
At the latest since the release of ChatGPT, it has been clear that artificial intelligence (AI) has become a marketable mass phenomenon. In IAM this applies above all to decision-making and anomaly detection, but also to documentation, where AI is used to carry out these activities faster and more efficiently.

The integration of AI into Identity & Access Management (IAM) is a significant step for managing and securing digital identities and access rights. With the rapid development of generative AI (GenAI) and machine learning (ML), new opportunities are opening up to optimize IAM processes, close security gaps and improve the user experience. GenAI enables the development of intelligent IAM assistants and chatbots that support users in performing complex IAM-related tasks. These assistants can, for example, process requests for access rights, provide self-service functions or accelerate onboarding processes.

We provide an overview of how AI can be successfully integrated into IAM and show specific use cases.

The advantages of OAuth 2.0 for AI-driven IAM processes

Instead of developing your own solutions or relying on weaker mechanisms such as static API keys, which are typically long-lived, not bound to a user and not scoped, proven standards such as OAuth 2.0 (for authorization) and OpenID Connect (for authentication on top of it) should be used. This offers several advantages: increased security through short-lived, scoped tokens and a standardized consent flow, easier integration of different applications and systems, and flexible support for different use cases.

Through OAuth 2.0, an AI application can be authorized to act on behalf of a user, within that user's permissions, without ever seeing the user's credentials: the user authenticates at the authorization server and consents, and the AI application receives an access token that carries the user's identity and the granted scopes. This enables personalized services and delegated authorization. The AI application then operates within the limits of the authorizations of the user who is using it at that moment, and the backend systems it calls see that user, not a privileged service identity. This also ensures that the AI application cannot expose information that the user would not have access to on their own. Two conditions are essential for this: the AI application must call backend APIs with the user's token rather than with a broadly privileged account of its own, and the backend must enforce the user's permissions itself rather than trusting the AI application to filter. Otherwise the assistant becomes a confused deputy that can be talked into retrieving data on someone else's behalf.
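As an added example (not code from the original page), the following Python sketch shows the delegation mechanism described above: an authorization server mints a short-lived, scoped token for the user, an AI assistant calls a resource API with that token, and the API enforces the user's own permissions. The HS256-style shared secret, the `hr-records-api` audience, the record data and the `records:read` / `records:write` scopes are constructed for illustration; a real deployment would use a standard library such as PyJWT and asymmetric keys rather than this hand-rolled token format.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by the authorization server (AS) and the
# resource server (RS), i.e. an HS256-style setup. A production AS signs with a
# private key and publishes the public key (JWKS) for resource servers to use.
SIGNING_KEY = b"demo-only-shared-secret"
AUDIENCE = "hr-records-api"  # hypothetical API the assistant calls


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(subject, scopes, ttl=600, now=None):
    """AS side: mint a short-lived token after the user has authenticated and
    consented. The AI assistant only ever holds this token, never a password."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({
        "sub": subject, "aud": AUDIENCE, "scope": " ".join(scopes),
        "iat": now, "exp": now + ttl,
    }).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"


class AccessDenied(Exception):
    pass


def verify_access_token(token, now=None):
    """RS side: signature, audience and expiry are checked before any claim is used."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AccessDenied("malformed token")
    header, claims, sig = parts
    expected = hmac.new(SIGNING_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise AccessDenied("invalid signature")
    payload = json.loads(_b64url_decode(claims))
    now = int(time.time()) if now is None else now
    if payload.get("aud") != AUDIENCE:
        raise AccessDenied("token was not issued for this API")
    if now >= payload.get("exp", 0):
        raise AccessDenied("token expired")
    return payload


# Constructed sample data: the RS's own authorization model. The assistant has no
# service account of its own; it inherits exactly what the delegating user may see.
RECORDS = {
    "alice": {"salary_band": "B3", "manager": "carol"},
    "bob": {"salary_band": "B2", "manager": "carol"},
}
MANAGES = {"carol": {"alice", "bob"}}


def _authorize(claims, scope, employee):
    """Two independent checks: the token's granted scope and the subject's own rights."""
    if scope not in claims.get("scope", "").split():
        raise AccessDenied(f"scope {scope} not granted")
    caller = claims["sub"]
    if employee != caller and employee not in MANAGES.get(caller, set()):
        raise AccessDenied(f"{caller} may not access {employee}'s record")


def read_record(token, employee, now=None):
    _authorize(verify_access_token(token, now), "records:read", employee)
    return dict(RECORDS[employee])


def update_record(token, employee, field, value, now=None):
    _authorize(verify_access_token(token, now), "records:write", employee)
    RECORDS[employee][field] = value
    return dict(RECORDS[employee])


def assistant_act(token, action, employee, now=None, **fields):
    """What the chatbot reports back: the data, or a refusal. Because it calls the
    API with the user's token, it cannot disclose more than the user could see."""
    try:
        if action == "read":
            record = read_record(token, employee, now)
        elif action == "update":
            record = update_record(token, employee, now=now, **fields)
        else:
            return "denied: unknown action"
    except AccessDenied as exc:
        return f"denied: {exc}"
    return f"{employee}: band {record['salary_band']}, manager {record['manager']}"


if __name__ == "__main__":
    alice = issue_access_token("alice", ["records:read"])
    print(assistant_act(alice, "read", "alice"), "|", assistant_act(alice, "read", "bob"))
```

Note that `_authorize` never consults who the assistant is: the scope check limits what the token may do, and the subject check limits whose data it may touch, so a prompt that persuades the assistant to "look up Bob's salary" for Alice still fails at the API.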

AI can help decision-makers in IAM processes to make well-founded decisions by placing requests in context. When an authorization is requested or recertified, for example, it can be shown whether the requested or to-be-confirmed authorization would be granted to only one person or whether it is already held by several employees with similar characteristics (e.g. the same location, job title or a joint project). Historical data can also be included: if an authorization has already been confirmed several times without significant changes in between, it is more likely that it is still correct. Conversely, if a requested authorization was previously rejected, the request should be checked more closely. Likewise, authorizations should be examined more closely during recertification if the employee's characteristics have changed (e.g. following a change of organization or role).

Classification based on AI pattern recognition enables approvers to make decisions more efficiently, on a better-founded basis, and to justify them better. This can be used for all approval decisions, but primarily concerns managers who give the initial approval for their employees' authorizations.
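The following Python sketch is an added example, not code from the original page, of the contextual signals just described: peer prevalence among employees with similar attributes, earlier rejections, repeated confirmations, and attribute changes since the last confirmation. The workforce, entitlement names, approval history and the weights in `assess()` are constructed for illustration; in practice a model trained on past decisions would supply the weights, but the signals it consumes and the way the result is presented to the approver would be the same.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    id: str
    location: str
    title: str
    projects: frozenset
    entitlements: frozenset


@dataclass(frozen=True)
class Decision:
    employee: str
    entitlement: str
    outcome: str    # "approved" or "rejected"
    title: str      # employee attributes at the time of the decision
    location: str


# Constructed sample data: a small workforce and its approval history.
EMPLOYEES = [
    Employee("e1", "Berlin", "Accountant", frozenset({"P-100"}), frozenset({"SAP_FI_DISPLAY"})),
    Employee("e2", "Berlin", "Accountant", frozenset({"P-100"}), frozenset({"SAP_FI_DISPLAY", "SAP_FI_POST"})),
    Employee("e3", "Berlin", "Accountant", frozenset({"P-200"}), frozenset({"SAP_FI_DISPLAY"})),
    Employee("e4", "Hamburg", "Developer", frozenset({"P-300"}), frozenset({"GIT_ADMIN"})),
    Employee("e5", "Berlin", "Accountant", frozenset(), frozenset({"SAP_FI_DISPLAY"})),
]
EMPLOYEES_BY_ID = {e.id: e for e in EMPLOYEES}
HISTORY = [
    Decision("e5", "SAP_FI_POST", "rejected", "Accountant", "Berlin"),
    Decision("e4", "GIT_ADMIN", "approved", "Developer", "Munich"),
    Decision("e4", "GIT_ADMIN", "approved", "Developer", "Munich"),
    Decision("e2", "SAP_FI_POST", "approved", "Accountant", "Berlin"),
    Decision("e2", "SAP_FI_POST", "approved", "Accountant", "Berlin"),
]


def peers_of(emp, employees, min_shared=2):
    """Colleagues sharing at least `min_shared` of: location, job title, a project."""
    peers = []
    for other in employees:
        if other.id == emp.id:
            continue
        shared = ((other.location == emp.location) + (other.title == emp.title)
                  + bool(other.projects & emp.projects))
        if shared >= min_shared:
            peers.append(other)
    return peers


def assess(emp, entitlement, employees, history, recertification=False):
    """Contextual signals plus a recommendation for the approver.
    Weights are hand-written here (hypothetical); a trained model would supply them."""
    signals, risk = [], 0.5
    peers = peers_of(emp, employees)
    holders = [p for p in peers if entitlement in p.entitlements]
    if peers:
        signals.append(f"{len(holders)}/{len(peers)} comparable colleagues hold this entitlement")
        risk -= 0.3 * len(holders) / len(peers)
    else:
        signals.append("no comparable colleagues found")
        risk += 0.1

    own = [d for d in history if d.employee == emp.id and d.entitlement == entitlement]
    rejections = [d for d in own if d.outcome == "rejected"]
    approvals = [d for d in own if d.outcome == "approved"]
    if rejections:
        signals.append(f"previously rejected {len(rejections)}x")
        risk += 0.3
    if recertification and approvals:
        last = approvals[-1]
        if (last.title, last.location) == (emp.title, emp.location):
            signals.append(f"confirmed {len(approvals)}x with unchanged attributes")
            risk -= 0.1 * min(len(approvals), 3)
        else:
            signals.append("attributes changed since last confirmation: "
                           f"{last.title}/{last.location} -> {emp.title}/{emp.location}")
            risk += 0.3

    risk = max(0.0, min(1.0, risk))
    recommendation = "review closely" if risk >= 0.5 else "likely appropriate"
    return {"risk": round(risk, 2), "recommendation": recommendation, "signals": signals}


if __name__ == "__main__":
    for emp_id, ent, recert in [("e1", "SAP_FI_POST", False), ("e5", "SAP_FI_POST", False),
                                ("e4", "GIT_ADMIN", True), ("e2", "SAP_FI_POST", True)]:
        print(emp_id, ent, assess(EMPLOYEES_BY_ID[emp_id], ent, EMPLOYEES, HISTORY, recert))
```

The `signals` list is the part an approver actually needs: the score alone is not a justification, the sentences behind it are, and they are what ends up in the audit record of the decision.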

In zero trust implementations, a decision must be made for every access request as to whether full access is granted, reduced access is granted (e.g. read-only instead of write) or re-authentication is required. The inputs to this decision can be provided by AI. For example, if anomalies are detected that indicate a threat, multi-factor authentication can be demanded for the next access request (step-up authentication). This is also a useful option for access management solutions (such as Okta or Ping Identity), whose policies can consume such AI-generated risk signals. The decision itself should remain in the policy engine, with the AI output treated as one signal against defined thresholds, so that it stays explainable and auditable.
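As an added example (not from the original page, and not the behaviour of any named product), the following Python sketch separates the two halves described above: a simple anomaly score computed from a constructed sign-in history, and a policy decision that maps the score and the requested action to full access, read-only access or a step-up to multi-factor authentication. The feature weights, the 0.3 / 0.6 thresholds and the five-minute MFA freshness window are assumptions chosen for illustration; a trained detector would replace `anomaly_score()` but would be consumed by `decide()` in the same way.

```python
from collections import defaultdict

# Constructed sign-in history: (user, hour of day, country, device id).
SIGNIN_HISTORY = [
    ("alice", 9, "DE", "laptop-a1"), ("alice", 10, "DE", "laptop-a1"),
    ("alice", 14, "DE", "laptop-a1"), ("alice", 17, "DE", "phone-a2"),
    ("bob", 8, "DE", "laptop-b1"), ("bob", 13, "AT", "laptop-b1"),
    ("bob", 16, "DE", "laptop-b1"),
]


def build_baseline(events):
    """Per-user profile of the hours, countries and devices seen so far."""
    baseline = defaultdict(lambda: {"hours": set(), "countries": set(), "devices": set()})
    for user, hour, country, device in events:
        baseline[user]["hours"].add(hour)
        baseline[user]["countries"].add(country)
        baseline[user]["devices"].add(device)
    return dict(baseline)


def anomaly_score(baseline, user, hour, country, device):
    """Additive scoring over a few features (hypothetical weights). Returns the
    score in [0, 1] and the human-readable reasons behind it."""
    profile = baseline.get(user)
    if profile is None:
        return 1.0, ["no sign-in history for user"]
    score, reasons = 0.0, []
    if country not in profile["countries"]:
        score += 0.6
        reasons.append(f"first sign-in from {country}")
    if device not in profile["devices"]:
        score += 0.3
        reasons.append(f"unknown device {device}")
    if all(abs(hour - seen) > 2 for seen in profile["hours"]):
        score += 0.3
        reasons.append(f"unusual hour {hour:02d}:00")
    return min(score, 1.0), reasons


def decide(baseline, user, hour, country, device, action, mfa_age_s=None):
    """Policy decision point. The model output is one input; the thresholds and
    the decision live here, so the outcome is explainable and auditable.
    action is "read" or "write"; mfa_age_s is seconds since the last MFA, if any."""
    score, reasons = anomaly_score(baseline, user, hour, country, device)
    mfa_fresh = mfa_age_s is not None and mfa_age_s <= 300
    if score >= 0.6 and not mfa_fresh:
        decision = "step_up_mfa"      # re-authenticate before anything is granted
    elif score >= 0.3 and action == "write":
        decision = "read_only"        # partial authorization instead of refusal
    else:
        decision = "allow"
    return {"decision": decision, "score": round(score, 2), "reasons": reasons}


BASELINE = build_baseline(SIGNIN_HISTORY)

if __name__ == "__main__":
    print(decide(BASELINE, "alice", 10, "US", "laptop-a1", "write"))
    print(decide(BASELINE, "alice", 10, "US", "laptop-a1", "write", mfa_age_s=60))
```

After a fresh MFA the strongly anomalous session is still only downgraded to read-only for writes rather than fully restored, which avoids an endless step-up loop while keeping the blast radius small.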

A recurring process in the IT landscape is the introduction of new applications, which are usually connected directly to the IAM system in use. Various data about the application is required for such a connection. This includes, for example, how authorizations are assigned and whether there are different levels, such as profiles, composite profiles, roles and composite roles in SAP. It is also relevant which authorizations and user accounts already exist, how these can be created, changed and deleted, and which are available by default. Whether emergency users (e.g. firefighter accounts in SAP) are required also plays a role.

Much of this information is already available, for example in the manufacturer's manuals or in completed technical concepts. GenAI can extract it from these documents so that the connector definitions and the initial data loads required for onboarding the application to the IAM system are pre-filled and then only need to be cross-checked and supplemented where necessary. The cross-check should not be skipped: an account or entitlement extracted incorrectly from a manual becomes a wrong connector mapping in production.

New employees, or employees whose area of responsibility changes, often face the question of which specific authorizations they need and should apply for. If organizational or departmental authorization concepts exist, employees or their managers can use them to compare the authorizations actually assigned with the target authorizations recorded in the concept. Based on the criteria defined in the concept, it is possible to determine which further authorizations are appropriate. As a rule, the criteria are based on employees' functions and activities. With AI support, these can be evaluated from the employee's job description, for example, so that an individual initial authorization recommendation can be made.

AI can also play a central role in applying for authorizations. Many companies have a large number of authorizations that are often difficult to understand - whether due to unclear names or a lack of descriptions. Even if descriptions are available, they are not always comprehensible to everyone. This leads to employees inadvertently applying for inappropriate authorizations or not being able to apply for them themselves. Instead, the helpdesk often has to step in to put the request into a comprehensible form.

A chatbot can significantly simplify this process. Employees describe to it which authorizations they need and receive suitable suggestions. If the selection is too large, the AI asks specific questions to narrow down the search. Once the right authorization has been found, the chatbot can submit the request directly on behalf of the employee. The request should then be recorded in the employee's name and under the employee's delegated permissions, so that the normal approval workflow and audit trail apply unchanged.
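As an added example, not from the original page, the following Python sketch shows the narrowing logic of such a chatbot without any language model: it scores a hypothetical role catalog against the employee's free-text description and, when too many roles remain, asks about the attribute (application or access level) that splits the candidates most evenly. The catalog entries, role names, stop-word list and the threshold of two suggestions are constructed for illustration; a real assistant would swap the keyword overlap in `candidates()` for an embedding or LLM-based ranker and keep the same question-selection step.

```python
import re
from collections import Counter

# Constructed role catalog with hypothetical role names and descriptions.
CATALOG = [
    {"role": "SAP_FI_AP_DISPLAY", "app": "SAP", "level": "read",
     "desc": "Display supplier invoices and payment runs in accounts payable"},
    {"role": "SAP_FI_AP_POST", "app": "SAP", "level": "write",
     "desc": "Post and park supplier invoices in accounts payable"},
    {"role": "SAP_FI_AR_DISPLAY", "app": "SAP", "level": "read",
     "desc": "Display customer invoices and dunning in accounts receivable"},
    {"role": "COUPA_INVOICE_APPROVER", "app": "Coupa", "level": "write",
     "desc": "Approve supplier invoices and purchase orders"},
    {"role": "COUPA_INVOICE_VIEWER", "app": "Coupa", "level": "read",
     "desc": "View supplier invoices and purchase orders"},
    {"role": "JIRA_PROJECT_ADMIN", "app": "Jira", "level": "admin",
     "desc": "Administer Jira projects and workflows"},
]
STOPWORDS = {"i", "need", "to", "the", "a", "an", "and", "in", "for", "of", "my", "want", "access"}


def tokens(text):
    return {w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOPWORDS}


def candidates(query, catalog=CATALOG):
    """Keyword overlap between the request and each role description. Near-ties
    are kept on purpose: a broad request should yield several roles, not one guess."""
    q = tokens(query)
    scored = [(len(q & tokens(r["desc"])), r) for r in catalog]
    best = max((s for s, _ in scored), default=0)
    if best == 0:
        return []
    return [r for s, r in scored if s >= max(1, best - 1)]


def clarifying_question(cands, attributes=("app", "level")):
    """Pick the attribute whose values split the candidates most evenly, i.e. the
    one whose largest group is smallest; that question removes the most roles."""
    best = None
    for attr in attributes:
        counts = Counter(r[attr] for r in cands)
        if len(counts) < 2:
            continue
        largest = max(counts.values())
        if best is None or largest < best[1]:
            best = (attr, largest, sorted(counts))
    return None if best is None else {"attribute": best[0], "options": best[2]}


def chat_step(query, answers=None, max_suggestions=2):
    """One turn of the dialogue: apply the answers given so far, then either ask
    the next narrowing question or return the remaining suggestions."""
    cands = candidates(query)
    for attr, value in (answers or {}).items():
        cands = [r for r in cands if r[attr].lower() == value.lower()]
    if not cands:
        return {"type": "none"}
    if len(cands) > max_suggestions:
        question = clarifying_question(cands)
        if question:
            return {"type": "question", **question, "candidates": [r["role"] for r in cands]}
    return {"type": "suggestions", "roles": [r["role"] for r in cands]}


if __name__ == "__main__":
    query = "I need to see supplier invoices"
    print(chat_step(query))
    print(chat_step(query, {"app": "SAP"}))
    print(chat_step(query, {"app": "SAP", "level": "read"}))
```

The final step, submitting the chosen role, is deliberately left out of the sketch: it belongs to the request workflow and must run under the employee's own identity and delegated permissions, as discussed in the OAuth 2.0 section above.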

In many cases, authorization descriptions are not suited to their target group: they contain abbreviations, are too generic or too cryptic. Particularly for business roles (bundles of authorizations, often spanning several applications), it is difficult to write a comprehensible description that correctly reflects the content, and once written it is often not updated even when the role content changes. This use case can be covered by GenAI, which is given specifications for length, level of detail, style, etc. in order to produce consistent and useful authorization descriptions, especially for business roles. Generated descriptions should be reviewed by the role owner before publication and regenerated whenever the role content changes.

Conclusion

The integration of AI into Identity & Access Management (IAM) brings numerous benefits – from support with approval requests to detecting and responding to anomalies and more efficient documentation. Some of these use cases are already integrated into standard software, while others need to be adapted to a company's specific requirements and implemented individually.

Through the targeted use of GenAI and other AI technologies, complex IAM processes can be simplified, risks proactively managed and future challenges better overcome. At the same time, it is important to keep an eye on the limits and potential risks. With a well-thought-out strategy, companies can exploit the full potential of AI in IAM – for greater efficiency, security and compliance. AI has the potential to not only optimize IAM, but to fundamentally transform it.
