Andy Ellis
Podcast Appearances
The human challenge is humans don't use most of their permissions because we give people way too broad permissions because we don't understand what people do.
The core of the problem is we don't actually govern humans.
identity or authorization, however you want to look at that.
What we do is we sort of say, oh, like Danny has just come into the organization.
Let's just clone somebody else's permissions and give them to Danny.
Nobody actually knows what Danny's job's going to do.
He changes from one organization to another.
So we leave all of his old permissions there while he goes over in case he gets called.
And over the course of 15 years at a company, Danny ends up with access to everything, but he's never using it.
Then Danny goes and deploys an agent and the agent's like, oh, I have access to these things.
And I could probably use that in answering some question.
So I'm going to grab access to everything.
And that's just a key piece of it, which is the thing we've never solved, which is governance over what people do, because we don't know what they do.
Authorization and permissioning is just the shadow reflection of what the business needs the person to do, but we don't understand that.
So instead we treat it like a ground truth.
We give it lots and then agents just abuse it.
So this is not me saying this problem isn't worse.
This is me saying this has always actually been the worst problem we have.
Now it's just gotten even worse.
No, no.