MASTERCLASS SERIES
Why infrastructure identity separates resilient companies from compromised ones in 2026
What You'll Learn
AI amplifies infrastructure complexity 100x
Identity fragmentation creates infinite attack paths
CircleCI's breach: one month of manual remediation
Why resiliency drives velocity, not just risk reduction
6 minutes, 29 seconds
Featuring Teleport CEO
Read Full Transcript
The challenge of adopting AI in production is going to be the same challenge we've always faced, but maybe 100 times larger. And that challenge is complexity and scale.
Everyone knows that cloud infrastructure is more complicated than traditional infrastructure. Back in the day before cloud even existed—maybe when Facebook got started—the tech stack was much simpler. The LAMP stack: Linux, Apache, PHP, MySQL.
And look at what we have now, 20-plus years later, where an average company that builds cloud software has a tech stack that is super tall and very complicated. It causes all kinds of problems: managing identities, managing access, managing policy.
Let's say you have data—very valuable data—your crown jewel. That data probably lives in some kind of database. Every cybersecurity professional, whether knowingly or unknowingly, goes through a mental loop enumerating all the possible ways that data could be stolen or even just accessed. The database listens on the network, so you need to make sure there's strong authentication, encryption, audit, compliance controls, and so on and so forth.
But if I'm attacking you, if I want to steal your data, I can just socially engineer your workforce and get an SSH key to get into a Linux box, bypassing database security, and I will get the data file directly. So you need to make sure you have a privileged access management solution to secure your Windows and Linux boxes to prevent that from happening.
But then I will social engineer and steal some credentials from your employees, and I will get into a cloud API using a different door, bypassing your Linux security, bypassing your database security. So you need to secure that.
But then I see, oh, you're using Kubernetes. I can phish your employees and I will get Kubernetes API credentials, and I will get into a pod where the database is running and I will get data out this way. So you need to secure that.
But then I will get into Grafana, for example, and from Grafana I might jump into a database or into GitLab or Jenkins or any other workload that has database credentials.
The point is, these things are called access paths, and the modern scale of complexity says that you have an infinite number of them. This is why it sometimes takes weeks to go through forensic investigation to figure out which access path an attacker took.
What causes this problem? Identity fragmentation—that's the root of all evil.
To talk about ephemeral identity, I first have to talk about long-lived secrets. There are multiple cases in which people have long-lived secrets in the infrastructure. One that comes to mind is CircleCI, which had a security incident in which they leaked long-lived credentials for different systems. CircleCI is a continuous integration, continuous deployment system, and since these keys deploy to production systems, the organization had to figure out which systems had those keys. These are long-lived secrets. So the developers had to go into each one of their systems and rotate those keys—it took about a month of remediation to touch and edit all their systems.
This is how we solve this problem. We're bringing an identity layer for your infrastructure. The purpose of that identity layer is to keep track of everyone and everything that's involved in computing. So you need to know all of your humans who access your infrastructure, all of the laptops they're using, all the servers you have, and every piece of software, including AI agents that run on those servers.
What this does is it eliminates all anonymity from your computing environment. In the end, you're going to have one identity interacting with another. The access path doesn't matter anymore.
2026 is going to be an interesting year. I would say it will be the first true AI year. When ChatGPT was released, it showed the world what is possible. What followed was rapid iteration of the quality of AI technology, and this made a lot of very smart people think very hard about what kind of new products and services could be built. But building those products and services took time. So my argument is that in the previous couple of years, most organizations have been building AI solutions, and 2026 is the year when they will start rolling them into production. Essentially, 2026 is the year where AI will graduate from the labs and start going into production at most companies.
If you look at a typical SaaS company, it's helpful to decompose what they do into two parts. They have the data that they're operating on, and then they have the user interface and maybe an API that allows the customer to interact with this data. So essentially, every software product consists of both of these components. And what AI is doing is rapidly making the user interface and API obsolete or even unnecessary.
An obvious example of this would be Google Drive, where I keep a lot of our company documents. There are all kinds of UI capabilities for me to open individual documents and click on different tabs and do different searches. Or I could simply ask Gemini a question that I need the answer for, and then suddenly the UI disappears. I don't need to use it anymore. And it's good for Google that they designed both, so they're not threatened by Gemini. But it is a problem for companies that don't have their own AI implementation, because essentially they're threatened to become dumb databases.
Sometimes folks ask me why I'm so excited about resiliency—in fact, more so than security—to which I always respond that resiliency has a very direct connection to technological progress. Our customers are leaders in their own industries. They want to move fast. They want to move into the future with maximum velocity by launching and building new products. This is why they often say to their engineering teams, "Move fast and break things." And guess what? Having a resilient infrastructure allows you to move a lot faster.
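The access-path walk-through above (SSH key to a host, cloud API, Kubernetes pod, Grafana into GitLab, all ending at the database) and the CircleCI rotation story can be made concrete with a small model. The following is an added example written for this page, not code from the talk or from Teleport. The inventory is constructed: each hop is the credential an attacker would need to phish or steal, with `ttl_minutes` set to `None` for a long-lived secret (usable until someone rotates it by hand) or to a number for a short-lived, identity-bound certificate. It enumerates every simple path to the crown jewel, lists what a breach cleanup has to touch by hand, and shows how the same leaked credential behaves once every hop is ephemeral.

```python
"""Access-path enumeration over a constructed infrastructure graph.

Added example for this page; the inventory mirrors the walk-through in the
talk and is not a real environment or any vendor's API.
"""
from collections import defaultdict

# Constructed inventory: one hop per stealable credential. ttl_minutes is
# None for a long-lived secret (valid until rotated by hand) and a number
# for a short-lived certificate that expires on its own.
LONG_LIVED_INVENTORY = [
    # (from,        to,           credential,           ttl_minutes)
    ("workforce",  "linux-host", "ssh-key",            None),
    ("workforce",  "cloud-api",  "aws-access-key",     None),
    ("workforce",  "k8s-api",    "kubeconfig-token",   None),
    ("workforce",  "grafana",    "grafana-password",   None),
    ("workforce",  "wiki",       "wiki-sso-cookie",    None),  # dead end
    ("linux-host", "database",   "db-data-file-read",  None),
    ("cloud-api",  "linux-host", "ssm-session",        None),
    ("cloud-api",  "database",   "rds-master-secret",  None),
    ("k8s-api",    "db-pod",     "pod-exec",           None),
    ("db-pod",     "database",   "db-volume-mount",    None),
    ("grafana",    "database",   "grafana-datasource", None),
    ("grafana",    "gitlab",     "gitlab-api-token",   None),
    ("gitlab",     "database",   "ci-db-credential",   None),
]
CROWN_JEWEL = "database"


def enumerate_access_paths(inventory, start, target):
    """Every simple path from start to target as a list of
    (from, to, credential) hops, found by depth-first search."""
    adj = defaultdict(list)
    for src, dst, cred, _ttl in inventory:
        adj[src].append((dst, cred))
    paths = []

    def dfs(node, visited, hops):
        if node == target:
            paths.append(list(hops))
            return
        for nxt, cred in adj[node]:
            if nxt in visited:          # simple paths only, no cycles
                continue
            visited.add(nxt)
            hops.append((node, nxt, cred))
            dfs(nxt, visited, hops)
            hops.pop()
            visited.discard(nxt)

    dfs(start, {start}, [])
    return paths


def credentials_on_paths(paths):
    """Distinct credentials that sit on at least one path to the target."""
    return {cred for path in paths for _, _, cred in path}


def manual_rotation_set(inventory, paths):
    """What a CircleCI-style cleanup must touch by hand: every long-lived
    credential lying on some path to the crown jewel."""
    ttl = {cred: t for _, _, cred, t in inventory}
    return sorted(c for c in credentials_on_paths(paths) if ttl[c] is None)


def paths_still_open(inventory, paths, leaked_credential, minutes_since_leak):
    """Paths a thief can still walk with one stolen credential: all of its
    paths while a long-lived secret stays unrotated, none once an
    ephemeral certificate has passed its TTL."""
    ttl = {cred: t for _, _, cred, t in inventory}[leaked_credential]
    if ttl is not None and minutes_since_leak >= ttl:
        return []
    return [p for p in paths if any(c == leaked_credential for _, _, c in p)]


def with_ephemeral_identity(inventory, ttl_minutes=5):
    """Same topology after every hop is issued as a short-lived cert bound
    to a human, machine or agent identity: the paths stay, the standing
    secrets on them go away."""
    return [(s, d, c, ttl_minutes) for s, d, c, _ in inventory]


if __name__ == "__main__":
    paths = enumerate_access_paths(LONG_LIVED_INVENTORY, "workforce", CROWN_JEWEL)
    print(f"{len(paths)} access paths to {CROWN_JEWEL}:")
    for p in paths:
        print("  " + " -> ".join(f"{s}[{c}]" for s, _, c in p) + f" -> {CROWN_JEWEL}")
    day = 24 * 60
    print("rotate by hand:", manual_rotation_set(LONG_LIVED_INVENTORY, paths))
    print("paths open a day after aws-access-key leaks:",
          len(paths_still_open(LONG_LIVED_INVENTORY, paths, "aws-access-key", day)))
    eph = with_ephemeral_identity(LONG_LIVED_INVENTORY)
    print("rotate by hand with ephemeral identity:", manual_rotation_set(eph, paths))
    print("paths open a day after the same cert leaks:",
          len(paths_still_open(eph, paths, "aws-access-key", day)))
```

On this constructed graph there are six distinct paths from a phished employee to the database, twelve standing secrets that would each need a manual rotation after a breach, and a leaked cloud key keeps two of those paths open indefinitely. With the same topology issued as five-minute certificates, the rotation list is empty and the same leaked credential opens nothing a day later; the number of access paths has not changed, which is the talk's point that the identity layer, not the path, is what you control.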

One tool for databases, another for AWS, another for Kubernetes. Each creates its own access paths. Attackers exploit the gaps between them.
SSH keys, cloud APIs, Kubernetes pods, Grafana, GitLab—every component is a potential entry point. This is why breach investigations take weeks.
CircleCI leaked long-lived credentials. Developers manually rotated keys across every system. A month of engineering time lost. Ephemeral certificates expire in minutes.
ChatGPT showed what's possible. The last two years were about building. 2026 is about deploying at scale. Most infrastructure isn't ready.

00:20
Why giving AI unlimited access is like giving a toddler root access to your production systems.

00:30
What customers don't expect when they deploy infrastructure identity: their teams move faster.

00:25
Most enterprises are just starting to look at this problem. You can't solve it tomorrow—start now.
Use these to start strategic conversations:
1. How many access paths exist to our crown jewel data? Can we enumerate them all?
2. If we leaked credentials tomorrow, how long would remediation take? A day? A week? A month?
3. Are we ready for AI agents to access production systems? What controls do we have in place?
4. Does our security strategy slow down innovation, or does it enable velocity?
5. If a key SaaS vendor becomes commoditized by AI, what's our contingency?
Three perspectives on infrastructure identity and AI:
Watch webinar
Ev Kontsevoy (CEO) + Craig Matsumoto (Futuriōm)
Read Report
Survey of 205 CISOs: Over-privileged AI = 4.5x higher incidents
Explore Platform
Technical overview of unified identity for humans, machines, and AI