Head of Standards for , former Burton Group analyst and technology executive at Chase Manhattan Bank (now JPMorgan Chase).
In today’s complex enterprise environments, which span on-premises, multi-cloud and hybrid-cloud infrastructures, identity-based controls have become the security perimeter. That’s why now, more than ever, advances in identity and access management (IAM) are needed to keep pace with dynamic business processes.
One way to boost IAM’s capabilities is through generative artificial intelligence (GenAI). This can help automate and make access control and policy management more efficient and adaptive, though there are challenges and limitations to keep in mind as well.
Making User Provisioning More Efficient
One of the primary challenges facing many organizations is determining exactly which privileges new users (joiners) should have and then granting them efficiently. This challenge also applies when employees change positions in an organization (movers) and when they separate from the organization (leavers). While granting or revoking privileges can be handled manually or with workflows, the setup process can be tedious and time-consuming and, more importantly, prone to errors that could result in security risks.
In the case of joiners, AI can evaluate the privileges granted to other individuals in the same department as the new team member and, even more precisely, individuals who have the same role. In some organizations, the goal is that the new user should have the same permissions/settings as others in the group with the same role. Still, other organizations will take a different approach where access is granted only when it is requested or when the user has achieved certain milestones (like certification for a particular task).
AI systems can help analyze these different approaches, since the goal is to give new employees the access they need to be productive immediately. AI can also potentially speed up this workflow while complying with least privilege principles, avoiding both over- and under-provisioning.
The same process can be applied to movers with the additional step of removing permissions that are no longer relevant to the employee's new role. Meanwhile, for leavers (especially individuals who have been with an organization for several years), revoking access can be complicated since permissions tend to accumulate over time. This is another example of where AI can shine by hunting for those dormant permissions that may be lurking in the corners.
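The joiner, mover and leaver cases above can be expressed as three small analyses over an entitlement inventory and its usage records. The following is an added example written for this page, not code from the article or from any IAM product; the user inventory, the last-use records and the 80% peer threshold and 90-day idle window are constructed assumptions that a real deployment would tune:

```python
"""Peer-based provisioning suggestions and dormant-entitlement discovery.

Added example, not code from the article: the entitlement inventory, the
last-use records and the thresholds are constructed assumptions.
"""
from collections import Counter
from datetime import date

# Constructed inventory: user -> (department, role, entitlements held)
USERS = {
    "alice": ("finance", "analyst", {"erp-read", "reports-view", "vpn"}),
    "bob":   ("finance", "analyst", {"erp-read", "reports-view", "vpn", "erp-approve"}),
    "carol": ("finance", "analyst", {"erp-read", "reports-view", "vpn"}),
    "dave":  ("finance", "manager", {"erp-read", "erp-approve", "reports-view", "vpn", "payroll-admin"}),
    "erin":  ("engineering", "developer", {"git", "ci", "vpn"}),
}

# Constructed usage records: (user, entitlement) -> last use (ISO date); absent = never used
LAST_USED = {
    ("dave", "payroll-admin"): "2023-01-05",
    ("dave", "erp-approve"): "2024-05-01",
    ("dave", "erp-read"): "2024-05-02",
    ("dave", "vpn"): "2024-05-02",
}


def peer_baseline(department, role, threshold=0.8):
    """Entitlements held by at least `threshold` of the peers with the same
    department and role (the 'joiner' case).  Returns (suggested, outliers):
    the common set, and entitlements only a minority of peers hold, which a
    reviewer should justify rather than copy to the new user."""
    peers = [ents for d, r, ents in USERS.values() if d == department and r == role]
    if not peers:
        return set(), set()
    counts = Counter(e for ents in peers for e in ents)
    suggested = {e for e, n in counts.items() if n / len(peers) >= threshold}
    return suggested, set(counts) - suggested


def mover_plan(user, new_department, new_role):
    """For a role change: grant what the new peer group has and revoke what
    the user holds that the new peer group does not (the 'mover' case)."""
    _, _, current = USERS[user]
    target, _ = peer_baseline(new_department, new_role)
    return {"grant": target - current, "revoke": current - target}


def dormant_entitlements(user, as_of, max_idle_days=90):
    """Entitlements the user has not exercised within `max_idle_days` of
    `as_of` (ISO date), or never at all: the accumulated access the 'leaver'
    paragraph describes, and a review candidate for any long-tenured user."""
    _, _, ents = USERS[user]
    cutoff = date.fromisoformat(as_of)
    dormant = set()
    for e in ents:
        last = LAST_USED.get((user, e))
        if last is None or (cutoff - date.fromisoformat(last)).days > max_idle_days:
            dormant.add(e)
    return dormant


if __name__ == "__main__":
    print("joiner baseline (finance/analyst):", peer_baseline("finance", "analyst"))
    print("mover plan (erin -> finance/analyst):", mover_plan("erin", "finance", "analyst"))
    print("dormant for dave as of 2024-06-01:", dormant_entitlements("dave", "2024-06-01"))
```

The outliers returned by `peer_baseline` are the point of the exercise: copying a peer's full set is how over-provisioning spreads, so an entitlement only one analyst holds is surfaced for a human decision instead of being granted automatically.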
Automating Risk Analytics
Given the degree of mobility and the speed of change in modern business, decisions on whether or not to grant a user access to a given resource often need to be based on dynamic criteria. For example, companies might want to deny access if a device is in specific countries. A process known as continuous access evaluation (CAE) now exists that enables this continuous monitoring and decision-making.
CAE decisions often involve several variables, including physical location, IP address, time of day, the resource being accessed, the health of the user’s device and even behavior patterns. AI possesses the speed and processing capabilities to make CAE decisions that are not feasible via previous approaches.
In addition to real-time analytics, AI can help teams review past events. When something goes wrong, such as a breach, AI can help speed up forensic analysis and the search for the root cause of the incident. Even on a day-to-day basis, when no breach or other problem has occurred, AI helps security teams review logs and verify that what should have happened actually did happen, and quickly detect anomalies that merit investigation and potentially update access policies.
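The CAE decision described above combines several signals and, crucially, re-runs whenever one of them changes during a session rather than only at login. The following is an added example for this page, not code from the article or from any identity provider; the signal names, the policy rules, the placeholder country code and the IP ranges are constructed assumptions, and `risk_score` stands in for the output of a behaviour model that is not shown:

```python
"""Continuous access evaluation (CAE) over a set of dynamic signals.

Added example, not code from the article: signal names, rules, country code,
addresses and the session scenario are constructed; a real CAE feed from the
identity provider and device-management system would supply these events.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Signals:
    country: str            # where the device currently is
    ip: str                 # client address
    hour_utc: int           # time of day, 0-23
    resource: str           # what is being accessed
    device_compliant: bool  # health attestation from device management
    risk_score: float       # 0.0 normal .. 1.0 anomalous; assumed behaviour-model output


DENIED_COUNTRIES = {"XX"}                              # placeholder code, constructed
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed
SENSITIVE = {"payroll", "hr-records"}                  # constructed


def evaluate(sig):
    """Return (allow, reasons).  Every rule that fires is recorded so the
    decision can be audited and explained, not just enforced."""
    reasons = []
    if sig.country in DENIED_COUNTRIES:
        reasons.append("geo-blocked country")
    if not sig.device_compliant:
        reasons.append("device not compliant")
    if sig.risk_score >= 0.8:
        reasons.append("high behavioural risk")
    on_corp = any(ipaddress.ip_address(sig.ip) in net for net in CORPORATE_NETS)
    if sig.resource in SENSITIVE:
        if not on_corp:
            reasons.append("sensitive resource off corporate network")
        if not 7 <= sig.hour_utc < 20:
            reasons.append("sensitive resource outside business hours")
    return (not reasons, reasons)


class Session:
    """A long-lived session whose access is re-evaluated each time a signal
    changes: the 'continuous' part of CAE, as opposed to a one-off check at
    login followed by a token that stays valid until expiry."""

    def __init__(self, user, signals):
        self.user = user
        self.signals = signals
        self.active, self.reasons = evaluate(signals)
        self.history = [("start", self.active, list(self.reasons))]

    def update(self, **changes):
        """Apply changed signals and re-decide; returns the new allow state."""
        for name, value in changes.items():
            setattr(self.signals, name, value)
        self.active, self.reasons = evaluate(self.signals)
        self.history.append((",".join(sorted(changes)), self.active, list(self.reasons)))
        return self.active


if __name__ == "__main__":
    # Constructed scenario: compliant device on the corporate network at 10:00 UTC
    s = Session("alice", Signals("US", "10.1.2.3", 10, "payroll", True, 0.1))
    s.update(device_compliant=False)   # device drifts out of compliance mid-session
    s.update(device_compliant=True)    # remediated
    s.update(ip="203.0.113.5")         # moves off the corporate network
    for step, allowed, why in s.history:
        print(f"{step:>20}: {'allow' if allowed else 'revoke'} {why}")
```

Keeping `history` on the session gives the log the next paragraph relies on: after an incident, the sequence of signal changes and the reasons each decision fired is what lets a reviewer confirm that access was revoked when it should have been.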
Taming Multi-Cloud Identity
According to one , 87% of respondents reported having a multi-cloud strategy. This poses unique challenges for managing IAM since each cloud platform uses its own proprietary identity system. In addition to the scalability issue associated with managing identities and their access policies in two or more cloud platforms, multi-cloud also requires learning the technical details used by each cloud provider’s identity system.
AI can help automate the routine care and feeding of these duplicate cloud identity systems to maintain corporate IAM policies. An administration system powered by generative AI can “learn” how to manage multiple target systems by analyzing the available data on system configuration. It can also help enforce standard IAM configurations on each cloud platform, even though their identity systems use different formats and terminology. This capability would eliminate the need for an organization to train or hire security experts for each cloud platform they want to use.
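Enforcing one corporate IAM standard across identity systems that use different formats and terminology starts with translating each provider's grants into a common shape, then running provider-neutral rules over that shape. The following is an added example for this page, not code from the article or from any cloud provider's tooling; the two documents are constructed, simplified samples in the general shape of an AWS IAM policy and an Azure custom role definition (with a placeholder subscription id), and the two baseline rules are assumptions standing in for an organization's own:

```python
"""Normalising cloud IAM grants into one provider-neutral model and checking a
corporate baseline against it.

Added example, not code from the article: the two documents below are
constructed, simplified samples in the general shape of an AWS IAM policy and
an Azure custom role definition (placeholder subscription id), and the
baseline rules are assumptions a real programme would replace with its own.
"""
import json

# Constructed AWS-style identity policy (simplified; not a real account's policy)
AWS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::reports/*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}""")

# Constructed Azure-style custom role definition (simplified; placeholder scope)
AZURE_ROLE = json.loads("""{
  "properties": {
    "roleName": "ops-admin",
    "permissions": [{"actions": ["*"],
                     "notActions": ["Microsoft.Authorization/*/Delete"]}],
    "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]
  }
}""")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def normalise_aws(doc):
    """AWS statements -> grants of the shared shape
    {provider, effect, actions, exclusions, scope}."""
    grants = []
    for st in doc["Statement"]:
        for res in _as_list(st["Resource"]):
            grants.append({"provider": "aws", "effect": st["Effect"].lower(),
                           "actions": _as_list(st["Action"]), "exclusions": [],
                           "scope": res})
    return grants


def normalise_azure(doc):
    """Azure role permissions -> grants of the same shared shape; Azure's
    notActions become 'exclusions' so a reviewer sees them without having to
    learn the vendor term."""
    props = doc["properties"]
    grants = []
    for perm in props["permissions"]:
        for scope in props["assignableScopes"]:
            grants.append({"provider": "azure", "effect": "allow",
                           "actions": list(perm.get("actions", [])),
                           "exclusions": list(perm.get("notActions", [])),
                           "scope": scope})
    return grants


def baseline_findings(grants):
    """Provider-neutral corporate rules applied to the normalised grants.
    Returns (rule, provider, scope) tuples so each finding can be routed to
    the team that owns that platform."""
    findings = []
    for g in grants:
        if g["effect"] != "allow":
            continue
        if "*" in g["actions"]:
            findings.append(("wildcard-action", g["provider"], g["scope"]))
        if g["scope"] == "*":
            findings.append(("unscoped-grant", g["provider"], g["scope"]))
    return findings


if __name__ == "__main__":
    grants = normalise_aws(AWS_POLICY) + normalise_azure(AZURE_ROLE)
    for finding in baseline_findings(grants):
        print("finding:", finding)
```

The value of the intermediate shape is that the "no wildcard actions" rule is written once and catches the same condition in both documents, even though one spells it as `"Action": "*"` on a statement and the other as `"actions": ["*"]` inside a role's permissions block; adding a third provider means adding a normaliser, not rewriting the rules.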
The Limits Of AI
While AI offers tremendous promise for improving IAM, it is not without weaknesses. The first is simply that AI is unproven since we are still in the earliest days of adoption. It can also make mistakes if using a limited or insufficient data set. Even worse, AI systems are subject to what are termed “hallucinations.” Sometimes, these systems simply make things up.
Another significant issue with AI is intellectual property “leakage.” Any company’s IP that’s exposed to an AI system could potentially become available to competitors or others outside the owning enterprise’s domain. The dangers of such leakage have already become apparent in the music and publishing industries, and analogous problems exist with sensitive corporate IP.
Final Thoughts
Nevertheless, AI has enormous promise for reshaping IAM. It’s one of the few technologies that I believe actually lives up to the term “disruptive.” Since AI is immature and unproven, organizations should exercise caution by following these best practices when applying AI to IAM:
• Begin with isolated use cases or applications
• Test and verify outputs
• Deploy with human oversight using a co-pilot model
A successful rollout of AI for IAM requires finding a balance that harnesses AI’s power while maintaining awareness of its limitations.