Podcast highlights from Smells Like Identity Hygiene
You can have the strongest walls and the most advanced tools, but if someone can slip in by pretending to be you, those defenses will not matter. That is why identity has become the real perimeter of security.
In this post, we share key takeaways from the Smells Like Identity Hygiene episode “Zero Trust and Cowboy Boots,” featuring special guest Marene Allison, former CISO of Johnson & Johnson, and host Rosie Mastrogiacomo, CSO at SPHERE Technology Solutions. Their conversation blends career lessons with practical insights about modern threats and the importance of managing every identity, whether it belongs to a person, a system, or an AI agent.
From Firewalls to Identity as the Perimeter
Marene’s career in security began in the U.S. Army and FBI, where she learned to focus on the threat before designing the defense. In her corporate work, she saw the shift from physical and network boundaries to identity as the primary security control.
Rosie described this as a fundamental change in the industry:
“Security was about the perimeter, was about the firewall, was about the anti-virus and protecting the individual device as we transitioned from that to thinking about identity as the perimeter.” – Rosie Mastrogiacomo
Marene pointed out that identity is often owned by IT or application teams rather than security. This separation can create dangerous blind spots.
“You can’t really do true security if somebody’s in and they can be Rosario. There is no way you can defend against that.” – Marene Allison
Her advice is to make identity governance a core part of the security function. Without that focus, attackers with valid credentials can bypass even the most sophisticated defenses.
Zero Trust Is About Data, Not Just Networks
Many organizations still see Zero Trust as something that stops at the network edge. Marene believes the real focus should be on the data itself.
“The reality is it’s Zero Trust who is touching the data. You’re touching the data at the application level or data lakes or clouds. And it moves so rapidly.” – Marene Allison
This approach covers all identities: employees, contractors, privileged accounts, APIs, and machine identities. In both cloud and legacy environments, outdated permissions and orphaned accounts often linger without oversight. These hidden risks can be exploited if not addressed.
For Marene, Zero Trust means continuously validating access at the data layer, not just verifying who enters the network. It requires visibility, ownership, and regular reviews for every account that can interact with sensitive information.
Bots, AI, and the “Third Category” of Identities
Identity used to mean either a human or a machine. Today, there is an expanding middle category: bots, automation scripts, and AI agents that work independently but still need credentials.
“I think we have this bot worker load in the middle that is certainly something we need to look at. And you don’t know how things are connected all the time. And especially if you look at things like consultants rushing to bring in bots, but did they use secure protocols to be able to register those bots in those identities?” – Marene Allison
Marene noted that the speed of AI adoption today feels like the early rush to the cloud, when new technology was deployed faster than governance could catch up. Without oversight, these non-human identities can accumulate broad permissions that no one is monitoring.
Rosie added that these accounts must follow the same security principles as human identities: least privilege, lifecycle management, and clear ownership.
Build for Adaptability, Not Just the Latest Trend
Marene’s closing advice comes from decades in leadership. Technology and threats change quickly, so identity programs need to be adaptable and guided by an understanding of the risks.
This adaptability might mean securing a new AI-driven process, meeting an updated compliance rule, or removing access from accounts that have been inactive for years. Staying effective is not about chasing every new tool. It is about embedding governance into daily operations and making sure every identity, human or not, is properly managed.
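The hygiene checks the conversation keeps returning to (a named owner for every non-human identity, removal of credentials nobody has used, least privilege on data stores) can be run as a review over an identity inventory. The script below is an added example, not code from the episode or from SPHERE; the inventory records, field names and the 90-day inactivity threshold are constructed assumptions, and a real review would read from an IdP or cloud IAM export.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Identity:
    name: str
    kind: str                  # "human", "service", "bot" or "ai_agent"
    owner: str | None          # accountable human; None if nobody is recorded
    active: bool               # False once disabled or offboarded
    last_used: date | None     # None if the credential has never been used
    entitlements: list[str] = field(default_factory=list)

STALE_AFTER = timedelta(days=90)   # assumed inactivity threshold
SENSITIVE_PREFIX = "data:"         # entitlements on data stores (Zero Trust focus)

def review(inventory: list[Identity], today: date) -> dict[str, list[str]]:
    """Return hygiene findings keyed by identity name, active identities only."""
    active_humans = {i.name for i in inventory if i.kind == "human" and i.active}
    findings: dict[str, list[str]] = {}
    for ident in inventory:
        if not ident.active:
            continue
        issues: list[str] = []
        non_human = ident.kind != "human"
        # Ownership: a bot, service account or agent needs a still-active owner
        if non_human and ident.owner is None:
            issues.append("no_owner")
        elif non_human and ident.owner not in active_humans:
            issues.append("orphaned")      # owner left, credential kept working
        # Lifecycle: never-used or long-unused credentials should be removed
        if ident.last_used is None or today - ident.last_used > STALE_AFTER:
            issues.append("inactive")
        # Least privilege: wildcard or admin rights on a data store
        if any(e.startswith(SENSITIVE_PREFIX) and e.endswith(("*", "admin"))
               for e in ident.entitlements):
            issues.append("overbroad_data_access")
        if issues:
            findings[ident.name] = issues
    return findings

# Constructed sample inventory: one offboarded human whose service account
# still works, an unowned consultant bot, and an AI agent with admin on HR data.
TODAY = date(2025, 1, 15)
SAMPLE = [
    Identity("alice", "human", None, True, date(2025, 1, 12), ["data:finance:read"]),
    Identity("bob", "human", None, False, date(2024, 11, 2), ["data:lake:read"]),
    Identity("svc-etl", "service", "bob", True, date(2025, 1, 14), ["data:lake:*"]),
    Identity("consultant-bot", "bot", None, True, date(2024, 6, 1), ["data:crm:read"]),
    Identity("copilot-agent", "ai_agent", "alice", True, date(2025, 1, 13), ["data:hr:admin"]),
]

def run_sample() -> dict[str, list[str]]:
    return review(SAMPLE, TODAY)
```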
To hear the full conversation, including Marene’s perspective on cowboy boots, Keurig coffee machines, and what she calls the digital “poverty line,” watch the full episode of Smells Like Identity Hygiene on YouTube: Zero Trust and Cowboy Boots.