Ping Identity's Alex Laurie talks with SC UK about trust, AI, and the future of identity.
Sharon Florentine: Hey everyone, my name is Sharon Florentine, I'm the Acting Editorial Director here for SCUK, and I am thrilled to be with you today, and joined by Alex Laurie with Ping Identity. Alex, I'm gonna let you introduce yourself and…tell our audience a little bit about you and Ping Identity, and what we're going to be talking about today, and then we'll jump right into it.
Alexander Laurie: Hey, nice to meet you, and yeah, thank you. My name's Alex Laurie, I'm the go-to-market CTO at Ping Identity, which fundamentally means that I sort of sit at the crossroads between customers, partners, our sales and product and marketing teams, and sort of sit really at the middle of the spider's web, is maybe one way to describe it.
And I see, you know, what the industry's doing. I've been doing this rather a few years now, so I see what the industry's doing, see what the partners are doing, see what the customer needs are, and, you know, really act as a sort of almost like a bridging the gap between what the customers need and what we can do from a product and evolution perspective.
Ping Identity is one of the longest established identity and access management companies in the world. We've been running now for over 25 years, founded by Andre Durand. And we have some amazing customers and partners. We have, you know, some of the biggest banks, and we work with governments, we work with retailers, globally, and so that, you know, it's actually really useful to have that breadth of customer base. Because we really do get to see the problems and the situations that people are in, and how we can help them.
Sharon Florentine: So, your role, combined with the breadth and the depth of your customer base, and just the longevity of the company speaks to such a deep level of trust when I hear you explain all that. And so, I'm gonna kick things off and ask you, what does that trust mean in the context of agentic AI?
Alexander Laurie: It's such a big question, and I, you know, it's sort of almost, you hit me with the big one right up front.
Sharon Florentine: I did, I did.
Alexander Laurie: If we step back a little bit, if you think about Agentic AI, one of the problems we face with it is that it's sort of like… It's like naughty teenagers who you've been let run at home, but they're very, very smart, very capable, naughty teenagers, but you've got… they've got the keys to your house.
Sharon Florentine: Right.
Alexander Laurie: When we talk about trust in the terms of cybersecurity, it's about really establishing a baseline of assurance that I am me, that I am entitled to do some certain things, I'm set within a context of either applications or services, and I have access, and that's governed, and it's managed.
Alexander Laurie: And all of those things are really important to establish how the organization I work for, or the organization that's servicing me, like, maybe on my bank, like, how do they establish a level of trust to enable me to do what I should be doing? Am I able to make that transaction with my banking app, or am I able to look at the Salesforce app? Very, very simple concept in many ways, but then if you think about the naughty teenager who's been given the keys to your house, right?
All of a sudden, you've got very, you know, capable, self-regulating programs that, you know, that are not determinative. They can work new things out themselves, and they can, you know, find ways to do interesting things. You know, these clever programs, effectively, which are AI agents. There is effectively no trust, because, you know, and so we have to switch the model almost on its head, and go, okay, we've now got thousands of these per every human being.
How do we trust that we've controlled them, that we've given them the right context, and the right access, and the right privilege, and the right set of boundaries to work within. You know, good teenager versus bad teenager. That's… it is a really big question.
Sharon Florentine: And taking it back to a very… a much simpler question, you know, maybe expound on that a little bit. Why is trust such an important baseline to start from?
Alexander Laurie: I think if we look at it from our own perspectives, right, there's really good examples of this in everyday life. I have an 11-year-old son, he has a mobile phone, and, you know, there's the father-to-son conversation about what he can and can't do, but then I also have a very, very good level of application control on what he can and can't do, right? And so, as, you know, establishing trust is… is fundamentally about saying, 'I believe that this is okay,' that's trusting something, and then assurance is, 'I know that this is okay.' And so, really, the baseline of trust is getting that boundary between belief and assurance, making sure that we can do everything we can to technically assure that everything is lined up then we then trust things to operate properly. So that's where the baseline comes in, and we talk about this trust gap, right, which is the difference between where you believe something is to where it actually is, and that's something that we talk about quite a lot.
Sharon Florentine: My 14-year-old, we have a very similar trust but verify approach, yes!
Alexander Laurie: Yes, exactly.
Sharon Florentine: So, how has AI, agentic AI, evolved over the last few years? It really seems to have taken, much like teenagers, massive leaps forward in just a few short years. So, how has it evolved, and what can we expect in the next, you know, 6, 12, 18 months from Ping Identity's perspective?
Alexander Laurie: What we see when we look in the rearview mirror was we see, agentic AI has gone from being something that, you know, some people in some labs and some very smart techies and, you know, very, very clever companies, you know, have been building agentic capabilities, so these are like, you know, self-controlled, effectively models, software programs that run on their own and make their own decisions. Now, that's been around for a while. I think the big shift that's happened, and it's probably less than 18 months, I mean, it's maybe in less than 12 months almost, is it's democratized. Right? You can now build an agent yourself by talking to your mobile phone. And so, where that comes in from a cybersecurity and sort of protection perspective is, all of a sudden, it's like that sort of the advent of grey IT that we've had, you know, time and time again, waves and waves of grey IT. If you're sitting within a company, you know.
When Agentic AI was controlled and owned, and a small group of people were capable of using it, it was sort of manageable. But now, you know, Bob in accounting and Shelly in product management can go off and build their own agents by speaking into their mobile phones, bring them to work, and all of a sudden, those things can do things easily. I mean, my mum's, I think, nearly 80 years old, and I was showing her how to do agentic stuff on her phone the other day. When it gets to that level, that's the big evolution, and if you look forward, it's the proliferation of this. So, you know, it becomes… it becomes every day. You know, at the moment, maybe a 30% adoption of Agentic use cases, lots of POCs, but when it becomes 80% adoption, it, you know, that is a huge volume we have to deal with.
Sharon Florentine: And I would assume that all of those amazing rapid innovations are also introducing the biggest security challenges, correct?
Alexander Laurie: Yeah, I think there's, we saw, there's obviously a story recently about one of the main platforms being used to go off and do malicious hacking. You know, so a commercially available platform being told, write me some code to go and do me some hacking. The ability of, you know, deepfakes, I mean, I think there's a deepfake attack every… I mean, I think it's 20 seconds or 20 minutes, but it is ridiculous that it's that volume.
And these things can be automated, automated agentic phishing, you know, so if you just think about it from the adversarial perspective, and I know we're going to talk about adversarial threats as part of this thing, but that is one area from the cybersecurity perspective you have to be aware of.
But then the other, the other area is, like, the sort of unintentional behavior. And I think if you've seen early demonstrations of commercially available agents, someone put their username and password into the agent on the screen. And, like, all of a sudden, it's got the same power as that human being. And that's, again, something you can't control. And then, you know, do we know if that agent is registered? Has it got its, you know, the right entitlements? Are we thinking about dynamic authorization policies for what it can and can't do? And, you know, agents can spawn agents. So, you have an agent that you might have secured, then all of a sudden it's created a new agent to go off and do something that you haven't actually secured at that point.
Sharon Florentine: Yeah, it's the identity and access management problem at scale, rapidly multiplying.
Alexander Laurie: Yeah, I think there's a, you know, when we did some research last year, it was sort of, on average, in enterprises, there's about 45 agents per human being. But if you then imagine, you know, as we go through the POC cycle, and, you know, we take those POCs from POC to production, that's really where, all of a sudden, this is going to scale to billions and billions of agents. And that's a, you know, that's a complex problem to handle from a cybersecurity perspective. And again, we think, you know, if you listen to Forbes' top 10 things of the year to worry about is that identity is the battlefront for Agentic AI.
Sharon Florentine: So then, follow-on question to that; how do you mitigate that with -- through the lens of engendering trust?
Alexander Laurie: So, we have a sort of agentic framework we talk about and we've proposed, and it follows in line with some of the other components that Google and Anthropic and others have launched around things like the MCP protocol and A2A agent-to-agent protocols. There are many, many of these, and you know, at some point, depending on when you're listening to this, there could be 5 more protocols, that's another space.
But we start off with the concept of visibility, so understanding, you know, is this an agent in the first instance? And of course, you've got the standard sort of agents that we think about, but you've also got these clever computer-using agents that more emulate a human. So, identifying agentic behaviour, agentic risk, right up front in the engagement. Be it internal, external.
So that's the first place, the visibility. You then have to think about how you onboard and manage those agents, and then authentication, authorization, and then human oversight, and then the sort of the threat protection as well. So if you step back from what I've just said, those are exactly the same patterns that we have when we mainly talk about employee identity. And, you know, quite often, we're quite well known in the sort of complex area of business-to-business identity protection. And this is where, you know, you've got a business, and they've got a broker, and a third-party supplier, and someone else working, and all these people are accessing their data.
It's the same problem space with agents. You know, we have to make sure that we're controlling them almost at the level like humans. So the very first thing we do is we think about them as a first-class identity. So they have, you know, they live and breathe inside our identity system as a first-class identity with, you know, roles, or attributes, or entitlements, a life cycle, onboarding, joiner, mover, leaver even in some instances, governance. You know, all of these old-fashioned identity terms actually apply, and the patterns apply very neatly to agents.
Sharon Florentine: Explain the concept of the commerce channel with regards to Agentic AI. What is that? How does it relate to what we're talking about, and how do you best secure it?
Alexander Laurie: Again, so you hit me with a big question, and this is the next really big question, because this is… like, we talk about it, this is game-changing. This is like a new channel. And the way I typically describe it is when I was at university, I had access to something called Janet, which was the Joint Academic Network, which was like a green-screen early internet where you could read scientific papers. I am that old.
As you roll forward, you know, we got a new channel in terms of websites, and they were cool, and they were like marketing brochures, and then you got e-commerce sites, and so you could actually transact online. And I remember in early doors of e-commerce, I remember speaking to retailers who were saying, you know, if they did 15% of their transactions online, they were doing great.
Now, if you speak to a retailer, you know, you'd be expecting a much, much higher percentage of everything to be, you know, online. We then went from like, web brochure to, you know, mobile e-commerce to mobile commerce, right? And, you know, we all live and breathe on our devices.
Mobile commerce, we've been sort of extended, we've got the API economy, so in Europe particularly, in other parts of the world, we have, PSD2, open banking, you know, regular, you know, so where we have to, sort of API to API, application to application, connections. And then all of a sudden, we've got agentic commerce.
And we've seen examples, and there's been some very good examples in the States on, you know, big retailers saying they're partnering up with OpenAI and Anthropic and Google to say, we want to enable shopping and agentic behavior on our sites. Right? Now, here's a question, and this is the identity question.
When my agent is shopping on my behalf, how does the retailer know it's me? So that's the identity question. Alright, so, and then, is my agent doing good things? Is my agent, like, buying up all the inventory of the latest sneaker, the latest game console, which is, you know, a problem that we've seen, or tickets for events.
Sharon Florentine: Is my agent doing malicious things, or is my agent actually trying to do something that's beneficial to the retailer?
Alexander Laurie: Right! So how do we connect the human identity, that's me, to my agent, register it on the retailer, and then obviously bring that back and enable the transactions to happen? So that's the big… that's the agentic channel in commerce, and it's a huge thing.
Sharon Florentine: Understood. It's… I mean, that's pretty scary to think about.
Alexander Laurie: I think it's a real opportunity, though. I think if you look at the organizations that are starting to look at this, we were speaking to a major telco firm recently who's saying, I want users to be able, in ChatGPT, or Claude, or whatever platform of their choice, Gemini, to, like, find the best SIM deal on my network.
So, you know, it's… it's… they are, you know, they're embracing this as a channel to bring in customers, and interact with them.
Sharon Florentine: Well, any final thoughts before we wrap up? Anything that I missed that you wanted to tell our audience about here?
Alexander Laurie: I think the thing is to be… the first bit is to be aware, and I mean, I spend a lot of my life learning now, much more than I did before. This is evolving so quickly. I consider myself to be a beginner. I've spoken to people who are far more technically capable than I am, who also consider themselves to be beginners. We're all learning on this journey, so I think it's be open-minded. The… the second area I would ask people to think about is the problem space. If you think of an agent as a first-class identity, then you can think about how you can apply those identity and cybersecurity patterns to the agents, and bring control. And so those would be the two takeaways I would give.
Sharon Florentine: Fantastic. I think that's a great point, and it's something that I feel is often missed, that the agents are not often treated as a first-class identity, and I think that's a huge, huge takeaway, so… thank you.
Alexander Laurie: Excellent.
Sharon Florentine: Yeah, you're very welcome. Thank you so much again for joining me today. Again, Alex Laurie from Ping Identity. Folks, thank you so much for tuning in. Hope to see you again soon at another SCUK podcast. I'm Sharon Florentine, signing off.
