Lately, the common theme in emerging identity security technology is AI. It’s all anyone wants to talk about. All of us in the IAM business have been scurrying to find a way to tell our customers and the market that, yes! We have AI! We've had it all along!
If that were so obviously true, why isn’t it more broadly known?
As an identity security technologist, I’ve experienced the growing pains of AI in IAM.
I recently read an interesting essay by a science fiction author. It distilled one main insight about AI that is highly relevant for identity security: AI is best used for tasks that are easy, but time consuming, because it can do easy things very fast.
Our customers say the same thing about AI in IAM. They don’t need AI to solve hard problems that people with actual “human” intelligence are not capable of solving. They want AI to do the tedious grunt work to free up their critical IT staff to do the hard work.
If an AI product or solution has access to data, it can be relied upon to report on or summarize the content of that data reasonably accurately, provided you know what to look for and check what comes back. But knowing what to look for is exactly what AI can’t do nearly as well as humans, much less interpret the results or turn them into an actionable plan.
Solving limitations of AI in IAM
Your next question should be, “Does your product do that?”
The answer is, “yes, but…”
Identity Manager deals heavily with role-based access control (RBAC), which has been the hot topic for AI in IAM over the past year because it looks like the mythical “easy button.”
AI in IAM using RBAC
Of course, once you scratch the surface, it turns out that what AI can do for RBAC unassisted is not exactly what you want. If we dig deeper into the entire reason for RBAC to begin with, it might be summarized like this: automate access assignment, providing the minimum appropriate access for all users according to what they need to do their jobs, while maintaining security policies to create an environment of least privilege. This sounds like it might be very time consuming, so AI is a natural fit, right?
Maybe not.
While we are asking for this easy button for roles, we are also admitting that we have a visibility problem: users may currently hold oversubscribed or inappropriate access. The data the AI can see therefore has a potentially high error rate. Role mining that works purely from current assignments will derive RBAC policies from what is assigned today, without regard for whether any of it is appropriate. The result can be an automated replica of the very mess you started with: you have created risk, and you have also queued up a lot of work cleaning up the automatically created roles. That cleanup is work AI in IAM is not well suited to do.
Identity Manager: AI the way it’s meant to be
Identity Manager does use AI to assist in role management, but it does it by doing what AI does best. It analyzes the data and provides contextual information to people who are tasked with creating and maintaining roles. However, it leaves the judgment portion to the human beings who are responsible and accountable for their choices.
Identity Manager uses machine learning, a branch of AI, to perform peer group analysis: comparing a user’s access with that of similar users (for example, the same department, title and manager). That analysis drives recommendations not only for role management but also for which requestable items a user should be asking for, and, by the same logic, which existing assignments deserve a closer look during access reviews and attestations.
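As an added illustration of the two points above (naive role mining that replicates whatever is currently assigned, and peer group analysis that surfaces outliers for review), here is a small Python example. It is not Identity Manager’s code or algorithm; the users, entitlements, peer-group key (department, title, manager), thresholds and risk labels are all constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample identity data (hypothetical; not from Identity Manager).
# Each user: department, title, manager, and currently assigned entitlements.
USERS = {
    "u1": ("Sales", "Account Executive", "alice", {"Email", "CRM", "Domain Users"}),
    "u2": ("Sales", "Account Executive", "alice", {"Email", "CRM", "Domain Users", "Payroll-Approver"}),
    "u3": ("Sales", "Account Executive", "alice", {"Email", "CRM", "Domain Users", "Payroll-Approver"}),
    "u4": ("Sales", "Account Executive", "alice", {"Email", "CRM", "Domain Users", "Payroll-Approver"}),
    "u5": ("Sales", "Account Executive", "alice", {"Email", "CRM", "Domain Users", "Payroll-Approver", "Prod-DB-Admin"}),
    "u6": ("Finance", "Payroll Analyst", "bob", {"Email", "Domain Users", "Payroll-Approver"}),
    "u7": ("Finance", "Payroll Analyst", "bob", {"Email", "Domain Users", "Payroll-Approver"}),
}

# Hypothetical risk classification an IGA team would maintain for sensitive entitlements.
RISK = {"Payroll-Approver": "high", "Prod-DB-Admin": "high"}

# Birthright entitlements everyone holds; excluded so they do not dominate every group.
IGNORE = {"Domain Users"}


def peer_groups(users):
    """Group user ids by (department, title, manager)."""
    groups = defaultdict(list)
    for uid, (dept, title, mgr, _) in users.items():
        groups[(dept, title, mgr)].append(uid)
    return dict(groups)


def prevalence(users, members):
    """Fraction of the peer group holding each non-birthright entitlement."""
    counts = Counter()
    for uid in members:
        counts.update(users[uid][3] - IGNORE)
    return {ent: n / len(members) for ent, n in counts.items()}


def mine_roles(users, threshold=0.6):
    """Naive role mining: an entitlement held by >= threshold of a peer group
    becomes part of that group's proposed role. This only describes current
    assignments, so it bakes existing over-provisioning into the role."""
    roles = {}
    for key, members in peer_groups(users).items():
        prev = prevalence(users, members)
        roles[key] = {ent for ent, p in prev.items() if p >= threshold}
    return roles


def review_context(users, threshold=0.6):
    """What the human role owner should see before approving a mined role:
    each high-risk entitlement the role would grant, with its prevalence."""
    notes = {}
    for key, members in peer_groups(users).items():
        prev = prevalence(users, members)
        notes[key] = sorted(
            (ent, round(p, 2))
            for ent, p in prev.items() if p >= threshold and RISK.get(ent) == "high"
        )
    return notes


def outliers(users, max_prevalence=0.25):
    """Peer-group outlier analysis for access review: entitlements a user holds
    that few peers hold are candidates to send to the manager for attestation."""
    flagged = {}
    for key, members in peer_groups(users).items():
        prev = prevalence(users, members)
        for uid in members:
            rare = {e for e in users[uid][3] - IGNORE if prev[e] <= max_prevalence}
            if rare:
                flagged[uid] = rare
    return flagged


if __name__ == "__main__":
    for key, role in mine_roles(USERS).items():
        print(key, "->", sorted(role))
    print("needs human judgment:", review_context(USERS))
    print("review candidates:", outliers(USERS))
```

Run it and the Sales group’s proposed role includes Payroll-Approver, because four of five account executives already hold it; nothing in the data says whether that is appropriate, which is why review_context() hands the prevalence and the risk label to a person instead of approving the role. The same prevalence table, read per user, flags u5’s Prod-DB-Admin as a candidate for attestation.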
Understanding AI for best results
That was the “yes.” Here’s the “but.”
Your data may be hiding an entire category of useful information that can be utilized by AI in IAM – in this case using the latest hot AI tech: generative AI.
At our last Unite customer conference, some of our pre-sales architects showed an integration between Identity Manager and Azure OpenAI. Inside Identity Manager’s web portal, users can use natural language questions to pull data out of Identity Manager’s entire identity data catalog. The response is listed in the UI along with a query that can be used in Identity Manager to perform this same function later on, such as to create a role, policy or report.
In this example, the user held a conversation with the AI to build and refine the query. The demo showed the tabular results alongside the generated SQL, a query that would have been very difficult for a human to write by hand.
The AI is very good at doing laborious technical tasks like creating SQL queries, but it needs to be told what to look for, often in an iterative way. The user began this with one question and then refined it after each response, in this sequence:
- Show the top 10 users with the riskiest entitlements. Include Department.
- Combine users into peer groups defined by department, title and manager. Show total users in group, entitlements in each group, and how many users in the group have this entitlement.
- Exclude entitlement ‘Domain Users’ from calculations.
- TotalUsers should be a count of users in peer group without reference to entitlements.
- Number of users with entitlements cannot be higher than total users in group.
The AI responded with the following table and SQL query, which could be used to create a policy, report or attestation:
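The table and query from the demo are not reproduced on this page. As an added example (not the demo’s output and not Identity Manager’s schema), the following Python code builds a small constructed identity dataset in SQLite and runs a hand-written query that meets refinement steps 2 through 5 above: peer groups keyed on department, title and manager; TotalUsers counted without reference to entitlements; ‘Domain Users’ excluded; holders counted as distinct users so the count can never exceed TotalUsers. It also shows one precaution worth taking with any model-generated SQL: running it through an SQLite authorizer that permits SELECT only, so the query can read the catalog but never modify it. Table names, column names and sample data are assumptions made for the example.

```python
import sqlite3

# Constructed sample data (hypothetical; not Identity Manager's schema or catalog).
USERS = [
    ("u1", "Sales", "Account Executive", "alice"),
    ("u2", "Sales", "Account Executive", "alice"),
    ("u3", "Sales", "Account Executive", "alice"),
    ("u4", "Sales", "Account Executive", "alice"),
    ("u5", "Sales", "Account Executive", "alice"),
    ("u6", "Finance", "Payroll Analyst", "bob"),
    ("u7", "Finance", "Payroll Analyst", "bob"),
]
ASSIGNMENTS = {
    "u1": ["Email", "CRM", "Domain Users"],
    # u2 and u3 carry a duplicated Payroll-Approver row (e.g. assigned through two
    # provisioning paths). Counting rows instead of distinct users would report
    # 6 holders in a group of 5, which is exactly what refinement step 5 forbids.
    "u2": ["Email", "CRM", "Domain Users", "Payroll-Approver", "Payroll-Approver"],
    "u3": ["Email", "CRM", "Domain Users", "Payroll-Approver", "Payroll-Approver"],
    "u4": ["Email", "CRM", "Domain Users", "Payroll-Approver"],
    "u5": ["Email", "CRM", "Domain Users", "Payroll-Approver", "Prod-DB-Admin"],
    "u6": ["Email", "Domain Users", "Payroll-Approver"],
    "u7": ["Email", "Domain Users", "Payroll-Approver"],
}

# A query satisfying steps 2-5 of the refinement: peer groups by
# department/title/manager, TotalUsers counted independently of entitlements,
# 'Domain Users' excluded, holders counted as DISTINCT users.
PEER_GROUP_SQL = """
SELECT g.department, g.title, g.manager, g.TotalUsers,
       e.entitlement,
       COUNT(DISTINCT e.uid) AS UsersWithEntitlement
FROM (SELECT department, title, manager, COUNT(*) AS TotalUsers
      FROM users
      GROUP BY department, title, manager) AS g
JOIN users u
  ON u.department = g.department AND u.title = g.title AND u.manager = g.manager
JOIN entitlements e ON e.uid = u.uid
WHERE e.entitlement <> 'Domain Users'
GROUP BY g.department, g.title, g.manager, g.TotalUsers, e.entitlement
ORDER BY g.department, g.title, g.manager, UsersWithEntitlement DESC, e.entitlement
"""

# Only the authorizer actions a SELECT needs. INSERT/UPDATE/DELETE/DROP/ATTACH
# and the rest are denied, so model-generated SQL can read but never change the
# identity data. (Older Python builds may not export SQLITE_FUNCTION; 31 is its
# value in sqlite3.h.)
READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ,
                     getattr(sqlite3, "SQLITE_FUNCTION", 31)}


def read_only_authorizer(action, arg1, arg2, dbname, source):
    return sqlite3.SQLITE_OK if action in READ_ONLY_ACTIONS else sqlite3.SQLITE_DENY


def build_demo_db():
    """In-memory database loaded with the sample data, then locked to read-only."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE users (uid TEXT, department TEXT, title TEXT, manager TEXT)")
    conn.execute("CREATE TABLE entitlements (uid TEXT, entitlement TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    conn.executemany("INSERT INTO entitlements VALUES (?, ?)",
                     [(uid, ent) for uid, ents in ASSIGNMENTS.items() for ent in ents])
    conn.set_authorizer(read_only_authorizer)  # everything after this is read-only
    return conn


def run_generated_sql(conn, sql):
    """Execute (model-generated) SQL under the read-only authorizer."""
    return conn.execute(sql).fetchall()


def peer_group_entitlements(conn):
    return run_generated_sql(conn, PEER_GROUP_SQL)


def is_denied(conn, sql):
    """True if the authorizer refuses the statement (e.g. a DELETE)."""
    try:
        conn.execute(sql)
        return False
    except sqlite3.DatabaseError:
        return True


if __name__ == "__main__":
    db = build_demo_db()
    for row in peer_group_entitlements(db):
        print(row)
    print("DELETE denied:", is_denied(db, "DELETE FROM entitlements"))
```

In the output, every UsersWithEntitlement is at most its group’s TotalUsers even though the assignment table contains duplicate rows, and a DELETE submitted through the same path is refused before it runs. In a real integration the authorization boundary should additionally follow the asking user: the query should only be able to see identity data that user is entitled to see in the portal.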
This example utilizes Identity Manager’s web portal customization capability, integrating with a third-party AI tool to greatly enhance the utility and effectiveness of your IGA program. Imagine what other insights you could ask the AI to unlock or what hidden risks in your data you can have it uncover.
Conclusion
You don’t have to wait for our Identity Manager engineering team to build this capability for you. You can apply these innovations in the field today.
In this emerging world of AI-assisted everything, the sky is the limit to what you can do, provided you know how to use this revolutionary tool to the best of its abilities. Understanding its limitations can mitigate the risk to your organization and can prevent disastrous workflow inefficiencies.
AI is a potential force multiplier in your IGA and IAM programs, enabling you to focus on the human-centric processes that are less monotonous and more important to your business. Pairing AI with a strong solution like Identity Manager and having a thorough appreciation for what AI can and cannot do will uncomplicate the complicated, streamline the tedious and deliver a well-protected and perfectly optimized workforce.