
AI for Identity Security: My Journey, Our Perspective, and Veza’s Strategy

When I left my role leading the product management team at Okta in 2018, I had the rare opportunity to really think, and to be thoughtful and deliberate about my next career move. Even before ChatGPT had broken into public consciousness, it was pretty obvious that AI was going to drive the next big wave of technological innovation. I worked through Stuart Russell and Peter Norvig’s textbook “Artificial Intelligence: A Modern Approach” and took a couple of online Python classes. I don’t come from a software development background, and I wanted to get closer to the tech that I was becoming increasingly convinced would be transformational.

My mental model was that there were three key drivers for success in AI: the algorithm or model, compute resources, and training data. There was plenty of work still to be done on developing new models, but it seemed likely that the best ones would be broadly accessible, or at least that open-source versions would suffice. Compute takes money, but the cloud platforms have made it readily available to those willing to spend. The training data, however, is different. Training on the public internet can only take you so far, and living in the world of enterprise software has certainly attuned me to the value of unique datasets. My takeaway from this line of thinking: the key to unlocking value in new enterprise AI applications is having a unique, valuable dataset that no one else has.

That’s when I met Veza (then called Cookie.AI). Of course, I fell in love with the team and the tech, but the data! With my product manager hat on, I really loved the concept of the Veza Access Graph: a unique dataset that tied together the reality of permissions in a way I had never seen before. I love platform companies where I can imagine a portfolio of future products waiting to be built by extending the data we were gathering to new use cases and teams within the enterprise, and Veza hit that mark. But even more, I could see the vision of being able to train AI on the data that Veza was assembling. That’s a big part of why I joined Veza: to be in a position to do amazing things when AI was ready.

Fast forward to 2024, and the world is buzzing with GPT-4o from OpenAI, Claude 3 from Anthropic, and a huge cohort of smaller, purpose-built AI startups. Nvidia has been riding the “selling pickaxes to the gold miners” principle to become the third-largest company in the world on the back of its GPUs for AI training. For the tech world, following the soap opera of OpenAI’s inner workings is like reading the Hollywood tabloids. The world is a different place, but I still think that data is king, and that puts Veza in a prime position to bring AI to the problem of identity security.

You can’t go to a security conference these days without stumbling over AI everywhere. There are obvious challenges and questions, like “Does AI help the attackers or defenders more?” I think the more interesting questions are the second-order effects of the AI wave. Most notable, I think, is the energy with which organizations are rushing into the fray to position themselves as “first movers.” This includes transforming their treasure troves of enterprise data into training sets for AI. Security, unfortunately, is often an afterthought. Look no further than Microsoft’s recent announcement of its Copilot+ PCs with Recall, a feature that takes frequent screen captures of an end user’s machine. From a security perspective, I find this, frankly, terrifying, and shocking that Microsoft would announce it in the same month that Satya Nadella declared security the company’s top priority, above all else. Here, in real time, we see the irresistible pull to leverage data so AI can work its magic, in conflict with security-focused common sense.

For identity security, AI and LLMs raise the question of whether our enterprise access control model will survive. If the LLM is trained on all the data, how can you tell whether that data is truly secure, and can anyone extract it through creative prompt engineering? Will we know if and when that happens? I think the main challenge here will be one of transition: in the rush to train LLMs, mistakes (even some very bad ones) will be made. However, newer techniques like Retrieval-Augmented Generation (RAG) show early promise in letting us have our cake and eat it too: the AI can “design the search” across enterprise systems while the integrity of user context is maintained when pulling information back.
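
To make that concrete, here is a minimal sketch of permission-aware retrieval, assuming a hypothetical document store and authorization check. The functions `retrieve` and `user_can_read` and the ACL data are illustrative stand-ins, not any particular product’s API; the point is that access is enforced per user at retrieval time, rather than baked irretrievably into the model’s weights at training time.

```python
from dataclasses import dataclass

@dataclass
class Document:
    doc_id: str
    text: str

def user_can_read(user_id: str, doc_id: str) -> bool:
    """Stand-in for a real authorization check (ACL lookup, policy engine, etc.)."""
    acl = {"alice": {"doc-1", "doc-2"}, "bob": {"doc-2"}}
    return doc_id in acl.get(user_id, set())

def retrieve(query: str, k: int) -> list[Document]:
    """Stand-in for a vector-store similarity search over enterprise content."""
    corpus = [Document("doc-1", "Q3 revenue forecast..."),
              Document("doc-2", "Engineering onboarding checklist...")]
    return corpus[:k]

def answer_with_rag(user_id: str, question: str) -> str:
    # Retrieve candidates, then enforce the *caller's* permissions before
    # anything reaches the model's context window.
    candidates = retrieve(question, k=10)
    allowed = [d for d in candidates if user_can_read(user_id, d.doc_id)]
    context = "\n---\n".join(d.text for d in allowed)
    # In practice this prompt would go to an LLM; returning it keeps the
    # sketch self-contained and runnable.
    return f"Answer using only this context:\n{context}\n\nQuestion: {question}"

# bob cannot read doc-1, so the Q3 forecast never enters his prompt.
print(answer_with_rag("bob", "What's in the Q3 forecast?"))
```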

For Veza, we’ve tried to take a very practical approach to how we implement and use AI. Our guiding light is delivering value for our customers, not simply chasing the “AI halo” without meat on the bones. There are a number of different ways we’re trying to deliver value with AI at Veza. The first, which is largely the focus of our current release, is about democratizing the data in Veza. The data is powerful, but it can be complex and even overwhelming if you don’t know what you’re doing. It’s tremendously powerful in the hands of an architect, but less so for an analyst who is seeing the product for the first time. Adding natural language capabilities to our search and the results we return will put the power of Veza into the hands of more people across more teams. If there is one common refrain I hear from security and identity practitioners, it’s that no one can find enough great, experienced people to hire. Making identity security tools usable by more of the team is a great driver of value.
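
As a hedged illustration of the pattern (not Veza’s actual implementation), a natural-language search feature typically asks an LLM to translate a plain-English question into a structured query against a fixed schema, then validates the model’s output before executing anything. The schema and field names below are hypothetical:

```python
import json

# Fixed schema the model must fill in; these fields are invented for
# illustration, not an actual query language.
SCHEMA = {
    "principal_type": "user | group | service_account",
    "resource_type": "e.g. s3_bucket, snowflake_table",
    "permission": "e.g. read, write, delete",
}

def build_prompt(question: str) -> str:
    return (
        "Translate the question into a JSON object matching this schema, "
        f"with no extra keys:\n{json.dumps(SCHEMA, indent=2)}\n\n"
        f"Question: {question}\nJSON:"
    )

def parse_query(llm_output: str) -> dict:
    # Validate before executing anything: reject unknown keys so a creative
    # model response can't silently widen the query.
    query = json.loads(llm_output)
    unknown = set(query) - set(SCHEMA)
    if unknown:
        raise ValueError(f"unexpected keys: {unknown}")
    return query

# Round trip with a canned model response standing in for a real LLM call:
print(build_prompt("Which identities can delete data in S3?"))
print(parse_query('{"principal_type": "user", '
                  '"resource_type": "s3_bucket", "permission": "delete"}'))
```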

Later, you’ll continue to see more AI features and products come from Veza. These will start down the path of reducing the time humans spend on their tasks and drive progressively toward full automation of those tasks. Ideally, we want humans involved only in tasks that humans alone can do…and that list is getting smaller every day. I’m personally very excited about our work to see how much AI can improve the speed and ease of building integrations to enterprise systems. It’s not the sexiest problem in computer science, but from a practical standpoint, integration is probably the number one point of friction I hear about from customers with their existing IGA deployments, and I think it’s a worthy problem to solve.

Even longer term, I think AI will really help us with the grand problem of Least Privilege. In particular, a challenge most organizations have is truly understanding what data someone needs to do their job. Today, most customers tell me this is a “role definition” exercise that usually involves a horde of System Integrator analysts, along with an appropriately sized invoice. There is so much context: communications across the organization, project-level work, understanding what data actually lives where. Even direct managers struggle to know this precisely. I can’t think of a better task for an AI: to understand the full breadth of the context of someone’s job, and also all the data across the organization that could be brought to bear to do that job better. In this way, you can really think of Least Privilege as the flip side of Knowledge Management. In security, we almost always think about restricting information. But what about the information that’s relevant to someone’s job but that they aren’t aware of? From a business value perspective, that might be even more powerful.
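
One way to picture AI-assisted role definition is classic role mining: cluster users by the similarity of their granted entitlements, and let each cluster suggest a candidate role. The toy sketch below uses Jaccard similarity with greedy clustering; the data and threshold are invented for illustration, and a real system would also weigh actual usage, organizational context, and data sensitivity.

```python
# user -> set of entitlements actually granted (toy data)
grants = {
    "ana":  {"crm:read", "crm:write", "billing:read"},
    "ben":  {"crm:read", "crm:write"},
    "cara": {"hr:read", "hr:write", "payroll:read"},
    "dev":  {"hr:read", "hr:write"},
}

def jaccard(a: set, b: set) -> float:
    """Similarity of two entitlement sets: |intersection| / |union|."""
    return len(a & b) / len(a | b)

def cluster(users: dict, threshold: float = 0.5) -> list[list[str]]:
    """Greedy single-link clustering: join a user to the first cluster
    containing a sufficiently similar member, else start a new cluster."""
    clusters: list[list[str]] = []
    for user, ents in users.items():
        for c in clusters:
            if any(jaccard(ents, users[m]) >= threshold for m in c):
                c.append(user)
                break
        else:
            clusters.append([user])
    return clusters

for group in cluster(grants):
    # A candidate role: the entitlements shared by everyone in the cluster.
    common = set.intersection(*(grants[u] for u in group))
    print(group, "->", sorted(common))
```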
