Tech That MattRs: Field notes for people who have to operate the mess

I’ve published across a number of outlets over the years, and much of this work was published while I was inside companies. But the ideas are portable. I care about systems, operating models, and decision rules: how to design access that doesn’t rot, how to govern non-human identities before they govern you, how to scale programs through hypergrowth without collapsing into spreadsheets and tribal knowledge. Where I reference a vendor, treat it as “one implementation of a broader pattern” and take the pattern with you.

This is not a “look at all the stuff I’ve done” page; it’s more of a map of problems I keep seeing again and again, and the frameworks I keep pushing for because they work.

If you’re new here, welcome. This is my living “content index,” a curated map of what I’ve published over the years across identity security, hybrid cloud, modernization, and the craft of technical product marketing. I write for practitioners first: SecOps, IAM/IGA folks, platform engineers, and IT leaders who are tired of hand-wavy guidance and want something that actually holds up when the incident hits or the auditor shows up.

How to use this:

  • Start with “Start Here” if you want the through-line in under an hour.
  • Pick a track that matches your current situation.
  • Treat this as a library. Skim the intros, then pull the pieces you actually need.

Places to find me:

LinkedIn: https://www.linkedin.com/in/matthewromero2021

YouTube (new): https://www.youtube.com/@TechThatMattRs


Choose your track (pick the mess you’re dealing with)

Most people start with Track A, Track D, or Track H because that’s where the world is headed (agents and NHIs) and where the world is hurting (incidents and blast radius, with hybrid cloud, app modernization, and the day-to-day enterprise reality).

If you’re here for the technical PMM side of things, jump straight to Track G.

Track A: Agents and non-human identities

If you’re deploying AI agents, automations, bots, service accounts, or anything that runs unattended, start here. This is inventory, ownership, boundaries, and lifecycle, before sprawl becomes policy theater.

A good starting point is the NHI Ownership Security Checklist I created for Veza: https://veza.com/blog/nhi-ownership-security-checklist

Because “who owns it” is the control most orgs skip, and it’s the reason everything else fails. Rotation, reviews, approvals, and incident response all depend on having an accountable owner.

Track B: Access reality across SaaS, cloud, and data

If you can’t answer “who can do what” without ten spreadsheets and a prayer, start here. This is the visibility layer, posture, and making effective permissions usable for decisions.

Track C: Least privilege, roles, and drift control

If RBAC is failing, access reviews feel performative, or privilege creep is everywhere, start here. This is mechanics: role mining, role hygiene, and continuous least privilege based on reality.

Track D: SecOps and incident-shaped identity security

If you’re in incident mode, threat hunting, or responding to identity-first intrusions, start here. This is blast radius, containment questions, OAuth abuse, and what “access” means during IR.

A great use case is in the blog post “Ransomware Isn’t Just Malware Anymore. It’s an Identity Problem”: https://veza.com/blog/identity-ransomware-ispm

This one snaps the mental model into place fast. Once you see ransomware as permissions and lateral movement, you stop arguing about tooling and start reducing blast radius.

Track E: Compliance and receipts

If auditors are coming, regulators are involved, or you’re tired of compliance theater, start here. This is evidence-grade governance: controls you can prove quickly.

Track F: Disconnected apps, legacy platforms, and the seams

If your risk lives in the apps that don’t integrate, the platforms no one wants to touch, or the data paths no one documented, start here. This is governance for the ugly enterprise reality.

Track G: PMM craft and technical storytelling

If you want to see how I build technical content that holds up in front of engineers and execs, start here. This is demos, ghostwriting, asset strategy, and credibility rules.

I have a great primer on Creating Engaging Technical Demos: Best Practices to Drive Conversions: https://www.linkedin.com/pulse/creating-engaging-technical-demos-best-practices

This one shows how I approach the demo process: how to define the audience, set the problem, prove it live, and leave the client with something they can do.

Track H: Hybrid cloud, modernization, and enterprise reality

If you want the earlier backbone that shaped how I think (migration sequencing, legacy data, resilience, cost realism), start here. Same operator mindset, different era of problems.


Start Here (Top Posts)

1) When Hypergrowth Meets Identity Reality (LinkedIn)

https://www.linkedin.com/pulse/when-hypergrowth-meets-identity-reality This is the hypergrowth story told the way operators talk about it. It starts with the uncomfortable truth: governance breaks not because people are bad, but because velocity turns “temporary exceptions” into permanent risk. It pushes hard on incident math, not marketing math, and treats IGA as the mechanism for changes that stick and don’t quietly come back next sprint.

2) Beyond Human: Securing Agentic AI and Non-Human Identities in a Breach-Driven World (Unite.AI)

https://www.unite.ai/beyond-human-securing-agentic-ai-and-non-human-identities-in-a-breach-driven-world/ This piece makes the agent problem legible: agents are actors. Actors have identities, credentials, permissions, and blast radius. It ties agentic AI to the existing NHI sprawl problem and calls out what breaks in most programs: no ownership, static secrets, and no visibility into effective access. It’s breach-shaped thinking, not futurism.

3) Copilot, Can You Keep a Secret? (LinkedIn)

https://www.linkedin.com/pulse/copilot-can-you-keep-secret This is the “AI assistants inherit your mess” essay. It starts with SharePoint as the corporate junk drawer, then adds Copilot as an assistant that can surface and summarize sensitive content on demand. The point is not “Copilot is scary.” The point is “over-permissioned data plus AI retrieval equals silent exfil paths.” It gives concrete steps: inventory the agents, map what they can access, restrict sensitive sites, govern agent creation and training, and audit frequently.

4) Moving to the Cloud is About Controlling Costs, Not Reducing Costs (Data Center Knowledge)

https://www.datacenterknowledge.com/industry-perspectives/moving-cloud-about-controlling-costs-not-reducing-costs This anti-hype stance reframes cloud as cost control, chargeback clarity, and agility, not automatic savings. It also calls out the migration reality most people avoid: the migration itself costs money, and some workloads are not cheaper in cloud. It’s the kind of argument IT leaders can use with finance without getting laughed out of the room.

5) Identity Is the New Control Plane (Veza)

https://veza.com/blog/identity-new-control-plane The story is not “identity is important.” The story is that identity risk has become a business health indicator because the identity landscape outgrew the controls built to govern it. It frames modern incidents as boring and repeatable: dormant accounts, partially deployed MFA, and service accounts with permissions nobody realized. It connects identity to regulatory exposure and operational resilience, which is the language that actually moves budgets.


Track A: Agents and non-human identities

If you’re building agents, you’re building a workforce that scales faster than governance. The predictable failure mode is unattended identities with wide permissions, weak ownership, and no lifecycle.

Core reads

Beyond Human (Unite.AI) https://www.unite.ai/beyond-human-securing-agentic-ai-and-non-human-identities-in-a-breach-driven-world/ This is your “agents are identities” framing with a breach-shaped lens. It connects agentic AI to the same operational failures we already know from NHIs: unknown ownership, static secrets, unreviewed scopes, and no evidence trail. The value is that it gives security teams permission to treat agents like access paths, not toys.

NHI Ownership Security Checklist https://veza.com/blog/nhi-ownership-security-checklist/ This is the control that makes everything else possible. It turns “who owns this bot?” from a shrug into a concrete checklist you can operationalize, including what ownership means, what evidence to keep, and how to enforce it without stopping delivery.

What Are Non-Human Identities? https://veza.com/blog/what-are-non-human-identities/ This establishes the taxonomy clearly enough that teams can stop debating terms and start scoping controls. It’s useful because it frames NHIs as a scale problem, not a “one more account type” problem, which changes how you govern them.

Non-Human Identity Management https://veza.com/blog/non-human-identity-management/ This reads like a program blueprint: discovery, ownership, rotation, review, retirement. The value is the lifecycle approach; it makes NHIs governable with repeatable process instead of a quarterly cleanup that never finishes.

What Is Machine Identity? https://veza.com/blog/what-is-machine-identity/ This expands the concept beyond service accounts into keys, tokens, certs, workloads, and app identities. It’s useful for getting platform teams and security teams aligned on what “machine identity” actually includes so the program doesn’t miss half the risk surface.

More depth

All the Keys, Visualized: Governing 90+ Non-Human Identities https://veza.com/blog/governing-non-human-identities/ This is the “scale is not an excuse” piece. It shows how to take a large messy inventory and turn it into something you can govern through classification and prioritization, instead of treating it like an unsolvable backlog.

OpenAI Identity Governance and Least Privilege https://veza.com/blog/openai-identity-governance-least-privilege/ This translates “AI access” into governance controls: membership, roles, data access paths, and least privilege. The value is the enterprise framing; it’s written so security, platform, and business stakeholders can all see their piece of the risk model.

AI, Identity Security, and Privileged Access https://veza.com/blog/ai-identity-security-privileged-access/ This focuses on the uncomfortable truth: AI-powered workflows accelerate privileged execution. It’s useful because it lays out where privilege shows up in agent tool use and orchestration, and why allowlists, scopes, and break-glass controls need to exist before you ship.


Track B: Access reality across SaaS, cloud, and data

This track is for “we have identity systems, but we still cannot answer who can do what.” It’s about effective permissions, not identity screenshots.

Core reads

Identity Is the New Control Plane https://veza.com/blog/identity-new-control-plane/ This is the thesis that ties the whole library together. It reframes identity as the operating boundary for modern enterprises and makes the case that “access reality” is what determines blast radius, not intentions or org charts.

Identity Visibility and Intelligence Platform https://veza.com/blog/identity-visibility-intelligence-platform/ This defines the IVIP layer in practical terms: visibility into effective access across systems, normalized enough to use for governance and response. The value is that it gives teams a framework to describe what they’re missing between IAM and enforcement.

Identity Security Posture Management (ISPM) https://veza.com/blog/identity-security-posture-management-ispm/ This shifts the conversation from point-in-time controls to continuous drift. It’s useful for teams that already have reviews and MFA but keep getting surprised by privilege creep, stale access, and non-human identities proliferating in the background.

More depth

IVIP mapping to operations https://veza.com/blog/identity-visibility-intelligence-platform-veza/ This is where IVIP stops being a concept and becomes workflows: reviews, IR triage, compliance, and prioritization. The value is the operator translation; it ties “visibility” directly to actions.

Gartner Hype Cycle context for IVIP and AI for access https://veza.com/blog/identity-visibility-intelligence-platform-gartner-hype-cycle-2025/ This is category positioning with just enough analyst context to be useful for internal alignment. It helps teams explain timing and why this layer is emerging now.

Analyst landscape post https://veza.com/blog/analysts-veza-leader-identity-security/ This is useful as a market narrative artifact. It frames the shift from traditional IGA and IAM conversations toward access visibility, intelligence, and posture, which is the direction this overall canon is pushing.


Track C: Least privilege, roles, and drift control

This track is about reducing standing privilege without turning governance into paperwork theater. It’s the “mechanics” section.

Core reads

Privilege Creep https://veza.com/blog/privilege-creep/ This names the most common failure mode: temporary access becomes permanent because the system has no reliable rollback muscle. The value is that it explains privilege creep as an operational reality, then frames what controls actually reduce it.

Role Mining and AI https://veza.com/blog/role-mining-ai-identity-security/ This is about using reality to build roles: usage patterns, common entitlements, clustering. It’s useful because it makes role engineering feasible when the permission model is already messy.

RBAC Role Engineering https://veza.com/blog/rbac-role-engineering-access-governance/ This frames role engineering as hygiene, not a one-time “role project.” The value is the long-term operating model: roles drift unless you maintain them like any other production system.

Light IGA https://veza.com/blog/light-iga/ This is the pragmatic path for orgs that cannot wait 12–18 months for classic IGA to land. It’s valuable because it’s honest about constraints and focuses on fast risk reduction with a modern access reality layer.


Track D: SecOps and incident-shaped identity security

This is the responder track. It’s about blast radius, containment questions, and the fact that identity-first intrusions are boring and common.

Core reads

Verizon 2025 DBIR: third-party risk and identity sprawl https://www.linkedin.com/pulse/verizons-2025-dbir-third-party-risk-identity-sprawl This is a practitioner interpretation, not a stats dump. It pulls the identity-shaped threads out of breach data: third-party exposure, credential misuse, and how access paths outlive their justification.

Identity ransomware ISPM https://veza.com/blog/identity-ransomware-ispm/ Reframes ransomware as an access problem: permissions determine reach, speed, and damage. Valuable because it shifts focus from “detect malware” to “reduce blast radius.”

Beyond insider risk: identity threat response https://veza.com/blog/beyond-insider-risk-identity-threat-response-veza-crowdstrike/ This is the “alerts to answers” workflow. The value is the decision flow during an incident: identify the actor, map what they can do across systems, then act with confidence.

Stopping insider risk with CrowdStrike Falcon https://veza.com/blog/stopping-insider-risk-veza-crowdstrike-falcon/ This is a stack story that demonstrates why detection alone is insufficient. It shows how identity context answers the only question responders care about: what can this identity touch right now.

Identity-first attack: vSphere UNC3944 https://veza.com/blog/identity-first-attack-vsphere-unc3944-2025/ A concrete case showing identity-first intrusion patterns. Valuable because it’s a reminder that valid credentials plus access paths often beat malware controls.

Malwarebytes ThreatDown identity threat detection https://veza.com/blog/veza-malwarebytes-threatdown-identity-threat-detection/ This reinforces the same point from a different angle: identity context turns detections into actions. Useful for SecOps teams trying to reduce mean time to understanding.

Veza for security operations https://veza.com/blog/veza-for-security-operations-identity-security/ This is “how identity becomes operational.” The value is the workflow mapping: where identity fits into triage, investigations, and remediation rather than living as a separate IAM program.


Track E: Compliance and receipts

This is the “prove it” track. Controls are not real until you can show evidence quickly without a scavenger hunt.

Core reads

Access control compliance guide 2025 https://veza.com/blog/access-control-compliance-guide-2025/ Defines access control for IT pros and ties it to measurable evidence, not policy PDFs. Valuable because it makes compliance actionable and operational.

PCI DSS 4 compliance access governance https://veza.com/blog/pci-dss-4-compliance-access-governance-veza/ Connects PCI requirements to modern identity realities: service accounts, cloud entitlements, and effective access. Useful for teams modernizing PCI posture beyond annual review rituals.

Third-party risk management https://veza.com/blog/third-party-risk-management/ Frames third-party risk as identity risk once access is granted. Valuable because it focuses on lifecycle, review, and ongoing validation, not just vendor questionnaires.


Track F: Disconnected apps, legacy platforms, and the seams

Where governance breaks: the apps outside integrations, the “special” legacy systems, and data paths nobody documented.

Core reads

Identity integrations for IVIP, IGA, ISPM https://veza.com/blog/identity-integrations-for-ivip-iga-ispm/ Makes a simple point: if you cannot ingest permissions, you cannot govern them. Valuable because it reframes integration coverage as a security capability, not a convenience.

Access governance for disconnected apps https://veza.com/blog/access-governance-for-disconnected-apps/ A reality check for orgs that assume IGA covers everything. Useful because it shows how disconnected apps become long-lived risk pockets and what “good enough governance” looks like when integration is not perfect.

Enrichment rules identity classification https://veza.com/blog/veza-enrichment-rules-identity-classification/ Shows how context makes identity data usable. Valuable because it demonstrates how classification rules turn raw entitlements into decisions humans can trust and automate.

Azure access control compliance intelligent access https://veza.com/blog/azure-access-control-compliance-intelligent-access/ Frames cloud access control as governance and evidence, not just configuration. Useful for teams trying to align Azure control models with audit expectations.

How to choose data governance tools 2025 https://veza.com/blog/how-to-choose-data-governance-tools-2025/ Connects data governance to identity and access realities. Valuable because it calls out that governance is incomplete if you cannot map who can actually reach sensitive data.


Track G: PMM craft and technical storytelling

This is the “how I ship technical content that holds up under scrutiny” track. The through-line is credibility, proof, and respect for the audience’s time.

Core reads

Rethinking ghostwriting https://www.linkedin.com/pulse/rethinking-ghostwriting-b2b-tech-marketing-vs-control This lays out the real trade-off between speed and authenticity, and it gives decision rules for when ghostwriting is appropriate versus when it damages trust long-term.

Creating engaging technical demos https://www.linkedin.com/pulse/creating-engaging-technical-demos-best-practices Treats demos as proof systems, not feature tours. Valuable because it’s structured like an operator guide: what to show, what to say, how to survive Q&A, and how to leave viewers with repeatable takeaways.

Beyond whitepapers: solution briefs and 1-pagers https://www.linkedin.com/pulse/beyond-whitepapers-role-solution-briefs-1-pagers Defines asset types by job-to-be-done. Useful because it stops “make a 1-pager” from being meaningless and turns it into a purposeful artifact that sales and technical buyers actually use.

Beyond demos: strategic role of whitepapers https://www.linkedin.com/pulse/beyond-demos-strategic-role-whitepapers-technical-marketing Frames whitepapers as alignment tools and narrative anchors. Valuable because it argues for depth where it matters and for honesty about constraints, which is how you avoid marketing fluff and build trust.

More depth

Case studies, use cases, personas https://www.linkedin.com/pulse/unlocking-marketing-success-case-studies-use-cases-personas A practical taxonomy piece. Useful because it gives teams a shared language for what each asset is supposed to do and how to prevent mixing formats into content soup.

1910 sailboat restoration and technical PMM https://www.linkedin.com/pulse/what-1910-sailboat-restoration-taught-me-technical-product A metaphor that actually works: sequencing, craftsmanship, respect for constraints. Valuable because it shows how I think about long projects and technical truth, not just content output.

Securing Asana with Defender for Cloud Apps https://www.linkedin.com/pulse/securing-your-asana-environment-microsoft-defender-cloud A concrete SaaS governance example. Useful because it demonstrates you can translate security controls into real operational systems people use every day.

Windows 11 contrast themes https://www.linkedin.com/pulse/windows-11-contrast-themes-personal-experience Shows accessibility as productivity. Valuable because real humans are operating the tooling, not just abstract personas.


Track H: Hybrid cloud, modernization, and enterprise reality

This is the older backbone: migration sequencing, legacy data realities, resilience, and cost realism. Same operator mindset, different era of problems.

Core reads

Cloud cost realism (Data Center Knowledge) https://www.datacenterknowledge.com/industry-perspectives/moving-cloud-about-controlling-costs-not-reducing-costs/ This is the credibility piece for cloud economics. Valuable because it tells the truth IT leaders need when budgets get real: migration has costs, cloud changes spending shape, and “cheaper” is not guaranteed.

Data Center Dynamics: Extending IBM i with cloud analytics https://www.datacenterdynamics.com/en/opinions/extending-ibm-i-applications-with-cloud-based-data-analytics/ A practical argument for extension over rewrite. Valuable because it shows how to add cloud value without destroying what already works.

Data Center Dynamics: Freeing data from legacy systems https://www.datacenterdynamics.com/en/opinions/why-a-comprehensive-modernization-strategy-should-free-data-from-legacy-systems/ Positions data as the real modernization prize. Useful for leaders who need to justify modernization as business capability, not tech vanity.

Data Center Dynamics: Including legacy data in modernization https://www.datacenterdynamics.com/en/opinions/how-to-include-data-from-legacy-applications-in-data-modernization-projects/ This is the “OK, but how” piece. Valuable because it acknowledges constraints and lays out realistic approaches to pulling legacy data into modern workflows.

Microsoft Tech Community: IBM Power workloads migration value https://techcommunity.microsoft.com/blog/marketplace-blog/how-cloud-migration-of-ibm-power-workloads-adds-value-thanks-to-skytap-on-azure/3494047/ Shows how to talk about stubborn workloads in business terms. Valuable because it frames migration as risk-managed progression, not a rip-and-replace fantasy.

Microsoft Tech Community: Modernize legacy data with Azure-native services https://techcommunity.microsoft.com/blog/marketplace-blog/using-skytap-on-azure-and-azure-native-services-to-modernize-your-legacy-data/3641278/ Useful for teams trying to connect legacy systems to modern analytics and data services. It emphasizes integration patterns and sequencing, which is where most modernization projects live or die.

Skytap + Microsoft Synapse whitepaper (PDF) https://www.skytap.com/wp-content/uploads/2022/04/White-Paper-Skytap-Azure-Synapse.pdf A step-by-step wiring guide style artifact. Valuable because it provides implementation-grade detail, not just conceptual architecture.

Cloud Awards: Four critical steps for migrating apps https://www.cloud-awards.com/four-critical-steps-for-migrating-applications-to-the-cloud/ A migration sequencing piece that respects reality. Useful as a checklist for teams trying to avoid the classic failure modes of cloud moves.

Solutions Review: Backup and recovery questions https://solutionsreview.com/backup-disaster-recovery/four-key-backup-and-recovery-questions-it-must-ask-during-deployment/ A practical DR decision tree. Valuable because it forces teams to answer RTO/RPO/testability questions early instead of discovering them mid-incident.

Retail TouchPoints: DR for retail https://www.retailtouchpoints.com/blog/a-primer-on-cloud-based-backup-and-disaster-recovery-for-retail/ Resilience explained in business terms without losing technical truth. Useful if you need to communicate DR value to non-technical stakeholders.

The New Stack: IBM i modernization guide https://thenewstack.io/a-step-by-step-guide-to-modernizing-ibm-i-applications/ A mainstream developer audience angle on IBM i modernization. Valuable because it shows how to translate legacy modernization into modern engineering language.

Paying off technical debt through cloud migration https://vmblog.com/archive/2022/12/28/paying-off-technical-debt-through-cloud-migration.aspx Frames migration as debt reduction and operational simplification. Useful for readers who need to justify migration as risk and maintenance reduction, not just innovation.

IBM i skills gap https://www.linkedin.com/pulse/how-address-ibm-i-skills-gap-2024-evolving-challenge-matthew-romero/ Modernization is a people problem too. Valuable because it addresses institutional knowledge, hiring realities, and why skills risk becomes operational risk.

Including legacy data in projects https://www.linkedin.com/pulse/how-include-data-from-legacy-applications-projects-matthew-romero/ A practical LinkedIn version of the same modernization thesis. Useful for readers who want a quicker on-ramp than the industry pubs.

Quantum computing for IT pros https://www.linkedin.com/pulse/quantum-computing-pros/ Shows my consistent move: take a complex topic and turn it into an IT mental model. Valuable because it demonstrates how I communicate emerging tech without hype, using architecture and ops metaphors that IT people actually understand.


Conclusion

Ok, so you’ve scrolled all the way to the bottom. If you made it down here, thank you. That tells me you’re not looking for a highlight reel. You’re looking for something you can actually use.

So what’s next is simple. This page exists so the work doesn’t get scattered across platforms and lost to time, algorithms, or employer context. It’s a single place I can point people, and a single place I can find my own trail later.

If you are thinking of this as a library, do not try to “consume” it. Pick the track that matches what you’re dealing with right now, grab one or two pieces, and use them. If you come back later for a different problem, this page should still be here, still useful, still a map.

As I publish new things, I’ll add them to the index when I can, and I’ll keep tightening the structure as it grows. If you hit a dead link or you think a track is missing something obvious, tell me. That kind of feedback is how this stays practical instead of turning into a pile.

Matthew Romero
