{"id":210874,"date":"2025-05-28T04:01:00","date_gmt":"2025-05-28T04:03:12","guid":{"rendered":"https:\/\/www.cyberark.com\/podcasts\/ep-8-zero-trust-zero-chill-securing-machine-identity\/"},"modified":"2026-04-09T16:10:43","modified_gmt":"2026-04-09T20:10:43","slug":"ep-8-zero-trust-zero-chill-securing-machine-identity","status":"publish","type":"podcast","link":"https:\/\/www.cyberark.com\/zh-hant\/podcasts\/ep-8-zero-trust-zero-chill-securing-machine-identity\/","title":{"rendered":"EP 8 &#8211; Zero Trust, Zero Chill: Securing Machine Identity"},"content":{"rendered":"<p>In this episode of Security Matters, host David Puner welcomes Kevin Bocek, CyberArk SVP of Innovation, for an insightful discussion on the critical role of machine identity in modern cybersecurity. As digital environments become increasingly complex, securing machine identities has never been more crucial.<\/p>\n<p>According to the CyberArk <a href=\"https:\/\/www.cyberark.com\/threat-landscape\/\">2025 Identity Security Landscape<\/a>, machine identities now outnumber human identities by more than 80 to 1. As organizations scale cloud workloads and automation, these identities are becoming a critical part of the cybersecurity frontline. From TLS certificate outages to API key exposures, failures in machine identity management can lead to outages, breaches, and cascading system failures. 
In this episode of Security Matters, Kevin Bocek explains why this moment is pivotal for getting machine identity right\u2014and how Zero Trust principles, automation, and visibility are essential to building cyber resilience.<\/p>\n<p>We also explore the future of identity security\u2014from AI kill switches and agentic AI to quantum threats\u2014and how identity can serve as both a safeguard and a kill switch in the age of autonomous systems.<\/p>\n<p>Whether you&#8217;re a cybersecurity professional or simply interested in the latest security trends, this episode offers valuable insights into the importance of machine identity in safeguarding our digital world. Don\u2019t forget to subscribe, leave a review, and follow Security Matters for more expert discussions on the latest in cybersecurity.<\/p>\n<div class=\"transcript\" style=\"white-space:pre-line\">David Puner:<br \/>\nYou are listening to the Security Matters podcast. I&#8217;m David Puner, a senior editorial manager at CyberArk, the global leader in identity security.<\/p>\n<p>Imagine this: you&#8217;re sitting in your office, catching up on the day. Things feel under control. Then your phone buzzes. Not a text. Not an email. It&#8217;s an alert. A certificate just expired. No big deal, right? Except that one little expired machine identity\u2014just a tiny string of code\u2014is the reason your system&#8217;s trust chain is unraveling.<\/p>\n<p>You start to panic. Your web app won&#8217;t load. Customers are receiving &#8220;site can&#8217;t be trusted&#8221; messages. Your team&#8217;s already scrambling to identify what expired, where it expired, and who&#8217;s responsible for fixing it. Meanwhile, attackers\u2014who never sleep, never blink\u2014are watching. Because when identity breaks down, opportunity opens up.<\/p>\n<p>This isn&#8217;t a hypothetical. It&#8217;s the everyday reality of modern infrastructure, where machine identities outnumber human identities by more than 80 to one. 
And the only way to stay resilient is to know what you&#8217;ve got, where it&#8217;s running, and how fast you can respond when\u2014not if\u2014something goes sideways.<\/p>\n<p>Our guest today knows that world of machine identity better than most. Kevin Bocek, SVP of Innovation at CyberArk, has spent years sounding the alarm on machine identity. Today, he joins us to discuss why machine identities are the new frontline of cybersecurity and what every security leader should be doing to prepare.<\/p>\n<p>Let&#8217;s dive in.<\/p>\n<p>David Puner:<br \/>\nKevin Bocek, senior vice president of innovation at CyberArk. Welcome to the podcast, Kevin.<\/p>\n<p>Kevin Bocek:<br \/>\nThanks so much for coming on, David. It&#8217;s cool to be here. Loving it.<\/p>\n<p>David Puner:<br \/>\nAwesome. Really excited to talk with you. We&#8217;re going to talk about all things machine identity and machine identity security, and you are the guy to talk to and with about machine identity and machine identity security. So let&#8217;s start by setting the stage. What are machine identities and how do they differ from human identities? And what does scope and scale have to do with all of it?<\/p>\n<p>Kevin Bocek:<br \/>\nYeah, so you know what? Out there on the internet, cloud, enterprise networks, there are really two actors now that matter. There are humans like us, and there are machines\u2014I mean, of all shapes, sizes, forms\u2014everything from cloud instances to Kubernetes clusters, web applications, load balancers, IoT devices, and AI.<\/p>\n<p>To us, I mean, we&#8217;re pretty boring. There are only so many customers, only so many members of the workforce that you can gather. But just since we&#8217;ve been talking, David, just think of the thousands of cloud instances that have been created at a data center not far from you or me. 
So you hit it right on the button, which is the volume, the velocity, and the variety of machine identities makes them so, so different.<\/p>\n<p>Just in a matter of milliseconds\u2014up, down\u2014machines, cloud instances, virtual machines\u2014they come and go. The variety\u2014there&#8217;s not just one type. We have TLS certificates, we&#8217;ve got API keys, access tokens, SSH certificates, we&#8217;ve got code signing certificates, SPIFFE IDs\u2014more and more types are growing. So there&#8217;s that variety. And then again, the velocity, the volume\u2014humans, we just can&#8217;t keep up.<\/p>\n<p>That gives a perfect mix of, first of all, how they&#8217;re different. And second of all, machine identities\u2014they live out with the applications, the cloud instances, the IoT devices. You don&#8217;t have one central directory or one central CyberArk identity to control all the machine identities in one place. They live out there. So all of that makes them different, unique. And we&#8217;ll get into some of the challenges. And of course, everyone here has gotten up close and personal with machine identities. You may not think you already know that, but you have. So we&#8217;ll dig into that.<\/p>\n<p>David Puner:<br \/>\nSo what would just a very common example of exposure to machine identity be?<\/p>\n<p>Kevin Bocek:<br \/>\nYeah, everyone every day sees it. And right now, if you&#8217;re watching through a web browser on your laptop, desktop, or even mobile device, it&#8217;s that padlock that glows in your web browser. Your web browser is a piece of software. It&#8217;s a machine. It&#8217;s connecting, of course, to a cloud, a web application, a load balancer. And when that padlock glows, it says, &#8220;Hey, I&#8217;m connecting to another machine. It&#8217;s presenting its identity. The identifier is its URL. 
And it&#8217;s been authenticated.&#8221;<\/p>\n<p>We know that, yeah, that machine is\u2014at least it&#8217;s coming from the same host that it says it&#8217;s coming from. And that&#8217;s where we get started with machine identities each and every day\u2014whether we&#8217;re visiting our bank, a web shop, an insurer\u2014any place we go on the web with our mobile device, laptops, desktops\u2014we get up close and personal with machine identities. And again, there are many, many more that we&#8217;ll dig into, of course, too.<\/p>\n<p>David Puner:<br \/>\nThe big headline around here from our recently released 2025 Identity Security Landscape Study is that machine identities outnumber humans by now more than 80 to one. So this is a rapidly growing number, and it doesn&#8217;t seem like it&#8217;s going to stop growing anytime soon.<\/p>\n<p>Kevin Bocek:<br \/>\nPrecisely, David. Actually, it&#8217;s 82 times the number of machine identities to human identities. Of course, that&#8217;s up from a little over 40 just a couple of years ago. And already\u2014if we were to sample that again\u2014we\u2019d probably see that number going up and up, as security teams start to get more and more visibility and awareness of some of the challenges that we&#8217;re going to dig into. Whether that&#8217;s the attacks that we&#8217;re seeing\u2014the latest Verizon Data Breach Report is out too, we&#8217;ll talk about that\u2014or the type of outages, the downtime that&#8217;s occurring from something like when a certificate expires. So all of this is causing us to have more awareness of the growth, the breadth, the scope of everywhere machine identities are being used in the business.<\/p>\n<p>David Puner:<br \/>\nSo you&#8217;ve been sounding the alarm on machine identity for years. Why is this moment right now so critical for getting it right?<\/p>\n<p>Kevin Bocek:<br \/>\nEvery organization\u2014whether business or government\u2014is heading into new territory. 
First of all, we&#8217;re headed to a point where every public TLS certificate that\u2019s representing our business or government will have to have a lifetime of 47 days or less in the coming years. Starting next year\u2014starting March 2026\u2014the march will be ongoing down to 47 days.<\/p>\n<p>Already we&#8217;re a little over a year in, and I know security teams, security ops teams, app teams\u2014they&#8217;re struggling. Struggling to keep up, struggling to stop outages. That number going down to 47 days means six times or more the number of operations on TLS certificates\u2014a machine identity\u2014that we&#8217;re going to have to perform each and every year. Six times. And there are only more and more cloud instances, more and more web apps that are representing businesses or government organizations.<\/p>\n<p>That\u2019s number one: stopping certificate outages and getting those renewals in place. That&#8217;s why this is so important. Number one.<\/p>\n<p>The second then is breaches. Recent research shows that it\u2019s taking organizations on average over 100 days to detect an attack where the adversary has taken an API key or access token. Over 100 days to detect and remediate that. That\u2019s 100 days. We&#8217;ve seen attacks\u2014government organizations, modern cloud businesses\u2014where API keys and access tokens are just kind of being hoovered up, vacuumed up by attackers.<\/p>\n<p>And those two reasons\u2014certificate outages and attackers getting the API keys and tokens\u2014make this a critical moment.<\/p>\n<p>David Puner:<br \/>\nTell me if I\u2019m getting this right or not, but TLS certificates are like digital ID cards for websites?<\/p>\n<p>Kevin Bocek:<br \/>\nYeah, machine identities of all types\u2014especially TLS certificates\u2014they\u2019re just like passports. 
I mean, they&#8217;re passports for machines.<\/p>\n<p>David Puner:<br \/>\nThey\u2019re currently valid for up to 398 days, and we\u2019re going down to 47 days by March of 2026, as you&#8217;ve mentioned. So how do you see this change impacting organizations\u2019 approach to certificate management? And what steps should security leaders take to prepare for the new standard?<\/p>\n<p>Kevin Bocek:<br \/>\nWhat we find in the average business or government organization is that you have thousands of public TLS certificates. Those are the ones that are representing you out to the world\u2014whether it&#8217;s on mobile apps, web browsers, or API clients.<\/p>\n<p>Of course, internally you&#8217;ve got even more. But those are the ones externally. And I know some of you here in the audience have definitely been involved in requesting, downloading, validating a TLS certificate. On average, that takes four or more hours per certificate. Now you do that a thousand times. Now multiply that time six times or more per year. You can just imagine\u2014there are many out there in the audience\u2014I mean, the nightmares that this brings and conjures up.<\/p>\n<p>I have to say, yes, I used to work\u2014no more\u2014but in data center ops. This is really a nightmare for teams.<\/p>\n<p>David Puner:<br \/>\nThank you for reminding us that we should get to know you a little bit here. You came over to CyberArk last year by way of the acquisition of Venafi, and you\u2019ve been in the cybersecurity world for quite some time before your time with Venafi, of course. How has your philosophical approach to cybersecurity and identity security evolved throughout the years? And how might you be considering identity security differently now than you were just a year ago?<\/p>\n<p>Kevin Bocek:<br \/>\nOne thing that I\u2019ve learned and really taken to heart is that we always have to remember: there\u2019s an adversary. And they\u2019re always there. 
They\u2019re watching, and they are looking for the opportunity to attack.<\/p>\n<p>And I think that\u2019s the thing\u2014no matter if it\u2019s a good day, bad day, sunny day, cloudy day\u2014we have to remember that they\u2019re there. And I think that is the one thing that I\u2019ve come to learn.<\/p>\n<p>Why are we here in cybersecurity? We are here to protect our businesses, our organizations. And it can be tough. Again, when we&#8217;re down, trying to get something to work right at 2 a.m., or maybe we got a call. It is tough, I know. But that is why we\u2019re here. And I think that&#8217;s what makes us so special in our roles.<\/p>\n<p>That\u2019s first. I have to say, I\u2019ve learned that. I got started loving the technology and the complexity and details. But the thing I\u2019ve learned, working with so many like you, that makes us special is\u2014yeah, we\u2019ve got the adversary always watching. And it\u2019s down to us to keep us safe.<\/p>\n<p>Second, when it comes to identity, it is the frontier. It is that first line, last line of defense. It&#8217;s that one layer of cyber which\u2014when it fails\u2014all the other layers of cybersecurity fall down.<\/p>\n<p>So often, I\u2019ve seen when an attacker\u2014say, for example, like Stuxnet, one of the most infamous cyberattacks\u2014what\u2019s maybe not known very well is why was it so violent? Because a machine identity\u2014in this case, code signing, something that authenticated the actual code\u2014was stolen from Taiwan. It was used to sign the code that then made Stuxnet so viral. That\u2019s how identity showed up as being completely authentic.<\/p>\n<p>That\u2019s the second thing: identity. And we just see that more and more every day. 
That makes our roles as identity security professionals so much more exciting and, I think, richer in terms of what we\u2019re learning and how we\u2019re keeping up with the adversaries and the new technologies.<\/p>\n<p>David Puner:<br \/>\nAm I remembering correctly that you majored in chemistry in college?<\/p>\n<p>Kevin Bocek:<br \/>\nI do. I do have a degree in chemistry from a great college\u2014William &amp; Mary in Williamsburg, Virginia. I have a specialty in analytical chemistry. So if anyone wants to know about a graphite furnace and what you can do with that, just contact me. We&#8217;ll chat it up.<\/p>\n<p>David Puner:<br \/>\nSo how is your focus now\u2014in innovation, in cybersecurity and identity security\u2014how is that an extension&#8230; I mean, it\u2019s probably a bit of a pull, but how is it an extension of your background in chemistry? And then maybe even more importantly, your path through Colonial Williamsburg. How has that helped you evolve into the modern era?<\/p>\n<p>Kevin Bocek:<br \/>\nToday, I get to have fun at CyberArk because, yes, my role and title is Innovation\u2014which is all about exploring, bringing hypotheses, new ideas, and then bringing new capabilities back to help our customers.<\/p>\n<p>So today, we&#8217;re exploring spaces like workload identity\u2014how do I authenticate something like a virtual machine to a cloud instance? Agentic AI\u2014how am I going to authenticate an agent as it talks to another agent but also make sure that we delegate correctly to human identities without doing things like impersonation?<\/p>\n<p>Going back to chemistry\u2014I loved it. Analytical chemistry was about finding, proving: was this true or not? Could we find ways, if we wanted to describe\u2014was this, say for example, this artifact taken from this location or not? Could we find a way to prove it?<\/p>\n<p>Yeah, that\u2019s why I loved analytical chemistry. 
And I still bring those days of discovery and learning through to today, when we&#8217;re working on innovation in cyber and identity security.<\/p>\n<p>I think the team knows I love being out there on the edges. You probably wouldn\u2019t want me to be your project planner or project manager\u2014that might be pretty dangerous. So, keep me working on what&#8217;s new, not keeping the lights on every day.<\/p>\n<p>David Puner:<br \/>\nSo then, from the sciences to nuance and language\u2014we often hear the term \u201cnon-human identity\u201d or NHI. Is that just a synonym or an umbrella term for machine identity, or is there a distinction between the two?<\/p>\n<p>Kevin Bocek:<br \/>\nHi\u2014benkyo shimasu. As I said in Japanese\u2014I studied Japanese in university. For those Japanese speakers, well, I probably said it very, very poorly. But language, of course, matters. Hopefully, as I just demonstrated.<\/p>\n<p>And yeah, absolutely. You know what? As we started off earlier, there are humans, and of course, there are non-human entities. There are business entities\u2014that&#8217;s a non-human entity. You might have a pet, a dog, a cat\u2014that\u2019s a non-human. Of course, machines of all shapes and sizes\u2014workloads, devices\u2014those are also non-human.<\/p>\n<p>And, well, who knows? Maybe there are extraterrestrials\u2014but again, separate topic.<\/p>\n<p>All those could be non-human. But the non-humans that matter here are the machines.<\/p>\n<p>So I think that\u2019s why I said: the actors that matter on the internet, enterprise networks, and clouds are humans and machines. Those are the ones that matter.<\/p>\n<p>And as I said, words matter. Language matters. That\u2019s where we get precision. 
If I just talk about non-human, again\u2014it could be everything from your cat to a business entity to your AWS Lambda function.<\/p>\n<p>That\u2019s why we talk in specific terms: humans\u2014things like workforce, customers, developer or IT identities\u2014and then machine identities\u2014workloads and devices. We can even go into subcategories there.<\/p>\n<p>So absolutely\u2014humans and machines. It matters. And I encourage everyone to go through that exercise themselves and understand. And too\u2014the experts have agreed with this. Gartner, Forrester\u2014the two actors that matter are humans and machines. That will help you tell the story.<\/p>\n<p>And that\u2019s the one thing too that\u2019s powerful. I will not tell a story in Japanese, I promise.<\/p>\n<p>David Puner:<br \/>\nYou&#8217;re welcome to\u2014we\u2019ve got nothing but tape here.<\/p>\n<p>Kevin Bocek:<br \/>\nThat could be dangerous. Or\u2014\u201cauf Deutsch\u201d for the German speakers\u2014that could be even worse. I lived in Karlsruhe, and my \u201cDenglish\u201d\u2014my German-English\u2014and my special Swabian dialect is even worse than my Japanese.<\/p>\n<p>But you know, it allows us to tell a story\u2014to the executive teams. Whether that be the CTO, the CIO, the auditors\u2014it allows us to explain: just like we have a human identity for the workforce that allows us to say who is good or bad, friend or foe, who belongs and who doesn\u2019t, we have things like machine identities\u2014like TLS certificates or access tokens\u2014so we know which workloads or cloud instances belong or not.<\/p>\n<p>It\u2019s really, really important\u2014especially in storytelling. I encourage everyone to practice it too.<\/p>\n<p>David Puner:<br \/>\nYeah, as do I. We know how important that is, that\u2019s for sure. So then, while still on the subject of precision\u2014how does machine identity precision strengthen Zero Trust architectures? 
And what\u2019s the risk if we get it wrong?<\/p>\n<p>Kevin Bocek:<br \/>\nWhen it comes to Zero Trust\u2014and I won\u2019t be offended because I\u2019m not there with you in the audience\u2014so as you go along, you can Google this. When we think about Zero Trust and the early architects\u2014Google\u2014they put together two position pieces. One was called BeyondCorp, and the other BeyondProd.<\/p>\n<p>So I now encourage you to Google \u201cBeyondProd\u201d\u2014all one word. That sets forth Zero Trust.<\/p>\n<p>BeyondCorp is the model we know\u2014human to machine. Many of the teams in the audience are working on how to uniquely identify the workforce or developers when they come and authenticate to applications or services. That\u2019s that human-to-machine Zero Trust model\u2014BeyondCorp.<\/p>\n<p>Now there\u2019s the next model\u2014BeyondProd. That\u2019s machine to machine. How do I uniquely identify every machine-to-machine operation?<\/p>\n<p>Just like the principles of Zero Trust, we\u2019re always authenticating. We\u2019re never just blindly trusting. And we do that with identity.<\/p>\n<p>Just like in the human-to-machine model, the machine-to-machine model must be identity-based. Every TLS certificate, every API token, every SSH key must be unique and rotated\u2014short-lived and constantly verified.<\/p>\n<p>David Puner:<br \/>\nWhat kind of context do security teams need to truly secure machine identities?<\/p>\n<p>Kevin Bocek:<br \/>\nReally important in understanding machine identities is getting, as you said David, the discovery and context right. We have to know where they live, because again, there is no one central directory, no one central repository. We have to go out across the enterprise, across different network segments, and discover them\u2014not just one type, but all of them. 
We have to get the TLS certificates, the API keys, access tokens, SSH keys, code signing certificates.<\/p>\n<p>We have to also do that out in the cloud and in and out of our CI\/CD pipelines. And once we get all that data\u2014wow\u2014that could be like a tidal wave. And if we don\u2019t have the right tools, it\u2019s just like&#8230; you might as well just have a spreadsheet.<\/p>\n<p>So we then need to get the right context, and this is something that CyberArk has really been innovating on\u2014so that we can apply not only the identities coming in, but also which machines they&#8217;re working with, what workloads are using those machine identities, and\u2014really importantly\u2014who are the teams, who are the individuals responsible for those machine identities.<\/p>\n<p>Because still, here in 2025, humans are still responsible and accountable for securing and maintaining those machine identities. So we need to have that full context. And then we can start to answer the what, where, why questions\u2014plus the who questions\u2014about machine identities.<\/p>\n<p>Why are they being used? What are they giving access to? Where are they being used? When are they being used? It\u2019s all the who, what, when, where, why questions you\u2019ve probably already been asking and solving for in the human identity world. Now that\u2019s just as important in the machine identity world\u2014whether we\u2019re getting ready to solve for that 47-day certificate lifetime, or trying to find out who owns the certificates we\u2019ve discovered. We need to know if they\u2019re on our F5 load balancers or Apache web servers or EC2 instances or NGINX boxes.<\/p>\n<p>Same thing with access tokens. Where are they being used? When? How many? Are they being duplicated? What secrets manager or vault are they stored in\u2014maybe a few?<\/p>\n<p>Getting to answer all these questions gives us real intelligence. Then we can take action. 
Not to mention, David, all this is happening at machine speed. So it\u2019s constantly changing. The idea that we just discover once and we\u2019re done? That doesn\u2019t apply. We have to be constantly monitoring and keeping up\u2014because these machines are changing everywhere.<\/p>\n<p>David Puner:<br \/>\nHow does this approach change the way CISOs should think about visibility and inventory?<\/p>\n<p>Kevin Bocek:<br \/>\nRight\u2014so it\u2019s not a one-and-done. It\u2019s not a once-a-year inventory and then we apply some policy or show the auditors. We have to be keeping up each and every day.<\/p>\n<p>A great example I love: we\u2019ve seen a number of outages in Microsoft Azure due to expired TLS certificates. The Azure team has some really good automation for performing renewals\u2014they built it themselves inside of Azure for Microsoft\u2019s internal teams. But what happens is you get a virtual machine that gets rolled back, or a system that\u2019s rolled back or updated, and then an old certificate gets put back in place\u2014or a new one doesn\u2019t get moved into production. Then what happens? You get an outage.<\/p>\n<p>Which means you have to be constantly monitoring.<\/p>\n<p>So from a CISO perspective\u2014thinking about machine identities\u2014it\u2019s a continuous discovery and context loop. And the idea of inventory is something I tend to guide against. Because it\u2019s a bit like retail: you take inventory at certain times, and it tends to give a static connotation. But this is always changing. You have to be able to discover and get context continuously.<\/p>\n<p>David Puner:<br \/>\nYou\u2019ve spoken about the importance of cyber resilience. 
How does machine identity security contribute to building a more resilient infrastructure?<\/p>\n<p>Kevin Bocek:<br \/>\nThe ability to respond to any type of incident involving machine identities is, at the core level, just about keeping the business operating.<\/p>\n<p>Think about it: if something like a TLS certificate expires\u2014which I know everyone here has experienced\u2014you go to a website and it says \u201cThis site cannot be trusted.\u201d Or, actually, I know from our research\u201445% of organizations are having a certificate outage weekly. So almost half of the audience is having a certificate outage every single week.<\/p>\n<p>So first of all, of course, you hope not to be having them. But then: how do you respond?<\/p>\n<p>Or if you&#8217;re under attack\u2014say, for example, it takes 100 days to discover and remediate an exposed access token in the cloud\u2014being able to instead rotate those secrets automatically, being able to detect them early, that\u2019s resilience.<\/p>\n<p>Cyber resilience means your systems don\u2019t collapse when something goes wrong. If one machine can\u2019t authenticate with another, entire systems can go down. It\u2019s so different from a human. If one employee can\u2019t log in, okay\u2014it\u2019s a bad day for that person. But if a machine identity expires or an API key isn\u2019t updated correctly, that can have a cascading effect on systems.<\/p>\n<p>And I think that just gets to the core of resilience.<\/p>\n<p>And one thing I\u2019d say too\u2014and we were just talking about discovery, context, and CISOs\u2014this is something I\u2019m doing each and every day. I\u2019m checking: how are we doing? Are we finding more identities? Are we remediating more? Are we automating and securing more?<\/p>\n<p>From a resilience perspective, that gives me confidence. 
If I\u2019m discovering more and automating more\u2014whether I\u2019m rotating TLS certificates or rekeying API tokens more often\u2014I know I\u2019ve got a much better level of cyber resilience. Which, ultimately, is what the CISO is looking for.<\/p>\n<p>So that\u2019s something I\u2019d recommend to teams: the type of reporting you give to your CISO and your leadership should show that progression over time. Not just \u201cAre we doing our job?\u201d or \u201cAre we keeping it safer?\u201d\u2014but \u201cAre we delivering a higher level of resilience to the business?\u201d<\/p>\n<p>David Puner:<br \/>\nTo give a little nod to our 2025 State of Machine Identity Security Report\u2014in that report, it found that in the last year, 72% of organizations experienced at least one certificate-related outage and 50% reported security incidents and breaches related to compromised machine identities. So just piggybacking on your earlier stats there and showing a little machine identity report love\u2014folks should definitely check that out for more information.<\/p>\n<p>How can CISOs embed resilience thinking into their identity programs from the start, rather than treating it as an afterthought?<\/p>\n<p>Kevin Bocek:<br \/>\nAgain, as we talked about\u2014do we have the intelligence? Do we know and can we answer the what, where, who, how, why questions?<\/p>\n<p>I suspect that security teams can answer many of those when it comes to, say, the workforce or customer identity. So first, it\u2019s understanding.<\/p>\n<p>I have to say, if you go into your CISO and say, \u201cHey, you know what? We just found 5,000 TLS certificates or 1,500 API keys and access tokens that we didn\u2019t know about\u201d\u2014that\u2019s pretty alarming. But we see that each and every day.<\/p>\n<p>So first, having that intelligence. And second, of course: can I do something about it? 
Do we have the automation\u2014whether it\u2019s rekey, reissue, or renew?<\/p>\n<p>So you put those together\u2014the intelligence and the automation\u2014and you\u2019re having a huge, huge impact on cyber resilience.<\/p>\n<p>I think those are great principles to bring in. And of course, they\u2019re measurable. We can measure the intelligence we\u2019re gathering. We can measure the percent of automation. The mean time to take down or respond. So all things that have great measurable results.<\/p>\n<p>David Puner:<br \/>\nWhile we\u2019re on the subject of resilience, I recently heard your notion of an AI kill switch. What does that mean?<\/p>\n<p>Kevin Bocek:<br \/>\nYeah. Well, if we think about AI today\u2014whether large language models or the emergence of AI agents\u2014they\u2019re going to be doing work, performing transactions across our business. Some of them already are.<\/p>\n<p>There\u2019s no power switch. There\u2019s no network plug that you can pull. So let\u2019s just say, for example, if an AI agent starts to have a bad day or starts working outside its training\u2014what are we going to do?<\/p>\n<p>In the end, having a kill switch is something that&#8230; if you&#8217;re a manufacturer, you have a kill switch. If you go to a petrol forecourt\u2014or as we say in America, a gas station\u2014you\u2019ve got a kill switch. You can turn off the flow of fuel.<\/p>\n<p>And with AI, how do we have a kill switch?<\/p>\n<p>It\u2019s identity-based. That\u2019s how.<\/p>\n<p>David Puner:<br \/>\nOkay.<\/p>\n<p>Kevin Bocek:<br \/>\nIf we\u2019re uniquely authenticating each AI agent, then we know what AI agents are out there. We can say, \u201cYou know what? That\u2019s a good one. That\u2019s a bad one.\u201d<\/p>\n<p>It\u2019s all identity-based. 
So essentially, identity becomes the kill switch for AI.<\/p>\n<p>I think that\u2019s something important for security teams to bring forward as they look at and build architectures around AI agents.<\/p>\n<p>And it\u2019s pretty simple too. I mean, I can tell that story to a CEO, a CISO, a CTO\u2014whatever your business is, they\u2019ll get it.<\/p>\n<p>David Puner:<br \/>\nSo it is feasible?<\/p>\n<p>Kevin Bocek:<br \/>\nAbsolutely feasible. So long as we build it in now.<\/p>\n<p>One of the things I\u2019m always coaching security and identity teams on\u2014we can learn from what we experienced with RPA, with bots.<\/p>\n<p>With RPA and bots\u2014if you remember back to, say, 2015, 2016, 2017\u2014there was a rapid business-driven adoption of RPA. And I think as security professionals, identity professionals, what did we do?<\/p>\n<p>We had essentially impersonation, to quickly give some type of identity to those bots. But it was impersonation\u2014we were applying human identity to a machine.<\/p>\n<p>Some security teams were actually giving those same bots the same human identities\u2014or placing them into groups alongside other human identities.<\/p>\n<p>And we need to learn from that impersonation mistake. That\u2019s something we\u2019d love to have a do-over on.<\/p>\n<p>Now with AI agents coming along\u2014we can. We can get that right.<\/p>\n<p>We can give AI agents unique and universal identities so they can do their work. But again, applying Zero Trust principles: we\u2019re always authenticating.<\/p>\n<p>And then we\u2019ve got that kill switch. We say, \u201cYup. You know what? I\u2019m going to revoke that certificate. 
I\u2019m not going to allow that agent to authenticate anymore.\u201d<\/p>\n<p>David Puner:<br \/>\nIn one of your recent blogs, you describe agentic AI as \u201cdigital coworkers with admin rights and zero chill.\u201d So what makes them such a singular challenge for identity and access management?<\/p>\n<p>Kevin Bocek:<br \/>\nThey\u2019re machines. They\u2019re working at machine speed. It\u2019s different than a customer or a member of the workforce. Even when we see the adversary trying to do account takeovers\u2014we\u2019ve got great signals and we can usually understand.<\/p>\n<p>But machines? They operate at a different speed and scale.<\/p>\n<p>AI agents won\u2019t just be one-off. There will be many of them\u2014possibly performing the same tasks\u2014and that introduces complexity.<\/p>\n<p>Then you have variety. There will be many types of AI agents.<\/p>\n<p>That will challenge us\u2014as identity and security professionals\u2014if we don\u2019t start getting identity built in from the beginning.<\/p>\n<p>The great news is\u2014we can take the lessons we\u2019re learning from workload identity and cloud-native identity. Those lessons are about creating unique and universal identities\u2014particularly with things like SPIFFE, which is a cloud-native standard\u2014and apply them to AI agents.<\/p>\n<p>Because agents are workloads.<\/p>\n<p>And we\u2019ve got emerging protocols like MTP, which will allow us to authenticate those agents when they\u2019re doing work with each other\u2014or when they authenticate to application services or databases.<\/p>\n<p>So we\u2019ve got the lessons. And we\u2019ve got the capabilities.<\/p>\n<p>David Puner:<br \/>\nWe\u2019re talking about machine identities, obviously. And hearing you talk about it\u2014it seems so clear. 
Maybe not simple, but at least easy to wrap your head around.<\/p>\n<p>When you talk to Kevin Bocek about machine identities, is there any particular misconception regarding machine identity that you hear a lot these days?<\/p>\n<p>Kevin Bocek:<br \/>\nWell, first of all\u2014thank you, David. I\u2019m a student. I\u2019m still learning.<\/p>\n<p>The one thing I always hear after an incident\u2014like a certificate outage, or an API token being exposed in an S3 bucket\u2014is, \u201cAh yeah, that was just one incident. Not a big deal.\u201d<\/p>\n<p>But the big myth is: it\u2019s an isolated issue.<\/p>\n<p>People think there aren\u2019t that many machine identities out there\u2014or that they can just apply a script\u2014or that their cloud provider is taking care of the problem for them.<\/p>\n<p>Those are myths.<\/p>\n<p>A perfect example: cloud providers are offering more automation. But how do you know what API keys and access tokens are in all your AWS Secrets Managers? How do you know what TLS certificates are on all your EC2 instances? Even if you\u2019re using Amazon Certificate Manager, how do you know across all regions?<\/p>\n<p>How could you even help if there were an incident?<\/p>\n<p>These are the types of myths we see popping up. And it\u2019s no one\u2019s fault\u2014we\u2019re still learning about the volume, velocity, and variety of machine identities.<\/p>\n<p>Where are they being used? How are they being used? What\u2019s their lifecycle?<\/p>\n<p>We, as security and identity professionals, need to help educate CISOs, application teams, and platform teams. And bring together a cohesive identity security strategy.<\/p>\n<p>This is what Gartner has been doing\u2014helping CISOs learn what capabilities are required. Your secrets manager needs to work with your certificate manager. That needs to work with your enterprise PKI. That needs to integrate with your workload identity tooling.<\/p>\n<p>We\u2019re still learning. 
It takes experts to guide us\u2014to educate the architects, the CISOs\u2014on what to do about the problem, and how to solve it with the right architecture.<\/p>\n<p>David Puner:<br \/>\nIt\u2019s a rapidly evolving landscape and story, that\u2019s for sure. One of the things I think would be interesting to do here at the end is to look into the crystal ball a little bit with you, Kevin. As we move toward artificial general intelligence and quantum computing, what identity innovation should security leaders be prepared for?<\/p>\n<p>Kevin Bocek:<br \/>\nWhoa. Well, we didn\u2019t even get to a post-quantum world yet\u2014which is a world where quantum computers are rapidly evolving. And there is almost certainly going to be a time when they\u2019re able to break today\u2019s encryption.<\/p>\n<p>When that happens, everything we\u2019ve come to know about the digital world\u2014whether it\u2019s paying online, authenticating on a mobile device, or trusting a communication\u2014could break.<\/p>\n<p>That\u2019s the post-quantum world. And we need to be prepared for it.<\/p>\n<p>The good news is\u2014we can talk about it. We\u2019ve got capabilities. All the things we\u2019ve been talking about: discovery, intelligence, automation. We need those, and we\u2019ll need to be even better at them.<\/p>\n<p>When you think about a world that also drives more and more AGI, the speed of identity-based attacks is only going to increase. And I think, from a machine identity perspective\u2014because AI is a machine, and it\u2019s operating at machine speed\u2014that\u2019s why we\u2019ve got to get machine identity right.<\/p>\n<p>The front door won\u2019t just be phishing or spam attacks anymore. AGI brings forward full-on, cloud-native, machine-driven attacks. That\u2019s the future world.<\/p>\n<p>David Puner:<br \/>\nSounds like we\u2019ve got many sequels to this story coming up. Really appreciate you coming on the podcast, Kevin. 
I know it\u2019s getting late for you\u2014am I right in assuming it\u2019s close to bedtime over there in the UK?<\/p>\n<p>Kevin Bocek:<br \/>\nAs they used to say in the old advertisements: the city never sleeps. But yeah, I did my internship at Dell. And anyone who\u2019s spent time in Austin in July or August knows\u2014it\u2019s like being a vampire. You just can\u2019t sleep when it\u2019s over 100 degrees Fahrenheit\u2014or greater than 40 degrees Celsius.<\/p>\n<p>So I\u2019ve learned to love being up late. And our teams are all over the world\u2014Australia, Singapore\u2014and our colleagues in Palo Alto. This is fun. It\u2019s great to be here with you.<\/p>\n<p>David Puner:<br \/>\nReally appreciate you coming onto the podcast, Kevin. You bring a lot of insight into machine identity and everything else in this world, and we appreciate your time very much. Look forward to talking with you again down the road. See you next time.<\/p>\n<p>Kevin Bocek:<br \/>\nThanks, David.<\/p>\n<p>David Puner:<br \/>\nAlright, there you have it. Thanks for listening to Security Matters. If you liked this episode, please follow us wherever you do your podcast thing so you can catch new episodes as they drop. And if you feel so inclined, please leave us a review\u2014we\u2019d appreciate it very much, and so will the algorithmic winds.<\/p>\n<p>What else? Drop us a line with questions, comments. And if you\u2019re a cybersecurity professional and you have an idea for an episode, drop us a line. 
Our email address is securitymatterspodcast@cyberark.com.<\/p>\n<p>We hope to see you next time.<\/p><\/div>\n","protected":false},"featured_media":213774,"template":"","class_list":["post-210874","podcast","type-podcast","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.cyberark.com\/zh-hant\/wp-json\/wp\/v2\/podcast\/210874","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cyberark.com\/zh-hant\/wp-json\/wp\/v2\/podcast"}],"about":[{"href":"https:\/\/www.cyberark.com\/zh-hant\/wp-json\/wp\/v2\/types\/podcast"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cyberark.com\/zh-hant\/wp-json\/wp\/v2\/media\/213774"}],"wp:attachment":[{"href":"https:\/\/www.cyberark.com\/zh-hant\/wp-json\/wp\/v2\/media?parent=210874"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}