
Darran Rolls, CTO Identity Innovation Labs
With over 30 years in the identity management space, including a decade as the CTO and CISO at SailPoint, I’ve witnessed firsthand the evolution of identity security. These days I spend most of my time working with investors, thought leaders, and new market entrants as we work to bring to market new technology and new approaches to solving some of the hardest problems in and around this space that we all love so much.
Chasing innovation, new thinking, and the evolution of IAM is in my blood. There are so many interesting topics to dive into and so much happening – it’s a mind-buzz! But today, I want to dive into why identity is the center of observable security and how recent developments in Open Telemetry promise a safer and more efficient future for Identity Management.
You Can’t Manage What You Don’t See
Authentication and authorization are the core elements of identity management. They represent the beating heart of security. As we enhance our capabilities in these areas, dynamic, context-sensitive, risk-aware access has become increasingly important. However, the adage “you cannot manage what you cannot see” has never been more accurate or relevant. The fear of the “Unknown-Unknowns” looms ever present, and the holy grail of identity security has now become chasing all the things we thought we had covered, and the things we thought we understood, within the scope of control of our IAM systems.
Chasing the Unknown-Unknown

The term “unknown-unknown” was made famous in 2002, when Donald Rumsfeld, then US Secretary of Defense, used it in a speech about intelligence on Iraqi weapons of mass destruction. It’s worth noting that Rumsfeld stole this idiom from a self-awareness and communications training model called the Johari Window, which is used to help people understand how they are seen by others.
How does this apply to IAM?
To apply these thoughts to the IAM space, we’ve developed an abstract model we call the Identi-hari Window (I just had to do it :-). Our new model takes the Johari Window concept and categorizes the understanding of authentication and authorization into four quadrants.

- Known Known: The things we are confident that we understand today, typically our funded IAM agenda and the systems already under some degree of management with our current tools.
- Known Unknown: The account, privilege and entitlement inventory awaiting onboarding into those systems – things like new SaaS applications and legacy systems we have yet to cover.
- Unknown Known: Anomaly detection insights that reveal gaps within our known systems. This is typically the operating space of Identity Threat Detection & Response (ITDR) systems.
- Unknown Unknown: The most concerning area – systems, accounts, entitlements and privilege that we are NOT aware of and that are therefore completely outside of our known, controllable universe.
Obviously, the things that should trouble us most lie in the unknown-unknown quadrant – authentication and authorization processes that happen beyond our visibility, outside of our core IAM platforms, and not even visible to our ITDR layer. To tackle these systems, we as an industry need innovative approaches that provide insight into these potentially critical blind spots.
This is where advancements in observability and open telemetry give me hope for the future. Working with super-smart folks from the threat detection and remediation space, we’ve been doing some amazing research into the evolving landscape of Observability and Open Telemetry data.
Observability in Action

Observability allows us to create telemetry signals that can be retrofitted onto existing authentication and authorization processes. Open Telemetry data is the key. With the careful and ubiquitous collection and processing of telemetry data, mixed with the techniques traditionally reserved for incident response and forensic analysis, we can drive AI-based insights and intelligence that traditional IAM systems have been blind to.
Employing Open Telemetry

Open Telemetry (commonly referred to as OTel) is currently the second most popular project under the CNCF umbrella, showcasing significant support and momentum in the industry. This framework simplifies the generation of observability signals by providing comprehensive language APIs and toolkits to make implementation easier for the average organization.
Applying OTel Data to IAM Discovery & Analysis
Using technologies and techniques typically employed in incident response and forensic analysis, carefully constructed AI agents can now operate like autonomous, real-time response analysts – inspecting runtime elements such as port connections, live running code, environment variables, logs, file access, tokens, headers, and transport protocols to look for IAM indicators. By analyzing the flows and patterns of these processes in real time, these agents can deduce usage and provide critical IAM insights that light up the darkest corners of that much-feared unknown-unknown quadrant.

A crucial addition to the OTel framework is its Semantic Conventions. This is the lingua franca of signal traffic. In this important capability of the OTel model lies a unique opportunity for the IAM industry to provide some much-needed standardization. By defining an ontology for authentication and authorization context, we can greatly enhance our common understanding, paving the way for more open, sharable and effective identity security solutions – AND drive some interesting innovation to boot.
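As an added illustration (not code from this post or from Identity Innovation Labs), here is a stdlib-only Python sketch of the reconciliation step the last three sections describe: it reads constructed OTel-style spans, pulls authentication context out of attribute names that exist in today's semantic conventions (service.name, server.address, enduser.id, http.request.header.authorization) plus a hypothetical iam.auth.method attribute standing in for the IAM conventions this paragraph calls for, and places each observed service in the Identi-hari window by comparing it against the IAM inventory. The unknown-known quadrant (anomalies inside managed systems) is ITDR territory and is left out of this sketch.

```python
# Constructed sample: spans in a simplified OTLP-JSON shape, with sensitive header
# values already redacted by the collector. Attribute names are real OTel semantic
# conventions except "iam.auth.method", a hypothetical IAM convention.
SAMPLE_SPANS = [
    {"name": "POST /login", "resource": {"service.name": "hr-portal"},
     "attributes": {"server.address": "hr.example.internal", "enduser.id": "alice",
                    "iam.auth.method": "oidc"}},
    {"name": "GET /api/accounts", "resource": {"service.name": "crm"},
     "attributes": {"server.address": "crm.example.internal", "enduser.id": "bob",
                    "http.request.header.authorization": "Bearer <redacted>"}},
    {"name": "GET /healthz", "resource": {"service.name": "crm"},
     "attributes": {"server.address": "crm.example.internal"}},
    {"name": "POST /erp/session", "resource": {"service.name": "legacy-erp"},
     "attributes": {"server.address": "erp.example.internal", "enduser.id": "carol",
                    "iam.auth.method": "ldap-bind"}},
    {"name": "GET /report", "resource": {"service.name": "legacy-batch"},
     "attributes": {"server.address": "10.0.5.12",
                    "http.request.header.authorization": "Basic <redacted>"}},
]
MANAGED = {"hr-portal", "crm"}   # constructed: services under IAM management today
PENDING = {"legacy-erp"}         # constructed: inventoried but not yet onboarded

def auth_indicators(span):
    """Return the auth context a span carries, or None if it carries no auth signal."""
    attrs = span.get("attributes", {})
    user = attrs.get("enduser.id") or attrs.get("user.id")
    method = attrs.get("iam.auth.method")
    authz = attrs.get("http.request.header.authorization", "")
    scheme = authz.split(" ", 1)[0].lower() if authz else None   # "bearer", "basic", ...
    if not (user or method or scheme):
        return None
    return {"user": user, "method": method or scheme}

def classify(spans, managed, pending=frozenset()):
    """Group observed auth activity by service: known-known (managed), known-unknown
    (pending onboarding) or unknown-unknown (auth seen outside the inventory)."""
    found = {}
    for span in spans:
        ind = auth_indicators(span)
        if ind is None:
            continue          # no auth context: nothing to reconcile
        svc = span.get("resource", {}).get("service.name", "unknown")
        entry = found.setdefault(svc, {"users": set(), "methods": set(), "hosts": set()})
        if ind["user"]:
            entry["users"].add(ind["user"])
        entry["methods"].add(ind["method"])
        entry["hosts"].add(span["attributes"].get("server.address", "?"))
        entry["quadrant"] = ("known-known" if svc in managed else
                             "known-unknown" if svc in pending else "unknown-unknown")
    return found
```

Calling `classify(SAMPLE_SPANS, MANAGED, PENDING)` surfaces `legacy-batch` as unknown-unknown: Basic-auth traffic on a host that no IAM inventory knows about, which is exactly the kind of blind spot the post is chasing.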
Conclusion
Here are my condensed considerations for the future of the IAM industry:
- Authentication and Authorization Observability is emerging as a critical control for effective identity management and is a technology IAM practitioners should all take a close look at.
- We must look beyond the Known-Knowns. Relying solely on established IAM controls is insufficient for comprehensive visibility and risk mitigation.
- Semantic Conventions are cool. The development of IAM-specific semantic conventions within Open Telemetry is important for advancing our understanding of identity observability.
- Retrofitting IAM Telemetry is totally doable. We now have the potential to integrate observability into existing infrastructures seamlessly, without application modification and without disturbing the runtime application stack as we do so.
Looking at what lies ahead in identity security, I’m reminded of the incredible journey this space has been through over the last 2 or 3 decades. Each challenge we face gives us an opportunity for growth and innovation. I encourage my fellow IAM professionals to stay curious, engaged, and proactive, and together, we can shape an identity landscape that not only meets today’s demands but is also ready for what comes tomorrow.
Are you looking to ramp up your IAM strategy? Reach out to Identity Innovation Labs here.