TL;DR: Real entitlement clusters across teams and applications are shifting role design from a manual, spreadsheet-driven project to a continuous review process, so suggested roles can be approved as environments change, according to ConductorOne. The governance value is less about automation and more about keeping access profiles defensible, current, and easier to audit.
At a glance
What this is: C1 Deploy introduces AI Role Mining as a way to derive suggested access roles from real entitlement patterns instead of manual spreadsheets.
Why it matters: For IAM, IGA, and NHI practitioners, it matters because role drift, onboarding inconsistency, and weak audit defensibility are the same governance problem expressed across human, machine, and emerging agentic identity programmes.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Context
Role mining is the process of inferring access roles from actual entitlement patterns instead of building them from assumptions, interviews, or outdated directory attributes. In practice, it sits at the centre of identity governance because the quality of a role model determines how well onboarding, access reviews, and audit explanations hold up.
The article’s key point is that role creation does not have to remain a one-time modelling exercise. For practitioners running human IAM, the same tension shows up in IGA programmes, NHI governance, and increasingly in AI-driven identity workflows: if access is always changing, the role model has to be able to change with it.
Key questions
Q: How should teams use AI role mining without creating new role sprawl?
A: Use AI role mining as a starting point, not an automatic publishing engine. Require human review of each suggested role, tie it to a named owner, and reject clusters that are too narrow, too broad, or too dependent on temporary project access. The goal is fewer defensible roles, not more roles with an AI label.
Q: Why do role models drift so quickly in identity governance programmes?
A: Role models drift because organisations change faster than manual governance cycles. New applications, reorganisations, and exception-based access decisions accumulate between reviews, so a role that looked accurate when it was approved can become misaligned within months. Continuous entitlement analysis reduces that lag by surfacing changes while they are still governable.
Q: What breaks when role mining is built on directory attributes alone?
A: Directory attributes often describe hierarchy, not actual work. When role mining depends only on titles, departments, or manager fields, it misses the cross-functional access people really use and produces roles that are tidy on paper but weak in practice. That creates misleading governance records and brittle onboarding baselines.
Q: How do access profiles become more defensible to auditors?
A: Access profiles become more defensible when each role can be traced back to observed entitlement clusters, a review decision, and a named owner. Auditors want evidence of why access exists, not just a label. That trail is stronger when the role model is built from real usage and maintained as part of the governance workflow.
How it works in practice
How entitlement clustering turns access patterns into candidate roles
AI role mining works by analysing who has what access, then grouping users by shared entitlement patterns across departments, applications, and teams. Those clusters become candidate roles when enough people share enough of the same access to suggest a stable pattern. This is not policy writing from scratch. It is pattern detection over real entitlement data, followed by human review. The technical value is that clustering reduces the dependence on directory attributes that often fail to reflect how people actually work. The governance risk is that bad source data still produces bad roles, only faster.
Practical implication: validate the entitlement data feeding role mining before you trust the suggested roles.
Why continuous role mining matters more than one-time modelling
Traditional role engineering often freezes a snapshot of the organisation and turns it into a model that starts drifting immediately. Continuous role mining changes the cadence by re-checking access after connector syncs and flagging new clusters as the environment evolves. That matters because applications change, teams reorganise, and entitlement sprawl accumulates between formal governance cycles. The mechanism is useful only if the review loop stays tight enough to catch drift before the role catalogue becomes a historical artifact.
Practical implication: use recurring review cycles for suggested roles, not one-off approval gates.
How approved roles become a live access profile in governance workflows
The article describes an approval path where a suggested role becomes an access profile immediately after review, without a rebuild step or separate reconstruction workflow. That matters architecturally because it links analysis to enforcement instead of leaving role definitions trapped in a spreadsheet or disconnected design document. In governance terms, the role is only useful if it can be consumed by onboarding, access requests, and certification processes. The main control question is not whether the model looks elegant, but whether the approved profile becomes an operational identity object.
Practical implication: connect approved roles directly to onboarding and access request workflows so the model changes how access is granted.
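The clustering and re-check loop described in this section, as an added Python example that is not ConductorOne's or C1 Deploy's code: users are grouped by shared entitlement combinations, only closed clusters are kept as candidate roles for human review, and an approved role is then re-checked against a later sync to surface drift. The entitlement data is constructed, and the thresholds (three users, two entitlements) are assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample entitlement data (user -> granted entitlements); not real.
ENTITLEMENTS = {
    "alice": {"gh:read", "gh:write", "jira:user", "aws:dev"},
    "bob":   {"gh:read", "gh:write", "jira:user", "aws:dev"},
    "carol": {"gh:read", "gh:write", "jira:user"},
    "dave":  {"gh:read", "jira:user", "aws:dev", "aws:billing"},
    "erin":  {"sf:sales", "jira:user"},
    "frank": {"sf:sales", "jira:user"},
    "grace": {"aws:admin", "aws:billing", "gh:admin"},
}

def mine_candidate_roles(entitlements, min_users=3, min_size=2):
    """Group users by shared entitlement combinations.

    Every combination of >= min_size entitlements held by >= min_users users is a
    cluster. Only 'closed' clusters are kept: a combination is dropped when some
    superset is held by exactly the same users, so each candidate role is the
    largest entitlement set its member group has in common.
    Returns a list of (frozenset(entitlements), frozenset(members)), biggest first.
    """
    members = defaultdict(set)
    for user, ents in entitlements.items():
        for k in range(min_size, len(ents) + 1):
            for combo in combinations(sorted(ents), k):
                members[frozenset(combo)].add(user)
    frequent = {c: frozenset(m) for c, m in members.items() if len(m) >= min_users}
    closed = [(c, m) for c, m in frequent.items()
              if not any(c < other and m == om for other, om in frequent.items())]
    return sorted(closed, key=lambda cm: (-len(cm[0]), sorted(cm[0])))

def role_drift(role, approved_members, entitlements):
    """Re-check an approved role against the latest entitlement sync.

    'missing' lists approved members who no longer hold every role entitlement
    (stale membership); 'unmodelled' lists users who hold the full set but were
    never assigned the role (access granted outside the model).
    """
    missing = {u: role - entitlements.get(u, set()) for u in approved_members
               if not role <= entitlements.get(u, set())}
    unmodelled = {u for u, ents in entitlements.items()
                  if u not in approved_members and role <= ents}
    return {"missing": missing, "unmodelled": unmodelled}

if __name__ == "__main__":
    for ents, users in mine_candidate_roles(ENTITLEMENTS):
        print(sorted(ents), "->", sorted(users))
    # Simulated later sync: carol changed teams, erin picked up developer access.
    later = {**ENTITLEMENTS, "carol": {"gh:read", "jira:user"},
             "erin": {"sf:sales", "jira:user", "gh:read", "gh:write"}}
    print(role_drift(frozenset({"gh:read", "gh:write", "jira:user"}), {"alice", "bob", "carol"}, later))
```

On the sample data the miner yields three nested candidates (a base Git/Jira pair, a developer triple and an AWS developer triple), which is the kind of hierarchy a reviewer then has to accept, merge or reject before any of it becomes a published profile.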
NHI Mgmt Group analysis
Role mining only becomes useful when governance stops treating access models as static artefacts. The article shows that entitlement clusters can now be detected from live access patterns rather than from directory labels that age poorly. That shift matters because the real problem is not a lack of role ideas; it is role drift between business change and governance review. Practitioners should treat role generation as a continuous control, not a periodic design project.
The governance value of AI role mining is audit defensibility, not automation for its own sake. The strongest argument in the post is that every suggested role can be tied back to the cluster and the underlying data that produced it. That creates a more explainable role lifecycle for IGA teams, especially where managers, auditors, and reviewers need to understand why access exists. The practical conclusion is that role evidence has to travel with the role itself.
Continuous role mining exposes a naming and ownership problem that many IAM programmes still hide in spreadsheets. When access patterns are derived from real users, gaps appear in who owns the role, who approves it, and who is accountable when the role no longer matches the work. That is a lifecycle issue across human identities today and non-human identities tomorrow. Practitioners need role ownership, review, and retirement to be part of the same governance chain.
AI-assisted role mining is a sign that identity governance is moving toward evidence-based access design. The article points to a market direction where entitlement analytics, review, and profile publication become more continuous and less document-driven. That will pressure programmes that still rely on manual role workshops and stale job-title mappings. The implication is clear: identity teams will be judged less on how many roles they define and more on how quickly those roles reflect reality.
Real entitlement data is becoming the new baseline for role governance. Once the role model is derived from observed access, the debate shifts from opinion to evidence, which is a healthier operating model for IAM and IGA programmes. This also creates a bridge to machine and agent governance, where dynamic access patterns will be even harder to model by hand. Practitioners should prepare for evidence-led governance to become the expectation, not the exception.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- The governance lesson extends into lifecycle control, as explained in NHI Lifecycle Management Guide, where rotation and offboarding define whether identity evidence stays current.
What this signals
Role mining is moving from design exercise to operating control. That matters because identity programmes increasingly need access models that reflect reality, not workshop consensus. When a role can be derived from live entitlement patterns and published quickly, governance becomes an evidence process rather than a documentation process.
With NHIs outnumbering human identities by 25x to 50x in modern enterprises, the same pattern-based governance logic will matter well beyond human role engineering. Teams that learn to manage access by cluster, owner, and lifecycle will be better positioned when machine and agent identities create similarly volatile access patterns. The next programme gap is not role definition alone, but role evidence at scale.
Evidence-based governance will reward teams that can prove why access exists and when it should disappear. In practice, that means linking entitlement analytics to recertification, offboarding, and access request workflows so the role model remains usable after the initial approval. The organisations that do this well will spend less time arguing about spreadsheets and more time controlling drift.
For practitioners
- Audit role inputs before automating role mining. Check whether the source entitlements are complete, current, and mapped to the right users and applications. If the input data is stale or inconsistent, the mined roles will reproduce that drift at scale.
- Review suggested roles on a fixed cadence. Treat AI-generated roles as provisional until a human owner approves, edits, or rejects them. Use recurring review cycles so role changes track organisational change instead of freezing the current state.
- Link approved roles to live access workflows. Connect the accepted role profile to onboarding, access request, and certification processes so the governance model actually changes how access is granted and recertified.
- Assign ownership for role retirement. Define who is responsible for retiring roles that no longer match how teams work, especially after reorganisations, application changes, or mergers.
Key takeaways
- AI role mining improves governance when it turns real entitlement patterns into reviewable role candidates instead of spreadsheet-driven guesswork.
- The main risk is not automation itself, but role drift if suggested profiles are approved without clean data, ownership, and recurring review.
- Practitioners should connect mined roles directly to onboarding, requests, certification, and retirement so access models stay operationally defensible.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Role drift and entitlement governance map to lifecycle and access control weaknesses. |
| NIST CSF 2.0 | PR.AC-4 | Role approval and least-privilege access align with identity and access management controls. |
| NIST Zero Trust (SP 800-207) | AC-3 | Continuous access validation supports zero-trust access decisions based on current entitlement state. |
Tie mined roles to reviewable lifecycle controls and retire profiles that no longer match actual access.
Key terms
- Role Mining: Role mining is the process of inferring access roles from observed entitlement patterns instead of designing them entirely by hand. It helps identity teams find stable access groupings, but the output still needs human review because data quality, exceptions, and organisational change can distort the result.
- Entitlement Cluster: An entitlement cluster is a group of users who share enough access patterns to suggest they may belong in the same role. In practice, it is a data-driven signal, not a finished governance decision, and it must be evaluated against business context before it becomes a published access profile.
- Access Profile: An access profile is the approved set of entitlements associated with a role or identity pattern. It becomes useful only when it is connected to onboarding, access request, and certification workflows; otherwise it remains a description rather than an operating control.
- Role Drift: Role drift is the gradual mismatch between a defined access role and the way people or systems actually work over time. It happens when business change, application change, and exception handling outpace governance review, leaving role definitions stale, inaccurate, or hard to defend.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by ConductorOne: C1 Deploy, introducing AI Role Mining. Read the original.
Published by the NHIMG editorial team on 2026-05-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org