Securing Human and AI Identities: Insights from Mike Towers, Veza’s Chief Security & Trust Officer

Every AI agent becomes an identity needing governance.

Mike Towers has built his security playbook around spotting shifts in identity, trust, and enterprise risk across global pharma, cloud, and AI-driven environments. He reveals how to lead identity-first security programs, enable digital trust as a business enabler, and why managing human and non-human identities is the ultimate edge for next-generation security leaders.

Over the years, enterprise security has undergone dramatic shifts. Looking back, which change reshaped your perspective the most, and Why?

The shift from perimeter-based to identity-based security fundamentally changed how I approach risk. When I was CISO at pharmaceutical companies, we realized our traditional castle-and-moat defenses were meaningless when a single compromised credential could access crown jewel IP from anywhere. This drove home that identity isn't just an IT function—it's the new perimeter. Every security decision now starts with "who has access to what and why?"

You often speak about digital trust as more than a security function. How do you see it evolving into a core business imperative?

Digital trust is becoming the foundation of business velocity. At my previous companies, we couldn't accelerate drug development or enable remote clinical trials without proving we could protect patient data. Today, enterprises can't adopt AI, enable partners, or complete M&A without demonstrating control over access. Trust isn't about saying "no"—it's about enabling the business to confidently say "yes" to innovation while managing risk transparently.

In your experience leading identity-first security programs, what key lessons, both successes and missteps, stand out for enterprises making this transition today?

Success comes from starting with visibility, not control. Early in my career, I tried to implement strict access controls before understanding our permission landscape—it failed spectacularly. The breakthrough came when we first mapped who could access what across all systems, then used that intelligence to drive controls. Also critical: don't treat identity as a technical project. It's a business transformation that requires executive sponsorship and clear value metrics.

With the rise of non-human identities like bots, service accounts, and applications, how should enterprises rethink risk management? 

Non-human identities often outnumber human ones 45-to-1 and have more privileged access, yet most organizations can't even inventory them. Enterprises need to apply the same rigor to machine identities as human ones: know what exists, understand their permissions, and enforce least privilege. At Veza, we've seen clients discover AI tools with production database access they didn't know about. The key is treating all identities—human or machine—as potential risk vectors requiring continuous governance.

As Veza scales identity-first security, how do you ensure access decisions across joiner, mover, and leaver processes remain accurate and compliant? 

Accuracy comes from understanding effective permissions, not just assigned roles. Traditional IAM shows you group memberships; we show what someone can actually do with their access. For joiners, we enable role mining based on peer analysis. For movers, we automatically flag permissions that no longer align with their new role. For leavers, we trace access paths across all connected systems. The magic is continuous monitoring—access drift happens daily, not just during major transitions.

Leading global, distributed security teams requires more than technical expertise. What leadership principles have helped you inspire teams during times of rapid transformation?

Three principles guide me: First, clarity of mission—everyone should understand how their work protects the business. Second, psychological safety—in security, people must feel safe reporting mistakes or near-misses. Third, celebrate learnings over blame. During one transformation, we turned a major incident into our best training tool by focusing on systematic improvements rather than finding fault. When teams see leaders admit mistakes and focus on solutions, they become more innovative and resilient.

Having secured patient data and pharmaceutical IP, what lessons from that experience do you find most applicable to broader enterprise Security?

Life sciences taught me that your most sensitive data is often in the hands of third parties—CROs, manufacturing partners, research collaborators. This external access challenge exists everywhere now. The key lesson: you can't secure what you can't see, and visibility must extend beyond your four walls. Also, regulatory compliance in pharma showed me that good security practices often become tomorrow's compliance requirements—get ahead of the curve.

Looking ahead, how will AI and automation redefine digital trust, and what should enterprises be doing now to prepare for this future?

AI will multiply the identity challenge exponentially; every AI agent becomes an identity needing governance. But AI also offers solutions: imagine AI-driven access reviews that understand context and risk, not just checkboxes. Enterprises should start by establishing visibility into all identities today, because you can't govern AI-driven access if you don't understand human-driven access. The winners will use AI to make access decisions more intelligent while maintaining human oversight for critical risks.