#406 - IDAC MailBag for February 2026

In this MailBag episode, Jeff Steadman and Jim McDonald tackle eight questions submitted by listeners from around the world, including Munich, Sao Paulo, Singapore, Toronto, Hanoi, London, Sydney, and Chicago. The conversation covers governing AI and non-human identities, practical first steps toward passwordless adoption, what a mature IAM program actually looks like, who should own identity within an organization, building credibility with leadership as a new IAM practitioner, enforcing least privilege in practice, rethinking access reviews beyond checkbox compliance, and how to make the business case for identity security investment before a breach occurs. The episode wraps up with some lighter listener questions about sports analogies for IAM roles and whether anyone in their personal lives actually understands what they do for a living.

Connect with us on LinkedIn:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com

TIMESTAMPS

00:00 - Introduction and RSA Conference debate

03:41 - Conference plans for 2026: EIC, Identiverse, and Authenticate

05:17 - MailBag intro and how questions get selected

06:51 - Q1 (Hans, Munich): Governing AI access vs. human access — same principles or a different approach?

12:32 - Q2 (Gabriela, Sao Paulo): Realistic first steps toward passwordless without disrupting everything

18:34 - Q3 (Wei, Singapore): What does a mature identity program actually look like?

30:26 - Q4 (Marcus, Toronto): When IT and security both claim to own identity, how do you sort it out?

39:33 - Q5 (Linh, Hanoi): Building credibility and influence as someone new to the IAM space

42:53 - Q6 (Claire, London): Enforcing least privilege in practice without slowing down the business

46:14 - Q7 (James, Sydney): Are access reviews just a checkbox exercise, and is there a better way?

49:18 - Q8 (Darnell, Chicago): Making the case to a CFO or CEO for identity security investment before a breach

52:38 - Lighter note: If IAM was a sport, what position would you play?

1:00:27 - Lighter note: Does your family actually understand what you do?

1:03:06 - Wrap-up and how to submit future questions

KEYWORDS

IDAC, Identity at the Center, Jeff Steadman, Jim McDonald, IAM, identity and access management, MailBag, non-human identity, AI governance, agentic AI, passwordless, passkeys, IAM program maturity, identity ownership, RACI, least privilege, zero standing privilege, access reviews, security theater, identity security budget, business case for IAM, ISPM, IGA, IDPro, Identiverse, EIC, Authenticate conference, RSA conference, cybersecurity podcast, identity security, identity community