
Explainable AI in IAM: are your governance decisions still auditable?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Explainable AI in IAM matters because access reviews, role mining, and governance documentation need auditable reasoning, not just high accuracy, according to Nexis. Probabilistic AI can support identity decisions, but deterministic governance still has to explain why a recommendation was made and let practitioners verify it before acting.

NHIMG editorial — based on content published by Nexis: IAM Why 99% Accurate AI Isn’t Good Enough for Identity Governance

By the numbers:

Questions worth separating out

Q: How should security teams use AI in identity governance without losing control?

A: Security teams should use AI to prioritise reviews, surface anomalies, and draft governance content, while keeping approvals, exceptions, and certification decisions with accountable humans.

Q: Why is 99% accurate AI still not enough for IAM decisions?

A: Because IAM errors are not evenly distributed.

Q: What do organisations get wrong about explainable AI in IGA?

A: They often treat explainability as a nice-to-have explanation layer rather than part of the control.

Practitioner guidance

  • Require visible rationale for every AI recommendation: ensure access, role, and documentation suggestions can be traced to the attributes, rules, or patterns that triggered them.
  • Keep final access decisions with accountable humans: use AI to prioritise cases and surface anomalies, but preserve human approval for entitlements, exceptions, and recertification outcomes.
  • Fold data-quality checks into normal IAM workflows: flag mismatched attributes, stale role descriptions, and inconsistent entitlement patterns during reviews instead of running separate cleanup programmes.

What's in the full article

Nexis's full article covers the operational detail this post intentionally leaves for the source:

  • How the NICO co-pilot explains flagged data quality issues inside recertification and role management workflows.
  • The practical distinction between deterministic governance logic and probabilistic LLM assistance in identity operations.
  • How BYO LLM changes deployment control for sensitive IAM workflows in regulated environments.
  • How MCP enables external systems to query governance data without custom integration work.

👉 Read Nexis's analysis of explainable AI in identity governance →

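The three practitioner guidance points above (traceable rationale, human approval, data-quality checks inside the review) can be wired into one review pipeline. The following is an added illustration, not code from the original post or from Nexis; the record shapes, the `rule:`/`attr:`/`pattern:` rationale convention, the 365-day staleness threshold and all identities, roles and dates are constructed assumptions. AI output is only allowed to order the queue; anything without a traceable rationale is rejected before a reviewer sees it, and approval is refused until a named person has acknowledged every quality flag.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Rationale entries must reference a concrete rule, attribute or observed pattern
# so a reviewer can trace the suggestion back to what triggered it (assumed convention).
TRACEABLE_PREFIXES = ("rule:", "attr:", "pattern:")
STALE_AFTER = timedelta(days=365)          # hypothetical threshold for a role description

@dataclass
class Recommendation:
    rec_id: str
    user: str
    entitlement: str
    action: str                 # "grant", "revoke" or "keep"
    confidence: float           # model score; only used for ordering the queue
    rationale: List[str]        # e.g. ["rule:peer-group-80pct", "attr:department=finance"]

@dataclass
class Decision:
    rec_id: str
    outcome: str                # "needs-review", "rejected" or "approved"
    approver: Optional[str]
    rationale: List[str]
    quality_flags: List[str]

def rationale_is_traceable(rec: Recommendation) -> bool:
    """True only if every rationale item is a rule/attr/pattern reference with a value."""
    return bool(rec.rationale) and all(
        r.startswith(TRACEABLE_PREFIXES) and r.split(":", 1)[1] != "" for r in rec.rationale)

def data_quality_flags(rec, user_attrs, role_catalog, today) -> List[str]:
    """Data-quality checks run inside the review, not as a separate cleanup programme."""
    flags = []
    for r in rec.rationale:
        if r.startswith("attr:") and "=" in r:
            key, value = r[len("attr:"):].split("=", 1)
            if user_attrs.get(key) != value:     # the model cited an attribute the directory disagrees with
                flags.append(f"attribute-mismatch:{key}")
    role = role_catalog.get(rec.entitlement)
    if role is None:
        flags.append("unknown-entitlement")
    elif today - role["description_updated"] > STALE_AFTER:
        flags.append("stale-role-description")
    return flags

def triage(recs, user_attrs_by_user, role_catalog, today) -> List[Decision]:
    """AI output only orders the queue. Untraceable items are rejected outright;
    everything else waits for a human with its rationale and flags attached."""
    queue = []
    for rec in sorted(recs, key=lambda r: r.confidence, reverse=True):
        if not rationale_is_traceable(rec):
            queue.append(Decision(rec.rec_id, "rejected", None, rec.rationale, ["no-traceable-rationale"]))
            continue
        flags = data_quality_flags(rec, user_attrs_by_user.get(rec.user, {}), role_catalog, today)
        queue.append(Decision(rec.rec_id, "needs-review", None, rec.rationale, flags))
    return queue

def approve(decision, approver, acknowledged_flags) -> Decision:
    """Final access decisions stay with a named human; every quality flag must be acknowledged."""
    if decision.outcome != "needs-review":
        raise ValueError(f"{decision.rec_id}: not open for approval ({decision.outcome})")
    if not approver:
        raise ValueError("an accountable approver identity is required")
    missing = [f for f in decision.quality_flags if f not in acknowledged_flags]
    if missing:
        raise ValueError(f"{decision.rec_id}: unacknowledged quality flags {missing}")
    return Decision(decision.rec_id, "approved", approver, decision.rationale, decision.quality_flags)

# --- constructed sample input (hypothetical identities and roles) ---
REVIEW_DATE = date(2025, 6, 1)
SAMPLE_USER_ATTRS = {"u-finance-01": {"department": "finance"}, "u-mkt-07": {"department": "marketing"}}
SAMPLE_ROLE_CATALOG = {
    "finance-ledger-write": {"description_updated": date(2025, 1, 10)},
    "legacy-report-viewer": {"description_updated": date(2023, 3, 1)},   # description untouched for years
}
SAMPLE_RECS = [
    Recommendation("R1", "u-finance-01", "finance-ledger-write", "grant", 0.99,
                   ["rule:peer-group-80pct", "attr:department=finance"]),
    Recommendation("R2", "u-finance-01", "finance-ledger-write", "grant", 0.97,
                   ["looks like a normal admin"]),                        # free text, not auditable
    Recommendation("R3", "u-mkt-07", "legacy-report-viewer", "keep", 0.90,
                   ["attr:department=finance"]),                          # directory says marketing
]

if __name__ == "__main__":
    for d in triage(SAMPLE_RECS, SAMPLE_USER_ATTRS, SAMPLE_ROLE_CATALOG, REVIEW_DATE):
        print(d)
```

Note that R2 is the highest-confidence item after R1, yet it never reaches a reviewer: a confidence score without a traceable rationale is exactly the "accurate but unexplainable" case the post warns about. R3 is not blocked, but the approver cannot sign it off without explicitly acknowledging the attribute mismatch and the stale role description, which is what keeps the quality check inside the certification record rather than in a separate cleanup list.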
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Explainability is a control requirement, not a usability feature. IAM decisions affect segregation of duties, access recertification, and compliance evidence, so a model that cannot justify its recommendation is missing part of the control itself. The operational question is not whether the AI is often right, but whether its logic is reviewable when the 1% outlier matters. Practitioners should treat reasoning visibility as a governance prerequisite, not a design preference.

A few things that frame the scale:

  • 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% reporting only partial visibility.

A question worth separating out:

Q: Should IAM platforms expose governance data to copilots and AI agents?

A: Yes, but only with explicit interface governance. If copilot or agent access is allowed, the platform must limit scope, log every query, and protect sensitive entitlement and policy data like any other control surface. Identity data is valuable precisely because it is reusable, so reuse has to be governed.

👉 Read our full editorial: Explainable AI in identity governance: why 99% accuracy falls short



   
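The answer above sets three conditions for letting copilots or agents read governance data: limited scope, a log of every query, and protection for sensitive entitlement and policy data. The gateway below is an added illustration, not code from the original post or from any IAM product; the scope names (`read:<collection>`, `owner:<team>`, `policy:read`), the collections, the `sod_policy` field treated as sensitive, and all identities and roles are constructed assumptions. Every query is appended to the audit list before any decision is made, so denied calls are recorded as faithfully as allowed ones.

```python
from datetime import datetime, timezone
from typing import Dict, List, Set

# Constructed governance records (hypothetical roles and identities, not a real tenant).
GOVERNANCE_DATA = {
    "roles": [
        {"role": "finance-ledger-write", "owner": "fin-ops",
         "description": "Write access to the general ledger",
         "sod_policy": "SOD-7: conflicts with payment-approve"},
        {"role": "payment-approve", "owner": "fin-ops",
         "description": "Approve outbound payments",
         "sod_policy": "SOD-7: conflicts with finance-ledger-write"},
        {"role": "hr-file-read", "owner": "hr",
         "description": "Read personnel files", "sod_policy": "none"},
    ],
    "entitlements": [
        {"identity": "svc-reporting", "type": "nhi", "role": "finance-ledger-write", "owner": "fin-ops"},
        {"identity": "alice", "type": "human", "role": "payment-approve", "owner": "fin-ops"},
        {"identity": "svc-hr-sync", "type": "nhi", "role": "hr-file-read", "owner": "hr"},
    ],
}
SENSITIVE_FIELDS = {"sod_policy"}     # returned only when the caller holds policy:read (assumed scope)

class GovernanceGateway:
    """Single entry point through which copilots and agents read governance data."""

    def __init__(self, data: Dict[str, List[dict]]):
        self.data = data
        self.audit: List[dict] = []   # append-only; every query is recorded, allowed or not

    def query(self, agent_id: str, scopes: Set[str], collection: str, filters: dict) -> List[dict]:
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "agent": agent_id,
                 "collection": collection, "filters": dict(filters), "decision": "", "rows": 0}
        self.audit.append(entry)                       # logged before any decision is taken
        if collection not in self.data:
            entry["decision"] = "denied:unknown-collection"
            raise PermissionError(f"{agent_id}: unknown collection {collection!r}")
        if f"read:{collection}" not in scopes:
            entry["decision"] = "denied:scope"
            raise PermissionError(f"{agent_id}: scope read:{collection} not granted")
        rows = [r for r in self.data[collection] if all(r.get(k) == v for k, v in filters.items())]
        # owner:<team> scopes confine the agent to records owned by those teams
        owner_limits = {s.split(":", 1)[1] for s in scopes if s.startswith("owner:")}
        if owner_limits:
            rows = [r for r in rows if r["owner"] in owner_limits]
        if "policy:read" not in scopes:                # strip policy detail for ordinary callers
            rows = [{k: v for k, v in r.items() if k not in SENSITIVE_FIELDS} for r in rows]
        entry["decision"] = "allowed"
        entry["rows"] = len(rows)
        return rows

if __name__ == "__main__":
    gw = GovernanceGateway(GOVERNANCE_DATA)
    print(gw.query("copilot-1", {"read:roles", "owner:fin-ops"}, "roles", {}))
    for line in gw.audit:
        print(line)
```

The design choice worth copying is that scope is enforced on the result set, not only on the endpoint: a copilot with `read:entitlements` still cannot enumerate another team's service accounts, and segregation-of-duties policy text never leaves the gateway unless the caller was explicitly granted `policy:read`. The audit entries carry the agent identity, the collection, the filters and the row count, which is what an access reviewer needs to answer later what an agent actually saw.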