
      Since the introduction of ChatGPT at the latest, it seems clear that artificial intelligence (AI) has become a marketable mass phenomenon, particularly in decision-making and anomaly detection, but also in documentation, where it helps to carry out these activities more efficiently and quickly.

      The integration of AI into Identity & Access Management (IAM) is a groundbreaking step for managing and securing digital identities and access rights. With the rapid development of GenAI and machine learning (ML), new opportunities are opening up to optimise IAM processes, close security gaps and improve the user experience. GenAI enables the development of intelligent IAM assistants and chatbots that support users in performing complex IAM-related tasks. These assistants can, for example, process requests for access rights, provide self-service functions or accelerate onboarding processes.

      We provide an overview of how AI can be successfully integrated into IAM and show specific use cases.

      The advantages of OAuth 2.0 for AI-driven IAM processes

      Instead of developing your own solutions or relying on insecure methods such as API keys, proven standards such as OAuth 2.0 should be used. This offers several advantages, including increased security through robust mechanisms for authentication and authorisation, easier integration of different applications and systems, and flexible support for different use cases.

      Through OAuth 2.0, AI applications can be authorised to perform actions based on the user's permissions without revealing the actual credentials. This enables personalised services and delegated authorisation, which increases security. The AI application respects the limits of the authorisations of the users who are using the application at that moment. This also ensures that the AI application does not expose any information that users would not have access to on their own.
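The delegation model described above, as an added illustration that is not code from the article or from KPMG: an AI assistant calls an IAM API with a bearer token issued on the user's behalf, and the resource server enforces the token's scope, so the assistant can never do more than the user could. The token format is a simplified HMAC-signed stand-in for a JWT, and the users, scopes, operations and signing key are constructed for the example.

```python
"""Added example (not the article's code): delegated authorisation for an AI
assistant in the OAuth 2.0 style. Simplified HMAC-signed token instead of a
real JWT/JWKS setup; users, scopes and endpoints are constructed."""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-key"   # constructed; a real AS keeps this server-side

# Constructed permission model: what each user may do on their own.
USER_PERMISSIONS = {
    "alice": {"entitlements:read", "entitlements:request"},
    "bob": {"entitlements:read"},
}

# Which scope each protected operation needs (constructed).
REQUIRED_SCOPE = {
    "GET /entitlements": "entitlements:read",
    "POST /requests": "entitlements:request",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, requested_scopes: set, ttl: int = 300, now=None) -> str:
    """Authorisation server: grants the AI client only scopes the user actually
    holds. The user's credentials never reach the client; it gets a token."""
    now = time.time() if now is None else now
    granted = requested_scopes & USER_PERMISSIONS.get(subject, set())
    payload = {"sub": subject, "scope": " ".join(sorted(granted)),
               "exp": int(now + ttl), "azp": "iam-assistant"}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now=None) -> dict:
    """Resource server side: check signature and expiry before trusting claims."""
    now = time.time() if now is None else now
    body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        raise PermissionError("invalid_token")
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        raise PermissionError("invalid_token: expired")
    return claims


def resource_server(token: str, operation: str, now=None) -> dict:
    """Enforces scope per operation, mirroring RFC 6750's insufficient_scope error."""
    claims = verify_token(token, now)
    needed = REQUIRED_SCOPE[operation]
    if needed not in claims["scope"].split():
        raise PermissionError(f"insufficient_scope: {needed}")
    return {"ok": True, "acting_for": claims["sub"], "operation": operation}


def assistant_act(token: str, operation: str, now=None) -> dict:
    """The AI assistant only ever presents the delegated token; an operation the
    user could not perform themselves is refused by the API, not by the model."""
    try:
        return resource_server(token, operation, now)
    except PermissionError as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    tok = issue_token("bob", {"entitlements:read", "entitlements:request"})
    print(assistant_act(tok, "GET /entitlements"))   # allowed: bob may read
    print(assistant_act(tok, "POST /requests"))      # refused: bob cannot request
```

The point of the example is the last line of `assistant_act`: the limit on what the assistant can do is enforced by the resource server from the token's scope, not by prompt instructions, so a model that is talked into "just submitting the request anyway" still fails at the API.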


      AI can help decision-makers in IAM processes to make well-founded decisions by placing applications in the relevant context. When applying for or recertifying authorisations, for example, it can be displayed whether the requested authorisation or the authorisation to be confirmed should only be granted to one person or whether it has already been granted to several employees with similar characteristics (e.g. a location, a job title, a joint project being worked on). Historical data can also be included here - if an authorisation has already been confirmed several times without any significant changes having taken place, it is more likely that it is still correct. Conversely, if a requested authorisation was previously rejected, the request should be checked more closely. Similarly, authorisations should be examined more closely during recertification if the employee's characteristics have changed (e.g. following a change of organisation or duties).

      Classification based on AI pattern recognition enables approvers to make well-founded decisions more efficiently and justify them better. This can be used for all authorisation decisions. This primarily relates to managers who initially approve authorisations for their employees.
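The context signals described in the two preceding paragraphs (peer coverage, repeated confirmations, a previous rejection, changed employee characteristics), worked through as an added example that is not the article's or KPMG's code. The employees, entitlements, decision history and the scoring weights are all constructed assumptions; a real system would feed such features into a trained classifier rather than fixed weights.

```python
"""Added example (not from the article): context signals for an approver
reviewing an authorisation during recertification. All data and weights
are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Employee:
    uid: str
    location: str
    job_title: str
    project: str
    entitlements: set


@dataclass
class Decision:
    """A past approval or recertification decision for (uid, entitlement)."""
    uid: str
    entitlement: str
    outcome: str      # "confirmed" | "rejected"
    snapshot: tuple   # (location, job_title, project) at decision time


# Constructed sample population and history.
POPULATION = [
    Employee("alice", "Berlin", "Analyst", "ProjX", {"SAP:FI_DISPLAY", "SAP:FI_POST"}),
    Employee("bob",   "Berlin", "Analyst", "ProjX", {"SAP:FI_DISPLAY"}),
    Employee("carol", "Berlin", "Analyst", "ProjY", {"SAP:FI_DISPLAY"}),
    Employee("dave",  "Munich", "Admin",   "ProjZ", {"SAP:BASIS_ADMIN"}),
    Employee("eve",   "Munich", "Admin",   "ProjZ", {"SAP:FI_DISPLAY"}),
]
HISTORY = [
    Decision("alice", "SAP:FI_DISPLAY", "confirmed", ("Berlin", "Analyst", "ProjX")),
    Decision("alice", "SAP:FI_DISPLAY", "confirmed", ("Berlin", "Analyst", "ProjX")),
    Decision("alice", "SAP:FI_POST",    "rejected",  ("Berlin", "Analyst", "ProjX")),
    Decision("alice", "SAP:FI_POST",    "confirmed", ("Berlin", "Analyst", "ProjX")),
    # eve was recertified while still an analyst in Berlin, then changed role
    Decision("eve",   "SAP:FI_DISPLAY", "confirmed", ("Berlin", "Analyst", "ProjX")),
    Decision("eve",   "SAP:FI_DISPLAY", "confirmed", ("Berlin", "Analyst", "ProjX")),
]


def peer_coverage(subject, entitlement, population):
    """Share of employees sharing a location, job title or project who hold it."""
    peers = [e for e in population if e.uid != subject.uid and (
        e.location == subject.location or e.job_title == subject.job_title
        or e.project == subject.project)]
    if not peers:
        return 0.0, 0
    holders = sum(1 for e in peers if entitlement in e.entitlements)
    return holders / len(peers), len(peers)


def classify_recert(subject, entitlement, population=POPULATION, history=HISTORY):
    """Positive score = look more closely; negative = likely still appropriate."""
    reasons, score = [], 0
    cov, n = peer_coverage(subject, entitlement, population)
    if n and cov >= 0.5:
        score -= 2
        reasons.append(f"held by {cov:.0%} of {n} similar employees")
    elif cov == 0:
        score += 2
        reasons.append("no similar employee holds this authorisation")
    past = [d for d in history if d.uid == subject.uid and d.entitlement == entitlement]
    current = (subject.location, subject.job_title, subject.project)
    confirmations = [d for d in past if d.outcome == "confirmed" and d.snapshot == current]
    if len(confirmations) >= 2:
        score -= 1
        reasons.append(f"confirmed {len(confirmations)} times without changes")
    if any(d.outcome == "rejected" for d in past):
        score += 3
        reasons.append("previously rejected")
    if past and past[-1].snapshot != current:
        score += 2
        reasons.append("characteristics changed since last decision")
    label = "review closely" if score > 0 else "likely still appropriate"
    return {"label": label, "score": score, "reasons": reasons}


def by_uid(uid, population=POPULATION):
    return next(e for e in population if e.uid == uid)


if __name__ == "__main__":
    for uid, ent in [("alice", "SAP:FI_DISPLAY"), ("alice", "SAP:FI_POST"), ("eve", "SAP:FI_DISPLAY")]:
        print(uid, ent, classify_recert(by_uid(uid), ent))
```

The `reasons` list is what makes the output usable by an approver: the classification alone would be a black box, whereas "previously rejected" or "characteristics changed since last decision" is something the manager can verify and cite in their justification.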

      In the context of zero trust implementations, a decision must be made for access requests as to whether full access is granted, partial authorisation is granted (e.g. read-only instead of write) or re-authentication is required. This decision metric can be controlled via AI. For example, if anomalies are recognised that indicate a threat, a request for multi-factor authentication can be made for the next access request. This is also a useful option for access management solutions (such as Okta or Ping Identity), which can be controlled by AI.
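The decision logic sketched above (full access, partial access such as read-only, or a step-up to multi-factor authentication, with an anomaly flag carried over to the user's next request), as an added example that is not the article's or any vendor's code. The anomaly score stands in for the output of a detection model; the thresholds, the signal names and the resource are assumptions. A product such as Okta or Ping Identity would be the enforcement point that consumes such a decision; the example does not use either product's API.

```python
"""Added example (not from the article): a small policy decision function for
adaptive, zero-trust style access. Thresholds and signals are constructed;
the anomaly score is assumed to come from a separate detection model."""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    resource: str
    wants_write: bool
    anomaly_score: float   # 0.0 (normal) .. 1.0 (highly anomalous), model output
    mfa_verified: bool     # MFA already completed in this session
    new_device: bool       # device not previously seen for this user


def decide_access(req: AccessRequest, flagged_users: set,
                  high: float = 0.8, medium: float = 0.5) -> dict:
    """Returns allow / allow_read_only / step_up_mfa / deny with the rule that fired.

    flagged_users is shared state: a high-anomaly event marks the user so that
    the *next* request also requires MFA, as the article describes."""
    if req.anomaly_score >= high:
        flagged_users.add(req.user)
        if req.mfa_verified:
            # MFA already passed yet behaviour is far off baseline: stop here
            return {"decision": "deny", "reason": "high anomaly score even with MFA"}
        return {"decision": "step_up_mfa", "reason": "high anomaly score"}
    if req.user in flagged_users and not req.mfa_verified:
        return {"decision": "step_up_mfa", "reason": "earlier anomaly flagged this user"}
    if req.new_device and not req.mfa_verified:
        return {"decision": "step_up_mfa", "reason": "unknown device"}
    if req.anomaly_score >= medium and req.wants_write and not req.mfa_verified:
        # partial authorisation: the session continues, but only for reading
        return {"decision": "allow_read_only", "reason": "moderate anomaly; write needs MFA"}
    if req.user in flagged_users and req.mfa_verified:
        flagged_users.discard(req.user)    # flag cleared once MFA has been presented
    return {"decision": "allow", "reason": "within normal behaviour"}


if __name__ == "__main__":
    flagged = set()
    sequence = [
        AccessRequest("alice", "hr-db", False, 0.9, False, False),  # anomaly -> MFA
        AccessRequest("alice", "hr-db", False, 0.2, False, False),  # next request still MFA
        AccessRequest("alice", "hr-db", False, 0.2, True, False),   # MFA done -> allow
        AccessRequest("bob", "hr-db", True, 0.6, False, False),     # write downgraded
    ]
    for r in sequence:
        print(r.user, decide_access(r, flagged))
```

Ordering matters in a rule set like this: the high-anomaly rule runs first so that a flagged user cannot "launder" a suspicious session simply by switching to a read-only request, and the flag is cleared only after a successful MFA, not after a quiet request.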

      A recurring process in the IT landscape is the introduction of new applications, which are usually connected directly to the IAM system used. Various data about the application is required for such a connection. This includes, for example, how authorisations are assigned - whether there are different levels, such as profiles, composite profiles, roles and composite roles in SAP. It is also relevant to know which authorisations and user accounts already exist, how they can be created, changed and deleted and which are available by default. The need for emergency users also plays a role.

      Much of this information is already available, for example in the manufacturer's manuals or in completed technical concepts. Using these documents, the connector definitions and IAM initial fillings required for application onboarding can be prepared and then only need to be cross-checked and supplemented if necessary.

      New employees or employees whose area of responsibility changes are often faced with the question of which specific authorisations they need and should apply for. If corresponding organisational or divisional authorisation concepts exist, employees or their managers can use these. They can be used to compare the actual authorisations already assigned with the target authorisations recorded in the concept. Based on the criteria stored in the concept, it is possible to determine which authorisations are also useful. As a rule, the criteria are based on the functions and activities of the employees. These can be evaluated with AI support via the employee's job description, for example, so that an individual initial authorisation recommendation can be made.
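The target-versus-actual comparison described in the paragraph above, as an added example that is not the article's or KPMG's code: an authorisation concept is modelled as criteria-to-entitlement rules, the employee's function is derived from their job description (here a keyword lookup standing in for an AI classifier, labelled as such), and the result is a list of authorisations to request and a list to review for removal. Departments, functions, entitlement names and rules are all constructed.

```python
"""Added example (not from the article): comparing an employee's actual
authorisations with the target set from an authorisation concept. The
concept rules, attributes and entitlement names are constructed, and
infer_function() is a keyword stand-in for an AI text classifier."""

# Constructed authorisation concept: if all criteria match, the entitlements are target.
CONCEPT_RULES = [
    ({"department": "Finance"},                            {"SAP:FI_DISPLAY"}),
    ({"department": "Finance", "function": "Accountant"},  {"SAP:FI_POST"}),
    ({"department": "Finance", "function": "Controller"},  {"SAP:CO_REPORT"}),
    ({"project": "ProjX"},                                 {"JIRA:PROJX"}),
]

# Stand-in for an AI model classifying the job description (constructed keywords).
FUNCTION_KEYWORDS = {
    "Accountant": ("posting", "invoices", "ledger"),
    "Controller": ("budget", "variance", "forecast"),
}


def infer_function(job_description: str):
    """Placeholder for the AI step: pick the function whose keywords match most."""
    text = job_description.lower()
    scores = {f: sum(k in text for k in kws) for f, kws in FUNCTION_KEYWORDS.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else None


def target_entitlements(attrs: dict, rules=CONCEPT_RULES) -> set:
    """Union of entitlements from every rule whose criteria the employee satisfies."""
    target = set()
    for criteria, ents in rules:
        if all(attrs.get(k) == v for k, v in criteria.items()):
            target |= ents
    return target


def reconcile(attrs: dict, actual: set, job_description: str = "", rules=CONCEPT_RULES) -> dict:
    """Initial recommendation: what to request, and what no longer fits the concept."""
    attrs = dict(attrs)
    if "function" not in attrs and job_description:
        inferred = infer_function(job_description)
        if inferred:
            attrs["function"] = inferred
    target = target_entitlements(attrs, rules)
    return {
        "derived_function": attrs.get("function"),
        "recommend_request": sorted(target - actual),
        "review_for_removal": sorted(actual - target),
        "matches_concept": sorted(actual & target),
    }


if __name__ == "__main__":
    result = reconcile(
        {"department": "Finance", "project": "ProjX"},
        {"SAP:FI_DISPLAY", "SAP:CO_REPORT"},
        job_description="Responsible for posting supplier invoices and month-end ledger close",
    )
    print(result)
```

The "review for removal" list is as important as the request list: an employee who changed role keeps entitlements from the old concept until someone notices, and the comparison surfaces exactly those.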

      AI can also play a central role when applying for authorisations. Many companies have a large number of authorisations that are often difficult to understand - whether due to unclear names or a lack of descriptions. Even if descriptions are available, they are not always comprehensible to everyone. This leads to employees inadvertently applying for inappropriate authorisations or not being able to apply for them themselves. Instead, the helpdesk often has to step in just to put the request into a comprehensible form.

      A chatbot can significantly simplify this process. Employees can describe to it which authorisations they need and receive suitable suggestions. If the selection is too large, the AI asks specific questions to narrow down the search. Once the right authorisation has been found, the chatbot can submit the request directly on behalf of the employee.

      In many cases, authorisation descriptions are not appropriate for the target group. They contain abbreviations, are too generic or too cryptic. Particularly in the case of business roles (bundling authorisations for often several applications), it is difficult to create a comprehensible description that correctly reflects the content. And once it has been created, it is often not updated even when the role content is adjusted. This use case can be covered by a GenAI, which can be given appropriate specifications regarding length, level of detail, style, etc. in order to obtain consistent and useful authorisation descriptions, especially for business roles.

      Conclusion

      The integration of AI into Identity & Access Management (IAM) brings numerous benefits - from support with authorisation requests to detecting and responding to anomalies and more efficient documentation. Some of these use cases are already integrated into standard software, while others need to be customised to a company's specific requirements and implemented individually.

      Through the targeted use of GenAI and other AI technologies, complex IAM processes can be simplified, risks proactively managed and future challenges better mastered. At the same time, it is important to keep an eye on the limits and potential risks. With a well-thought-out strategy, companies can utilise the full potential of AI in IAM - for greater efficiency, security and compliance. AI has the potential to not only optimise IAM, but to fundamentally transform it.



      Your contact

      Dr. Michael Falk

      Partner, Consulting, Cyber Security

      KPMG AG Wirtschaftsprüfungsgesellschaft