Reflections from Identiverse: Why Security Needs Operational Efficiency

Written by
Janos Matyas
Published on
June 9, 2025


Security is not just about stopping threats, it’s about doing so in a way that doesn't disrupt or burden operations. As enterprises scale, the pressure to reduce costs while improving security grows. This makes operational efficiency not a luxury, but a mandate. At Identiverse 2025, one takeaway became crystal clear: both identity administrators and network administrators are hungry for a unified way to solve identity and access not just for humans, but for systems, services, and AI agents. That convergence is where true transformation lies.

Aligning on Identity: Google and Riptides, Different Paths

One of the standout talks for me was by Uttam Ramesh from Google: Zero Trust Networking with Managed Workload Identities. Conceptually, there are strong similarities between what Google is doing and our vision at Riptides. Both approaches align on using SPIFFE as the protocol for securely issuing and consuming workload identities. SPIFFE provides the foundation to federate trust across cloud providers, on-prem environments, and organizational boundaries.

But our technical approaches differ: Google’s solution is centered around sidecars, proxies, and load balancers—while Riptides operates entirely from the Linux kernel. At Riptides, we’ve taken it one step further by embedding OPA (Open Policy Agent) directly into the kernel, letting us make inline decisions about what identity to assign to a connection based on metadata provided from user space. This gives us full visibility and policy control without needing to divert traffic to userland proxies.

Historically, Google has been one of the few companies consistently driving innovation through thoughtful research and open publication of new technology paradigms. The Zero Trust model is no exception. Their continued work in this area sets a clear direction for the industry and aligns closely with our belief that identity-driven access should be at the core of modern infrastructure.

Industry Gaps and the Case for Active Security

From the vantage point of Identiverse, it’s clear the industry still has work to do in how it talks about and handles non-human identities (NHIs).

Mislabeling Credentials as Identities

The term non-human identity is often misleading. What many refer to as NHIs are really just credentials—API keys, service accounts, IAM roles—that float untethered from the workloads they represent. At Riptides, we believe this model is fundamentally broken. Identities should be tightly bound to workloads. When credentials exist in isolation, they become vulnerable to misuse and provide no assurance about who or what is using them. We believe identity must originate from and be inseparable from the workload itself.

At Riptides, our mantra is simple: kill credentials entirely—because true security starts when identity is no longer something you store, share, or manage.

Underutilization of SPIFFE

Despite being an open standard purpose-built for this challenge, SPIFFE remains underused across the industry. We see no better mechanism today to assign identities to workloads. SPIFFE provides the consistency, interoperability, and trust federation capabilities required to operate across cloud providers, on-prem environments, and organizational boundaries. Riptides is fully committed to SPIFFE—not just as an implementation detail, but as the foundation for identity in distributed systems.

From Passive Posture to Active Enforcement

Most solutions showcased at Identiverse focused on governance, compliance, and posture management. These are critical capabilities—but they are reactive by nature. Discovering a leaked credential is useful, but by then, the window for exploitation may have already passed. Worse, you often can’t even tell when or where it was used.

Riptides takes an active approach: by operating in the kernel, we observe and enforce identity at the network layer, in real time. All workload-to-workload communication passes through the kernel, giving us complete visibility and control. This allows us to build a dynamic, real-time inventory of active identities, without requiring invasive access to your cloud accounts or SaaS providers.

AI Agent Security is Still Workload Security

AI agent security dominated much of the conversation at Identiverse, and while it’s an important topic, we feel it’s often overhyped.

In particular, when it comes to connection security between MCP servers, orchestration tools, and agent-to-agent (A2A) systems, the foundational building blocks already exist. There is no need to reinvent the wheel. Well-established mechanisms such as mutual TLS, identity-aware and conditional routing, workload-bound credentials, and fine-grained authorization are more than capable of securing these connections when applied correctly. The challenge isn’t inventing new protocols, but using existing standards like SPIFFE, TLS, and OPA properly and consistently.
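As an added example in Go (not Riptides' code, which enforces this in the kernel), here is a user-space authorizer for one such connection: it reads the caller's SPIFFE ID from the URI SAN of its X.509 SVID, as a mutual TLS peer check would, and decides the request against an allow-list that stands in for an OPA policy. The Policy type, the SPIFFE IDs and the self-signed SVIDs are constructed for illustration and are not part of the post.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Policy is a hypothetical allow-list (server SPIFFE ID -> permitted client IDs) standing in for OPA/Rego.
type Policy map[string][]string

// SPIFFEID extracts the workload identity from an X.509 SVID: exactly one URI
// SAN with the spiffe scheme and no port, userinfo, query or fragment.
func SPIFFEID(cert *x509.Certificate) (string, error) {
	if len(cert.URIs) != 1 {
		return "", fmt.Errorf("want exactly one URI SAN, got %d", len(cert.URIs))
	}
	u := cert.URIs[0]
	if u.Scheme != "spiffe" || u.Hostname() == "" || u.Port() != "" || u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return "", fmt.Errorf("not a SPIFFE ID: %q", u.String())
	}
	return u.String(), nil
}

// Authorize is the fine-grained authorization step: the caller's identity is
// read from its certificate (workload-bound), never from a stored API key.
func (p Policy) Authorize(server string, client *x509.Certificate) error {
	cid, err := SPIFFEID(client)
	if err != nil {
		return err
	}
	for _, allowed := range p[server] {
		if allowed == cid {
			return nil
		}
	}
	return fmt.Errorf("deny: %s -> %s", cid, server)
}

// newSVID mints a self-signed SVID as constructed test data; a real SVID is
// signed by the trust domain's CA and verified by the mTLS handshake first.
func newSVID(id string) *x509.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	u, _ := url.Parse(id)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), URIs: []*url.URL{u}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```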

We’ll be covering our specific approach to AI workload security in an upcoming post.

Looking Ahead

At Riptides, we’re committed to this vision. We believe that operational efficiency and security can go hand in hand. Our identity fabric delivers strong, workload-bound identities using a proven and mature foundation: X.509 certificates, SPIFFE, and in-kernel policy enforcement. We’re here to cut cost, reduce risk, and bring clarity to the complex landscape of non-human identities—at wire speed.
