If something can’t go on forever, it won’t
Identity’s role in the unsustainable path of security and privacy

If something can’t go on forever, it won’t.
I’m an optimist, some might even say a Pollyanna. There’s nothing like contributing to novel Internet standards efforts to demonstrate one’s belief in hope over experience! But after 25+ years in the trenches of digital identity, this maxim of economics is starting to hit close to home.
So many of our current identity paths are unsustainable. Security is still eroding. Privacy is still evaporating. Trust is threadbare at best.
Identity’s Death Spiral
I’m not a fan of the phrase “identity is broken” — but the way we do IAM often leads to a death spiral of negative consequences for experience, user control, security, and even basic online safety. The Internet commentator I think of as the “login rant lady” said:

…and she’s not wrong.
When Leaders Become Casualties
Part of the downward spiral is psychological.
I’m working on a new project¹, for which I’ve identified three fatal delusions that leaders often cling to in order to feel safe.
The first delusion can be stated as:
🚫 More identity = more security
Our identity solutions, automations, checklists — and standards, an ever-growing pile of them — can feel proactive and productive, but none of it is a guarantee of a particular outcome, even if implemented and rolled out.
And the costs for getting things wrong are higher than ever. Have you been following the trend towards personal executive liability for cybersecurity failures? A great new organization called the Professional Association of CISOs (PAC) has launched, thanks to my talented friends Val Mukherjee and Heather Hinton, under the Cyber Future Foundation umbrella. It prepares CISOs for the increasing level of accountability they face in the modern world, including providing CISO-specific professional liability insurance.
But it’s not just CISOs. CEOs are taking direct fire as well, as in the infamous Drizly case:
According to the FTC, Drizly and [its CEO] Rellas failed to implement basic security protections for the collected data, did not use multi-factor authentication, did not limit employee access to personal data, and did not develop adequate security policies. — Security Week, 25 Oct 2022
Fixing Our Foundations?
The Internet, as has famously been observed, was built without an identity layer. All of the layers we’ve been adding on top have gotten more sophisticated over time, exemplified by the recent publication of revision 4 of NIST Special Publication 800-63, the Digital Identity Guidelines.
Do we need brand-new infrastructure to replace the old?
For years, I’ve helped define standards and technologies meant to patch this gap. More recently, I’ve been working with organizations of all sizes, translating identity complexity into language that decision-makers can act on.
What I’ve learned is that today’s identity foundations and innovations can serve as the healthy cardiovascular system of the connected world. They can protect us from exploits and fraud, support our financial transactions, give people choice and control, and even foster healthy digital relationships with businesses.
But only if organizations and their leadership understand their power, value, and full impact. Technical expertise, and a mindset focused exclusively on security, are proving inadequate to the moment.
As the number of executive stakeholders with their fingers in the IAM pie becomes overwhelming, and as detractors proliferate, I believe we need to master identity’s higher purpose so we can make common cause and achieve what we know is possible.
The identity crisis is here. The spiral is accelerating. But crises have a way of forcing evolution.
My question for you is whether it’s possible to help identity fully contribute to a healthy connected world.
Do you see identity circling the drain, or do you believe it can reach an inflection point?
I’m working on a new book! If you take a moment to subscribe, I’ll share more here real soon.
Your comment about more identity <> more security reminded me of something that Bruce Schneier wrote years ago. Paraphrasing, he said that we don't need to know anything ABOUT the person sitting next to us on the plane (i.e. identity attributes). All we need to know is that they are not carrying explosives or weapons.
Totally agreed with those observations. Your point on the “more identity != more security” I think takes on another layer of meaning in a world captivated by LLMs.
With these models being stochastic in nature, I think we are at risk of drifting even further away from a clear, deterministic way of enforcing and managing access/AuthN+AuthZ, and if the solution to this problem relies too heavily on purely AI (at least as we currently understand it) we are at risk of adding an unauditable and unaccountable piece to this quagmire.