As organizations grapple with increasingly complex environments, including hybrid workforces, rapidly evolving technology stacks, and stringent regulatory pressures, the challenge of delivering secure, scalable, and agile identity and access management (IAM) solutions has never been greater. In this fireside chat, Miguel Furtado, Senior Manager for Identity Engineering at Blue Shield of California, shares practical experiences and lessons learned from the front lines. Discover how his team addresses IAM complexity for both workforce and customer environments, navigates the unique threats and opportunities of non-human (machine, service, agentic AI) identities, and prioritizes data quality and risk reduction—all while supporting business innovation and integration at scale.
My name is Wade Ellery. I am the Identity and Access Management Strategist for Radiant Logic, and I’m here today with Miguel Furtado. We’re going to have a conversation around identity management and tap into the years of experience Miguel has had in this area. I welcome you all to listen in, take as much as you can from this time, and if you want more information, we’ll have opportunities for you to follow up afterwards.
Miguel, you and I have known each other for quite a while, but I think the audience would benefit from your background. Can you tell us a little bit about your experience in the identity management space?
Sure. Hello, everyone. My name is Miguel Furtado, and I’ve been in the identity space for a little over twenty years. I’ve managed IAM programs from Barclays Global Investors to BlackRock, and now I’m the senior manager for identity engineering at Blue Shield of California.
Excellent. I’m going to jump into a big question. Given the scale of identity management operations that you manage, what would you say is your biggest challenge? What keeps you up at night as a leader in the identity management space for a large organization?
For Blue Shield of California, my team manages both the customer side as well as our corporate identity, so identity management is certainly top of mind. I’d say the main focus is the complexity of delivering a reliable and secure service at scale. One of the biggest things we challenge ourselves with now is avoiding tool sprawl. Given the speed at which identities as a whole are expanding, a lot of attention is spent on orchestrating workflows. Especially with hybrid clouds and more DevOps integrations, managing the traditional joiner–mover–leaver lifecycle and the commissioning and decommissioning of identities is becoming more complex. Balancing that with a highly regulated environment, in Blue Shield’s case, is what keeps me fairly busy on a regular basis.
Yes, I can attest to you being busy; we tried to schedule this earlier and the real world overran us.
Right, that happens all the time.
Do you find your organization focusing more on operational efficiency, risk reduction, or compliance—or are those really different parts of the organization that run in parallel with different teams? How are those three pieces balanced in your focus?
All three are prioritized. Risk reduction often drives budgets and investment. The balance we try to hit is being as efficient as possible operationally while keeping the risk level acceptable and looking to reduce it as much as we can. In a one‑liner, risk is the driving force, with compliance and operational efficiency close second and third. Even though they may be separate teams, especially for an IAM program, all three coexist within IAM. In my case, IAM is large enough that we have specific focus on those three areas within IAM, so there’s a kind of separation of concerns there. The biggest thing on the risk‑reduction side is keeping innovation high to give us as much observability and risk reduction as possible in access provisioning and related areas. Those things are always front and center and always tied to risk.
It sounds like these three areas are all critical and need to work together, and that communicating across those silos is really important. Everyone depends on everyone else, and good security comes from good compliance and good operations.
That’s correct. And as environments grow and become more complex, the need for clear signals across those three areas becomes even more important. As much as we’re trying to reduce risk, having good compliance and good identity practices by themselves will reduce risk, but for me the name of the game is being able to measure and observe it so we know whether we’re on track and can constantly monitor.
Excellent. One topic that’s become very prominent—something we saw a lot at Identiverse when you and I were there—is non‑human identity. Historically we concentrated on human beings—employees and customers—but the risk from non‑human identities is much larger and growing faster. How are you addressing that area? What can you reuse from what you already know, and what do you have to adapt when dealing with non‑human identities?
Non‑human identities have definitely surged, especially with cloud environments and the focus on DevOps integration. Non‑human identities have grown significantly and they require different handling. In particular, I’m seeing more and more organizations treating non‑human identities as first‑class citizens in the identity and access management model and integrating them into the robust practices we already have for identity governance.
It’s also important to recognize the variety of non‑human identities. It’s no longer just service accounts or simple machine identities. There’s a wide range of NHIs, each with slightly different management needs and risks. Aligning how they’re managed, their current state, and their ownership associations requires a much higher level of discipline.
It sounds like this really multiplies both the complexity and the scope of the identity and access management model. Is there a relative budget increase to handle the fact that the environment is four times more complex and larger, or are you expected to just do more with what you have and squeeze these identities in?
Budgets don’t necessarily grow at the same pace as technology needs. We have to demonstrate strong justification for investment. What sets a proposed solution apart is whether it can fill the control and visibility gaps that current technology doesn’t address. If we want budget to align to new capabilities and controls, we need a strong business case. Non‑human identity is a good example—there’s clear justification and clear macro‑level movement in the industry. You can talk about NHIs and AI; there’s better clarity today on why we need better identity data management than in the old days of opaque service accounts. That clarity helps justify investments.
Another area that’s really growing is artificial intelligence. As a buzzword, it’s eclipsed zero trust and blockchain. How do you see AI integrating into your environment? It seems to come in two directions: AI to analyze your own data and make better decisions, and agentic AI that runs around on its own, making autonomous decisions. How are you looking at that? What level of caution versus “jumping in with both feet” are you taking?
I see two sides to that answer. First, AI is already here. Many vendors have AI components or features. Some tools are more AI‑driven than others, but AI is present in many capacities, including at Blue Shield of California—for analytics, anomaly detection, and so on. When it comes to agentic AI, that’s where the comfort level and the adoption level are still in an exploratory phase. There’s motivation to go all‑in with AI, but in highly regulated industries like mine there’s warranted caution, particularly around policy‑ and control‑driven guardrails and deciding when those guardrails are appropriate for letting general users leverage agentic AI.
The bottom line is that AI is not just hype. Its use, like any good tool, will mature. As an industry, we’re still coalescing around guardrails and open standards that will make AI extensible and safer to deploy. Every vendor says AI is ‘it’ and ready to produce value, but from an identity perspective there’s a cautious approach where guardrails and policies have to be able to account for AI behavior.
So: caution, but you can’t avoid it. It’s going to be here.
That’s correct. The name of the game will be governance of AI. Can you see it, observe it, and audit its decision‑making and actions? Can you authenticate and authorize appropriately? The same basic challenges an IAM program has with a human account apply to AI. Best practices increasingly say: treat AI identities as you would human identities. So visibility and observability—being able to see AI, know what it’s doing, and react as close to real time as possible—are critical.
I’d add one more data point: when you treat AI as a human‑like identity, you also consider ‘on‑behalf‑of’ (OBO) flows. Agentic AI often performs actions on behalf of users. It’s not just ‘can I see the AI’s identity?’ but ‘can I see what it’s doing on behalf of another user?’ Is it appropriate? Did it have the right authorization scopes? What was its intent? All that data has to correlate somehow.
It seems then that planning will be critical. Before you start deploying, you need to map your intended consequences and trap for unintended consequences, because things will be created or done that weren’t what you originally intended.
That’s right. What makes AI a little unique is the potential blast radius. Other tools are often more contained. AI isn’t a purely deterministic tool, so we have to treat it with more planning.
On a related topic, more and more focus is being brought to identity data—the foundational information that feeds all the decisions made in an identity platform, from access management to policy‑based access to whether an agentic AI is operating properly. All of that goes back to: “On whose behalf is this happening?” and “What object identity information do we have?” Historically, identity data has often not been pristine or well‑correlated. There’s a lot of IT debt there. I use the “garage” metaphor: it’s full of things I need to clean up, but I’d rather go wine‑tasting. Is the industry really ready to tackle that “garage full of IT debt” now?
I think it’s here. The problem has evolved to a point where we know the amount of data and identities we manage requires a full 360‑degree view. I’m big on not just data hygiene, but observability. I like the metaphors—your garage, my kitchen‑sink leak sensor. Identity data observability will be key. The more complex the identity space becomes, the harder correlations become.
One thing I focus on is associating identities with less‑volatile data points such as applications and ownership. A lot of IAM is enforcing policy, and we can’t properly enforce controls without appropriate associations and meaningful signals. Those signals help us certify and close out access or respond to situations intelligently. For me, identity‑data management is like a leak detector under your kitchen sink: everything may look fine, but as soon as there’s a leak, you want to know immediately to minimize damage. That need has always been there, but it’s more accentuated now, especially with AI and NHI growth. The tooling is out there and there’s enough justification to implement something like that.
Well, you give me hope for my garage. That’s also encouraging for Radiant Logic because we’ve spent twenty years building a platform that aggregates identity data—that foundational information—and makes it available in ways that can be observed in real time, cleaned up, and consumed by whatever platform needs it. This move toward recognizing that requirement is music to our ears.
I’d say so. The evolution is not just about managing the data, but using it for posture management. That’s where identity is headed. It’s more and more important. We can’t confidently answer whether our identity environment is secure and reducing risk as desired if we don’t have that level of visibility into our identity data sets.
One last question to wrap up. I’ve been doing this for thirty years and I’ve watched cycles. History doesn’t repeat, but it rhymes. We see best‑of‑breed vendors with groundbreaking solutions; then large stack vendors acquire them and build loosely coupled, single‑vendor suites. Those suites often lag innovation, and we swing back to best‑of‑breed. It feels like we’re in the last third of a strong best‑of‑breed cycle right now, with excellent standalone PAM, SaaS access management, and governance platforms. Do you see things consolidating back down to major brand names, or do you think we’ll stay in a best‑of‑breed model because requirements are too diverse for one mega‑stack to do everything?
I agree IT problems are cyclical. The pendulum swings between consolidation and best‑of‑breed. At the moment, especially with cloud vendors, there’s a strong business case for big stacks. But once your use cases are complex or you need more advanced handling, best‑of‑breed becomes attractive for flexibility. I don’t see best‑of‑breed losing out to big stacks today. Big cloud providers like Microsoft and Oracle offer lots of capabilities, but often as a baseline. When you need to go beyond that, you usually can’t stay only on the same stack.
Big platforms will consolidate some capabilities, but that also introduces vendor lock‑in risk. You have to balance the comfort level with that. Innovation can come from big stacks, but especially today with NHI management and secrets management there’s a lot of innovation coming from smaller startups. We see different ways of managing these things that aren’t coming from the big providers. There will always be waves of innovation; some will become best‑of‑breed products, and big providers may adopt baseline functionality from them. Best‑of‑breed is here to stay; it just depends on your use case and the problem you’re solving.
Given the complexity and diversity of the topics we’ve discussed, you want a strong baseline—a solid platform and foundation—but you’ll still need point solutions tuned for specific variations, like agentic AI. You may need different technology depending on how governance and regulation evolve, and startups may adapt more quickly.
Exactly. On the Radiant side, integrating tools is key. You can have best‑of‑breed tools, but integrating them and their data gives you flexibility. I can have specialized products and integrate their data so signals work cohesively. That’s one way of solving the problem. Over the last five to ten years we’ve seen adoption of standards make integration more straightforward. Now we see more cooperative efforts where one vendor realizes they do one thing really well and need to share information with others—or consume others’ information. That cooperative model is great to see. The era of castle walls and isolation is long gone. We have to play together as a village.
The IAM industry has gotten far too complex for hard silos. We wouldn’t be able to provide the right level of security if that were still the model.
I know you have your own personal blog; we’ll include that with the promotion of this session so people can find it from the website. Do you want to say a few words about it?
Sure. I do have a personal blog at idmig.org. If anyone wants to check it out, I post ‘thoughts of the day’ and host a bit of a conversation between IAM, coffee, Portugal, and the Azores. Take your pick—there’s a topic there for everyone.
Excellent. Thank you again for squeezing time out of your day. I know you probably have to run off to another meeting or fire, but hearing your insights and how you’re facing today’s challenges has been excellent. Miguel, thank you very much for joining me today.
Thank you. Thanks for having me.
Thank you, everybody. Bye.