“The day this blog post comes out, I’ll be in Grapevine, Texas, at the Gartner IAM conference, moderating a panel called ‘What I Wish I Knew When I Started in Identity.‘”

I’ll be on stage with Elizabeth Garber and Andrew Cameron—two people who understand identity from very different angles and bring the kind of honesty you want on a panel like this.

Preparing for the session meant sitting down with the questions I planned to ask and forcing myself to give the same level of reflection I expect from the panelists. And as I started writing, it felt like something worth sharing more broadly. Because what people wish they knew at the beginning often says a lot about how the field has changed and where it’s going next.

But before diving into the questions, it’s worth pausing on why this conversation matters now.

You can Subscribe and Listen to the Podcast on Apple Podcasts, or wherever you listen to Podcasts.

And be sure to leave me a Rating and Review!

Why this matters now

Maybe it’s because I’m in the middle of so many overlapping projects right now, but I’m seeing an unmistakable shift in who cares about digital identity. For years, it felt like a specialization tucked deep inside infrastructure teams, academic federations, or standards groups that met in windowless hotel conference rooms. Identity mattered, but it wasn’t popular.

Today, it’s showing up everywhere.

People are trying to figure out how they’re going to identify, authenticate, and authorize AI bots that act with varying levels of autonomy. Teams are scrambling to understand the reality of age-verification requirements and what it actually means to handle age signals responsibly. Product managers are waking up to the fact that wallets, passkeys, and browser-mediated login flows are going to shape their user experience, whether they planned for it or not.

Even people who don’t think they work in identity suddenly find themselves pulled into it. If you work on customer experience, fraud, security, payments, or content moderation, identity is now sitting right in the center of the decisions you need to make.

When more people enter the field—or simply become aware that this field is now part of their job—they usually arrive with a healthy mix of curiosity and apprehension. They can sense that identity is important, but they also sense it’s complicated. And they’re right.

That’s why this panel feels timely. We have a growing number of people stepping into identity, and they deserve not just technical documentation or product briefs but actual guidance. They deserve someone to say, “Here’s what I wish I knew when I started.” So that’s what I set out to do as I prepared my own notes.

Patterns I see in people new to identity today

There’s some received wisdom in the identity world that it takes about two to three years before someone feels steady navigating IAM. And that’s IAM in the traditional sense—provisioning, access control, directory systems—which is only one piece of the bigger digital-identity picture. Add things like federation, wallets, regulatory requirements, and browser-level shifts, and the surface area expands quickly.

Most newcomers have no idea what they’re stepping into.

They think they’re going to learn a couple of protocols, pick up some security basics, and maybe memorize a few acronyms. Instead, they find themselves in a space that touches policy, governance, trust frameworks, user experience, cross-border regulation, platform politics, and long-running historical debates that occasionally flare up like old family arguments.

The most common thing I hear from people in their first six months is some variant of: “I didn’t realize how big this was.”

And because it’s big, it’s also intimidating. The learning curve feels like a hill that grows steeper as you climb it. Newcomers oscillate between excitement—because identity really is fascinating—and frustration, because every answer seems to introduce a new question.

The encouraging part is this: people who stick with identity tend to be generous with their experience. The community has its quirks, but it also has a strong culture of mentorship. If you show enthusiasm and a willingness to learn, someone will take the time to help you understand the puzzle you’re staring at.

These are the patterns I had in mind as I drafted answers to the panel questions—because I want newcomers to know that the confusion they feel is normal. And survivable.

1. The misconception I had at the start

For a long time, I believed—quite sincerely—that everyone understood the critical nature of digital identity.

My very first job in tech was as a Galacticom Bulletin Board System operator. A BBS SysOp. This was long before I knew anything about formal IAM or the standards world. But even in that system, primitive as it was, my job boiled down to two essential responsibilities: managing accounts and deciding what those accounts could do.

It turns out that theme followed me everywhere. Every job I’ve ever had—whether it looked like identity or not—was ultimately about understanding users and determining what they should be able to access.

Because of that, I assumed other people saw technology the same way I did: through the lens of identity. But most people don’t. Most people think in terms of the service they’re using, not the infrastructure that makes it possible. They focus on sending and receiving email, buying and selling goods, publishing or reading online material. The identity plumbing that makes all of that possible feels invisible to them.

It took me longer than I’d like to admit to realize that what feels like “the obvious starting point” to me is not where most people’s mental models begin. Understanding that gap changed how I communicate and how I frame problems. It made me more patient. It helped me bridge conversations between IAM specialists and colleagues who were looking at the world through completely different lenses.

2. The advice I’d give my younger self

If I could go back, I’d tell my younger self not to be so intimidated by the people who had been working in identity forever.

When I started attending standards meetings and community gatherings, I found myself surrounded by people who seemed impossibly knowledgeable. They spoke in acronyms I didn’t know, referenced failures I had never heard of, and debated edge cases that felt light-years beyond my understanding. I spent the first few meetings convinced I should sit quietly and hope I didn’t expose how little I knew. (Does this sound familiar?)

But here’s the secret I wish I’d learned earlier: the people who have been in identity the longest are often the most generous with their time. They’ve made mistakes. They’ve learned hard lessons. They’ve held their heads in their hands after a deployment disaster. They’ve had opinions shaped by actual lived experience, not theoretical purity. And most of them stay in this field because they care about helping people understand it.

Once I started asking questions—real questions, not perform-to-impress questions—I discovered that these conversations were the best part of entering the identity world. They helped me understand not just the “what” but the “why.” They gave me a sense of the history that sits behind every architectural argument. And they helped me see identity as a community, not a solo pursuit.

I wish I’d started those conversations earlier. They’re the ones that helped me grow.

3. The tradeoff I didn’t fully appreciate

Identity is built on tradeoffs. That part I understood early on.

What I didn’t appreciate was how inconsistent people can be in identifying and managing risk.

Some people see risk everywhere. They’re so good at spotting potential problems that they become paralyzed. They worry themselves into inaction, convinced that every decision is too dangerous to make. When I worked in research & education, these people were the bane of my professional existence.

Others take the opposite approach: they assume the happy path will prevail and dismiss the possibility that anything could go wrong. They don’t see risk so much as they see inconvenience, and they ignore honest questions that might complicate the roadmap. (I’m not going to say I see this frequently in standards development, but, well…)

For a long time, I expected people to meet somewhere in the middle—to balance caution with pragmatism. It took years of experience to realize that “balanced” isn’t always a natural instinct. It’s something we have to cultivate. And in identity work, you see these extremes up close because identity touches everything. Every risk conversation becomes a mirror for the organization’s worldview.

Learning that was freeing. It helped me reframe risk discussions into something more human. It helped me understand that sometimes people aren’t being difficult—they’re reacting to uncertainty in the only way they know how. And it made me far more effective at guiding teams toward decisions that acknowledge real risk without turning everything into a crisis.

4. The moment I realized identity is more than authentication and authorization

Identity isn’t just authN and authZ. Most people who’ve been here for a while know that, but I learned it early thanks to the Research and Education world.

My first influences came from the federated-identity ecosystem built by Internet2 and the MACE community at the start of this century (links to that group are long gone, but you can see a brief description from this page published back in 2006). People like Lucy Lynch, Scott Cantor, Tom Barton, Ken Klingenstein, Michael Gettes, and many others were building not just technology, but relationships, trust frameworks, and community norms that allowed institutions to work together.

Working in that space made it obvious that identity is more than protocols. It’s how communities decide who belongs, who can access what, and what the boundaries of collaboration are. You can’t separate the technical choices from the governance choices, or the policy questions from the deployment questions.

To this day, that early influence shapes how I think about identity. I see it as infrastructure, yes—but also as a social function. And I’m grateful to the people who put me on that path.

5. What I hope newcomers learn faster than we did

If there’s one thing I hope people entering the field understand sooner, it’s this:

Focus on your immediate needs, but never lose sight of the bigger picture.

You may be solving a local problem—an onboarding flow, a consent experience, a directory restructuring, a federation integration—but the forces shaping your future are global. Regulations you’ve never heard of will affect you. Standards being debated in other regions will shape your architecture. Browser shifts driven by privacy expectations will break the assumptions your systems rely on. Identity doesn’t stand still. And neither do the requirements around it.

The sooner people recognize that identity sits at the intersection of local implementation and global influence, the quicker they can design systems—and careers—that are resilient. That understanding turns frustration into curiosity. It turns confusion into engagement. And it turns newcomers into practitioners who can help move the field forward.

Welcome to digital identity

Moderating this panel also reminded me how much I’ve benefited from other people’s generosity over the years. Every insight I have now came from a conversation, a mistake, a hallway debate, or a moment when someone took the time to help me understand something I was struggling with. None of us figures this stuff out alone.

If you’re new to identity, I hope some part of this helps. And if you’re at Gartner IAM this week, come say hello. There’s always room for more voices in this conversation; you never know what you’ll wish you knew today that you’ll be glad you learned tomorrow.

📩 If you’d rather track the blog than the podcast, I have an option for you! Subscribe to get a notification when new blog posts go live. No spam, just announcements of new posts. [Subscribe here] 

Transcript

[00:00:04] Welcome to another episode of Digital Identity Digest, the audio companion to the blog at Spherical Cow Consulting. In this episode, recorded while I’m in Grapevine, Texas for the Gartner IAM Conference, we explore a panel theme that turned out to be a great topic for both the blog and audio: What I Wish I Knew When I Started in Identity. transcript-What I Wish I Knew W…

As more newcomers enter the industry, understanding its nuances matters more than ever. And today’s conversation offers guidance for anyone beginning their identity journey.

---

Why This Conversation Matters

---

[00:00:30] As the industry shifts, digital identity is drawing in people who never expected to work in this space—product managers, security teams, payments specialists, fraud analysts, and more. Identity, once a quiet corner of tech, has become the thread running through everything. transcript-What I Wish I Knew W…

From AI bot identification to age-verification laws and wallet-driven user experiences, digital identity now influences decisions across organizations.

Short version:

• The field is evolving quickly.
• Newcomers are arriving fast.
• The questions are getting harder.

And many people are looking around thinking, Where do I even begin?

---

The Learning Curve in Digital Identity

---

[00:02:53] There’s a common bit of unofficial wisdom: it takes two to three years to feel proficient in IAM. And that’s just the IAM slice—provisioning, access control, directories. The broader digital identity landscape includes: transcript-What I Wish I Knew W…

• Policy and trust frameworks
• Cross-border regulation
• Governance models
• A long history of assumptions and decisions

Newcomers quickly discover that the answer to nearly everything is: “It depends.”

Identity is:

• Messy
• Political
• Global
• Occasionally maddening

But the good news?
The identity community is full of people who remember exactly what it feels like to be overwhelmed—and are quick to help others find their footing.

---

Misconception #1

Everyone Understands How Important Identity Is

---

[00:04:30] One of the first misconceptions I had was assuming everyone else saw digital identity as foundational. My early tech jobs all revolved around managing accounts and access, so it felt obvious to me. But most people don’t think this way. transcript-What I Wish I Knew W…

[00:05:30] To them, identity is invisible—until it breaks. They think about what a service does, not who is behind the scenes managing identity plumbing.

Once I stopped assuming shared context and started building that context instead, conversations became much easier.

---

Advice to My Younger Self

Don’t Be Intimidated by Standards Communities

---

[00:05:59] In my early standards-meeting days, everyone seemed impossibly knowledgeable, speaking in shorthand and referencing protocols long dead. I spent more time trying not to look ignorant than I spent learning. transcript-What I Wish I Knew W…

Key things I wish I had known earlier:

• The most experienced people are often the most approachable.
• They want new voices in the room.
• Everyone—even the experts—has moments where they don’t know what’s going on.

Once I started asking honest questions, everything shifted. I gained not just technical understanding, but also the why behind decisions and standards.

Digital identity is not a field you grow into alone.

---

Understanding Trade-offs

The Many Faces of Risk

---

[00:07:38] I knew risk mattered, but I didn’t understand how differently people experience it. Some see risk everywhere and freeze. Others see almost none and assume everything will work out fine. transcript-What I Wish I Knew W…

People experience risk based on:

• Emotion
• Personal history
• Past failures
• Past successes

Recognizing this helped me shift conversations from fear or denial into something more balanced. Most people aren’t being difficult—they’re just responding to uncertainty with the tools they have.

And in identity, every decision ripples outward, so you learn this lesson quickly.

---

Identity Is Bigger Than Authentication

The Human Side of Trust

---

[00:09:44] My earliest influences came from the research and education community—people like Scott Kantor, Tom Barton, Ken Klingenstein, Michael Geddes, and Lucy Lynch. They understood identity as not just technical, but social and collaborative. transcript-What I Wish I Knew W…

Identity shapes:

• How communities operate
• How institutions decide who belongs
• How governance and technology intersect

That perspective changed everything for me. Authentication and authorization matter, but they’re only part of the larger ecosystem of trust.

---

What I Hope Newcomers Learn Sooner

Think Locally and Globally

---

Newcomers often focus only on immediate challenges—onboarding flows, directory hygiene, access policies. But identity is shaped by much bigger forces. transcript-What I Wish I Knew W…

Global influences that will affect your system:

• Regulations in other regions
• Standards drafted half a world away
• Browser or platform changes you didn’t vote on

Identity moves fast, and assumptions can shift overnight. The sooner you understand the global ecosystem, the better prepared you are to build systems that survive change.

---

Closing Reflections

---

Preparing for this Gartner panel meant looking back at the debates, uncertainties, and conversations that shaped my understanding of digital identity. Everything I know came from people willing to share their stories—and sometimes their cautionary tales. transcript-What I Wish I Knew W…

If you’re new here, I hope these reflections make the path a little clearer.
And if you’re at Gartner IAM this week, come find me—I always love meeting people just starting to understand how big and fascinating this field really is.

---

Outro

---

[00:13:02] Thanks for listening to this episode of Digital Identity Digest. If you found it helpful, please share it with a colleague and connect with me on LinkedIn @hlflanagan. And of course, subscribe and leave a review wherever you listen to podcasts. You can always find the written version at sphericalcowconsulting.com.