About
Jim is co-founder and Chief Executive Officer of Oleria, where he drives company…
Articles by Jim
-
If you want AI to move faster, fix identity first
If you want AI to move faster, fix identity first
Around the world today, CEOs are asking, “Why aren’t we deploying/integrating AI faster?” And one of the top answers to…
3 Comments -
IGA Is Still Broken. We Built What It Should Have Been.
IGA Is Still Broken. We Built What It Should Have Been.
Six years ago, I led an enterprise IGA deployment, and it was one of the most painful projects of my career. Six years…
7 Comments -
A New Blueprint for Identity in the Age of AI
A New Blueprint for Identity in the Age of AI
Last summer in Jackson Hole, Wyoming, something remarkable happened. A group of leading CISOs gathered in the shadow of…
11 Comments -
Our vision for the future of identity security? It’s already in motion.
Our vision for the future of identity security? It’s already in motion.
From Day 1 at Oleria, we’ve been committed to reimagining identity by building a completely new foundation — and…
7 Comments -
Midnight Blizzard, Snowflake Incidents Underscore the Need for Stronger Identity Security, MFA Coverage
Midnight Blizzard, Snowflake Incidents Underscore the Need for Stronger Identity Security, MFA Coverage
With Microsoft’s testimony on cybersecurity this week including the recent Midnight Blizzard incident, the urgency of…
2 Comments -
Metamorphosis - a job left to be done
Metamorphosis - a job left to be done
Last year, after a long career leading security efforts at some of the biggest technology companies in the world, I…
83 Comments
Activity
7K followers
-
Jim Alkove shared thisCEOs everywhere are asking the same question right now: why is AI deployment moving so slowly? Security often gets at least some of the blame. But when I dig into what's actually creating the bottleneck, one specific aspect of security plays an outsized role. It's the way we manage identity – manually – in a world that's starting to move at machine speed. AI agents can't move faster than your organization's ability to grant them access to systems and data. And today, most organizations are still provisioning access the same way they did over twenty years ago – with tickets and approvals. We have technology capable of exponential productivity gains, waiting in a human queue. The irony is that the identity problem isn't new. The same fragmentation that's made governing human and non-human identities so hard for years is the same fragmentation now standing between organizations and the AI future they're trying to build. Today, agents don't have a unified identity in any governance sense – they're a loose federation of service principals, API keys, tokens, and OAuth grants spread across platforms, with no single system that knows what they are, what they can access, or what they're doing. Without that foundation, every access decision is a judgment call. You either slow things down to be careful, or you over-provision to avoid friction. Most organizations are doing both, which is exactly why AI deployment feels simultaneously stalled and risky. Fixing this isn't about bolting on another AI-specific tool. It requires a unified identity layer – a single system of record for all identities, human, non-human, and AI agent alike – that can provision access dynamically, scope it to the task, and revoke it automatically. The organizations that get this right will move faster than everyone else. I wrote about what that actually looks like in practice. Reach out if you have an AI security project on the horizon, I’d love to share more about what we’ve built at Oleria.
-
Jim Alkove shared thisOne pattern I see consistently when talking to security and GRC leaders is that their teams spend months getting legacy identity governance tools to work, yet they still can't confidently answer the most important questions: Who has access to what, is that access appropriate, and what are they doing with it? The data is the constraint here. When identity data is fragmented across hundreds of systems, governance becomes a periodic compliance checkbox rather than continuous assurance. And no amount of effort closes that gap without fixing the foundation first. On April 7th, I'm sitting down with Laura Sawka to talk about what it actually takes to change that. Laura built and led the GRC organization at Salesforce, giving her a unique governance perspective among security leaders. She's seen what separates programs that deliver real assurance from programs that just consume time and resources. We'll get into why access reviews so often turn into rubber-stamp exercises, what auditors are actually looking for when they evaluate identity controls, and how AI and automation are starting to make continuous, context-driven governance achievable at scale. If you lead a GRC or security program and feel like your team is working harder than the results justify, this conversation is for you.
-
Jim Alkove shared thisSix years ago I led a large IGA deployment as Chief Trust Officer at Salesforce. We selected one of the leading IGA products, and we had one of the best security teams in the world, along with a slew of expert consultants. And it was still a brutal experience: 18 months of manual data analysis and stitching, endless meetings, engineering “out of the box” integrations. After all of that, coverage only extended to a critical subset of applications – the rest of the application estate took even longer, access reviews still lacked critical context for managers and role owners. The army of employees and consultants we used to keep it running cost several times what we paid for the platform itself. The worst part? Six years later, the IGA experience hasn’t really improved. I regularly talk to CISOs today who are in the same place I was back then. Years into an expensive deployment getting no or only a small fraction of the value they were promised and they promised their boards. When we started Oleria, one of our goals was to build the identity governance system we wished we had as practitioners. Today we’re launching Adaptive Identity Governance, built on our data-first, AI-native platform. Instead of layering governance onto fragmented identity and access data (scattered across hundreds of applications with different schemas and naming conventions), we did the hard, unglamorous work to bring all that data together into one platform, harmonized into one data model. That unified foundation drives outcomes that redefine the Identity Governance experience: - Identity governance that deploys in under an hour and delivers same-day value, instead of taking years of painful effort - Governance decisions informed by real activity data, not guesswork - Automation that enables continuous governance and compliance, without endless manual work or armies of consultants - Right-sized, right-now access that drives productivity and business speed - Stronger security at a dramatically lower TCO We’re solving the pain points of legacy IGA. But even more importantly, this is the governance foundation for what’s coming next. Agentic AI is multiplying the identities, permissions, and access decisions every organization needs to manage. Seeing all of that access is only half the problem. The other half is controlling it. Without unified identity data and the ability to act on it in real time without a human in the loop, there's no way to govern that environment safely at speed and scale. Governance needs to become adaptive and autonomous. That’s exactly why we built the Trustfusion platform. We built the Identity Governance system we wished we had. Now you have it too. Huge thanks to the incredible Oleria team, our investors and the customers who helped us shape this. Read more about what we built below.IGA Is Still Broken. We Built What It Should Have Been.IGA Is Still Broken. We Built What It Should Have Been.
-
Jim Alkove shared thisHad a great conversation with John Boitnott of From the Ground Up about how my career led me to co-found Oleria. I love telling this story because it explains exactly why the work we’re doing at Oleria is so personal to me. I spoke with John about the pattern that I saw across roles at Microsoft, Google, and Salesforce: identity seemed to sit at the center of nearly every security incident, most of the major sources of user friction, and a significant share of the outsized service costs I came across. This wasn’t really an “aha” moment—more like an anvil that hits you on the head, because working in large tech enterprises long enough, the patterns and the reasons behind them become pretty obvious. We started Oleria to fix all that. But there’s an even bigger set of identity challenges in front of us right now, and that was the main focus of my chat with John: The oncoming wave of agentic AI is fundamentally changing access management. Autonomous systems don't always know their next task until they generate it, which means we can no longer provision access statically in advance. John and I discussed how these non-deterministic AI agents are creating hidden risks for enterprises, and how we’re building an identity platform at Oleria that can handle the challenge of managing proliferating AI identities operating at machine speed. Thanks for having me on the show, John. You can watch the full episode here: https://lnkd.in/ek4u5CvQJim Alkove and the Quiet Revolution Behind Who Gets Access to EverythingJim Alkove and the Quiet Revolution Behind Who Gets Access to Everything
-
Jim Alkove shared thisAccess reviews were created to help us achieve least privilege — a goal we all believe in. But somewhere along the way, we lost sight of what makes them effective. Instead of driving better security outcomes, access reviews have become little more than "security theater." Most reviewers end up rubber-stamping approvals, not because they don't care, but because they're being asked to make high-impact decisions with low-quality information. They can't see how frequently access is used, whether peers have the same entitlements, or if someone's role recently changed. So they're stuck choosing between approving access they can't verify or revoking access that might be essential for productivity. And, not surprisingly, they default to approving access, because they don’t want to disrupt business operations. Why do we tolerate this status quo? Because cross-system access correlation has been nearly impossible. Identity data is fragmented across IdPs, SaaS apps, cloud platforms, on-prem systems, and HR data. All using different schemas and different languages for describing access. We built Oleria's intelligent Access Reviews to solve this. We unify access data across your entire digital estate into a single composite access graph. Then we layer on intelligent, usage-aware recommendations with the context reviewers actually need: real activity data, peer comparisons, role changes, and clear explanations for each recommendation. The result is access reviews that work for everyone. Reviewers get clarity and confidence to make fast decisions. Admins get control and automation to run campaigns efficiently. And at the end, you get auditor-ready reports automatically generated for SOX, HIPAA, or GDPR compliance. Access reviews don't have to slow teams down. They can actually help you move faster, securely. Nayantara Duttachoudhury on our team goes deeper on access reviews here: https://lnkd.in/e9BTHU2cAccess Review Automation: How Context & Automation Fix Manual Access ReviewsAccess Review Automation: How Context & Automation Fix Manual Access Reviews
-
Jim Alkove shared thisHad a great conversation with Authority Magazine about building AI systems we can actually trust. My key point: you can't scale AI safely if it operates as a black box. As an example, if we’re going to empower an AI agent to make access decisions (and we need to do this if we want IAM that keeps up with other AI agents), it needs to explain exactly why. We need to build the AI foundation right if we want to give AI agents serious responsibilities, and that starts with transparency and audibility. Check out the full conversation if you're interested in where I think AI governance needs to go. Always open to discussion. https://lnkd.in/e98Gb_7yGuardians of AI: Jim Alkove of Oleria on How AI Leaders Are Keeping AI Safe, Ethical, Responsible…Guardians of AI: Jim Alkove of Oleria on How AI Leaders Are Keeping AI Safe, Ethical, Responsible…
-
Jim Alkove shared thisBelated kudos to Microsoft for their announcement on Agent 365. A control plane for the future of agents is absolutely necessary. In our earlier medium post we also allude to the various facets of managing agents at scale – identity being the center piece of such a system. At Oleria we believe in driving a together future around AI. We can’t do it alone.Jim Alkove shared thisToday, we’re introducing Agent 365 – a new agent control plane to help every organization scale AI agents. With Agent 365, you can manage and secure agents with the same rigor you apply to people, apps, and data. This spans 5 key things: ✅ A unified registry to track every agent across your organization ✅ Access control for built-in policy enforcement from day one ✅ Visualization and insights to monitor usage, performance, and ROI ✅ Interoperability across Microsoft, open-source, and partner ecosystems ✅ Security with enterprise-grade compliance via Defender, Entra, and Purview Agent 365 provides the foundation to run and secure all your agents in a single place - whether you’re building agents in Copilot Studio and Microsoft Foundry or using ones from partners across our growing ecosystem. This is how we move from experimentation to transformation as Frontier Firms and I can’t wait to share more about this at #MSIgnite this week! You can check out the blog for all the details: https://lnkd.in/gsanjZuhMicrosoft Agent 365: The control plane for AI agents | Microsoft 365 BlogMicrosoft Agent 365: The control plane for AI agents | Microsoft 365 Blog
-
Jim Alkove shared thisCISOs: Your identity crisis is about to get exponentially worse—but it doesn't have to. CSO Online just published our CISO group's findings, shared in my recent Medium post (link in comments), on why traditional identity models will collapse under the weight of autonomous AI agents. The article does a great job defining the problem with some scary stats, but don’t miss the real takeaway: this isn't inevitable—we have a path forward. Our working group has laid out a vision for what we call an AI Trust Fabric—basically, an identity system that uses first principles of identity and access, enabling better trust, and meeting the scale demands of AI. As Carey Frey (TELUS CSO) said, "We don't want to give agents agency" when it comes to identity. We need guardrails. My Oleria leadership colleague Vijay Gajjala made another key point: we don't need to throw everything away. We can build on what we have, fixing the identity silos by creating a unified identity platform. One where observability and secure autonomous behaviors are the norm. We have a massive opportunity—but we need to move quickly. Build the AI Trust Fabric now, and identity stops being the thing that slows us down. It becomes the thing that lets us move fast, innovate freely, and actually trust the AI agents we deploy. Read the full article: https://lnkd.in/gY3c8rh4Rethinking identity for the AI era: CISOs must build trust at machine speedRethinking identity for the AI era: CISOs must build trust at machine speed
-
Jim Alkove shared thisAI is breaking our security models faster than we can patch them. That’s why I just published an open letter on Medium, co-signed by leaders from Google, NAB, TELUS, F5, and others, focused on one urgent idea: to secure AI, we must first solve identity. AI is already transforming how work gets done. Autonomous agents are making decisions, executing workflows, and collaborating across systems at machine speed. But our identity frameworks were never built for this. They can’t govern agents that act independently and non-deterministically, evolve unpredictably, and operate beyond traditional perimeters. Trying to retrofit legacy models onto this new reality is a recipe for failure. In the letter, we outline what an AI-native identity fabric looks like—and why this shift isn’t just about mitigating AI risk. It’s about unlocking AI’s full potential to accelerate innovation securely. The future belongs to organizations bold enough to build new foundations, not patch old ones. Read the full open letter on Medium. Thank you to Heather Adkins, Sandro Bucchianeri, Peter Clay, Carey Frey, Vijay Gajjala, Ramy Houssaini, Jason Lee, Michael Montoya, Manoj Nair, Oliver Newbury, Scott Roberts, Jiphun Satapathy, ·Matt Thomlinson and ☁️ Sandip Wadje for contributing.The AI Revolution: It’s Here, It’s Big, and Identity Will Unleash Its Full PowerThe AI Revolution: It’s Here, It’s Big, and Identity Will Unleash Its Full Power
-
Jim Alkove liked thisJim Alkove liked thisSierra is raising $950 million from new and existing investors, led by Tiger Global and GV, at a valuation of over $15 billion. We now have more than $1 billion to invest in becoming the global standard for companies wanting to transform their customer experiences with AI. We’ve never had such conviction in the opportunity for Sierra and our customers. Just a couple of years ago, we had four design partners. Now, Sierra is serving over 40% of the Fortune 50, and agents built on our platform are powering billions of customer interactions — everything from refinancing homes to processing insurance claims, returning orders, and helping people raise millions in fundraisers. We’re deeply grateful to our customers for helping show what’s possible. If you’re not yet using Sierra, we’d love to partner with you. https://lnkd.in/dJ6Dgr_T
-
Jim Alkove liked thisJim Alkove liked thisLegacy IGA has been broken for decades. It sits on top of fragmented identity data—SaaS sprawl, cloud complexity, non‑human identities, and now AI agents—and relies on manual work, infrequent reviews, and consultant-heavy implementations that can’t keep up with today’s scale or speed. So we built what identity governance should have been: Oleria’s Adaptive Identity Governance. It solves identity fragmentation from Day 1 with a foundation of unified identity, access, and activity data—which completely changes what governance can do. As our CEO Jim Alkove put it: “We rebuilt identity governance from the ground up, so it delivers real value today and is ready for the AI challenges of tomorrow.” Here’s what’s different: ✔️ Usage‑aware access reviews informed by real activity and context (not static entitlement lists) ✔️ Automated lifecycle governance that reduces manual effort and residual access risk ✔️ Continuous least‑privilege enforcement that adapts as your environment changes ✔️ Deploys in days, not months or years (without hefty professional services) Learn what adaptive identity governance looks like in practice: https://bit.ly/4bhsFM0
-
Jim Alkove liked thisJim Alkove liked thisCybersecurity is having a moment - but not the kind anyone should be celebrating. Between breaches, leaks, and “how did that end up public?”, the attack surfaces are expanding faster than teams can keep up. RSAC Conference felt different this year as a result: less hype, more urgency. Our Tapestry VC portfolio made a splash: Tracebit (Andy & Sam) announced their $20M Series A with FirstMark (Accel + us doubling down) — pushing deception from a niche tactic to a true first line of defense. Keycard (Ian) acquired Runebook (Peter & Matte) — making it actually feasible to deploy trusted agents with tightly scoped, short-lived credentials (finally). Maze (Harry) went full founder mode — flying a plane over SF and turning AI-driven vulnerability resolution into something people can actually do everyday. Oleria (Jim) launched Adaptive Identity Governance — because “who has access to what?” is still a question most companies can’t answer in real time. And while all of this was happening, the Axios hack was a reminder that software supply chain risk is very real — exactly where Cloudsmith is focused, with Glenn on stage across the world at #KubeCon. The pattern is pretty clear: more code, more agents, more access… more problems. Just please stop pushing your source code to public repos... We’re not investing in that fix. 🙂
Patents
-
Methods and systems for protecting media content
Issued US 8397069
Various embodiments provide methods and systems that utilize a protocol which enables media content protection by establishing a secure communication channel and, in some embodiments, a secure data channel, between a device such as a computing device running a protected content playback application, and a downstream component such as an associated driver, such as a graphics driver, of an associated display device such as a monitor, flat panel LCD, television and the like.
Other inventors -
Recommendations received
1 person has recommended Jim
Join now to viewOther similar profiles
Explore more posts
-
Daniel Young
Here’s a pattern I’m seeing more often: More sites. More assessments. More reporting expectations. Same headcount. Security teams are being asked to scale output without scaling structure. So what happens? Assessments become episodic. Reporting takes too long. Prioritization becomes subjective. And leaders spend more time translating risk than reducing it. This isn’t a capability issue. It’s an architecture issue. At some point, physical security has to operate with the same operational discipline as finance and IT. Otherwise it stays in permanent catch-up mode. For security people overseeing medium to large portfolios (20+ sites): What’s currently your biggest bottleneck volume, visibility, or validation? And why do you think this is?
1 Comment -
The Cyber Security Hub™
Download Pentera Labs Report - revealing three new critical injection points in the ingress-nginx controller, building on Wiz’s IngressNightmare CVE. These overlooked vulnerabilities could let attackers hijack traffic, spoof headers, or reach unauthorized backend services - They exist in one of the most widely used ingress controllers in Kubernetes, putting countless environments at risk. This research highlights how small misconfigurations can lead to major exposure in modern cloud-native architectures. What’s Inside: ✅ 3 new injection vulnerabilities in ingress-nginx ✅ How attackers find and exploit CVEs in open source ✅ Actionable tips to secure your Kubernetes environment https://lnkd.in/eHtX6EdP
1 Comment -
Alexandre Dulaunoy
After lengthy late-night discussions with Cédric Bonhomme on sightings and KEV formats, we produced a first draft of a generic format for Known Exploited Vulnerabilities (KEV). Initially, we considered extending GCVE BCP-05 using the CVE Record format. However, we ultimately concluded that it may be more appropriate to define a standalone format, allowing sources to publish their KEV data independently. Feel free to comment on the discourse link below. KEV Assertion Format – Draft Specification (potential BCP?) This format describes a generic KEV (Known Exploited Vulnerability) assertion format. The goal is to express who claims exploitation, when, based on what, where it was observed, and with which level of confidence, without turning KEV into full threat intelligence. A KEV assertion is usually very binary and lacking some meta-information. The format adds some information which could better capture details about the exploitation. A majority of the fields are optional except vulnerability, status and evidence.[].source which are recommended. 🔗 https://lnkd.in/eaBUFXie GCVE-EU CIRCL (Computer Incident Response Center Luxembourg) CVE Program
11 Comments -
MemeLord Robin Yong
Thanks to Ray Panta sharing below, National Institute of Standards and Technology (NIST) Special Publication is always a good reference for Cybersecurity practitioner in CyberSecurity related area. NIST SP as a whole is free, public accessible and by created by expert for everyone. What more else one can ask for such a good deal ? 😅 💻 Cyber risk means the chance of something going wrong in digital systems 🌐 – like hackers stealing data 🕵️♂️, systems going offline 🚫, or software getting hacked 🐞 🔐 It includes risks to privacy 🧾, finances 💸, business operations 🏢, and even national security 🛡️ 📘 NIST SP 800-30 is a guide 📖 from the US National Institute of Standards and Technology (NIST) 🇺🇸 that helps organisations figure out and manage their cyber risks ⚠️ 🧮 It teaches how to do risk assessments 🧠 – like identifying threats 👀, figuring out how likely they are 🎯, and what damage they could cause 💥 🧩 It's a key part of the NIST Cybersecurity Framework, used worldwide 🌍 to build safer digital systems 🏛️ NIST Special Publications are official guides 📚 that offer best practices, standards, and strategies for improving cybersecurity 👋 Robin Yong #MemeLord #LobinKor 🏆 #Favikon #CyberSecurity & #LinkedIn #Malaysia 💻 #5G, #ArtificialIntelligence, #IT, #CyberSecurity, #ForeignAffairs & #Geopolitics 🤝 https://v.gd/Robin ✨ #AI-augmented content, do fact check if in doubt ℹ️ #MemeLord not liable for the info shared.
1 Comment
Explore top content on LinkedIn
Find curated posts and insights for relevant topics all in one place.
View top content