Insights

Field notes from active engagements.

Practical writing from the practice leads who deliver the work — IAM strategy, governance, privileged access, zero-trust, and the engineering rigor in between.

14 articles published

Featured · IAM StrategyMay 8, 202613 min read

IAM maturity model — five levels, five outcomes

Most IAM maturity models are too abstract to use operationally. The piece walks the five-level model we use, with concrete artifacts and metrics at each level.

askmeidentity PracticeRead article

Recent writing

13 articles

EngineeringMay 7, 2026
SCIM provisioning patterns that actually work
SCIM is the standard for cross-system identity provisioning, but the implementation varies more than the spec suggests. The piece covers the patterns we use in practice.
10 minRead
IAM StrategyMay 6, 2026
AI agent identity lifecycle — what your IAM program needs in 2026
AI agents acting on behalf of users are now a real production workload. The piece covers what identity for AI agents requires — provisioning, scope, audit trail, revocation.
11 minRead
Zero-TrustMay 5, 2026
Workforce passwordless — the rollout that actually lands
Passwordless workforce identity is achievable today across Okta, Entra, Ping, and Duo. The piece covers the rollout sequence that survives helpdesk reality.
11 minRead
Customer IdentityMay 4, 2026
Migrating to OAuth 2.1 with mandatory PKCE — an engineering guide
OAuth 2.1 deprecates implicit and password grants and makes PKCE mandatory. The piece walks through migration patterns from customer-identity engagements, including rotating refresh tokens and SDK fleets.
11 minRead
Customer IdentityMay 3, 2026
B2B SaaS multi-tenant identity — the primitives that matter
B2B SaaS identity is a different problem from B2C. The piece covers the multi-tenant primitives, invitation flows, and SSO patterns engineering teams actually need.
12 minRead
ComplianceMay 2, 2026
Evidence-as-code — making the audit cycle routine
The audit becomes a fire drill when evidence is reconstructed each cycle. The piece covers the evidence-as-code pattern that turns audit into a routine cycle.
11 minRead
Zero-TrustApr 29, 2026
Passkey adoption roadmap — workforce and customer
Passkeys are the strongest authentication upgrade in a decade. The hard part is adoption — workforce and customer. This piece covers rollout patterns we use across Okta, Entra, Auth0, and ForgeRock.
10 minRead
Zero-TrustApr 22, 2026
A 6-week zero-trust pilot blueprint for regulated enterprises
Most zero-trust programs stall in the pilot phase. The fix is shrinking the first wave to a single high-risk workflow, with rollback gates and audit-evidence wired in from week one.
9 minRead
Privileged AccessApr 15, 2026
The zero standing privilege playbook
Zero standing privilege (ZSP) is the design goal every modern PAM program should aim for. The piece breaks down what ZSP requires — and the failure modes that prevent it from sticking.
12 minRead
Privileged AccessApr 8, 2026
The service account hygiene playbook
Service accounts are the long tail of every privileged-access program. The piece covers the discovery, vaulting, rotation, and dynamic-secret patterns that actually keep them under control.
10 minRead
Zero-TrustApr 1, 2026
Conditional Access — building a policy library that survives audit
Most Conditional Access deployments accrete exceptions until the policy library is unauditable. The piece covers the library design pattern we use across Okta, Entra, and Ping.
12 minRead
IAM StrategyMar 25, 2026
M&A identity integration — the playbook for the close-date deadline
M&A identity integration is one of the highest-stakes IAM scenarios. The piece covers what we ship by close-date, what we defer, and the patterns that survive contact with reality.
13 minRead
Identity GovernanceMar 14, 2026
Why your IGA certifications fail by the second cycle
Certification fatigue is not a reviewer problem — it is an architecture problem. The fix is risk-tiering at the campaign level, not buying a different IGA platform.
7 minRead

Field notes from active engagements.

IAM maturity model — five levels, five outcomes

Recent writing

SCIM provisioning patterns that actually work

AI agent identity lifecycle — what your IAM program needs in 2026

Workforce passwordless — the rollout that actually lands

Migrating to OAuth 2.1 with mandatory PKCE — an engineering guide

B2B SaaS multi-tenant identity — the primitives that matter

Evidence-as-code — making the audit cycle routine

Passkey adoption roadmap — workforce and customer

A 6-week zero-trust pilot blueprint for regulated enterprises

The zero standing privilege playbook

The service account hygiene playbook

Conditional Access — building a policy library that survives audit

M&A identity integration — the playbook for the close-date deadline

Why your IGA certifications fail by the second cycle

The next note in your inbox.

Field notes from active engagements.

IAM maturity model — five levels, five outcomes

Recent writing

SCIM provisioning patterns that actually work

AI agent identity lifecycle — what your IAM program needs in 2026

Workforce passwordless — the rollout that actually lands

Migrating to OAuth 2.1 with mandatory PKCE — an engineering guide

B2B SaaS multi-tenant identity — the primitives that matter

Evidence-as-code — making the audit cycle routine

Passkey adoption roadmap — workforce and customer

A 6-week zero-trust pilot blueprint for regulated enterprises

The zero standing privilege playbook

The service account hygiene playbook

Conditional Access — building a policy library that survives audit

M&A identity integration — the playbook for the close-date deadline

Why your IGA certifications fail by the second cycle

The next note in your inbox.