uh uh on premises server room or on-premises uh data center you cannot access it. So that is how so security again we can slow down the bad actors but we cannot completely avoid it. Yeah. Yeah. Yeah. This how any other questions? >> Yes sir.
>> Human. Oh password. Oh you said like condition disclaimer. No passwordless. Easy. [laughter]
>> Yes.
So individuals definitely if they are not very closer to password passwordless uh they definitely MFA is a is a next solution they have to implement for all the human identities. uh for the break-glass accounts or service accounts uh there is a there is a concept in cyber or anything I think API they call it as so API which does it at daily rotation of password for the credentials also that go and update on the application where that password resides in. So usually you will be maintaining the centralized password store. So that is exposing API for this is one of the tool like CyberArk you might have hear about there is one tool. So they
maintain all the service account credentials over there that will be automatically rotated every 24 hours or you can reduce it every 1 hours too. So the same time from the applications it can be Java, .NET or any any type of applications they pull in the password every time it tries to use it. So that is how we I see it can be rectified until unless if they don't uh very closer to passwordless but now federated identity federated authentic authorization authentication is a very best solution um um for for implementing it you may require some effort on the application side. Uh but definitely that rectify complete secrets federated identities is a best for any machine identities or any service accounts.
Yeah. Cool. Any other final questions? Yes ma'am.
>> Um so for example again uh user context right context aware. So the AI agents uh if they that that is looking for access uh then you need to provide more granular you you have to go into the more granular from the networking start from networking and uh from the time access from the what time you are allowing access so basically the short answer is more granular you need to design the solution design the policy not like just simply on the high level okay you are allowed to access on the on this particular time but no so you have to go for multiple conditions multiple rule sets you need to be implemented to protect it yeah all right thank you so
much and if you have any further questions definitely you can reach me out and thank you for listening in and thank you so much guys happy I am take