Published to clients: November 20, 2025 ID: TBW2107
Published to Readers: November 21, 2025
Whisper Email Release:
Public Release Date:
Analyst(s): Dr. Doreen Galli
Photojournalist(s): Dr. Doreen Galli
Abstract:
“This Whisper Report explores the most desired casino innovations identified at G2E 2025. Industry experts highlighted two key areas: operational improvements for casinos—such as seamless system integration and cross-platform play—and enhanced player experiences through biometric authentication, personalized VIP services, and engagement strategies. These insights reveal opportunities for transformation and differentiation in gaming technology.”
Published to clients: October 27, 2025 ID: TBW2094
Published to Readers: October 28, 2025
Whisper Email Release: TBD
Public/Video Release: TBD
Analyst(s): Dr. Doreen Galli
Photojournalist(s): Dr. Doreen Galli
Abstract
This Whisper Report investigates the biggest UAV threat CIO’s are not ready for. CIOs are underestimating the scale and urgency of UAV-related risks. From electric infrastructure and jamming threats to data overload and geopolitical embargoes, this Whisper Report captures the 10 most pressing vulnerabilities revealed at CUAV Expo 2025 — and what enterprise leaders must do next.
Published to clients: September 29, 2025 ID: TBW2087
Published to Readers: September 30, 2025
Published to Email Whispers: TBD
Public and Video Release: TBD
Analyst(s): Dr. Doreen Galli
Photojournalist(s): Dr. Doreen Galli
Abstract:
“The creator economy is no longer a niche—it’s a strategic force reshaping media, marketing, and consumer expectations. This report explores how businesses can partner with creators to unlock scalable engagement, rival traditional media in quality and speed, and adapt to a market where authenticity and agility win. Insights from NAB Show 2025 reveal why enabling creators isn’t optional—it’s essential. “
Target Audience Titles
Chief Data Officer, Chief Marketing Officer, Chief Content Officer, Chief Data Officer
Chief Technology Officer, Chief Digital Officer,
Head of AI/ML for Media or Marketing, Data Scientists, Creator Partnerships Manager, Director of Content Strategy,
Product Managers, Content Managers
Key Takeaways
Creators connect directly with consumers, offering scalable, intimate interactions.
Businesses must support creators with tools, partnerships, and infrastructure.
Creators rival traditional media in quality, speed, and production scale.
The creator economy is reshaping media and consumer expectations.
We took the most frequently asked and most urgent technology questions straight to the Technologists gathering at NAB Show 2025 held in Las Vegas, Nevada. This Whisper Report addresses the question regarding how can we leverage the creator economy to drive business growth? As Latakoo’s Jade Kurian shared, “every single person out there is a content creator right and they all want to be able to take their content in put it one place and do the editing do the transfers do the transcoding.” With all these creators, a shift is coming. As Strada’s Michael Cioni observed, “the creator economy is actually the economy we should be we’re following them now we should emulate.” Figure 1 depicts the four levers of the Creator Economy that we will now dive into.
Creators connect directly with consumers, offering scalable, intimate interactions. As DeepDub’s Oz Krakowski noted, “I think that in a world of creator economy where independent creators have a direct reach to the consumers ignoring that part of the business is a big mistake.” TightRope Dana Healy argued, “we still need to tie these new technologies to stories and creators are really good at telling stories.” Not only are they great at telling stories, but as LucidLink’s Gergana Berman reported, “we really think that the voices of individual creators and independent creators are really the trusted voices out there.” This trusted, storytelling capabilities with a direct reach results in, as Oz Krakowski observed, “unique product that very unique IP where they can reach different types of audiences and the ability to interact to have that level of interaction that is sometimes very intimate with their audiences is extremely scalable.” In conclusion per Tightrope’s Dana Healy, “the creator economy is still very valuable in the organic reach.”
Businesses must support creators with tools, partnerships, and infrastructure. There is a critical question all media vendors should be asking themselves, according to Axle.ai’s Sam Bogoch. “How can we enable them to make better content and how can we help them repurpose and retarget that content better.” Latakoo’s Jade Kurian noted, “creator economy to drive business growth for us it’s really about giving creators on one-stop shopping.” Catering to the creator economy is valuable for as Strada’s Michael Cioni proposed, “they are effectively bigger than professional media and entertainment and so what we need to understand is that consumer tastes have changed and what we have been protecting through our history and traditions for a long time is no longer as relevant.” Finally, and perhaps most critical, Cinnafilm’s Dom Jackson contended, “other piece is that we have to adjust to the way that those people do business we have to make sure that our cost models match their revenue models so that we can make a compelling case that we are tools that fit with their businesses.”
Creators rival traditional media in quality, speed, and production scale. Ross’s David Green emphasized, “The truth of the matter is some of these creators are just doing incredible things and their production quality is sometimes better than those of us who think that we’re the you know the you know the enterprise class content professionals. And when you when you look at some of the biggest content creators in the world they’re truly innovating in terms of how they’re creating this amazing content doing it flexibly doing it fast doing it on the run doing it efficiently.” David was not alone in sharing his enthusiasm for the creator economies scale. Per Dell’s Tom Burns, “size of the creator economy dwarfs what we have thought of for the last 100 years as episodic and feature production pipelines.”
The creator economy is reshaping media and consumer expectations. DeepDub’s Oz Krakowski declares companies must collaborate with content creators, “companies and businesses have to do this in order to cannot basically cannot ignore it.” And why would you ignore it for as Axle.ai’s Sam Bogoch asserted, “the creator economy is the biggest growth area in media right now and not just the official creator economy but also things like user generated content for marketing purposes.” And there is a very good reason creator content is growing. Per Strada’s Michael Cioni, “we have to get over that and meet them where they are because the next generation of consumers 10 and 20 years from now will not be going to see movies in theaters they’re not going to watch traditional broadcast television.”
Published to clients: September 9, 2025 ID: TBW2068
Published to Readers: September 10, 2025
Published to Email Whispers: TBD
Published Publicly with Video: TBD
Analyst(s): Dr. Doreen Galli
Photojournalist(s): Dr. Doreen Galli
Abstract:
“Trust in fintech isn’t just about compliance—it’s a multi-dimensional strategy. This report explores how transparency, privacy, and strong identity verification shape consumer confidence. Insights from Fintech Meetup 2025 reveal how leading firms are navigating open banking, fraud prevention, and data ethics to earn and retain trust. If trust is your brand’s currency, this report is your blueprint. “
Published to clients: September 2, 2025 ID: TBW2064
Published to Readers: September 3, 2025
Published to Email Whispers: October 27, 2025
Public with Video Edition: October 27, 2025
Analyst(s): Dr. Doreen Galli
Photojournalist(s): Dr. Doreen Galli
Abstract
This report explores how telemedicine is evolving beyond convenience to deliver deeper, more personalized care. From AI-powered test result interpretation to seamless appointment coordination and continuity across care settings, experts at HIMSS25 reveal how digital tools are reshaping the patient journey. Discover how telemedicine can close access gaps, enhance understanding, and support long-term health outcomes—if systems are designed with the full patient lifecycle in mind.
Target Audience Titles:
Chief Information Officer, Chief Medical Officer, Chief Data Officer, Chief Digital Officer, Chief Innovation Officer, Chief Patient Officer
Clinical Informatics Specialists, Telehealth program manager, Health IT Architect, Clinical Data Analyst, Biomedical Engineer, AI/ML Engineer (Health Focus), Patient Engagement Strategists, Virtual Care Coordinator
Key Takeaways
AI-enhanced telemedicine can streamline appointment booking, interpret test results, and personalize care recommendations—improving speed, clarity, and access for patients.
Continuity of care is the next frontier—integrating telemedicine across acute, post-acute, and home health settings to support the full patient journey.
Access equity improves when telemedicine includes specialists and reaches underserved populations, addressing socioeconomic and geographic barriers.
Patient understanding is amplified when generative AI explains results and next steps in context, reducing confusion and improving engagement.
We took the most frequently asked and most urgent technology questions straight to the health systems technology experts gathering at the Healthcare Information and Management Systems Society (HIMSS) 2025 Global Health Conference and Exhibition or HIMSS25 for short. This Whisper Report addresses the question regarding how can telemedicine be optimized to improve patient care? Figure 1 depicts two patient care optimizations one can expects from telemedicine.
The first benefit many expect to experience with telemedicine is the patient experience. For example, when getting test results, AI can be leveraged for the benefit of the patient to find a doctor. As Aisera’s Daniel Caravajal suggest, “I get my test results it can recommend me doctor that’s specific on that area right and it can book the appointment right it can coordinate the calendars and basically made that experience a lot faster a lot seamless and easier to kind of interact with.” Caravajal further suggests AI can help the patient understand the results. “let’s say you get your test results. We can analyze them and give you suggestions that is the unique part about a genetic AI is not only delivering a unique use case but it’s also understanding the situation. It’s understanding the intent and making further suggestions.” Valuable to note that it is always best to confirm any such information with your actual practitioner! MinttiHealth’s Xiaoqian Zou suggests telemedicine technology can, “give everyone access to the easy health care solution and service.”
A critical part of the patient experience that also affects the medical care is that of continuity of care.
As Alexander Group’s Tray Chamberlin advised, “what we think is probably the next evolution in tele medicine is that continuity of care where you’re really thinking about a patient across the entire life cycle be it acute to Post Acute to maybe even home health and integrating that tele medicine it more so that the date and Records can still communicate and we understand the holistic patient Journey.” The significant benefit of telemedicine as Chamberlin further observed, “we’re also meeting the patient where they are and so you know the inclusion of specialists in telemedicine certainly just from a socioeconomic perspective getting access to the right populations that traditionally maybe don’t have access.” For additional background on the benefits and current state of telemedicine, see the Press Conference for OnMed from CES.
*When vendors’ names or quotes are shared as examples in this document, it is to provide a concrete example of what was on display at the conference or what we heard doing our research, not an evaluation or recommendation. Evaluation and recommendation of these vendors are beyond the scope of this specific research document.
“This report dives into the evolving role of generative AI in logistics, revealing how it’s reshaping visibility, communication, and adaptability across global supply chains. From forecasting weather impacts to managing labor shortages and customer-driven changes, the research explores both the promise and the limitations of AI. It also introduces a provocative challenge: should supply chains adopt disruption modeling, just as IT uses threat modeling?”
Whisper Report:What’s the biggest cybersecurity myth in 2025?
Published to clients: August 19, 2025 ID: TBW2090
Published to Readers: August 20, 2025
Whisper Email Release: TBD
Public and Video Release: TBD
Analyst(s): Dr. Doreen Galli
Photojournalist(s): Dr. Doreen Galli
Abstract:
This Whisper Report identifies eight persistent cybersecurity myths in 2025, from the belief that threats can be fully stopped to misconceptions about AI’s role in security. Experts from Black Hat USA 2025 clarify that resilience, strategic investment, adaptive training, and human oversight remain essential. AI is powerful but not a plug-and-play solution, nor a replacement for human judgment. Understanding these myths helps organizations build more realistic, effective cybersecurity strategies.
We took the most frequently asked and most urgent technology questions straight to the Cybersecurity professionals gathering at Black Hat USA 2025 held in Las Vegas. This Whisper Report addresses the question regarding what’s the biggest cybersecurity myths in 2025? Figure 1 displays the eight cybersecurity myths we uncovered we will now discuss.
MYTH 1: We can Stop all Threats
The first myth comes from Trustmi’s Corey Sienko and is that “we can stop every single threat from entering the organization” This may come as a surprise to some executives particularly those outside of cybersecurity but the expression used is always when not if you have an incident. No Need to fret, Trustmi’s Corey Sienko continues. “It’s about how do we respond to those threats and make sure that we protect the organization from losing valuable information and cards.” I believe all appreciate that clarification. Cybersecurity involves defense but it is also a game all about preparation for when and resiliency after. This topic is further discussed in Conference Whispers: Black Hat USA 2025.
Cymulate’s Avihai Ben Yossef brings us myth number two, “The more money you spend on cyber security the more protected you are.” Ben goes on further to explain. “I think in order to really be protected in cyber security from cyber attacks is by actually knowing what you need to do in order to make sure you are protected and when once you know that you don’t need to spend too much money you need to spend you know a very focused amount of money in what matters most.” If you are surprised by this, you really need to book an inquiry with TBW Advisors so we can help you review your cybersecurity strategy. Additional research regarding critical observations on cybersecurity spend can be found in the keynote covered within Conference Whispers: Identiverse 2024.
Cybersecurity Myth number three comes to use from Dune Security’s David DellaPelle. “Security awareness training is improving readiness and reducing risk. Security awareness training is dead.” Intrigued? Let’s hear more from David. “Security awareness training as it exists today, meaning legacy security awareness training technologies are not effective at reducing risk and create friction and an adversarial relationship between the security organization and the end users. The problem is if you think about a doctor who is looking to solve a patient’s problem, the first thing they would do is take in a lot of data and run tests to exclude the possibilities. They quantify the risk before they prescribe a medicine or a surgery. And so if there’s a security awareness training solution that doesn’t automatically provide uh user adaptation, it’s uh it’s kind of falling flat on its face. Every piece of security control or adaptation should be relevant to the individual user’s risk profile and that training or that security measure should be applied automatically based on the risk profile.” Training employees only on what that specific employee personally need to get better at? Sounds optimized.
Bringing us cybersecurity Myth 4 is StrikeReady’s Alex Lanstein. “AI is going to replace humans.” Alex further clarifi:ed, “AI is always going to augment humans. Anybody who’s ever leveraged any AI system, any generative AI system. You see that it makes mistakes. Sometimes those mistakes are obvious, sometimes they’re subtle. And no one is ever going to turn anything over to an AI when it’s making such obvious or subtle mistakes without a human in the loop.” Or as Elastic Security’s James Spiteri further explained, “we’re thinking about this fully autonomous security operations team. I don’t think that’s going to happen. I don’t think even think it’s the right approach to think about these things. AI and agents are phenomenal, but they are the perfect compliment to humans. They’re not they’re not there to replace humans. They’re there to make humans lives better. eliminate the stuff that humans don’t want to do and let humans do the fun things like make people excited about wanting to work in cyber and that’s what the AI is allowing us to do.”
of my agents, and his name is Ralph. Ralph, can you answer the question as you see it in our world view? What’s the biggest cyber security myth here in 2025? Absolutely, Brian. Happy to jump in here. So, from our perspective, the biggest cyber security myth of 2025 is probably the idea that AI is just a plug-and-play solution, that it’s kind of a one-size fits-all magic bullet.” Ralph and Brian went on to further explain, “In reality, the myth is that AI will handle everything securely on its own. But the truth is it needs a lot of oversight, a lot of transparency, and people often underestimate the complexity inside the machine. So that’s the big myth that AI is just simple and straightforward when really it’s a lot more nuanced. And that’s my take. Uh I would add my answer. I would extend onto yours is I agree, but um I’m used to systems that have access controls, authentication controls, and audit. Uh inside the black box, we don’t have any of them. Once I log in and I authenticate, it’s a wild wild west. That has to change. Immutable logs within the system is probably something that’s going to happen at some point. Uh or some other unique uh solutions to the problem.”
Interestingly, Ariful Huq from Exaforce observed a similar concern. “Trying to build an LLM wrapper is what I call it without really understanding the data related to the problems that you’re trying to solve. LLMS can only get you so far, right? They are large language models and summarization and contextualization but at the end of the day if you want to solve problems related to say detections investigations LLMS can only get you so far right you really need to go back to the data go back to the fundamentals and then layer on a large language model on top of it to solve some of the problems that around like you know summarization um you know building agent workflows.” In other words, solutions are custom crafted – NOT plug and play.
Checkmarx’s Jonathan Rende brings us Myth 6, “AI generates secure code.” That myth should grab the attention all organizations leveraging coding agents to quickly advance their product. Jonathon continues, “It doesn’t. It doesn’t. And it will probably get better over time. And will it do a better job than a junior developer in simple mistakes that can cause vulnerabilities? Heck yeah, of course it will. But for the more complex issues, it’s not there yet. AI is not there yet.”
Let’s hear Myth 7 from Booli’s Joe Schorr, “the biggest cyber security uh myth is that AI is actually going to solve everything.” Joe went on to further explain, “I think if you judiciously apply AI, machine learning and very discreet task and things, it’s fantastic. I think it’s being overblown quite a bit right up at the myth level. I think that if you treat it like we treat it in Booli, we’ve got AI built in, but we don’t publish it all over everything we’ve got, but we treat it kind of like an idiot savant. It’s it does one to ask really well or does a discrete set to ask really well. It may not actually behave well in church, but you can get it to do what you want for something very very specific, which is how we do it. I think the myth is that AI is going to solve everybody’s problems.” Brian Sledge of imPAC also believes that AI will solve everything is a myth. “I think AIis best positioned more like a forcemultiplier, but I don’t think it solvesthe problems, the core problems of cybersecurity today. Um cyber security stillrequires context. It requirespolicy driven control and those thingsstill require human in the loop. And Ithink the best way to leverage AI isn’t so much in solving for cyber security,but it’s more for helping multiply andscale out what humans still need andwe’re required to do. So I don’t think Idon’t think customers should sleep onthe idea that humans still need to be very much engaged as part of cyber security. Because cyber security AIis only as good as the algorithms andthe models and the data it’s getting.” Thus believing in 2025 AI will solve everything is a stretch but will it solve something?
Microsoft’s Thomas Roccia brings us Myth 8. “right now I think most people in in the industry in the security industry doesn’t yet believe in this technology (AI) and that’s maybe one of the one of the myths that AI will not really solve issue in cyber security. We have and I think that’s a mistake it’s probably something which is changing the way we are doing and all the past work that we did for the past 20 or 30 years uh is going to be changing and evolving thanks or because to AI so that’s something to consider.” Thus, while it may not solve everything today, it is changing how the industry works and what it is fighting against.
*When vendors’ names are shared as examples in this document, it is to provide a concrete example of what was on display at the conference, not an evaluation or recommendation. Evaluation and recommendation of these vendors are beyond the scope of this specific research document. Other examples products in the same category may have also been on display.
“Effective strategies for securing customer data include encryption at rest, in transit, and during compute; cautious AI adoption; and strict access controls. Removing or masking personally identifiable information (PII) and training staff on cybersecurity best practices are essential. Legal compliance, intellectual property protection, and customer trust drive the need for robust privacy measures in customer interactions.”
We took the most frequently asked and most urgent technology questions straight to the technologists gathering at Customer Connect Expo 2025 held at the Las Vegas Convention Center. This Whisper Report addresses the question regarding What are the most effective strategies for ensuring data security and privacy in customer interactions? There are two reasons security and privacy are critical in this space. As Ford’s Dr. Kalifa Oliver pointed out, “to first really understand the laws..” In fact, all governance program definitions start with legal requirements, then industry regulations and requirements, then internal privacy promises made to customers. The second critical reasons for ensuring data security and privacy as Claritiv’s Sean Gigremoss reminds us, “your knowledge for your business comes from all the conversations that you’re having – that is your IP (intellectual property).”
Figure 1. Four Pillars of Customer Data Protection
As Macy’s Siva Kannan Ganesan pointed out, “all those regulation and implementing an regulation it’s a multi-step approach like data and motion data at rest should be encrypted and you have to make sure it’s like the access strict access control and frequent evaluation of the data breach.” With security depth is always valuable. TBW Advisors LLC advises clients to not only use encryption at rest and in transit, but to leverage protections during compute leveraging Confidential Computing. For additional research, enjoy Industry Whispers: Public is Privacy – Confidential Computing in the Cloud available on TBW Advisors YouTube Channel.
TBW Advisors has frequently warned if you are not being charged for the product, you are the product. If you are the product, you should assume you do not have privacy. Today with many of the advanced AI products, even lower tier paid products do not get privacy; rather they are being used to further train the product. As Ford’s Dr. Kalifa Oliver observed, “you really got to start asking organizations that have AI technologies about their Blackbox about how the data is being trained. You have to ask them about data breaches you have to be conservative about how you implement things because I think the law is going to catch up and the hardest thing to do is trying to go back and fix it.”
One critical step to ensure privacy is to not send PII or personally identifiable information to tools. Enthu.ai’s Atul Grover denoted, “we also ensure that we deduct the PI information we deduct almost 16 kind of PIs including social security data birth credit card information …. we do that in the recording as well as all the analytics.” While removing the information is a common practice, masking data is also quite common. As Mitrol’s Pedro Lopez Slevin shared, “our banks for example you will probably have on premise data servers. Everything will be with TLS 1.2 two or higher you know and create your data. We’re talking about AI, we usually do rack so you will have to process every information into embeddings and those embeddings are..unreadable if you just put it in a vector database.”
While the term Human in the Loop has gained popularity with generative AI and agentic solutions, cybersecurity has always known the human in the loop as being a critical risk factor. Thus in order to truly ensure data security and privacy, you must train those humans! Randy Simmons from FaxSipIt shared the common journey towards compliance. “we’ve gone through a HIPPA audit and we’re secure there we just finished the SOC 2 audit and we’re SOC 2 compliant so people have come in they’ve audited our system our policies they’ve come with recommendations or not and we pass the audit for the socks 2 audit so our staff all goes through cyber security training as well we go through a wiser cyber security training and then also we send phishing to our to our employees and see if they’re going to click and if they click on a link then guess what they’re doing they’re doing that training all over Again.” So remember, do not click on that link without checking the link is safe first!
“Recent advancements in decentralized identity include passwordless authentication, time-bound credentials, and dynamic identity chaining. These innovations reduce risk, improve privacy, and enhance user control. Separation of authentication from authorization enables more precise access management. One-way functions protect biometric data in cloud environments. Emerging standards like SPIFFE and CSA’s agentic identity frameworks offer scalable, interoperable solutions. Together, these developments support secure, flexible identity ecosystems without relying on centralized authorities.”
We took the most frequently asked and most urgent technology questions straight to the Technologists gathering at Identiverse 2025 held at Mandalay Bay in Las Vegas. This Whisper Report addresses the question regarding the latest advancements in decentralized identity and verifiable credentials. But what is a decentralized identity. Panini’s Jim Harris explained, “identity – being able to capture that information using nearfield technology and then verifying that issue issuing information with the agency that issue it to certify that customer is legitimately who they say they are so we believe that’s one of the ways we can support authentication in a digital decentralized environment.” Let’s dive into six advancements in decentralized identity for you to add to your environment as depicted in Figure 1.
Frequently involved in moving authentication from something you know to something you are, Passwordless takes those pesty passwords out of the equation. As Simeio’s Octavio Lopez observed, “I’ve been seeing a lot of a lot of organizations are pushing towards passwordless.” For vendor examples that provide biometric identity options see Conference Whispers: Identiverse 2025 and Conference Whispers: ISC West 2025.
A favorite tactic to limit any damage from stolen credentials is to time bound them. As GitGuardian’s Dwayne McDaniel explained, “How do we not store a long-term credential but instead expose only the bit of the credential you need to verify that entity should be doing that thing and then issue a very short live jot or 509 Cert (X.509 certificate) that will expire immediately.” Any compromised short-lived credential is useless thereby limiting the blast radius in the system.
Related to time bound credentials is the dynamic identity chaining. As Apono’s Ofir Stein revealed the key to decentralization of identities is, “it’s the ability to create dynamic changes in the identity that exist in the environment. Meaning by that we keep what we call identity chaining while if I need access to some resources let’s say in cloud we create all the identities that needed for me to work and then we revoke them so dynamic approach to decentralized identity in a panel the dynamic approach is the decentralized identity when we create identity when needed and we work them when they when they don’t need them.”
“Although commonly associated together, as the namespace identity and access management imply, the decentralized identity world is seeing a separation. Authentication — the verification you are who you say you are — is being distinguished from authorization — the granting of some authority to some resource. As GitGuardian’s Dwayne McDaniel highlighted, “we’re going to see some major advancements with this idea of I can prove on me but that doesn’t automatically authorize me for things the authorization is starting to be separated from authentication in a way that should have probably done in the first place.”
As one might suspect, many identity solutions involve the cloud. The concern becomes, how to store the data in such a way that even if the data stored is compromised – the identity information is not? Keyless’ Alex Jones elaborated on the use case. “when you’re talking about privacy in the biometric space it’s all about where your biometric data goes does it stay on the device does it stay on the cloud so within cloud-based biometrics which is what Keyless does, there’s different ways of making sure that the biometric data on the cloud is kept really safe and this is where a decentralized biometric system come in it’s basically transforming the biometric data when it goes on the cloud so that when it’s there it is completely unrecognizable so even if the cloud server is compromised the biometric data or the data that’s stored there is kept safe.” This is the same approach we saw leveraged during our coverage of ISC West. A hash of the data is stored not the data itself. This hash function can be used against new data presented to see if the two results match properly. There is no reverse of this hash function thus the original data cannot be disclosed even if the resulting hash is compromised.
Finally, when you are creating your roadmap or architecture you do not have to reinvent the wheel. As GitGuardian’s Dwayne McDaniel denoted, “we’re seeing the standards emerge right now about 7 years ago we saw SPIFFE the secure production identity framework for everyone emerge and that came out of what Google was doing internally. Number of working group that sprung up at Netflix and they wrote a beautiful book on it called solving the bottom turtle. The CSA has just put out a new paper May 25th on how dissolve this multi- agent system problem and introducing concepts like agentic name spacing and a distributed ID like as name spaces and it’s just a fascinating time now.”
For those wishing to see a case study about how to bring a massive, decentralized identity solution to life, Identiverse had a keynote for you. Specifically, a case study of the UK mobile identity deployment featuring Hannah Rutter, Deputy Director, Digital Identity of the United Kingdom. If your organization is on the decentralized identity path, there is no reason to go alone. Reduce the risk and increase your chances of success by working with TBW Advisors LLC. Schedule an inquiry at the beginning of the process and each critical step to stop missteps.
“Organizations can implement zero-trust security without disrupting user experience by prioritizing frictionless authentication, especially biometrics, and enforcing least-privilege access through dynamic policies. Understanding user context and behavior enables informed decisions that preserve continuity. Self-service access tools reduce delays, while streamlined verification processes minimize frustration. With thoughtful planning and clear communication, zero trust can enhance both security and usability, ensuring users access only what they need—when they need it—without unnecessary barriers. This report includes insights from executives and technologists at CyberSolve, Lumos, Imprivata, Simeio, Panani, Keyless, Oasis, Apono, Omada, and Cubeless, quoted throughout the discussion.”
Target Audience Titles:
Chief Information Security Officer, Chief Technology Officer, Chief Digital Officer, Chief Information Officer
Chief Product Officer, Chief Experience Officer
IAM engineers, Security Architects, DevSecOps Engineers, UX Designers, IT Ops Managers, Application Security Architects
Key Takeaways
Use biometric authentication to streamline access and reduce friction for users.
Apply least-privilege policies with dynamic adjustments to maintain secure, appropriate access.
Enable self-service access changes to minimize delays and improve user experience.
Understand user context and behavior to make informed, non-disruptive security decisions.
How can organizations implement zero-trust security without disrupting user experience?
We took the most frequently asked and most urgent technology questions straight to the Technologists gathering at Identiverse 2025 held at Mandalay Bay in Las Vegas. This Whisper Report addresses the question regarding how can organizations implement zero-trust security without disrupting user experience?
What is the desired user experience?
At the end of the day, the goal is, as Imprivata’s Diron Chai put it, “authentication and visibility and control to making sure that you know the right people are accessing the data whether remotely or within the organization in terms of their role and their functionality and then be a being able to understand who’s in the system when and why that all ladders up to a zero-trust architecture that we’re able to bring forth in a full architecture.” Reaching this goal won’t be easy but as Simeio’s Octavio Lopez emphasized, “There’s a lot of communication that needs to happen and that’s something that we help a lot of our customers with.” A lot of communication and planning with the customers’ experience kept in mind. Here are five suggestions attendees at Identiverse offered also depicted in Figure 1.
1. Go Frictionless with Bio
One common suggestions to deploy biometric based identity and access management solution. As Panani’s Jim Harris suggested, “make the authentication of your customer as frictionless as possible a one-time identity verification process establishes that customer in the future they present a simple credential match their biometric information to the information stored in the credential that they own and control making it a very frictionless fast way to authenticate with your customer.” And this is something Alex Jones from Keyless can also agree with! “going to pitch biometrics this is the fastest way to prove who you are effectively implementing zero trust.”
2. Understand User Context
Guy Feinberg at Oasis suggests that understanding the user context is the winning approach. He started by simply asking “Are you familiar with the scream test?” For those of you not familiar, one not uncommon method in IT to understand how a resource, in this case an identity, is used by disconnecting or unplugging the resource and see who screams. Feinberg went on to further explain, “when you want to understand what’s this identity is used for so what you do you decommission it and just see who’s at the open space is screaming that something is broke. We do we help you construct all the context around the consumption of that identity so you can see the full picture before you’re taking actions so you’ll have informed actions deciding do we need this type of identity now uh should we change the permission should we decommissioning it completely all without disrupting the workforce and making sure that business continuity stays on and nothing is disrupted aspects of this.”
3. Understand User behaviour
Beyond the context of what the user is using, Imprivata’s Diron Chai recommends also understanding the how and the when. “ Being able to inject simple multifactor authentication into the environment at the local level also being able to track the behavior of credentials of people accessing like Windows endpoints as an example or mobile devices and be able to have the analytics to show utilization of the endpoint but also who what when was accessed within that session.”
4. Use Self-Service
To maintain the best user experience, Apono’s Ofir Stein recommends getting the human out of the loop. “you keep the user experience by allowing self-serve in your organization to provide access changes combine these two and you actually provide zero trust to all of the resources.”
5. Leverage Dynamic Policies
Omada’s Craig Ramsay highlighted the potential behind dynamic policies. “By using dynamic and continuous policies to make sure that their access is appropriate and it’s always at that level of least privilege and then it’s granted, when they join the organization, and as they move around the organization, and it stays appropriate.” It’s always nice when your privileges keep up with organizational changes – without human intervention or manual configuration.
In Conclusion
As Cubeless’ Treb Ryan concluded, “I find zero trust has greatly enhanced our user experiences and greatly made my job easier in the old days where there’s systems where you had to figure out which networks could connect or who would have access to what particular piece it was a nightmare.”
Finally Lumos’s Janani Nagarajan reminded all, “not just in the networking layer not just in the app layer but a critical layer for us is identities because that’s where the workforce the humans the employees the contractors the vendors your customers are actually interacting with the apps.” Identities is the key to minimizing friction for the users in zero trust. If your organization is implementing a zero trust architecture and want to ensure you are on the right track, remember to book an inquiry.
