Opportunity knocks: protecting identity to foster greater sharing of information across government
In this webinar, a US government identity assurance specialist and a private sector identity expert discussed how to share information securely across government – and why, in a fast-changing tech landscape, collaboration is key
Information sharing is vital to the work of modern government. It can catalyse better collaboration across agencies, unlock better services for citizens, and improve national security.
In a Global Government Forum webinar, Dr Babur Kohy, director of the identity assurance and trusted access division of the U.S. General Services Administration’s Office of Technology Policy, and Kelvin Brewer of the webinar’s knowledge partner, Ping Identity, discussed how government can introduce robust polices and processes to ensure secure data sharing. This discussion included the principles of a ‘zero trust’ security strategy; AI’s potential as a tool to commit identity fraud – and to protect against it; and how to build more “shatterproof” systems.
As Dr Kohy highlighted at the beginning of the webinar: “There are no shortage of opportunities across the government for better information sharing.”
And these approaches can both improve government operations and services for citizens, and better serve employees too. In Kohy’s role at the GSA – which provides services for the government’s 60 plus federal departments and agencies – one of his aims is to enable the government’s more than 2.3 million civilian staff to access work, benefits and other employment related services “behind one pane of glass”.
Yet, in a government as complex as in the US with a huge number of agencies each with their different missions, information sharing must be carefully orchestrated to ensure the right information gets into the right hands and that national security is protected.
Facilitating the safe sharing of information between agencies through ‘single-tenant architectures’ is one of Ping Identity’s focuses, as is assisting agencies in determining who among employees, citizens and partners should get access to data, said Brewer, who is director of sales engineering for the company’s US public sector arm.
Securing agency data is a “vital” starting point, he said, stressing that of the numerous technology-related challenges, ensuring cloud deployment is secured is “one of those that I think is most important to focus on”.
Picking up on Brewer’s point about the cloud, Kohy said the “human aspects” of cloud configuration management are key to boosting cybersecurity, given that more often than not “data is exposed based on some sort of human error”.
“I don’t think anyone is intentionally leaving doors open, but the adversary [trying to steal data] has to be right just once… and we have to be right 100% of the time,” he said.
He added that the GSA is working with industry partners to secure all of its assets and make them not just resilient but “shatterproof”.
“Resilience doesn’t seem to be enough, or it’s not going to be” as technology use advances, he said.
“Identity systems alone are a very core component of the technology stack, but on its own, it can only do so much.”
To improve identity fraud detection, Kohy’s team has contributed to the Identity Fraud Detection Playbook. Hosted on the federal government’s ID Management website, the playbook provides a foundational understanding of identity fraud techniques, detection methods and mitigation strategies, with an emphasis on threats such as synthetic media.
Responding to risk signals
One of the things the playbook aims to do is to make people aware of and able to pick up on risk signals.
As Brewer explained, this helps to move the focus from identifying fraud once a transaction has been made – whether it be a financial transaction, a transfer of data, or someone getting access to something they shouldn’t have access to through social engineering – to one where attempts to commit fraud are caught earlier, during authentication and authorisation processes.
This switch to a more proactive stance is something identity companies are focused on, he said.
To catch unusual activity earlier, Ping Identity is examining a number of different vectors – the methods and pathways cybercriminals use to gain unauthorised access to data or systems – to pinpoint the risk signals that indicate a bad actor might be at play.
Once a risk has been identified, an agency can decide how to proceed – to block a transaction, for example, or to add some friction into the system such as asking someone to re-verify their identity or re-prompting multi-factor authentication.
However, Brewer acknowledged the risk of ‘friction fatigue’ among well-intentioned citizens and businesses who might disengage from government services if they feel they have to “jump through hoops” to access what they need. Robust upfront vetting is therefore important here, so that friction is only introduced later if a risk signal is identified.
The benefits and challenges of AI
On the detection of fraud, talk turned to artificial intelligence, which Kohy said can be “an enabler or a disabler [of identity fraud] – it just depends on the intent”.
Widely available AI tools have been used to generate videos of a real person holding up their driver’s license to pass an identity verification ‘liveness’ check, Brewer explained. “That creates some very unique challenges for things that we think will prevent fraud.”
“Can we prevent the technology from going in that direction? No, we can’t. And so we, as vendors, are looking at how we can recognise fraud that has been generated by AI – what are the differences, what are the indicators – and then give an agency the ability to [add] some sort of friction [into the system] that the AI wouldn’t be able to pass.”
The technologies that can enable this are still in development, he said, but generative AI is already being used to help recognise risk signals that a person could miss.
To combat the risks posed by synthetic media, Kohy and his team have been helping one agency to use text detection to identify forgeries of documents including ID cards, and aim to roll their solution out government-wide.
Interrogating the FICAM Matrix
Kohy also gave the example of using AI tools to draw information from scores of documents within the Federal Identity, Credential and Access Management matrix.
The matrix is a comprehensive resource that organises and visualises the laws, policies and standards related to identity management within the federal government, as part of the GSA’s identity, credential and access management programme.
It includes hundreds of pages of documents that can take analysts months to review and compare. So, his division is experimenting with using large language models (LLMs) to expediate the process. Now, it might take just two minutes to find the answer to a identity-related question.
Another benefit is that LLMs – fed the same documents – will always interpret the security control for identity the same way, unlike people, who are open to subjectivity. “So, in those cases LLMs are very powerful,” Kohy said.
Agentic AI – which can be used to undertake a transaction on a person’s behalf and poses additional risks – is “going to be a game changer”, he said, so starting early and experimenting proof of concept in this way and then sharing across government and with industry partners is key.
As Brewer summarised: “AI is giving us some benefits and increasing security, but it’s also bringing in a lot of risk that we’re still trying to figure out how to react to. Things aren’t quite advanced enough that it’s an undoable challenge, but we want to make sure that we’re ahead of it as it’s developing.”
Zero trust
To help protect the United States from increasingly sophisticated cyber threats, the White House issued an executive order in 2021 which requires federal agencies and their suppliers “to modernise [their] approach to cybersecurity” by accelerating the move to secure cloud services and implementing a ‘zero trust’ architecture.
The zero trust security strategy has three core principals – to ‘verify explicitly’; ‘use least privileged’ i.e. to provide each user with only the minimum level of access needed to complete a task; and to ‘assume breach’: proactively anticipating cyberattacks by assuming users, devices and systems are already compromised.
For Kohy, base access controls related to the least privilege principal are the foundation of the zero trust framework, and while there are “a lot of opportunities to get to zero trust maturity quicker by using technologies that do exist… I haven’t seen just one single tech that has all the answers yet”.
Vendors such as Ping Identity understand the importance of packaging a technology bundle that will meet their clients’ needs, Brewer said, though he noted that this aim is a “moving target” due to innovations and advances in AI.
In the meantime, he said one of the technologies that has been groundbreaking in zero trust are those that orchestrate processes that watch for risk signals and can reduce or increase friction.
“Orchestration so important because it gives people – the administrators – the ability to quickly build processes that follow a standard and can easily be tested, instead of having to write scripts and code that then allow us to build out how we work with identities, what processes they need to follow and why. That’s key to managing this.”
Effective orchestration lends the ability to leverage new technologies – and respond to them – as they come out, and can lead to fewer mistakes.
“That’s going to be a continued innovation that’s got to improve and something that will impact zero trust. Pretty much everything we’ve been talking about is that ability to orchestrate processes that are easy to manage and easy to deploy and impact immediately the security of an organisation,” Brewer said.
A look to the future
At the end of the webinar, Brewer and Kohy discussed what the future holds for the secure sharing of information across government – and they agreed that collaboration is crucial.
Brewer said the power of collaboration shouldn’t just be mobilised between government agencies and teams, but between technology companies that would traditionally view themselves as competitors. Doing so through working groups and similar “is just so vital to making identity a better technology stack… and to identifying real problems and figure out real solutions,” he said.
Kohy agreed. “Probably the most important part is collaborating and trading notes with others that are in the community, whether it’s the government, academia, not-for-profit, or industry.”
He hopes the US government can play a part in bringing people together, facilitating the sharing of expertise and providing “a launch pad for agencies to transform their technology stack”.
He reiterated the point Brewer had made about the need for a mindset shift towards proactive management, and to capitalise on the opportunities that exist to drive modernisation and digital transformation.
And he concluded on the need for shatterproof systems. “Resilience isn’t going to be enough, because of advances in AI and because of cryptocurrency and emerging technologies like quantum computing. Shatterproofing AI is the biggest thing – I think it will be a big topic in the next five or 10 years.”
The ‘Getting information to the right people at the right time: how identity systems connect government’ webinar took place on 5 June 2025. It was hosted by Global Government Forum with support from Ping Identity.
Watch the webinar in full here, to hear Brewer and Kohy answer questions including:
– How you implement identity solutions in different environments at different agencies which each have different technology stacks.
– How humans can design cybersecurity systems when it is humans who are also trying to crack them.
– Whether a tighter focus on cybersecurity can catalyse improved technologies across government and, ultimately, improved services for citizens and for public servants themselves.
About Partner Content
This content is brought to you by a Global Government Forum, Knowledge Partner.
Related Posts
