Spherical Cow Consulting

NHI governance must account for a sprawl of information. Artwork depicting Globe viewing from space at night with flight routes between cities. (World Map Courtesy of NASA: https://visibleearth.nasa.gov/view.php?id=55167)

Heather Flanagan
April 22, 2025April 13, 2025
Industry Ideas

Who Owns the Bots? Rethinking Governance for Non-Human Identities

Not that long ago, non-human identities (NHIs) were governed by neglect; provisioned manually, tied to a cron job or batch script, maybe mentioned in a change ticket, and rarely touched again. No formal lifecycle, no regular reviews, and certainly no clear ownership. If you remembered to rotate the password once a year, you were ahead

Magnifying glass focusing a laptop, smart phone. Introspection of technology.

Heather Flanagan
April 15, 2025April 13, 2025
Deep Thoughts, Hot Takes

Is Introspection a Bug or a Feature?

When we talk about introspection in digital identity, we’re not just talking about what happens in OAuth 2.0. Yes, there’s a token introspection spec, but this post is about something broader: the idea that platforms—especially browsers—can inspect and influence the identity data being exchanged. Is that a good thing? Apple and Google disagree on just

Global collaboration on standards is critical. Will it still happen in the future?

Heather Flanagan
April 8, 2025March 16, 2025
Uncategorized

The Future of Open Standards: Politics, Sovereignty, and the Role of SDOs

The open standards development process, whether at the IETF, W3C, or OpenID Foundation, has always been a balancing act. While politics inevitably plays a role (where there are people, there are politics), technology has historically held at least an equal seat at the table. At least, it did. With shifting geopolitical priorities and radical changes

Heather Flanagan
April 1, 2025March 16, 2025
Deep Thoughts

The Boundaries Between Standards and Policy: AI Training as a Case Study

One of the areas I’m tracking from my usual standards’ perspective is how we set up guardrails for AI—how we contain its risks while still allowing the world to benefit from its utility. This challenge provides an excellent case study in the limitations of technical standards and where policy must step in to complement them.

Heather Flanagan
March 25, 2025March 2, 2025
Hot Takes

Why Enterprises Should Care About Digital Credentials (Even If It’s Complicated)

Digital Credentials (also known as verifiable credentials) have been promoted as the next best thing for keeping individuals secure in their online as well as in-person transactions. But what about companies? What does a typical enterprise get from moving down the digital credential path? On the one hand, they get a leg up on fraud.

business competition, A worthy competitor, Player confrontation, Administration and Management., 3d rendering

Heather Flanagan
March 18, 2025March 18, 2025
Deep Thoughts, Industry Ideas

Digital Credentials vs. Traditional Federation: What’s the Difference?

tl;dr: Traditional identity federation has enabled digital identity with centralized, third-party logins, for decades. Its limitations in security and user control, however, are becoming a problem, especially when there are alternatives being developed. Digital credentials offer a decentralized, user-empowering alternative that enhances privacy and enables offline authentication. We’re looking at a brave new world with

tension between standards and reality is like balancing boards on top of each other and a ball

Heather Flanagan
March 11, 2025February 15, 2025
Industry Ideas

Standards vs. Reality: The Long Tail of Legacy Systems

From NHI to AI to Shared Signals, even in CIAM it comes back to standards versus reality. Identity standards paint a perfect future: passwordless logins, verifiable credentials, and seamless trust. I love that picture; I want to frame it. Alas, legacy IAM, tight budgets, and a business case that still boils down to ‘but will

Shared signals bouncing through space above Europe.

Heather Flanagan
March 4, 2025March 4, 2025
Industry Ideas
1 Comment

Shared Signals: Who Pays the Price for Stronger Identity?

What if fraud prevention was, you know, a shared effort? That’s where the Shared Signals Framework (SSF) comes in! The idea behind shared signals is simple: instead of each company detecting threats on its own, organizations (or systems within an organization) can share security events—like compromised credentials or suspicious logins—in real-time. The SSF, developed by

Heather Flanagan
February 25, 2025March 2, 2025
Hot Takes, Industry Ideas, Uncategorized

What AI Agents Can Teach Us About Fraud in Consumer Identity

The irony with urgently questioning how to tell whether something is an AI or a person is the fact that we’re struggling just as much to distinguish humans from… well, other humans. This is, in fact, not a new problem at all. After writing about the AI vs Human issue in a previous post, I’m

A cryptographic math maze circle with path to center; which path you actually take is secret thanks to zero-knowledge proofs.

Heather Flanagan
February 18, 2025February 15, 2025
Deep Thoughts, Industry Ideas

Zero-Knowledge Proofs: Privacy, Innovation, and Equity

Imagine being able to prove you’re old enough to buy a drink without flashing your ID—or proving you have insurance without handing over your policy details. Sounds like magic? It’s just math. Zero-Knowledge Proofs (ZKPs) might be the biggest leap for privacy since encryption, but they also come with serious challenges. Let’s talk about the