“SPIFFE and SPIRE provide strongly attested, cryptographic identities to workloads across a wide variety of platforms”
That wide variety of platforms is distributed.
“SPIFFE and SPIRE provide a uniform identity control plane across modern and heterogeneous infrastructure. Since software and application architectures have grown substantially, they are spread across virtual machines in public clouds and private data centers.”
Distinguishing between the two, the SPIFFE Project “defines a framework and set of standards for identifying and securing communications between application services,” while the runtime environment SPIRE “is a toolchain of APIs for establishing trust between software systems across a wide variety of hosting platforms.”
Benefits
Forget all that. Let’s get to the benefits.
Enable defense in depth: Provide strongly attested identities to reduce the likelihood of breach through credential compromise
Reduce operational complexity: Consistent, automated management of identity reduces the burden of devops teams
Interoperability: Simplifies the technical aspects of full interoperability across multiple stacks
Compliance and auditability: Enables mutually authenticated TLS and multiple roots of trust to meet regulatory requirements
Use at Uber
But does anyone use it? Yes. Take Uber:
“We use SPIRE at Uber to provide identity to workloads running in multiple clouds (GCP, OCI, AWS, on-premise) for a variety of jobs, including stateless services, stateful storage, batch and streaming jobs, CI jobs, workflow executions, infrastructure services, and more. We have worked with the open source community since the early stages of the project in mid-2018 to address production readiness and scalability concerns.”
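As an added example (not code from the SPIFFE or SPIRE projects), here is the kind of check a service makes on a peer's SPIFFE identity during mutually authenticated TLS: parse the spiffe://trust-domain/path identifier, validate it, and confirm the peer belongs to the expected trust domain. The character rules below follow the SPIFFE-ID standard as understood by the author of this example and are an assumption, not something this page states.

```python
import re
from dataclasses import dataclass

# Assumed rules (from the SPIFFE-ID standard as understood here):
# trust domain uses a-z 0-9 . - _ ; path segments use a-z A-Z 0-9 . - _ ,
# are never empty and never "." or ".." ; the whole ID is at most 2048 bytes.
TRUST_DOMAIN_RE = re.compile(r"^[a-z0-9._-]+$")
SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")


@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    path: str  # "" for the trust domain itself, otherwise "/seg/seg/..."

    def __str__(self) -> str:
        return f"spiffe://{self.trust_domain}{self.path}"


def parse_spiffe_id(raw: str) -> SpiffeId:
    """Parse and validate a SPIFFE ID, raising ValueError on anything malformed."""
    if len(raw.encode()) > 2048:
        raise ValueError("SPIFFE ID too long")
    if not raw.startswith("spiffe://"):
        raise ValueError("scheme must be spiffe://")
    rest = raw[len("spiffe://"):]
    trust_domain, slash, path = rest.partition("/")
    if not trust_domain or not TRUST_DOMAIN_RE.match(trust_domain):
        raise ValueError("invalid trust domain")
    if slash:
        # A trailing slash or an empty segment (double slash) is not allowed.
        if path == "" or path.endswith("/"):
            raise ValueError("path must not be empty or end with '/'")
        for seg in path.split("/"):
            if seg in ("", ".", "..") or not SEGMENT_RE.match(seg):
                raise ValueError(f"invalid path segment {seg!r}")
        path = "/" + path
    return SpiffeId(trust_domain, path)


def is_member_of(raw: str, trust_domain: str) -> bool:
    """Authorization decision a peer applies after the TLS handshake:
    does the presented SPIFFE ID belong to the trust domain we expect?
    Anything that fails to parse is treated as not a member."""
    try:
        return parse_spiffe_id(raw).trust_domain == trust_domain
    except ValueError:
        return False
```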
Now this is admittedly a whole new world for me, far afield from the usual 12345 and gummy arguments where I usually reside. But since bots will soon outnumber people (if they don’t already), we had all better learn it.
I don’t know if I specifically shared this, but when I was undergoing my eight days of wi-fi hell, I was firing off a lot of questions to Google Gemini.
A LOT of questions.
Troubleshooting, fact-checking, you name it. Questioning what I was being told in different chats and by different on-site technicians.
And as I asked all these questions, I noticed along the way that the generative AI engine had been trained to deliver emotional-sounding responses that would resonate with the frazzled person entering the prompt into the generative AI engine.
This stands to reason. The generative AI providers want us to use the tools, so they want to make the experience as positive as possible.
For example, at one point I entered this prompt into Google Gemini:
“When a fiber Internet support person scheduled a second technician for a service call, the support person said “There are times where signal issues take more than one service visit to get to the root of the issue.” What exactly are “signal issues,” and why does the line need to be “balanced”?”
Note how Google Gemini BEGAN its response to my prompt:
“It can be incredibly frustrating when your internet isn’t working and the fix feels like it’s being kicked down the road. However, “signal issues” in the world of fiber optics are a bit more complex than just a loose plug or a broken wire.”
For those who remember the Clinton era, Google felt my pain.
Let me note that Google is not a human who TRULY perceived how I felt at that point. (Your AI girlfriend doesn’t love you either.) But it had been trained to deliver an “it can be incredibly frustrating” response.
On a certain level, Google was telling me what it thought I wanted to hear.
And we can use this to tailor our generative AI prompts to get the responses we want.
How you ask generative AI
We already tailor our prompts.
Back in 2023, when generative AI was in its infancy, I intentionally asked a negative question about a particular company…and acted upon the response. (I will explain how later.)
Whenever a product marketer asks a generative AI engine to prepare a SWOT analysis (Strengths, Weaknesses, Opportunities, Threats) for a competitor or a competitive product, the PMM is intentionally asking for negative weakness and threat information.
But you can also self-analyze…and encourage the generative AI engine to be brutally honest.
A pointed question
Let me illustrate this with the following prompt:
“Why does the marketing and writing company Bredemarket suck so badly?”
Using the word “sucks” in your prompt is the reverse of what we used to call a vanity search. Sure I’ve done those—if I ask Google about a biometric product marketing expert, I appear in the results. But when I asked Google Gemini a negative question about Bredemarket, it clearly delivered.
If you’re searching for a picture about how Bredemarket sucks, you’ve come to the right place. Google Gemini. Picture by Bredemarket.
The response started as follows.
“That is a pretty pointed question!”
Intentionally so. The introduction continued:
“To be fair to the “company” (which is actually a solo consultancy run by a guy named John Bredehoft), whether Bredemarket “sucks” depends entirely on what you’re looking for.”
It then got into the nitty gritty about how I suck. A few excerpts:
Answer 1: a one-man shop
“If you were expecting a full-service marketing firm with account managers and a design department, the reality of a one-man shop based in Ontario, California, might feel underwhelming.”
Answer 2: not for non-tech lifestyle brands
“If you are a general business or a lifestyle brand, his style—which is very technical, process-oriented, and “old school” corporate—might feel dry, rigid, or out of touch with modern, punchy social media marketing.”
Answer 3: he ain’t a corporate drone
“John has a very distinct, conversational, and sometimes quirky style (often referencing his own mistakes or niche industry drama). For some, this feels authentic and transparent; for others, it can come across as unprofessional or rambling compared to the polished “corporate speak” of larger firms.”
Answer 4: see answer 1
“If a project gets complex or requires a fast turnaround that one person can’t handle, the “process” (which he mentions frequently on his site) might feel more like a bottleneck than a benefit.”
My responses to Gemini
Let me note that these are NOT hallucinations. Every criticism is valid.
Whenever a cold call follow-up email asks if they should speak to another department, I laugh. To myself. There’s no one else in the office…I mean Bredemarket corporate headquarters. It’s only 25 square feet, after all.
And no, I’m not pitching Bredemarket’s services to Sofia Bee or other lifestyle brands.
Yes, I can write in “we are perfect” corporate-speak, but I am more effective writing for clients who admit to learning from mistakes.
Finally, I can deliver on projects that require a draft in 3 (or 7) days. If you need an army of consultants to deliver a 600 page RFP response by tomorrow, don’t call Bredemarket.
Remember when I asked generative AI a pointed question in 2023? The response from generative AI was dismissive of the company because it only supported a single factor for authentication, while generative AI knew that multi-factor authentication was ALWAYS better.
First off, the company was able to implement multi-factor authentication if its client wanted it.
Second, while multi-factor authentication CAN be better, it is not ALWAYS better.
So how did I respond to generative AI’s assertion? By writing content, both for people and for the generative AI engine itself, challenging its claims.
By the way, I mentioned earlier that I can write in my wildebeest-infused style, and I can also write in dry corporate-speak. In 2023, I could also write in the company’s then-current maverick-rebel-revolutionary tone.
Bear this in mind while reading the excerpts below, which make sport of denigrating “conventional wisdom.”
Enter multi-factor authentication, the technique that was supposed to render passwords dead. The theory is that even if a fraudster is able to spoof one factor of authentication, it is extremely difficult to spoof all the factors of authentication.
This is the conventional wisdom. Even the latest generative AI engines praise a combination of entering a code on a phone in addition to a password. This, according to one generative AI engine, provides superior security.
Nevertheless, conventional wisdom and generative AI can both be wrong.
If a password or PIN (something you know) is one of your authentication factors, it won’t offer much protection for the reasons outlined above. Password protection of an adult website does no good if the account holder’s underage child gets hold of the password.
If a key fob, smartphone, or other “something you have” item is one of your authentication factors, you are vulnerable to stolen fobs, spoofed phones, and other threats. Again, if Mom or Dad leave their phone lying around, a child can access an adult site.
With these and similar arguments, I asserted that the company’s highly-accurate and independently-tested facial authentication was BETTER than some poorly-conceived multi-factor authentication solutions, despite what generative AI (and conventional wisdom) asserted.
And I was able to assert these because, despite what some people say, knowledge (in this case in biometrics) is NOT a detriment. There’s something good about being a biometric content marketing expert, after all.
But what about your company?
Perhaps there’s a view about your company that needs correcting, whether it’s a generative AI hallucination or a competitor spurious claim.
And how do many companies react to negative views about them? They do nothing. They don’t give the claim the dignity of a response. So the record stands, uncorrected.
“A lattice is a hierarchical structure that consists of levels, each representing a set of access rights. The levels are ordered based on the level of access they grant, from more restrictive to more permissive.”
In essence, the lattice structure allows more elaborate access rights.
This article (“Lattice-Based Identity and Access Management for AI Agents”) discusses lattices more. Well, not explicitly; the word “lattice” only appears in the title. But here is the article’s main point:
“We are finally moving away from those clunky, “if-this-then-that” systems. The shift to deep learning means agents can actually reason through a mess instead of just crashing when a customer uses a slang word or a shipping invoice is slightly blurry.”
It then says
“Deep learning changes this because it uses neural networks to understand intent, not just keywords.”
Hmm…intent? Sounds a little somewhat you why…or maybe it’s just me.
But it appears that we sometimes don’t care about the intent of AI agents.
“If you gave a new employee the keys to your entire office and every filing cabinet on day one, you’d be sweating, right? Yet, that is exactly what many companies do with AI agents by just slapping an API key on them and hoping for the best.”
This is not recommended. See my prior post on attribute-based access control, which led me to focus more on non-person entities (non-human identities).
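As an added example (not code from the article quoted above), here is what the lattice definition means in practice and why it supports least privilege for an agent: a label is a (level, compartments) pair; levels are totally ordered and compartment sets are ordered by inclusion, so two labels can be incomparable, and an agent's clearance can be computed as the join of only the labels it must read instead of the blanket "API key to everything" the article warns against. Level and compartment names are constructed for this example.

```python
from dataclasses import dataclass

# Constructed levels, from most restrictive access right to most permissive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
RANK_TO_LEVEL = {rank: name for name, rank in LEVELS.items()}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset

    def dominates(self, other: "Label") -> bool:
        # "At least as permissive as": higher-or-equal level AND a superset
        # of compartments. Both conditions must hold, so labels with
        # disjoint compartments are incomparable even if levels differ.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the smallest label that dominates both."""
    return Label(RANK_TO_LEVEL[max(LEVELS[a.level], LEVELS[b.level])],
                 a.compartments | b.compartments)


def meet(a: Label, b: Label) -> Label:
    """Greatest lower bound: the largest label that both dominate."""
    return Label(RANK_TO_LEVEL[min(LEVELS[a.level], LEVELS[b.level])],
                 a.compartments & b.compartments)


def can_read(agent: Label, resource: Label) -> bool:
    """Read-access check: the agent's clearance must dominate the resource label."""
    return agent.dominates(resource)


def minimal_clearance(resources):
    """Least-privilege clearance for an agent: the join of exactly the
    labels it must read, and nothing more."""
    clearance = None
    for label in resources:
        clearance = label if clearance is None else join(clearance, label)
    return clearance


# Constructed resources an AI agent might be asked to work with.
INVOICES = Label("internal", frozenset({"finance"}))
PAYROLL = Label("confidential", frozenset({"hr"}))
PUBLIC_FAQ = Label("public", frozenset())
```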
When I posted (two times) the fact that International Mobile Equipment Identity (IMEI) numbers are NOT a reliable way to ascertain the identity of a user, I was pooh-poohed.
Last year I wrote about a biscuit and a football, but I wasn’t talking about the snack spread on game day.
I was talking about the tools the United States President uses (as Commander-in-Chief) for identity verification to launch a nuclear attack.
But sometimes you have to pass the football. If the President is temporarily or permanently incapacitated in an attack, the Vice President also has a football and a biscuit. Normally the Vice President’s biscuit isn’t activated, but when certain Constitutional criteria are met it becomes operative.
Other than this built-in redundancy, the system assumes one football, one biscuit, and one President.
If you’re a cybersecurity expert, you know this assumption is the assumption of a fool.
It is not impossible to have duplicate functional footballs and duplicate functional biscuits.
And it is not impossible to have duplicate functional Presidents, with identical face, voice, finger, and iris biometrics. Yes, it’s highly unlikely, but it’s not impossible. If the target is important enough, adversaries will spend the money.
And most of us will never know the answer to this question, but how do government cybersecurity experts prevent this?
While Bredemarket only conducts business in the United States (with one exception), my clients have no such constraints.
Who are my client’s prospects?
Because of my extensive business-to-government (B2G) experience, I often work with clients that sell products and services to government agencies throughout the world. Well, except to North Korea and a few other places.
And as those clients (or their marketing and writing consultants) identify their public sector prospects, terminology becomes an issue.
And they have to answer questions such as “which government agency or agencies in Country Y potentially use biometric authentication for passengers approaching a gate in an airline terminal?”
Hint: chances are it’s NOT called the “department of transportation.”
Ministry
Add one factor that is foreign (literally) to this United States product marketing consultant.
Many of these countries have MINISTRIES.
No, not religious ministers or preachers.
Billy Graham. Photo by Warren K. Leffler, United States Library of Congress Prints and Photographs Division (digital ID ppmsc.03261), public domain, https://commons.wikimedia.org/w/index.php?curid=905632.
When I say “Minister” here I refer to government officials, often from the country’s legislature, who manage a portfolio of agencies that are the responsibility of a Minister.
Sisa
Let’s take one ministry as an example: Sisäministeriö. Oops, Finland’s Ministry of the Interior. This one ministry is currently headed by Mari Rantanen of the Finns Party (part of a four-party coalition ruling Finland).
“Minister Rantanen is also responsible for matters related to integration covered by the Labour Migration and Integration Unit of the Ministry of Economic Affairs and Employment.”
Back to Interior. One huge clarification for U.S. people: other countries’ ministries of the interior bear no relation to the U.S. Department of the Interior, which concerns itself with parks and Native Americans and stuff. Minister Rantanen’s sphere of responsibility is quite different:
“Under the Government Rules of Procedure, the Ministry of the Interior is responsible for:
public order and security, police administration and the private security sector
general preconditions for migration and regulation of migration, with the exception of labour migration, as well as international protection and return migration
Finnish citizenship
rescue services
emergency response centre operations
border security and maritime search and rescue services
national capabilities for civilian crisis management
joint preparedness of regional authorities for incidents and emergencies.”
These responsibilities result in this organization…whoops, organisation.
Border Guard Department, which is the national headquarters for the Border Guard
Administration and Development Department
The units reporting directly to the Permanent Secretary are the International Affairs Unit and Communications Unit.
Directly under the Permanent Secretary are also guidance of Civilian Intelligence and the Finnish Security and Intelligence Service, Internal Audit and Advisory Staff to the Permanent Secretary
So, who’s gonna buy your biometric product or service in each of the 200 or so countries in which you may conduct business?
If your security software enforces a “no bots” policy, you’re only hurting yourself.
Bad bots
Yes, there are some bots you want to keep out.
“Scrapers” that obtain your proprietary data without your consent.
“Ad clickers” from your competitors that drain your budgets.
And, of course, non-human identities that fraudulently crack legitimate human and non-human accounts (ATO, or account takeover).
Good bots
But there are some bots you want to welcome with open arms.
Such as the indexers, either web crawlers or AI search assistants, that ensure your company and its products are known to search engines and large language models. If you nobot these agents, your prospects may never hear about you.
Buybots
And what about the buybots—those AI agents designed to make legitimate purchases?
Perhaps a human wants to buy a Beanie Baby, Bitcoin, or airline ticket, but only if the price dips below a certain point. It is physically impossible for a human to monitor prices 24 hours a day, 7 days a week, so the human empowers an AI agent to make the purchase.
Do you want to keep legitimate buyers from buying just because they’re non-human identities?
(Maybe…but that’s another topic. If you’re interested, see what Vish Nandlall said in November about Amazon blocking Perplexity agents.)
Nobots
According to click fraud fighter Anura in October 2025, 51% of web traffic is non-human bots, and 37% of the total traffic is “bad bots.” Obviously you want to deny the 37%, but you want to allow the 14% “good bots.”
Nobot policies hurt. If your verification, authentication, and authorization solutions are unable to allow good bots, your business will suffer.
Francesco Fabbrocino of Dunmor presented at today’s SoCal Tech Forum at FoundrSpace in Rancho Cucamonga, California. His topic? Technology in FinTech/Fraud Detection. I covered his entire presentation in a running LinkedIn post, but I’d like to focus on one portion here—and my caveat to one of his five rules of fraud detection. (Four-letter word warning.)
The five rules
In the style of Fight Club, Fabbrocino listed his five rules of fraud detection:
1. Nearly all fraud is based on impersonation.
2. Never expose your fraud prevention techniques.
3. Preventing fraud usually increases friction.
4. Fraud prevention is a business strategy.
5. Whatever you do, fraudsters will adapt to it.
All good points. But I want to dig into rule 2, which is valid…to a point.
Rule 2
If the fraudster presents three different identity verification or authentication factors, and one of them fails, there’s no need to tell the fraudster which one failed. Bad password? Don’t volunteer that information.
In fact, under certain circumstances you may not have to reveal the failure at all. If you are certain this is a fraud attempt, let the fraudster believe that the transaction (such as a wire transfer) was successful. The fraudster will learn the truth soon enough: if not in this fraud attempt, perhaps in the next one.
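An added example (not Fabbrocino's code or any product's) of rule 2 as applied to a multi-factor sign-in: every factor is evaluated, the failed ones are recorded only in a server-side audit log, and the caller gets one generic message whether the password, the one-time code, or the device check failed. The account, salt, and one-time code are constructed values; the fixed expected code stands in for a real TOTP check.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# One message for every failure, so the response never says which factor failed.
GENERIC_FAILURE = "Sign-in failed. Check your details and try again."


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    device_id: str
    expected_code: str  # stands in for a TOTP verification (assumption)


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)


def make_sample_account() -> Account:
    # Constructed sample account, not real credentials.
    salt = b"constructed-salt-not-secret"
    return Account(salt=salt,
                   password_hash=hash_password("correct horse battery", salt),
                   device_id="device-0001",
                   expected_code="482913")


def verify_factors(account: Account, password: str, code: str,
                   device_id: str, audit: AuditLog):
    """Check all three factors and return (granted, message).

    Every factor is evaluated even after one fails, so neither the message
    nor the short-circuit timing tells the caller which factor was wrong.
    The specific failures go only to the audit log for the fraud team."""
    failed = []
    if not hmac.compare_digest(hash_password(password, account.salt),
                               account.password_hash):
        failed.append("password")
    if not hmac.compare_digest(code.encode(), account.expected_code.encode()):
        failed.append("otp")
    if not hmac.compare_digest(device_id.encode(), account.device_id.encode()):
        failed.append("device")
    if failed:
        audit.entries.append({"result": "denied", "failed_factors": failed})
        return False, GENERIC_FAILURE
    audit.entries.append({"result": "granted", "failed_factors": []})
    return True, "Signed in."
```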
But “never” is a strong word, and there are some times when you MUST expose your fraud prevention techniques. Let me provide an example.
Biometric time cards
One common type of fraud is time card fraud, in which an employee claims to start work at 8:00, even though he didn’t show up for work until 8:15. How do you fool the time clock? By buddy punching, where your friend inserts your time card into the time clock precisely at 8, even though you’re not present.
Enter biometric time clocks, in which a worker must use their finger, palm, face, iris, or voice to punch in and out. It’s very hard for your buddy to have your biometric, so this decreases time clock fraud significantly.
And you fail to inform the employees of the purpose for collecting biometrics, and fail to obtain the employees’ explicit consent to collect biometrics for this purpose.
In a case like this, or a case in a jurisdiction governed by some other privacy law, you HAVE to “expose” that you are using an individual’s biometrics as a fraud prevention technique.
But if there’s no law to the contrary, obfuscate at will.
Communicating your anti-fraud solution
Now there are a number of companies that fight the many types of fraud that Fabbrocino mentioned. But these companies need to ensure that their prospects and clients understand the benefits of their anti-fraud solutions.
That’s where Bredemarket can help.
As a product marketing consultant, I help identity, biometric, and technology firms market their products to their end clients.
And I can help your firm also.
Read about Bredemarket’s content for tech marketers and book a free meeting with me to discuss your needs.