
Karl McGuinness
- Previously: SVP & Chief Product Architect @ Okta
- Standards: IETF OAuth WG · OpenID Foundation
- Focus: Identity product, strategy, architecture
- Currently: Advising identity startups
I’m a product and technology leader with 25+ years of experience building mission-critical, internet-scale identity and infrastructure platforms. At Okta I spent over a decade shaping how modern enterprises and the industry think about identity as foundational infrastructure.
I specialize in product architecture, the intersection of product strategy and system design. I translate ambiguous requirements into durable product structures: domain boundaries, APIs, platform extensibility, and investment sequencing that keep teams fast today and options open later.
This blog, Control Plane, is where I work through the harder questions: not just how identity works today, but what it needs to become as autonomous agents, delegated authority, and machine-speed decisions replace the human-centric models we built everything on.
Focus Areas
- Agentic identity: how authentication and authorization must evolve as agents act on behalf of principals and operate without human supervision
- Governance and authority: delegation chains and accountability structures that make autonomous systems trustworthy
- Trust infrastructure: protocols, assertions, and verification mechanisms that let systems make access decisions with confidence
- Enterprise identity: federation, lifecycle management, and the interoperability gaps that still make enterprise identity harder than it should be
Standards Work
Identity problems do not get solved in products alone. I contribute to the specifications that make systems interoperable.
IETF OAuth Working Group
- Identity Assertion JWT Authorization Grant (ID-JAG): a mechanism for applications to use identity assertions to obtain access tokens for third-party APIs, coordinating through a shared enterprise IdP via Token Exchange
- OAuth 2.0 Resource Parameter in Access Token Response: defines a `resource` parameter in token responses so clients can confirm the intended protected resource and mitigate resource mix-up attacks
OpenID Foundation
- OpenID Provider Commands 1.0: defines remote procedure calls from an OP to RPs enabling OPs to manage the full account lifecycle: activate, suspend, reactivate, archive, restore, delete, and unauthorize
- OpenID Connect Enterprise Extensions 1.0: extensions for enterprise OIDC deployments, co-authored with Dick Hardt
- IPSIE, Interoperability Profile for Secure Identity in the Enterprise: working group building interoperability and security profiles across existing specifications to move the needle on enterprise identity in practice, not just in theory
Background
Before Okta I worked across enterprise software, developer tools, and internet infrastructure. I’m drawn to the messy middle where product intent meets architectural reality, especially at enterprise scale and high stakes.
In product architecture work, I emphasize shared responsibility across product, UX, and engineering: product clarifies vision, value, and priority scenarios; architecture shapes system-level structure, preserves optionality, guides tradeoffs, and sequences investments as the business learns.
Get in Touch
If you’re building identity or platform capabilities at scale, or need a product architecture lens on strategy, roadmaps, or system design, I’m happy to compare notes.