No Trust Podcast – Identity, AI, and the Shift Toward Zero Trust with Richard Bird
In this episode of the No Trust Podcast, hosts Jaye Tillson and John Spiegel sit down with Richard Bird, Chief Security Officer at Singular AI, to unpack how identity is evolving in security, what mentorship really looks like, and why the next frontier in Zero Trust lives at the intersection of AI and governance.
PODCAST
John Spiegel
9/22/2025 · 7 min read


From the Foundations: Mentorship, Identity, and Misapplied Trust
Richard opens by walking us through his journey—from early roles in identity at large financial institutions to his current work securing AI infrastructure. A theme that recurs: identity has too often been treated narrowly. Humans get identity; machines, IoT, AI agents—not so much. But in a modern digital estate, everything needs identity.
He shares how mentoring shaped him—not as someone telling people what to do, but as someone who listens, reflects, helps people anticipate failures, and learn. Misapplied trust (overly broad access, undefined identity duties) is often baked in because decisions made for business convenience override security.
Identity as the Keystone of Zero Trust
Richard recalls how his view shifted: identity isn’t a component—it’s the foundation. In Zero Trust architectures, identity is what everything else depends on: authentication, authorization, auditability. In his words, identity governance ends up making or breaking security.
He points out how most organizations have a messy identity stack (“ball of spaghetti”), with ill-defined roles, overlapping privileges, or business processes that undermine identity hygiene. Fixing this, he argues, is the low-hanging fruit for improving security posture.
AI, Agents, and the New Control Plane
The conversation moves into AI: what happens when autonomous agents, models, and “smart” features operate in complex systems. Here, Richard emphasizes:
The majority of breaches will occur at the authorization layer, not authentication. Even a well-authenticated identity can wreak havoc if privileges are out of control.
Governance over “contextual data” (what the agent/AI knows, does, and under what conditions) is essential.
Organizations need control planes purpose-built for agents and AI—systems that can manage identity, authorization, audit, policy, and adapt as agents learn or behave in unexpected ways.
Practical Lessons & Hard Truths
Richard shares what’s working (and what isn’t), offering concrete advice:
Hunt down “persistent, unearned trust”: legacy access, services still trusted without reassessment, identities with privileges no longer needed.
Don’t get stuck worrying about hypothetical threats (quantum, etc.) before you’ve fixed your current authorization gaps.
Build practice in governance just as you do in technical security: periodic reviews, clear mapping of who is allowed what, and with what justification.
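One way to run the review described in the list above, as an added example that is not from the episode or from any product mentioned in it. The inventory, field names and thresholds are assumptions, and the "static credential" check reflects the static tokens Richard raises in the transcript.

```python
from datetime import date, timedelta

# Constructed inventory for illustration; identities, privileges and field names are assumptions.
GRANTS = [
    {"identity": "alice", "kind": "human", "privilege": "payments:approve",
     "last_used": date(2025, 9, 1), "last_reviewed": date(2025, 7, 1),
     "credential_issued": date(2025, 9, 1), "justification": "Treasury approver, ticket placeholder-1"},
    {"identity": "svc-report-export", "kind": "service", "privilege": "db:read-all",
     "last_used": date(2024, 1, 10), "last_reviewed": None,
     "credential_issued": date(2022, 3, 5), "justification": ""},
    {"identity": "agent-support-bot", "kind": "ai_agent", "privilege": "crm:write",
     "last_used": date(2025, 9, 14), "last_reviewed": date(2025, 8, 1),
     "credential_issued": date(2024, 11, 2), "justification": "Updates case notes"},
]

def review(grants, today, unused_after=90, review_every=180, max_credential_age=90):
    """Return {(identity, privilege): [reasons]} for grants whose trust is persistent and unearned."""
    def older_than(when, days):
        # A missing date counts as stale: never used, never reviewed, or unknown issue date.
        return when is None or today - when > timedelta(days=days)

    findings = {}
    for g in grants:
        reasons = []
        if older_than(g["last_used"], unused_after):
            reasons.append("privilege no longer exercised")
        if older_than(g["last_reviewed"], review_every):
            reasons.append("trusted without reassessment")
        if older_than(g["credential_issued"], max_credential_age):
            reasons.append("static credential")
        if not g["justification"].strip():
            reasons.append("no recorded justification")
        if reasons:
            findings[(g["identity"], g["privilege"])] = reasons
    return findings

if __name__ == "__main__":
    for (identity, privilege), reasons in review(GRANTS, today=date(2025, 9, 22)).items():
        print(f"{identity} {privilege}: {'; '.join(reasons)}")
```

The same checks apply to human, service and AI-agent identities alike, which is the point of treating every identity as a reviewable grant rather than only the human ones.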
Why Tune In
Because this isn’t theory. Richard draws on rich experience securing identity at scale and now in AI; the episode is full of straight-talk about what leaders actually need to change. If you care about Zero Trust in practice (rather than buzzwords), this one brings clarity to what’s ahead.
Edited Transcript
Jaye: Welcome back to the No Trust Podcast. Today we’re cutting through the noise around Zero Trust, identity, and the future of cybersecurity. We’re joined by someone I first met at Black Hat — Richard Bird, Chief Security Officer at Singular AI. Richard, can you introduce yourself?
Richard: Sure. My story starts in a small town, the son of a charter fishing captain. None of the jobs I’ve had for nearly 30 years even existed when I was in high school. Today, I work in AI security and governance as CSO at Singular AI. Before that, I was at a series of startups and before that in the corporate world.
It’s humbling to look back. I never thought, “I want to be a CIO or CISO.” Those roles didn’t exist for me. Instead, I got here because people along the way saw something in me I didn’t see in myself. They didn’t just bet on me — they invested in me. That’s why I still see myself as a practitioner at heart. I enjoy building, being part of the community, and challenging how we think about security architecture. Because let’s be honest, we’re not doing a great job. Cyber losses keep escalating. We fiddle with the next shiny product but can’t explain why attackers are winning.
Early Careers and Mentoring
Jaye: I relate to that. I started studying mathematics, ended up doing computing, and stumbled into my first job at ID Software — playing Doom and Quake every day. I had no grand plan either. I enjoy mentoring people today because careers rarely follow a straight line.
John: Richard, you mentioned people investing in you. Let’s talk about mentoring. How important has it been in your journey?
Richard: It’s been everything. Early in my banking career, I had mentors like Joe Jensen — a steady executive who taught me humility without tearing me down. He helped me realize that ego and too much responsibility too early can be dangerous.
I try to pay that forward. Sometimes it’s formal mentoring with executives, sometimes it’s conversations with people just starting out. One young professional I spoke with recently was charging ahead in her early 30s. I told her: prepare for that first big punch in the face. It’s inevitable, and the best way to survive is to expect it. That’s what mentoring is about — not dictating, but listening, guiding, and helping people prepare for reality.
Jaye: Exactly. Mentoring doesn’t have to be formal. For me, it’s often short conversations at airports, conferences, or coffee shops. Someone says one thing at the right moment, and it sticks. The best advice often comes that way.
John: That’s part of why we do this podcast — to get those perspectives out there, like the water-cooler conversations we missed during COVID.
From Identity to Zero Trust
John: Richard, you’re known for identity. Can you share how that started?
Richard: Back at JPMorgan Chase, I was asked to join a centralized security function. I wasn’t a “security guy.” My boss asked, “What do you know about identity?” I said, “Not much.” She said, “Perfect, you’ll be great at it.”
That launched me into identity. Coming from IT operations, I thought transactionally: everything looked like a transaction. I asked questions like, “Why don’t we authenticate after login? Why not continuously?” Those “dumb” questions helped us build one of the first massive centralized identity control planes.
Years later, when I first heard about Zero Trust, I resisted. As an identity guy, I thought Zero Trust meant friction, barriers. I didn’t understand the architectural vision. It wasn’t until John Kindervag — the “Godfather of Zero Trust” — explained that every packet should have an identity that it clicked. Identity isn’t just part of Zero Trust; it’s the keystone.
Rethinking Identity
Jaye: Many people see identity as the foundation of Zero Trust. But it’s not just humans anymore, right?
Richard: Exactly. Identity has been misapplied for decades. We focused on human identities, but everything digital — machines, IoT, services, AI agents — needs an identity. Humans don’t even directly exist in the digital world. They’re proxies.
The history goes back to 1961 at MIT, when IBM installed a mainframe that required accounts and passwords. Within hours, a grad student hacked it to sell computing time. From the start, identity was flawed. And we’ve been living with that mess ever since.
Most organizations today have what I call a “ball of spaghetti” — poorly defined accounts, service IDs with excessive privileges, no classification. Identity isn’t managed with the rigor of other security domains. Even in breaches like MGM, the technology worked — but business decisions to grant persistent access undermined security.
The AI Challenge
John: Let’s fast-forward. You’re now at Singular AI. What problems are you tackling?
Richard: Identity prepared me for this. After identity, I moved into API security, which is the transport layer for AI. That naturally led me into AI security and governance.
At Singular, we’re building a control plane — not just for security, but for governance, compliance, observability of AI services, agents, and features. Why? Because the real risk in AI isn’t authentication — it’s authorization. Once an AI agent is inside, bad things happen at the authorization layer. That’s where identities are over-privileged, tokens are static, and controls are weak.
The last six months, I’ve seen demand skyrocket. CISOs are realizing their edge, DLP, and endpoint tools aren’t enough. Something is happening — whether unreported breaches or just a growing awareness — but everyone suddenly wants assessments.
Advice for CISOs
Jaye: If you could give one piece of advice to a CISO today, what would it be?
Richard: Hunt down persistent, unearned trust in your environment. That’s the biggest unaddressed risk. Old accounts, long-standing privileges, systems trusted by default. Eliminate those, and you cut risk immediately.
Too many leaders get distracted by future threats like quantum computing. Quantum may matter someday, but it won’t fix today’s problems. Focus on foundational security controls now.
Jaye: Right. Keep an eye on the future, but don’t ignore the present.
Lighter Side: Food & Travel
John: On a lighter note, we always end with food. What’s your go-to Sunday dinner?
Richard: Cooking is my release. I bought an Italian pizza oven — my “ancient Roman microwave.” Sometimes it’s Neapolitan pizzas, sometimes thick Tuscan pork chops cooked on a Tuscan grill inside the oven. Just salt and pepper, but the heat cooks it perfectly. Add cast-iron potatoes, and it’s incredible.
Jaye: Now I’m hungry. How about travel? Favorite place you’ve been?
Richard: Ireland. The first time I landed in Cork, I felt that deep connection to my family’s roots. I’d retire there if the weather wasn’t so rough. Travel broadens perspective. I tell young people — don’t wait. Find a way to go. Couch-surf if you must. Seeing the world expands your thinking in ways nothing else can.
Closing Thoughts
Jaye: Richard, thank you. We only got through half our questions, so we’ll have to bring you back for part two.
John: Yes, thanks for the time, and thanks again for the conversations we’ve had at Black Hat.
Richard: My pleasure. These flowing discussions are where real value lies. Appreciate you having me.
Why This Conversation Matters
Richard Bird brings sharp clarity to some of the thorniest issues in security:
Mentorship is about guidance, not dictation.
Identity is foundational — but applied to everything, not just people.
The biggest risk today is persistent trust.
AI requires new control planes, especially at the authorization layer.
This episode is a reminder that Zero Trust isn’t about buzzwords — it’s about eliminating blind trust wherever it hides, from service accounts to AI agents.