David Berlind

Artificial intelligence is in-position to do some very non-artificial damage as threat actors really look to harness it in 2026 in order to inflict unprecedented financial and reputational damage (not to mention identity theft). I gathered expert opinions from some of the best threat intelligence and #cybersecurity pros on the planet to find out how these #AI attacks and will happen and published my findings on @ZDNET zdnet.com/article/10-way…

According to @levie, the ratio of AI agents to humans will be 1000:1. If that's so, we'll need a new way to track how those agents are permissioned to access an organization's systems of record. As I explain on @ZDNET, @okta has proposed an extension to the #Oauth standard to make that possible. zdnet.com/article/okta-i…

Thanks @levie. I've been writing about what I think is a new category: Agent IAM or AIAM. As you say, most of these agents will have delegated access. Resource servers like Box are going to get slammed with Oauth requests. The autonomy and ephemerality of agents will exacerbate the scenario. I've been wondering what the ratio of agents:users will be. There isn't much in the way of data or research. But 1000:1 is quite a prediction.

We’re moving to a world where there will be 1,000x more agents than people working with software. In that world the value of systems of record goes up not down. The ability to control what AI agents have access to, govern their workflows, integrate their work into a broader process, ensure consistency and reliability, and so on, will be even more important than it was when we just had people involved in these workflows. And as long as agents are extensions of existing users in the work they’re doing (a legal contract agent working on behalf of a user), agents will run alongside SaaS in a heavily complementary way. As a result there are 3 outcomes that will happen: 1. Existing systems of record will be the natural launch off point for agents that deal with many existing categories of workflows, assuming they can move and adapt fast enough. This will be the case the more existing data and workflows are required for an agent to be effective; with the X factor being how quickly the incumbent can pivot and evolve their platform. 2. In some categories the system of record won’t move fast enough, or needed solution for agents is so different from the existing system, that AI-native platforms will better serve customers. This will be more pronounced in areas where there’s no data or workflow moat, or where agents aren’t natural extensions of the existing user seats. We’re seeing this in customer service, and a handful of other categories. 3. The biggest play for the new entrants, however, will be all the new categories for AI agents that don’t have a traditional software complement today. Because AI agents will bring automation to all areas of knowledge work, there are many categories of work that don’t have a natural software player. This will mostly be services categories traditionally or new forms of software going after roles that never had tools. Overall, AI agents + software are going to work together and this mostly just represents a major TAM expansion for all software.

For an article that I'd like to write on @ZDNET, I'm looking for users of @evernote to discuss recent pricing changes.

A chicken-and-egg paradox: If you need to be logged in to your password manager so that you can login to everything else without a password, then how is a passwordless login to your password manager possible without the help of that same password manager? Answer? It's not... unless.... (my latest on @ZDNET) zdnet.com/article/dashla…

Starting today, @Microsoft's Authenticator no longer supports passwords. But all the coverage of this change claims that Authenticator still manages #Passkeys. As it turns out, that's only in certain edge cases. Here's the scoop: zdnet.com/article/micros…

With polymorphic extensions, @getsquarex has exposed how the permissions process for browser extensions is pretty much useless. @Google (who didn't respond to my inquiries) needs to start over with how such permissions are granted and managed zdnet.com/article/your-p…

Today is #WorldPasswordDay. I wrote up my top 10 current tips for working with #passkeys right now (even though the passkey ecosystem isn't 100% ready for primetime) Props to @ZDNET's @jasonhiner for pushing me to write it and to @dgrober for a great edit zdnet.com/article/10-pas…

While I appreciate this author's enthusiasm for #passkeys, he & @Forbes are misinforming you in saying that passkeys are a form of account authentication linked to the security hardware on your device. Yes, they *can* be. But in most cases, they won't be forbes.com/sites/zakdoffm…

The big idea behind #passkeys is to get rid of passwords. That idea alone is scary to a lot of people. A lot of education is going to be necessary. If we screw the story up, it will only delay adoption. This @ZDNET article gives an example #security zdnet.com/article/if-we-…

@windley 💯 @windley Great to hear from you BTW. It's that hit or miss nature that's going to slow adoption down. Also because from one user journey to the next, it's hard to know who's responsible for the hits and who's responsible for the misses. It might get better. Fingers crossed!

I agree. I often tell people that passkeys work so well that most people won’t believe anything happened. And that’s a problem. Also, using a passkey aware password manager helps take a bit of the sting out of different UXs. But it’s still hit and miss.

There are many posts on the web about how #Passkeys are a failure. Yes, the road to passkeys (and maybe a #passwordless future) is littered with potholes. But, in this @ZDNET article, I'm "glass half-full" for now zdnet.com/article/why-th…

I never considered the intersection of #Agentic #AI , credential managment (aka "password management"), and #APIs until I reported on this @1Password news for @ZDNET zdnet.com/article/1passw…

@zenobiaZAG "Wrapped up in job title" would be an immediate red-flag for me. So much to unpack from that concern. Less concerned about job description. There are subtle differences between the need for a DWIT attitude while at the same time aligning with your boss on key expectations.

Talked to a mentee who's thinking of hiring an early employee. Great resume, but the candidate seems really wrapped up in titles, job description, etc. Your co-founders must be willing to do EVERYTHING, from taking out trash to negotiating biggest deals. Let's see what he does...

Microsoft has disqualified many Windows 10 PCs from being upgraded to Windows 11. Microsoft is also discontinuing support for Windows 10 this October. @edbott8 has the workaround on @ZDNET zdnet.com/article/how-to…

I've returned to @ZDNET to do some writing and here's my first contribution. HINT: According to the lawyers, if you plan to travel throuugh a US point-of-entry, you might want to disable your #biometrics. zdnet.com/article/worrie…

Breach of LastPass allegedly led to compromises of #crypto wallets (and subsequent theft of tokens) 🥲 paymentsecurity.io/crypto-roundup…

I'm giving away free merch (including a beautiful new commemorative cycling jersey) to the BEST partners! Let's GO!! Bit.ly/StopMS #StopMultipleSclerosis

When I first interviewed @Deloitte's @michaelvbondar in '23 and he referred to #blockchain as a general purpose trust machine, I walked away thinking "Wait! What?!!!" Disintermediating untrustworthy banks with a new set of financial "rails" (aka #crypto) is what comes to everyone's minds. But Bondar was referring to many other businesses where trust is not only lacking, but further eroding. The epiphany came when I read that @salesforce CEO @Benioff once implied that you're mistaken if you think his company's main solution is #CRM when he said (paraphrasing) "the thing we really sell is trust." For any organization and any application, blockchain is the shortest path to restoring and "selling" trust. deloitte.wsj.com/cfo/rebuilding…

@kantorcodes most of #blockchain's business benefits (including censorship mitigation) are significant improvements over the status quo. While those benefits are inherent to the technology in a way that is difficult to scalably reproduce with any antecedent application platform (it's critical to think of these benefits as platform-introduced commodities not found elsewhere), none of those benefits are absolute. The paper's phrase choice of "provides robustness" is, IMHO, appropriately muted.

@dberlind @API3DAO Hmm --- couldn't you still typically inflict a censorship attack by holding a ton of the respective tokens required for the vote?

This quote about #blockchain from the linked (below) @API3DAO paper (the #dAPI guys) is one of the better ones. Not "great" IMHO, because it leaves out some important benefits of #decentralization (and elimination of trusted parties is a terrible icebreaker). But "censorship" really caught my eye as a highly overlooked #Web3 topic: "Decentralization defines Web 3.0, which is characterized by distributing computation and settling outcomes through predetermined consensus rules. The business logic of a decentralized application is implemented as a smart contract, which runs on a blockchain-based smart contract platform. Decentralization allows participants to cooperate without requiring mutual trust or a trusted third-party, and thus provides robustness against attacks and censorship." Here's the paper: drive.google.com/file/d/1b8QsGP…