Speaking at RSA Conference 2024: GM's Road to Modern Consumer Identity
Speaking at the RSA Conference is one of those career milestones that feels surreal even in the moment. RSAC is the largest cybersecurity gathering in the world, and the bar for what makes the agenda is genuinely high. Getting to share the stage with General Motors to walk through their consumer identity modernization journey was a privilege.
What the session was about
GM, like every legacy enterprise that owns a direct relationship with millions of consumers, faced a consumer identity stack that had grown organically over years: multiple systems, fragmented policies, brittle integrations, and a security model built for a different era.
The session covered what it actually takes to modernize a CIAM platform at that scale:
- Why the legacy stack had to go. Aging infrastructure, fragmented sign-in experiences, and a security posture that could not keep up with modern threat models or regulatory expectations.
- Architectural decisions that mattered. Choosing a Zero Trust-ready platform, separating identity from authorization concerns, and designing for resilience when you cannot afford downtime in customer-facing journeys.
- The migration itself. Moving millions of consumer identities is not a project, it is a program. Phased rollouts, dual-run periods, fallback paths, and the operational discipline required to keep the lights on during the transition.
- Zero Trust applied to consumers. Conditional access, risk-based authentication, and continuous evaluation in a context where you do not control the device, the network, or sometimes even the email address.
- Lessons that translate. What we would do differently, what surprised us, and what the operational reality was once the new platform was carrying production load.
Why this matters
CIAM has become the front door to the digital business. For an automotive brand like GM, the consumer identity layer touches every interaction, from financing applications to in-vehicle services to loyalty programs. Getting it wrong is not just a security problem, it is a customer trust problem and a revenue problem.
The modernization patterns we covered apply to any large enterprise sitting on legacy consumer identity infrastructure. The technology stacks change but the playbook does not.
Slides and recordings are typically posted to the RSAC presentation library after the event.
Thanks to the GM team for the partnership, and to the RSAC program committee for the slot.