Content provided by Pandium. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Pandium or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://podcastplayer.com/legal.
Developing standards in the rapidly evolving field of AI

36:12
 

In this discussion, Cristina Flaschen, CEO of Pandium, speaks with Heather Flanagan, Principal at Spherical Cow Consulting, and Shon Urbas, CTO of Pandium, about the complex realities of building integrations when identity, compliance, and data governance are on the line.

Heather’s Background and Identity-Centric Lens

Heather Flanagan draws on years of experience in identity standards, advising governments, nonprofits, and tech companies on secure identity flows. At Spherical Cow Consulting, she emphasizes that integrations are not just about API connections. They must preserve identity and policy context across systems. This lens shapes how she evaluates long-term integration quality.

Identity is the Data

In many cases, identity itself is the data being transferred. Systems are not just passing files. They are transmitting roles, permissions, and group memberships. A failure in handling identity correctly can result in unauthorized access or users being locked out. This is especially critical in sectors like government and education.

The Hidden Work Behind “It Just Works”

Heather and Shon note that behind every seamless integration is complex logic. Connecting identity systems like SCIM, SAML, and OpenID Connect requires shared understanding across platforms. A major challenge is the assumption that systems interpret identity attributes the same way.

Integration as Infrastructure

Shon sees integrations as core infrastructure, not just product features. At Pandium, his team treats them as reusable, composable flows. Even with modern tools, reliable integrations depend on clear contracts around data formats, identity handling, and error recovery.

MCP: Open Source, Not a Standard

Heather and Shon discuss the growing hype around MCP, the Model Context Protocol, often mislabeled as a standard. Heather explains that MCP is an open source project from Anthropic, not a true standard, since it lacks formal security reviews, governance, and cross-industry consensus. Shon notes that while it may help drive adoption of existing protocols like OAuth 2, it adds little technical innovation and risks moving too fast without proper safeguards.

When Identity Meets Governance

Heather stresses that integration design must align with governance requirements. In regulated environments, even passing a field like email may require approval. Developers must understand what data can be shared and what must stay controlled.

Building Trust Into the Stack

Trust requires more than encryption. It depends on visibility into what moved, when, and why. Heather advocates for logging and traceability as essential for debugging and for building confidence in identity-driven systems.

For more insights on integrations, identity, and APIs, visit www.pandium.com.
Read Heather's blog: https://sphericalcowconsulting.com/

Heather's book recommendation: Clockspeed: Winning Industry Control in the Age of Temporary Advantage


30 episodes
