A Task For AI

Application Onboarding, A Near Term Task For AI

A couple of weeks back a colleague of mine asked me what I saw as the value of AI in IAM. The current state of generative AI is such that it can do much of the work that humans have been doing for years faster and in many cases with the level of quality of top humans in their respective fields. The full set of potential use cases for it is unbounded. What it can do now however is bounded by the amount of data available to it. For AI to do something it must first have been done well by people, and to be trained to do the work it must have been done enough to generate data to train an AI on. IAM is a developing science with a limited knowledge base where the inputs, outputs, and definitions of success are all hidden by the organizations that utilize IAM solutions. That may sound like an insurmountable barrier to AI success in solving IAM problems, but it is not. To understand why we have to go back just a little bit in time.

In the previous decade the big story in IAM and IT wasn't AI. It was the cloud. The majority of the IAM solutions being deployed today are no longer on-premises IAM solutions but on-cloud. The transition from on-prem to cloud-based IAM solutions has removed a technical barrier to utilizing client data to generate training sets for IAM configurations based on the client's data. The EULA of these tools removes any legal barrier, an example of which, from SailPoint is below:

"From time to time, SailPoint may use Customer Data or other aspects of Customer’s use of the SailPoint Offerings to generate patterns, statistics, and similar metadata that does not identify Customer or any of Customer’s Users (“Usage Data”). Usage Data is owned by SailPoint.", SailPoint IdentityCloud Customer Agreement and Terms

Saviynt similarly has a tool improvement clause:

"Customer grants Saviynt, its licensors and subcontractors a non-exclusive and limited license to host, store, transmit, display and process Customer Data as reasonably necessary for the purposes of (i) setting up, providing, monitoring and improving the Subscription Services," Saviynt Customer Responsibilities Conditions of Use

If there are any tools that don't permit their creators to use client data to improve them, I'd be surprised, please let me know.

This may seem ominous but assuming the information is only used to improve their tools in the long run this should benefit their clients by allowing trained AI tools to optimally configure client-specific IAM instances. The losers in this instance would be the people previously responsible for performing the configurations, not the organizations whose primary concern is that the configuration happens.

Any task in the IAM space that has a large dataset based on repeated inputs and outputs is up for grabs, so what's going to go first? My money is on Application Onboarding for common applications. It's worth noting that this application of AI won't be visible to end consumers, what they will see instead is the scope of out-of-the-box connectors for applications drastically expanding and automatic configurations for them becoming the norm.

Aside from access to the data which IAM providers already have, the two other things they need are large datasets and a definition of success, something to train a model towards. The former is why I qualified the type of applications that this will work for as common. Historically they would have had to be considered important enough to justify an effort to create an OOB connector, soon they will just have to exist in quantity. It's worth noting that the types of applications that will be covered by this will be limited to the user bases of the IAM systems in question, so if a toolset is currently heavily favored in manufacturing for example the future connector set will be as well.

The definition of success is a little trickier. As a consultant I've seen a lot of misconfigured application models across many clients. The industry preference for wording application onboarding contract KPIs in terms of "# of applications configured / time" forces software configuration teams to prefer speed to accuracy. There are wrong ways to configure applications in an IAM space and there is a way in which access needs to be modeled for IAM activities to occur. This problem can also be overcome, a simple way to estimate accuracy for example is "durability", if an application model hasn't changed it is likely the correct one. If a client's IAM team continues to fiddle with it, it is likely incorrect. There are probably teams of people working right now on better definitions of success in this area.

Going forward I think the model of "Accessible Data of sufficient quantity and a definition of success" will apply to more areas in the IAM space. This will eventually open up to areas beyond just application onboarding but for the near term that's what I would bet on. In terms of impact on the industry there are two changes I see this bringing, the first is: Application onboarding is going to become a niche capability. It will never disappear as new applications will continue to be created and AI can accelerate that process, potentially to breakeven or even growth although I doubt it. Armies of fresh-faced IAM consultants may no longer find themselves on large application onboarding teams.

The second impact I see is that this will reduce the cost of IAM operations resulting in increased adoption. If you no longer need multi-year million-dollar IAM contracts to move your company into a modern IAM solution you are more likely to do it. This may mean more work for IAM strategists and implementers but shorter contracts.

If your organization is considering implementing IAM or wants to make changes to their existing IAM solution such as reducing the cost, increasing the security and saving a lot of money with an Access Consolidation project, please reach out to us at Thornton Data Solutions.