Agentic AI Meets Identity: CISO Masterclass with Ashley Devoto and Emily Heath

In this Friday session hosted by Linx Security CEO and co-founder Israel Duanis, two respected leaders—Emily Heath (former CISO at AECOM, United Airlines, and DocuSign; board director at Wiz, LogicGate, and Gen Digital; and partner at Cyberstarts) and Ashley Devoto (CISO at Discount Tire)—cut through the noise on identity security in 2025. The conversation blends board-level governance, operator realism, and the coming wave of agentic AI.

Identity in 2025: from people to machines

“Identity is the fundamental pillar of security,” Emily reminds us, and that pillar now supports far more than humans. The modern estate is saturated with non-human identities—service accounts, machine identities, bots, and soon autonomous agents. Even mid-sized enterprises can carry hundreds of thousands to millions of identities once you count the machine layer. That scale shift changes everything: governance models, lifecycle management, and how we think about risk.

Ashley brings the operator’s lens: most recent incidents hinge on compromised credentials, and attackers’ speed has collapsed dwell time. Access needs change hourly, not quarterly, yet many companies are still doing quarterly access reviews. The gap between how fast risk accumulates and how slowly we certify access is where trouble lives.

“We’re trying to get to near real-time understanding of who has access to what, why, for how long, and how it’s being used—and to act quickly when it’s not needed,” Ashley says.

Governance has to run in real time

Both leaders agree: waiting for periodic audits is obsolete. Emily has watched the pressure rise from two directions:

Cyber insurance underwriters now drill deeply into identity, especially privileged access. The questionnaires are long, the calls are technical, and identity dominates the discussion.
Boards and audit committees expect evidence that privileged identities are governed and tested continuously. User-access reviews and segregation-of-duties issues still show up as common control gaps—but they shouldn’t in 2025.

“Why are we waiting every quarter or every year to do this? We just don’t have that luxury anymore,” Emily notes.

Identity as business enabler—and resilience backbone

Identity is no longer a compliance checkbox; it enables the business. Emily shares a timely example: organizations are training every employee on AI and rolling out low/no-code tooling far beyond IT. HR teams winning hackathons isn’t a meme; it’s happening. That empowerment only works when identity and access are designed for scale and safety.

Just as important, identity is now core to resilience. Backups alone don’t bring a company back; you need the identity fabric—the ability to re-establish trustworthy accounts, roles, and policies so systems can restart. Identity is therefore dual-use: it accelerates the front office and restores the back office when it matters most.

Retail realities: experience, scale, and trust

Running security for a nationwide retailer, Ashley connects identity to customer experience and revenue. Omnichannel models, complex supply chains, and a distributed workforce raise the bar. The expectation is “speed with assurance”—onboarding in hours, not days, with the right, minimal access from day one.

“Consumers now expect a higher level of care with their data,” Ashley explains. “Customer identity can be a competitive differentiator when you do it right.”

That means investing in identity user experience (for employees and customers), shrinking time-to-productive access, and aligning controls with business priorities like simplification, automation, and waste elimination.

You can’t protect what you can’t see

Visibility is table stakes—and still hard. Ashley is blunt: assets, apps, data, and identities must be visible before they can be protected or governed. Emily urges unification without centralization: security won’t—and shouldn’t—own every identity platform, but it must see across them.

Pivoting views by person (not just by application) changes risk management. If one user legitimately holds multiple privileged roles, their risk weighting increases. That warrants tighter detections, closer monitoring, and strong just-in-time (JIT) access—even if the access is legitimate.

“We don’t want to manage it all. That would bottleneck the business,” Emily says. “But we absolutely need the unified view to make smart decisions.”

Agentic AI: the opportunity and the guardrails

AI is no longer optional; it’s embedded in how teams work. Emily is clear: embrace it and build governance into everyday operations—from security operations to vulnerability management. Done right, AI gives defenders tools as powerful as the attackers’. The playing field won’t be perfectly level, but it’s closer than it’s ever been.

Ashley translates that into operating practice. Treat AI agents like service accounts with:

Clear ownership and purpose
Scoped, time-bound, and just-in-time access
Separation of duties and recertification
Runtime guardrails (rate limits, exfiltration controls, data flow constraints)
Kill switches for rapid containment

“The appetite from the business is full-steam ahead,” Ashley says. “Our job is to unlock the power securely.”

What leaders can do now

This conversation converges on a pragmatic blueprint. Start with comprehensive visibility into human and non-human identities. Move from periodic to continuous access governance and focus especially on privileged access. Design identity experiences that accelerate onboarding and productivity—speed with assurance—and make customer identity (CIAM) part of your brand promise. Finally, prepare for agentic AI by baking identity guardrails into provisioning and runtime.

Why this matters: Identity is the control plane for modern security and business velocity. In Emily Heath’s words, it’s the “fundamental pillar.” In Ashley Devoto’s, it’s how you safely go faster. Unify visibility, govern continuously, elevate user experience, and treat AI agents like first-class identities. Do that, and identity becomes both your growth engine and your recovery plan.