The takeaways, in brief
- Intrusions went identity-first. The shift from brute force to attackers “breaking in by logging in” reframes the whole defensive problem around identity.
- Passwordless can hide passwords. Many passwordless tools call APIs with hidden passwords underneath — masking the problem rather than solving it, so the architecture matters more than the label.
- Be pragmatic on quantum. Constant rotation and continuous trust mitigate the risk substantially; post-quantum won’t arrive in an afternoon, and teams will see it coming.
Bert Kashyap is co-founder and CEO of SecureW2. Rather than a keynote, he hosted a live Q&A with two practitioners — Okta’s Chris Carlson and Databricks’ Kyle Dimmick — at the SecureW2 × Myriad 360 customer panel at The Battery in San Francisco. Between questions, Kashyap offered SecureW2’s framing on identity, passwordless architecture, and quantum. We pulled those moderator threads together.
Why a practitioner Q&A instead of a product talk?
We wanted something authentic — a Q&A with practitioners that could cover the topics top of mind for everybody in the room. And we can’t thank our partner Myriad 360 enough for co-hosting this with us.
How has the threat picture shifted, and what does AI do to shadow IT?
We’ve been seeing AI transition from a consumer novelty to a force multiplier for attacks. And we’ve seen a shift from brute-force attacks to attackers breaking in by logging in — identity-heavy intrusions.
The shadow IT problem is exponential now with what AI can do — and not just from a productivity standpoint. There’s a cool factor about AI that everybody wants to get in on, from Claude Code to OpenClaw. People are just getting into stuff.
SecureW2 advocates passwordless. What’s the catch most teams miss?
We advocate a lot for passwordless, certificate-based auth. But one of the key things I think about is that many passwordless technologies use APIs that have hidden passwords — so you’ve just masked the problem. A broader look at a core passwordless architecture is something everyone needs to dive deep into.
What’s great is I get to rely on Chris and Okta’s advancements in IDP. The pieces work best when they reinforce each other.
You’ve been hearing about quantum for 20 years. Where does it sit on your priority list?
I’ve been in the cyber business 20-plus years, and we’ve been talking about quantum for 20 of them. We take a very pragmatic approach. All the pieces along the stack need to be enabled, but if you’re doing the good things these practitioners are doing now — constant rotation, continuous trust with our platform — you’re mitigating that risk substantially.
Post-quantum isn’t going to arrive in an afternoon; we’ll see it coming. Taking a pragmatic view is always a good thing. And with something like the AirSnitch vulnerability in the news, it’s a reminder of the damage someone can do once they’re inside the network — which is exactly why identity, not the perimeter, has to carry the trust.
The throughline
Across the panel, the practitioners and their host converged on the same idea from different seats: the network is not a trust boundary, and identity is. Carlson treats the office like a Starbucks; Dimmick automates certificate rotation in code and shrinks the L2 blast radius; Kashyap names the era — attackers logging in rather than breaking in. The shared answer is continuous, certificate-based device trust layered with everything else, rather than any single control.
Quotes are drawn from the SecureW2 × Myriad 360 customer panel at The Battery, San Francisco. Lightly edited for length and clarity. Used here in a design mockup.