Identity has a framing problem.
For most of its history, the field has defined itself around a single question: who are you? Authentication protocols, directory services, federation standards — nearly all of it is infrastructure for answering that question reliably and at scale. And we got pretty good at it.
But that question was never the hard part. The hard part is what comes after: what are you allowed to do, on whose behalf, under what conditions, and who is accountable when something goes wrong?
Those questions are what this blog is about.
What I Learned Building the Last Generation
I spent a decade at Okta helping build identity infrastructure for the cloud and mobile-first, SaaS-driven world. That era had a thesis: the network perimeter was dead, and identity had to replace it. We weren’t wrong. But building at that scale — tens of thousands of enterprises, hundreds of millions of users — teaches you things that don’t show up in specs or architecture diagrams.
A few that still shape how I think:
Adoption beats correctness. The most technically elegant solution loses to the one enterprises can actually deploy. Standards that ignore operational reality — provisioning complexity, help desk load, legacy system constraints — don’t get adopted. They get worked around, and the workarounds become the de facto standard.
Interoperability is a governance problem as much as a protocol problem. SAML was technically sufficient for federation in 2005. The reason enterprise SSO was still painful in 2015 had less to do with the protocol and more to do with the absence of shared profiles, testing suites, and implementation discipline. OIDC and SCIM learned some of these lessons — but spec authors often optimize for the enterprise IT buyer and forget that developers are the ones who actually implement these integrations. Developer experience drives adoption just as much as enterprise requirements do.
The identity lifecycle is a visibility and coherence problem. The hardest thing about enterprise identity isn’t authenticating users — it’s knowing what your actual identity state is at any given moment. Systems don’t talk to each other. Policies are defined in one place and enforced inconsistently in another. Real-world state drifts silently from intended state. Organizations discover their security posture only after something breaks. You can have excellent authentication and still have no idea who actually has access to what, whether those permissions match current policy, or whether a change three systems upstream has already invalidated your assumptions downstream.
Enterprises are still fighting the last war. Much of what I see today in enterprise identity is organizations finally implementing what was considered best practice in 2018 — MFA everywhere, SSO coverage, basic lifecycle hygiene. That work still matters enormously. The gap between where most enterprises are and where they need to be is wider than the industry narrative suggests.
The Next Hard Problem
And yet, even as enterprises work through that backlog, a new generation of problems is arriving faster than anyone is ready for.
Autonomous agents are collapsing the assumption quietly embedded in every identity system ever built — that there is a human being somewhere in the loop who can be authenticated, blamed, or held responsible.
When an agent acts, it doesn’t authenticate in any meaningful sense. It presents a credential. The credential may have been issued legitimately. The agent may have been provisioned correctly. But none of that tells you whether this specific action, taken right now, on behalf of this specific principal, with these specific delegated powers, is something that should be permitted.
Passports were the wrong mental model. We need something closer to power of attorney — scoped, time-bound, delegated authority with a clear chain of accountability back to a human principal.
Most of the industry is still bolting API keys onto agentic systems and calling it identity. We haven’t built the right thing yet.
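The power-of-attorney model described above, as an added Python illustration that is not code from this post or from any standard: each grant is scoped and time-bound, each hop may only narrow what the previous hop allowed, and the chain must start at a human principal so accountability is recoverable. The `Grant` fields, the `human:` / `agent:` naming convention and the attenuation rule are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    """One hop of delegated authority (assumed format, not a standard)."""
    issuer: str            # who hands authority onward: a human principal or an agent
    subject: str           # who receives it
    scopes: frozenset      # actions the subject may take
    not_before: int        # unix time, inclusive
    expires: int           # unix time, exclusive

def check_chain(chain, action, now):
    """Return (allowed, reason) for `action` under a delegation chain.

    Rules assumed here: chain[0] is issued by a human principal; every hop is
    inside its time window; each hop's issuer is the previous hop's subject;
    scopes may only shrink hop by hop (attenuation, never amplification).
    """
    if not chain:
        return False, "empty chain"
    if not chain[0].issuer.startswith("human:"):
        return False, "chain does not start at a human principal"
    allowed = chain[0].scopes
    for i, g in enumerate(chain):
        if not (g.not_before <= now < g.expires):
            return False, f"hop {i} outside its time window"
        if i > 0 and g.issuer != chain[i - 1].subject:
            return False, f"hop {i} issued by {g.issuer}, expected {chain[i - 1].subject}"
        if not g.scopes <= allowed:
            return False, f"hop {i} tries to amplify scope: {sorted(g.scopes - allowed)}"
        allowed = g.scopes
    if action not in allowed:
        return False, f"{action} is not in the delegated scope"
    return True, f"ok; accountable principal is {chain[0].issuer}"

# Constructed sample: a human delegates to an orchestrator agent, which in turn
# sub-delegates a narrower, shorter-lived grant to a worker agent.
HUMAN_TO_ORCH = Grant("human:alice", "agent:orchestrator",
                      frozenset({"calendar:read", "mail:send"}), 1000, 2000)
ORCH_TO_WORKER = Grant("agent:orchestrator", "agent:worker",
                       frozenset({"calendar:read"}), 1000, 1500)
# A sub-grant that tries to add an action the orchestrator never held.
ORCH_AMPLIFIED = Grant("agent:orchestrator", "agent:worker",
                       frozenset({"calendar:read", "files:delete"}), 1000, 1500)

if __name__ == "__main__":
    print(check_chain([HUMAN_TO_ORCH, ORCH_TO_WORKER], "calendar:read", 1200))
    print(check_chain([HUMAN_TO_ORCH, ORCH_AMPLIFIED], "files:delete", 1200))
```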
What I’ll Write About
This blog will cover the full range — from the enterprise identity work that isn’t finished yet to the architectural and standards questions that will define the next decade:
- Where enterprises are still struggling and what actually moves the needle
- What identity infrastructure needs to look like when the primary actors are agents, not people
- How delegation, authority, and accountability survive multi-hop agentic chains
- Where the standards bodies are making progress, and where the gaps are
- Lessons from building at scale — what the cloud-and-SaaS era got right, what it got wrong, and what it left unfinished
I’ll also write about the work I’m doing in the IETF OAuth working group and the OpenID Foundation, where the specifications that will underpin the next decade of identity are being written right now.
Who This Is For
If you work in identity, security, or platform architecture — whether you’re still untangling the enterprise identity problems of today or thinking ahead to what happens when agents start making decisions at machine speed — I hope this is useful.
I’m not interested in vendor positioning or marketing framings. I’m interested in the architecture, the standards, and the operational reality of building systems that govern trust at scale.
Let’s get into it.