Technology is reshaping identity management at the local and federal levels, requiring agencies to better understand their data and how systems connect, officials said Tuesday.
Speaking at the Okta Government Identity Summit in Washington, Heather Dyer, chief information security officer (CISO) at the U.S. Postal Service, said that identity management has evolved over the past year from securing data to enabling operations.
“Identity is it’s not just users, it’s applications, it’s service accounts, it’s nonhuman identities, it’s devices. And you have to look at all of that holistically,” Dyer said. “We are also business enablers now. We don’t say ‘no,’ we say ‘yes,’ and ‘how do we do this securely?’”
Suneel Cherukuri, CISO for the District of Columbia, said a similar shift is underway at the local level, but with unique complexity. Unlike most municipalities, he explained that D.C. serves residents, businesses, and international entities – including consulates – making its services broadly accessible.
That open access combined with the inability to simply block incoming interactions puts heavy pressure on identity verification systems, Cherukuri explained.
“Most people do not know the difference between a federal government and D.C. government. They think that the D.C. government is actually the federal government. So, by de facto, we become the prime target every single time … they’re not happy,” Cherukuri said.
After major progress over the past five years, a newer zero trust approach has strengthened systems, creating a more reliable foundation for managing access, Cherukuri said.
Dyer added that zero trust investments – such as multifactor authentication and privileged access controls – have reduced risk at the federal level, but emerging threats from artificial intelligence (AI) are reshaping priorities and requiring constant adaptation.
“A lot of the risk of AI is really the users and exposing data that they shouldn’t be,” Dyer said. Instead of restricting access, she said the Postal Service is prioritizing controlled adoption with visibility and safeguards while clearly communicating risk to business leaders.
In D.C., Cherukuri said the city is expanding mandatory AI and cybersecurity training to ensure employees understand risks and the value of data.
Looking ahead, both leaders emphasized that agencies must embed security from the start as AI accelerates both innovation and threats.
Dyer said that her mission remains unchanged: “to support the core mission of the Postal Service, which is to continue delivering mail packages six, sometimes seven days a week … and the mission doesn’t change to do that securely.” She added that agencies must “stay one step ahead” as adversaries increasingly use AI to launch attacks at scale.
Cherukuri echoed that AI will be critical to improving government services but requires coordinated strategy and oversight across D.C.’s more than 100 agencies. He warned that rapid AI-driven development introduces new risks. “If AI wrote it, that means you can also break into it much faster,” he said, adding that “it’s never going to really work without the human in the loop.”