Why friction is a security risk, with Dustin Heywood

by Dave Lewis
April 30, 2026 - 4 min

If cybersecurity teams were rock bands, offensive security professionals would be the cool drummers; they don’t just have a fun job, they help show the rest of the team where to go.
In this episode of The Chasing Entropy Podcast by 1Password, Dave Lewis speaks with a legend of offensive security, Dustin Heywood, known to many as EvilMog. Heywood is an executive managing hacker and senior technical staff member at IBM, and the conversation runs the gamut from password cracking and Active Directory abuse to AI privilege creep and quantum planning. The through line is simple: most security failures start with access, trust, and bad assumptions about how systems behave under pressure.
Heywood’s background explains why he sees the problem this way. He came up through network engineering, military communications, enterprise infrastructure, and offensive security. That path matters because his view of security is operational, not theoretical. As he continually reiterates, businesses are not trying to be secure for the sake of security. They are trying to keep operating, and security has to support that goal or it gets bypassed.
Rethinking access for the agentic world
A big part of the episode focuses on the risks of agentic AI, although Heywood argues that AI is exposing access problems that were already there. He runs through weaknesses he encounters in his day-to-day work that AI agents stand to exploit, such as overpermissioned service accounts and broad integrations.
Heywood’s main concern, and where he sees the biggest opportunity to make a difference, is the gap between identity and intent. He gives the example of a person using an agent to buy concert tickets within a clear budget and time window, but today’s systems rarely encode that level of permission. In practice, the agent often gets broad backend access and can do far more than the task requires, to the detriment of both the human user and the ticket company.
“I think we need to overhaul identity management as a whole [to adapt to agentic AI]…We don’t have an intent-based authorization process right now, and that's where we need to go.” - Dustin Heywood
That leads to the episode’s strongest point about machine identity. Most organizations still think about access in terms of human users. That model does not hold up when a company has thousands of employees and tens of thousands of machine identities tied to services, devices, integrations, and automation. If those identities are overprivileged, an AI layer on top of them becomes a force multiplier for existing risk.
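To make the identity-versus-intent gap concrete, here is an added example (not code from the episode, from IBM, or from 1Password) in Python. It contrasts the coarse role check an agent typically inherits from a service account with an intent grant that encodes the ticket-purchase task itself: one human, one action, one backend, a spend cap, a time window, and a single use. The principal names, the `tickets.example` backend, the amounts and timestamps are all constructed for the illustration.

```python
"""Intent-scoped authorization for an agent acting on a user's behalf.

Added example; all names, resources, amounts and times are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class IntentGrant:
    """A narrow, time-boxed, budget-capped delegation from a human to an agent."""
    subject: str          # the human the agent acts for
    action: str           # the one verb the task needs
    resource: str         # the one backend the task touches
    max_spend: float      # remaining budget, decremented as it is consumed
    not_before: datetime
    not_after: datetime
    uses_remaining: int = 1


@dataclass(frozen=True)
class AgentRequest:
    subject: str
    action: str
    resource: str
    amount: float = 0.0


def authorize_by_intent(req, grant, now):
    """Return (allowed, reasons). Each check expresses something a role alone cannot."""
    reasons = []
    if req.subject != grant.subject:
        reasons.append("subject mismatch")
    if req.action != grant.action:
        reasons.append(f"action {req.action!r} not granted")
    if req.resource != grant.resource:
        reasons.append(f"resource {req.resource!r} not granted")
    if not (grant.not_before <= now <= grant.not_after):
        reasons.append("outside time window")
    if req.amount > grant.max_spend:
        reasons.append("exceeds remaining budget")
    if grant.uses_remaining <= 0:
        reasons.append("grant exhausted")
    return (not reasons, reasons)


def authorize_by_role(req, roles):
    """Coarse role check: the agent inherited a service account's verbs on the whole backend."""
    return req.action in roles.get(req.resource, set())


def execute(req, grant, now):
    """Apply the intent check and, on success, consume budget and the single use."""
    allowed, reasons = authorize_by_intent(req, grant, now)
    if allowed:
        grant.uses_remaining -= 1
        grant.max_spend -= req.amount
    return allowed, reasons


def run_scenario():
    """Constructed scenario: one legitimate purchase followed by three overreaches."""
    t0 = datetime(2026, 5, 1, 10, 0, tzinfo=timezone.utc)
    grant = IntentGrant("alice", "purchase", "tickets.example", 150.0,
                        t0, t0 + timedelta(hours=1))
    # Hypothetical overpermissioned service account the agent would otherwise use.
    broad_roles = {"tickets.example": {"purchase", "refund", "read_orders"}}
    requests = [
        (AgentRequest("alice", "purchase", "tickets.example", 120.0), t0 + timedelta(minutes=5)),
        (AgentRequest("alice", "purchase", "tickets.example", 120.0), t0 + timedelta(minutes=6)),
        (AgentRequest("alice", "refund", "tickets.example", 0.0), t0 + timedelta(minutes=7)),
        (AgentRequest("alice", "purchase", "tickets.example", 40.0), t0 + timedelta(hours=2)),
    ]
    results = []
    for req, now in requests:
        intent_ok, reasons = execute(req, grant, now)
        role_ok = authorize_by_role(req, broad_roles)
        results.append((req.action, req.amount, role_ok, intent_ok, reasons))
    return results


if __name__ == "__main__":
    for action, amount, role_ok, intent_ok, reasons in run_scenario():
        print(f"{action:8} {amount:6.1f}  role={role_ok!s:5}  intent={intent_ok!s:5}  {reasons}")
```

The role check approves all four requests, because the inherited service account can purchase and refund anything on the backend. The intent grant approves only the first, then blocks the duplicate purchase, the refund the user never asked for, and the late purchase outside the window. That is the difference between authorizing who the agent is and authorizing what the user actually meant.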
Quantum mania?
The discussion then shifts to quantum threats, and Heywood takes the issue from abstract future risks to concrete concerns. He is less focused on dramatic “decrypt everything later” scenarios and more focused on the systems around the data. If quantum-capable attacks weaken the trust layers behind OpenID Connect, SAML, certificate authorities, VPN certificates, and federation systems, attackers do not need to break every encrypted file directly. They can go after the identity and key infrastructure that grants access. That is the planning problem security leaders need to understand now.
His advice on crypto agility to prepare for quantum computing is practical. Start with inventory: know where cryptography lives in your environment, how certificates are issued and renewed, and what would have to change if a major algorithm or trust model became unusable. He also points out that many companies still struggle with certificate management at a basic level. If certificate rotation is manual, the organization is already behind. Automation is not optional here.
Stronger credentials shouldn’t mean added friction
On credentials, Heywood takes a hard line that is worth adopting: assume every password entered into a remote system will eventually leak. That changes the goal from “password theater” to unique credentials, automated rotation where possible, stronger storage, and lower user friction. If security makes daily work harder, people will work around it. His advice for security leaders is to strengthen weak and legacy encryption, clamp down more aggressively on overpermissioned admins, and simplify security wherever possible.
“Talk to your employees about friction in your environment. Eliminate friction spots in security and focus on how you can be a business enabler.” - Dustin Heywood
Security leaders who are dealing with AI adoption, identity sprawl, legacy authentication, or PKI debt should definitely listen to the episode. Heywood is refreshing because he treats security as a systems problem tied directly to business operations and user behavior.
Subscribe to Chasing Entropy
Subscribe to Chasing Entropy for honest, expert-led conversations on agentic AI, security, shadow IT, and extended access control from industry leaders.

