TL;DR: Real entitlement clusters across teams and applications are shifting role design from a manual, spreadsheet-driven project to a continuous review process, so suggested roles can be approved as environments change, according to ConductorOne. The governance value is less about automation and more about keeping access profiles defensible, current, and easier to audit.
NHIMG editorial — what this means for NHI practitioners
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should teams use AI role mining without creating new role sprawl?
A: Use AI role mining as a starting point, not an automatic publishing engine.
Q: Why do role models drift so quickly in identity governance programmes?
A: Role models drift because organisations change faster than manual governance cycles.
Q: What breaks when role mining is built on directory attributes alone?
A: Directory attributes often describe hierarchy, not actual work.
Practitioner guidance
- Audit role inputs before automating role mining. Check whether the source entitlements are complete, current, and mapped to the right users and applications.
- Review suggested roles on a fixed cadence. Treat AI-generated roles as provisional until a human owner approves, edits, or rejects them.
- Link approved roles to live access workflows. Connect the accepted role profile to onboarding, access request, and certification processes so the governance model actually changes how access is granted and recertified.
What's in the full announcement
ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:
- The AI role mining workflow for turning entitlement clusters into suggested roles
- The approval flow for editing, rejecting, and publishing roles inside C1
- The difference between automatic suggestions after sync and custom cohort analysis
- The practical onboarding and audit scenarios the vendor says the feature supports
👉 Read ConductorOne's analysis of AI Role Mining and role governance →
AI role mining and role drift: what changes for IAM teams?
Explore further
Role mining only becomes useful when governance stops treating access models as static artefacts. The article shows that entitlement clusters can now be detected from live access patterns rather than from directory labels that age poorly. That shift matters because the real problem is not a lack of role ideas, it is role drift between business change and governance review. Practitioners should treat role generation as a continuous control, not a periodic design project.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
A question worth separating out:
Q: How do access profiles become more defensible to auditors?
A: Access profiles become more defensible when each role can be traced back to observed entitlement clusters, a review decision, and a named owner. Auditors want evidence of why access exists, not just a label. That trail is stronger when the role model is built from real usage and maintained as part of the governance workflow.
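To make the loop described in the practitioner guidance and in this answer concrete (entitlement cluster, provisional role, owner decision, drift check), here is an added Python example; it is not ConductorOne's code, and the users, entitlement names and the `review`/`drift` helpers are constructed for illustration.

```python
from itertools import combinations

# Constructed sample entitlement assignments (user -> entitlements); not real data.
ASSIGNMENTS = {
    "alice": {"github:push", "aws:s3-read", "jira:edit"},
    "bob":   {"github:push", "aws:s3-read", "jira:edit"},
    "carol": {"github:push", "aws:s3-read"},
    "dave":  {"payroll:view", "payroll:approve"},
    "erin":  {"payroll:view", "payroll:approve"},
    "frank": {"aws:iam-admin"},
}

def mine_roles(assignments, min_users=2):
    """Suggest provisional roles from entitlement clusters held by >= min_users.

    Candidates are every user's entitlement set plus pairwise intersections
    (the shared core of two users), so a smaller set held by more people
    surfaces as its own role instead of being hidden inside a larger one."""
    sets = [frozenset(e) for e in assignments.values()]
    candidates = set(sets) | {a & b for a, b in combinations(sets, 2)}
    roles = []
    for cand in candidates:
        holders = frozenset(u for u, e in assignments.items() if cand and cand <= e)
        if len(holders) >= min_users:
            # Evidence travels with the role so an auditor can see why it exists.
            roles.append({"entitlements": cand, "evidence_users": holders,
                          "status": "provisional", "owner": None})
    # Keep only maximal clusters: drop a candidate if a strict superset has the same holders.
    return [r for r in roles if not any(
        r["entitlements"] < o["entitlements"] and r["evidence_users"] == o["evidence_users"]
        for o in roles)]

def review(role, owner, decision):
    """Record the human decision; only 'approved' roles should feed live workflows."""
    assert decision in {"approved", "rejected"}
    role.update(status=decision, owner=owner)
    return role

def drift(role, assignments):
    """Compare who holds the role's entitlements now with the mining-time evidence."""
    now = {u for u, e in assignments.items() if role["entitlements"] <= e}
    return {"gained": now - role["evidence_users"], "lost": role["evidence_users"] - now}
```

Running `mine_roles` on the sample yields three provisional roles (a shared developer core, the larger developer set, and a payroll pair) while `frank`'s singleton admin grant is never suggested; `drift` re-run on a later snapshot shows which users joined or left a cluster since the role was approved.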
👉 Read our full editorial: AI role mining shifts governance from spreadsheets to continuous roles