In this first episode of The Identity Heroes, we’re joined by Eve Maler, President and Founder of Venn Factory, standards pioneer, and one of the most influential voices in the identity industry.
Eve shares her unconventional path into tech—from a background in linguistics and technical editing to helping define XML and SAML, and later serving as CTO at ForgeRock. She reflects on what it means to lead, coach, and push boundaries in a field that’s constantly evolving.
With hosts Mark Callahan and Gerry Gebel, Eve explores the real challenges facing identity professionals today. From non-human identities (NHI) and agentic AI to consent, privacy, and the business case for IAM, this episode is full of thought leadership, practical insight, and sharp takes.
If you’re an IAM architect, security leader, product manager, or anyone building modern identity programs—this conversation is for you.
Disclaimer:
The views expressed in this episode are solely those of the guest and do not represent the opinions of their employer or family.
00:00 – Introduction to Identity Heroes
05:52 – Navigating Comfort Zones and Imposter Syndrome
12:00 – Trends and Innovations in Identity
18:05 – Future Trends and Challenges in Identity
25:24 – The Future of Privacy and Security
31:09 – The Role of Standards and Organizations in Identity
36:43 – Making the Business Case for Identity
44:50 – Coaching and Mentorship in Identity Management
Mark Callahan [00:00:11]:
In this episode of the Identity Heroes, we’re joined by someone who needs absolutely no introduction. Eve Mailer is here to talk about her hero’s journey and how she started out writing basically technical documentation for software and working on identity standards as a side gig all the way through to becoming the CTO of one of the largest vendors out there. Certainly there were a lot of stops along the way and a lot of learnings that she had. So we’ll hear more about those in this episode. We talk about non human identities, decentralized identity, and also the intersection of where privacy and all the things that we’re working on as practitioners intersect. And she’ll also help us understand making the business case for identity to non technical teams in your organizations. Stick around. Let’s go ahead and hear what Eve has to say in this conversation.
Mark Callahan [00:01:01]:
Hi, everyone. Welcome to our ongoing series of identity Heroes in the identity industry. I’m your host and emcee today, Mark Callahan, and I’m joined by my partner, Gerry Gebel, who’s the head of standards and product both at Strada. And I can’t say how excited we are to have our guest today, Eve Mailer from the Venn Factory. And so many other things. Eve, welcome.
Eve Maler [00:01:25]:
It is a pleasure to be here.
Mark Callahan [00:01:27]:
Awesome. Awesome. Well, as part of the series, Gerry and I are really just digging in with folks who have been in the space for quite a long time to understand the path that you took to get where you are today. I think it’s been said, and I’m not going to take any credit for this, the idea that there’s no actual college degree for identity, that’s probably going to change pretty quickly here. I don’t want to keep saying that because at some point it’s going to prove me wrong, but really just to help the audience and people who are listening in to understand what’s it take to become a leader, become an influencer, become a strategic voice in the space. And so love having you here to join us. Thank you.
Eve Maler [00:02:02]:
It is such a pleasure. And of course, Gerry and I have intersected many times over the years in various venues, doing various things together. So great to see him here.
Gerry Gebel [00:02:12]:
Yes, we sure have. And like Mark said, there’s no college degree, but there are many paths to identity and many different things you can do within the identity space. So we’d love to hear your thoughts on that today.
Mark Callahan [00:02:23]:
Absolutely. As we have this sort of structured out, just as people come to the series, kind of a feel for it, we wanted to take this sort of hero’s Arc. So there’s the path that took us to where we are and the formative events that shaped us as we got there. And I kind of, to that end, would love to lead off. I know that I don’t know else to say other than you need no introduction in this space, but not everybody knows all the titles that you’ve held in getting to where you are today. I would love to share a little bit of your hero’s arc simply by the roles that you’ve gotten to where you are today and to understand was this linear for you or anything that stood out. So I’m going to do this and maybe not in one breath, but it’s an amazing one. I’ll see what I can do here.
Mark Callahan [00:03:03]:
All right, so right as you began, there was this period where you were a principal application specialist, moved on becoming a solutions marketing manager. You were a founding member of the XML Working group. You were a founding chair in Oasis and saml. You were an XML standards architect, a technology director, a distinguished engineer for identity services, a principal analyst, a co founder and chair. You were also a cto, which is incredible. And then more advisor and board appointees than I can really count. And then where you are today, the idea of, you know, you’re president and founder of the Venn Factory. Was this a path you knew you were going to take? All those titles?
Eve Maler [00:03:42]:
There were many branches. It’s very fractal. I mean, every role was formative, but there are some things that have fallen off the bottom. Right? And where I started my first career, I think of having many careers in a way. There was something very formative for me, which was I became a technical editor. So I was editing software documentation for Digital Equipment Corporation, which I referred to as Dear Departed Deck. That was formative because I was just sort of dipped suddenly into the vat of tech. Not having really been a techie.
Eve Maler [00:04:12]:
My degree in university was linguistics and not like computational linguistics. So it was just super different. And it was just a great way to engage, to be that kind of bridge to understanding for folks who were learning about. I had to. One manual that I was editing, there was a definition of Internetworking to explain the word Internet. These were things that needed to be explained once upon a time.
Mark Callahan [00:04:37]:
They did, they did the things we.
Eve Maler [00:04:39]:
Take for granted that was really formative. And that led me to sgml, which was the precursor to xml. Not that we knew at the time, but I just started fooling around with DOC tools. So this was. It was kind of the backdoor to doing standards work. So defining the schema for SGML, which was called DTD’s. And I ended up co authoring a book which was another sort of part of the journey that I had to sort of swallow hard and decided to do it. This was in the mid-90s.
Eve Maler [00:05:09]:
The book was called Developing SGML DTD’s from Text to Model to Markup. And it was explaining how to organize the schema for your data. So that was all formative towards the world of standards and kind of standards leadership. All of those things took, I’m going to say, a little bit of courage, like a little bit of, oh my gosh, can I do this? I am having to read and it’s one of the things that I really love to support other people in doing actually is figuring out where your comfort zone is and figuring out what’s cool to you, what seems something that you’re passionate about just a few steps beyond, and then figuring out how to take a step over the line. So I did that many times, not knowing at all what I was doing. I mean, I started working on XML with the folks at W3C without my company actually knowing, like, you’re XML girl.
Mark Callahan [00:05:56]:
I mean, that’s the thing that was like, okay.
Eve Maler [00:05:59]:
They were not happy when they found out. And so there was a lesson learned. But, you know, I was like, this is going to expand the market. We’ve got this kind of static sized pie and we’ve got four or five different companies implementing sgml and all of the customers are either government agencies or large publishing houses. And that’s it. It was like manufacturing manuals. Boeing, I think, was a user. It was that kind of organization.
Eve Maler [00:06:22]:
And it was a very small market. And I was like, we need to break open this market. And I kind of disruptively help do that. So more lessons there about disruptive business models and what you do when you strategically commoditize something into a standard. Gerry, that’s what we do, right? You have to figure out what to strategically commoditize in order to allow a whole new level of building value on top and opening it up.
Gerry Gebel [00:06:45]:
Well, when you were taking these different twists and turns in your career and you said getting outside of your comfort zone, how often were you volunteering to do something new versus being pushed to do that?
Eve Maler [00:06:58]:
Honestly, it wasn’t often that I was pushed by external forces. Although when I joined Forrester, that was a really important role. Looking back, becoming a principal analyst, Gerry, you’ve been there as well other places, and I just did not know what I was doing. There either. But I was so supported. I really thought of it as an environment of intellectual curiosity and intellectual honesty. And it’s a wonderful, wonderful place to learn how to serve clients in that way by producing sort of innovative research and providing feedback to them in the form of inquiries, things like that. And then ultimately having this amazing honor of being Forge Rock’s CTO during the latter part of Forge Rock’s existence, helping it to grow and helping sort of run the innovation function.
Mark Callahan [00:07:48]:
Was there a touch of, like, imposter syndrome that happened along the way? A little bit.
Eve Maler [00:07:52]:
Oh, of course. I know very few people who don’t feel that a little bit.
Mark Callahan [00:07:56]:
There are so many people, I think, in identity who just think everybody looks like they know what they’re doing. Everyone is meant to be there, and they were just cut from the same cloth.
Eve Maler [00:08:04]:
They are paddling like hell underneath if they’re doing something important. Being completely in your comfort zone. I mean, there’s times of the day when you need that, but there’s also times of the day where you need to reach and need to be faced with that. I can’t remember, like, which brainwave it is, which frequency it is, where you’re like, in the zone and it’s like you’re focused, but you’re a little bit uncomfortable, which is the one that corresponds to flow. You need a little bit of that in your life so that you can reach and have insights. It’s not deductive, it’s inductive reasoning where you have leaps. And that, to me, is hard going. When you’re, let’s say you’re forced to go give a talk and you haven’t written the talk yet.
Eve Maler [00:08:44]:
This never happened to me.
Mark Callahan [00:08:45]:
We’re a friend. We’re a friend.
Eve Maler [00:08:46]:
We’re saying, yeah, you’re forced in those moments to make all the pieces come together. There was a writer in, one of the famous writers in New York. This is, I don’t know, many decades ago, maybe a hundred years. No, I don’t know. Dorothy Parker is who I’m thinking of. And she was one of the members of the Algonquin Roundtable. And they would sit together in this bar somewhere in New York and they would snark. And they were like, really awesome, catty people.
Eve Maler [00:09:11]:
And she had this saying which was, I hate writing. I love having written. So if you want to come up with good things, you gotta do the thing.
Gerry Gebel [00:09:20]:
I can so relate to that one, Eve. Absolutely.
Eve Maler [00:09:22]:
There are very few people in the world who can just issue forth a whole bunch of amazing content that hardly needs any editing. Like Bob Blakely is one of them.
Gerry Gebel [00:09:30]:
Yes, he does come to mind. I was thinking that as well.
Eve Maler [00:09:33]:
And I am not one of them. Sounds like Gerry, you’re not one of them either. Comes more difficult.
Gerry Gebel [00:09:38]:
One thing I wanted to ask about your career path here. For those out there that are have opportunities maybe to go to the vendor side or stay on the enterprise customer side, you’ve mostly been on the vendor side side of things, right? Except for a short stint at PayPal. What would you say to people who maybe are there on the enterprise customer side or thinking about going to the vendor side or vice versa? Do you have thoughts one way or the other? What advice you could give to people?
Eve Maler [00:10:04]:
They’re both valuable, right? And yeah, you have to go pretty far back to see other kind of buy side players that I’ve worked with. Having both experiences is valuable. And I hope people at amazing enterprises don’t take this the wrong way. Vendors live in the future. They have to sort of imagine their time horizon has to go far out with respect to technology in a pretty specific way. Enterprises with respect to that technology, which is shoring them up and giving them the ability to deliver what they do, live in the past a little bit, right? That’s when we talk about legacy. So there’s these kind of curves of when what you’re doing is applicable and there’s a tolerance or an appetite for what can be absorbed into an enterprise. So I think both perspectives are absolutely valuable.
Eve Maler [00:10:52]:
I’ve always lived five years in the future, which is why I think I’ve gravitated to tech vendors and have found a welcome there. I think that there’s a way to provide value and get satisfaction from both.
Mark Callahan [00:11:05]:
Being on the vendor side myself, oftentimes I wonder how much of what you’re doing could be an academic thing where you’re looking into that future and you’re like, wow, that’s great. And you’re telling the world that everybody needs this. And you talk with customers and they’re like, I share the vision, I love where that I want to be there as well. But this is where I am is over here. And that gap, do you think it’s growing? Do you think it’s shrinking? Are we getting closer?
Eve Maler [00:11:28]:
I do see the ability to have a higher and higher maturity faster in the enterprise. AI is helping with that, actually democratizing certain things that were more difficult to do or hard to scale. Maybe there’s always going to be a gap and I don’t know, maybe it will end up Staying the same. But I do think that there are lots of organizations that are open to, they’re working on certain problems and it might be sort of a spike for them. I’ll just give an example. I worked with an automotive OEM that saw part of their brand as including consent on the part of their customers for digital use of their data and things like that. You think about that kind of OEM play, there’s a lot of connected car IoT, a lot of data, a lot of interactions in a huge ecosystem. They’re just, they’re in a technology world and they actually have the foresight to conceive of privacy and consent in an innovative way.
Eve Maler [00:12:28]:
So for them, because of their priorities, we were able to have a pretty far reaching conversation and that’s always exciting. So at Forge Rock, I was really in charge of that two to five year time horizon. And what my team produced, it was my small but mighty awesome team. We produced as I would say, PoCs, prototypes of new things, working with customers and POVs, meaning points of view, ways to be opinionated. And I bring that into my Venn factory, work with clients now as ways to, we call it, make your vision actionable, actually. Like how do you like bring it home and how do you figure out the appetite of some organization to innovate in an area and then how do you exploit that as much as possible to get the most done?
Mark Callahan [00:13:11]:
Actually, I’m going to use the analogy and dad joke, but the Venn factory is that the intersection that we’re seeing is the POC and the POV that that vision overlay and that’s the actionable point.
Eve Maler [00:13:21]:
Honestly, I see Venn diagrams everywhere I look. So yes, in short, yes. And finding those intersections of vision and actionableness are absolutely part of. It’s hard to focus in that way and especially when it comes to identity centered pursuits, because there’s so much to it. There’s the security aspect and the privacy aspect and the experience aspect and the fraud aspect and all those things. So finding what’s absolutely the most valuable thing at this moment to do or to talk about if you are a vendor.
Mark Callahan [00:13:52]:
If we were all heroes and we had that perfect vision, we’d never be blindsided by anything but what a wonderful thing that would be. But that’s not the case and instead we’re heroes in the way of how do we flex and how do we bend when things happen. And to that end, every good story needs a good pivot or a plot twist. And I’m curious as you look to the year behind us, what didn’t we see coming that happened that shaped the face of identity in 24?
Eve Maler [00:14:18]:
I love the concept of a plot twist. Yeah. So yeah, a couple times I’ve done talks that have this notion of trends, transience, tropes and transparence. And so the plot twist is kind of like a transparent. Like we didn’t see. We were looking right through it and it hit us anyway. Right. And I feel like we go in cycles, right.
Eve Maler [00:14:37]:
Maybe two or three year cycles in the identity innovation world. And 2024 was one where I feel like we figured out a lot like late 2023. I’m going to extend the time period that you’ve suggested a little bit.
Mark Callahan [00:14:50]:
Fair. Absolutely.
Eve Maler [00:14:51]:
Actually, in 2024 itself, I would say NHI non human identity as such was kind of a plot twist. Like that acronym just kind of sprang up really fast in 2024. It’s not that we. Not that certain people weren’t kind of seeing a reflection on the glass and noticing that there was something there. I think we thought of it a little differently and maybe not with that grand vision. So that was one thing I want to almost say extending that time period a little bit agentic AI in certain senses. As to how you apply identity questions to it, I totally agree with the folks who are tapping the sign going use OAuth. Yes.
Eve Maler [00:15:31]:
But OAuth itself doesn’t actually solve one of the key problems that’s coming up with agentic AI and some other pursuits as well, which is delegation with the on behalf of semantics. So that one, I mean, I feel like I’ve been the Cassandra for 10, 15 years. I’ve been working on that area going, this is going to come and it’s either sharing credentials or it’s going to be fixing delegation properly. And I think we’re finally at the point where there’s an awareness. It’s growing. Late last year, early this year, the Dade Group Death in the Digital estate is facing a lot of those use cases and I’m a co chair in that group. One more thing, and this is maybe a bit spicy, but I think there was a realization broadly within the identity community for the first time last year that decentralized identity is in a little bit of a trough of disillusionment because there are certain environmental reasons why some of the things that it’s been advocated for. We’re going to have amazing privacy with selective sharing and ZKPs.
Eve Maler [00:16:34]:
They’re very hard to achieve. Very hard to achieve. And so I think that there’s a realization that it could be good for some things. They may not be the things that have been touted by a lot of folks for a long time and I think we’re just going to have to be okay with that until really other disruptive technology comes along to make data shielding more potent.
Gerry Gebel [00:16:55]:
Yeah, I think the saying goes something like, you know, events have overtaken the concept of zero knowledge proofs and limited data sharing because reassembling data is a lot easier than maybe was perceived a couple years ago or so. So I totally agree with that one. I really liked also the agentic AI, that’s a different aspect of AI that sort of came on all at once. So great point there. And nhi, my gosh, we’ve had service accounts like forever, but we didn’t call them non human identities. Right.
Eve Maler [00:17:28]:
And client IDs. It’s easy to throw off a lot of client IDs if you’ve got an oauth stack that you’re treating how seriously client identity was taken. I mean, yes, workload identity has become a whole sort of area that’s being built. And yes, great. I was actually one of those kind of Cassandras probably about five years ago asking how we were managing client IDs in the company I was at at the time. Are we putting these in the identity repository? Could we do that? Should we do that? Yeah, we should do that. Are we? Those are things that I think have deserved better treatment for a little while. So it’s good to take care of them better.
Gerry Gebel [00:18:04]:
Yeah. And the last point too, decentralized identity. I’m really curious to see where that group goes going forward because I’ve been an advocate for the whole, you know, the concept, you know, we called it different things in the past, but definitely been an advocate for that concept. But there are, I think you call them environmental factors. You know, the commercial interests are so much against having that independence of your own identity. I think it’s going to take quite some time for that really, really to settle out.
Eve Maler [00:18:32]:
I have some other comments. I’m going to reserve them, see if it comes up later. But yes, absolutely, if that’s.
Mark Callahan [00:18:38]:
And with the trends and tropes and as you’re thinking forward, I know that you’ve often have talked about the trends you see, but just for the benefit of folks who are listening right now, what do you see shaping the year ahead? And I don’t want to limit you just to 25, let’s think the 24 month horizon. What is shaping it going forward?
Eve Maler [00:18:56]:
This trend is a challenge to all of us. We need to accept that identity can’t succeed at privacy and consent without other ingredients. I think it’s been a little bit of a challenge for identitarians writ large to take on that mantle of we’re going to do privacy and we can do consent management and our platforms and everything without realizing that there’s another conversation about data monetization going on off stage. With respect to identity, Identity is little data. That’s big data and it has a direct line to the business model of company. So I feel like partnering with marketing and data departments is going to be a necessary ingredient. And I’ve been doing some work to understand in my VEN factory work, I’ve been doing some working with the folks who own the MarTech stack, learning about what those frameworks look like and what the business benefits and the ROI for all that looks like. And then the second thing is providing something that disrupts today’s martech and ad tech regime.
Mark Callahan [00:20:00]:
Give me an example.
Eve Maler [00:20:01]:
When I went to go talk to EIC last year and they asked me to pick a subject and I went there in the sort of usual EIC fashion and did a talk called Consent is Dead and discovered that, I mean, there were, I don’t know, hundreds of identity people in that room. And I asked how many people know what identity resolution is, which is the kind of AI inflected process of all the heuristic stuff that identifies you and tracks you around the Internet and it feeds customer data platforms. CDPs. Now, at the beginning of my identity journey, CDPs didn’t exist yet. But I’ve been learning about the history of how they grew and how they grew and grew and grew. Being able to provide value to the folks who care about that and kind of getting inside their OODA loop a little bit is what I think is necessary. And in fact, I’ve been extending my. I ultimately wrote a consent is dead paper that has some actionable advice.
Eve Maler [00:20:50]:
If you’re in an organization, you’re an identity person, what can you do to do that, to find out who all the other stakeholders are and how to know when what’s going on in the tech world or in the even the legal world, the regulatory world, is going to start to be disruptive to the current monetization regime. It’s not your obvious advice about, well, turn on 2fa and make sure your consent flows are there. Like, I had to go beyond that, and this is the way you go beyond, is to actually work on the stakeholder problem. And the appetite problem.
Gerry Gebel [00:21:22]:
You’re giving me flashbacks here, Eve, because I’m thinking back to when we started the identity practice at Merton Group. We called it Identity and Privacy. And I’m wondering now if that was a misnomer.
Eve Maler [00:21:32]:
It’s ambitious.
Gerry Gebel [00:21:33]:
Yeah. Yeah, right. But also when you were talking about the auto manufacturer and their privacy perspectives a few moments ago. Now this reminds me of the other side of the coin, which is, you know, the Talk of the $0 car. Do you remember this from a few years ago?
Eve Maler [00:21:52]:
Is this about like the subscriptions are making them more than the cost of the car?
Gerry Gebel [00:21:57]:
The data that’s being produced by a vehicle is worth so much money they could give away cars for free and just harvest the, you know, the data and make money off of that.
Eve Maler [00:22:09]:
It’s such a great name and it’s. Yeah, it’s a little horrifying to me, being a private mentalist, but there’s a TV like that. Send me a link to this TV that is a $0 TV with exactly that. It comes with a little supplementary monitor.
Mark Callahan [00:22:22]:
That shows you ads the entire time and just programs a little Clockwork Orange. I don’t, I mean, I’m sorry I went little dark there, but. Yeah, no, I, I, Yes, I see.
Eve Maler [00:22:31]:
They supply the toothpicks too, you know.
Gerry Gebel [00:22:35]:
But this goes to those commercial interests that I mentioned before, you know, that are really pushing back against us, trying to limit our data sharing and enhance our privacy. And. But your mention of going to the marketing people and talking directly to them, I mean, that’s the only way to get to break through those limitations, right, is because what we’re doing, we’re just in a rubber room by ourselves and we’re not having any impact.
Eve Maler [00:22:59]:
We’re looking for our keys under the lamppost, even though that’s not where we dropped them. I put something into my consensus dead paper. I went and looked at ID Pro’s mission statement, I think, which mentions being a vital and vibrant part of security and privacy. And I think to really live up to that, we need to be really, really honest with ourselves. And we’re at this point where it’s kind of at a breaking point. So I think in the next couple years, I don’t know where the disruption is going to come from. I’ve placed a couple of bets. Cloud Security alliance has a fully homomorphic encryption working group, which I, as a complete cryptography, know nothing have gone onto, just to sort of be vaguely helpful in their direction, because I think that’s the kind of technology that has the power to like make trade offs go away, that’s what’s needed.
Mark Callahan [00:23:42]:
You both are hitting something that’s near and dear to my heart. I actually, prior to joining Strada, I spent almost 10 years at Twitter on the enterprise data and developer platform. And the mission there as a public social media platform was making sure that tweets were being shared in the appropriate way with the intent honored, the person who shared the information. And as you think about the corpus of human thought that was created when there’s 500 million tweets a day, in hindsight, everyone was wondering, what was Elon buying? Well, he actually, as we look at AI and training of these models is it’s the largest corpus of human thought ever created. And so as we think about where is privacy and identity, where is that intersection? It’s definitely stirring things for me as well. Where is that intersection?
Eve Maler [00:24:26]:
I remember back in the day looking at Twitter versus Facebook’s models of how people could configure the sharing extent of what they did on the platform, their user generated content. I actually always liked that Twitter was, it was either all private or all public. It was very clean. And I know it’s gotten more sophisticated since. And there can be dragons because it’s hard to set expectations. That’s where you get questions about informed consent, like, is it possible to be informed? Whereas Facebook had like, well, there’s the friend circle and then there’s the friends of friends and there’s the nth order connections and nobody really knows that things are being shared further on. And those kinds of complications in sharing policy or authorization policy or permissions applied by people to their own stuff, those things are quite subtle and hard to do. Right.
Eve Maler [00:25:16]:
And maybe AI can help there. You know, we talk about personal AI agents. You know, I was talking about consent intelligence back and I don’t know, I think it was still cloud identity summit and not identiverse back then, but now maybe we can have them all the.
Mark Callahan [00:25:28]:
Decisions that were made were also situational and contextual. You know, if you said the all or nothing at the time, you meant all public. But perhaps something you’ve shared later on down the road you want, you know, revoked. How is that honored if it’s been shared elsewhere? Same with identity. You know, it’s like, how do we ensure a revocation and that sort of thing. So I think we could probably go down this path quite a bit. Sorry, but it’s fascinating to think about maybe one more trend for the next 24 months.
Eve Maler [00:25:55]:
Well, then I gotta bring up the R word relationships, which I’ve been on a hobby horse about for a long time. And it relates to that delegation point that we were talking about. Making life easier and identity more secure with knowing about relationships. And honestly, I think a lot of folks need to sort of, I don’t know, make a 90 degree turn in their thinking. Because identity is so strongly about an individual package of information about somebody in digital form, somebody, a singular entity. It might not be a person and it could be a company or whatever workload that’s a node, but the edges between nodes, now you’re into plural. It makes everything really, really different. And you know, we started to see some great examples of like how you can drive authorization policy in the enterprise through I’m going to say graph technology or equivalent or similar or whatever.
Eve Maler [00:26:52]:
But like relationships, I’ve seen people do it with Excel spreadsheets like Poor man’s graph, if they had to. If it’s not so volatile and there aren’t so many of them, hey, you know, knock yourself out. But like the important thing is capturing. You can learn a lot about separation of duties, violation checking by looking at relationships. You can learn a lot about intrapersonal conflicts, thinking about relationships with oneself. And so like I’m working with a colleague on a, on a new paper about Persona driven identity where that’s it’s relationships with yourself and how in some guises it’s appropriate for you to do certain things and have certain permissions. It’s inappropriate for you to have others because you have a duty to somebody else or so all those relationships, that entire constellation comes into play. So I’m going to say that’s a second trend that is finally getting its due and I’m excited about it.
Mark Callahan [00:27:40]:
That’s great. Well, we’ve got our plot twist with the things that we didn’t see coming, the things we need to plan for for the year ahead, sort of collaboration and influence. Obviously both you and Gerry. I say, Jess, there were too many boards. There were really too many boards to list on my page. You are involved in so many efforts for this. But as we think about identity being stronger, better together, that it’s not an isolated thing, one vendor, one enterprise. What are some of the boards, what are some of the working groups, what are some of the committees, things that people need to be aware of, moving forward, thinking today, when I was thinking.
Eve Maler [00:28:15]:
About a question like this, I was thinking about, well, in order for a superhero landing on anybody’s part to be really worth it, you have to have like your peeps around you to witness the landing as you stick it. There’s a lot of great organizations and some of them are sort of centrally about identity and some of them are other. So I mean, ID Pro has to get a mention. It’s today’s generation and tomorrow’s generations of identity pros enabling them to do great work and get community support. I’ve always had a great deal of respect for Cloud Security alliance csa, which I just mentioned. Identity Defined Security alliance has been a longtime champion of zero trust. They have great resources. FIDO really has been bringing people together more and more within its kind of specialty area.
Eve Maler [00:29:00]:
There’s a lot of expertise there. And a word about standards like there’s obviously great work being done all over. And Gerry, we’re talking about like the group around decentralized identity. Honestly, there’s a lot of groups and I almost feel like maybe there’s another spicy take, I don’t know. But we’re in the third wave of identity standards. If the first wave was kind of like SAML stack, second wave was OAuth Stack ish, obviously there are lots of other piece parts in there. But like there’s being a coffee aficionado, I think in this, like first wave was Folgers and second wave was Starbucks and third wave is now like light roasts that are just crazy. So we’re in this third specialty wave where there’s so much going on.
Eve Maler [00:29:42]:
I think we need to look ourselves in the mirror and go, is it too early for some of these in the battle of protocols versus platforms that Moxie Marlinspike wrote about, when was it last year about Web3? Sometimes it’s just not appropriate or it’s too early or we need to be honest about the value of things being done in proprietary land. Because I think we’re not often served by sucking a lot of oxygen out of the room to work on many, many, many things in many, many different venues. It takes a lot of company resources to do that. Actually, one of the offerings of Venn Factory is what I call standards coaching, which is standards engagement strategy as measured against your IP strategy and your resources and the knowledge that you have and what is it you’re trying to achieve in product strategy. Like, I’m sure you’ve probably been doing this for a long time. Like coming up with those strategies are like, sometimes people just sort of throw resources and it’s probably not the best.
Mark Callahan [00:30:41]:
Way sometimes pretty dizzying for the enterprise, for the client side of things as well as they’re trying to understand which direction to go. If there’s all these proprietary things, the standards approach, it becomes really difficult for the end buyer probably to make rhyme or reason.
Eve Maler [00:30:57]:
There’s artifacts that try to help and reconsolidate. I don’t know. Mike Jones has been talking about the Cambrian explosion of OAUTH specs and there’s a reason that it’s been exploding because it’s so generative in the unanticipated reuse by others. Meaning that’s a sign that it’s good and healthy. But sometimes you need to now go and curate what people should understand from it.
Gerry Gebel [00:31:17]:
You think about the time needed to really dedicate seriously to these efforts, Eve, you know, it’s. It’s wanting to show up on working group calls or go to an event like the. The Off Security workshop in Iceland this week. You know, it’s like, great. That’s the week off, off the radar for me and I can’t be doing something else. So it takes a lot of resources to participate at a deep level. I mean, you can sort of surf the top of the water and pick up what’s going on. But even that takes a lot of time because there are so many different working groups and across IETF, W3C, OpenID foundation and so on.
Eve Maler [00:31:57]:
Decentralized Identity Foundation. I mean, Hyperledger has how many RFCs? At one point I counted up how many RFCs they had and it was like dozens. I’m like, who’s expected to read all these? Much less implement or check or. Too much doesn’t mean there isn’t valuable stuff going on. And you know, I have a dog in this hunt, I suppose I’ll say. Gerry and I are both involved in auths and I think you need to pick your investments and pick them for really good strategic reasons and understand the cost to the business. I owned our standards budgets at Forge Rock when the COVID era hit and there was an awful lot of belt tightening going on. We didn’t know what was going to come.
Eve Maler [00:32:33]:
And I was not happy about having to really curate hard. But sometimes you gotta do the necessary.
Mark Callahan [00:32:40]:
So in trying to make that pick you mentioned, ID Pro may be a good place for our audience to think, even to start, just as they’re trying to dip their toe in the water and try to find like a community sounding board and a place to just connect with all these different efforts. Might that be a place to start that?
Eve Maler [00:32:56]:
Absolutely, yeah. ID Pro is really a first stop. The body of knowledge is amazing. The Slack community is also amazing, which you have to you access that by being a member. And it’s not an onerous requirement to become a member. Thinking about other things that are supportive of people maybe entering the field. A couple books that I like a lot, Phil Windley’s Learning Digital Identity and Simon Moffatt’s Siam book is really good as well. There’s lots of books out there.
Eve Maler [00:33:23]:
I just didn’t mention those too.
Mark Callahan [00:33:24]:
Yeah, we’re actually having a chat with Simon in about a week here, so I’m sure he’ll love hearing that. Yes, it’s always a nice nod. So the cost, Gerry, you mentioned just actually you brought to mind the idea of, like, how do you decide where to invest and how do you make the case for it? Maybe if I were to turn something even just a little bit more, perhaps top of mind for some of our audience is how do we make the business case for identity? So, as you’ve been on both sides, Eve on the vendor, a little bit on the client side with PayPal, but really the research side and especially, you know, at Forge, how do we make the business case for identity and Identity investments in 2025?
Eve Maler [00:33:58]:
It definitely did come up at PayPal in my tenure there, and while I was there, I worked for Andrew Nash and yeah, we worked hard on making those cases. Designing metrics look is really hard and it’s a skill that you get better at by practicing. I’m a big fan of the book Radical focus for its OKR approach. And it has a whole lot of advice on looking for key results that are meaningful. It’s a generic place to go, but it’s, I think, a really good place to go. It’s also kind of a page turner. But I think part of the problem we face in coming up with how you sell identity and its benefits, it has so many complex stakeholders for different aspects and this has never been really, I think, solved to anybody’s satisfaction. This question of all the different stakeholders and it’s different.
Eve Maler [00:34:47]:
Oftentimes it looks different. Who’s the buyer in different organizations and whether it’s a kind of enterprise risk committee facing when it comes to the board or something else. When I hopefully I’ll see a lot of folks at EIC this year. I’m going to be talking this year about a kind of a framework for stakeholder identification in identity in a Venn diagram, of course. But like an example of how problematic it is to come up with metrics is, let’s look at speed of provisioning workforce identities and speed of deprovisioning workforce identities. Now provisioning and deprovisioning it’s two different people who like own the problem. You can’t look at how products are sold because that’s going to be one product. You got to get finer grained with it.
Eve Maler [00:35:31]:
I think one of the trends that I’m seeing actually working with a bunch of tech vendors who are facing kind of like the identity security market, sub market, whatever. Like identity security. Maybe that’s something that hit us between the eyes in 2024. People deciding what to call it and what it is. I always say it’s about the prepositions. I got this from my old colleague Andras Chair, who’s still at Forrester. He would talk about the like cloud identity. Is it identity for cloud or is it cloud for identity? Or is it.
Eve Maler [00:35:57]:
It’s about the prepositions. Right. So identity for security or security for identity. One of the things I’m seeing is that the economic buyer for these solutions is very firmly going to the ciso. And there was some confusion about that prior because if you’re looking at things that are kind of augmenting iga, there’s kind of a question. See my provisioning and deprovisioning example. So I’m seeing CISOs have to start to take on that Cheeto thing we were talking about over the last year or so, the whole chief Identity Officer function. Like maybe it’s not a new person with that title, but like it’s a function that needs to be deliberately owned.
Eve Maler [00:36:38]:
And I don’t disagree with that. Why not? Now that we have something on the scene called identity security, what I’m seeing in the market is pivoting to going hard to sell to CISOs who are getting budget and accountability. So that tells you a lot about a certain subset of metrics and personal accountability too.
Mark Callahan [00:36:58]:
I mean, if you read the news, we start seeing where personal liability for a CISO also comes into play when breaches and other things happen. That’s quite the change.
Eve Maler [00:37:08]:
And we’re actually seeing a reaction to that reality now with this. I can’t remember what it stands for, but PAC P A C. I know Val Mukherjee and Heather Hinton are involved in this kind of CISO advocacy group to protect against some of the potential excesses of that whole personal liability of a CISO challenge. Why would anybody go and get the next job as a CISO for a large organization? We’re seeing an interesting rebalancing there. Right. So just one last comment on the whole thing is I’ve seen the best successes around identity services being provided within an organization. When they’re conceived of formally as products with product management looking after them. And product management knows how to live up to and define metrics.
Gerry Gebel [00:37:52]:
Interesting. Well, I like the concept of using OKRs. We do that here internally. But I also think there’s a bit of the need to be a storyteller when you’re, you’re looking for these stakeholders and selling them the vision and the value of what you’re doing. From an identity perspective, I think there’s equal elements of that needed to really break through because it is, it is difficult to. Okay, what are these metrics, you know, these hard numbers I’m trying to come up with, but I can’t quantify some of the value, some of the benefits.
Mark Callahan [00:38:23]:
That’s it. And you gotta tie it to the top level strategic initiatives of the organization. It’s, it’s identity as a, as a value driver and not just like a, oh gosh, here comes someone from the IAM team again. Hi.
Eve Maler [00:38:35]:
Right. Problem, no solutions.
Mark Callahan [00:38:37]:
We could actually make more money. Yes. Yeah, we can make more money because of you. Which back to the hero narrative. That’s amazing. I think we’re seeing a shift there as well where the members of the identity and security teams really are the promotions and the recognition. It’s coming because they are matching those top level initiatives for the organization as well.
Eve Maler [00:38:57]:
And tell you what, when you conceive of it as a real product then and you’re looking for internal customers to choose you and not mandate, not have some mandate come down that says do this onboard these apps, do whatever. Then if they start choosing you, those make really good stories because you’re now better protected, you have better visibility. There’s all kinds of great things that happen. And they came to you.
Mark Callahan [00:39:21]:
That’s awesome. Well, I think we were listing off your titles at the beginning and even as we’ve talked with you the last little bit here, you’re an excellent storyteller. You’re a teacher, you’re an educator. I mean people want to engage and listen. How might they engage with you a little bit more if they were looking coaching? Is there something that conferences are kind of expensive these days, but are there ways that they may engage with you separately or independently?
Eve Maler [00:39:46]:
I’m very reachable, honestly, in fact, and I tell the world which conferences I’ll be at in case they’re there. They happen to be in that city. I really love meeting folks out IRL, but venfactory.com is there and it shares a little bit about what we do. Me and my one other factory worker that I have. That’s what we call ourselves. In addition to the strategic advisory, in addition to some kind of evangelism public speaking activities, I do offer, I talked about the organizational standards coaching and I do also offer personalized IAM leadership coaching. So for identity leaders and those looking for identity centered career advancement, and that’s something that I’ll just hold out there and just say, reach out to me on the site and I would love to chat.
Mark Callahan [00:40:28]:
And there may not be a college degree for identity and access management, but there might be some coaching and that’s spectacular.
Eve Maler [00:40:34]:
Totally. Nobody has to do this alone.
Gerry Gebel [00:40:36]:
And that’s world class coaching out there, folks. I mean, this is like if you’re trying to learn golf and you get a lesson with Tiger woods kind of level coaching.
Eve Maler [00:40:46]:
Oh, you’re so kind to say so. I have had coaches and I love working with coaches and oftentimes career development and executive development. It’s coming from an HR centered place. And I have been finding it nice that you can commune on the level of identity and I am stuff and what’s going on and what needs to be going on and what needs needs to be known. So that’s just something a little bit, a little bit out of the ordinary.
Gerry Gebel [00:41:12]:
Other than coaches, I mean, the mentors have been a really important part of my career path. I mean, have there been mentors also in your world, in your career arc? Yeah.
Eve Maler [00:41:22]:
Oh yeah. So many. Yes. Ian Glaser was a mentor for me in hanging out a shingle and like starting my own business. He was an amazing just friend and resource and lots and lots of others. I call it my Super Friends network and I think we can all.
Mark Callahan [00:41:37]:
That’s it. Okay. So now not Identity Heroes. It’s now the super friends of Identity. I love it.
Eve Maler [00:41:42]:
Seriously. Everybody I meet, they know something, they have deep knowledge about something. I don’t know and I may be able to help them with something they don’t know. And sometimes it’s just an ear, sometimes it’s a virtual hug or a real hug. We all need different things.
Gerry Gebel [00:41:55]:
I love that Mark, when Eve phones a friend that’s a super friend, she’s phony.
Eve Maler [00:41:59]:
They’re all super friends.
Mark Callahan [00:42:01]:
Understood? Understood. Well, if we were to phone one more friend, we always like to think about who else should we invite to the Identity Heroes video cast? Who might you recommend that we grab? You mentioned a few folks here. Who else might be able to share a story like you’ve done for us today?
Eve Maler [00:42:15]:
I think Dave Middleton would be amazing to join you. He’s such an amazing person. He’s achieved so much. He humbly does so many, many things and he’s got this product centered outlook, by the way. It’s one of the things that just really impresses me about what he can do for organizations.
Mark Callahan [00:42:32]:
So love it. Well noted. And we are going to be reaching out today. Well, Eve, thank you so much for joining Gerry and I. This was a pleasure, love hearing and we look forward to seeing you at the next event, whether it’s in the real world, virtual or otherwise. But thank you for joining us today.
Eve Maler [00:42:48]:
It was so much fun. Thanks, Gerry. Thanks, Mark.
Gerry Gebel [00:42:51]:
Yeah, thank you so much.
Mark Callahan [00:42:52]:
Y awesome. And Gerry, thank you as well. Our audience thank you. And please look forward to the next in the series. We hope to see you soon. Take care, y’all.
Use Identity Orchestration to integrate, automate, and secure identity and apps across hybrid and multi-cloud environments
Media kit 