AI agents are accelerating automation—but without trustworthy identity systems in place, they also multiply risk. In this episode, Cristin Flynn Goodwin breaks down the legal, technical, and human stakes of AI-driven ecosystems and why identity must come first.
When we talk about AI at cybersecurity conferences these days, one term is impossible to ignore: agentic AI. But behind the excitement around AI-driven productivity and autonomous workflows lies an unresolved—and increasingly urgent—security issue: identity.
In this episode, Sean Martin and Marco Ciappelli speak with Cristin Flynn Goodwin, keynote speaker at SecTor 2025, about the intersection of AI agents, identity management, and legal risk. Drawing from decades at the center of major security incidents—most recently as the head cybersecurity lawyer at Microsoft—Cristin frames today’s AI hype within a longstanding identity crisis that organizations still haven’t solved.
Why It Matters Now
Agentic AI changes the game. AI agents can act independently, replicate themselves, and disappear in seconds. That’s great for automation—but terrifying for risk teams. Cristin flags the pressing need to identify and authenticate these ephemeral agents. Should they be digitally signed? Should there be a new standards body managing agent identities? Right now, we don’t know.
Meanwhile, attackers are already adapting. AI tools are being used to create flawless phishing emails, spoofed banking agents, and convincing digital personas. Add that to the fact that many consumers and companies still haven’t implemented strong MFA, and the risk multiplier becomes clear.
The Legal View
From a legal standpoint, Cristin emphasizes how regulations like New York’s DFS Cybersecurity Regulation are putting pressure on CISOs to tighten IAM controls. But what about individuals? “It’s an unfair fight,” she says—no consumer can outpace a nation-state attacker armed with AI tooling.
This keynote preview also calls attention to shadow AI agents: tools employees may create outside the control of IT or security. As Cristin warns, they could become “offensive digital insiders”—another dimension of the insider threat amplified by AI.
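To make the open questions above concrete (signed, ephemeral agent identities with zero standing privilege, and shadow agents that sit outside the organization's controls), here is an added example that is not from the episode, its speakers, or any of the products mentioned. It issues short-lived, scoped credentials to spawned agents and verifies each action against them; the HMAC key standing in for a real signing authority, the claim names and the scope strings are all assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed key standing in for the organization's credential authority
# (an HMAC stand-in for a real signing key; not from the original page).
AUTHORITY_KEY = b"constructed-demo-authority-key"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(payload: bytes, key: bytes) -> str:
    return _b64(hmac.new(key, payload, hashlib.sha256).digest())

def issue_credential(parent_id, scopes, ttl_seconds=30, now=None, key=AUTHORITY_KEY):
    """Mint a short-lived, least-privilege credential for a newly spawned agent.
    It records who spawned the agent, the only actions it may take, and when it
    stops being valid, so an ephemeral agent is never anonymous or over-privileged."""
    now = int(time.time() if now is None else now)
    claims = {
        "agent_id": "agent-" + secrets.token_hex(4),
        "parent_id": parent_id,
        "scopes": sorted(scopes),
        "iat": now,
        "exp": now + ttl_seconds,
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + _sign(payload, key)

def verify_action(token, action, audit_log, now=None, key=AUTHORITY_KEY):
    """Return (allowed, reason) for `action` under `token`; always audit-logs."""
    now = int(time.time() if now is None else now)
    reason, claims = "ok", {}
    try:
        payload_b64, sig = token.split(".")
        payload = _unb64(payload_b64)
        # Constant-time check; a token signed with any other key (for example a
        # self-issued "shadow" agent credential) is rejected before parsing.
        if not hmac.compare_digest(_sign(payload, key), sig):
            reason = "bad_signature"
        else:
            claims = json.loads(payload)
            if now >= claims["exp"]:
                reason = "expired"
            elif action not in claims["scopes"]:
                reason = "out_of_scope"
    except (ValueError, KeyError, TypeError):
        reason, claims = "malformed", {}
    # Every decision, allowed or denied, lands in the audit trail defenders hunt through.
    audit_log.append({"ts": now, "agent_id": claims.get("agent_id"),
                      "parent_id": claims.get("parent_id"),
                      "action": action, "reason": reason})
    return reason == "ok", reason

if __name__ == "__main__":
    log = []
    tok = issue_credential("orchestrator-1", ["read:tickets"], ttl_seconds=30)
    print(verify_action(tok, "read:tickets", log))     # (True, 'ok')
    print(verify_action(tok, "delete:tickets", log))   # (False, 'out_of_scope')
    shadow = issue_credential("employee-laptop", ["read:tickets"], key=b"rogue")
    print(verify_action(shadow, "read:tickets", log))  # (False, 'bad_signature')
    for record in log:
        print(record)
```

The audit records carry the parent agent's id, so a chain of short-lived agents can still be traced back to whoever spawned the first one.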
Looking Ahead
This is a must-listen episode for CISOs, security architects, policymakers, and anyone thinking about AI safety and digital trust. From the potential need for real-time, verifiable agent credentials to the looming collision of agentic AI with quantum computing, this conversation kicks off SecTor 2025 with urgency and clarity.
Catch the full episode now, and don’t miss Cristin’s keynote on October 1.
___________
Guest:
Cristin Flynn Goodwin, Senior Consultant, Good Harbor Security Risk Management | On LinkedIn: https://www.linkedin.com/in/cristin-flynn-goodwin-24359b4/
Hosts:
Sean Martin, Co-Founder at ITSPmagazine | Website: https://www.seanmartin.com
Marco Ciappelli, Co-Founder at ITSPmagazine | Website: https://www.marcociappelli.com
___________
Episode Sponsors
ThreatLocker: https://itspm.ag/threatlocker-r974
BlackCloak: https://itspm.ag/itspbcweb
___________
Resources
Keynote: Agentic AI and Identity: The Biggest Problem We're Not Solving: https://www.blackhat.com/sector/2025/briefings/schedule/#keynote-agentic-ai-and-identity-the-biggest-problem-were-not-solving-49591
Learn more and catch more stories from our SecTor 2025 coverage: https://www.itspmagazine.com/cybersecurity-technology-society-events/sector-cybersecurity-conference-toronto-2025
New York Department of Financial Services Cybersecurity Regulation: https://www.dfs.ny.gov/industry_guidance/cybersecurity
Good Harbor Security Risk Management (Richard Clarke’s firm): https://www.goodharbor.net/
Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage
Want to share an Event Briefing as part of our event coverage? Learn More 👉 https://itspm.ag/evtcovbrf
Want Sean and Marco to be part of your event or conference? Let Us Know 👉 https://www.itspmagazine.com/contact-us
___________
KEYWORDS
cristin flynn goodwin, sean martin, marco ciappelli, sector, microsoft, ai, identity, agents, ciso, quantum, event coverage, on location, conference
[00:00:49] Sean Martin: Marco,
[00:00:50] Marco Ciappelli: Sean,
[00:00:51] Sean Martin: how you doing? A
[00:00:53] Marco Ciappelli: I'm doing good about you.
[00:00:56] Sean Martin: No,
[00:00:56] Marco Ciappelli: you imagine like you got Italian, an Italian, tried to do a [00:01:00] Canadian so I, don't really? You, you had to go there? You hate me that much. Yeah. I mean,
[00:01:06] Sean Martin: much. I hate, hate to love you that much. No, I'm, uh, Canada,
[00:01:12] Marco Ciappelli: Canada, know it's that time of the year, the,
[00:01:15] Sean Martin: it's that time of year.
[00:01:16] Marco Ciappelli: The footage is falling, getting my gold beauty.
[00:01:19] Sean Martin: You know, well, you know, people listened to the episode last year. I, uh, I drove up from Manhattan to Toronto, took a week,
[00:01:29] Marco Ciappelli: It took you a while 'cause you
[00:01:30] Sean Martin: me a while because I, I stopped every minute and I hiked all over the place.
It was a non-cyber drive. It was really cool. A lot of pictures, a lot of color. And then I got to Toronto and saw a lot of friends and met some new folks and talked all things cyber. That we can, uh, it's coming up again. Last part of, last day of September, first day of October. I think it crosses over
[00:01:54] Marco Ciappelli: and that's SecTor, which you haven't said yet.
[00:01:56] Sean Martin: which is a Black Hat, uh, conference.
Exactly.
[00:01:59] Marco Ciappelli: Yeah, and we [00:02:00] love Black Hat, so we're gonna be there too. Although, I'm sorry to break it to you, but you don't get to take pictures this year. We're doing a remote, remote coverage, which is still fun, uh, especially before the event, and that's what we're doing here today.
I don't, you go ahead and introduce the, the guest.
[00:02:18] Sean Martin: Well, I think, uh, the, the, guest is, uh, Cristin Goodwin. Cristin Flynn Goodwin, thanks for joining us
[00:02:25] Cristin Flynn Goodwin: Happy to be here.
[00:02:26] Sean Martin: and you're keynote speaker. Congratulations on, uh, getting that spot. Or sorry you have that spot to, uh, to try to awe and, and, and inspire an audience that, uh, that is. Yeah, I think sometimes can be challenging.
They look at things, uh, negatively, negatively. Right.
[00:02:45] Cristin Flynn Goodwin: Okay. I welcome it. You know, our, our industry is one of the few where we, we refer to ourselves as a community. It's a security community. So even if it's, if, if, if it's hard messages, that's still okay because we're still a community, so I love it.
[00:02:58] Sean Martin: Yeah. No,
[00:02:59] Marco Ciappelli: you know, there, [00:03:00] there is a community that loves a challenge. This is the one, right? It's not, it's okay if you start with everything is, it's a mess. Okay? How do we resolve this, right?
[00:03:12] Sean Martin: come
[00:03:12] Marco Ciappelli: don't need to pick the right mess for the right audience.
[00:03:15] Sean Martin: talk, talking about the right mess. Uh, I think, uh, AI is certainly top of the list. Agentic AI is another, and, and I think you're doing some fun things, connecting identity. That mess, uh, Cristin, uh, is gonna be fun. So we're, we're gonna get into that in a moment, but, um, if you could please maybe take a few moments to kinda give us a highlight of some of the things you've worked on in the past and, uh, where you're currently up to now that leads us into this AI and identity topic that you're gonna be presenting on.
[00:03:46] Cristin Flynn Goodwin: For sure. I got my start as a baby lawyer, not in cybersecurity, but in securities, and I worked on the 85th floor of Tower One of the World Trade Center. And I knew that that was not the [00:04:00] role for me, and I managed to get hired a long, long time ago by MCI WorldCom as they were building out their very first internet law team.
And so I was given the opportunity to pick, do you want privacy or do you want security? I picked security and by just sheer happenstance, my client was Vint Cerf, the founder of TCP/IP and, you know, one of the fathers of the modern internet, and he was super active in, in advising the White House. It was a really active time in the wake of, um, Y2K back then.
And then of course 9/11 happened. And so, um, we became extremely active in working with the White House, and I never looked back on cybersecurity. That just became my mission in life. So. Helped build, from the private sector side, the National Strategy to Secure Cyberspace. Worked on every [00:05:00] major piece of legislation.
Um, after I left MCI WorldCom, as you may recall, way back when they had some troubles, I had an operational role for a few years at BellSouth, running national security and emergency response. Joined Microsoft in 2006, spent two years as their head cyber lobbyist. Moved to Redmond, and then spent, uh, the remainder of my career, almost 15, 16, 17 years there as the head cybersecurity lawyer.
So I was supporting the Microsoft Security Response Center, the Microsoft Threat Intelligence Center, and responsible for coordinating and sharing information with governments all around the world. So for the past 25 years, I've been at the epicenter of almost every major incident we've, we've had. Um, since leaving Microsoft, I have set up my own law firm where I work with companies, particularly cyber lawyers, helping them work through cybersecurity [00:06:00] incidents and set up plans and programs inside their companies. And I consult with Good Harbor Security Risk Management, which is a company founded by Richard Clarke, the former White House Cyber Czar, who ran that very first national strategy that I worked on way back in 2003.
So full circle. So I, I still stay incredibly active in cyber, but that story arc of the impact of 9/11 and how we, how I get to look for opportunities to have impact and solve hard problems has been persistent throughout.
[00:06:35] Sean Martin: Yep. Serious programs, serious impact. I
[00:06:38] Marco Ciappelli: You, you, you have seen, you have seen a lot of things, right? And um, and here we are in the, somebody calls it the age of AI and we. Talking about events, I'm sure that if you're gonna play the game of, what's the buzzword at that event? I can tell you what it was at Black Hat in Las [00:07:00] Vegas and what it was at RSA Conference.
Uh, I'm gonna bet on agentic AI and I know that actually that's, uh, kind of like at the, at the core of, uh, your keynote session. So. Why did you pick that as a part of your everyday consulting? Like it's coming up a lot.
[00:07:22] Cristin Flynn Goodwin: It absolutely is. I mean, agentic AI is front of mind for everybody. It, it has to be. Um, ever since November of 2022 when ChatGPT burst into our public consciousness, you know, it's, it's hard to imagine we lived in a time before it. It, it's become so embedded in our, in our day-to-day lives. But as AI and particularly agentic AI becomes more a part of our lives.
It also reminds us that we had this huge gaping problem in cybersecurity that came before that we hadn't solved. And that's the problem of identity [00:08:00] and the identity issue for people, which is where we started in the internet, has not yet been solved. A lot of consumers don't have MFA applied on even some of their most important accounts.
Maybe a bank account, lots of other accounts, probably not. When you're in companies, depending upon the size of the company, your mileage may vary on the strength and the depth of identity and access management protections. And so as we take the backdrop of the, of the, the sort of turmoil we have in identity and access management, just pre-AI, and then we put this accelerant on top of it.
Every AI agent can exist. Um, that's frightening, especially if you're a CISO when you think about the risks of liability and the risks of, uh, regulators coming in [00:09:00] once attacks and exploits happen, wanting to know why these issues weren't being remediated. So this is, this is a front of mind conversation.
[00:09:10] Marco Ciappelli: You know, I, before I let Sean go, I'm like, I'm smiling and, and laughing by myself, 'cause I'm thinking about that very famous joke that nobody knows you're a dog on the internet. That was from 1996, I believe. And so talking about identity, it was just a completely different problem back then. But you're right.
I mean, identity has been at the core of everything happening on the, on the web. Either they know you're a dog or not, or they think you're not. Or maybe now it's an AI dog who
[00:09:43] Cristin Flynn Goodwin: That's absolutely right, and if you think about one of the things we know about cyber attacks and attackers is that. It is, it's easy to be lazy. Why go invest in creating a brand new type of attack when you can take something that you know [00:10:00] works well and repeat it. So we know that elder fraud and abuse online is a, is a tactic that works well.
We also know that spoofing is a tactic that works well. You can anticipate that attackers are going to figure out how to have AI agents that might look like somebody's bank and might have all the logos and act like somebody's bank, but you can anticipate that they're going to start scooping up pertinent account information, usernames, passwords, you.
You can just predict the abuse that will come against consumers first, and then you can also predict the more nefarious attacks that will come against agents. As both cyber criminals and nation state actors figure out what is the most efficient way to go about collecting intelligence or figuring out a way to go monetize a criminal scheme.
And if we [00:11:00] don't think consistently now about how do you come up with a way to know if an AI agent is good or bad, is yours or not, is somebody to be trusted or somebody to be rejected, we're opening ourselves up to an era of turmoil that we don't necessarily have to have.
[00:11:20] Sean Martin: This. Uh, so on my show I cover a lot of things cyber related to business operations and policies and risk management. And it, it tends to be looked at in terms of am I following regulatory guidelines and/or am I protecting the business from fraud and attack and other things like that. And then. And then I think about, there's the individual as well, which you're kind of touching on here, that they have an identity and they might interact with agents that might be valid agents, they might be spoofed agents, but we're also as humans, individuals [00:12:00] using AI agents, either whether we know it or not, acting on our behalf.
And as we continue to automate and orchestrate our lives through phones and other applications that are connecting a bunch of services together, we're gonna be using a lot of services that are AI driven, agent driven, and some of 'em may be good or bad. And I'm wondering from a lawyer perspective, legal perspective, what, what does that, what do we have to think about as individuals as we move forward into this world of agentic AI?
[00:12:31] Cristin Flynn Goodwin: Yeah, I mean, it's a great question because I think that we were just starting to see in 2023 and forward regulations that were starting to put pressure on companies and particularly on, on, um, leadership and trickling down to CISOs getting more responsible about cybersecurity policies, practices, procedures.
The New York Department of Financial Services, the NYDFS Cybersecurity Regulation, is a [00:13:00] great example of a really detailed playbook for identity and access management. For a company, if you're, if you don't know where to start and you're, you're trying to figure out what you should be doing for cybersecurity basics, start there.
Because if you can satisfy that regulation, you at least have a, have a, a ground floor to come in on. For the individual side, there's not a lot of guidance about what to do. You're sort of at the mercy of the company that you pick from a service provider perspective doing the right things for you.
Fortunately, if you are on the Google ecosystem or the Apple ecosystem or the Microsoft ecosystem, the companies do care about, about you having credentials and not being open to cyber attacks. The companies have their own nuances and flavors of how they go about that. The hard part for consumers in particular is that.
[00:14:00] You don't have an enterprise version of defense. Consumer accounts can't be managed, so you're on your own and there's no individual consumer who is ever going to be able to beat a persistent nation state attacker or a thoughtful cyber criminal if they choose to go after them. You don't have the tools, you don't have the technology, you don't have the abilities, and so that makes it an unfair fight.
When you add agentic AI into the mix where the attacker's emails are going to be perfect, no more grammar and spelling errors, you know, the logo placements are going to be perfect. It will be so much harder when you can, when the attackers can use AI to hyper ize attacks than the likelihood of individuals being able to determine that at least fast enough to know before they've clicked. That poisonous link, that's gonna get [00:15:00] really hard,
[00:15:00] Marco Ciappelli: You know what's funny is that before you, you were looking for the mistake and the spelling, and now you look, if it's too perfect, it's probably AI, right? We went all the way around.
[00:15:13] Sean Martin: If it, it repeats itself. Yeah. Says the same thing five times
[00:15:17] Marco Ciappelli: that who, that's who now I, I was reading here. Let, let's get into your keynote in more specifics, like, you know, who, who it is for and so on.
But before you go there, there's one thing that I could have an entire episode of my show, which is. With the finance, society and technology because it says that the each agent, AI agent will also have its own identity and it kind of sparked something in my head and I'm like, of course. That's the only way you know.
Is it really you? Who you say you are. It's the same thing that's dealing with, with the human. So can you elaborate on that and start [00:16:00] keynotes
[00:16:00] Cristin Flynn Goodwin: Um, one of the things that we do not yet have is a consistent and repeatable way to identify what are the attributes of an agent and what are the, the attributes that should always be present? Should all agents be digitally signed? Should all agents have, um, verifiable credentials?
How would they be verified? You know, is that company to company? Is that with like an, an ICANN-like service? You know, we don't yet have the rules
[00:16:40] Marco Ciappelli: it was gonna happen.
[00:16:40] Cristin Flynn Goodwin: for this.
[00:16:42] Marco Ciappelli: That
[00:16:43] Cristin Flynn Goodwin: of, uh, process when you add in the reality that AI agents are also going to be able to be ephemeral. So in a multi-agent ecosystem, you can have an agent create another agent for [00:17:00] just a couple of seconds to go and execute another task and then disappear. So with an ephemeral agent, that will only exist for a particular function and a point in time. You're going to have to have identities that are dynamic, that are lowest, uh, uh, zero privilege access, that are going to be auditable, that are going to be remotely controllable, and you're going to have to be able to do this at scale through machine controls because they will be faster than any human could possibly be.
So technology's going to have to be invented that will help enable defense teams to be able to manage and hunt through this sort of telemetry too. That's, that is daunting for any CISO. Um, I think the other nuance that I'd pull out there is that. Sort of like a, like Jeff Goldblum says in Jurassic Park, nature finds a way, like employees will find a way to create shadow AI agents as [00:18:00] well if they find processes or controls are too onerous.
So the other thing that CISOs are gonna have to worry about is, will employees create their own AI agents outside of the controls that the company may have, that are then accessing company data, customer data, other sensitive company systems, and then executing functions that are outside the control of the IT team, which is terrifying because it takes shadow IT and then empowers it like a really offensive digital insider.
[00:18:35] Sean Martin: Uh, there's so much here, obviously, which is which.
[00:18:40] Cristin Flynn Goodwin: Be six hours long. It'll be great.
[00:18:42] Sean Martin: Why you have a keynote for one? Um, I think Marco and I could each have multiple episodes on this topic with you. Uh, no, no question about it. Um, perhaps, uh, as we wrap here, a few notes on. Who you're really speaking to. I've heard the, I've heard the CISO role mentioned a few [00:19:00] times here.
Are there other folks you expect to be at the conference that will gain value from what you're, you're presenting, and maybe what are, what are some of the key takeaways you think, uh, they'll walk home with?
[00:19:12] Cristin Flynn Goodwin: Uh, I think that this is relevant for anyone who's in a technical policy role, so that could be standards. So much is being developed in the standards world right now around this and all of the ai. And, and, and identity frameworks that were created in the past five years are all going to have to get pushed forward to go and build out this new ecosystem.
So there's a lot of technical policy and technical conformance work that's going to have to be done. So I, I think that for those who are in the security ecosystem, this talk is for those folks as well. This talk is absolutely for anybody who has to implement and think about risk management because we have the [00:20:00] legacy risk of yesterday's identity, today's risk of AI, agentic AI coming into these ecosystems.
And then we'll touch on what happens in 2030 when Q-Day hits and we add the acceleration of quantum computing into agentic AI, where it will make all of this happen so much faster. And so for anybody who's doing future planning, this is also a talk for them too.
[00:20:26] Sean Martin: Are you trying to make our heads explode? Drop, dropping Q in there
[00:20:30] Cristin Flynn Goodwin: The first talk of the conference, we gotta start big.
[00:20:32] Sean Martin: Oh my goodness.
[00:20:33] Marco Ciappelli: sounded so much like The Matrix and Mr. Smith just being everywhere at the same time and no. It's probably not a case that, you know, Keanu Reeves is from Canada. So here we go. I just reconnected everything. There you go.
[00:20:48] Sean Martin: Throw in there that all this is gonna run on, this is all gonna run on the devices too. So we, us, us humans won't even have to be in the mix. Uh, robots and PLCs and sensors and everything else will be [00:21:00] enabled.
[00:21:01] Marco Ciappelli: yeah, just take the blue and the red pill. Just take them both.
[00:21:06] Sean Martin: Go purple team. Why not?
[00:21:07] Cristin Flynn Goodwin: Well, you can ask ChatGPT 'cause it'll tell you anyways. Right?
[00:21:10] Marco Ciappelli: Exactly. He knows everything.
[00:21:13] Sean Martin: Oh
[00:21:14] Marco Ciappelli: Okay. This was great. It definitely inspired me to have some more identity and AI agent conversation for the way we interact with them and how they're gonna be more and more part of our everyday life. In the meantime, this is a, a, a pre-event, uh, conversation about SecTor, uh, which will happen in, uh, Toronto, September 30th to October 2nd, 2025.
And, uh, we are not going to be on location. But we are covering it. So I invite everybody to stay tuned. And for those actually that are on location, you should definitely go and check out, uh, the, the keynote session with, uh, Cristin Flynn, [00:22:00] Flynn Goodwin. Um, I would definitely go if I were there. And I know Sean would be with me, so.
[00:22:05] Sean Martin: I know. Agentic AI and identity, the biggest problem we're not solving, though Cristin's gonna help you. Uh. Start solving it October 1st. That's Wednesday, nine to 10. Keynote session there. Cristin, congrats. Thank you so much for, uh, doing this work, sharing it at the conference, giving us a snippet, uh, of what's happening here on ITSPmagazine and our audience, I'm sure, appreciates it as well.
So thank you.
[00:22:29] Cristin Flynn Goodwin: Thanks so much. I look forward to the conversation up at SecTor.
[00:22:34] Marco Ciappelli: Take care.