ITTech Pulse Exclusive Interview with Kevin Paige, Field CISO at ConductorOne


Kevin Paige, Field CISO at ConductorOne

Mr. Kevin Paige, Field CISO at ConductorOne, shares insights on identity security, Zero Trust, and aligning cybersecurity strategy with real-world enterprise execution and risk management in this catch-up with ITTech Pulse.


Can you share your career journey, from managing information protection in the US Air Force to CISO roles at Flexport and MuleSoft, and now as Field CISO at ConductorOne?

My career in security started in the US Air Force, though not in cybersecurity — I began as a Law Enforcement and Physical Security specialist. But I had a knack for computers, and when the ILOVEYOU and Melissa viruses hit, I was the one who figured out how to clean our systems. That moment pulled me into computer operations and changed the trajectory of my career.

From there, I moved into systems administration and networking, which quickly led to early network security roles. I was responsible for the full boundary architecture — firewalls, proxies, VPNs, DNS, mail servers, the entire perimeter stack. I learned security by building it from the ground up.

Then I got the chance to learn how to break what I’d built. War dialing, war driving, UNIX and Windows offensive testing, web application attacks. Understanding the attacker’s perspective fundamentally changed how I thought about defense. I spent 12 years across these roles in the Air Force before transitioning out.

I moved into DoD contracting, focused on secure UNIX, networking, and Microsoft architectures, and then into civil service with the US Army. As part of the Deputy Undersecretary’s Business Transformation office, I helped bring modern technology strategies into the Army — building early IaaS and SaaS capabilities for federal and DoD use. That included standing up some of the first Application and Product Security functions for cloud-facing DoD software and working directly with startups to help the Army build fast, scalable, secure solutions for finance, logistics, and other critical business systems.


When I decided to move into the private sector, I took security leadership roles at Salesforce, MuleSoft, and Flexport — each one an opportunity to build security and technology programs from scratch. That’s where I developed many of the principles that guide me today. There’s nothing like building from zero to teach you what actually matters versus what just looks good on a slide.

Thirty years of building, breaking, and rebuilding security programs led me to one conviction: the number one risk in the enterprise is identity. That’s why I’m at ConductorOne. As Field CISO, I get to take everything I’ve learned — what worked, what failed, what I’d do differently — and help organizations solve the identity and access challenges I’ve lived through. And I get to bring that practitioner perspective directly to our product and executive teams, so what we build actually reflects what security teams need.

With certifications like CISSP, CEH, and experience in Zero Trust, cloud security, and incident response, what core principles guide your approach to aligning cybersecurity with business goals?

Four principles guide everything I do:

First — Security is a business enabler, not a cost center. My job isn’t to say no. It’s to reduce risk while increasing productivity. Every security decision I make starts with the same question: does this help the company move faster and safer? If it only does one, I haven’t finished thinking. My CISSP training grounded this — at its core, security is risk management, and risk is measured in business impact.

Second — Build security in, don’t bolt it on. Security has to be embedded in how teams build, not layered on after they ship. This takes cross-functional partnership — security working alongside engineering, product, and operations from day one. The way I explain it: we don’t put brakes on a car to make it go slow. We put them on so you can go faster safely. Security should be that brake — the thing that gives the business confidence to accelerate.

Third — Every incident is an architecture lesson. This comes directly from my incident response experience. When something breaks — and it will — the question isn’t just ‘how do we contain it.’ It’s ‘what did this reveal about a systemic weakness we didn’t see?’ I run after-action reviews that feed directly back into security architecture. The goal isn’t just recovery — it’s making sure the same class of failure can’t happen again. That loop between incident response and architecture improvement is what turns reactive security into resilient security.

Fourth — Assume compromise, verify everything. This is Zero Trust, but I mean it as an operating philosophy, not a vendor checklist. Every identity, every device, every connection is continuously validated — not because I assume people are malicious, but because that model limits blast radius when something does get through. My offensive security background reinforced this: once you’ve seen how attackers move laterally through trusted connections, you stop trusting connections and start verifying them.

As Field CISO at ConductorOne, how does the platform help organizations advance their IGA maturity curve, and why do you see most stuck in outdated approaches like manual access reviews?

To answer why most organizations are stuck, I have to be honest — it’s not really a technology problem. It’s a purchasing problem. Most organizations bought their first identity governance tool to pass an audit. The compliance team was the buyer, so the tool was optimized for generating reports, not for giving security teams real-time understanding of access. That original decision shaped everything. You end up with a system designed to prove you did a review, not to actually improve your access posture.

On top of that, you’ve got the practical reality I see in almost every customer environment: identity data is fragmented across dozens of systems. Multiple HRIS platforms, AD forests, cloud directories, SaaS apps with their own permission models — nobody has a single view of who has access to what. And when you don’t have that view, the only option is manual reviews where managers certify hundreds of entitlements they don’t fully understand. They rubber-stamp, compliance is satisfied, and the actual risk doesn’t change. That’s where most organizations are stuck — somewhere between spreadsheets and a tool that only covers half the environment.

In terms of advancing the maturity curve, the way I think about it from the field is in stages. Most customers come to us at Stage 1 or 2 — manual reviews or partial automation. The first unlock is visibility. Before you can govern access, you have to see it — all of it, across every application, every identity type, human and non-human. That’s what ConductorOne does first: connect to everything and build the unified picture that’s never existed before.

Once you have visibility, you can move to policy-driven governance — automating the straightforward decisions, routing exceptions to the right people with context, and replacing quarterly review cycles with risk-based triggers. And the end state is what we talked about earlier: Zero Standing Privileges, just-in-time access, continuous evaluation.


What I’ve learned as Field CISO is that you can’t skip stages. Customers who try to jump straight to ZSP without building visibility first end up right back where they started. The maturity curve is real, and the role I play is helping organizations understand where they are, what the next step looks like, and how to get there without disrupting the business.

Drawing from customer field experiences post-2025 Series B, what real-world lessons have you learned translating high-level cybersecurity strategy into technical reality at ConductorOne?

The biggest lesson I’ve learned in the field is that the gap between cybersecurity strategy and technical reality almost always lives in the same place: how people actually work.

Here’s what I mean. Strategically, everyone agrees on the vision — least privilege, Zero Standing Privileges, just-in-time access. On a whiteboard, it’s clean. But when you sit down with a customer — say, a fast-growing company with hundreds of SaaS applications and thousands of entitlements — the reality is different. They came to us because their User Access Reviews were failing. Not failing a compliance audit — failing operationally. Managers were getting spreadsheets with 300 line items to certify.

They didn’t understand half the entitlements. They rubber-stamped everything just to get it done. The review was technically ‘complete,’ but it caught nothing. Compliance was met. Security was not.

The strategic answer was ZSP — Zero Standing Privileges. Eliminate persistent access, move to just-in-time, review only the exceptions. On paper, it’s a clean evolution. But here’s what I learned in the field: you can’t jump from broken UARs to ZSP in one step. The gap is that customers don’t have clean enough data to know what ‘baseline’ even means. They don’t know which entitlements are actively used versus inherited three job changes ago. They can’t tell you which service accounts are critical versus orphaned.

So the real translation work wasn’t deploying ZSP. It was building the visibility layer first — connecting to every application, discovering every entitlement, establishing who actually uses what. Only then could we move customers from rubber-stamping 300 entitlements to reviewing the 15 that actually changed or triggered a risk signal. That shift — from ‘certify everything quarterly’ to ‘focus on what changed and why’ — is where the strategy became real.

The lesson I carry into every customer conversation now is this: don’t lead with the destination, lead with the discovery. If you walk in talking about Zero Standing Privileges before the customer can even see their own access landscape, you’ve lost them.

Start with visibility. Let them see the problem. Then the strategy sells itself. That’s something I couldn’t have told you from a strategy deck — I had to learn it in the field. And it’s a lesson that directly shapes how our product team prioritizes features post-Series B: discovery and visibility first, automation and ZSP on top.

You’ve noted the IAM pyramid is upside down today—what 2026 shifts, like AI-driven real-time controls, will make identity the missing fourth pillar of cybersecurity alongside network, endpoint, and app security?

When I talk about the IAM pyramid being upside down, I mean that most organizations have invested heavily in authentication — passwords, MFA, SSO — while underinvesting in what actually matters more: governance, lifecycle management, and real-time access decisions. The foundation is thin and the top is heavy. That’s why things keep breaking.

Now, why is identity the missing fourth pillar? Think about what the other three pillars actually do. Network security asks ‘is this traffic allowed?’ Endpoint security asks ‘is this device healthy?’ Application security asks ‘is this code safe?’ But none of them ask the most fundamental question: ‘Is the right entity doing this right now, and should they still have this access?’ Every firewall rule, every endpoint policy, every application control implicitly assumes you’ve already solved identity. When you haven’t, the other three pillars are working on flawed assumptions.

What’s changing in 2026 is that we finally have the technology to close that gap — but the same technology is also widening it. On one side, AI agents and agentic workflows are creating identities at a scale we’ve never seen. These aren’t users clicking through a UI — they’re autonomous systems making API calls, spawning sub-processes, and accessing data 24/7 with credentials that were provisioned once and never reviewed. The identity surface is exploding.

On the other side, AI is giving us capabilities we’ve never had. Real-time continuous access evaluation — not quarterly reviews, but systems that analyze context in the moment: who’s requesting access, from where, to what, does this pattern match their role, has anything changed since this entitlement was granted? Identity Threat Detection and Response — ITDR — is becoming a real discipline, not just a marketing term. And AI-powered lifecycle automation can finally make governance operational instead of ceremonial.

So the shift in 2026 is that identity moves from a checkbox function to an active, real-time security control — and that’s what makes it a true pillar. Not something you set up once during onboarding and review once a quarter, but a continuous, context-aware system that the other three pillars depend on. That’s the future I’m working toward at ConductorOne.

Beyond identity, what 2026 trends like vulnerability management pitfalls or cloud-native protections do you predict will reshape cybersecurity priorities for IT leaders?

I’ll hit three trends that I think are going to force IT leaders to fundamentally rethink their priorities in 2026.

First — vulnerability management is broken at scale, and most organizations don’t realize it yet. We’ve seen over 21,000 CVEs disclosed in just the first half of this year — that’s an 18% jump from two years ago. But the real problem isn’t the volume. It’s the speed. The time between a vulnerability being published and active exploitation has collapsed to same-day in a growing number of cases. Traditional patch cycles — scan monthly, prioritize quarterly, patch during maintenance windows — simply can’t keep up. The organizations that will get ahead in 2026 are the ones that shift from ‘scan and patch’ to continuous, risk-contextualized prioritization. Not every CVE matters equally. The ones that are actively exploited, in internet-facing systems, with access to sensitive data — those need to be measured in hours, not quarters. IT leaders who are still running vulnerability management like it’s 2019 are accumulating a debt they can’t see until it’s a breach.

Second — cloud-native security is going through a major convergence, and it’s catching teams off guard. The old model of buying point solutions for each problem — one tool for container scanning, another for infrastructure misconfigurations, another for runtime threats — is collapsing into Cloud-Native Application Protection Platforms, or CNAPPs. What’s changed in 2026 is that runtime context is now driving prioritization, not static scan results. Tools can now see what’s actually running in production, what’s exploitable right now, and what’s connected to critical assets — using technologies like eBPF for kernel-level observability. The IT leaders who get ahead here are the ones who stop thinking about cloud security as a checklist of tools and start thinking about it as a unified risk picture across code, infrastructure, identity, and runtime.

Third — and this is where it all connects — AI and agentic systems are accelerating every problem I just described. AI agents are creating new attack surfaces faster than security teams can inventory them. AI-generated code is introducing vulnerabilities at a pace human review can’t match. And AI-powered attacks are collapsing the exploitation window I mentioned even further. But the same AI is also the answer — AI-driven vulnerability prioritization, AI-powered runtime detection, agentic security workflows that can respond in real time. The IT leaders who win in 2026 won’t be the ones who blocked AI. They’ll be the ones who figured out how to secure it while enabling it. That’s the balancing act that defines this year.

What key advice would you offer IT and tech professionals on implementing effective identity governance and avoiding common access management traps in 2026?

I’d focus on three traps I see organizations falling into right now, and the advice that comes from each:

Trap one: You’re governing human identities and ignoring everything else. In 2026, non-human identities — service accounts, API keys, AI agents, bots — outnumber human users by ratios of 100-to-1, and in some industries 500-to-1. OWASP just released their Top 10 Non-Human Identity Risks, and the number one risk is improper offboarding — machine credentials that were never deprovisioned when a service was sunset. Most organizations have never governed these identities at all.

My advice: Treat non-human identity governance with the same rigor as human identity. If you can’t answer ‘who or what has access to this system and why’ for every identity — human and machine — you don’t have governance, you have a spreadsheet.

Trap two: Treating identity governance as a technology purchase instead of an accountability structure. I’ve seen the data — only 23% of organizations have a formal enterprise-wide strategy for managing agent identities. Ownership is fragmented: security says it’s IT’s job, IT says it’s the AI team’s job, nobody owns the whole picture. You can buy the best IGA platform on the market, and it won’t matter if nobody is accountable for the outcomes.

My advice: Before you evaluate a single tool, answer one question: who is the single person accountable when an access review doesn’t happen? If you can’t name them, start there, not with a vendor RFP.

Trap three: Confusing compliance with security. Access certifications that exist to pass audits are not the same as access governance that reduces risk. I’ve seen environments where managers rubber-stamp quarterly reviews on hundreds of entitlements because the process was designed for auditors, not for actual risk decisions.

My advice: Design your access reviews around risk, not frequency. High-risk entitlements — admin access, cross-environment service accounts, AI agent credentials — get continuous or event-driven review. Low-risk access can follow a lighter cadence. The goal isn’t ‘all reviews completed,’ it’s ‘inappropriate access detected and removed.’
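The review model described in this answer, and in the earlier answer about moving from certifying 300 entitlements to reviewing the 15 that changed or triggered a risk signal, can be sketched as a small delta-plus-risk-signal queue builder. The following is an added example written for this page; it is not ConductorOne's product code or the interviewee's own code. The entitlement fields, the resource names, the 90-day "unused" threshold, and the rules for what counts as high risk are all assumptions chosen for illustration.

```python
"""Risk-driven access review queue (added example, constructed data).

Rather than certifying every entitlement on a fixed cadence, compare the
current entitlement snapshot with the last certified baseline and queue only
entries that changed since then or that trip a risk signal: high-risk
permission, cross-environment non-human access, AI agent credentials,
long-unused access, or a non-human identity nobody owns (the offboarding gap).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Entitlement:
    identity: str
    identity_type: str          # "human", "service_account" or "ai_agent"
    resource: str
    permission: str
    last_used: Optional[date]   # None means never observed in use
    owner: Optional[str]        # accountable person; None means nobody owns it


# Assumed risk rules for this example; a real program would load these from policy.
HIGH_RISK_PERMISSIONS = {"admin", "owner", "root"}
CROSS_ENV_RESOURCES = {"vault-global", "ci-deploy-all-envs"}   # assumed names
UNUSED_DAYS = 90

Key = Tuple[str, str]


def risk_tier(e: Entitlement) -> str:
    """Classify an entitlement as 'high' or 'low' risk under the assumed rules."""
    if e.permission in HIGH_RISK_PERMISSIONS:
        return "high"
    if e.resource in CROSS_ENV_RESOURCES and e.identity_type != "human":
        return "high"          # cross-environment service account / agent
    if e.identity_type == "ai_agent":
        return "high"          # AI agent credentials always get continuous review
    return "low"


def review_reasons(e: Entitlement, baseline: Dict[Key, Entitlement],
                   today: date) -> List[str]:
    """Return every reason this entitlement needs a human decision (empty = skip)."""
    reasons: List[str] = []
    prev = baseline.get((e.identity, e.resource))
    if prev is None:
        reasons.append("new since last certification")
    elif prev.permission != e.permission:
        reasons.append(f"permission changed {prev.permission} -> {e.permission}")
    if risk_tier(e) == "high":
        reasons.append("high-risk entitlement (continuous review)")
    if e.last_used is None or (today - e.last_used).days > UNUSED_DAYS:
        reasons.append(f"not used in {UNUSED_DAYS}+ days")
    if e.identity_type != "human" and e.owner is None:
        reasons.append("non-human identity with no accountable owner")
    return reasons


def build_review_queue(baseline: List[Entitlement], current: List[Entitlement],
                       today: date) -> List[Tuple[Entitlement, List[str]]]:
    """Queue only the entitlements that changed or carry a risk signal."""
    index = {(e.identity, e.resource): e for e in baseline}
    return [(e, r) for e in current if (r := review_reasons(e, index, today))]


# Constructed sample snapshots (not real data).
TODAY = date(2026, 3, 1)
BASELINE = [
    Entitlement("alice", "human", "crm", "read", date(2026, 2, 20), "alice"),
    Entitlement("bob", "human", "billing", "read", date(2026, 2, 25), "bob"),
    Entitlement("svc-reports", "service_account", "warehouse", "read",
                date(2025, 10, 1), "data-team"),
    Entitlement("carol", "human", "wiki", "edit", date(2026, 1, 5), "carol"),
]
CURRENT = [
    Entitlement("alice", "human", "crm", "read", date(2026, 2, 27), "alice"),   # unchanged, used: skipped
    Entitlement("bob", "human", "billing", "admin", date(2026, 2, 28), "bob"),  # escalated to admin
    Entitlement("svc-reports", "service_account", "warehouse", "read",
                date(2025, 10, 1), "data-team"),                               # dormant 151 days
    Entitlement("agent-triage", "ai_agent", "ticketing", "write",
                date(2026, 2, 28), None),                                      # new agent, no owner
    Entitlement("dave", "human", "crm", "read", date(2026, 2, 15), "dave"),     # new low-risk grant
]


if __name__ == "__main__":
    for ent, reasons in build_review_queue(BASELINE, CURRENT, TODAY):
        print(f"{ent.identity:>12} @ {ent.resource:<10} {ent.permission:<6} "
              + "; ".join(reasons))
```

With the constructed snapshots, four of five current entitlements reach a reviewer and alice's unchanged, recently used read access is left alone; the reasons attached to each item are what turns a certification from "did the review happen" into "what changed and why."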

Thank you, Mr. Kevin, for taking the time to share your insights with us.


About Kevin Paige

As Field CISO at ConductorOne, Paige is responsible for advising on cybersecurity strategies, engaging with current and prospective customers, and aligning security initiatives with business objectives. He brings over 30 years of technology and security leadership with expertise in delivering solutions that optimize security, compliance, and technical operations for both the private and public sectors. Paige is also an investor at Silicon Valley CISO Investments and venture advisor at Glilot Capital Partners.

Previously, Paige served as CISO for Flexport, provider of the leading supply chain logistics platform. He was also CISO for MuleSoft, where he helped lead the company to its acquisition by Salesforce in 2018.

About ConductorOne

ConductorOne is the first AI-native identity security platform that protects every identity: human, non-human, and AI. Using a broad base of out-of-the-box connectors, powerful automation, and platform-level AI capabilities, it centralizes identity and access visibility, enforces fine-grained access controls, enables just-in-time access, and automates user access reviews across all apps and infrastructure. Organizations can efficiently and securely manage the entire lifecycle of identities and streamline compliance tasks—all from a single, quick-to-deploy platform. ConductorOne is easy to use, connects to all of your apps, and is AI powered—we make securing identity effortless regardless of environmental complexity. ConductorOne is trusted by forward-thinking enterprises like DigitalOcean, Instacart, Ramp, and Zscaler.

  • Wasim Attar manages ITTech Pulse, a digital e-magazine under Demand Media, delivering timely technology insights and trends. As a PR professional, he drives brand visibility through guest contributions, exclusive interviews, and strategic campaigns, positioning ITTech Pulse as a voice in technology.