TL;DR: Role mining fails when teams rely on spreadsheets, siloed data, and manual policy validation, according to Lumos. The governance lesson is that access modelling now has to absorb continuous context, not just cleaner workflows, and Lumos says Albus applies agentic AI to attribute analysis, access mapping, and RBAC/ABAC policy generation.
NHIMG editorial — based on content published by Lumos: Identity Management Using Albus for Role Mining
Questions worth separating out
Q: How should security teams mine roles without creating brittle access policies?
A: Start with high-quality identity sources, then limit the first wave of roles to attributes that are stable, well-owned, and easy to explain to auditors.
Q: When does ABAC create more governance risk than RBAC reduces?
A: ABAC becomes risky when attributes are inconsistent, poorly governed, or too dynamic for the organisation’s review cycle.
Q: What do IAM teams get wrong about agentic role mining?
A: They often mistake faster analysis for better governance.
Practitioner guidance
- Validate identity data before mining roles Inventory which systems actually supply the attributes used for role engineering, then measure completeness, freshness, and owner accountability across HRIS, IdP, cloud apps, and key business systems.
- Separate role design from policy approval Use automation to surface candidate roles and access patterns, but require business and security owners to approve exceptions, edge cases, and final enforcement rules.
- Tie mined roles to lifecycle events Map each approved role to joiner, mover, and leaver triggers so that provisioning, modification, and removal happen through the same governance path.
What's in the full article
Lumos's full blog post covers the operational detail this post intentionally leaves for the source:
- The step-by-step Albus prompts used to inspect user attributes and build role tables
- The specific access buckets the vendor uses for birthright, universal, self-service, and restricted access
- How Lumos says policy validation flows into enforcement through its lifecycle management workflow
- The vendor's examples of how business app owners review and fine-tune access recommendations
👉 Read Lumos's analysis of agentic AI role mining and RBAC policy design →
Agentic AI role mining: are RBAC policies keeping up?
Explore further
Manual role mining fails first at the evidence layer, not the policy layer. The article is right to focus on fragmented identity data, because access governance breaks when no one can reconstruct the attributes behind a role decision. That is a lifecycle and governance problem as much as a modelling problem. Practitioners should treat role mining as evidence curation before policy creation.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: How do role mining outputs stay useful after org structures change?
A: They stay useful only if roles are linked to lifecycle governance. That means recertification, mover events, and offboarding must feed back into the role model so that it reflects current business need. Without that loop, mined roles become historical snapshots that preserve stale access instead of preventing it.
👉 Read our full editorial: Agentic AI role mining exposes the limits of manual RBAC governance