Tomorrow is already here: AI driven Identity Governance at your fingertips

So what I love most from the last slide is embracing technology. This is really a nice thing. I love it. So are you still in in pub quiz mode? 108 days. Does that number ring a bell on you? 180 days?

Well, to make it easy, I have only 20 minutes. One eight days is the amount of of days a company detect earlier that they are breached. If they are using ai, if they are not using ai and this amount of money represents $1.8 million, just keep that in mind and I try a little bit to add more shed on how or why we do that. So is this just a, a new, a new market bus, what we are using with ai or is this really what we need and how we do that and how it could help you in, in real user experience every day? So let's start.

Every company want to be part of the digital transformation of course, but you always see the always growing numbers of identities. So that is literally will rise two and a half time in the next few years. This is really amazing what happened when it comes to service accounts and also to, to external accounts which come more and more inside of identity management systems. And I think not the, that the personnel you have in your IT space will rise in the same, in the same speech. So you have to do something which helps you to, to get it a little bit easier.

And what we always see what coming with that, with the idea is that more and more applications are connected to the systems, which leads to more and more entitlements how we call the access rights. We read from the, from the connected systems. So let's, let's do some math together. So assuming a company 3000 employees or 3000 identities might be a better word here. So including everything, what you have in terms of identities and Lord Google tells me that 67 applications are in average connected to a, to a company or a company half.

Well this is not my experience, but I just want to relay on a number which you can maybe lay evidence on that one and a half accounts. That might be because some go guys has more than one account in a company and they told us seven entitlements coming in average from an application. Well that's also a very low number because if you recognize how many ad cubes you might have in your id, there might be a hundred of entitlements which we are reading in. But let's stay on that. If you have done the numbers, so you will get one dot or 2.1 million entitlements you have to care about.

So how the hell will you do that with your hands on the keyboard? That's not doable. And it's not only, so this is, this is about the whole system. It's not only AD or Azure or SAP whatever, it's, so it's the whole systems which you have to care about.

So, and this was the reason why we said may maybe we have to do something in that and AI is one of the points. So we doing AI for at least one and a half, two years. So we came about and we try to figure out how could we pin something in terms of the, in the product that it can use in that, and it was so important for us and I don't want to talk very much about that slide, I can talk for an hour for that. But just that you see, we put it on what we call SailPoint Atlas. So it's in the basic of our product MML or machine learning, this is what we call ai, is that what we are using there?

And we put it in the, in the fundamental space of our identity management system. So it's not longer something you can add if you like. It's there and you can use it if you like, but we put it in the very basic thing. So what the question might be, how, how would, what did you do? How do you do that? How do you, how do you use AI for an identity management system? Does that make sense? Well these are not 3000 users. There are only four oh in a few, but we using AI and we use Yaar formula.

Not sure if you know that the yaar coffee sense, which shows the, the, the, the similarity of groups or the un similarity of groups. So we're using that stuff to find out do we have some outliers in there or let's say users which are different from the others And we are using that as well at building, so-called peer groups.

So we can use this formalism to say, well we have here we have patterns and we build from that patterns peer groups and when we have that peer groups we can say, well this or that identity seems different from the rest of the peer group that doesn't meet that this is a bad identity. And she's just different in terms of have different right setting. If you want to do the same procedure with something on your hand over your whole system. Let's say you have 67 applications connected and you want to figure out who is different in there. This will really a nice experience.

This is the moment when adventure starts because all plans ended. This is a nice thing.

So, and we found not only the, what we called the, the structural outliers we found although these outliers which have some only very low similarity and this are often enough, the often accounts, accounts which are forgotten somehow, but they are still active. The perfect thing how to enter a a company. So you know that more than 50% of all breaches occur coming from those orphaned accounts. So this is a thing where IE can help you in the very first place. So very easy to say it's, it's just right in the software built in and you can just click on it. It's doing that every day for you.

Ah, yeah, here are the low similarity outliers. So, and we show that in a, in a way that you can see the difference. So this confidence is a little bit different from zero to 100 you can see where this difference come from. So you can drive in if you like. So it normally wise should not care about the, the why is that, is that really necessary for me from an IT perspective, a marketing perspective, should I do that? So it's much easier to start from that point workflow. So we use trigger for that. So in a certain amount from different is from the rest of the peer group.

You can start automatically workflows, things like that. But it helps you to find out what is the trigger, where's the difference coming from and if you like you can a little bit dive even in there. So this is what I show you can here create the the the certification from there for example and it creates for you, we call that a micro certification that mean it's not a whole certification like I have to certify 100 people or something like that. So using this one guy and this certain excess and ask the manager, is this okay for you? Yes or no?

A simple yes it's okay then we have no longer an outlier but it's just double proofed. Yeah. So this is the idea behind that. You can be sure what the system found as an outlier is something you want to have and be aware of that, ask our questions for that. But we have this afterwards. I know. So the next point might be, so when we are using that thing found with similarities or not, we can use it as well in other points for example in recommendations. So we can say, well we found something which is different from the rest and we make in certifications a recommendation to someone.

We can say well look, the rest of the peer group has that well, so it makes sense to approve that, that's fine for us. Or to say, well there is a difference in there. Maybe you should revoke that. It's just a recommendation. You can overrule it anytime if you like, but the system helps you lot. How often did you face a certification where the manager says, I have no clue what you want from me. So where's the all above button and click on everything and you rubber stamp it. This is not the idea behind a certification to rubber stem something.

The idea is to get more revokes and we have found that, so we have controlled with our, with our customers, is this really value for you? Does it make sense to have something like that? So like the, the last speaker said, so don't have, don't be surprised by the prices. Yeah.

So the, we also lay evidence for the same thing and they found out that 50% more revocations would be happening if they followed the recommendations. This is a brilliant thing.

Yeah, this is exactly what you want to have. So 100% of the, of the approvals, so the recommendations to approve should be okay, seems to be okay for us. That's nice. If we have, we are, if we are on that high level and they are also 90, over 90% which are from the revokes, which are also okay and you will never get 100% in the revokes because some guys have different rights and they have the for for really reasons. That's okay for us. So it makes sense to follow that approach of find, this is a a very good example that it makes sense to have this recommendations basis on, on on AI algorithm.

So this is nothing what you can do with a fancy SQL statement. And the last one maybe is also very important. So I of course I don't know how many of you have ever designed a role model in an AGI project. Did you ever do that? This is alone is a very hard task sometimes because you have a lot of talking with people and things like that. But if you have once built up that role model and you leave it as it is, how long might it be value? Half a year.

A year And then it starts because you've got new, new applications, you have new entitlements or in there are changes in applications as well as in ad you know that there permanently are changes in there. So entitlements will change and that might, the roles should be also changed. But who will do the same exercise before like in the last half year and running through and which is necessary to put in a role or not. This is what this fast stupid is doing for you.

So he permanently controls which entitlements do I found on which roles and make a recommendation for you and say, well look, I found the falling entitlements on the same guys which had the same role. Doesn't it make sense to put this entitlement into the role and this on a daily basis every time, every time this is normally wise a really hard thing to do and this is done from the machine automatically. This helps a lot to strengthen the role model. Very nice. That is very reshaped and you're in a good shape and you have not let's say a explosion on roles on the users.

Like you have it 10 years before in ad with groups. Now this idea behind that, yeah, and this is another evidence we have from a customer that they say, yeah, this is really value for us because we found that we can save a lot of time in those kind of of certification if we use that as well in in the, in the reshaping of the map and time is at the end that what really counts. So there's just a few figures around that, but that is maybe just theory. So I don't want to spend much time in things how, how nice things might be. But this is just, is the result what we call in there.

So the real, the real the everyday scenarios you might have is something like a new worker. So a new guy is coming in the company and asking for access or you have your business managers who have to do ification, you've never ever told a lot about that or the internal auditors not know if you have internal auditors. They might be interested what you are doing in the system and how the, the access is involved over the years. So what is the journey for single administration SMSs for the, for the security team as well. And I try to lead to show a little bit around that.

And this is a really nice thing for me. So from an output perspective, so while we have the similarities in the, in the peer groups, it's not longer that the user has to ask for the access. So you know that you can automate something.

Yeah, so you can have some birth high provision, all that stuff. But normally wise the user comes to his place, he said good day to everyone and they, what did you have? What did you have looking regular and right and ask if there are some some rights missing in that nice case.

It's in, in that nice case, the access finds the user and not vice versa. So when the user logs first into the system, the system tells him, Hey look, your peer groups have this that right, do you want to ask for that right As well from that very point here. So it's very easy to give this information to someone because we have found out the similarity. So we can hand it over direct to a customer, which makes it more easier for first user when it comes in to ask for the correct rights or even request the the correct rights one stuff.

The next one might be, and I have this here in a little bit picture bit, little bit bigger picture, how the recommendations look like is doing enough, interesting enough, we don't stay fixed on that. What we have developed so far. So we are looking in the future. So we'll come with more recommendations where we bring in the usage of rights. So it's possible to get some information from the systems, how often the right is used. So this is what we bring in.

So even if a user has a maybe in his approved, he has a right for a good reason, but he didn't use it very often and that might be a very exp expensive license for example. So maybe it makes sense to give this, right, put it away from the user or only bring it to the user for a certain amount of time. Things like that. Yeah. So this might also help to make the recommendations a little bit better. This is what we are working on at the moment.

And this is again, when we say we spot that, that risk that we proactively say you can use what we found in terms of outliers, bring it in here and can start certifications from here. You can start workflows from here. You can have a deeper look inside, you can have an access inside. So clicking on the timeline and you see the whole activity from that user. So maybe you can find out where this right coming from, if you're interested in that. And this is what also an internal auditor might, might do. This is the point where I said you can start workflows from that.

So if the, the outliers reach a certain state, you can use that trigger and say, well I start a workflow from that. We give you, you don't have to reinvent the wheel. So we give you some templates for that that you can do it on an easy way, but you can of course change the kind of workflows and do whatever you like at the moment we have something in here starting from an email till, till disabling the account if it's if it's too over a certain limit, things like that. And the last thing might be that you can demonstrate compliance relatively easy.

If you are clicking on, on the activity, the inside history, you can look where those rights come from and as well you get more information if you click on the, in that case, on this activity history, you see more information what this guy, what this guy is doing inside, inside of the system with a certain, with certain rights he have in there. So the key capabilities are, as I mentioned, this is the, to give you more insights in that. And this is done really only by machine learning things. It's nothing fancy.

It's, so I think most of the speakers talking here are far away from that. This is very basic machine learning. What we are doing. It's not the, let's say it's not really rocket science, but it's a bit more like you can do with, with PowerShell scripts or with esquel scripts, but it's as it's serious mathematics I would say. But it's something with this very, very basic line. Yeah. But it helps a along to got to get more information from the amount of data you have. So you have the insights in there, you have can make informed decisions and you can have more simplified rule management.

What helps you a lot. What we are looking forward is to have more the, the large language model in there. So we will need or we will use AI in let's say in half a year around that, that you can create on an automatically basis description for your entitlements. We have found some really nice research from that and there was some really nice results. So we are really surprised that we can figure out the system, find the following thing and the large language models fill out some information, which is not very crazy. So obviously it's, it's doable to do something like that.

And maybe that helps a little bit to come around that really burden point when it means, well you have described your roles very good or you have to describe your entitlements very good. That might be doable for one or two weeks, but then daily business runs too fast and you say, yeah, and you don't only scripting in there or, or some, some basic points for you. You as the administrator know exactly what that is, but a certain person have no idea. A third person has no idea what that means and this large language model is officially doable to do something more around that.

This might be an interesting idea to deliver on that. So that was my quick things around how we see AI in, in a daily business. It's a very practical thing. It's working. So we have a lot of customers which are very successful using that. It's not just theory, it's in a daily business and you don't have to care about how is this doable. So this is running in a automated environment. And so just to give you an idea how, how really hard this, this thing is working, this AI thing, because I saw that a lot of guys say, yeah, some fancy SQL statements might be the same job.

May, maybe not really because we are running on AWS and we see a breathing in this AI space of thousand servers a day, which we have. But this is a lot in in terms of CPU capability and in terms of ram. So that was my two pence.

Mary, thanks. Many thanks.