The observation came during a conversation with Government Technology Insider following the Federal Cybersecurity Executive Summit hosted by Optiv + ClearShark. Brewer, director of public sector sales engineering at Ping Identity, framed the problem simply: agencies are caught in an ongoing "experimental phase" with AI and must build cybersecurity strategies on proven, adaptable concepts while the threat and technology landscape evolves rapidly.
Why identity platforms, not point products, are gaining traction
Brewer described identity management as moving through phases — alternating between point solutions and integrated platforms. Over the past seven or eight years, agencies often deployed multiple discrete tools — identity governance, authorization, authentication, identity verification, and card management — producing complexity and operational drag. Brewer argues the current corrective movement is toward standardized identity platforms that reduce the number of standalone products and integration points. Simplifying the stack, he said, cuts the number of unique administrators required and lowers the operational overhead of protecting agency environments.
Headless administration: AI as an operational accelerator
Brewer highlighted a concrete example of AI delivering immediate productivity gains: what he called "headless administration." Ping Identity released documentation in markdown to enable AI development platforms such as Claude Code to read product documentation and execute configuration tasks from plain language prompts. Brewer described asking such an AI to "build an authentication journey" or "add an OAuth application with these certificates," and having the system perform UI-driven tasks programmatically. The result, he said, is saving agency time by automating complex, manual configuration work and allowing teams to be more proactive.
Reverse proxying SAML and legacy applications against agentic AI and PQC risks
On the twin fast‑moving fronts of agentic AI and post‑quantum computing (PQC), Brewer counseled pragmatism. He warned agencies are unlikely to meet federal PQC readiness timelines for many legacy systems and recommended an interim technical control: place a reverse proxy in front of legacy applications. Specifically, Brewer urged agencies to reverse proxy Security Assertion Markup Language (SAML) applications — which he estimated constitute "probably 80 percent of the applications in the identity space" in government — because SAML "is not going to go quantum; it’s not going to go PQC." He observed that those SAML apps "won’t be ready for 2029," making reverse proxying a stopgap that can permit known operational traffic while blocking novel, unexpected, or risky flows associated with emerging agentic threats.
Policy, executive direction, and the gap to legislation
Brewer acknowledged existing guidance but urged clearer, binding direction. He noted agencies "just received an executive order from the White House on AI and how agencies are supposed to handle that," yet said the next step is legislation: "We need laws, policy, and infrastructure" so agencies can prepare for AI and PQC. In his view, current materials amount largely to guidelines and the "next thing that needs to happen" is legislative movement to codify expectations and timelines.
What this means for technologists, policymakers, and agency operators
- Technologists and security teams: Favor platform consolidation and integration to reduce administrative overhead; explore AI‑driven "headless administration" workflows to automate configuration and speed response; plan to deploy reverse proxies in front of legacy SAML applications as an interim protective control.
- Policymakers and regulators: Build on the White House executive order with concrete statutory measures and timelines so agencies can move beyond guidance and align procurement, upgrade plans, and security baselines for AI and PQC.
- Agency operators and procurement leaders: Prepare for multi‑year modernization work — expect that many identity applications will remain SAML‑based through 2029 — and prioritize integration strategies and controls that protect legacy services while enabling AI‑enabled productivity gains.
Brewer’s prescription is pragmatic rather than heroic: consolidate identity tooling, use AI to remove repetitive configuration work, and erect reverse proxies to shield legacy systems while awaiting firmer policy and quantum‑resistant upgrades. The immediate choices are technical and tactical; the larger question he leaves is political and procedural — when, and how, will law and regulation provide the timelines and funding agencies need to move from the perpetual experimental phase into durable operational readiness?
Original reporting: Government Technology Insider — Identity Infrastructure: How Agencies can Modernize Legacy Systems Without Disrupting Daily Operations




