Identity
Human identity, agent identity, delegation, authentication, and directory controls.
Writing
All writing →
- LDAPS Channel Binding and the Long Deprecation · 6 min
Microsoft has been moving LDAP channel binding from 'available' to 'required' for nearly seven years. The enforcement timeline keeps slipping because the third-party tail is large and quiet. A short note on what the registry key actually does, how to find the appliances that will break, and what to do before the DC stops accepting them.
- The Password Replacement and Why Your Agent Needs One Too · 8 min
Passwordless authentication is finally landing across enterprise IAM programs. The same orgs are simultaneously onboarding AI agents that hold long-lived credentials and run inside the human's session. The two projects are colliding, and most identity programs aren't ready.
- RFC 8693 in Practice · 7 min
Token exchange is the cleanest pattern for delegating identity to an AI agent, and every major IdP implements it differently. Field notes from wiring it into Entra, Okta, and Auth0 — what the spec leaves to interpretation, what breaks first, and what to standardize before the second agent ships.
- The Agent Identity Front · 9 min
AI agents are the next vulnerability vector and we are not tackling it fast enough. A look at why the gap between AI adoption and AI governance is widening, what it looks like inside real orgs, and where identity programs should be aiming.
- Identity Is the Perimeter · 7 min
After more than a decade in enterprise security across the public and private sectors, I'm convinced the actual perimeter is human and machine identity. Most security programs are still spending the majority of their budget on the wall around the castle.
Labs & Projects
All projects →
- Agent Identity Lab
RFC 8693 token exchange in motion. Pick a passkey-authenticated user, an agent (with one of four attestation surfaces), scopes, a TTL — see the delegated token, the act claim, the audit-log line. Plus an 8-rule drift detector on a fixture inventory and a six-surface attestation primer.
- Identity Lab
Phishing-resistant authentication, hands-on. WebAuthn passkey demo, JWT analyzer with 8 alg-confusion / PII findings, and explainers for phishing-resistant MFA and agent / workload identity.