Mike Carroll

Mike CarrollEssays on where AI meets identity security: non-human identity, the agentic control plane, and code-level AI governance.https://carrolldot.com/en-usThe MFA bypass hiding in your Google Workspacehttps://carrolldot.com/blog/asp-mfa-bypass-detection/https://carrolldot.com/blog/asp-mfa-bypass-detection/App-specific passwords walk straight past multi-factor authentication and never show up in your audit logs. APT29 weaponized exactly that. Here is how to detect them across every user in your domain.Mon, 29 Jun 2026 00:00:00 GMTIdentity SecurityITDRMFAIncident ResponseGoogle WorkspaceThe AI control plane moves from protocol to principalhttps://carrolldot.com/blog/control-plane-protocol-to-principal/https://carrolldot.com/blog/control-plane-protocol-to-principal/As MCP goes stateless and base models absorb native capability, the control point for AI moves from the protocol to the principal: the identity, its credentials, and the purpose of its actions.Tue, 23 Jun 2026 00:00:00 GMTAI x IdentityMCPNHIIGAAI agentsYour AI agents are privileged identities you forgot to managehttps://carrolldot.com/blog/agents-are-privileged-identities/https://carrolldot.com/blog/agents-are-privileged-identities/An AI agent is a non-human identity with the lifecycle of a service account. Run every one through the same five gates: provisioning, least privilege, secret rotation, audit, deprovisioning.Fri, 19 Jun 2026 00:00:00 GMTAI x IdentityNHIIGAPAMAI agentsYou can't secure the AI you never inventoriedhttps://carrolldot.com/blog/ai-bill-of-materials/https://carrolldot.com/blog/ai-bill-of-materials/SBOMs became mandatory after Log4Shell proved you cannot secure what you have not inventoried. The same reckoning is hitting AI. Here is what an AI Bill of Materials covers, and why I built a scanner that produces one.Fri, 27 Mar 2026 00:00:00 GMTAI governanceAIBOMSBOMsupply chain securityChinese AIAI inventoryYour SOC 2 dashboard is green and still cannot answer the AI questionhttps://carrolldot.com/blog/soc2-tools-dont-cover-ai/https://carrolldot.com/blog/soc2-tools-dont-cover-ai/Vanta and Drata are excellent at infrastructure compliance. They were never built to scan your code for AI providers, and that is exactly the question enterprise buyers are now asking.Sun, 15 Mar 2026 00:00:00 GMTAI governanceSOC 2VantaDratacomplianceAI inventoryThe EU AI Act applies to you through your buyers, not Brusselshttps://carrolldot.com/blog/eu-ai-act-through-your-buyers/https://carrolldot.com/blog/eu-ai-act-through-your-buyers/US founders keep saying the EU AI Act does not apply to them. It does, through enterprise procurement. I have watched this exact ripple play out three times in thirty years.Sat, 14 Mar 2026 00:00:00 GMTEU AI ActAI governancecomplianceprocurementregulation