Hiya folks.
It’s been a minute. Or, if we’re being honest, about sixteen of them.
The last post on this site went up in January 2025, and a lot has happened since — both in the identity and access management world, and personally. I’ve been heads-down at work, life has been life, and (let’s be honest) I’ve been telling myself I’d get back to writing “next weekend” for considerably more weekends than I’d care to admit.
But I’m here now. And I want to use this post to do two things: pause for a moment of reflection, and tell you what’s coming to this blog.
Three Eras of Identity
When I look back at the fifteen-plus years I’ve spent working in IAM, the field has gone through three pretty distinct eras. And, mostly by accident, my career has tracked all three.
Era 1: The on-prem era. When I started, identity meant directory sync, schema attributes, FIM, MIM, PowerShell, and an unhealthy intimacy with Active Directory. We argued about connector architectures and run profile orchestration. We debugged sync engines at 2am when a payroll feed failed. The work was deeply technical and often invisible — done well, no one noticed; done poorly, everyone did.
Era 2: The cloud governance era. Then identity moved to the cloud. Lifecycle, certifications, role mining, separation of duties, access reviews — the conversation shifted from “how do we sync these accounts” to “should this person have access at all, and can we prove it?” Governance became the centre of gravity. I spent the better part of the last decade in this era, designing, implementing, and advising on cloud identity governance programs across the APJ region.
Era 3: The identity-first era. And now — identity is becoming the platform itself. Modern identity-first platforms aren’t a feature on top of your stack; they’re the spine that runs through it. AI agents, machine identities, workload identities, just-in-time access, continuous verification — the surface area of “identity” has exploded, and the way organisations think about it is shifting with it. It’s a genuinely interesting moment to be in this field.
What Doesn’t Change
Through all three eras, one thing has stayed remarkably constant: the fundamentals.
The right people getting the right access at the right time, for the right reasons, with the right oversight — that’s the job. The technology underneath has changed dramatically. The principles haven’t. Lifecycle, least privilege, accountability, separation of duties, the relentless pursuit of just enough access — these were true in the AD era, they were true in the cloud governance era, and they’ll be true in whatever comes next.
That’s also the angle this blog has always taken — practical, fundamentals-first, with code samples that actually work. That’s not changing either.
A Quick Word About the Site
While we’re here: this blog also got a long-overdue refresh. New theme, faster load times, better search, a cleaner reading experience on mobile. If anything looks broken, give it a couple of days to settle — and feel free to drop a comment if something’s off.
What’s Coming
A few things I’m planning to write about over the coming months:
- Non-Human Identity in 2026 — what NHI actually means, why every vendor is suddenly shipping a product for it, and what to actually do about service accounts, agents, and workload identities in your environment.
- Just-in-time access — what’s changed since 2022 — the patterns that have matured, the ones that haven’t, and where the practical bar should sit today.
- Identity platform engineering — fewer “what is X” explainers, more “here’s how I’d actually do this” walkthroughs.
And probably a few PSA and ProTip posts in between, because old habits die hard.
Thanks
To everyone who’s stuck around, dropped me a note over the last year, or shared a post on LinkedIn — thank you. The IAM community is small, kind, and disproportionately generous with its knowledge, and I’ve been on the receiving end of that more times than I can count.
More soon. For real this time.