AI-powered identity security: what changes for IAM teams now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: AI and machine learning are being used to automate access modelling, certification recommendations, and outlier detection in identity programmes that now span employees, contractors, machine identities, and AI agents, according to SailPoint. The core issue is not intelligence alone, but whether access governance can keep pace with scale, role sprawl, and review fatigue.

NHIMG editorial — based on content published by SailPoint: Reimagine identity security with AI: Intelligent access. Resilient security

Questions worth separating out

Q: How should security teams use AI recommendations in identity governance without losing control?

A: Use AI recommendations to reduce review volume and highlight anomalies, but keep explicit governance rules for privileged, regulated, or cross-functional access.

Q: Why does role sprawl weaken identity governance at scale?

A: Role sprawl weakens governance because it creates overlapping, outdated, or overly specific entitlements that no one can review consistently.

Q: What do security teams get wrong about identity outliers?

A: Teams often treat every outlier as a threat, when some are legitimate exceptions caused by unique jobs or organisational structure.

Practitioner guidance

  • Rebuild roles before tuning automation: Review whether current roles map to actual business duties or to accumulated exceptions.
  • Set explicit rules for AI-assisted access decisions: Decide which request and certification cases can be recommendation-assisted and which must remain manually adjudicated, especially where privileged access, regulated data, or cross-domain entitlements are involved.
  • Use outliers as governance evidence: Investigate recurring identity outliers for signs of policy drift, bad role design, or exception creep, then feed confirmed patterns back into access model updates and review criteria.

What's in the full article

SailPoint's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step examples of access modelling and role discovery workflows for identity teams that need implementation detail.
  • Specific product behaviour for access request recommendations and access certification recommendations in day-to-day governance.
  • How identity outliers are surfaced and prioritised inside the platform for investigation.
  • The vendor's framing of dynamic access roles and how it reduces role counts in large organisations.

👉 Read SailPoint's blog on AI-driven access modelling and identity recommendations →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990
 

AI-assisted identity governance only works if the underlying access model is already coherent. Machine learning can accelerate role discovery and review decisions, but it cannot compensate for an access structure that is already bloated, inconsistent, or poorly owned. That makes access modelling a prerequisite, not an afterthought. Practitioners should treat AI as an amplifier of governance quality, not as a substitute for it.

A few things that frame the scale:

  • 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to the 2024 Non-Human Identity Security Report.
  • Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities.

A question worth separating out:

Q: How do you know whether AI is improving identity security or just speeding up reviews?

A: Look at revocation quality, exception rates, reviewer fatigue, and how often recommendation-driven decisions are overturned. If automation only increases throughput, it may be hiding weak governance. If it improves the accuracy and consistency of access decisions, it is supporting the programme rather than replacing it.

👉 Read our full editorial: AI-driven identity security still depends on cleaner access models
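The measurements named in the reply above (overturned recommendation-driven decisions, revocation quality, exception rates, reviewer fatigue) computed over certification records, as an added example that is not part of either post or of SailPoint's material. The record layout, the sample records and the rubber-stamp thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median
from typing import NamedTuple

class Review(NamedTuple):          # assumed record layout, not a product schema
    reviewer: str
    rec: str                       # what the recommendation engine suggested
    decision: str                  # what the reviewer chose
    final: str                     # outcome after later audit or appeal
    exception: bool                # access kept as a policy exception
    secs: int                      # time the reviewer spent on the item

# Constructed sample data, not real certification results.
RECORDS = [
    Review("alice", "approve", "approve", "approve", False, 42),
    Review("alice", "revoke",  "revoke",  "revoke",  False, 65),
    Review("alice", "approve", "revoke",  "revoke",  False, 120),
    Review("bob",   "approve", "approve", "revoke",  False, 3),
    Review("bob",   "approve", "approve", "approve", True,  2),
    Review("bob",   "revoke",  "revoke",  "approve", False, 4),
    Review("bob",   "approve", "approve", "approve", False, 3),
    Review("carol", "revoke",  "approve", "approve", True,  90),
]

def rate(part, whole):
    return round(len(part) / len(whole), 3) if whole else 0.0

def governance_metrics(records):
    followed = [r for r in records if r.decision == r.rec]
    revoked = [r for r in records if r.decision == "revoke"]
    return {
        # Throughput signal: how often reviewers simply accept the recommendation.
        "follow_rate": rate(followed, records),
        # Accuracy signal: accepted recommendations that were later overturned.
        "overturn_rate": rate([r for r in followed if r.final != r.decision], followed),
        # Revocation quality: revocations that had to be reversed.
        "revoke_reversal_rate": rate([r for r in revoked if r.final != "revoke"], revoked),
        "exception_rate": rate([r for r in records if r.exception], records),
    }

def rubber_stamp_reviewers(records, min_items=3, max_median_secs=5):
    """Fatigue proxy (assumed thresholds): every recommendation accepted, almost no time spent."""
    by_reviewer = defaultdict(list)
    for r in records:
        by_reviewer[r.reviewer].append(r)
    return sorted(
        name for name, items in by_reviewer.items()
        if len(items) >= min_items
        and all(r.decision == r.rec for r in items)
        and median(r.secs for r in items) <= max_median_secs
    )
```

A high follow rate paired with a high overturn rate is the "faster reviews, not better decisions" case the reply describes.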