Malik Haidar has spent years in the trenches of multinational security, closing the distance between boardroom priorities and frontline incident response. He treats identity not just as a login but as a living system spanning humans, non-human services, and fast-moving agentic AI. In this conversation, he explains how to redraw trust boundaries, make execution-level governance real-time, and convert shadow AI and zombie agents from silent risks into measurable value. We explore how to embed origin, delegation, and intent into every action, keep latency low without sacrificing safety, and align teams around centralized IAM while safeguarding domain autonomy. The themes are clear: extend identity past authentication, unify visibility to close the attribution gap, treat agentic identities as first-class citizens with continuous lifecycle control, and measure readiness honestly—because only 22% are truly AI-ready while 40% self-identify as mature, and nearly 90% want centralized IAM to make it all work at scale.
When environments include human, non-human, and agentic identities, how do you redraw the trust boundaries, and what guardrails prevent privilege bleed between them? Please share a concrete example and the metrics you track to prove it works.
I start by separating planes: human, non-human, and agentic are three distinct identity types with explicit crossing points governed by policies, not by shared credentials. The guardrails are preapproved delegation scopes that encode intent—read-only versus write, environment tier, and time-bounded execution—so an agent can’t silently inherit a human’s full authority. In practice, we fenced a finance bot that touched billing systems from a data warehouse agent by carving separate access corridors and forcing all cross-plane calls through signed delegation tokens that carried origin and purpose. The proof shows up in metrics: zero cross-plane privilege escalations over a quarter, measurable reduction in “unknown initiator” log lines, and incident triage times dropping from minutes to seconds because we can finally see the path of authority when 61% of tooling pressure is unsanctioned and racing ahead of governance.
Agentic identities act at machine speed and make autonomous decisions. How do you design decision checkpoints without throttling productivity, and what latency or throughput targets guide your architecture?
I design checkpoints at natural transaction seams—before data leaves a boundary, before configuration writes, and before privilege amplification—so we intercept fewer but higher-value decisions. Each checkpoint evaluates origin, delegation path, and intent, plus a quick risk score that flags high-velocity patterns called out in the “seconds” threat model. Rather than add friction to every step, we cluster low-risk actions and batch-approve them while forcing interactive re-authorization for sensitive jumps, especially when agents chain actions across systems in seconds. The throughput reality is that AI adoption is outrunning controls for 60% of leaders, so the bar is simple: checkpoints must complete in seconds, not minutes, and they must keep pace with the cascade of autonomous steps without becoming a bottleneck.
When autonomous agents inherit human-level privileges, what delegation model replaces shared or inherited credentials? Walk through the exact steps to implement least-privilege delegation and how you validate it in production.
Replace inheritance with explicit, time-scoped delegation that declares what the agent can do, on whose behalf, and for what purpose. Step one: model roles per identity type, keeping human and agentic roles separate. Step two: mint a short-lived, signed token for the agent with embedded origin, delegator, intent, and resource constraints. Step three: enforce verification at every target system, not just the entry point, so execution remains tethered to purpose. We validate by running production canaries that simulate risky actions in seconds, confirm that write operations beyond the declared scope fail, and review weekly drift reports; when only 22% are truly AI-ready, that discipline is the difference between theory and provable least privilege.
Audit logs often attribute actions to a human who never initiated them. How do you encode delegation paths and intent context into logs, and what schema or fields have proven most useful during incident response?
We log the actor-of-record as the agent, not the human, and attach a verifiable delegation chain so investigators can follow the breadcrumbs without guesswork. The schema includes fields like origin_identity, actor_type (human, non-human, agentic), delegator_id, delegation_reason, intent_category, scope_hash, and execution_context. We also capture sequence_id to correlate rapid chains that unfold in seconds and a policy_version to know exactly which rules authorized the action. In incident response, this trims the attribution gap from vague blame to crisp lineage, which is essential when 40% of organizations think they’re AI-mature but lack the fields to prove who actually did what.
With 61% of organizations reporting unsanctioned AI use, how do you uncover and rein in shadow AI without stifling innovation? Describe your discovery methods, success metrics, and a time you turned a rogue tool into a sanctioned capability.
I start with discovery through network egress patterns and API key inventories, looking for agents that act in seconds and never show up in IAM. Then I invite those teams in: we run a fast-track review that maps the agent’s purpose to approved scopes, adds execution metadata, and shifts it under lifecycle controls. Success looks like shrinking the unknown-to-known agent ratio each month and converting shadow tools into sanctioned capabilities that retain their speed without the attribution gap. We once onboarded a “rogue” data enrichment bot by wrapping it with explicit delegation and logging; the win was twofold—innovation stayed intact while we aligned with the reality that nearly 90% favor centralized IAM to make this scale safely.
Zombie agents linger with valid access and outdated permissions. How do you continuously detect, quarantine, and retire them, and what risk score or time-to-remediation targets keep this sustainable?
Zombie agents give themselves away through stale intent and repetitive patterns that no longer match declared purpose. We run continuous recertification that flags inactivity windows, privilege drift beyond original scope, and execution bursts happening in seconds at odd hours. Quarantine means revoking write scopes but preserving read-only diagnostics so we don’t break workflows blindly, then we retire or right-size based on necessity. The sustainability test is simple: time-to-remediation must be measured in hours at worst and ideally seconds for high-risk cases, because the longer they linger, the more silent damage they can cause.
Only 22% are truly AI-ready while 40% self-identify as AI-mature. How do you diagnose the gap in identity governance terms, and what three milestones reliably move a team from perception to measurable readiness?
I diagnose readiness by asking one question: can you attribute each action to a specific identity and intent in seconds? Most can’t. The three milestones are clear. First, treat agentic identities as first-class citizens with unique roles and lifecycle controls. Second, implement execution-level governance so every action carries origin, delegation, and intent metadata. Third, unify IAM across domains—because nearly 90% agree centralization is necessary—so you can enforce and observe consistently. Teams that hit these three see the gap between 40% perceived maturity and 22% actual readiness start to close.
Reactive IAM assumes post-login behavior is trustworthy. What execution-level controls let you detect misuse in seconds, and how do you tune behavioral baselines to avoid alert fatigue while catching rapid data exfiltration?
I deploy policy guards that evaluate not just who logged in but how access is used across the next sequence of steps. Controls include write-blocks on sensitive objects without matching intent, rate limits that react to bursts in seconds, and sequence anomaly detectors that spot unusual chaining across systems. To avoid noise, we baseline by intent category and actor_type, so an agent built for reads doesn’t trigger on predictable reads but will alarm on configuration writes. The goal is surgical fidelity—catch the compromised agent trying to exfiltrate in seconds without drowning analysts when 60% already feel outpaced.
A compromised agent can scan and exfiltrate sensitive data in moments. What containment playbook do you run in the first five minutes, and which telemetry—by source and granularity—matters most?
In the first five minutes, I do four things: revoke the agent’s write scopes, freeze its delegation chain, snapshot the last seconds of execution, and deploy deception routes to divert further calls. The telemetry I need is high-granularity action logs with origin, delegator, intent, and sequence data, and egress records that confirm whether data crossed boundaries. I correlate across systems to rebuild the chain of actions that can happen in seconds, then reissue narrow, temporary scopes for safe investigation. The speed of that loop is existential—five minutes is a lifetime when machines move at machine speed.
Each action should carry origin, delegation path, and intent metadata. How do you propagate that metadata across fragmented systems, and what standards or APIs have best supported cross-platform fidelity?
We standardize on a compact, signed context envelope that rides with every call, so downstream systems can validate origin and intent without trusting the caller. The envelope includes the three pillars—origin, delegation, and intent—plus a sequence_id to preserve order across actions that execute in seconds. For systems that can’t ingest rich context, we translate at the gateway so fidelity isn’t lost just because a legacy app is blind to agentic metadata. When nearly 90% want unified infrastructure, this envelope becomes the lingua franca that stitches domains together without forcing a big-bang rewrite.
Nearly 90% of leaders favor centralized IAM and unified infrastructure. How do you balance centralization with domain autonomy, and what operating model (teams, SLAs, escalation) sustains scale without creating bottlenecks?
Centralize the policy engine and identity fabric, decentralize service ownership and day-to-day changes within guardrails. The operating model pairs a core IAM team with domain stewards who own their agents and data but must encode origin, delegation, and intent in every action. SLAs commit to seconds-to-minutes policy propagation and same-day onboarding for new agentic roles, with escalations that pull in incident response when sequence anomalies spike. That balance lets teams move fast while the center maintains the attribution backbone that 60% of leaders feel they’re missing.
Lifecycle management for non-human and agentic identities must be continuous. What triggers drive re-certification, how do you measure “necessity,” and which automated controls revoke or right-size privileges without breaking workflows?
Triggers include privilege drift, inactivity windows, and new action sequences that pop up in seconds but weren’t part of the approved intent. We measure necessity by mapping actions to outcomes—if an agent’s declared purpose isn’t reflected in recent execution, it’s a candidate for right-sizing. Automation revokes write scopes first, then gradually trims read scopes while watching for workflow errors; where needed, we insert a temporary delegation requiring a human to approve sensitive steps. It’s a rolling heartbeat that keeps zombie agents from accumulating into the technical debt we all fear.
Execution visibility depends on IT unification. What integrations deliver the highest attribution value per engineering hour, and how do you roadmap the rest without creating blind spots during migration?
Start with the systems that move money, customer data, or configuration states, because that’s where attribution gaps hurt most in seconds. Integrate your identity fabric with CI/CD, data platforms, and admin consoles so every high-impact action inherits origin, delegation, and intent. For the roadmap, we tier integrations by blast radius and likelihood of agentic use, sequencing migrations so you never leave the most active corridors dark. Remember, with only 22% AI-ready and 40% claiming maturity, the difference is ruthless prioritization, not just more connectors.
Moving away from inherited credentials requires tightly governed authority. Which cryptographic or token strategies have worked best, and how do you rotate, scope, and expire tokens in complex multi-tenant environments?
Short-lived, signed tokens with embedded delegation and intent are the backbone because they die on their own and tell you why they exist. We scope them to the smallest viable set of actions, rotate at boundaries like release cycles, and force expiry so a compromise lasts seconds, not days. In multi-tenant setups, the token carries tenant context and policy_version so enforcement is precise even when agents chain across systems quickly. The outcome is fewer blanket keys and no more murky “who did this?” moments that fuel the attribution gap.
High-velocity agents chain actions across systems in seconds. How do you model and enforce safe action-chains, and what anomaly patterns (sequence, frequency, data sensitivity) have proven most predictive in practice?
We model action-chains as declarative graphs that specify allowed sequences, maximum frequency, and the sensitivity ceiling for data touched. Enforcement checks both the current step and the path taken in the last seconds so an agent can’t sneak a prohibited write after a benign read. The most predictive anomalies are off-policy sequence jumps, frequency spikes that compress hours of work into seconds, and attempts to lift data above the declared sensitivity tier. Those patterns are machine-speed tells—and they let you stop damage fast without stalling legitimate automation.
What is your forecast for identity governance in agentic AI over the next 3 years, and which early bets should security leaders place now to avoid an attribution crisis later?
Over the next three years, identity will stretch from “who logged in” to “who executed what, on whose behalf, and why”—and it will need to answer in seconds. Organizations that win will treat agentic identities as first-class, unify IAM where nearly 90% already lean, and embed origin, delegation, and intent into every action. The early bets are clear: move away from inherited credentials, build execution-level controls, and close the perception gap where 40% feel mature but only 22% are ready. If you place those bets now, you won’t be staring at an attribution crisis later—you’ll have a crisp ledger of accountability that turns speed from a liability into a security multiplier.
