
2025‐09‐30

Aaron Parecki edited this page Oct 7, 2025 · 1 revision

IPSIE WG Meeting Minutes

Date: 2025-09-30

Attendees

  • Aaron Parecki (Okta)
  • Dean H. Saxe (self)
  • Karl McGuinness (self)
  • Jon Bartlett (Zscaler)
  • Shannon Roddy (self)
  • Gail Hodges (OIDF)
  • Bjorn Helm (Yubico)
  • Chris Anderson
  • Travis Tripp
  • Jen Schreiber (Workday)

Agenda

Notetaker: Dean H. Saxe

  • Dean is OOO next week, Aaron will run the call
  • Call will be canceled 10/14, 10/21 for IIW, Authenticate
  • Oktane discussion
    • feedback at the event - there is a lot of interest in everything AI
    • IPSIE is creating the secure way to do enterprise IAM
    • If AI tool adoption is slowed by lack of IAM mechanisms, how do we help people adopt AI tools via IPSIE
    • in other words - what are the controls IPSIE needs to help enterprises get comfortable with adopting AI?
    • Our current linear approach isn't moving fast enough, we're tackling the least interesting problems first at AL1/SL1
  • Update from Gail
    • (in chat from Gail) This is the link to the IPSIE Playbook for this brainstorm. Hosted at OIDF Google Drive for now: https://docs.google.com/document/d/1g60L-9Nap5eTdom0aAIGztTK9UZTe4gKqccAsxtSPIM/[email protected]&sharingaction=manageaccess&role=writer&tab=t.0
    • high level overview from Gail covering the document
    • is the AI use case the driving use case for IPSIE? If so, how do we collaborate with the AIIM CG?
    • (everything Gail spoke about is in the doc, please review the doc in lieu of live notes)
    • Open discussion
      • JonB - good to target CISOs, but they may not have the right tech depth, target CISO and their orgs
      • Karl - ride the coattails of AI initiatives to drive conversations. Makes sense to reposition the discussion
        • agree with top level goal
        • challenges - we discussed surface area already, this may change the sequencing of profiles
        • Biggest CISO issues are securing managed endpoints with attestation, securing MCP
        • might need to reconsider the levels doc to include AI
      • Dean - target RPs in addition to IdPs
        • Gail says the CISO conversation was focused on RPs
      • Karl - echoes RP focus
        • talking to large RPs it is difficult to get a PM to say that their customers are asking for this feature
        • in the past 12 months with AI, this seems to be changing with a focus on security infra to achieve their AI goals
      • Jen - the way to get buy-in is via the AI route or the customers asking Workday (as an RP) for the tooling
      • Dick - AI pixie dust?
        • Aaron - reframing IPSIE to cover the AI problem space since there's a lot of investment here
        • Dick - is there consensus on what needs to be AI ready?
        • Aaron - not yet - we need to find that consensus with Gail's help to talk to the right leaders. What do customers want out of their IdPs and SaaS tools to help them adopt AI.
        • Dick - no industry consensus on what should happen with AI. His recent experience is that CISOs are keen on IPSIE to help them roll out secure services
        • Gail - we're trying to establish WG consensus on an AI angle to IPSIE. Chasing where the dollars are right now.
        • Karl - response to Dick - this is about messaging, how does a strong foundation in session / identity management provide a base to build tooling with AI
          • this is not defining an AI standard
        • Aaron concurs with Karl's statements
      • TO DO: Put the doc on the GitHub wiki
      • JonB - this is a natural progression for IPSIE. Will we include the cross app access work happening in OAuth WG?
      • Aaron - no clear answer. Spec is the "Identity Assertion AuthZ Grant"
      • Aaron - goal is to reframe what we have in the roadmap to align with ongoing AI investments and where IPSIE can improve the security
        • looking for feedback on what is required from IPSIE to support these tools
      • Karl - concerned that we're struggling to get to SL2 in the WG. Not sure how a scope change helps us make more progress faster
      • Dean - do we need more co-chairs or project management help? how do we scale the work of the group?
      • Aaron - this is a reason to bring in AI - helps justify the time that people are spending on IPSIE or get more people engaged in the work
      • Karl - useful topic to focus on. We need to figure out how to increase our momentum
      • Dean - we are open to ideas on how to move faster - people, technology, etc.
      • Travis - AI is taking away most of his time to talk about/work on IPSIE. There must be a clear integration between IPSIE and AI to make this happen.
      • Aaron - sees the challenge with AI consuming people's time. We should not completely abandon our existing scope - e.g. using SSO to enable AI app federation - but we need to engage with the communities where these topics are discussed (e.g. MCP)
      • Travis - are there any existing attacks that we know could be mitigated by IPSIE-style profiles?
      • Aaron - our scope is already huge. We won't define prompt injection solutions, but we can define how federation systems, SSF work with AI agents
      • Karl - it's all the level 3 capabilities, most of the concern is back to access to the data once the tokens have been cut
      • Aaron - what I've been hearing in these calls is that basic SSO is not enough to motivate people. Perhaps we need to start at the higher level?
      • Travis - there are missing security elements in agent workflows. Do we need an IPSIE AI level? Questions whether we know what the exact problems are that we need to tackle
      • Dick - AI stuff could be distracting from the original IPSIE scope
      • Dean - focus on the higher maturity levels, this will build the lower level requirements. AI becomes a driver
      • Karl - likes the idea of focusing on the high level maturity. Need to focus on the outcomes/capability model to align to.
      • Jon - having the IPSIE roadmap slide would help focus the WG discussion
      • Karl - is there an example of OIDF doing something similar to this refocusing? Are there examples of working groups that are driven by something other than regulatory deadlines?
      • Shannon - there's a good example in R&E federation banding together and developing SAML. We built the organization before the standard.
      • Karl - is there an existing organization that has the agenda and means?
      • Shannon - R&E built the InCommon federation that handles that.
      • Aaron - closing thoughts or what you want to tackle next week?
      • Jon - get feedback from organizations we represent on whether this is a good path.