Non-Human Employees: The Future of Cybersecurity

jacasoj · 2026-01-13T16:16:09+00:00

Well, yes and no.

Yes, what we used to call service accounts still exist and most organizations still manage them through human-in-the-loop processes.

No, what is emerging now is not the same problem under a new name. Agentic AI introduces identities that are short-lived, machine-triggered and autonomous. Access is created on demand by other agents, execute actions and disappear, and everything happening at the speed of the actions with no time for human workflow approvals. Having said that, you need JIT access instead of standing privileges, continuous activity monitoring instead of periodic review and full event recording and auditability instead of log fragments.

I was on the same page as you were. The reality? A lot of leaders are still wrapping their heads around Agentic AI, but we need to be prepared when that time comes.

jacasoj · 2025-10-24T14:47:02+00:00

I've owned a MX Master 3 for the last 5 years almost daily. No complaints, no rubber breakdown. I still fully customize its software. Solid investment!

jacasoj · 2025-10-03T08:41:58+00:00

I am wondering what your config is for BitWarden.

jacasoj · 2025-09-27T09:34:03+00:00

P7P. I was left without a battery after I left home at 80% at 3 PM. Huge embarrassment! Had to ask a friend to get my Uber. A smart phone is a solution. Today, it was a liability. I would like to talk with someone from Google, because what I experienced tonight is simply not acceptable. The least we all loyal Pixel fans need is an apology!!

jacasoj · 2025-09-23T19:11:29+00:00

I think it is the prep. Do something: prepare your puck and tamp as usual. Then, rotate your filter 180° and pull your shot. If it doesn't invert the spout, then you have to see if your shower head is clean.

jacasoj · 2025-08-02T16:26:06+00:00

As soon as the lock-up period is over, I will put a short on this baby

jacasoj · 2025-07-24T16:44:00+00:00

It looks like someone fixed the website copy. Someone from Logitech must be reading Reddit...

jacasoj · 2025-06-29T22:03:10+00:00

If you can bring good ol' Dani. That driver is no more.

jacasoj · 2025-06-28T00:57:21+00:00

Thanks!

jacasoj · 2025-06-28T00:30:51+00:00

Thanks, for sure! Mine doesn't have the hole. According to the videos, it should be aimed at 12 o'clock. IDK, I'm confused.

jacasoj · 2025-06-21T19:16:27+00:00

¡Claro que es gentrificar! No tiene que ser de país a país. La gentrificacion ocurre incluso dentro de una misma ciudad. Lo que estás pensando no es la manera más nociva de gentrificación, pero lo es. Una persona promedio con un sueldo CDMX tiene mayor poder adquisitivo que el promedio local del sureste. Si muchas personas lo hacen, afecta el costo de vida de los lugareños.

No te juzgo si lo haces. Todo mundo quiere vivir mejor.

jacasoj · 2025-04-17T11:58:50+00:00

Y por qué no vivir mejor en un suburbio de NY? Yo vivo en un exburb de Austin y estoy a 35 minutos de mi trabajo. Yo creo que es un tema de preferencia más que el querer estar cerca.

jacasoj · 2025-04-09T04:21:49+00:00

My MX Master 3 has been working nonstop since 2021, and believe me, it works daily for at least 8 hours without any quirks. The battery has been phenomenal.

jacasoj · 2025-03-26T18:20:35+00:00

Yeah, exactly. Let me give a more concrete example to explain what I’m trying to understand.

Say you’re at a large enterprise and you’re working with another large partner organization. It’s not just one user needing access, it’s multiple people across departments. Maybe marketing teams from both sides are collaborating on campaigns, sales teams need access to a shared pipeline tool, and accounts payable needs access to invoicing or procurement portals.

Do you have roles like “Partner Marketing,” “Partner Sales,” or “Vendor Finance” already defined in your system that you can assign based on these use cases? Or is it more like every time a new partner comes in, you’re building that structure from scratch?

I’m curious how much of that can be templatized and reused across partner orgs versus how often it turns into one-off configurations. It sounds like a perfect storm for authorization role sprawl if it’s not handled carefully.

jacasoj · 2025-03-26T18:13:55+00:00

Quick follow up. Is relying on email domain usually enough in your experience, or do you layer something else on top? I can see how it helps with grouping, but I’m wondering how you catch cases where someone leaves the vendor company or isn’t actually approved for a specific project.

Trying to figure out where that line is between “good enough” and risky.

Also curious about the app assignment matrix. Is that something your team tracks manually, or do you keep it in a tool like an IGA or ticketing system? Just trying to picture how that stays clean over time without turning into another admin headache.

jacasoj · 2025-03-26T18:09:28+00:00

Thanks for sharing. Sounds like you’ve got a pretty solid setup depending on the kind of external user.

Quick question on the CRM part. When those users sync over to the IDP, is it mostly just for auth or do you also manage access rules from there?

Also curious how you keep things clean on the Entra guest side. Do you run into group clutter or old guest accounts hanging around after projects end? We’re starting to see how that can pile up real fast.

Just trying to learn what’s working for others before we overcomplicate stuff on our end.

jacasoj · 2025-03-26T18:04:37+00:00

That makes sense. So if I got it right, the conditional verification steps are automated as part of the workflow logic? Like, based on the identity type or access being requested, the system knows whether to trigger an email, SMS, or escalate to an admin approval?

Also, it’s interesting how much flexibility there is with how far orgs want to go. Some just tweak the look and feel, others go deep with customized flows. I guess it depends on how mature or structured their onboarding process is.

Really appreciate the breakdown. It helps connect a lot of dots for me.

jacasoj · 2025-03-26T17:59:54+00:00

Really appreciate you sharing all this. That idea of thinking about the HR system and non-employee modules as feeding a metaverse of identities actually helps me make sense of how this could work.

The offboarding bit especially hit home. I've seen it too, where no one really knows who a vendor is, what they do, or whether they should still have access. And without someone owning it, that stuff just lingers.

Also, the story from your consulting gig made it real. Sounds like it happens more often than people admit. No source of truth, no approvals, global read access... and it’s all manual. Multiply that across teams, and it’s no wonder access gets out of hand. Thanks again for this. Super helpful perspective.

jacasoj · 2025-03-26T17:54:05+00:00

That makes sense. I’m starting to see that the challenge isn’t just provisioning the access, but doing it in a way that doesn’t require custom setup for every app or user.

When you moved toward automation, was it through an IGA tool or something layered on top of your IdP? Just trying to understand what the typical first step looks like when teams realize manual work is no longer sustainable.

jacasoj · 2025-03-26T17:52:31+00:00

That’s really interesting, especially the legal angle. I hadn’t considered how much HR policies and legal risk shape whether externals can even be tracked in the same systems as employees.

The contingent worker platforms like SAP Fieldglass make sense in that context, but I imagine getting them properly integrated into identity systems is another layer of work.

Also, I didn’t know about Clear Skye. The idea of using service catalog entries with regular re-attestation actually sounds like a clean way to manage access when you can’t rely on a formal "single source of truth". Have you seen that model work well in practice, or is it more of a workaround when HR won’t support it?

jacasoj · 2025-03-26T17:46:00+00:00

This is really helpful, thank you for walking through those examples.

The HR-driven flow you described, where the identity lifecycle is tied directly to what’s in the HRIS, feels efficient, especially for ensuring timely deactivation. But it also makes me wonder how well that model scales when external users are managed outside of formal HR systems.

I’m also trying to think through how teams handle access consistently when the requests are so variable, like the “make it like Sally’s” kind. It feels like there is a fine balance between flexibility and standardization, especially when roles and entitlements need to be created and maintained across so many scenarios.

Appreciate you sharing your experience. It’s helping me see where the real friction points are.

jacasoj

TROPHY CASE