
Greg Keller, JumpCloud CTO on AI Agent Identity and Security

Mar 5, 2026 · 25 min read


In this episode, Michael Koenig speaks with Greg Keller, co-founder and CTO of JumpCloud, about identity access management and why it’s becoming one of the most important operational systems in the age of AI.

Greg explains how traditional identity systems were designed for office-based companies running Microsoft infrastructure and why that model broke as companies moved to SaaS, cloud infrastructure, and remote work.

The discussion then turns to the next big shift: the rise of AI agents and synthetic identities inside organizations.

As companies deploy more AI tools, the number of machine identities may soon outnumber human employees. Managing what those systems can access will become a critical security and operational challenge.

Topics Covered

  • What a CTO actually does (1:30)
  • Identity Access Management explained simply (4:00)
  • Why the old IT model broke (8:00)
  • How JumpCloud approaches identity (12:00)
  • Where Okta fits in the ecosystem (16:00)
  • Why COOs should push AI adoption (20:00)
  • The rise of synthetic identities (24:00)
  • Bots may soon outnumber employees (28:00)
  • AI as a potential insider threat (32:00)
  • The API key governance problem (36:00)
  • Key Takeaway: identity is the control layer (40:00)

What a CTO actually does

Greg explains the different types of CTO roles and how technology leaders help companies anticipate where the market is headed.

Identity Access Management explained simply

IAM answers three core questions inside every company:

  • Who are you?
  • What can you access?
  • How is that access managed?

Why the old IT model broke

Traditional identity systems were built for on-premise offices and Microsoft infrastructure. Modern companies now operate across:

  • SaaS applications
  • cloud infrastructure
  • remote work environments
  • multiple operating systems

How JumpCloud approaches identity

JumpCloud was built to manage identity across devices, applications, and infrastructure regardless of platform.

Where Okta fits in the ecosystem

Okta helped modernize browser-based authentication through Single Sign-On, while JumpCloud focuses on broader identity infrastructure.

AI, Security, and Synthetic Identities

Why COOs should push AI adoption

Greg argues AI adoption is no longer optional. Companies must encourage teams to improve productivity and efficiency using AI.

The rise of synthetic identities

AI agents, bots, APIs, and service accounts are becoming new actors inside companies that require identity governance.

Bots may soon outnumber employees

Organizations will soon manage more machine identities than human ones.

AI as a potential insider threat

AI systems can become security risks if they are granted excessive permissions or misinterpret policies.

The API key governance problem

Many AI integrations rely on API keys, which are often poorly managed and can create hidden security risks.
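The governance questions Greg raises in the episode (does the key ever time out, how granular is its scope, which service account was it assigned to) can be checked mechanically against a key inventory. The following is an added example, not code from JumpCloud or the podcast; the inventory fields, scope names, service-account names and the 90-day threshold are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values for this example; the episode names no thresholds.
MAX_LIFETIME = timedelta(days=90)
BROAD_SCOPES = frozenset({"*", "admin", "all"})


@dataclass(frozen=True)
class ApiKey:
    key_id: str                    # identifier only, never the secret itself
    owner: Optional[str]           # service account / agent the key was issued to
    scopes: frozenset              # what the key may do once presented
    created: datetime
    expires: Optional[datetime]    # None means the key never times out
    last_used: Optional[datetime]  # None means never seen in access logs


def audit_key(key: ApiKey, now: datetime) -> list:
    """Return governance findings for one key, most basic question first."""
    findings = []
    if not key.owner:
        findings.append("no-owner")
    if key.expires is None:
        findings.append("no-expiry")
    elif key.expires - key.created > MAX_LIFETIME:
        findings.append("lifetime-too-long")
    if not key.scopes:
        findings.append("unscoped")
    elif key.scopes & BROAD_SCOPES:
        findings.append("broad-scope")
    if key.last_used is None or now - key.last_used > MAX_LIFETIME:
        findings.append("stale")
    return findings


def audit_inventory(keys, now):
    """Map key_id -> findings for every key that has at least one finding."""
    report = {}
    for key in keys:
        findings = audit_key(key, now)
        if findings:
            report[key.key_id] = findings
    return report


def keys_per_owner(keys):
    """Count keys per identity; unowned keys are grouped under '<unowned>'."""
    counts = {}
    for key in keys:
        owner = key.owner or "<unowned>"
        counts[owner] = counts.get(owner, 0) + 1
    return counts


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


NOW = _utc(2026, 3, 5)  # fixed so the result is reproducible

# Constructed sample inventory: every name, scope and date is made up.
SAMPLE_INVENTORY = [
    ApiKey("key-support-bot", "svc-support-chat",
           frozenset({"tickets:read", "tickets:reply"}),
           _utc(2026, 2, 1), _utc(2026, 4, 1), _utc(2026, 3, 4)),
    ApiKey("key-agent-gateway", "svc-agent-gateway", frozenset({"*"}),
           _utc(2025, 1, 10), None, _utc(2026, 3, 5)),
    ApiKey("key-legacy-export", None, frozenset({"reports:read"}),
           _utc(2024, 6, 1), None, None),
    ApiKey("key-finance-agent", "svc-finance-agent", frozenset({"ledger:read"}),
           _utc(2025, 3, 1), _utc(2026, 6, 1), _utc(2025, 10, 1)),
    ApiKey("key-agent-gateway-2", "svc-agent-gateway", frozenset(),
           _utc(2026, 3, 1), _utc(2026, 3, 31), _utc(2026, 3, 2)),
]

if __name__ == "__main__":
    for key_id, findings in audit_inventory(SAMPLE_INVENTORY, NOW).items():
        print(f"{key_id}: {', '.join(findings)}")
    print(keys_per_owner(SAMPLE_INVENTORY))
```

Only the narrowly scoped, short-lived, recently used support-bot key passes; the per-owner count shows which identities are accumulating keys.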

Key Takeaway

As companies adopt AI, identity access management becomes the control layer that determines what both humans and machines are allowed to do inside the organization.
The companies that manage identity well will move faster and operate more securely.

Listen & Subscribe

Apple Podcasts · Spotify · YouTube · Amazon Music · RSS

About Between Two COO's

Hosted by Michael Koenig · betweentwocoos.com · b2coos.com

Full Transcript

Show full transcript (auto-generated from audio)

Michael Koenig: Could AI be the ultimate insider threat? Like not through hacking, but by misinterpreting or manipulating policies and hallucinating its way into admin access.

Greg Keller: Yeah, I think, listen, it, it's not an if, like this is an actual practical reality. Basically like any other human. You, you provide entitlements to the human right. Your, um, you know, rank and file IC engineer is gonna have a very specific set of entitlements, what are called scopes, right? This is what you can get access to once you're in, you know, here's the things you can do in the system. And turn them into the Oprah moment. You get an API key, now you get an API key. Now you get an API key and before you know it, you have no go governance or manageability over. Oh my God. There has to be some level of governance over it, you know?

Michael Koenig: Hello and welcome to Between Two COOs. I'm your host, Michael Koenig. Today I am joined by an old friend, Greg Keller, co-founder and Chief [00:02:00] Technology Officer of JumpCloud. If you're not familiar, JumpCloud has become one of the fastest growing identity platforms out there, basically giving IT teams a modern alternative to the old Microsoft Active Directory. What started as a bet on making identity and access simpler has now scaled into a multi-billion dollar company securing thousands of organizations worldwide. Greg has been at the center of that journey from scrappy founder days to now steering the company's technological vision at scale. We're going to dig into what a CTO actually does, how JumpCloud has navigated some of the biggest challenges in identity access management and security. And then, uh, it takes some left turns into the future. And AI. Greg, great to have you here. Let's get right in.

Greg Keller: Good to see you and, uh, couldn't have said it better myself. Thank you for that intro.

Michael Koenig: Oh, of course. So, uh, let's start off first. This is a COO podcast, but um. Uh, you know, I, I love having other functions [00:03:00] on so that we can get a different perspective and appreciation. What does a CTO actually do? Just real quick?

Greg Keller: Oh, we just, you know, sit around and chase butterflies and think of, uh, you know, obscene visions to task our global engineering teams to go and execute on. I, I digress. Um, lately, uh. It, it there, it's a multitude of things, but I think in the core mission, uh, we are the ones who are setting the tone and the tempo of where the company's puck is headed. Uh, in terms of technology. So, um, that is the foremost charter. Um, there are different flavors and variants of CTOs. Some are, you know, deeply ensconced in engineering practices and rigor, and that's a part of it. But you find characters who kind of, you know, accelerate in that way. And others are more customer facing and product inclined. Right. [00:04:00] Uh, I tend to be on more of that side of the fence, which is, you know, setting a kind of a, a, a precedent of the what and the why behind the company's product initiatives and pulling the organization towards that mission. That's generally how, at least my. Architecture of a CTO role needs to be at at this company, but it may not apply for other companies.

Michael Koenig: That's a little bit more difficult than the COO role where we try and see around corners and position the company to mitigate risks, to be in a good growth path. But you have to see around corners on the tech stack itself. So there's actually a lot of work that goes into building the future. If you get it wrong, it could set you back a long time. How do you balance that? How do you see around those corners?

Greg Keller: Yeah, it's, um, you know, that was when I, we use that analogy where the puck is headed. Mm-hmm. Huge Gretzky fan. Um, it is, uh, first of [00:05:00] all, um, let me address, you know, all of these roles in senior leadership, you know, with a c in front of it are, uh, there's, you know, it's mind bendingly hard, so you can't, uh, the, the, the plight of the COO is absolutely as you suggest. Incredibly difficult. Uh, we each have our own challenges. I love your analogy of looking around corners. So on that front, you know what I need to do as the CTO is assure a continual, um, kind of value chain that is uni uninterrupted and constantly is demonstrating progressivity. Right. This is where, um, you know, great companies kind of, uh, stagnate plateau and start their decline in their descent. Um, and it's incredibly important that, you know, for me personally, like trying to get my Periscope and look around the [00:06:00] corner. Um, is literally about meeting needs and expectations before many of my customer, you know, buyer ICPs, um, kind of think of it, right?

Michael Koenig: Mm-hmm.

Greg Keller: What you don't want to be doing is be in chase mode all the time. Uh, that's a bad place to be. It's a tough place to be for, you know, an inventor and, uh, frankly, for our GTM teams, right? Then they turn into a bunch of folks who are constantly. You know, uh, doing the Coke versus Pepsi challenge, you know, um, which is not uncommon, but we, what, what we want is to set the tone of this is something you haven't tasted before and here's why you need to be in this taste test, right? Mm-hmm. Demonstrating a, a, a level of, of, of technology progression that you may not be familiar with, right. In these other vendors, these other approaches. Does that make sense? Like, to me that is Yeah, absolutely. Bending of [00:07:00] around the corner.

Michael Koenig: Got it. Got it. And uh, because you brought up the taste challenge, um, Pepsi or Coke.

Greg Keller: Oh, I have to say Pepsi. My, my brother ooh, a senior guy at Pepsi for a billion years. So if I, this is on record, so if I say coke, uh, it could cost.

Michael Koenig: So that's more outta loyalty than taste. Got it. Um, and,

Greg Keller: and the fact this is also gonna not get him, uh, or get him angry at me. I haven't actually had a soda pop in. Yeah. I, I know this sounds crazy in probably 20 years. I just don't

Michael Koenig: Oh, good for you. Yeah. Yeah. Good for you. That's wonderful. Well, let's talk about JumpCloud because identity access management, I've come across it a lot because I've been heavily technical, COO at points, but identity access management, I just said that, and people's eyes glazed over. What is it, how does JumpCloud fit into this and, and what are you guys [00:08:00] doing differently than say, in Okta?

Greg Keller: Yeah, it's, those are all. Good, you know, questions. Some very ethereal, some very specific. So, uh, for the, the, you know, let's call it the progressive COO, who may not be ensconced or educated on these things, I, I'll boil it down like this. In a business of any kind, remote first SaaS, highly progressive to very traditional. I walk into a brick and mortar office every day in order for the worker to do their job. Writ large, they need access to something to perform the task. Right? It could be taking your I'm in a retail store and taking your badge fob and getting into a point of sale machine. It could be I am a software engineer and I need to log into my services to work on cloud infrastructure. It [00:09:00] could be I am a financial person who needs to sign into a, you know, uh, into NetSuite or a, you know, a large scale like, you know, uh, transactional system. So jobs require. You know, uh, tooling and things that perform, you know, help the human perform the job. All of them require access in the broad spectrum of startups to multinational, conglomerate, you know, huge companies. There is a spectrum on the maturity of gaining access to resources. Okay? And that is another set of technologies that. Is the world of identity and access management. So even in that acronym IAM, it starts with the identity. You and me, Michael, we're just human knowledge workers. We're just, we're just part, [00:10:00] we're cogs in the business machine. We're the identities. The access part is what we need to get access to to do our job. The M or management part is how do you on a continual basis manage the appropriate access and security into those things? That's the spectrum. Startups are typically very immature. Multinational conglomerates have purchased all the tools and all the magic of software and security things to, to do it safely. Right. And there's a broad spectrum in between. So that's the education part. Okay. 
That's the basis of the world that we live in at JumpCloud. Historically, this is not a new concept. Okay. Companies, namely Microsoft, have uh, offered and performed these duties in their software, uh, for many, many [00:11:00] decades. In the case of Microsoft truly launching this in the late 1990s, early two thousands, with first with Windows NT, if you're old enough to remember that, then moving into Windows Server 2000. Uh, and many of us old enough to remember that you were probably walking into an office. Uh, you sat at a cubicle, you had a big monitor on your desk and below your desk you had a tower like your, your, your, you know, literally your machine, which you would knock your knee into every time you rolled your chair on, you know, at your cubicle. And all those machines were ethernet in literally to an actual closet. And inside that closet was a rack of servers. This is how it was done for decades. And those servers would dictate when Michael Koenig would sign into a Windows machine and what Michael Koenig could actually get access to. [00:12:00] Microsoft was very, very good at that for their own ecosystem of products like SharePoint. Like Outlook Exchange, which is their email client like, uh, Windows servers where documents and files would be held, right? It was a very harmonious thing. Guess what? Things have changed. The last three companies I've built didn't look anything. Like those companies in the nineties. I use a MacBook. I've been a, a proud Apple user for 20 years. Uh, anything that I could put a credit card in to operate my business like mm-hmm. Google Apps as it was called in the day, or Amazon to build my, you know, infrastructure or Salesforce, you know, to run my, you know, CRM right. None of that looked like what Microsoft is doing. And yet it still had the same challenges. Right? How do you securely get access to that wide variety of non-Microsoft stuff? Oh, and by the [00:13:00] way, there may be Microsoft things in there. 
Like my finance people could not use MacBooks 'cause they needed proper versions of Excel to do those big Excel things for finance reasons. So you gotta manage Windows too. So real companies operate in a non monoculture stack, in a very heterogenetic stack using lots of different vendor resources. That was the problem that JumpCloud chose to solve, right at different operating systems. Different working behaviors. Some, some remote, some in offices, some on-premise equipment, some up in the cloud services. You had to respond to all these things and provide an identity with that secure access no matter what it was, from where it was. Okay. So that's what JumpCloud decided to do. Very much. You know, in contrast to Microsoft's dedication to their own software. [00:14:00] Your last part was this company, Okta, a, a company that is, uh, uh, we have a lot of respect for they, uh, uh, you know, generate, you know, publicly traded, generate, you know, a billion plus in revenue, in actual revenue, um, you know, large market capitalization. And it was a demon, uh, uh, demonstrative. Uh, of how identity, at least one service aspect of it needed to happen. And what that one service aspect was, was something called single sign-on SSO, and it was a capability to secure and provide access to anything that a user would need to get access to through a browser. Right, so think of Salesforce or any of the number of web-based applications that you use. They needed to go and solve that, and they were the ones who more or less disrupted that community. There were others [00:15:00] that did it before them, like Ping Identity, another Colorado based company. Okay. So they, uh, in effect, um, demonstrated that, Hey, we're gonna go and reinvent this browser-based world of, of secure access. And guess what? It's a thing, right? What it didn't solve for though, was the whole totality of things a user may be touching on a daily basis. 
Like for example, Michael, before you got on this, uh, recording with me, you walked into your home office. You logged into your computer, probably a MacBook, right?

Michael Koenig: You got it

Greg Keller: all right, and you put your fingerprint down on that MacBook, maybe, you know, to get biometrically to get into it, right? Mm-hmm. Then you need to put a username and password into certain things like your Google thing, and then to get into this recording software, which is web or browser based, you needed another password for that. [00:16:00] Okta is doing the password things for the browser based stuff, but who's working on the hardware or things that are on your laptop, or maybe you have a file server next to your desk or all these different, the meaty things. That's what we had to provide the total solution for, not just what they did, which we do. Does that make sense? That

Michael Koenig: Absolutely.

Greg Keller: Yes.

Michael Koenig: And, and the, one of the main reasons, uh, aside from, you know, you being an awesome person and love, and I love chatting with you, but also one of the main reasons why. I find this really pertinent to COOs is that a lot of us are looking at how do we integrate AI into our business stack? And

Greg Keller: yeah,

Michael Koenig: a lot of the answers here is it depends because it depends on what the pipes are that's powering your data. And so without. Identity access management. This literally determines who has [00:17:00] access to what and which identities speak and interact with your other ones. And it's depends on whether or not how much of that can be automated by your IT team. So. To to listeners, go talk to your IT team and ask them specifically how labor intensive and manual is it to provision a new employee on their first day and then provision them to new software that's coming out, because this is going to be a key part as to whether or not you can have AI enabled in your company in certain, certain places,

Greg Keller: right?

Michael Koenig: Now that I touched on ai, what I'm really curious about is how do you view AI and identity access management as kind of, uh, uh, coinciding? No, no, that's not the word, but converging rather.

Greg Keller: Oh, yeah. I think I'm going to answer that, but let me do a public [00:18:00] service announcement for your COOs. Alright. It, uh, it, uh, it's not a if, but when, uh, progressive COOs, CISOs and then the subsequent IT leaders need to be on the same page, uh, on adoption of and aggressively using AI, lest your businesses fall off the back. Alright. Mm-hmm. There is no question about the impact of AI in all nooks and crannies and corners of the business. All right. Again, I'm queuing on and pinning the, the IT related question. Uh, but it's in continuing the public service announcement. First and foremost, the COO needs to be challenging its employee base on what are you doing now? In order to improve your job efficacy and efficiency, uh, by accelerating time motion, you know, by using [00:19:00] AI first point, right? Second point, that same COO needs to be pointed at the CISO. Saying, I have made a declaration as the chief operating officer to the company that we are going to get better and faster and more efficient and accurate using AI. CISO, what are you doing to support me on the mission to make it secure? Okay. So it absolutely is a function. It, you know, we cannot hand sharpened scissors to every, you know, mid-level manager and IC. The scissor being the AI component and running down the hallway, you're gonna get a lot of upset people tripping over their feet and cutting themselves, right?

Michael Koenig: Mm-hmm.

Greg Keller: So you have to do this responsibly. Case in chief at, uh, at the end of Q3 into Q4 of last year. Barba, my, my co-founder and CEO, um, set the precedent. You know, we, [00:20:00] we are going to measure and start to evaluate. Each employee's utilization, uh, and business units, utilization of AI tooling. We laid the tools out on the table. Many of them, we funded it. We, we evaluated the security of them all, uh, which our CISO is, uh, amazing. His, you know, he assigned his team to do all, all, all of this research and we handed the tooling out. No excuses. Like here it is, this isn't gonna take your job. This is gonna make you better. The results are bonkers. And in fact, you would imagine, oh, the engineer, you know, engineering is. X percent more efficient. Yeah, they are. You would not believe what it's doing to our GTM teams, our finance teams, uh, name it, of course marketing. Um, so that, that's the PSA part, okay? Right? So get behind the initiative, do it safely and securely. Now, on the IT side, you know, it is [00:21:00] a function of evaluating. You know, again, think efficiencies, but think security. Okay. And think the third component of this, which is it's not just about flesh in skin identities, humans,

Michael Koenig: mm-hmm.

Greg Keller: It is about synthetic identities. Mm-hmm. So what are synthetic identities? They're nonhuman. Right. Every time you are interacting with a bot, an agentic bot, it's doing in many ways the role or the task of what you would typically call upon a human to do, right?

Michael Koenig: Mm-hmm.

Greg Keller: Guess what? Those same bots have access requests, right? So the number one thing a team needs to do is what are the agents coming into my business? What are the ones going out from the business and really assessing what do they have access to in either direction? [00:22:00] Right? Does the bot responding to our customers, maybe through a customer chat vehicle, is it confined to only, you know, the dataset related to that customer? So there's no permeate, permeation or co-mingling, but any other data is. How do you control that? Same thing inbound. You and your COOs are gonna start to hear acronyms like. MCP, Model Context Protocol. It's just frankly a, a, a front door. Think of it as a front door. API stack that lets agentic bots talk to your infrastructure. Same thing. What is that thing have access to? Mm-hmm. What are its swim lanes and bumper guards? You're going to give ag agentic bots access to, you know, because the end result. Either A with good bumper guards is amazingly productive for external services to [00:23:00] go and work with your service very seamlessly. Efficiencies. The bad side of that coin is the agentic bots start to learn APIs about your infrastructure, and it is making assumptions on what it thinks it can do to solve a problem that, you know, was tasked to it, right? Mm-hmm. So, like I, it, it all comes down to appropriate access controls. IAM. Into infrastructure or other services within your environment. Right. So it's a big, big part of it's, you know, think of it as a, this space is changing, it's changing every month. Yeah. Frankly, every other week, you know, there's an advancement. It's happening that fast. So, you know, companies like ours are on the forefront of working to solve those problems.

Michael Koenig: Yeah. And I love this because. You just answered three more of my questions, which was [00:24:00] posing whether or not, uh, there's going to be a shift towards a humanless directory where AI agents and devices outnumber people and identities, but also, um, this next one. You know, for listeners, this is, we have a shortened recording session today because everything's going nuts on Greg's end in a good way. Um, and so

Greg Keller: you can keep driving. Yeah.

Michael Koenig: Cool. Um, well two, two questions left here then. Um, the first, and this is just more of a thought process and. Again, this may cause listeners' eyes to glaze over, but I'm really curious about what you think here. Could AI be the ultimate insider threat? Like not through hacking, but by misinterpreting or manipulating policies and hallucinating its way into admin access.

Greg Keller: Yeah, I think, listen, it, it's not an if, like this is an actual practical reality. Um, and you know, with the, again, the, um, uh, I, I, I'll promise the COO's eyes will not [00:25:00] super glaze over. I'm gonna use some technical terms, but it basically like any other human. You, you provide entitlements to the human right. Your, um, you know, rank and file IC engineer is gonna have a very specific set of entitlements, what are called scopes, right? This is what you can get access to once you're in, you know, here's the things you can do in the system. Okay.

Michael Koenig: Mm-hmm.

Greg Keller: A lot of that is, is happening now on the agentic side. And the reason for that is many of these AI based systems still leverage API keys instead of tokens. Tokens are are, you know, widely regarded as in some cases, not all cases, but. More progressive. 'cause you can control them, time them out, you know, they're just more, um, manageable in many ways. Mm-hmm. And the rigor around [00:26:00] API keys. Which are an older manifestation of, you know, a, a kind of a, a secret, a password, right? They're often, you know, there's no timeout for them. There's, uh, there's either, there's, there's also not a lot of granularity in, you know what the API key when assigned to something can do, it's. You get all the access. Yeah. Or you're like, read only, like you can do it. You know nothing, but you can see things. Right. So there is uh, uh, I think a maturity level that has to happen. Um, you know, so that, you know, we don't turn our teams who. Build or not building, but rather, you know, deploying API systems. Mm-hmm. And turn them into the Oprah moment. You get an API key, now you get an API key. Now you get an API key and before you know it, you have no go governance or manageability over. Oh my God. Like, you know. Who was the, [00:27:00] the, the service account? What was the service account that was assigned to this? API key that we gave to the thing and what were, its, its entitlements and scope and range of. You know what I mean? Yeah. So it's, you know, again, in the, in the, in the spirit of moving fast and everyone's excited to, you know, leverage this ai, there has to be some level of governance over it, you know?

Michael Koenig: Yeah. And it's such a fine line be between finding that balance of, uh, not too much restriction, but just enough.

Greg Keller: You're right, right,

Michael Koenig: Greg, because, uh, you just offered for a few more minutes.

Greg Keller: Yeah.

Michael Koenig: It's time for my, my last favorite question. Um. We've all had those moments in the executive seat where we've seen something just totally crazy and thought to ourselves. I never thought I'd see that. Do you have one you can share?

Greg Keller: Oh, Michael, that is the threshold question. Um, yeah, let me, uh, you got me on the spot here. [00:28:00] Um. So I guess 32 years in, in industry. Um, at this point I've seen a ton. I've entered the workforce when it was still very, very much like how things had been done, you know, decades and decades prior. There was no email or anything. The internet wasn't a thing when I joined the workforce. It was, you know, very analog in that way. Um, so you, you may think that. My knee-jerk response is, well, I never thought that I'd see, you know, software, write emails for me and, you know, do my job so I can sit back and be brain dead, you know? No, by the way, I, I, I'm still waiting for my jet pack as I was promised in the seventies as a child. So, uh, 100%. Um, the software aspect doesn't. Um, you know, surprise me. [00:29:00] You, you know what I, I'm gonna actually put a, a kind of a meaningful twist on this. You know, what does surprise me? It is our nation's inability to heal and cure itself and galvanize itself in order to be the absolutely best luminary nation on earth. Progressively. Um, I'll stick to the software and technology vein. And, you know, we have given birth to many of the, if not, you know, the majority of the world's most progressive technology inventions. And we are not, you know, capable enough to see or otherwise respond to many of the, the, you know, the, the global moves happening. In order to protect our interests as, you know, the, the most progressively, uh, technologically, uh, innovative nation state on earth. You know, I would challenge everybody [00:30:00] to understand the following fact that, you know, I travel the globe multiple times a year and sitting in an office in Kuala Lumpur with, um, some of the most amazing, um, software engineers that I've ever seen, and they have. Aggressive startup culture and they want to change the world. 
Um, how do we get that mojo back, you know, that was the mojo that built this amazing country. And you know, how do we really look at ourselves and say, we can get back to that place. We can get back to that place. So there you go. That is one thing that, you know, as a child growing up in the seventies and eighties, you know, when you have this flag waving Americana and you know, we're just the best. Well, guess what? Um, right now. There is a two-man team in Pune, India [00:31:00] or Jakarta, or in Curitiba, Brazil that have the tooling, the capability, the knowledge, and most importantly, the motivation to go and build the next trillion dollar, multi-trillion dollar company like that, I think is what I never expected.

Michael Koenig: Well, we ran into some technical issues just when Greg finished answering that question. Luckily it was the last one of the podcast, so that in mind, a big thank you to Greg Keller for joining me. You can check him out on LinkedIn. I'll drop a link in the show notes as well as JumpCloud if you're looking for an identity access management solution. I'm your host, Michael Koenig. Thanks so much for listening to this week's episode of Between Two COOs. Tune in next time and until then, so long.
