1
00:00:04,720 --> 00:00:11,280
This is Identity at the Center.
Welcome to the Identity at the 

2
00:00:11,280 --> 00:00:13,240
Center podcast. 
I'm Jeff, and that's Jim. 

3
00:00:13,240 --> 00:00:15,640
Hey, Jim. 
Hey, Jeff, how are you? 

4
00:00:16,280 --> 00:00:19,000
Not so bad yourself. 
Doing great. 

5
00:00:19,000 --> 00:00:23,480
We got an awesome episode lined
up for today with a special 

6
00:00:23,480 --> 00:00:27,560
sponsor we're recording and 
we're going to drop this episode

7
00:00:27,560 --> 00:00:31,400
less than a week before Gartner
IAM Summit in Grapevine.

8
00:00:31,560 --> 00:00:35,320
Our guest is going to be there. 
I think this is a perfect entry 

9
00:00:35,320 --> 00:00:37,880
point to go into Gartner IAM
Summit

10
00:00:37,880 --> 00:00:40,080
with. Yeah, we've got a lot of
things to cover today. 

11
00:00:40,080 --> 00:00:42,360
So let me go ahead and introduce
our our guest today. 

12
00:00:42,360 --> 00:00:44,440
So just make it clear, right? 
This is a sponsored episode. 

13
00:00:45,120 --> 00:00:47,960
Our friend David Goldschlag, who
is the CEO and co-founder at

14
00:00:47,960 --> 00:00:50,720
Aembit is joining us today.
So welcome, David. 

15
00:00:51,040 --> 00:00:52,240
Thank you, Jeff. 
Thank you, Jim. 

16
00:00:52,240 --> 00:00:53,280
It's really great to be with 
you. 

17
00:00:53,880 --> 00:00:56,360
Yeah, so let me get the website 
out because I've heard this name

18
00:00:56,360 --> 00:00:57,400
pronounced a couple different 
ways. 

19
00:00:57,400 --> 00:01:04,480
So it's Aembit and it's A-E-M-B-I-T
dot IO slash IDAC.

20
00:01:04,480 --> 00:01:06,760
So that's a lot of letters. 
It will be in our show notes and

21
00:01:06,760 --> 00:01:08,920
it will be in this YouTube 
description, all that so and the

22
00:01:08,920 --> 00:01:11,840
sort of things. 
So let me ask what I'm going to 

23
00:01:11,840 --> 00:01:15,560
assume is the source of this is,
is it ambit? 

24
00:01:15,880 --> 00:01:18,800
I've also heard it pronounced as
Aimbit, which is the correct 

25
00:01:18,800 --> 00:01:22,120
way? 
OK, so it is ambit just like the

26
00:01:22,120 --> 00:01:26,800
word A-M-B-I-T would be spelled,
would be sounded out, OK.

27
00:01:27,440 --> 00:01:30,720
Of course because of trademark 
and other people with websites, 

28
00:01:30,920 --> 00:01:36,400
we added an E in. OK, that E is
meant to be skipped over. 

29
00:01:36,480 --> 00:01:39,720
OK, so it's still ambit and it's
aembit dot IO.

30
00:01:40,320 --> 00:01:44,240
And adding the E in had the
advantage of moving us up 

31
00:01:44,240 --> 00:01:47,880
alphabetically. 
Okay, so that's an advantage 

32
00:01:47,880 --> 00:01:51,040
too. 
Okay, and I give all the credit 

33
00:01:51,040 --> 00:01:54,400
to my cofounder, Kevin Sapp. 
He's picked all the names of the

34
00:01:54,400 --> 00:01:56,600
companies that you know, we've 
been built together. 

35
00:01:56,720 --> 00:01:58,360
Okay, and he's really good at 
it. 

36
00:01:59,240 --> 00:02:01,400
So this is one of those rare 
companies where, you know, you, 

37
00:02:01,400 --> 00:02:03,560
you see a lot of like, you know,
Silicon Valley where they're 

38
00:02:03,560 --> 00:02:05,480
trying to get rid of all the 
vowels because all those things 

39
00:02:05,480 --> 00:02:07,440
are taken. 
You guys went and added one for 

40
00:02:07,440 --> 00:02:08,600
differentiation. 
I love it. 

41
00:02:08,600 --> 00:02:10,840
That's novel and and and from 
what I've seen. 

42
00:02:11,600 --> 00:02:13,560
Hi, you know, we're we're East 
Coast. 

43
00:02:13,560 --> 00:02:15,000
What can you do? 
OK, so. 

44
00:02:15,400 --> 00:02:18,760
Tell us a little bit about Aembit
and tell us a little bit about 

45
00:02:18,760 --> 00:02:22,160
your background. 
How did you get into the space 

46
00:02:22,160 --> 00:02:26,400
of digital identity and identity
and access management, and how 

47
00:02:26,400 --> 00:02:28,720
did that culminate into Aembit
coming around? 

48
00:02:29,360 --> 00:02:31,880
OK. 
So Kevin and I have been doing 

49
00:02:31,880 --> 00:02:35,080
companies together for about 20 
years, all security companies 

50
00:02:35,360 --> 00:02:40,880
and almost all till Aembit were
focused on securing user access 

51
00:02:41,080 --> 00:02:44,080
to applications. 
So it's all enterprise security.

52
00:02:44,400 --> 00:02:47,280
And so for instance, we did an 
MDM company that was supposed to

53
00:02:47,280 --> 00:02:50,600
be users on a mobile device 
getting e-mail and other 

54
00:02:50,600 --> 00:02:54,320
services, OK. 
Then we did the ZTNA company, OK

55
00:02:54,320 --> 00:02:57,040
that was became Netskope Private
Access. 

56
00:02:57,040 --> 00:02:58,640
The company name was New Edge 
Labs. 

57
00:02:59,000 --> 00:03:01,680
That was you're on your laptop, 
you're trying to get to behind 

58
00:03:01,680 --> 00:03:04,240
the firewall applications. 
How do you do that with 

59
00:03:04,240 --> 00:03:08,400
something as a service instead 
of a VPN and but all of those

60
00:03:08,400 --> 00:03:12,000
were, how do you secure access 
from a user to an app, OK. 

61
00:03:12,400 --> 00:03:16,680
They were all both about 
identity, but about something 

62
00:03:16,680 --> 00:03:18,720
else in addition to identity, 
right? 

63
00:03:18,720 --> 00:03:22,160
The mobile or you can get me 
past the firewall, etcetera. 

64
00:03:22,280 --> 00:03:26,040
OK, When we were ready to start 
Aembit, we said we've been in

65
00:03:26,040 --> 00:03:30,240
this user space for a long time.
So let's talk about nonhuman

66
00:03:30,240 --> 00:03:32,800
access, right? 
Software accessing other 

67
00:03:32,800 --> 00:03:34,760
services. 
That's turned out to be a big 

68
00:03:34,760 --> 00:03:37,560
deal, and we'll talk about that 
for the rest of the episode, OK?

69
00:03:38,000 --> 00:03:42,840
But what we also said is all of 
these questions about firewalls 

70
00:03:42,840 --> 00:03:46,640
and VPNs and all this were not 
the core problem. 

71
00:03:46,640 --> 00:03:48,760
The core problem was identity, 
OK? 

72
00:03:49,040 --> 00:03:52,320
If you're trying to access a 
service on the Internet, OK, 

73
00:03:52,440 --> 00:03:54,640
this is not a network 
reachability problem. 

74
00:03:54,640 --> 00:03:56,760
This is purely an identity 
problem. 

75
00:03:57,040 --> 00:04:00,480
So over the course of 20 years 
of doing enterprise security, we

76
00:04:00,480 --> 00:04:03,800
landed at the core problem and 
everybody knows identity is the 

77
00:04:03,800 --> 00:04:06,160
new perimeter. 
Turns out it's the new perimeter

78
00:04:06,320 --> 00:04:09,440
for things, right? 
As well as people, OK. 

79
00:04:10,320 --> 00:04:11,920
I'm glad you had that caveat 
because every time I hear 

80
00:04:11,920 --> 00:04:13,880
identity is a new perimeter, I 
just kind of want to yell into 

81
00:04:13,880 --> 00:04:14,880
the screen. 
No, it's not. 

82
00:04:15,920 --> 00:04:19,839
It's been that way forever. 
I guess not forever, but at 

83
00:04:19,839 --> 00:04:23,000
least for the last decade I feel
like identity has been really 

84
00:04:23,000 --> 00:04:25,120
one of the main perimeters to 
defend against. 

85
00:04:25,800 --> 00:04:28,320
And, and, and one of the things 
that we have, one of the 

86
00:04:28,320 --> 00:04:31,280
advantages we have at Aembit is
everybody's familiar with that, 

87
00:04:31,280 --> 00:04:33,080
right? 
They know how you log in with an

88
00:04:33,080 --> 00:04:36,960
IAM system, OK?
So we can take advantage of lots

89
00:04:36,960 --> 00:04:42,200
of analogies of how do people, 
employees at an enterprise, you 

90
00:04:42,200 --> 00:04:45,440
know, authenticate, login. 
And then we say, well, what 

91
00:04:45,440 --> 00:04:48,920
happens if it's an AI agent? 
What happens if it's a Python 

92
00:04:48,920 --> 00:04:52,120
app, OK, how do you help that 
log into the service? 

93
00:04:52,320 --> 00:04:55,240
And the answer is this. 
It's the same, but different. 

94
00:04:55,240 --> 00:04:56,880
OK. 
And that's how tech is many 

95
00:04:56,880 --> 00:05:01,280
times. 
So I gotta ask, does ambit mean 

96
00:05:01,280 --> 00:05:03,280
anything? 
Like what's the story behind the

97
00:05:03,280 --> 00:05:05,160
name? 
I, I get the extra E in there 

98
00:05:05,160 --> 00:05:07,480
now, but like, what does ambit 
mean? 

99
00:05:07,480 --> 00:05:08,840
Like how did you come up with 
the name of the company? 

100
00:05:08,840 --> 00:05:10,320
I guess you know, how did your 
cofounders come up with it? 

101
00:05:10,680 --> 00:05:13,200
Yeah. 
So ambit means scope or 

102
00:05:13,200 --> 00:05:17,720
boundary, OK. 
And a particular use case that 

103
00:05:17,720 --> 00:05:21,920
we're focused on is where access
crosses a boundary, OK.

104
00:05:22,120 --> 00:05:25,200
So let's say you have an AI 
agent, right, running in your 

105
00:05:25,200 --> 00:05:28,640
enterprise that needs to do work
in Salesforce. 

106
00:05:28,760 --> 00:05:31,400
OK. 
So this is no longer accessing 

107
00:05:31,400 --> 00:05:35,320
resources as within your AWS 
account, rather it's crossing a 

108
00:05:35,320 --> 00:05:38,760
boundary and going to a third 
party that's Salesforce. 

109
00:05:38,920 --> 00:05:41,840
And the same thing applies for 
any most accesses within the 

110
00:05:41,840 --> 00:05:43,920
enterprise. 
You're going to a database, it 

111
00:05:43,920 --> 00:05:47,240
could be Oracle database in your
network, but it could also be 

112
00:05:47,240 --> 00:05:50,080
Snowflake or Databricks which
lives someplace else. 

113
00:05:50,480 --> 00:05:54,720
And so this cross boundary 
authentication problem is hard, 

114
00:05:54,960 --> 00:05:58,360
OK and it's not solved by the 
cloud providers and that's where

115
00:05:58,360 --> 00:05:59,160
Aembit
shines.

116
00:06:00,600 --> 00:06:04,400
So I find it somewhat 
interesting that you're working 

117
00:06:04,400 --> 00:06:07,520
with an identity company now, 
but we were getting into each 

118
00:06:07,520 --> 00:06:09,560
other here before we hit record.
And you mentioned that you 

119
00:06:09,560 --> 00:06:13,280
worked on Tor, the Onion router 
a long time ago, which is 

120
00:06:13,280 --> 00:06:15,160
probably the furthest thing 
possible that I can think of 

121
00:06:15,160 --> 00:06:16,920
that where you'd want to have an
identity. 

122
00:06:17,440 --> 00:06:22,600
So tell me, what about your Tor 
background and I guess what what

123
00:06:22,600 --> 00:06:27,800
caused you to do the 180? 
OK, so so it was wonderful, but 

124
00:06:27,800 --> 00:06:30,720
back in the mid 90s, I was 
working at Naval Research lab. 

125
00:06:30,720 --> 00:06:34,000
I had left the National Security
Agency and I was working with 

126
00:06:34,000 --> 00:06:36,960
two colleagues there, Paul 
Syverson and Michael Reed.

127
00:06:37,440 --> 00:06:41,800
And we had this idea OK, right, 
which is wouldn't it be good to 

128
00:06:41,800 --> 00:06:46,920
be able to do anonymous browsing
on the Internet, OK, And there 

129
00:06:46,920 --> 00:06:49,760
that there's there's lots of 
stories about how why the Navy 

130
00:06:49,760 --> 00:06:52,960
funded OK, right. 
And all this, OK, but it did 

131
00:06:52,960 --> 00:06:57,000
become really important, OK, 
this ability to visit something 

132
00:06:57,000 --> 00:07:00,840
on the web, right, Without, 
without somebody being able to 

133
00:07:00,840 --> 00:07:04,920
attribute it to you using the IP
addresses or whatnot were really

134
00:07:04,920 --> 00:07:08,560
important. 
And my background at NSA made it

135
00:07:08,560 --> 00:07:12,360
clear to me that this was 
important because NSA both tries

136
00:07:12,360 --> 00:07:15,520
to understand the traffic of 
what's going on, right? 

137
00:07:15,520 --> 00:07:19,000
What are people talking about? 
But more importantly, it's who's

138
00:07:19,000 --> 00:07:22,200
talking to whom, OK? 
And there's lots of data

139
00:07:22,200 --> 00:07:25,440
just in who's talking to whom,
call records at a phone company,

140
00:07:25,480 --> 00:07:29,200
you know, if we go back to 
olden times, OK, were also who

141
00:07:29,200 --> 00:07:34,720
was talking to whom, OK?
So, so so Tor onion routing at 

142
00:07:34,720 --> 00:07:38,200
the time was trying to solve 
this problem of saying, let's 

143
00:07:38,200 --> 00:07:41,400
make sure that we can 
communicate, but that the act of

144
00:07:41,400 --> 00:07:44,040
communication does not give away
who's talking to whom.

145
00:07:44,360 --> 00:07:47,800
Now, that doesn't mean that you 
can't say who's talking to whom

146
00:07:47,800 --> 00:07:49,800
within the connection. 
OK? 

147
00:07:50,080 --> 00:07:53,680
So we call this anonymous 
connections rather than needing 

148
00:07:53,680 --> 00:07:57,040
to be anonymous, right, when 
you're doing a transaction, OK, 

149
00:07:57,400 --> 00:07:58,520
right. 
So that's what we did. 

150
00:07:58,720 --> 00:08:01,000
OK. 
Now, of course, commercially, 

151
00:08:01,040 --> 00:08:04,000
OK, you need to be able to 
authenticate, OK, right. 

152
00:08:04,000 --> 00:08:08,040
And so, so, so in in the real 
world, right, you may want 

153
00:08:08,040 --> 00:08:11,680
anonymous connections, but even 
within that connection, you do 

154
00:08:11,680 --> 00:08:13,760
want to authenticate. 
Because if I'm talking to you, 

155
00:08:13,760 --> 00:08:18,000
Jeff, or to Jim, you should be
able to know then who, who I am,

156
00:08:18,040 --> 00:08:21,720
OK, Even if it's not observable 
to the rest of the world, OK. 

157
00:08:22,040 --> 00:08:25,320
And like you said, right, this 
is 1995, right? 

158
00:08:25,320 --> 00:08:28,960
So that's going on 30 years, OK.
So identity has been pretty 

159
00:08:28,960 --> 00:08:31,120
important for a very long time, 
OK. 

160
00:08:32,480 --> 00:08:35,600
Yeah, no kidding. 
And you know, I think it's, it's

161
00:08:35,600 --> 00:08:39,679
interesting to see where Tor has
evolved over time and how it's 

162
00:08:39,679 --> 00:08:42,880
being used. 
I Did you ever imagine that 

163
00:08:43,000 --> 00:08:46,680
people would be using Tor the 
way that they are today? 

164
00:08:47,440 --> 00:08:52,480
So, so it's hard to imagine any 
technology that's still in play,

165
00:08:52,720 --> 00:08:55,640
right, 30 years later, OK. 
That's pretty rare, OK. 

166
00:08:56,080 --> 00:09:01,400
What we did know, OK, was 
another colleague of ours coined

167
00:09:01,400 --> 00:09:04,320
this term. 
Anonymity loves company, OK? 

168
00:09:04,680 --> 00:09:08,680
If only the government were 
using Tor, you'd know when 

169
00:09:08,680 --> 00:09:12,440
they're searching for public 
source, open source intelligence

170
00:09:12,440 --> 00:09:15,280
about Iran, that it was the 
government looking for Iran. 

171
00:09:15,400 --> 00:09:18,560
OK. 
So you need all sorts of other 

172
00:09:18,560 --> 00:09:21,800
traffic to be noise to cover 
that traffic. 

173
00:09:22,000 --> 00:09:24,240
OK. 
So the design of the system said

174
00:09:24,240 --> 00:09:27,800
we can either generate our own 
noise, right, or we can leverage

175
00:09:28,000 --> 00:09:30,600
the rest of the world. 
So we opened up the system. 

176
00:09:30,840 --> 00:09:34,080
And I think that that's that's 
created, you know, kind of an 

177
00:09:34,080 --> 00:09:36,440
interesting play over these 
years, right? 

178
00:09:36,920 --> 00:09:40,360
I think interesting is is a very
light, easy way to put it. 

179
00:09:41,600 --> 00:09:45,680
Let me get back to Aembit though.
So, you know, let me put my CSO 

180
00:09:45,680 --> 00:09:47,920
hat on, right? 
And I think we've got just so 

181
00:09:47,920 --> 00:09:52,520
many products in this space. 
So my question that I ask every 

182
00:09:52,520 --> 00:09:55,440
vendor that I talk to is what 
makes you guys special? 

183
00:09:55,640 --> 00:09:58,920
Like what is it that you think 
sets yourself apart from, you 

184
00:09:58,920 --> 00:10:01,160
know, competitors in the market 
or contemporaries or things like

185
00:10:01,160 --> 00:10:02,720
that? 
Help me understand that and 

186
00:10:02,720 --> 00:10:04,600
educate our audience as well. 
OK. 

187
00:10:04,760 --> 00:10:06,640
Yeah. 
So like you said, there's lots 

188
00:10:06,640 --> 00:10:09,480
of identity companies out there,
major companies, right? 

189
00:10:09,480 --> 00:10:15,200
So Okta, right. 
And Microsoft Entra are the IAM

190
00:10:15,200 --> 00:10:19,880
dominant IAM players for human 
access workforce login to 

191
00:10:19,880 --> 00:10:22,440
services. 
We don't do that. 

192
00:10:22,440 --> 00:10:26,680
Aembit does not do that.
Aembit is login for software

193
00:10:26,680 --> 00:10:31,000
logging into services where that
software could be AI agents, OK,

194
00:10:31,320 --> 00:10:34,360
or other client applications 
trying to reach services. 

195
00:10:34,440 --> 00:10:37,640
This is in the enterprise OK. 
So the first distinction between

196
00:10:37,640 --> 00:10:41,720
what we do and what other people
do OK is we're not focused on 

197
00:10:41,720 --> 00:10:44,320
human access. 
We're focused on what people are

198
00:10:44,320 --> 00:10:48,240
now calling non human access OK.
And that's that's a big 

199
00:10:48,240 --> 00:10:51,880
difference against the the 
existing large players OK. 

200
00:10:52,400 --> 00:10:56,760
The thing that's different about
us than other newer players, OK,

201
00:10:56,760 --> 00:11:02,720
is we, we aim to solve the, the,
the enforcement side, the 

202
00:11:02,720 --> 00:11:07,360
runtime side of this problem, 
OK, So just like Okta helps you 

203
00:11:07,360 --> 00:11:11,480
log into a service, OK, And if 
Okta doesn't let you log in, you

204
00:11:11,480 --> 00:11:14,960
can't access the service. 
Aembit is the thing that lets the

205
00:11:14,960 --> 00:11:19,360
AI agent, we're the IAM that
lets the AI agent log into 

206
00:11:19,360 --> 00:11:22,360
Salesforce or Snowflake or 
whatever service it's trying to 

207
00:11:22,360 --> 00:11:24,840
do. 
And without Aembit being in

208
00:11:24,840 --> 00:11:27,680
runtime and authorizing the 
connection and issuing a

209
00:11:27,680 --> 00:11:32,200
credential and logging it OK, we
the the that access cannot 

210
00:11:32,200 --> 00:11:34,080
happen. 
So we're critical to the 

211
00:11:34,080 --> 00:11:37,720
infrastructure and we're 
fundamental to the operation of 

212
00:11:37,720 --> 00:11:41,960
the of the environment. 
So David, everyone's creating AI

213
00:11:41,960 --> 00:11:43,920
agents now. 
I'm creating them, Jeff's 

214
00:11:43,920 --> 00:11:46,880
creating them. 
People we work with are creating

215
00:11:46,880 --> 00:11:52,720
AI agents, and I guess the 
default mode that people tend to

216
00:11:53,000 --> 00:11:56,840
tend to use is when they need to
make a machine to machine 

217
00:11:56,840 --> 00:11:59,840
connection, they're using their 
own personal credentials. 

218
00:12:00,040 --> 00:12:02,840
I got to imagine that's not what
we want, right? 

219
00:12:03,920 --> 00:12:05,880
Yeah, that, that's absolutely 
true, okay. 

220
00:12:05,880 --> 00:12:08,640
But we're seeing that happening 
in lots and lots of places, 

221
00:12:08,640 --> 00:12:10,400
right? 
The obvious way to solve this 

222
00:12:10,400 --> 00:12:12,960
problem, okay. 
The obvious way to make things 

223
00:12:12,960 --> 00:12:15,560
just work, okay, because that's 
what we will just want to do, 

224
00:12:15,560 --> 00:12:18,080
right, is you're running an 
agent, goes to Salesforce, 

225
00:12:18,280 --> 00:12:20,600
you're going to give it your 
credentials, your username and 

226
00:12:20,600 --> 00:12:22,160
password, and the agent will do 
it. 

227
00:12:22,360 --> 00:12:26,800
And then that just is easy, OK? 
And it's not unlike how people 

228
00:12:26,800 --> 00:12:29,240
would've been securing machine 
to machine access for a long 

229
00:12:29,240 --> 00:12:30,840
time. 
You had a username and a 

230
00:12:30,840 --> 00:12:32,600
password for a service account, 
right? 

231
00:12:32,800 --> 00:12:35,760
Maybe if you were diligent, it 
was a different service account,

232
00:12:35,760 --> 00:12:37,400
right? 
But it was still the username 

233
00:12:37,400 --> 00:12:40,040
and password. 
And the irony here is this, this

234
00:12:40,040 --> 00:12:42,080
has a bunch of cascading 
effects. 

235
00:12:42,080 --> 00:12:46,000
One is is you probably have to 
shut off MFA at Salesforce, OK, 

236
00:12:46,000 --> 00:12:47,280
right. 
Because your username and 

237
00:12:47,280 --> 00:12:50,080
password, right, wouldn't 
generally be enough for a user. 

238
00:12:50,320 --> 00:12:52,920
So you're trying to do it easy. 
And then you put the username 

239
00:12:52,920 --> 00:12:55,840
and password in. 
Incidentally, you shared your 

240
00:12:55,840 --> 00:12:58,520
username and password and we've 
been teaching people not to 

241
00:12:58,520 --> 00:13:02,440
share usernames and passwords. 
And then you shut off MFA and 

242
00:13:02,440 --> 00:13:07,160
all of a sudden the bar on 
compliant access has been 

243
00:13:07,160 --> 00:13:10,560
lowered, OK, right. 
So you have these in just, you 

244
00:13:10,560 --> 00:13:15,000
have these enterprise 
thresholds, right, for secure 

245
00:13:15,000 --> 00:13:18,880
access that you've trained your 
employees and all of your 

246
00:13:18,880 --> 00:13:21,840
systems to work on for now for 
10 years, OK. 

247
00:13:22,040 --> 00:13:23,840
And now you're weakening those 
controls. 

248
00:13:23,960 --> 00:13:26,800
Now why is it bad to weaken 
those controls? 

249
00:13:26,800 --> 00:13:30,240
OK, well, one is is username and
passwords can be stolen, right? 

250
00:13:30,240 --> 00:13:32,760
So phishing, right? 
And now the bad guy can use 

251
00:13:32,760 --> 00:13:34,800
that. 
And notice that would be true, 

252
00:13:34,800 --> 00:13:38,080
Jim, even if it wasn't your 
username and password, let's say

253
00:13:38,080 --> 00:13:41,240
it was just a username and 
password for that agent. 

254
00:13:41,320 --> 00:13:45,600
OK, that's not enough because we
know that phishing is a problem.

255
00:13:45,720 --> 00:13:48,760
And now the bad guy could reuse 
the static long-lived

256
00:13:48,760 --> 00:13:52,320
credentials, OK, Another problem
is attribution. 

257
00:13:52,320 --> 00:13:55,600
If you're sharing your 
credentials with an agent now 

258
00:13:55,600 --> 00:13:58,680
when the access happens, we 
don't know if the agent did that

259
00:13:58,680 --> 00:14:03,320
access or you did that access or
you and the agent did that 

260
00:14:03,320 --> 00:14:06,440
access together, OK? 
And we should keep coming back 

261
00:14:06,440 --> 00:14:09,160
to attribution, right? 
As we're talking for the next 

262
00:14:09,160 --> 00:14:12,640
few minutes, OK? 
Because attribution and audit is

263
00:14:12,640 --> 00:14:17,160
sort of fundamental, OK, To be 
able to run your enterprise 

264
00:14:17,160 --> 00:14:21,960
responsibly, OK. 
And we're where that brings us 

265
00:14:21,960 --> 00:14:28,080
is in the Aembit solution, OK?
We want to make it easy to do it

266
00:14:28,080 --> 00:14:30,600
the right way because why are 
people taking shortcuts? 

267
00:14:30,680 --> 00:14:33,360
Because it's easy. 
We just want to say you should 

268
00:14:33,360 --> 00:14:38,160
manage access in and by managing
access policies instead of 

269
00:14:38,160 --> 00:14:40,400
managing secrets. 
That's what's on my shirt. 

270
00:14:40,400 --> 00:14:44,720
Manage access, not secrets, OK? 
And the idea there is, is 

271
00:14:44,880 --> 00:14:49,160
replace this whole notion that 
you enable access by sharing 

272
00:14:49,160 --> 00:14:52,520
their credential, OK, saying 
you enable access by sending

273
00:14:52,520 --> 00:14:55,880
a policy, OK. 
And then you can do what IAM and

274
00:14:55,880 --> 00:15:00,160
zero trust have done for user 
access, which is you can move to

275
00:15:00,160 --> 00:15:03,400
identity based policies, you can
do strong access control. 

276
00:15:03,520 --> 00:15:08,920
You can move away from from long
lived secrets, usernames and 

277
00:15:08,920 --> 00:15:10,680
passwords to short lived 
credentials. 

278
00:15:11,000 --> 00:15:12,680
And you can add conditional 
access. 

279
00:15:12,680 --> 00:15:15,800
All of the things that we've 
learned that work well when 

280
00:15:15,800 --> 00:15:19,720
strengthening user access. 
OK, so all that said, Jim, 

281
00:15:19,920 --> 00:15:22,440
you're building these agents 
because they're useful, OK? 

282
00:15:22,640 --> 00:15:26,680
So our ultimate job is to make 
it easy for the developers, The 

283
00:15:26,680 --> 00:15:29,440
people are building these things
to do things the right one. 

284
00:15:29,960 --> 00:15:34,960
So it's even worse than I 
thought, but I, you know, I 

285
00:15:34,960 --> 00:15:38,440
grabbed a great line to use 
there: manage access, not

286
00:15:38,440 --> 00:15:41,440
secrets. 
And I think you did a great job 

287
00:15:41,440 --> 00:15:45,680
of kind of laying out the base 
problem with what you just said 

288
00:15:45,680 --> 00:15:48,160
there. 
What I'd like to know is, I 

289
00:15:48,160 --> 00:15:50,440
mean, you got to be working with
a lot of customers. 

290
00:15:50,640 --> 00:15:54,400
I'd like to hear about what are 
the kind of use cases that your 

291
00:15:54,400 --> 00:15:57,440
customers are running into on 
this topic. 

292
00:15:58,280 --> 00:16:00,120
OK. 
So I think it's good to start. 

293
00:16:00,120 --> 00:16:02,840
Let's even ignore identity, 
let's just talk about things 

294
00:16:02,840 --> 00:16:04,880
like you said, you're building 
agents, OK? 

295
00:16:05,120 --> 00:16:07,680
So for instance, we have one 
customer, they're a financial 

296
00:16:07,680 --> 00:16:11,800
company, OK, Financial services 
company, They have lots of 

297
00:16:11,840 --> 00:16:15,080
analysts who are responsible for
various accounts from their 

298
00:16:15,080 --> 00:16:17,880
customers, OK? 
And one of the things they need 

299
00:16:17,880 --> 00:16:21,560
to do is the analysts need to do
portfolio reviews on a periodic 

300
00:16:21,560 --> 00:16:25,080
basis, OK? 
And that portfolio review is a 

301
00:16:25,360 --> 00:16:30,440
high level job, OK, Where the 
data in the portfolio is mixed 

302
00:16:30,440 --> 00:16:34,040
with data from third party 
sources and public sources and 

303
00:16:34,040 --> 00:16:37,480
proprietary information to be 
able to understand the 

304
00:16:37,480 --> 00:16:41,560
portfolio. 
So this this company is using 

305
00:16:42,200 --> 00:16:47,960
LLMs, right, agents and LLMs in
order to routinize some of that 

306
00:16:47,960 --> 00:16:51,440
analysis, right and make the 
analyst job easier. 

307
00:16:51,680 --> 00:16:55,800
And So what happens is is you 
set up this LLM with prompts 

308
00:16:55,800 --> 00:16:58,920
against whatever you set up the 
agent with prompts against

309
00:16:58,920 --> 00:17:03,240
whatever LLM it's using, but it 
needs to access these SaaS

310
00:17:03,320 --> 00:17:08,400
applications that have the data 
or the in the on network 

311
00:17:08,400 --> 00:17:11,800
applications that have the 
portfolio information or other 

312
00:17:11,800 --> 00:17:13,960
third party proprietary 
information. 

313
00:17:14,240 --> 00:17:17,040
And that login is fundamental 
here, right? 

314
00:17:17,240 --> 00:17:22,000
Do you want that LLM, the agent 
to be logging in as its own 

315
00:17:22,000 --> 00:17:24,680
identity, OK? 
Or should it do take the 

316
00:17:24,680 --> 00:17:27,920
shortcut right and login as 
whoever that analyst is? 

317
00:17:28,280 --> 00:17:33,920
And the answer is, is they 
wanted to log in with some of 

318
00:17:33,920 --> 00:17:37,960
the analyst's rights, but its 
own identity. 

319
00:17:39,200 --> 00:17:41,040
Does that does that make sense? 
Right. 

320
00:17:41,040 --> 00:17:44,400
Because the analyst has a 
certain rights that it's allowed

321
00:17:44,400 --> 00:17:46,320
to do. 
But that doesn't mean that you 

322
00:17:46,320 --> 00:17:50,080
should give the analyst's
identity to that agent because 

323
00:17:50,080 --> 00:17:52,360
that's too much rights. 
And then you couldn't 

324
00:17:52,360 --> 00:17:55,080
distinguish between the agent 
and the analyst himself. 

325
00:17:55,240 --> 00:17:58,840
OK, so that's an example of a
use case and the problem that 

326
00:17:58,840 --> 00:18:01,080
they're trying to solve and and 
it solves that problem. 

327
00:18:01,800 --> 00:18:04,880
Yeah, that's really interesting 
and I'd like to hear more. 

328
00:18:04,880 --> 00:18:08,000
I mean what are these customers 
pain points? 

329
00:18:08,000 --> 00:18:11,200
So I mean what's bothering them?
What makes them pick up the 

330
00:18:11,200 --> 00:18:15,280
phone in the first place?
Probably not the phone, write an

331
00:18:15,280 --> 00:18:18,640
e-mail or the go to your 
website, but what's causing them

332
00:18:18,640 --> 00:18:20,640
to do that in the first place,
David? 

333
00:18:21,360 --> 00:18:25,280
Yeah, so, so we, we have another
customer, a large a large 

334
00:18:25,280 --> 00:18:30,520
retailer, OK. 
And their their motivation here 

335
00:18:30,520 --> 00:18:34,920
was the business wants to 
innovate and take advantage of 

336
00:18:34,920 --> 00:18:36,960
agentic AI. 
And just stepping back for a 

337
00:18:36,960 --> 00:18:40,440
minute is really amazing, right?
How much perceived and actual 

338
00:18:40,440 --> 00:18:42,840
value, right enterprises are 
saying right. 

339
00:18:42,840 --> 00:18:47,000
The revenue and the, and the, 
the, the use of agentic AI, 

340
00:18:47,000 --> 00:18:51,280
right is really very real in the
enterprise, OK, for all the 

341
00:18:51,480 --> 00:18:55,200
complaining about hallucinations
and all this, OK, these things 

342
00:18:55,200 --> 00:18:59,080
are really very useful, OK? 
So there the CSO called us and 

343
00:18:59,080 --> 00:19:03,080
the CSO said is my enterprise 
wants to innovate with agentic 

344
00:19:03,120 --> 00:19:08,040
AI and in order to innovate 
those need to access various 

345
00:19:08,040 --> 00:19:10,480
sensitive data sources in the 
enterprise. 

346
00:19:10,640 --> 00:19:13,280
We talked about Salesforce, we 
talked about Snowflake, you 

347
00:19:13,280 --> 00:19:17,880
could talk about ServiceNow, OK.
And the problem is, is he is 

348
00:19:17,880 --> 00:19:21,920
responsible for compliant access
to those enterprise data sets. 

349
00:19:22,200 --> 00:19:24,920
And now these agents need 
access. 

350
00:19:25,080 --> 00:19:29,400
And the question is, is how do 
you provide access, OK, with a 

351
00:19:29,400 --> 00:19:35,760
bar that's similar to the levels
of of access control that you 

352
00:19:35,760 --> 00:19:38,720
have for user access? 
Because you don't want a 

353
00:19:38,720 --> 00:19:42,680
personnel agent, right, To get 
enterprise ops data, OK?

354
00:19:42,960 --> 00:19:46,400
You don't want an HR agent to 
get mental health information, 

355
00:19:46,560 --> 00:19:49,320
OK, Right. 
And how do you assign those 

356
00:19:49,320 --> 00:19:52,080
rights, OK. 
And you can see if things go 

357
00:19:52,080 --> 00:19:55,200
sideways there, right? 
You can actually create lots of 

358
00:19:55,200 --> 00:19:59,040
problems for yourself, OK? 
But for me, and I've always 

359
00:19:59,040 --> 00:20:01,120
liked this, when we build 
companies, we're trying to build

360
00:20:01,120 --> 00:20:03,920
security companies that enable 
things, OK? 

361
00:20:04,240 --> 00:20:08,880
And here authentication is 
enabling the enterprise to do in

362
00:20:08,880 --> 00:20:11,400
a responsible way the things 
that it wants to do. 

363
00:20:11,640 --> 00:20:13,320
That'll help it be more 
effective. 

364
00:20:14,160 --> 00:20:16,840
You know, you made a statement 
like people in the enterprise 

365
00:20:16,840 --> 00:20:19,240
and enterprises are building 
these agents. 

366
00:20:19,520 --> 00:20:23,560
And I kind of feel like this is 
one of those IT trends that even

367
00:20:23,560 --> 00:20:26,320
though we saw it coming, I feel 
like it almost caught me by 

368
00:20:26,320 --> 00:20:31,240
surprise where I went from not 
having seen agents in many 

369
00:20:31,240 --> 00:20:34,240
organizations, client 
organizations, my own 

370
00:20:34,240 --> 00:20:39,000
organization to I'm building a 
just like 6 months later. 

371
00:20:39,280 --> 00:20:43,040
And now this is, this is really 
an identity issue. 

372
00:20:43,240 --> 00:20:47,680
And I'm comparing that to 
certain other areas of identity 

373
00:20:47,680 --> 00:20:50,680
like decentralized identity. 
I feel like I've been talking 

374
00:20:50,680 --> 00:20:54,240
about decentralized identity. 
We've had guests on, but I 

375
00:20:54,240 --> 00:20:56,080
haven't had my hands on it, 
right? 

376
00:20:56,280 --> 00:21:00,400
But like this AI agent thing is 
very real in my world. 

377
00:21:00,640 --> 00:21:06,440
And when anything moves with 
that velocity, I think like the 

378
00:21:06,440 --> 00:21:09,120
whole organization has got to be
on its toes, right? 

379
00:21:09,120 --> 00:21:13,080
Including the audit function. 
And I wanted to ask you about 

380
00:21:13,080 --> 00:21:17,760
the audit function because I've 
got to believe that this is like

381
00:21:18,840 --> 00:21:21,160
becoming like in their 
wheelhouse overnight. 

382
00:21:21,600 --> 00:21:24,400
Yeah, yeah. 
So audit and attribution, right,

383
00:21:24,520 --> 00:21:27,600
are fundamental here, right? 
You want to be able to know 

384
00:21:27,600 --> 00:21:32,000
what's happening, OK, Both to 
know, you know, accountability 

385
00:21:32,000 --> 00:21:35,520
and responsibility and also when
things go wrong, you got to undo

386
00:21:35,520 --> 00:21:37,680
it. 
And then things go wrong in soft

387
00:21:37,680 --> 00:21:40,760
ways, just operations. 
So audit helps you there too. 

388
00:21:41,080 --> 00:21:43,760
But what's really interesting, 
Jim, is you talked about the 

389
00:21:43,760 --> 00:21:47,160
change here, right? 
That's quite astounding. 

390
00:21:47,160 --> 00:21:51,280
I think we can all look back a 
couple of decades, the change 

391
00:21:51,600 --> 00:21:55,960
that's like this adoption of AI,
it's akin to the change that 

392
00:21:55,960 --> 00:21:59,880
happened with cloud or before 
that was say the adoption of the

393
00:21:59,880 --> 00:22:01,760
iPhone. 
OK, do you know what I'm saying?

394
00:22:02,080 --> 00:22:06,800
And it's very likely that this 
will change businesses in even a

395
00:22:06,800 --> 00:22:09,720
stronger way than those 
previous, OK, than those 

396
00:22:09,720 --> 00:22:12,960
previous things because the 
adoption is just, is just so 

397
00:22:12,960 --> 00:22:15,320
beneficial, right to the 
enterprise. 

398
00:22:15,520 --> 00:22:18,200
And we all know, right? 
We all remember when, when 30 

399
00:22:18,200 --> 00:22:19,240
years ago, what? 
No. 

400
00:22:19,600 --> 00:22:22,160
When was it in? 
In 1997. 

401
00:22:22,160 --> 00:22:27,080
Right when the iPhone came out 
was No, 2007 when the iPhone 

402
00:22:27,080 --> 00:22:30,560
came out, people said you can't 
have a device without a 

403
00:22:30,560 --> 00:22:32,120
keyboard, right? 
OK. 

404
00:22:32,480 --> 00:22:37,800
But you know how wrong they 
were, how long they were, right?

405
00:22:38,440 --> 00:22:41,720
You also point out here, Jim, is
that this development of agents 

406
00:22:41,720 --> 00:22:44,720
is occurring, right, sort of 
organically within the 

407
00:22:44,720 --> 00:22:47,600
enterprise, OK? 
People are just innovating, OK? 

408
00:22:47,840 --> 00:22:49,960
And that's something we should 
encourage, right? 

409
00:22:49,960 --> 00:22:52,760
Because if you want people to 
help their organizations work 

410
00:22:52,760 --> 00:22:55,040
better. 
Well, I think if whether you 

411
00:22:55,040 --> 00:22:56,760
encourage or not, it's going to 
happen. 

412
00:22:57,000 --> 00:22:59,360
So why not make sure that you 
put the proper guard rails 

413
00:22:59,360 --> 00:23:01,520
around it. 
And I think what I'm hearing 

414
00:23:01,520 --> 00:23:03,920
from you, David, is you don't 
think AI is a fad and it's going

415
00:23:03,920 --> 00:23:07,560
to be around for a while. 
No, AI is useful and we're using 

416
00:23:07,560 --> 00:23:09,200
it right. 
You probably use it in your 

417
00:23:09,200 --> 00:23:11,080
personal life instead of Google 
search. 

418
00:23:11,080 --> 00:23:13,400
OK, right. 
In the enterprise, it's it's 

419
00:23:13,400 --> 00:23:16,160
accelerating the ability to do 
things coders, right? 

420
00:23:16,160 --> 00:23:18,880
It's all moving. 
So and I I like the word 

421
00:23:18,880 --> 00:23:21,160
guardrails, right? 
And So what we're trying to do 

422
00:23:21,160 --> 00:23:24,120
here is we're trying to give a 
platform, an IAM platform for 

423
00:23:24,120 --> 00:23:27,400
agents and other pieces of 
software where it lets 

424
00:23:27,400 --> 00:23:31,720
developers do less work because 
authentic is hard, right? 

425
00:23:31,840 --> 00:23:34,720
You were saying, right, Jim, 
let's put our usernames and 

426
00:23:34,720 --> 00:23:36,560
passwords. 
So let's avoid that whole 

427
00:23:36,560 --> 00:23:38,760
problem. 
Let's authentication be part of 

428
00:23:38,760 --> 00:23:42,720
the platform so developers can 
focus on the parts of the code 

429
00:23:42,720 --> 00:23:46,720
that matter, OK. 
And incidentally, it happens 

430
00:23:46,880 --> 00:23:49,360
compliant with company access 
policies. 

431
00:23:50,640 --> 00:23:53,200
So we've been kind of talking 
about AI and agents 

432
00:23:53,200 --> 00:23:56,920
specifically, almost like it's a
generic term, an agent, but 

433
00:23:56,920 --> 00:23:59,400
there are multiple types of 
agents that are out there, 

434
00:23:59,400 --> 00:24:01,760
right? 
So can you explain, you know, 

435
00:24:01,760 --> 00:24:04,560
maybe like what are some of the 
different types of agents and 

436
00:24:05,000 --> 00:24:07,720
why is it important? 
I, I don't know, maybe is it 

437
00:24:07,720 --> 00:24:10,920
important to have different 
guardrails for different types 

438
00:24:10,920 --> 00:24:12,840
of agents? 
Or maybe it's the same or 

439
00:24:12,840 --> 00:24:14,800
similar guardrails. 
Talk to me about that. 

440
00:24:15,600 --> 00:24:18,480
So all agents are pieces of 
software, OK. 

441
00:24:18,480 --> 00:24:21,200
And you might give that column 
an application or call them a 

442
00:24:21,200 --> 00:24:23,320
workload, right? 
And in this sense, they're a 

443
00:24:23,320 --> 00:24:25,520
client workload, right? 
They're the thing that's 

444
00:24:25,520 --> 00:24:28,400
accessing something else. 
We're seeing three kinds of 

445
00:24:28,400 --> 00:24:31,240
agents in the enterprise, OK? 
We're seeing the use case I 

446
00:24:31,240 --> 00:24:32,920
described to the financial 
analyst. 

447
00:24:33,080 --> 00:24:35,360
Those agents are what we call 
hybrid agents. 

448
00:24:35,560 --> 00:24:39,080
They're working. 
The user works with an agent to 

449
00:24:39,080 --> 00:24:43,480
do some tasks, OK? 
We also see autonomous agents, 

450
00:24:43,480 --> 00:24:45,440
right? 
Where the agent is doing 

451
00:24:45,440 --> 00:24:49,120
something on its own that a user
or somebody else, some other 

452
00:24:49,120 --> 00:24:52,800
machine may have done, OK. 
And those two are different 

453
00:24:52,800 --> 00:24:55,560
scenarios, right? 
Because the autonomous agent, 

454
00:24:55,760 --> 00:25:00,640
the agent needs an identity, OK,
and it needs access rights, and 

455
00:25:00,640 --> 00:25:03,680
you need to be able to attribute
any action that it does, whether

456
00:25:03,680 --> 00:25:07,360
it's data access or tool set 
access or changing something in 

457
00:25:07,360 --> 00:25:09,760
the infrastructure, OK, to that 
agent. 

458
00:25:10,160 --> 00:25:13,920
The hybrid agents need that sort
of blended identity that we 

459
00:25:13,920 --> 00:25:17,000
talked about, OK? 
The effective rights for that 

460
00:25:17,000 --> 00:25:20,880
agent is some combination of 
what the agent's entitled to do 

461
00:25:21,040 --> 00:25:23,760
and what the controlling user is
entitled to do. 

462
00:25:23,920 --> 00:25:26,120
We should work through some 
examples there, OK? 

463
00:25:26,360 --> 00:25:30,280
But even when you do have sort 
of entitlement, you need to know

464
00:25:30,280 --> 00:25:33,960
when it was the agent operating 
and when the user was operating.

465
00:25:34,120 --> 00:25:36,800
And when the agent operates, you
need to know what's operating on

466
00:25:36,800 --> 00:25:40,600
behalf of that user. 
Now there's another use case job

467
00:25:40,600 --> 00:25:43,920
where it's agent to agent kind 
of chained agents, OK? 

468
00:25:44,320 --> 00:25:48,440
And that one is sort of an 
expansion of that hybrid agent, 

469
00:25:48,440 --> 00:25:49,840
right? 
Because instead of the agent 

470
00:25:49,840 --> 00:25:53,200
being called by a user, the 
agent's called by an agent, which

471
00:25:53,200 --> 00:25:56,400
may be autonomous or may itself 
be a hybrid agent, OK? 

472
00:25:56,640 --> 00:26:00,160
And in all of those cases, the 
attribution for upstream context

473
00:26:00,320 --> 00:26:03,800
is really very important. 
So wouldn't it just be simpler 

474
00:26:03,800 --> 00:26:06,280
to just say, OK, well, I've got 
an identity for an agent and an 

475
00:26:06,280 --> 00:26:09,880
identity for a human, rather 
than try to do like an inference

476
00:26:10,080 --> 00:26:13,960
of, well, this agent has some 
subset of me as the, you know, 

477
00:26:13,960 --> 00:26:17,440
the assignable actionable person
for that agent, whatever that 

478
00:26:17,440 --> 00:26:19,080
looks like, right? 
I'm accountable for it does. 

479
00:26:19,520 --> 00:26:22,520
Why not just have two different 
identities? 

480
00:26:22,520 --> 00:26:24,080
Or, or maybe that's what you're 
talking about. 

481
00:26:24,080 --> 00:26:27,480
I'm just trying to understand, 
you know, why, Why would we make

482
00:26:27,480 --> 00:26:32,360
a differentiation there? 
So, so we, we believe entirely, 

483
00:26:32,360 --> 00:26:36,560
Justin, every entity should have
its own unique identity, OK? 

484
00:26:36,680 --> 00:26:39,400
So a human who is using the 
agent, the agent should have an 

485
00:26:39,400 --> 00:26:41,520
auditable identity. 
The human should have the 

486
00:26:41,520 --> 00:26:44,280
auditable identity, and the 
transaction that happened should

487
00:26:44,280 --> 00:26:47,520
be attributed a little to both 
of them, OK, Where the agent did

488
00:26:47,520 --> 00:26:49,320
the work on behalf of the human,
OK. 

489
00:26:49,560 --> 00:26:53,120
But the real question is, is 
what's the rights the agent has,

490
00:26:53,120 --> 00:26:55,240
right? 
It's not the identity, it's the 

491
00:26:55,240 --> 00:26:58,040
access rights that it has. 
So take an example. 

492
00:26:58,120 --> 00:27:04,080
Let's say an HR person is using 
an agent to get HR information 

493
00:27:04,200 --> 00:27:08,120
from ServiceNow OK. 
That agent should have 

494
00:27:08,120 --> 00:27:12,280
permission to the HR information
in ServiceNow OK. 

495
00:27:12,680 --> 00:27:15,800
And an IT person accessing 
ServiceNow through that agent 

496
00:27:15,920 --> 00:27:20,880
should have permission to that 
IT to the IT asset information. 

497
00:27:21,160 --> 00:27:24,520
And so you see it's this 
blending, right, where it's the 

498
00:27:24,520 --> 00:27:27,000
rights of what the ServiceNow 
agent can do. 

499
00:27:27,120 --> 00:27:29,840
Maybe it's only allowed to read 
the data, OK, right. 

500
00:27:30,080 --> 00:27:34,480
And then the data set in this 
case, right, depends upon what 

501
00:27:34,480 --> 00:27:37,240
user it is, OK. 
And so it's not that the 

502
00:27:37,320 --> 00:27:43,040
identities are sort of are sort 
of combined, is that their 

503
00:27:43,040 --> 00:27:45,000
access rights, right, are 
combined. 

504
00:27:46,280 --> 00:27:48,320
I mean, what you described there
almost sounds a little bit like 

505
00:27:48,320 --> 00:27:51,960
a privileged access management 
use case where you've got this 

506
00:27:51,960 --> 00:27:54,240
agent that is going and 
accessing, you know, a certain 

507
00:27:54,240 --> 00:27:57,440
resource, whether it's, you 
know, direct on behalf of a 

508
00:27:57,440 --> 00:28:00,080
delegate or some sort of 
inference of of whatever. 

509
00:28:00,680 --> 00:28:04,760
I mean, it seems to me like is 
the right way to have each 

510
00:28:04,760 --> 00:28:08,400
person has their own agentic 
version of themselves? 

511
00:28:08,760 --> 00:28:12,680
Or is it? 
I have a shared, you know, maybe

512
00:28:12,680 --> 00:28:16,040
it is an HR agent that a bunch 
of HR people share. 

513
00:28:16,320 --> 00:28:20,280
And based on whoever's invoking 
that agent at that, at that 

514
00:28:20,280 --> 00:28:23,280
runtime, it's saying, OK, well, 
because Jeff invoked it, 

515
00:28:23,280 --> 00:28:26,360
whatever Jeff has access to, I 
now have access to for this time

516
00:28:26,360 --> 00:28:28,440
limit. 
Or if I'm in IT, I have a 

517
00:28:28,440 --> 00:28:30,480
different scope of permissions 
or whatever maybe? 

518
00:28:31,320 --> 00:28:34,800
Right, so, so I think what's 
what's quite beautiful about 

519
00:28:34,880 --> 00:28:37,920
everything we're talking about 
are the analogies OK, right. 

520
00:28:38,040 --> 00:28:42,360
So people should be able to draw
on the concepts of IAM or PAM, 

521
00:28:42,400 --> 00:28:46,000
right, in order to start to talk
about what this should look 

522
00:28:46,000 --> 00:28:50,080
like, OK, right. 
And, and it does it does start 

523
00:28:50,080 --> 00:28:53,760
to smell right, like fine grain 
control, right, that you would 

524
00:28:53,760 --> 00:28:57,000
want to do in PAM. 
But the difference is OK is 

525
00:28:57,120 --> 00:29:01,040
whether you have an agent for a 
particular person or agent 

526
00:29:01,040 --> 00:29:07,480
that's shared among people, OK, 
The user may get the effective 

527
00:29:07,480 --> 00:29:13,440
rights, OK, of that agent, maybe
not only the on behalf rights of

528
00:29:13,440 --> 00:29:16,280
the user. 
OK, Let's take a very trivial 

529
00:29:16,280 --> 00:29:20,000
toy example, OK? 
In that ServiceNow use case, if 

530
00:29:20,000 --> 00:29:24,920
the agent operated on behalf of 
the user, then the agent could 

531
00:29:24,920 --> 00:29:28,880
read the user's calendar. 
OK, that's not what you want, 

532
00:29:29,000 --> 00:29:31,320
right? 
The agent is a ServiceNow agent.

533
00:29:31,560 --> 00:29:34,960
You're smiling, but that's, 
that's sort of a toy example. 

534
00:29:34,960 --> 00:29:38,840
So the on behalf of relationship
is not sufficient, right, 

535
00:29:38,840 --> 00:29:42,760
Because you don't want the agent
to do everything that that user 

536
00:29:42,760 --> 00:29:45,840
could do, OK, right. 
The agent should do what that 

537
00:29:45,840 --> 00:29:48,800
user could do within the scope 
of what the agent is allowed to 

538
00:29:48,800 --> 00:29:52,160
do, OK. 
And we call this notion sort of 

539
00:29:52,160 --> 00:29:56,200
a blended identity, OK, right. 
Where what you're doing is 

540
00:29:56,200 --> 00:30:00,440
you're blending the access 
rights that are entitled to the 

541
00:30:00,440 --> 00:30:04,080
user and the agent in order to 
figure out what the effective 

542
00:30:04,080 --> 00:30:07,160
rights of the agent are. 
I think there's a few people 

543
00:30:07,160 --> 00:30:09,880
listening who would love to have
an agent read and respond to all

544
00:30:09,880 --> 00:30:13,720
their e-mail for them. 
Maybe they're brave right now to

545
00:30:13,720 --> 00:30:17,200
do that right to. 
I think eventually, you know, we

546
00:30:17,200 --> 00:30:19,640
get to that spot. 
But it's probably different 

547
00:30:19,640 --> 00:30:21,840
agent than the ServiceNow agent,
right? 

548
00:30:22,640 --> 00:30:25,280
You would certainly hope so. 
That that's right, right. 

549
00:30:25,440 --> 00:30:27,640
And I, you know, we'd all like 
that, OK, right. 

550
00:30:27,640 --> 00:30:30,920
But but I think again, it's 
these the agents will have a 

551
00:30:30,920 --> 00:30:33,680
task, right? 
And then the task that it's 

552
00:30:33,680 --> 00:30:37,680
doing will get right based on 
the user that's invoking it. 

553
00:30:38,440 --> 00:30:43,040
So let me ask you a, a future 
looking question is, and we're, 

554
00:30:43,040 --> 00:30:45,200
I think we're all familiar with 
like birthright provisioning, 

555
00:30:45,200 --> 00:30:46,080
right? 
Things like that. 

556
00:30:46,080 --> 00:30:49,320
And I kind of joked about an 
agentic version of myself. 

557
00:30:49,720 --> 00:30:53,920
How long do you think it is that
it would be where as a standard 

558
00:30:53,920 --> 00:30:56,840
birthright role or birthright 
provisioning, not only am I 

559
00:30:56,840 --> 00:31:00,520
getting my account, I'm getting 
an agentic version of myself. 

560
00:31:00,880 --> 00:31:04,400
Is this a one year, three-year, 
five year, 10 year out that you 

561
00:31:04,400 --> 00:31:07,600
think you'll start to see 
agentic Jeff being provisioned 

562
00:31:07,600 --> 00:31:13,640
at the same time as real Jeff? 
So, so, so I think that that 

563
00:31:13,640 --> 00:31:17,040
it'll be more the tooling, the 
the tooling that we talked about

564
00:31:17,040 --> 00:31:20,240
that they'll be things out 
there, right, that will do 

565
00:31:20,240 --> 00:31:24,480
specific tasks, OK, more than 
somebody that'll operate, you 

566
00:31:24,480 --> 00:31:29,800
know, sort of as as as my clone.
OK, there's there's lots of 

567
00:31:29,800 --> 00:31:33,080
ways, right, that I think you 
want probably a little bit 

568
00:31:33,080 --> 00:31:36,360
shorter leash. 
OK, right then, then and then 

569
00:31:36,360 --> 00:31:39,120
the agent being able to do 
everything on your own. 

570
00:31:39,760 --> 00:31:42,880
On the other hand, we all said 
right, this is moving very, very

571
00:31:42,880 --> 00:31:45,600
fast, okay, right. 
And the fact that we can 

572
00:31:45,600 --> 00:31:48,760
entertain questions like that 
shows just how close, right? 

573
00:31:48,920 --> 00:31:51,400
It's actually possible. 
Okay, right. 

574
00:31:51,880 --> 00:31:55,800
So, yeah, we we were some 
friends and ours were talking, 

575
00:31:55,800 --> 00:32:00,040
you know, it's will agents sort 
of be your persona, right? 

576
00:32:00,040 --> 00:32:01,280
Do do you know what I'm saying? 
Right. 

577
00:32:01,480 --> 00:32:05,200
I'm not sure how I get the 
experience right from the agent 

578
00:32:05,200 --> 00:32:07,080
being, you know, being my 
persona. 

579
00:32:07,240 --> 00:32:10,000
But that's treading on 
philosophy and science fiction, 

580
00:32:10,400 --> 00:32:13,000
so. 
I loved a lot of the questions 

581
00:32:13,000 --> 00:32:15,920
that Jeff asked. 
Like I kept thinking in my mind 

582
00:32:15,920 --> 00:32:21,960
about if you had a humanoid 
robot, would you want him or her

583
00:32:21,960 --> 00:32:25,920
or it to be able to do anything 
that you can do? 

584
00:32:26,680 --> 00:32:28,560
The answer might be yes. 
I don't know. 

585
00:32:28,840 --> 00:32:31,560
I'm just got to give that one 
some thought. 

586
00:32:32,760 --> 00:32:36,680
But David, what I really like 
about Jeff's questions is that 

587
00:32:36,680 --> 00:32:40,640
he kind of started to help me 
understand a little bit more 

588
00:32:40,640 --> 00:32:45,040
about how Ambit works. 
And the question I have for you 

589
00:32:45,040 --> 00:32:50,800
is like, who uses Ambit? 
Is it me and Jeff as agent 

590
00:32:50,800 --> 00:32:54,560
developers? 
Is the IAM group like the 

591
00:32:54,920 --> 00:32:59,840
identity practitioner, the the 
the administrator of the system 

592
00:32:59,840 --> 00:33:02,720
is that who uses Ambit? 
Both of us? 

593
00:33:03,080 --> 00:33:04,640
How's that work? 
OK. 

594
00:33:04,760 --> 00:33:06,480
Yeah. 
So generally we have two 

595
00:33:06,480 --> 00:33:09,880
stakeholders in the enterprise. 
We have the security function, 

596
00:33:09,920 --> 00:33:13,880
OK, whose job it is to make sure
that resources in the 

597
00:33:13,880 --> 00:33:17,000
enterprise, whether they're data
or systems or tools, are only 

598
00:33:17,000 --> 00:33:20,560
accessed by authorized users or 
agents, OK. 

599
00:33:20,960 --> 00:33:24,440
And then there's the developers 
who build those agents, OK? 

600
00:33:24,760 --> 00:33:28,760
And for them, our job is to make
being compliant with policies 

601
00:33:28,760 --> 00:33:32,320
and make access OK, 
authentication, authorization 

602
00:33:32,480 --> 00:33:35,720
easy, OK. 
And we have an aspect of our 

603
00:33:35,720 --> 00:33:38,560
stuff which is no code. 
OK, So people can include our 

604
00:33:38,560 --> 00:33:41,760
stuff in the agent and they 
don't have to modify their code.

605
00:33:42,000 --> 00:33:46,080
And what would have been the 
steps of authenticate the agent 

606
00:33:46,200 --> 00:33:50,400
in the hybrid case, authenticate
the user, then check an access 

607
00:33:50,400 --> 00:33:52,760
policy and then issue a 
credential and use that 

608
00:33:52,760 --> 00:33:55,720
credential. 
That all gets taken care of, OK 

609
00:33:55,960 --> 00:34:00,400
by our stuff without the 
developer needing to write any 

610
00:34:00,400 --> 00:34:02,280
code. 
And then of course everything is

611
00:34:02,280 --> 00:34:06,360
logged, both successful attempts
and not and and and denied 

612
00:34:06,360 --> 00:34:07,480
attempts. 
OK. 

613
00:34:07,960 --> 00:34:11,800
So the two stakeholders? 
You know, David, I, I heard you 

614
00:34:11,800 --> 00:34:14,040
say in one of our conversation, 
I wrote it down. 

615
00:34:14,280 --> 00:34:16,639
Identity helps folks on the 
front end. 

616
00:34:17,000 --> 00:34:20,000
And now that I've got you here 
for the interview, I wanted to 

617
00:34:20,000 --> 00:34:22,600
ask you what you meant by that. 
OK. 

618
00:34:22,679 --> 00:34:26,440
Yeah. 
So so there's there's two places

619
00:34:26,440 --> 00:34:29,320
where identity, well, there's 
three places where identity 

620
00:34:29,320 --> 00:34:31,920
happens, OK, there's policies, 
right? 

621
00:34:32,080 --> 00:34:35,400
This agent can access 
ServiceNow, OK. 

622
00:34:35,800 --> 00:34:40,760
There's how ServiceNow enforces 
those policies and identity or 

623
00:34:40,760 --> 00:34:44,560
an access token comes in and 
ServiceNow knows that it can go 

624
00:34:44,560 --> 00:34:46,960
to HR data, right, and not IT 
data. 

625
00:34:47,320 --> 00:34:50,600
But then the question is on the 
left hand side of the picture, 

626
00:34:50,760 --> 00:34:55,000
how does the agent get that 
access token so that it can use 

627
00:34:55,000 --> 00:34:55,920
that? 
OK. 

628
00:34:56,440 --> 00:34:59,280
And that's the part of the 
problem that Ambit solves. 

629
00:34:59,280 --> 00:35:03,680
And it says set a policy and we 
can authenticate the agent and 

630
00:35:03,680 --> 00:35:07,680
the user and then deliver a 
token that that agent can use. 

631
00:35:08,000 --> 00:35:12,000
And the interpretation of that 
token is left to the system 

632
00:35:12,000 --> 00:35:14,520
you're accessing, OK? 
Now, if you think about it, 

633
00:35:14,520 --> 00:35:18,080
that's exactly what happens with
Microsoft Entra or Okta, right? 

634
00:35:18,320 --> 00:35:21,920
They're not trying to give 
Salesforce a fine grained 

635
00:35:21,920 --> 00:35:25,200
authorization mechanism, OK? 
They have Salesforce's job. 

636
00:35:25,440 --> 00:35:28,480
The job of Okta is to deliver to
the user, right? 

637
00:35:28,480 --> 00:35:32,240
The sales person, the token that
maps them to a certain set of 

638
00:35:32,240 --> 00:35:34,920
rights, OK. 
And that's what I meant by the 

639
00:35:35,080 --> 00:35:38,520
left side of the picture, the 
guy doing the access, rather 

640
00:35:38,520 --> 00:35:40,640
than the right side where the 
resource is. 

641
00:35:41,240 --> 00:35:45,560
Very cool. 
You know, I, I think the whole 

642
00:35:45,680 --> 00:35:51,960
AI agent wave feels a lot like 
the cloud platform wave. 

643
00:35:52,200 --> 00:35:58,040
Remember, organizations started 
standing up Amazon Web Services 

644
00:35:58,880 --> 00:36:03,000
accounts and they just have 
development servers at first. 

645
00:36:03,280 --> 00:36:06,680
Then you check back in a year 
later and there were like 30 

646
00:36:06,680 --> 00:36:09,840
accounts and all kinds of 
production applications and it 

647
00:36:09,840 --> 00:36:13,800
moved so quickly just became a 
thing that made sense for the 

648
00:36:13,800 --> 00:36:16,560
business. 
And we identity practitioners, 

649
00:36:16,560 --> 00:36:20,360
we were I think in many cases 
late to react, right. 

650
00:36:20,360 --> 00:36:24,560
We didn't get ahead of it and we
couldn't hold back the business 

651
00:36:24,560 --> 00:36:27,680
from, you know, taking on this 
great technology. 

652
00:36:27,840 --> 00:36:32,480
Just like today you're seeing 
probably in my organization, 

653
00:36:32,480 --> 00:36:34,920
there are probably thousands of 
agents that have already been 

654
00:36:34,920 --> 00:36:39,520
built. 
So I, I think the, that maybe 

655
00:36:39,520 --> 00:36:44,400
not because of just the size of 
the wave this time, but maybe on

656
00:36:44,440 --> 00:36:46,960
how quickly it came on. 
I think it caught a lot of 

657
00:36:47,160 --> 00:36:51,200
identity practitioners, probably
flat footed, I guess. 

658
00:36:51,200 --> 00:36:53,440
What's the advice you have for 
them now? 

659
00:36:53,840 --> 00:36:56,880
If you're an organization, 
you've got thousands of agents, 

660
00:36:57,240 --> 00:37:00,160
you know, how do you get your 
arms around this beast? 

661
00:37:01,040 --> 00:37:04,080
Yeah, so, so I think that's, 
that's a good question, but I 

662
00:37:04,080 --> 00:37:07,520
think you want to look that even
if there's thousands of agents, 

663
00:37:07,520 --> 00:37:10,320
it's relatively greenfield, OK? 
Right. 

664
00:37:10,560 --> 00:37:13,720
So let's look at 3 examples, OK?
Right. 

665
00:37:14,000 --> 00:37:17,880
We've spent probably a dozen 
years getting control over user 

666
00:37:17,880 --> 00:37:21,160
access, right? 
By introducing IAM systems and 

667
00:37:21,160 --> 00:37:24,880
multi factor and conditional 
access and a path to zero trust.

668
00:37:25,080 --> 00:37:30,280
OK, Machine access, however, is 
still stuck in the world of 

669
00:37:30,280 --> 00:37:33,800
secrets management, 
okay, right, So most service 

670
00:37:33,800 --> 00:37:38,080
accounts that machines log into 
are API keys or username 

671
00:37:38,080 --> 00:37:39,840
passwords for those service 
accounts. 

672
00:37:40,160 --> 00:37:44,720
And that's where you have Jim, 
like you said, lots and lots of 

673
00:37:44,880 --> 00:37:50,120
years and years, right? 
Of of of of debt, okay to clean 

674
00:37:50,120 --> 00:37:53,120
up, okay. 
On the other hand, agents are 

675
00:37:53,120 --> 00:37:56,320
relatively nascent, OK. 
And what we're hearing from the 

676
00:37:56,320 --> 00:37:59,280
enterprise is it's this 
combination of push pull. 

677
00:37:59,360 --> 00:38:03,600
We need to innovate, but we need
to create the platforms, right 

678
00:38:03,800 --> 00:38:07,800
that prevent us from getting 
into this problem that we're in 

679
00:38:07,920 --> 00:38:10,960
with machine access, right? 
Where it's just credential 

680
00:38:10,960 --> 00:38:13,120
sprawl and long-lived 
credentials, right? 

681
00:38:13,320 --> 00:38:17,120
Doing all the things the way you
wouldn't do for users, OK, 

682
00:38:17,160 --> 00:38:18,800
right. 
But you didn't because you 

683
00:38:18,800 --> 00:38:20,400
didn't have the plumbing along 
the way. 

684
00:38:20,760 --> 00:38:23,800
And so now what we're hearing 
for agents, it's the time to 

685
00:38:23,800 --> 00:38:29,080
start in doing doing it better, 
OK, using modern authentication.

686
00:38:29,240 --> 00:38:32,320
And that's what Ambit does. 
We're IAM for agentic AI. 

687
00:38:33,720 --> 00:38:36,400
So you've made a compelling case
and now I think I'm OK. 

688
00:38:36,400 --> 00:38:39,160
Well, I need to do something 
about the identity and the 

689
00:38:39,160 --> 00:38:42,400
access for my agents. 
What are some of the things 

690
00:38:42,400 --> 00:38:45,080
that, as I put my jaded CISO hat
on again, is that right? 

691
00:38:45,080 --> 00:38:46,360
It's going to cost me money, 
right? 

692
00:38:46,600 --> 00:38:51,200
So how do I, you know, how do I 
make the case to the board or 

693
00:38:51,360 --> 00:38:54,520
the CIO or whoever, right to get
the budget? 

694
00:38:55,040 --> 00:38:58,640
How do I measure success with 
Ambit and then say, OK, this is 

695
00:38:58,640 --> 00:39:00,560
what the return is looking like 
that. 

696
00:39:00,560 --> 00:39:04,160
Do you have any any metrics that
you typically are seeing from 

697
00:39:04,160 --> 00:39:06,560
your customers or things like 
that, that can help me make the 

698
00:39:06,560 --> 00:39:09,040
case as somebody who's 
interested in delving into this 

699
00:39:09,040 --> 00:39:10,360
more? 
Yeah. 

700
00:39:10,360 --> 00:39:13,640
So we're seeing metrics 1 is, is
a hard metric, right? 

701
00:39:13,880 --> 00:39:16,440
How much, how hard is it for 
developers, right? 

702
00:39:16,440 --> 00:39:19,760
How much time do they save by not
having to code up all OK. 

703
00:39:20,520 --> 00:39:25,160
The second metric that's that's 
also a hard metric is if you did

704
00:39:25,160 --> 00:39:28,920
it the way Jim you said, right, 
with usernames and passwords or 

705
00:39:28,920 --> 00:39:32,080
dedicated usernames and accounts. 
We all know the overhead 

706
00:39:32,080 --> 00:39:34,920
associated with rotating 
credentials and all that, right?

707
00:39:35,040 --> 00:39:38,280
So there's, there's there's just
hard cost associated with that. 

708
00:39:38,520 --> 00:39:41,040
And then of course, there's just
compliance, OK, Right. 

709
00:39:41,240 --> 00:39:45,320
You can't say that I have, you 
know, Snowflake available to 

710
00:39:45,320 --> 00:39:51,720
every user through Okta, OK, in 
a controlled, gated way, OK, But

711
00:39:51,720 --> 00:39:54,080
my agents can get to Snowflake, 
right? 

712
00:39:54,280 --> 00:39:56,000
With username, password, OK, 
Right. 

713
00:39:56,160 --> 00:39:59,720
That just that doesn't withstand
board scrutiny either, OK. 

714
00:39:59,960 --> 00:40:05,600
So I think it's a combination of
dev work, OK, the the management

715
00:40:05,600 --> 00:40:08,680
of the hygiene of the 
environment, OK, Now we don't 

716
00:40:08,680 --> 00:40:10,080
manage secrets, you manage 
policy. 

717
00:40:10,600 --> 00:40:13,560
And the third one is, is we 
should do this the right way, 

718
00:40:13,640 --> 00:40:16,200
OK. 
And with agents, we're finding 

719
00:40:16,400 --> 00:40:19,880
Jeff, you'll like this, right? 
Since people sort of think of 

720
00:40:19,880 --> 00:40:24,000
agents as people, it's easy for 
them to imagine that the agents 

721
00:40:24,120 --> 00:40:27,400
should have authentication
characteristics

722
00:40:27,560 --> 00:40:30,760
like we do for people, OK? 
But then you ask yourself the 

723
00:40:30,760 --> 00:40:33,760
obvious question, OK, is I have 
MFA for people. 

724
00:40:33,760 --> 00:40:36,600
I text a 4-digit code to my
phone, right? 

725
00:40:37,000 --> 00:40:40,720
I can't do that OK, to an agent 
because even you, we didn't ask 

726
00:40:40,720 --> 00:40:45,960
that we should give your proxy 
agent proxy a a a an iPhone, OK,

727
00:40:46,000 --> 00:40:48,640
right. 
So how do you do strong auth

728
00:40:48,640 --> 00:40:51,960
right dynamic policies, 
ephemeral delivery, just in 

729
00:40:51,960 --> 00:40:55,800
time, just in time, deliver 
ephemeral credentials, OK for 

730
00:40:55,800 --> 00:40:58,360
these agents like you would for 
people, OK. 

731
00:40:59,640 --> 00:41:01,640
So what does it look like? 
Get started with this? 

732
00:41:01,680 --> 00:41:05,640
Is this you know code that I 
insert as a developer into my 

733
00:41:05,640 --> 00:41:09,000
agent? 
You know, workflow, is it some 

734
00:41:09,000 --> 00:41:11,760
sort of UI that's going out? 
And just like, tell me like how 

735
00:41:11,760 --> 00:41:15,520
I get started down this journey.
Yeah. 

736
00:41:15,520 --> 00:41:19,880
So our our system is, is a SaaS 
based policy console, OK. 

737
00:41:19,880 --> 00:41:21,920
So that's where you set access 
policies. 

738
00:41:21,920 --> 00:41:25,320
This agent with this user can 
access ServiceNow in this way,

739
00:41:25,400 --> 00:41:29,280
OK And in order to make that 
live, then you need to be able 

740
00:41:29,280 --> 00:41:32,680
to establish trust relationship 
so that ServiceNow we can issue

741
00:41:32,680 --> 00:41:35,640
credentials to ServiceNow that
would be just like you would do 

742
00:41:35,640 --> 00:41:38,280
with Okta.
And then the idea is of course 

743
00:41:38,280 --> 00:41:41,160
is that then you need to 
integrate it into the agents, 

744
00:41:41,160 --> 00:41:42,920
OK? 
And for the most part, our 

745
00:41:42,920 --> 00:41:45,120
deployments are code free, OK 
right. 

746
00:41:45,280 --> 00:41:49,080
The agent is configured to use 
Ambit, but the developer doesn't

747
00:41:49,080 --> 00:41:51,560
have to do anything, anything 
extra, OK. 

748
00:41:52,280 --> 00:41:55,680
We always recommend that people 
start small, OK, You know what 

749
00:41:55,680 --> 00:41:57,440
I'm saying? 
Never or mandate something new 

750
00:41:57,520 --> 00:42:01,160
across the whole organization 
right away, OK, Here you're 

751
00:42:01,160 --> 00:42:05,080
starting on use cases, OK, And 
that use case can either be app 

752
00:42:05,080 --> 00:42:07,480
by app, right? 
You're choosing to secure access

753
00:42:07,480 --> 00:42:09,760
to Salesforce or Snowflake,
right? 

754
00:42:09,760 --> 00:42:14,320
Or ServiceNow or it can be with
the the agent developers, right 

755
00:42:14,320 --> 00:42:17,360
who are using particular 
services and then you start 

756
00:42:17,360 --> 00:42:21,600
there and that becomes patterns 
for other people to deploy, OK. 

757
00:42:22,520 --> 00:42:25,200
I mean, we all know developers 
love to be told what to do and 

758
00:42:25,200 --> 00:42:28,360
how to do it. 
So, you know, guardrails. 

759
00:42:29,840 --> 00:42:36,200
Guardrails so so coding up auth
is hard, OK coding up auth well

760
00:42:36,200 --> 00:42:40,320
is harder, OK, right. 
And you can either, you know, 

761
00:42:40,400 --> 00:42:44,640
code it up yourself, right, or 
you can get it for free, OK, and

762
00:42:45,880 --> 00:42:48,120
you know. 
Where do you want to spend? 

763
00:42:48,840 --> 00:42:49,920
Your time. 
Building the cool app? 

764
00:42:49,920 --> 00:42:52,680
Or is it doing the things and 
solving problems that have 

765
00:42:52,680 --> 00:42:56,200
already been solved elsewhere? 
And it is actually amazing job 

766
00:42:56,200 --> 00:43:00,880
that auth is still an application
level function, OK, right. 

767
00:43:01,120 --> 00:43:03,800
It's so fundamental that it 
should just be part of the 

768
00:43:03,800 --> 00:43:06,200
platform, OK. 
And that's what Ambit tries to

769
00:43:06,200 --> 00:43:08,040
do. 
That's great. 

770
00:43:08,240 --> 00:43:12,000
So we started the conversation 
with onions and onion routing. 

771
00:43:12,760 --> 00:43:16,960
We went to Identity for Agents 
and I was looking through your 

772
00:43:16,960 --> 00:43:19,360
background as we kind of close 
out the conversation here today.

773
00:43:19,800 --> 00:43:24,000
You did work on Divx and I had 
to explain before I hit record 

774
00:43:24,280 --> 00:43:26,600
with Jim to Jim, like what Divx 
was. 

775
00:43:27,120 --> 00:43:28,760
And I think it was like late 
90s. 

776
00:43:28,760 --> 00:43:31,400
And so, you know, we've got a 
lot of, you know, folks in our 

777
00:43:31,400 --> 00:43:33,080
generation who might be familiar
with it. 

778
00:43:33,080 --> 00:43:37,360
But talk to me a little bit 
about Divx itself, what it is or

779
00:43:37,360 --> 00:43:38,800
what it was. 
I guess I'm not even sure if it 

780
00:43:38,800 --> 00:43:40,240
still exists. 
Maybe you can help me with that.

781
00:43:40,600 --> 00:43:43,640
And then talk to me about some 
of the identity components maybe

782
00:43:43,640 --> 00:43:47,080
that went into Divx, because 
that was really one of the first

783
00:43:47,680 --> 00:43:51,960
maybe Internet of Things, things
that people kind of might be 

784
00:43:51,960 --> 00:43:53,520
familiar with at that point in 
structure. 

785
00:43:54,280 --> 00:43:56,760
Yeah, So Divx was really very 
cool business. 

786
00:43:56,760 --> 00:44:00,000
OK, so we're all going to date 
ourselves here, OK? 

787
00:44:00,000 --> 00:44:02,880
Right. 
So Divx existed when Blockbuster

788
00:44:02,880 --> 00:44:05,800
existed, OK, Right. 
And how did you rent a movie? 

789
00:44:05,800 --> 00:44:07,880
It was a VHS tape.
OK, Right. 

790
00:44:08,200 --> 00:44:11,960
And you'd go to Blockbuster and 
there'd be all these movies and 

791
00:44:11,960 --> 00:44:14,640
the popular ones were gone, of 
course, right, Because they 

792
00:44:14,640 --> 00:44:16,880
weren't available. 
And then you'd pick the movie 

793
00:44:16,880 --> 00:44:20,440
that you wanted, OK. 
And then you'd bring it home and

794
00:44:20,440 --> 00:44:24,840
then you'd watch it and then 
you'd return it probably late 

795
00:44:24,920 --> 00:44:26,840
and pay a late fee. 
Okay, right. 

796
00:44:27,200 --> 00:44:30,920
And a lot of the revenue was 
from those late fees. 

797
00:44:30,960 --> 00:44:35,040
Okay, so you made two trips, 
okay, paid a rental fee and late

798
00:44:35,040 --> 00:44:38,120
fee. 
Okay, So Divx, not the Divx 

799
00:44:38,120 --> 00:44:41,960
codec. 
Okay, that was the name was sold

800
00:44:41,960 --> 00:44:46,760
to after it closed OK, but Divx 
was when DVDs were coming out 

801
00:44:46,880 --> 00:44:52,080
OK, the the founders of Divx, 
which was owned by Circuit City,

802
00:44:52,080 --> 00:44:56,120
another blast from the past OK 
right, So today they were 

803
00:44:56,120 --> 00:44:58,120
competitor to Best Buy OK, I 
feel. 

804
00:44:58,160 --> 00:45:01,160
So much white coming in into all
of our beards as we're talking 

805
00:45:01,160 --> 00:45:03,440
about. 
This if like amazing, OK, right.

806
00:45:03,800 --> 00:45:08,960
And so, so, so, so DVDs were 
coming out and, and the, the 

807
00:45:08,960 --> 00:45:12,760
founders of Divx said one, 
wouldn't it be cool if we can 

808
00:45:12,760 --> 00:45:17,320
sell you a DVD instead of for 
$25, whatever it would cost you?

809
00:45:17,560 --> 00:45:21,880
We could sell you a DVD for the 
price of a rental $3, OK. 

810
00:45:22,320 --> 00:45:26,920
And more importantly, that DVD 
could be available at a retailer

811
00:45:27,040 --> 00:45:31,640
instead of a store that knew how
to rent and process a return. 

812
00:45:31,800 --> 00:45:34,120
OK, because that was 
complicated. 

813
00:45:34,160 --> 00:45:36,360
So imagine you're at the 
checkout aisle in your grocery 

814
00:45:36,360 --> 00:45:39,640
store, in the top 20 movies are 
there, and they cost 3 bucks 

815
00:45:39,640 --> 00:45:41,800
apiece. 
And you buy it, and then you go 

816
00:45:41,800 --> 00:45:43,840
home and you watch the movie, 
OK? 

817
00:45:44,120 --> 00:45:47,000
And then you can put it on your 
shelf and watch it again and be 

818
00:45:47,000 --> 00:45:50,720
charged another $3, but you 
don't have to return it, OK? 

819
00:45:50,840 --> 00:45:52,640
No more late fees, OK? 
Right. 

820
00:45:53,000 --> 00:45:55,600
So this was really a very cool 
idea. 

821
00:45:55,600 --> 00:45:58,880
And for all of the young people 
on the call, this is before 

822
00:45:58,880 --> 00:46:01,160
Netflix had streaming, OK? 
Right. 

823
00:46:01,160 --> 00:46:06,240
You know, Netflix actually had a
DVD rental business by mail when

824
00:46:06,240 --> 00:46:09,560
they first started, right? 
So that had the same plumbing

825
00:46:09,560 --> 00:46:11,720
problem, right? 
It had to work directions. 

826
00:46:12,120 --> 00:46:14,760
So this is an identity problem. 
OK, Right. 

827
00:46:14,960 --> 00:46:16,920
How do you know who the rental 
renter is? 

828
00:46:16,960 --> 00:46:19,760
How do you know what DVD player 
is playing it? 

829
00:46:19,840 --> 00:46:22,520
OK, and how do you know what 
disc you're playing? 

830
00:46:22,520 --> 00:46:26,160
OK, And that knowing which disc 
you're playing, I don't mean 

831
00:46:26,160 --> 00:46:28,560
which which movie you're 
playing, right? 

832
00:46:28,800 --> 00:46:34,000
Remember when you paid $3? 
That first play was free. 

833
00:46:34,560 --> 00:46:40,200
So how did you know that a disc 
was played only the first time 

834
00:46:40,520 --> 00:46:42,800
and the second time you would 
charge for it? 

835
00:46:43,120 --> 00:46:47,960
So what what Divx did is DVDs 
are all clones OK right there 

836
00:46:47,960 --> 00:46:51,360
stamped OK. 
But post stamping they would 

837
00:46:51,440 --> 00:46:55,320
etch a serial number into the 
DVD that could be read by the 

838
00:46:55,320 --> 00:46:58,760
machine. 
And the first time a DVD serial

839
00:46:58,760 --> 00:47:03,320
number showed up that consumed 
the purchase price, the rent, 

840
00:47:03,320 --> 00:47:07,520
the the built in rental price. 
And if you played it again a 

841
00:47:07,520 --> 00:47:11,080
month later, OK, then you would 
be charged again, OK. 

842
00:47:11,440 --> 00:47:15,160
And so this is very interesting 
because you were giving at at a 

843
00:47:15,160 --> 00:47:19,080
large scale an identity to a 
DVD, OK. 

844
00:47:19,400 --> 00:47:21,400
And it flowed through the whole 
system. 

845
00:47:21,600 --> 00:47:23,760
And there were the other 
identities that we talked about 

846
00:47:23,760 --> 00:47:25,560
in watermarking and all this 
stuff. 

847
00:47:25,960 --> 00:47:29,800
A really cool business, OK, They
had deals with all the studios, 

848
00:47:30,080 --> 00:47:33,400
almost all the studios. 
And then then they shut it down.

849
00:47:33,520 --> 00:47:36,440
And that's a story for a 
conversation over a beer. 

850
00:47:36,640 --> 00:47:40,000
OK, so. 
I think we just said Circuit 

851
00:47:40,000 --> 00:47:44,520
City for the first time ever on 
this podcast, 380 some episodes 

852
00:47:44,960 --> 00:47:47,560
and for the first time in that 
combination, in that sequence, 

853
00:47:47,560 --> 00:47:50,440
Circuit City just came up. 
So, David, that's a blast in the

854
00:47:50,440 --> 00:47:53,320
past. 
It's great, OK, And it was cool 

855
00:47:53,320 --> 00:47:56,320
to be talking and you you 
recognizing that that's like the

856
00:47:56,320 --> 00:47:57,800
coolest thing. 
OK, so. 

857
00:47:58,160 --> 00:47:59,640
I'm a nerd, what can I say? 
That's fine. 

858
00:48:00,920 --> 00:48:02,040
Jim, do you remember Divx at 
all? 

859
00:48:02,040 --> 00:48:03,560
Does any of this ring a bell for
you? 

860
00:48:03,560 --> 00:48:06,080
Like, you know, back back in the
days of your. 

861
00:48:06,400 --> 00:48:11,000
So I do remember the Divx codec.
Now one of the things I would do

862
00:48:11,000 --> 00:48:16,320
is take DVDs and you know, copy 
them to other DVDs and you 

863
00:48:16,320 --> 00:48:21,720
basically had to reverse out the
Divx codec and save this MP4 

864
00:48:21,720 --> 00:48:25,720
file, etcetera. 
So I think I just admitted to a 

865
00:48:25,720 --> 00:48:28,040
federal crime, but. 
Statute of limitations. 

866
00:48:28,040 --> 00:48:29,760
Well, nobody's going to come 
after me. 

867
00:48:29,760 --> 00:48:32,480
I think the statute of 
limitations has gone by. 

868
00:48:34,080 --> 00:48:37,760
I do remember one thing, my 
grandfather used to rent movies 

869
00:48:37,760 --> 00:48:41,160
and record them and then like 
the whole family would come over

870
00:48:41,160 --> 00:48:43,840
and he was like the Blockbuster 
video like. 

871
00:48:44,080 --> 00:48:47,000
But there was no late fee and no
rental fee. 

872
00:48:47,000 --> 00:48:51,360
He just borrowed Terminator 2 
and keep it for a week. 

873
00:48:52,840 --> 00:48:55,920
This is the good old days. 
The good old days, right? 

874
00:48:55,920 --> 00:48:59,440
And, and you're lucky you had a 
grandfather like that, OK? 

875
00:48:59,440 --> 00:49:02,800
Because he did the work to make 
it free, OK, But for most 

876
00:49:02,800 --> 00:49:06,080
people, if it was 3 bucks, OK, 
you know, it was all right, you 

877
00:49:06,080 --> 00:49:09,200
know, so. 
Well, we're just this the way 

878
00:49:09,200 --> 00:49:11,560
that the industry has evolved 
over time, right? 

879
00:49:11,560 --> 00:49:15,240
So we had, you know, Blockbuster
Video, you know, you'd go pick 

880
00:49:15,240 --> 00:49:16,720
up your video. 
For me it was pick up video 

881
00:49:16,720 --> 00:49:19,400
games, Super Nintendo, Nintendo,
whatever it may be, right? 

882
00:49:19,480 --> 00:49:21,840
Get that stuff. 
And then you had things like 

883
00:49:22,160 --> 00:49:25,920
this DVD, Divx type approach, 
Netflix when it was, you know, 

884
00:49:25,920 --> 00:49:28,400
mail order. 
And I think Red Box was around 

885
00:49:28,400 --> 00:49:29,640
for a little while at some point
as well. 

886
00:49:29,640 --> 00:49:33,000
It's kind of another idea. 
And then it became subscription 

887
00:49:33,000 --> 00:49:34,400
based. 
It was like, OK, now it's a 

888
00:49:34,400 --> 00:49:36,720
buffet because people I think 
got sick and tired of being sort

889
00:49:36,720 --> 00:49:39,400
of nickeled and dimed, right. 
So it had like the iTunes 

890
00:49:39,400 --> 00:49:42,960
stores, like, OK, $0.99 for a 
song, and then it was, you know,

891
00:49:42,960 --> 00:49:46,480
$1.99 I think, to rent a movie. 
And then people started wanting 

892
00:49:46,480 --> 00:49:49,320
to own the digital media 
themselves. 

893
00:49:49,880 --> 00:49:53,360
And now we're in this era of 
subscription, you know, hell, so

894
00:49:53,360 --> 00:49:55,520
to speak, where you've got a 
subscription for like 8 

895
00:49:55,520 --> 00:49:58,000
different services and you don't
actually own anything. 

896
00:49:58,440 --> 00:50:01,400
But you have the right to 
consume as much of this as you 

897
00:50:01,400 --> 00:50:03,560
want. 
And I consume, you know, quite a

898
00:50:03,560 --> 00:50:05,120
bit of it, just like I'm sure 
everyone else does. 

899
00:50:05,640 --> 00:50:08,960
But now we're seeing those 
subscription prices go so crazy 

900
00:50:09,400 --> 00:50:11,800
that now it's like people want 
to actually buy the thing and 

901
00:50:11,800 --> 00:50:13,480
put it on a shelf. 
So now you have things, you 

902
00:50:13,480 --> 00:50:16,960
know, people are buying DVDs 
and, you know, trying to think 

903
00:50:16,960 --> 00:50:19,720
of other ways to archive their 
media so that they don't have to

904
00:50:19,720 --> 00:50:21,240
keep paying subscriptions and 
things. 

905
00:50:21,240 --> 00:50:23,080
Like that? 
Just think about this, Jeff, in

906
00:50:23,080 --> 00:50:26,240
your 20s. 
Did you have more than or less 

907
00:50:26,240 --> 00:50:30,520
than 100 CDs?
I had more than 100 and then I 

908
00:50:30,520 --> 00:50:33,440
undertook. 
I had hundreds of CDs at one

909
00:50:33,440 --> 00:50:37,360
point I undertook that the 
challenge of digitizing them 

910
00:50:37,360 --> 00:50:39,520
all, turning them into
MP3s.

911
00:50:39,520 --> 00:50:42,840
And I think the highest codec at
that point or bit rate would 

912
00:50:42,840 --> 00:50:48,640
have been 128, maybe 192 bits. 
And now you've got things like 

913
00:50:48,640 --> 00:50:52,200
lossless and you know, 320 and 
variable bit rates. 

914
00:50:52,200 --> 00:50:57,160
And you know, I had so many DVDs
and CDs that were burnt that 

915
00:50:57,160 --> 00:51:00,840
turned into trash because the 
buffer overflow or buffer

916
00:51:00,840 --> 00:51:02,040
underrun, I can't remember which it
was. 

917
00:51:02,560 --> 00:51:04,000
It was. 
It was a real mess, man. 

918
00:51:04,720 --> 00:51:07,120
Yeah, but The funny thing is 
though, you felt like you own. 

919
00:51:07,600 --> 00:51:10,320
Right. 
You own that music in the CDs, 

920
00:51:10,320 --> 00:51:13,800
right? 
But ultimately now you have 

921
00:51:13,960 --> 00:51:17,120
Apple Music or Spotify or 
something like that. 

922
00:51:17,760 --> 00:51:19,080
And aren't you happier? 
Don't. 

923
00:51:19,160 --> 00:51:21,120
Isn't it better? 
It's like, oh, you heard this 

924
00:51:21,120 --> 00:51:25,320
new song and it's like, I want 
to hear that song 15 times 

925
00:51:25,320 --> 00:51:26,440
today. 
You can do it. 

926
00:51:27,560 --> 00:51:30,720
Well, define better. 
I think the convenience is 

927
00:51:30,720 --> 00:51:32,800
certainly there. 
I'm perfectly willing. 

928
00:51:33,320 --> 00:51:36,920
I mean I have been for years at 
this point to pay some certain 

929
00:51:36,920 --> 00:51:40,360
amount of money, typically 
somewhere between 13 and $18.00 

930
00:51:40,360 --> 00:51:42,560
a month, right, For a media 
service of some sort. 

931
00:51:43,160 --> 00:51:44,600
I feel like you get the value 
out of it. 

932
00:51:44,680 --> 00:51:49,120
I am not interested in having my
background be all these 

933
00:51:49,120 --> 00:51:51,760
different, you know, CDs and
things like that I used to have.

934
00:51:52,880 --> 00:51:54,960
But you've got people who are 
now interested in collecting 

935
00:51:54,960 --> 00:51:57,440
vinyl. 
They want to go back to that old

936
00:51:57,440 --> 00:52:00,160
school kind of fidelity of the 
audio itself. 

937
00:52:00,160 --> 00:52:02,720
And you know, there I think 
there is something a little bit,

938
00:52:02,720 --> 00:52:05,880
you know, romanticized about 
having the album right, and the 

939
00:52:05,880 --> 00:52:08,960
album cover and the artwork and 
the lyrics and all that stuff. 

940
00:52:09,240 --> 00:52:10,840
You don't get that in the 
digital world. 

941
00:52:11,320 --> 00:52:12,840
And so I can kind of see it both
ways. 

942
00:52:13,280 --> 00:52:16,000
Yeah, you're right. 
I'm going to isolate that you 

943
00:52:16,000 --> 00:52:18,120
just said I was right. 
And that's just how it went over

944
00:52:18,120 --> 00:52:21,600
and over again, right? 
All right, we're going to go 

945
00:52:21,600 --> 00:52:22,520
ahead and wrap it up for this 
week. 

946
00:52:22,520 --> 00:52:24,680
David, thank you so much for 
taking time with us. 

947
00:52:24,680 --> 00:52:27,480
I definitely want to get people 
out there to visit Ambit and 

948
00:52:27,480 --> 00:52:33,080
I'll spell it out here a E MB IT
dot IO slash IDAC. 

949
00:52:33,080 --> 00:52:34,360
We'll have a link in our show 
notes. 

950
00:52:34,840 --> 00:52:37,840
I'll put a link to your LinkedIn
profile as well for people to 

951
00:52:37,840 --> 00:52:40,640
kind of reach out there either 
to, you know, ask questions 

952
00:52:40,640 --> 00:52:43,200
about Ambit or maybe just 
reminisce about Divx or, you 

953
00:52:43,200 --> 00:52:46,560
know, whatever it may be. 
And yeah, we'll leave it there 

954
00:52:46,560 --> 00:52:48,880
for this week. 
We are on the web, IDC 

955
00:52:48,880 --> 00:52:51,320
podcast.com. 
Thank you David again for 

956
00:52:51,320 --> 00:52:54,160
sponsoring this episode. 
And yeah, do all the things 

957
00:52:54,160 --> 00:52:56,600
like, like and subscribe, share 
with all your friends and let 

958
00:52:56,600 --> 00:53:00,000
people know the gospel who I am.
So thanks everybody for watching

959
00:53:00,000 --> 00:53:02,320
and or listening and we'll talk 
with y'all in the next one. 

960
00:53:04,920 --> 00:53:07,960
You've been listening to 
Identity at the Center. 

961
00:53:08,320 --> 00:53:12,400
We hope you've enjoyed the show.
Make sure to like, rate and 

962
00:53:12,400 --> 00:53:15,560
review and we'll be back soon. 
But in the meantime. 

963
00:53:15,680 --> 00:53:18,960
Hit the website at identity at 
the center dot. 

964
00:53:18,960 --> 00:53:24,160
Com see you next time on 
identity at the center.

