TL;DR: GenAI Descriptions for Entitlements reached a 98% median approval rate and helped customers turn undocumented access into reviewable context, reducing rubber-stamping and audit friction, according to SailPoint. The broader lesson is that AI earns trust in identity only when it is tightly scoped, human-reviewed, and tunable to local governance needs.
NHIMG editorial — based on content published by SailPoint: Trust at scale: How GenAI Descriptions for Entitlements earned customer confidence
By the numbers:
- Over 60% of entitlements in SailPoint Identity Security Cloud had no descriptions.
- The median approval rate across all customers is 98%.
- In January, the average unedited approval rate was 99%.
Questions worth separating out
Q: How should security teams use AI to improve access reviews without losing accountability?
A: Use AI to draft entitlement descriptions, not to approve access.
Q: When do undocumented entitlements become a governance risk?
A: They become a risk as soon as reviewers cannot explain why access exists or whether it is still needed.
Q: What do teams get wrong about trusting AI in identity workflows?
A: They assume trust comes from model output quality alone.
Practitioner guidance
- Inventory undocumented entitlements first Measure how many permissions lack clear business descriptions, ownership, or usage context, then prioritise them for certification cleanup before introducing AI assistance.
- Require human approval for AI-generated metadata Keep AI as a drafting layer and route every generated entitlement description through review, edit, or reject steps with named approvers and audit trails.
- Use local context to improve model usefulness Provide environment-specific key-value context for naming, application ownership, and entitlement purpose so generated descriptions reflect how the access actually works.
What's in the full article
SailPoint's full blog post covers the operational detail this post intentionally leaves for the source:
- How the review workflow handles edit, approve, and reject actions for generated entitlement descriptions
- How custom context is structured and applied to improve description quality in different environments
- How customers use the feature in quarterly audits and certification campaigns
- How SailPoint plans to expand the approach into roles, applications, and privilege discovery
👉 Read SailPoint's blog on GenAI descriptions for entitlement governance →
GenAI entitlement descriptions: what it means for access review governance?
Explore further
Trust in identity AI is a governance design problem, not a model quality problem. SailPoint's central insight is that customers trust GenAI descriptions because the workflow preserves human review, local context, and narrow scope. That is the opposite of a blanket AI automation story. The practical lesson for IAM teams is that AI becomes credible when it improves the quality of identity decisions without taking ownership of them.
A few things that frame the scale:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities.
A question worth separating out:
Q: How can organisations tell whether AI-assisted entitlement descriptions are working?
A: Look for fewer rubber-stamped certifications, higher review completion quality, and cleaner audit explanations for access decisions. A healthy programme should also show that reviewers can edit or reject generated text without friction and that subject matter experts are handling the hardest cases.
👉 Read our full editorial: GenAI entitlement descriptions expose the trust gap in access reviews