TL;DR: As organisations add more applications, distributed teams and non-human identities, ConductorOne argues that manual reviews and static policies no longer scale, while industry analysts forecast AI identities will outnumber human users 25:1. The governance problem is not just volume, but whether identity programmes can keep up without collapsing into bottlenecks and inconsistent decisions.
At a glance
What this is: This is an analysis of how AI is being used to mature IGA, with the central finding that manual governance models no longer scale for human users, service accounts, and AI agents.
Why it matters: It matters because IAM teams now need governance patterns that can handle non-human identity growth and changing decision pace without weakening approval quality, auditability, or least privilege.
By the numbers:
- Industry analysts predict that AI identities will soon outnumber human users 25:1.
👉 Read ConductorOne's blog on using AI to mature IGA governance
Context
Identity governance was built for human-paced review cycles, predictable role changes, and approvals that can be inspected after the fact. As organisations add more applications, distributed teams, service accounts, and AI agents, those assumptions break down and the governance model starts to lag behind the actual identity population.
The post frames AI as the mechanism ConductorOne uses to scale governance work, but the real issue for IAM teams is broader: whether IGA can move from manual certification and static policy enforcement to contextual, policy-driven decisions across human and non-human identities. That is the programme challenge, not the product feature.
For teams building out NHI controls, the operational question is no longer whether governance should exist, but how it can be made fast enough and consistent enough to keep up with the identities already inside the estate. The Ultimate Guide to NHIs is a useful baseline for that broader lifecycle view.
Key questions
Q: How should security teams use AI in identity governance without losing control?
A: Use AI to accelerate review, enrich requests, and surface risk, but keep policy ownership and final accountability explicit. The AI should support governance decisions, not obscure them. Teams should define which actions are advisory, which are automated, and which require human approval so audit evidence remains clear and defensible.
Q: Why do manual access reviews stop working as identity estates grow?
A: Manual reviews depend on human time, consistent judgement, and stable queues. As identity populations expand across people, service accounts, and AI agents, the review model becomes a bottleneck and quality drops. The result is not just slower governance, but weaker decisions and less reliable certification outcomes.
Q: How can organisations tell whether contextual access decisions are improving governance?
A: Look for fewer routine exceptions, faster certification cycles, clearer audit trails, and reduced reviewer fatigue. If context is useful, it should improve consistency without increasing false confidence. If approvals get faster but entitlement quality stays poor, the programme has accelerated administration rather than governance.
Q: What is the difference between AI-assisted governance and full governance automation?
A: AI-assisted governance helps people make better decisions, while full automation lets the system decide or act without a human in the loop. The difference matters because accountability, escalation paths, and evidence requirements change once the machine moves from recommendation to execution. Teams should be precise about that boundary.
Technical breakdown
Why manual access reviews break at identity scale
Manual reviews depend on human attention, stable entitlement patterns, and enough time to inspect each request or certification entry. Once the identity population expands across employees, service accounts, and AI agents, the review queue becomes the bottleneck, and inconsistency becomes part of the control itself. IGA then shifts from governance to administrative triage. The technical issue is not simply volume. It is that review systems built around human throughput cannot preserve decision quality when the subject set grows faster than the reviewers.
Practical implication: move high-volume governance work toward policy-based triage and contextual enrichment so reviewers handle exceptions, not every routine decision.
How context changes access decision quality
Contextual governance uses surrounding signals such as requestor history, entitlement sensitivity, and environmental risk to make access decisions more defensible. In the article, the vendor describes enriching requests with details about the requestor, entitlement, and risk, plus signals from connected systems through MCP. That architecture matters because static approval rules treat every request as equally clean or equally risky, which is rarely true. Context does not replace policy. It gives policy enough information to behave consistently under real operating conditions.
Practical implication: enrich entitlement decisions with requester, risk, and behavioural context before routing approvals or certifications.
MCP integrations and dynamic governance inputs
Model Context Protocol enables an AI system to pull contextual signals from other applications without hard-coding each integration separately. In governance workflows, that means the decision engine can evaluate factors such as unusual login activity or an approver being out of office before making a recommendation. The technical value is not automation alone. It is that governance can become responsive to live conditions instead of freezing access policy at request time. That shifts IGA closer to runtime-aware decision support, especially for complex estates with many upstream signals.
Practical implication: treat integrations as decision inputs for governance, not just reporting feeds, and validate which signals are allowed to influence access outcomes.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AI-assisted IGA only works when the governance model is explicit about what the machine is deciding. If an AI system is approving, denying, recommending, or routing access, the control boundary has moved from workflow acceleration into delegated governance. That creates accountability questions for evidence, override paths, and policy drift. Practitioners should treat the AI as part of the decision chain, not as a productivity overlay.
Manual certification was designed for low-frequency, human-paced review cycles. That assumption fails when identities scale across employees, service accounts, and AI agents at machine speed. The implication is not just more work, but a different operating model for IGA where the old review cadence no longer reflects the population being governed.
Contextual enrichment is the right direction, but only if the underlying entitlements are already well understood. Adding risk signals to broken governance does not fix bad entitlement design; it only makes the defects easier to process faster. Teams should therefore distinguish between decision quality and entitlement quality, because automation can magnify both.
Identity governance is becoming a control plane for mixed identity estates, not a human-only certification function. That means the discipline now has to govern people, service accounts, and AI agents with the same rigour, while recognising that each actor type produces different evidence, review windows, and escalation paths. The practical conclusion is that IGA maturity now depends on actor-aware governance design.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often governance programmes lack basic coverage before automation enters the picture.
- That visibility gap is why practitioners should pair AI-assisted review with the 52 NHI Breaches Analysis to understand how identity failures translate into incidents.
What this signals
Identity governance is moving from clerical processing to decision orchestration. That shift changes the programme objective from clearing queues to preserving accountability across human, service account, and AI-driven access paths. Teams that still measure success only by throughput will miss the more important question of whether decisions are actually more defensible.
Contextual enrichment will not rescue weak entitlement hygiene. If service accounts and AI agents already have excessive access, faster governance just helps the programme process bad states more efficiently. The better signal is whether review outcomes are tightening scope over time rather than simply accelerating approval volume.
For practitioners
- Separate policy automation from policy ownership: Document which decisions the AI may recommend, which it may execute, and which remain human-only. Keep approval authority explicit so audit evidence shows where human accountability ends and machine delegation begins.
- Map review queues to identity type and risk: Segment access reviews for employees, service accounts, and AI agents so high-volume non-human identities do not consume the same review workflow as human entitlements. Use risk tiering to reserve manual attention for exceptions.
- Validate contextual inputs before they influence decisions: Check that requestor metadata, login risk, entitlement sensitivity, and approver availability are accurate, current, and authorised for use in governance decisions. Bad inputs create confident but unreliable approvals.
- Design exception handling for AI-driven recommendations: Define what happens when the AI cannot classify a request, sees conflicting signals, or produces a low-confidence recommendation. Route those cases to a human decision path with clear escalation criteria.
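As an added illustration of the technical breakdown and the practitioner guidance above (example code written for this page, not ConductorOne's product logic or NHIMG's tooling): a small policy-based triage routine that accepts contextual signals only from authorised sources within a freshness limit, segments queues by identity type and entitlement sensitivity, escalates unclassifiable or conflicting cases to a person, and keeps the automated / advisory / human-only boundary explicit. Signal names, sources, thresholds, and the policy matrix are assumed values.

```python
from dataclasses import dataclass, field
# Signals a decision may rely on: the only source authorised to supply each one
# and the maximum age (seconds) before it is stale. Values are assumed for the example.
AUTHORISED_SIGNALS = {
    "login_risk": ("idp", 900),          # IdP session risk: "low", "medium" or "high"
    "prior_denials": ("iga", 86400),     # denied requests recorded in IGA history
    "approver_available": ("calendar", 3600),
}
# Policy ownership made explicit: per entitlement sensitivity, the machine may
# execute ("automated"), only propose ("advisory"), or must defer ("human_only").
POLICY = {"low": "automated", "medium": "advisory", "high": "human_only"}
@dataclass
class Signal:
    value: object
    source: str
    age_seconds: int
@dataclass
class AccessRequest:
    identity_type: str            # "human", "service_account" or "ai_agent"
    entitlement_sensitivity: str  # "low", "medium" or "high"
    signals: dict = field(default_factory=dict)

def validate_signals(req):  # keep only fresh signals from an authorised source
    trusted, rejected = {}, []
    for name, sig in req.signals.items():
        source, max_age = AUTHORISED_SIGNALS.get(name, (None, 0))
        if sig.source == source and sig.age_seconds <= max_age:
            trusted[name] = sig.value
        else:
            rejected.append(name)
    return trusted, rejected

def route(req):
    """Return (queue, action, reason); queues are segmented by identity type and tier."""
    trusted, rejected = validate_signals(req)
    queue = f"{req.identity_type}/{req.entitlement_sensitivity}"
    if rejected or "login_risk" not in trusted:       # cannot classify: escalate
        return queue, "human_review", f"untrusted or missing inputs: {rejected}"
    risk, denials = trusted["login_risk"], trusted.get("prior_denials", 0)
    if risk == "low" and denials >= 2:                # signals disagree: escalate
        return queue, "human_review", "conflicting signals: low risk, repeated denials"
    if not trusted.get("approver_available", True):  # primary approver out of office
        queue += "/backup-approver"
    mode = POLICY[req.entitlement_sensitivity]
    if mode == "human_only" or risk == "high":
        return queue, "human_review", "policy reserves this decision for a person"
    if mode == "advisory" or risk != "low" or req.identity_type == "human":
        return queue, "recommend_approve", "advisory only; approver confirms"
    return queue, "auto_approve", "low sensitivity, low risk, authorised inputs"
```

The queue string is the hook for separating non-human review volume from human entitlement workflows, and the reason string is what should land in the audit record alongside the action.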
Key takeaways
- The article’s core message is that manual IGA no longer scales once identity estates include large numbers of non-human identities and AI agents.
- The most useful evidence is the expected 25:1 expansion in AI identities relative to human users, which makes governance capacity a structural issue rather than a staffing issue.
- Practitioners should separate decision automation from accountability and design review workflows around identity type, risk, and escalation path.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Automated review and routing still depend on controlling NHI credentials and access scope. |
| NIST CSF 2.0 | PR.AC-4 | Policy-based access decisions and certification align with least-privilege access management. |
| NIST Zero Trust (SP 800-207) | AC-6 | Contextual decisioning supports least privilege and dynamic access control under zero trust. |
Tie AI-assisted governance back to NHI-03 by enforcing scoped access and reviewing standing entitlements.
Key terms
- Identity Governance And Administration: Identity Governance and Administration is the control discipline that manages who or what should have access, who approved it, and whether that access is still justified. In mixed identity estates, IGA must govern people, service accounts, and AI agents with different evidence and review expectations.
- Contextual Access Decisioning: Contextual access decisioning uses surrounding signals such as requester history, entitlement sensitivity, and environmental risk to shape an access outcome. It improves governance when the underlying policy is sound, but it can also accelerate bad decisions if the inputs are incomplete or untrusted.
- Access Review Automation: Access review automation uses software to help certify, deny, or escalate entitlements with less manual effort. The value is speed and consistency, but the control still depends on clear policy ownership, accurate identity data, and explicit human accountability for exceptions.
- Non-Human Identity: A non-human identity is a machine, workload, service account, token, API key, certificate, or AI agent that needs access to systems or data. These identities often outnumber human users and require lifecycle, privilege, and review controls that are designed for machine pace.
Deepen your knowledge
AI-assisted IGA and non-human identity governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building governance controls for a mixed estate, it is worth exploring.
This post draws on content published by ConductorOne: From Manual to Intelligent: Using AI to Mature Your IGA Program. Read the original.
Published by the NHIMG editorial team on 2025-09-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org