Podcasting Commentary: IDAC 390 Agentic AI with Tobin South

So I’m going to try something new. I spend a lot of time listening to A LOT of podcasts, mostly in my car on my way to and from work or the gym. While I’m doing it I spend a lot of time talking to myself, reacting to the conversations happening in the episode I was listening to. So from time to time I’m going to collect that commentary and post it. I’m not sure what value will come from it, beyond giving me a chance to really absorb conversations I found interesting enough to put more reflection and effort into. However, if it just accomplishes that, I’m good with it.

For this one, I introduce you to the Identity at the Center Podcast with Jeff and Jim. These guys are awesome. If I were forced to listen to only one IAM podcast, it would be these guys.

In this episode they talk to Tobin South about the future of Agentic AI and how IAM is going to be affected by it in the coming months and years. Tobin does a wonderful job of establishing his background, his passion for AI, and his hands-on-keyboard experience with AI tools, which gives him credibility quickly in the episode. Which was easy, because Tobin is very credible.

Now that AI is here, how can we manage it?

Here’s where I start getting into the weeds of the conversation. Listen to it yourself and draw your own conclusions, but as I listened these are the challenges and questions that came to me that need further discussion.

The Distinction Between Impersonation vs. Delegation

The first thing that hit me in this discussion was the impersonation vs. delegation problem. The base questions are simple but enormous.

  • How do we technically guarantee an agent NEVER impersonates the user?
  • How do we ensure it never inherits the user’s full entitlements by accident?

Financial institutions simply cannot tolerate:

  • “The agent logged in as the user”
  • Credential sharing
  • Indistinguishable audit trails

That isn’t just bad practice — it’s a compliance nightmare. Delegation with isolated agent identities is the only viable pattern, and even then, only if everything is trackable.

And we all know who’s watching: SOX, FFIEC, PCI, Internal Audit, every flavor of regulatory examiner. They all require clear separation of identities and clean attribution.

Which brings me to the real questions I’d ask Tobin:

  • How do we technically enforce “agent identity” vs. “user identity”?
  • How do we stop an agent from accidentally gaining full user access and running wild?

Accountability, Liability, and the Audit Trail We Know Is Coming

Tobin brought up the analogy of liability. I don’t automatically think in legal terms — I think like someone who sits in audit meetings.

Because every audit conversation eventually asks:

  • Who approved the action?
  • Who executed the action?
  • Who owns the risk?

We need a trail to follow, full stop. That’s what auditors care about for everything, and AI agents won’t get a free pass.

Risk teams and compliance reporting are going to have to define what “sufficient attribution” looks like in an agentic world.


The Sub-Agent Problem I Didn’t Want to Think About

The idea of sub-agents surprised me — and honestly, rattled me a bit. If agent identity is already a challenge, sub-agents compound it dramatically.

Putting on my tin-foil hat:

  • This isn’t identity sprawl — it’s identity sprawl at machine speed.
  • How do we certify the entire chain of delegation?
  • How do we enforce least privilege when agents talk to other agents across… well, everything?
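The impersonation vs. delegation distinction and the sub-agent chain problem above can be made concrete in code. This is an added illustration, not anything from the podcast or the post: each delegation hop keeps the human as the subject, names a distinct agent as the actor, may only narrow the delegator’s entitlements, and every authorization decision emits an audit record listing the whole chain. The user, agent names and entitlement catalog are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One hop in a delegation chain. The subject never changes; the actor does."""
    subject: str          # the human whose authority is being exercised
    actor: str            # the identity actually performing actions at this hop
    scopes: frozenset     # entitlements this hop may exercise (never wider than parent)
    chain: tuple = ()     # actors above this hop, root (the human) first


# Constructed sample entitlement catalog; in practice this comes from the IGA system.
USER_ENTITLEMENTS = {
    "alice": frozenset({"read:ledger", "write:ledger", "approve:wire"}),
}


def user_session(user: str) -> Grant:
    """Root of the chain: the human acting as themselves, with their full entitlements."""
    return Grant(subject=user, actor=user, scopes=USER_ENTITLEMENTS[user])


def delegate(parent: Grant, actor: str, requested) -> Grant:
    """Hand a narrowed set of scopes to an agent or sub-agent, recording the hop."""
    requested = frozenset(requested)
    if actor == parent.subject:
        # An agent must never log in "as the user": the actor must be its own identity.
        raise PermissionError("agent must not act under the user's own identity")
    if actor == parent.actor or actor in parent.chain:
        raise PermissionError(f"{actor} already appears in the delegation chain")
    if not requested <= parent.scopes:
        # Least privilege down the chain: a hop can only narrow, never widen.
        extra = sorted(requested - parent.scopes)
        raise PermissionError(f"{actor} asked for scopes its delegator lacks: {extra}")
    return Grant(parent.subject, actor, requested, parent.chain + (parent.actor,))


def authorize(grant: Grant, action: str) -> dict:
    """Decide one action and emit an audit record naming every identity involved."""
    return {
        "subject": grant.subject,   # who the action is on behalf of (owns the risk)
        "actor": grant.actor,       # who executed the action
        "chain": grant.chain,       # who delegated each hop, root first
        "action": action,
        "allowed": action in grant.scopes,
    }
```

Because the audit record carries subject, actor and chain separately, "who approved, who executed, who owns the risk" can be answered for a sub-agent without the trail ever collapsing into "the user did it".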

What Does the Agent Lifecycle Actually Look Like?

This conversation reinforced something I’ve been thinking for a while: Agents are identities. They need a lifecycle just like users do.

  • Create
  • Approve
  • Certify
  • Review
  • Rotate
  • Offboard

To support that, we need IGA and inventory models that can handle:

  • Entitlement catalogs for agents
  • Segregation of Duties policies
  • Access reviews that differentiate human vs. agent
  • Recertification and revocation workflows

But let’s start at step one: What does onboarding an AI agent actually look like?

When the rubber meets the road, does an agent look like a contractor? An application ID? Something entirely new?


How Does an Agent Actually Get Access?

I haven’t been in many conversations yet about how AI will receive access in an enterprise, but the early documentation from Microsoft and others suggests we’re heading toward something like conditional access on steroids.

  • Strict SoD constraints
  • Dynamic risk evaluation (Is this a thing yet? I’m wondering already if I should start a company that does this)
  • Context-aware authorization - knowing a user vs. an agent or sub-agent and giving it conditional power based on that.
  • Expanded policy enforcement

And here’s a thought I keep coming back to. I know it’s way past today’s talk, but it’s gotta be what’s next:

Will agents be allowed to request access for themselves? And if so, who approves it?

There are whole governance models waiting to be designed around that scenario.


Final Thoughts

These are the questions I’d ask Tobin if I ever got the chance to sit across from him. And honestly, I’d probably owe the man a bottle of his favorite booze after unloading all of this.

But if I walked away with good answers?

Yeah — it would be worth every drop.

What do you think? What did I miss from the talk? Do you want to see more of this in the future?

As a disclaimer, and for irony: Claude was used to assist with the editing, ChatGPT to help condense the message and make it more readable, and Adobe Firefly for the image, but much like a disclaimer on an infomercial, thoughts and opinions are expressly my own.
