Access Intelligence, sometimes also called Identity and Access Intelligence (IAI), is one of the hype topics in the Identity and Access Management (IAM) market. Some vendors try to position this as an entirely new market segment, while others understand this as part of Access Governance (or Identity and Access Governance, IAG).

The first question is what defines IAI. From my perspective there are two major capabilities required to call a feature IAI:

  • It must use advanced analytical techniques that allow for a flexible combination and analysis of complex, large sets of data.
  • It must support the analysis not only of historical and current access entitlements, but also of access information in context and based on actual use, ideally in run-time.
The first requirement is tightly related to the second one. IAI clearly cannot just rely on traditional reporting mechanisms. Analyzing more data and working with more complex data models will require other technologies, specifically Business Intelligence/Analytics and Big Data technologies.

The second requirement extends the current reach of Identity and Access Governance. IAG traditionally focuses on the comparison of as-is and to-be information about access entitlements in various systems. It also provides reporting capabilities on the current state of these entitlements, including information, for example, about high risk accounts etc.

IAI goes far beyond that, though. It should also enable analysis of the actual use of data, not only of the entitlements. Which documents have been used based on which entitlements? Is there high-risk information people try to access without sufficient entitlements? This analysis is based on information from various systems such as User Activity Monitoring (UAM), server log files, DLP (Data Leakage Prevention) systems, etc. It also can provide information back to other solutions. Access Intelligence thus becomes an important element in Information Stewardship.

IAI helps in moving from a static view to a dynamic view, especially once it supports real-time analytics. One could argue that this leads to an IAM version of SIEM tools (Security Information and Event Management). I’d rather say that it goes beyond that, because it combines IAG with IAI.

Identity and Access Analytics is just a logical extension and part of IAG tools. It allows for better governance. Thus, this should not be a separate set of products but become a part of every IAG solution. It is, by the way, only one of the areas where IAG has and will change. In my presentation about “Redefining Access Governance: Going well beyond Recertification” at EIC 2013, I talked about eight areas of advancement for IAG – and I admittedly missed one in that list that I covered in other presentations, which is IAG for Cloud Services. The video recording of the session is available online.

More information about the current state of the IAG market is available in the KuppingerCole Leadership Compass on Access Governance.