September 18, 2025

The IT Circle: Interview with Lydia's Head of IT Sébastien

Alessandro Mauro
Chief of Staff

Interview with Sébastien Marouani, Head of IT, IAM & Cybersecurity tools at Lydia.

TL;DR In this conversation, Sébastien shares key lessons from over a decade at Lydia, covering the ongoing challenge of applying for a banking license in France on a fully macOS infrastructure, managing shadow IT in a SaaS-heavy environment, and navigating the risks and limitations of AI tools in the workplace. He reflects on how application usage has evolved from spreadsheets to structured identity governance, and gives practical advice to new IT professionals: challenge the status quo, avoid market hype, and always choose tools that truly fit your needs.

Tell me about the IT project you are most proud of, or the one that challenged or disappointed you the most

The most challenging project we are facing is applying for a banking license in France while running entirely on a macOS infrastructure. This would be a first for a retail bank. Lydia is currently an electronic money institution, but we made the ambitious decision to apply for a full banking license with the Banque de France, which is known as one of the strictest regulators in Europe. We chose to go through the French process, which demands the same level of compliance as traditional banks like BNP or Société Générale.

What makes me particularly proud is that we are doing this with a 100% macOS setup. Most banks use Windows, and the regulator is used to that environment. When they ask questions about antivirus, EDR, DLP, or Active Directory, they expect standard Windows-based solutions. We have to find ways to meet those expectations while adapting them to our Apple-based systems.

This is a significant technical and organisational challenge. We originally had a mixed fleet of Chrome OS and macOS devices, but we have migrated fully to macOS. This project is something we are proud of, but it continues to challenge us and occasionally frustrate us, especially when we need to explain why some of our answers do not fit into traditional expectations.

Is visibility important to avoid high-risk security mistakes?

Today, the biggest concern for anyone managing identities is shadow IT. The main challenge is discovering tools that have not been approved or reviewed from a technical or security standpoint. The real issue is knowing what you do not know. You can protect yourself from tools you are aware of, even if they have vulnerabilities. For example, most banks run on Windows, and since they know the risks, they use solutions like CrowdStrike to mitigate them.

But when a tool is completely unknown, you do not know it exists, you do not know it might be vulnerable, and you do not know if user accounts have been created on it. So when someone leaves the company, those accounts might remain active. From a security perspective, this is one of the most critical risks. It is just as serious as the issue of Bring Your Own Device. Whether it is a tool or a device, if it is not under control, it poses a major threat.

What is the impact of AI tools on an already complex SaaS environment?

I have been watching these new AI tools with a lot of curiosity, and I have also seen some of the world’s biggest companies completely miss the shift. Even giants like Google and Apple fell behind and now have to spend billions to catch up. What strikes me is that, even in 2025, some models still cannot answer very basic questions properly. That tells you how unreliable AI can still be.

For me, the real challenge is learning how to use these tools properly. You need to know how to write a good prompt, understand the type of data you are sending to the model, make sure the model is appropriate, and, above all, keep a critical eye on the answers it gives you. These are skills that should be taught from middle school all the way to business school. The biggest risk is copying and pasting blindly without questioning the output.

Another risk is the rise of a new form of shadow IT. Employees could use ChatGPT or other free AI tools with personal accounts, sometimes entering sensitive internal information like operational processes. That is where things could become problematic. At Lydia, we have a strict policy in place, along with Data Loss Protection mechanisms to monitor and contain such risks. For now, our controls are non-intrusive and focused on reporting, but we may move to stricter enforcement if needed.

💡 “In the modern workspace, in many companies, employees could use ChatGPT or other free AI tools with personal accounts, sometimes entering sensitive internal information like operational processes. That is where things could become problematic.”

Over your 11 years at Lydia, how have you seen the adoption and use of applications evolve?

I joined Lydia over 11 years ago, and I have held a wide range of roles: growth, marketing, customer support, fraud prevention… and now Head of IT. Even before I officially took on the IT function, I was always involved in technical matters like managing laptops, printers, and internet access.

Back then, things were very much in startup mode. Everyone brought their own Mac and access to tools was tracked in a simple Google Sheet. Each tool had a row, and we would just tick boxes to say who had access to what. When I formally took over IT in 2017, we realised that this system might no longer be good enough. That is when I started exploring identity and access management (IAM), even though it was not widely discussed at the time.

We realised how important it was to have a clear view of which tools we were using, who had access, when access was granted or revoked, and by whom. Today, we use hundreds of tools, and almost all of them are SaaS. Managing all of this manually was no longer sustainable. We needed traceability, automation, and real governance around our access systems.

I believe we were quite early in recognising this need, long before it became a mainstream concern in larger organizations.

What advice would you give to someone starting out in IT in 2025?

The best piece of advice I ever received came from my grandfather. He used to say, “You pay the musicians at the end of the dance.” That applies perfectly to IT. You need to take a step back and avoid falling into the “this-is-how-it’s-done” mindset, where people say things like, “You go with Cisco for networking” or “Jamf for Mac management” just because that is what everyone else does.

At Lydia, we never choose tools based on who else is using them. When a vendor comes in and starts showing me a slide full of logos from other companies they work with, I ask them to skip it. That is not a decision criterion for us. What matters is whether the tool actually fits our needs.

It is better to take the time to properly assess your use case and choose the tool that suits it, even if it is less well known, rather than defaulting to the market leader. A Ferrari looks great, but if you have a family of six and you are driving on unpaved roads, it will not help you. What you need is a reliable Volvo station wagon. The best tool is not necessarily the flashiest one, but the one that does what you actually need.

Sébastien has been with Lydia since 2013, working in different departments, and since 2023 as Head of IT, IAM and Cybersecurity.
