Can We Really Have Zero Trust with a Federated Identity Architecture? With Justin Richer (MongoDB)

Most organizations say they are doing Zero Trust. Many still trust their IAM directory implicitly, protect it with a firewall, and call that a modern identity architecture. That is a perimeter by another name. In this session, Agne Caunt (Dock Labs), Richard Esplin (Dock Labs) and Justin Richer (MongoDB) work through what Zero Trust actually requires at the identity layer, why federated architectures tend to recreate the problems they were designed to solve, and what a more structurally sound approach looks like.

0:00 Introduction and guest overview

3:48 Zero Trust: origins and core principles

10:26 Why Zero Trust is still unnatural

11:45 Zero Trust in what? The foundational question

13:14 Directory synchronization: how enterprise identity fragility compounds

15:47 Verifiable credentials and the move to user wallets

18:06 Is the wallet really untrusted? Justin pushes back

20:39 Practical transition: using wallets at domain boundaries, not everywhere

22:55 VCs as a reinvention of X.509 for an online world

26:22 Tool comparison: OAuth/OIDC/SAML + SCIM vs. VCs

27:42 Shared Signals and Events (SSE): strengths and structural limits

31:51 User Managed Access (UMA): what it got right, why it stalled

34:35 GNAP: what it solves, when to use it instead of OAuth

41:00 SPIFFE/SPIRE: workload identity and short-lived credentials

46:06 SPIFFE's trust model and the "bottom turtle" question

47:24 WIMSE: bridging workload identity across trust domains

51:12 Agentic identity: the question from the audience

52:38 AI agents -- neither human nor workload, and why that matters

55:26 "On behalf of" vs. "for the benefit of" -- the liability distinction

58:55 What would a Zero Trust native architecture actually look like?

Website - https://www.dock.io/

LinkedIn - https://www.linkedin.com/company/docknetwork/