AI-driven identity and alert overload: what should IAM teams change?


(@sailpoint)
Reputable Member
Joined: 1 year ago
Posts: 122
Topic starter  

TL;DR: AI and machine learning are being used to reduce identity alert overload, with SailPoint citing 59% of cloud security teams receiving more than 500 alerts a day and almost half saying over 40% are false positives. The real governance issue is not automation itself, but whether identity programmes can separate trustworthy signals from noise quickly enough to support access decisions.

NHIMG editorial — based on content published by SailPoint: Artificial Intelligence as a Force Multiplier

By the numbers:

Questions worth separating out

Q: How should security teams use AI in identity governance without losing control?

A: Security teams should use AI to prioritise alerts, support peer-group analysis, and accelerate routine certifications, while keeping final authority on high-risk or ambiguous decisions.

Q: Why do false positives matter so much in identity review programmes?

A: False positives matter because they consume the same scarce analyst time as real anomalies, which weakens both access certification and incident response.

Q: How can peer-group analysis improve access certification?

A: Peer-group analysis improves certification by comparing a user’s permissions and activity to others in the same role or function.

Practitioner guidance

  • Separate low-risk automation from exception handling: use AI to pre-sort alerts, suggest role matches, and draft certification decisions, but require human approval for anomalous or high-impact access changes.
  • Build peer groups that reflect real job functions: define peer baselines from job family, system role, and access pattern rather than department labels alone.
  • Measure signal quality before expanding automation: track false positive rates, review completion times, and the percentage of alerts that result in meaningful action.
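To make the peer-group analysis in the Q&A above and the three guidance points concrete, here is an added worked example; it is not code from SailPoint or NHIMG. It builds peer baselines from job family plus system role, flags entitlements that are rare within a user's peer group, routes the result to auto-certification, a drafted revoke for a human certifier, or mandatory human review, and then computes the signal-quality metrics the last bullet names. All identities, alerts and thresholds (50% peer prevalence, minimum peer group of 3, the high-impact entitlement list, a 25% false-positive gate) are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    user_id: str
    job_family: str
    system_role: str
    entitlements: frozenset


@dataclass
class PeerBaseline:
    size: int
    prevalence: dict  # entitlement -> fraction of peers holding it


# Constructed sample identities; not real users or entitlements.
DIRECTORY = [
    Identity("u1", "finance", "ap-clerk", frozenset({"erp:invoice.read", "erp:invoice.approve", "mail"})),
    Identity("u2", "finance", "ap-clerk", frozenset({"erp:invoice.read", "erp:invoice.approve", "mail", "wiki:edit"})),
    Identity("u3", "finance", "ap-clerk", frozenset({"erp:invoice.read", "mail"})),
    Identity("u4", "finance", "ap-clerk", frozenset({"erp:invoice.read", "erp:invoice.approve", "mail", "erp:payment.release"})),
    Identity("u5", "eng", "sre", frozenset({"k8s:deploy", "vpn", "mail"})),
    Identity("u6", "eng", "sre", frozenset({"k8s:deploy", "vpn", "mail", "iam:admin"})),
    Identity("u7", "eng", "sre", frozenset({"k8s:deploy", "vpn", "mail"})),
    Identity("u8", "hr", "recruiter", frozenset({"ats:read", "mail"})),
]

# Constructed policy parameters (assumptions, tune per environment).
MIN_PEER_PREVALENCE = 0.5   # entitlement held by fewer than half of peers is an outlier
MIN_PEER_GROUP = 3          # smaller groups give no meaningful baseline
HIGH_IMPACT = {"erp:payment.release", "iam:admin"}  # always needs a human decision
FALSE_POSITIVE_GATE = 0.25  # expand automation only below this false-positive rate


def peer_group_key(ident):
    # Peer group = job family + system role, not department label alone.
    return (ident.job_family, ident.system_role)


def build_peer_baselines(identities):
    """Return {peer_key: PeerBaseline} with per-entitlement prevalence."""
    groups = {}
    for ident in identities:
        groups.setdefault(peer_group_key(ident), []).append(ident)
    baselines = {}
    for key, members in groups.items():
        counts = Counter(e for m in members for e in m.entitlements)
        baselines[key] = PeerBaseline(len(members), {e: c / len(members) for e, c in counts.items()})
    return baselines


def outlier_entitlements(ident, baselines):
    """Entitlements the user holds that are uncommon among their peers."""
    base = baselines[peer_group_key(ident)].prevalence
    return sorted(e for e in ident.entitlements if base.get(e, 0.0) < MIN_PEER_PREVALENCE)


def triage(ident, baselines):
    """Return (disposition, reason, outliers). Only low-risk outcomes are automated."""
    base = baselines.get(peer_group_key(ident))
    if base is None or base.size < MIN_PEER_GROUP:
        return ("human-review", "peer group too small for a baseline", [])
    outliers = outlier_entitlements(ident, baselines)
    if not outliers:
        return ("auto-certify", "all entitlements are common in the peer group", [])
    if HIGH_IMPACT & set(outliers):
        return ("human-review", "high-impact entitlement outside peer norm", outliers)
    return ("draft-revoke", "low-risk outliers drafted for the certifier to confirm", outliers)


# Constructed alert dispositions from a review cycle (not real figures).
SAMPLE_ALERTS = [
    {"disposition": "true_positive", "actioned": True, "review_minutes": 10},
    {"disposition": "false_positive", "actioned": False, "review_minutes": 20},
    {"disposition": "true_positive", "actioned": True, "review_minutes": 30},
    {"disposition": "false_positive", "actioned": False, "review_minutes": 40},
    {"disposition": "true_positive", "actioned": False, "review_minutes": 50},
]


def signal_quality(alerts):
    """False-positive rate, share of alerts leading to action, mean review time, and the automation gate."""
    total = len(alerts)
    fp = sum(1 for a in alerts if a["disposition"] == "false_positive")
    actioned = sum(1 for a in alerts if a["actioned"])
    fp_rate = fp / total
    return {
        "false_positive_rate": fp_rate,
        "actionable_rate": actioned / total,
        "mean_review_minutes": sum(a["review_minutes"] for a in alerts) / total,
        "ok_to_expand_automation": fp_rate <= FALSE_POSITIVE_GATE,
    }


BASELINES = build_peer_baselines(DIRECTORY)


def find(user_id):
    return next(i for i in DIRECTORY if i.user_id == user_id)


if __name__ == "__main__":
    for ident in DIRECTORY:
        print(ident.user_id, triage(ident, BASELINES))
    print(signal_quality(SAMPLE_ALERTS))
```

Note that u8 lands in human review not because anything looks wrong but because a peer group of one cannot produce a baseline; treating "no baseline" as "no anomaly" is the silent failure mode a prevalence-based check must avoid. The signal-quality gate is what stops the automated tiers from being widened while the false-positive rate is still at the levels the TL;DR describes.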

What's in the full article

SailPoint's full blog covers the operational detail this post intentionally leaves for the source:

  • The specific AI and machine learning use cases discussed for access requests, role modelling, and access certifications.
  • The examples used to explain peer-group analysis and how it supports anomaly detection.
  • The vendor's description of how automation can accelerate low-risk identity tasks without replacing security judgment.

👉 Read SailPoint's blog on AI and machine learning as a force multiplier for identity →
