In this interview from RSAC 2026 in San Francisco, Andre Durand, founder and chief executive officer of Ping Identity, joins theCUBE Research's Christophe Bertrand to discuss why agentic AI is forcing a fundamental rethink of identity security and zero-trust principles. Durand draws on 23 years of building identity infrastructure — now protecting roughly eight billion accounts across the Global 5,000 — to explain why autonomous agents demand even stricter security than human users. Operating around the clock at machine speed, these non-human identities face no personal consequences for damaging actions. He underscores why organizations must authenticate, authorize and maintain full observability over every agent, applying zero-trust guardrails tighter than those historically extended to their human counterparts.
The conversation also explores what Durand calls the "agentic channel" — a new interaction surface alongside web, mobile and voice — where customer-facing agents research products, scan information and engage on behalf of individuals. Drawing on insights from more than 200 enterprise conversations over the past year, he details how large financial institutions and retailers are racing to detect whether an inbound visitor is human or agent and to scope permissions accordingly. Durand also unpacks Ping Identity's newly announced agentic core capability, which extends the platform to manage the full agent lifecycle, from discovery and inventory across multiple clouds to real-time runtime authorization that moves beyond static entitlements to just-in-time, context-aware decisioning. Weighing the competitive urgency of automation against the duty to protect brand trust, Durand provides a practical framework for how security leaders can harness agentic AI without sacrificing governance or accountability.
Andre Durand, Ping Identity
Andre Durand, founder and chief executive officer of Ping Identity, discusses agentic artificial intelligence, identity security and access controls at RSAC 2026. Durand outlines Ping Identity's 23-year history of protecting digital identities and frames the emerging risks posed by agentic AI.
The interview is recorded by theCUBE Research and features host Christophe Bertrand, principal analyst at theCUBE Research. Bertrand examines non-human identity, lifecycle management, runtime decisioning and the need for tighter controls as agents interact with systems of record. They highlight operational challenges, governance requirements and stewardship models for organizations deploying agentic AI.
Key takeaways include treating agents as non-human identities that demand the same controls as human users, or stricter ones: authentication, observability, entitlement management and just-in-time authorization. Durand argues that zero trust principles must extend to agentic runtimes with runtime control planes and stewardship. Bertrand emphasizes that full traceability and auditability are essential to protect brands, meet compliance requirements and reduce operational risk. These principles inform identity and access management. IAM design must incorporate lifecycle governance, runtime decisioning and monitoring to ensure accountability and resilience.
Watch the full interview for practical guidance on implementing identity and access management and securing agentic AI at scale.
>> Hello everyone. Welcome to day two of RSAC 2026 in San Francisco. It's been very busy yesterday, day one. Actually, some people even started showing up on Sunday, but now it's day two. And we're back here at theCUBE with back to back coverage of this conference. And today, and our first segment is going to be about AI agent identity, access, and how do you treat agents as humans? Joining me today is Andre Durand, who's the founder and CEO of Ping Identity. Andre, welcome.
Andre Durand
>> It's a pleasure to be here. Thank you.
Christophe Bertrand
>> So Andre, tell us a little bit about yourself and what drove you to become the founder and create this organization and tell us about Ping Identity.
Andre Durand
>> So thank you. So 23 years ago, I came across what is now kind of a famous cartoon of no one knows you're a dog on the internet, that was late 2001. And I had taken a little bit of time off from a company I had founded prior to that. And it occurred to me that's a problem, that how could we do anything meaningful on the internet if we're not certain who is actually on the other end of the call or the transaction or whatever it is. And so Ping Identity was founded early 2002, so 23 years ago now, with a mission to help secure your digital identity on the internet and your use of your accounts and your information with everyone that you interact with. And so roll forward, we protect about eight billion accounts globally. We focus on the global 5,000. In every vertical, about 60% of our business is securing the customer experience as you log in to airlines, banks, retailers, government institutions. About 40% is securing the workforce and partners as they access internal systems. But it's all about how do we enable a really frictionless experience to the extent we can, but also maintain a very high level of security.
Christophe Bertrand
>> Right. And it's interesting because in the past 23 years, compliance and regulations and the whole space of security, identity management, access, et cetera, it's all changed. Two or three times over. You started the business right around the time when cloud was becoming a big thing and now we're in the era of AI. And that's really what I want to talk to you about because clearly agentic AI is happening. I feel that a lot of organizations are getting ahead of their skis, rolling things out and we don't really know what these agents are really doing, what they have access to, how they're being controlled, how they could even become tools for cyber criminals to leverage against you. So tell us more about that. What's your view of agents? How should I as an end user consider agents?
Andre Durand
>> Well, so it's a whole new world. I would start with saying that the way in which we secure our systems, who has access to what at its core is all founded on the notion of knowing who is acting. So there is no security without identity. You can't secure what you can't identify.
Christophe Bertrand
>> Absolutely.
Andre Durand
>> And agents now are new actors, if you will, in the system. So we call non-human identity. We have human identities and non-human identities. These non-human identities work 24/7. They can act with a speed that's different than humans.
Christophe Bertrand
>> Right.
Andre Durand
>> We might have 10X or 100X or who knows how many more of them. And they can now take action on systems of record if we allow them. So they can automate things internally. So because of that, we need to treat them with the same level of diligence and care and security that we treated our human actors. We need to authenticate them. We need to know when they're created. We need to have observability if they're acting in our systems. We need to authorize what they can do and not do. From a perspective of security in humans, humans, take for example, employees and others, there is an accountability to humans for bad action. In the agentic world, there's no accountability for an autonomous agent taking action. And so for that reason, the level of security and level of scrutiny that we've referred to as zero trust, it needs to come much faster to the agentic world. We've been on a journey towards zero trust with humans, but the trust gap hasn't been abused as badly as it has been.
Christophe Bertrand
>> Right. And I think that's really how AI agents are sort of reshaping the way we work. We use them as our own personal executive assistants in many ways or sometimes I would say some functions will be replaced. Let's talk about traceability because I think it's totally reshaping, again, this notion of zero trust, so if not throwing a lot of the concepts away to redefine what that trust or zero trust should be. So traceability, why is it important? If I'm watching you today right now, why should I care as an IT leader or as an AI leader, why should I care about this traceability? What's behind that? Is it governance? Is it compliance? Is it just having best practices? What are the risks of not having that traceability in managing what will become very quickly hundreds of thousands of agents making decisions and interacting with your clients?
Andre Durand
>> Well, we can't have any actor in our systems dealing with systems of record where there's no traceability of what their actions or the decisions are. That doesn't make sense. And so I think the notion of the principles of zero trust do apply here. There need to be guardrails on agentic that manages their life cycle, that manages their entitlement, that appropriately assigns stewardship, if you will, or ownership of the agent and the policies. As actors in the system that are acting autonomously, again, working with our systems, accessing our data on behalf of all of the principles of either zero trust and/or great identity security need to apply, but they need to apply at a scale and a speed that we've not seen before. The runtime nature of agentic is of a scale that we've not seen before.
Christophe Bertrand
>> So let's put this in context. Tell us about some of your customers and how they've actually applied your platform and what are you seeing at this stage of what may not be necessarily early implementations, but certainly we're early in a cycle considering what agentic will probably be doing in the next year or two years.
Andre Durand
>> So over the course of the last year, we've met with over 200 of our customers. These are large financial institutions. These are transportation companies. These are retailers. Most of the interest right now, the early interest is in detecting and securing what we refer to as the agentic channel. So we've had the web channel and then along came the mobile channel of interaction. Of course, prior to that, we had the call center channel, the voice channel. Now we have the agentic channel. So your notion that your personal agent acting on behalf of can go out to a company and do some research for you or make a recommendation or want to scan information on products and services. That's now the agentic channel. So our customers are interested in knowing, is that a human who just showed up? Is that an agent that showed up? If that's an agent on behalf of who, is that who have an account with us already? So we actually could identify who that individual is and they're wanting to secure the, call it the web chat, if you will. That's the first motion. They're wanting to leverage agentic to have conversations with their customers and consumers. They need to make sure that that agent is only accessing the right information, not everyone's information. So that's where most of the interest is right now. This week and actually today we announced our new agentic core capability. This is the extension of the Ping platform to help, as I said, secure the entire life cycle, to authenticate and to authorize agents working within our environments, doing things like what I described, securing the agentic channel.
Christophe Bertrand
>> Well, this is very interesting. I certainly have interacted with multiple agents recently. I remember going around for about an hour with one agent for an airline. I will not name the airline. It was very clear that it was an agent and then they were trying to get to a human and then it would reset after an hour or something. So quite not there yet, but I can see how with a few tweaks it would be very, very efficient to help with very simple type of functions. Well, for an airline's going to be adjusting a reservation, things like that. Now for financial transactions or anything that has to do with healthcare, we get into a different world, the world of compliance. What's your take on it? Clearly you're ahead of the game with your platform. You're already powering business processes that leverage agents, having access to all sorts of records and of course engaging with end users. So how do you view the compliance and governance piece of it? And are there some maybe early learnings that you've observed from your early implementations?
Andre Durand
>> So I think everything that relates to governance of humans will apply to governance of agents. And it begins with knowing what agents are operating within your environment. So being able to discover an inventory, in essence, all the agents across your landscape. And agents are being built in multiple clouds right now. So a large enterprise might have a dozen different locations in which agents have been created and are acting throughout their system. So step number one is manage the life cycle of the agents. Step number two is we're assigning certain rights or permissions or entitlements for those agents to do things, to access things on our systems. And there needs to be good governance and controls over what permissions and what entitlements and who is the custodian of those agents so that humans have accountability for agents that aren't behaving correctly or maybe have been scoped permissions too broadly. So everything around governance of access that applied to humans is going to apply to agents, but it actually goes one step further than that. And it's what we refer to as the runtime control plane. Autonomous actors, if you will, in our systems that can make decisions and actually take action on systems of record, circumstances change in real time. And so we're actually going to need to be able to authorize their actions. That goes one step beyond what did we permission them to do a month ago or two months ago. Now they're actually taking action on systems and we need the decisioning to be a real time or runtime decision based upon all the context, all of the signals and data at that moment in time. So we're moving from more of a static, kind of a governance, pre-provision, pre-provision entitlements to a just in time, just enough real time or runtime decision.
Christophe Bertrand
>> Yes. Just in time governance almost. I think this is fundamental. I don't think I've heard it put in so many clear words recently and there are multiple layers of governance and compliance, access to data that's clean, et cetera, which is a big assumption. We're not there yet. I can assure you that. But for some specific processes, I can see how you can really have a pretty good domain of data that's clean, that's usable, that's compliant, and agents can do a good job. What I'm hearing you say though is very fundamental is you're treating agents just like humans. They are essentially the same. They need to be treated exactly the same with one difference. They may be more like kids, you need a parent, which is whether just in time decision making or changes will come into play. No, you're not going to do that. That's really not a good idea.
Andre Durand
>> The guardrails need to be tighter. The speed with which they can act, their autonomous nature, and the fact that there is no consequence for an agent that does something that we believe to be worst case malicious, much less naive as a child might make an action. So you can't have actors in our system dealing with systems of record, able to take action on systems and not have exceptionally tight guardrails. The consequence that has existed in humans interacting with systems has allowed us to extend a certain level of trust. They wouldn't do it. They could do it, but they wouldn't do it because the consequence was there. With agents acting in our system, there's no equivalent of a consequence for something that we deem to be, again, not malicious, maybe shy of malicious, but damaging to the company. So for that reason, the guardrails need to be much tighter.
Christophe Bertrand
>> Yeah. And I firmly believe that this is the biggest issue because in the end, you're always responsible for your... As a company, as a corporate entity, you're responsible for your actions, the actions of your company, the actions of your employees. Well, now it would be way too easy to say, "Oh, but it's the agents that did it."
Andre Durand
>> That's right. You won't be able to advocate that to say, "The agent made a decision. Your brand..." Now companies' brands are at stake and they have a new principal actor, again, that can act autonomously to provide incredible speed and efficiency, but because there is not the same level of consequence, the level of trust that we bestow these agents needs to be zero trust. This is where all of a sudden the principles of zero trust, just in time, just enough, contextually aware, real time decisions on can that action actually take place. These are not optional in the agentic space. Not to say they were optional per se in great security, but we've taken a while to get there and it's complicated. Here we need to move much quicker.
Christophe Bertrand
>> Right. Just like you wouldn't let drunk kids fly a plane, you're not going to let agents run loose and make all sorts of decisions and that could impact even somebody's life. I mean, that's what we're talking about these type of applications. We have a couple of minutes left here. What would be your advice for our viewers? What is the thing you want them to take away from this conversation? What should they do next as they think about the next time they get this call, "Hey, we have this AI project. I need your perspective on it or help me do this, help me do that." What should they think about first?
Andre Durand
>> Well, I highly encourage experimentation of the what's possible. What we actually put into production now, and the level of care, and diligence, and duty to ensure that we have the right structure, the right frameworks, the right guardrails on agentic to be responsible stewards of the trust that we've earned with our customers in our brand. It cannot be an afterthought. This is now a conversation that requires a lot of care and diligence. So while we're all compelled to move fast, and there's incredible advantage, competitive advantage to the level of efficiency and scale that we can get out of the agentic landscape, it's not to be done carelessly. This is where now all the security principles and the right foundation, the right, as you said, clean data, decisioning framework, agentic governance. All of these agents need to be harnessed appropriately to make sure that we don't have rogue things that are unexplainable impacting our brand and our companies.
Christophe Bertrand
>> Yes. And full traceability, obviously, so you can always improve and go back and figure out what happened. That's right. Well, Andre, this was fantastic. Thank you so much for your time. And to our viewers, thank you for watching us. Stay tuned for the next one. RSAC 2026. I'm Christophe Bertrand, principal analyst at theCUBE Research.