The Grok version of the Bredemarket blog post at https://bredemarket.com/2025/12/10/access-and-somewhat-you-why/
Access and “Somewhat You Why”
In case you missed it, I’ve been pushing a sixth factor of authentication called “Somewhat You Why.”
“As I refined my thinking, I came to the conclusion that “why” is a reasonable factor of authentication, and that this was separate from the other authentication factors (such as “something you do”).”
And now Identity Jedi Harvey Lee is also asking the “why” question, but specifically in terms of access control.
“[B]ecause we couldn’t determine why someone needed access, we built systems that tried to guess the answer for us….
“Roles were never about “least privilege.” Roles were our attempt to predict intent at scale. And like most predictions, especially in complex systems, they were right until they weren’t….
“Instead of front-loading permissions for every possible future scenario, we authorize the current scenario. Identity might still be the new perimeter — but intent is the new access key.”
Read “Intent Is the New Access Key.”
For example, if a dehydrated man wants to unlock a water tank, I have a pretty good idea of his intent.

How Do You Make Cash Payments to the CORRECT People?
In the United States, we forget that much of the world does NOT fill out W-9 forms.
Take the apparel industry in Jordan.
“In Jordan, the apparel sector relies heavily on a large migrant workforce, many of whom lack access to bank accounts and remain unbanked. Wage payments have traditionally been cash-based…”
To facilitate cash payments to unbanked apparel workers in Jordan, IrisGuard stepped in with its EyePay product.
“Cairo Amman Bank (CAB) Jordan…has launched a national-scale biometric cash salary payment network for unbanked workers.
“With just a simple iris scan, employees can securely access their wages instantly, without the need for a bank account, PIN, or physical ID.”
I don’t think this is tied to an iris-based time and attendance system, but that is the obvious next step.
Bredemarket’s Biggest Accomplishments in 2025 (So Far)
I’m jumping ahead in the year-end post ridiculousness to cite Bredemarket’s two most notable accomplishments this year. Not to detract from my other accomplishments this year, but these two were biggies.
The first was my Biometric Update guest post in May, “Opinion: Vendors must disclose responsible uses of biometric data.” I discussed elsewhere my reasons for writing this, and created a Bredemarket-hosted video summarizing my main points.
The second was my go-to-market effort for a Bredemarket client in September, which I discussed (without mentioning my participation) here. And there’s a video for that effort also.
I’ve accomplished many other things this year: client analyses, blog posts (both individually and in series), consultations, presentations, press releases, proposals, requirements documents, sales playbooks, and many more.
And I still have three more weeks to accomplish things.
’Tis the Season to Be Scammy
During this shopping season, you will be offered incredible deals if you act NOW.
But before you respond to that mysterious “secret Santa” and send that gift (or those gift cards) TODAY to receive a highly-valued gift in return…know your business.
After all, ’tis the season to be scammy.
Order in the Court: California AI Policies
Technology is one thing. But policy must govern technology.
For example, is your court using artificial intelligence?
If your court is in California, it must abide by this rule by next week:
“Any court that does not prohibit the use of generative AI by court staff or judicial officers must adopt a generative AI use policy by December 15, 2025. This rule applies to the superior courts, the Courts of Appeal, and the Supreme Court.”
According to Procopio, such a policy may cover items such as a prohibition on entering private data into public systems, the need to verify and correct AI-generated results, and disclosures on AI use.
Good ideas outside the courtroom also.
For example, the picture illustrating this post was created by Google Gemini—as of this week using Nano Banana.
Which is not a baseball team.

When Your Prospects’ Experience Is Not Your Own
This is an admittedly extreme example, but we need to remember that our prospects’ experience may not be our own.
Focus on customer needs.
The Biometric Challenges of Twins
Facial recognition and DNA can’t tell identical twins apart. (Well, not unless you can detect somatic mutations.) Even Santa can’t tell.
And fingerprints don’t work because everyone at the North Pole wears gloves.
A Little Whimsy
The video includes audio from one song and references three others.
Detecting Deceptively Authoritative Deepfakes
I referenced this on one of my LinkedIn showcase pages earlier this week, but I need to say more on it.
We all agree that deepfakes can (sometimes) result in bad things, but some deepfakes present particular dangers that may not be detected. Let’s look at how deepfakes can harm the healthcare and legal professions.
Arielle Waldman of Dark Reading pointed out these dangers in her post “Sora 2 Makes Videos So Believable, Reality Checks Are Required.”
But I don’t want to talk about the general issues with believable AI (whether it’s Sora 2, Nano Banana Pro, or something else). I want to home in on this:
“Sora 2 security risks will affect an array of industries, primarily the legal and healthcare sectors. AI generated evidence continues to pose challenges for lawyers and judges because it’s difficult to distinguish between reality and illusion. And deepfakes could affect healthcare, where many benefits are doled out virtually, including appointments and consultations.”
Actually, these are two separate issues, and I’ll deal with them both.
Health Deepfakes
It’s bad enough that people can access your health records just by knowing your name and birthdate. But what happens when your medical practitioner sends you a telehealth appointment link…except your medical practitioner didn’t send it?
So here you are, sharing your protected health information with…who exactly?
And once you realize you’ve been duped, you turn to a lawyer.
Or you think you turn to a lawyer.
Legal Deepfakes
First off, is that lawyer truly a lawyer? And are you speaking to the lawyer to whom you think you’re speaking?
And even if you are, when the lawyer gathers information for the case, who knows if it’s real? And I’m not talking about the lawyers who cited hallucinated legal decisions. I’m talking about the lawyers whose eDiscovery platforms gather faked evidence.
The detection of deepfakes is currently concentrated in particular industries, such as financial services. But many more industries require this detection.
