Beneath Seattle’s bustling Pioneer Square lies the remains of another city. After the Great Fire of 1889, local engineers elevated the street level, leaving behind the original storefronts and sidewalks in a warren of subterranean tunnels. This hidden underworld, known as the Seattle Underground, was buried to make room for progress. But it never disappeared, it just became invisible.

Today, our digital infrastructure mirrors that layered reality. Security teams are tasked with safeguarding an environment built on top of earlier architectures, older assumptions, and interfaces that weren’t designed for what they now support. At BSides Seattle 2025, more than a thousand practitioners came together on the Microsoft campus, in Building 92, to explore how we secure not just the software we run, but the systems we rely on, even when we don’t understand all their layers.

At the heart of these conversations was one stark realization: many of our systems don’t work for the people who depend on them or are managing workloads. Our concept of “identity,” long anchored in the assumptions of human behavior, is rapidly becoming unfit for the purpose.

We’ve Built Systems That Fail People by Default

Wendy Nather gave a raw and heartfelt keynote: “Falling Off the Edge, and How to Help.” Her core message: most people and organizations can’t secure themselves. And it’s not their fault.

Drawing from stories as personal as her husband’s sudden passing, and as far-reaching as the 800 organizations impacted by the Blackbaud ransomware breach, Wendy argued that security systems routinely break under stress, not because of poor training, but because of unrealistic expectations about who they serve and how. 

Security, she reminded us, must be usable on your worst day. Yet we keep shipping solutions that demand perfect recall, steady hands, and uninterrupted attention spans. From public infrastructure scraping by on end-of-life gear to nonprofits forced to duct-tape defenses together, the security poverty line is real. Budget, expertise, capability, and influence all determine who gets to defend themselves effectively.

Her talk reframed the technical session at the event. If security isn't accessible, it isn’t secure. And if we build systems that collapse under human stress, they’ll fail at machine scale even faster.

Wendy Nather

Humans Aren’t the Majority Of Identities Anymore

In her talk, “Beyond Humans: The Event Horizon for Identity & Access Management,” Heather Flanagan, founder of Spherical Cow Consulting and current chair of the IETF's SPICE Working Group, shifted the lens to something even more unaccounted for than the end users of systems: non-human identities (NHIs) that comprise our applicattions and services.

Today’s infrastructure is saturated with non-human identities (NHIs), namely APIs, service accounts, batch jobs, and ephemeral containers, which outnumber humans and often carry more privileges than they should. Yet we treat them like just another user in the directory. That thinking, Heather argued, is a fundamental risk.

“An API key is not an identity,” she said, “no more than a password is a human.” That framing is more than clever. It’s a call to reengineer how we define trust. APIs exist to expose privileged functionality to other systems. They are high-value targets by design. And without cryptographic attestation, contextual validation, and a lifecycle that reflects their purpose, not just their persistence, we are granting permanent access to temporary agents.

Emerging standards like WIMSE, SCITT, and SPICE offer a new path: identity that's portable, ephemeral, and verifiable. However, these are very early in their development, and without widespread adoption, our systems remain built on the equivalent of unsecured side doors. NHIs shouldn't mimic human IAM. They should become everything we wish human IAM could be.

Heather Flanagan

When Authentication Breaks

In her incident-packed session “When AuthN Breaks: Real World Failures,” Maya Kaczorowski, Founder of Oblique, took attendees on a tour of the last few years of authentication disasters. From the LAPSUS$ breach of Okta to attacks relying on MFA fatigue at Cisco and Uber, the theme was clear: identity protections built around human behaviors are often trivially bypassed. Especially when no one is watching.

What stood out most was how many of these failures stemmed from credential misuse and poor boundary enforcement. Static passwords, stolen OAuth tokens, and improperly scoped API keys played a role in breach after breach. Whether it's a session that never times out, a user with excessive privileges, or a system where credentials outlive the infrastructure they protect, the result is the same: a brittle perimeter defended by duct tape.

Maya called for us to implement phishing-resistant multi-factor authentication (MFA), stronger session management, and rigorous token rotation. More than anything, though, she reminded us that users will make mistakes. Our job is not to fix the user. It’s to build systems that assume the user can easily, mistakenly fail, and contain the blast radius when they do.

Maya Kaczorowski

Replacing Secrets with Attestation

Nivathan Somasundharam, DevSecOps Evangelist from Teleport, walked us through an elegant solution to solving secrets sprawl by moving away from long-lived secrets. His talk, “Implementing SPIFFE for Zero Trust Multi-Cloud Workload Authentication,” was a technical deep dive into how identity can be rebuilt from the ground up using cryptographic verification.

SPIFFE (Secure Production Identity Framework for Everyone) provides short-lived, attestable identities to workloads. Unlike long-lived API tokens or shared secrets, SPIFFE IDs are automatically rotated, workload-bound, and backed by cryptographic guarantees. This flips the IAM model on its head: instead of asking “does this token look valid?”, SPIFFE lets us ask “did this specific workload receive an identity through an auditable, provable process?”

In a world where workloads live for minutes and services stretch across clouds, this is what good Zero Trust can look like. SPIFFE recommends identity-based access by default. Nivathan’s examples, CI/CD pipelines, microservice isolation, and cross-cloud mTLS were compelling not just for their clarity, but for what they signaled. It's time for attestation to take its place.

Nivathan Somasundharam

Trust, Rebuilt for Reality

What emerged across every session, from human grief to ephemeral workloads, was a single, urgent theme: our systems are misaligned with the reality of who uses them, how they break, and what they protect.

Identity Must Be Contextual, Not Static

Across so many of the stories shared at BSides Seattle, the common failure point is the same: a mismatch between identity and purpose. Today’s IAM systems assume long-term associations, fixed roles, and minimal context. But trust isn’t binary; it’s a function of situation, risk, and time.

That’s why we must move toward identities that are:

  • Attested: Proven through verifiable, auditable processes.
  • Ephemeral: Bound to the task, not the entity.
  • Scoped: With minimal and time-limited privileges.
  • Portable: Able to traverse systems without translation loss.

This isn’t just theory. It’s engineering. And it starts with replacing static secrets with dynamic identities.

Risk Management Is Not Just Math

Adam Shostack’s keynote, “Risk Is Not Axiomatic,” drove home another critical point: most of what we call “risk” is really "uncertainty, poorly modeled." We need to treat risk models like scientific hypotheses, testable, debatable, and constantly updated. That lens is deeply relevant to IAM.

Current risk assessments often rely on brittle inputs, role definitions, password policies, and perimeters, without accounting for attacker choice or systemic sensitivity. When applied to NHIs, this leaves a wider gap in assessment. One poorly scoped API key can offer access far beyond what the risk register assumed.

So what should we do instead? Measure what matters. Build for attestation, not assumption. And always account for the human cost of system failure.

Adam Shostack

Building For The Worst Day, Not The Best Case

The Seattle Underground was buried not to hide failure, but to enable progress. It remains today as a quiet reminder that every layer of infrastructure we build sits atop the remnants of what came before. The same is true of our security systems. Your author was able to give a talk about how we arrived at our current state with NHI secrets sprawl and how we can build something better together.

At BSides Seattle 2025, every conversation came back to the same principle: trust must be rebuilt, intelligently, empathetically, and above all, realistically. Whether you're managing thousands of microservices or helping someone access a loved one’s data after a tragedy, the question is the same: Does your system work for people under stress? Does it protect data when no one's watching?

GitGuardian is actively building solutions that help teams secure the real infrastructure they run. The NHIs that make up our applications and critical systems. From secrets detection to non-human identity governance, we’re focused on helping security teams build for the messiness of reality.