The Innovation We Need is Strategic, Not Technical

In my recap of RSAC 2025, I referenced the open letter that Patrick Opet, CISO of JPMorgan Chase, published in which he spoke about how essential security guardrails are being broken down by the lack of secure-by-design thinking in modern integration patterns within the SaaS world. His open letter challenged Cloud and SaaS providers to step up their security posture, and he called out the way in which modern identity protocols like OAuth are being used as contributing to the problem. The summary: industry is sacrificing foundational controls in exchange for business velocity, and creating a growing surface of identity and token-based vulnerabilities in the process.

Here’s an uncomfortable truth we must confront when trying to understand how to respond to Opet’s call-to-action. Most of the risks being called out already have solutions – at least technically. The standards, protocols, and architectural patterns required to address them already exist. What’s lacking is the organizational will to implement them, the investment required to modernize infrastructure for security, and the discipline to prioritize long-term resilience over short-term delivery.

And this isn’t just a failure of vendors. It’s also a consequence of enterprise buyers rewarding compliance over capability, and executives framing security as a function of audit readiness rather than operational integrity.

Standards ≠ Security

Any conversation about this situation must necessarily discuss this fundamental disconnect. More than once, I’ve heard a senior IT leader assure me their APIs are “secure” because they’ve implemented OAuth. However, while standards do provide a foundation for security, they are not guarantees for security in of themselves. Implementation matters. Configuration matters. Layering matters. After all, deploying OpenID Connect for authentication means little if the authentication method is still password-based and single-factor.

Let’s look at Opet’s concern about session token theft, an increasingly common attack vector. This risk wasn’t unforeseen by those working on modern identity standards. It is among the many reasons why the Financial-grade API (FAPI) security profile was created by the OpenID Foundation. Originally designed for the financial sector, FAPI improves security for the OAuth and OpenID Connect standards by explicitly defining a security profile designed to ensure consistent and robust security measures across implementations of the standards with no room for misinterpretation. FAPI adds stricter constraints and requirements, like mandatory Strong Customer Authentication (SCA) and Mutual TLS, while also specifying additional controls like Demonstration of Proof-of-Possession (DPoP) and Proof Key for Code Exchange (PKCE). These aren’t experimental ideas. They’re proven, deployable measures that can be adopted by any organization (not just FIs), designed to eliminate many common attack vectors, including the ones highlighted in Opet’s letter.

Complementing this, the Shared Signals Framework (SSF) and Continuous Access Evaluation Profile (CAEP) provide a mechanism to continuously align session state with real-time risk posture. CAEP enables cloud providers and enterprises to stay ahead of evolving threats by providing an event-based mechanism to add much needed context into the continuous adaptation and enforcement of access policies beyond the initial session established.

But here’s the problem: few organizations implement these controls at scale (unless forced by regulations like Open Banking). Why? Because they require real effort: redesigning app architectures, updating legacy integrations, and investing in a deeper understanding of token and access lifecycle management.

The technology is here. The risk is clear. The inertia is organizational.

Compliance ≠ Security

We may think its obvious, but the fact remains that too many organizations still optimize for compliance, not security. Security leaders are pushed to check boxes and meet deadlines, not to redesign systems around identity assurance. Dev teams are incentivized to ship features fast, not to integrate securely. Executive teams often lack visibility into how quickly small risks compound into systemic exposures. All while CISOs lack budget to implement the programs that could help mitigate the unfolding nightmare.

Vulnerabilities like session hijacking and over-scoped permissions are therefore the entirely predictable outcomes of the fragile and hard-to-monitor architectures of systems that have been designed around minimum viable control.

We Don’t Need New Innovation. We Need New Priorities.

Cybersecurity threats are evolving at a rapid pace, and emerging technologies like AI are adding fuel to the fire. Compliance mandates will not be able to keep up, leaving organizations open to emerging threats unless they are proactive and innovative. Comprehensive identity security posture management can help organizations gain visibility and remediate weaknesses in their identity infrastructure, automate controls, and proactively reduce potential risks to their digital ecosystem. FAPI, SSF, and CAEP are amongst a set of standards-based, security-focused architectural patterns that can be implemented today. And as overused as the term may be, the principles of Zero Trust are key: trust no session, verify continuously, and assume compromise as a starting condition.

The response to Patrick Opet’s letter shouldn’t be a scramble to invent something new. It should be a serious look at why we aren’t doing what we already know works. It’s time we recognize that the gap isn’t technical; it’s cultural and strategic.