Description

AI agents are starting to do real work inside real companies, and they often do it by acting as us. That’s exciting, and it’s also a security wake-up call. We sit down with Matthew Immler, Regional CSO, Americas at Okta, to unpack why identity security has become the primary battleground and why attackers increasingly prefer impersonation over breaking through a “front door” with zero-days.

We get concrete about what “non-human identities” actually means in plain English, and how agentic AI changes the rules. When employees connect new tools and click consent, an AI agent can gain access not just to a calendar, but to email, files, and other sensitive systems through broad OAuth scopes. From the security team’s perspective, the activity can look like normal user behavior, which creates a visibility problem at the exact moment enterprises are being pushed to adopt AI faster than their controls can mature.

We also talk solutions: treating AI agents as first-class identities with owners, managers, and access reviews; spotting non-human behavior through signals like abnormal client secret flows and extreme refresh token patterns; and why blocking AI outright can drive “shadow AI” instead of safety. Matt shares how standards work like cross-app access can shift control from end-user consent to IT policy so teams can approve tools, lock scopes down, and keep tight governance.
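As an added illustration of the detection signals mentioned above (this is example code written for these notes, not code from the episode, from Okta, or from the show): a small detector run over constructed OAuth token-endpoint log lines. The log format, the thresholds, and the reading of an “abnormal client secret flow” as a user principal that also authenticates with a client secret are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed token-endpoint log (not from any real system):
# "<ISO timestamp> <principal> <grant_type> <scope> [<scope> ...]"
SAMPLE_LOG = "\n".join(
    ["2024-05-01T09:00:00 alice@example.com authorization_code calendar.read"]
    # an agent connected to alice's account hits the refresh endpoint every 30 seconds
    + [f"2024-05-01T09:{m:02d}:{s:02d} alice@example.com refresh_token calendar.read"
       for m in range(1, 5) for s in (0, 30)]
    + ["2024-05-01T09:05:00 alice@example.com client_credentials mail.read files.read drive.write",
       "2024-05-01T09:30:00 bob@example.com authorization_code mail.read",
       "2024-05-01T10:30:00 bob@example.com refresh_token mail.read"]
)

def parse_log(text):
    """Parse log lines into dicts; the scope field may hold several scopes."""
    events = []
    for line in text.splitlines():
        ts, principal, grant, *scopes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "principal": principal,
                       "grant": grant, "scopes": set(scopes)})
    return events

def find_nonhuman_signals(events, window=timedelta(minutes=10), max_refresh=5, max_scopes=3):
    """Return {principal: [reasons]} for identities whose token flows look automated (assumed thresholds)."""
    by_principal = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_principal[e["principal"]].append(e)
    findings = defaultdict(list)
    for principal, evs in by_principal.items():
        refreshes = [e["ts"] for e in evs if e["grant"] == "refresh_token"]
        # Sliding window: a person rarely refreshes a token more than a few times in minutes.
        for i, start in enumerate(refreshes):
            if sum(1 for t in refreshes[i:] if t - start <= window) > max_refresh:
                findings[principal].append("extreme refresh-token rate")
                break
        grants = {e["grant"] for e in evs}
        # A user identity that also authenticates with a client secret: something is acting as the user.
        if "client_credentials" in grants and "authorization_code" in grants:
            findings[principal].append("client-secret flow on an interactive user identity")
        scopes = set().union(*(e["scopes"] for e in evs))
        if len(scopes) > max_scopes:
            findings[principal].append(f"broad scope footprint ({len(scopes)} scopes)")
    return dict(findings)

if __name__ == "__main__":
    for who, reasons in find_nonhuman_signals(parse_log(SAMPLE_LOG)).items():
        print(who, "->", "; ".join(reasons))
```

On the constructed log only alice's identity is flagged, on all three signals; bob's one refresh an hour after sign-in looks like a person.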

If you care about AI security, identity and access management, OAuth risk, and practical guardrails for agentic AI, this conversation will help you think clearly and act faster. Subscribe, share this with your security or IT team, and leave a review with the one control you think every AI agent should have.

More at https://linktr.ee/EvanKirstel