Hiya folks.
It’s been a minute. Or, if we’re being honest, about sixteen of them.
The last post on this site went up in January 2025, and a lot has happened since — both in the identity and access management world, and personally. I’ve been heads-down at work, life has been life, and (let’s be honest) I’ve been telling myself I’d get back to writing “next weekend” for considerably more weekends than I’d care to admit.
But I’m here now. And I want to use this post to do two things: pause for a moment of reflection, and tell you what’s coming to this blog.
Three Eras of Identity
When I look back at the fifteen-plus years I’ve spent working in IAM, the field has gone through three pretty distinct eras. And, mostly by accident, my career has tracked all three.
Era 1: The on-prem era. When I started, identity meant directory sync, schema attributes, FIM, MIM, PowerShell, and an unhealthy intimacy with Active Directory. We argued about connector architectures and run profile orchestration. We debugged sync engines at 2am when a payroll feed failed. The work was deeply technical and often invisible — done well, no one noticed; done poorly, everyone did.
Era 2: The cloud governance era. Then identity moved to the cloud. Lifecycle, certifications, role mining, separation of duties, access reviews — the conversation shifted from “how do we sync these accounts” to “should this person have access at all, and can we prove it?” Governance became the centre of gravity. I spent the better part of the last decade in this era, designing, implementing, and advising on cloud identity governance programs across the APJ region.
Era 3: The identity-first era. And now — identity is becoming the platform itself. Modern identity-first platforms aren’t a feature on top of your stack; they’re the spine that runs through it. AI agents, machine identities, workload identities, just-in-time access, continuous verification — the surface area of “identity” has exploded, and the way organisations think about it is shifting with it. It’s a genuinely interesting moment to be in this field.
What Doesn’t Change
Through all three eras, one thing has stayed remarkably constant: the fundamentals.
The right people getting the right access at the right time, for the right reasons, with the right oversight — that’s the job. The technology underneath has changed dramatically. The principles haven’t. Lifecycle, least privilege, accountability, separation of duties, the relentless pursuit of just enough access — these were true in the AD era, they were true in the cloud governance era, and they’ll be true in whatever comes next.
That’s also the angle this blog has always taken — practical, fundamentals-first, with code samples that actually work. That’s not changing either.
A Quick Word About the Site
While we’re here: this blog also got a long-overdue refresh. New theme, faster load times, better search, a cleaner reading experience on mobile. If anything looks broken, give it a couple of days to settle — and feel free to drop a comment if something’s off.
Thanks
To everyone who’s stuck around, dropped me a note over the last year, or shared a post on LinkedIn — thank you. The IAM community is small, kind, and disproportionately generous with its knowledge, and I’ve been on the receiving end of that more times than I can count.
More soon. For real this time.
