An Interview With Brian Daugherty
Heya,
This is another in my series of interviews about the future of CIAM from experts in the space.
A Product Solutions Engineer at Google and University of Colorado CS alum, Brian brings over 20 years of expertise in identity, security, and infrastructure. He has held key leadership roles including Chief Security Officer and SRE Lead at companies like Qualcomm and Fitpay. From embedded systems at Cisco to cloud operations for startups, Brian specializes in OAuth, OpenID, and account linking. He excels at bridging the gap between complex engineering protocols and developer advocacy.
I’m excited to hear Brian’s views on CIAM, identity and more.
Dan: What problems do you see customer identity and access management (CIAM) solving for your customers?
Brian: Let me say first that my view of customers is something a bit different than the traditional definition of a paying customer. My perspective is that I primarily serve three groups:
end-users
developers
partners
I see some form of CIAM helping to reduce friction and secure hundreds of auth moments every day.
For example, you get up, read email or news, start your car, badge into a building, open your phone and computer, visit apps and sites, watch content, work, learn, and communicate with colleagues and friends. Most people adopt multiple personas, cross regulatory and jurisdictional boundaries, share identity and resources, and do so while using many different apps, platforms, and systems throughout the day.
Making this journey secure, seamless, and consensual are the primary problems I believe CIAM and auth help to solve.
Dan: What are major challenges you see with CIAM (in the industry, in implementation, etc.)?
Brian: The sheer number of different ways CIAM is used and deployed. We’ve many protocols: SAML, OpenID, OAuth, FIDO, SCIM, RADIUS, LDAP, and SIOP to name a few.
Understanding when to use one over the other, and the risks and benefits of each, is non-trivial. This makes it hard for developers, UX, and product managers to choose and to understand the implications for development cost, user journey success rates, security, access control, resource management, and so on.
Another challenge is the maintenance burden and technical debt required to update and keep auth and identity systems secure and compliant. Adopting new tech is often easier in a greenfield. The older the tech stack, the more likely it is you’ll struggle to adapt. Overcoming the resistance to stay in the status quo and update things that “just work”. Or simply, to institute change management.
As an industry, how do we help as many existing implementations throughout the world move forward and adopt newer, best practices? How can we do this in months or years rather than decades?
Dan: What excites you about the future of CIAM? Any predictions?
Brian: LLMs: with good prompts and a good model, learning and understanding CIAM, choosing solutions, and implementation have never been easier. And more dangerous. Hallucinations are exciting.
Agents: MCP, A2A, UCP, and friends. Not so much because of what agents may ultimately do on our behalf, but because of the disruption to auth that they provoke. Assumptions about identity, trust, security, and risk are being re-evaluated. Established protocols and design choices are being challenged.
For predictions... Some industries and tech stacks are going to adapt quickly to new ways of interacting with agents, others will not.
We’ll have moments exposing agentic security risks--who and what we trust will change... and protocols, tools, and products will churn to adapt to new norms.
Thanks again to Brian for sharing his views.
Cheers,
Dan