Who Did This? Identity and Accountability When Your Cloud Actors Aren't Human
Jie Wu, Pulkit Garg
fwd:cloudsec North America 2026 · Day 1
In the rapidly expanding landscape of cloud infrastructure, non-human identities – primarily **service accounts** – have become ubiquitous, performing a vast array of automated tasks from running CI/CD pipelines to managing complex cloud resources. This talk by Jie Wu and Pulkit Garg from Shopify addresses a critical and increasingly complex security challenge: maintaining identity, accountability, and control over these non-human actors, especially as their capabilities grow and their numbers proliferate. The speakers highlight how the traditional approach to managing these identities is failing, leading to significant blind spots during security incidents and making effective governance nearly impossible.
AI review
Competent practitioner talk from Shopify on a real and growing problem — non-human identity governance at scale. The problem framing is solid, the OPA-in-Terraform enforcement pattern is well-understood, and the River Slackbot demo is a nice concrete artifact. Nothing here is novel to anyone who's been paying attention to the cloud IAM space for the last two years, but it's honest work presented by people who actually built the thing.