Webinar Recording

Redefining IAM: Harnessing AI to Identify Risk at the Speed of Change


Log in and watch the full video!

In an increasingly complex and rapidly changing business, IT and regulatory environment, traditional approaches to identity governance must evolve to keep up with the rate of change. Given the dynamic nature of today’s business, managing entitlements and conducting access reviews have become particularly challenging, for example.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Register  
Subscribe to become a client
Choose a package  
Welcome to our cold webinar, redefining IM harnessing AI to re-identify risk and the speed of change. How I am can use AI to enable access predictively with less effort risk. This webinar are supported by sale point. The speakers today are Paul OV, who is chief product officer at SalePoint technologies. And me Martin Kuppinger I'm principal Analyst at Koa. Before we start some quick information on housekeeping notes, and then we directly will jump into the topic of today's webinar. As you might already have noted. We have a series of upcoming virtually events, all of them in a very modern format with panels, with presentations, keynotes, and all that stuff. The next one will be around cybersecurity and enterprise risk management, more cybersecurity, enterprise risk, definitely far more interesting as those slightly boring titles. First, then there will be one around cloud first strategy and roadmap. So how do you really execute successfully your cloud first strategy?
And then there will be one around privileged access management for your enterprise. So a lot of these events, a lot of other stuff coming from us have a look at our website, have a look at our, at our blog post and videos with that. We already entered the housekeeping. There's not much to say here, basically audio control. We have muted you, we are controlling this. You don't need to care for that. We will do a recording of the webinar and the podcast will be available short term. Usually by tomorrow, we also will provide both slide X for download. So you don't have to take exhaustive notes here and last, not least there will be a Q and a session by the end of the webinar. However you can. The questions at any time and the go to webinar control panel, usually the right side of your screen, there's an area questions and there you can enter the questions.
And so once you have a question, that's enter the question so that we have a list of questions by the end, that can do a very lively Q and a session, providing more information to you, answering your questions with that. Let's have a look at the agenda for today. As I said, two speakers, I'll start, I'll talk about current challenges in IM deployments and how modern technologies and specifically how AI and an ML could help in overcoming these in the second part. And Paul drew love, as I've told you, chief product office at sale point, we'll look at how this can be done in practice. So he will bring in really the, the practical perspective on that considerations for the efficient use and insight into sale point predictive identity as the tool sale point uses to deliver on that. And then part number three will be case session. As the more questions we have, the more interesting that part will be. So let's start with a perspective on some of the common challenges within identity management and identity governance.
So also why project frequently fail? What are the symptoms for our diseases behind? And some of them apparently can be healed by technology. Not all of them, to be honest, but so it all starts with users complaining. So when, when we look at companies, when we are engaged by customers, let's say we trouble is our identity management. What could be the reason? So, so some common reasons for complaints are access requests. So what do I need to do my job? I don't know what to request. I don't find it. I don't understand it, et cetera, worst case they are asking me for, for some SAP T codes. I've seen that in, in real life. And I don't know what an a PT code is at all a transaction code and the other area, apparently access reviews.
So this rubber stamp certification doesn't really make sense. We need to come to an approach which helps us to understand the risk and focus on the reader risks instead of having lengthy lists and complex metrics is no one understands again. So this is one of the, these areas that apparently we need to work on that there, another area is, is manual work in some area it's more, more the administrative side, which is one thing. But the other side is, again, the lack of automation, auditing review complex manual. Re-certification no one likes it. And the results are not positive. They are not good. They don't deliver on what is requested at the end. So we need to get better. There processes might be too lengthy. This is more something where I don't think technology helps at much at the end. Technology helps us implementing these process.
But the real problem here is that two too few companies spend time on writing down, defining their processes, looking at standard process frameworks. We have these on hand, others have these on hand on what is the best practice for identity measurement process. If you don't have that, the results of what you implement usually are poor escalations. So to speak the, the, the other, other side of, of user complaints, too many escalations because people don't work on the review until it's escalated. If you make life simpler for the users, if you do it better, it helps audit findings. So complex audits, they find a lot of stuff you don't have to grip on. You read risks and all the stuff that pops up when the audit comes, then it's delayed. You should do it earlier. You should identify it earlier. Again, one of the, these challenges, and apparently again, outside of technology or somewhat related to technology, it's still that a lot of identity management and IG process projects are failing because there are, are tend to be too complex, not well planned or just the wrong approach for the right problem.
So again, there are various things and some of these are, are really more project management, planning, things. Some are selecting the right technologies, understanding the requirements, defining the process and others really are having technology that helps you overcoming some of those things. You need to do a re-certification, you need to do certain things. People need to be able to request access, or there's an automation behind it. So that's required. So it doesn't, you, you can't just say, okay, I don't do that. So then the question is how can technology help us doing that better? And, and when we look at access governance specifically, we, we, we need a couple of, of things here. So, so we need the access to the systems, and this should cover as many systems as we can across all deployment models. So we need to connect to the systems, but we also need the death in, in, in, in the analytics.
So we need deep insight into how do these things correlate, etcetera. Again, that is an area where, where technology can help us doing things better because this insight and how things relate and, and where the problems occur. That is a lot of analytics. And if technology helps us doing that analytics, our life gets simpler, gets better, and all of these needs to be both effective and efficient. So at the end, we need to deliver focus on what really is required, where do we need to engage with the people, automation, where automation can be used so that all the, the, these things become easier than they are in many of the approaches we are seeing today. And, and when I look at the reality, when I look at, when I talk with businesses, when I hear where they are in, in, in the state of their anti management, then it's very frequently that a worst case, not even have re-certification.
And I just say, you need it, because if you look at ISOs 27,001, for instance, it's us, you need to check your access controls. So there's the need for IM there's a need for privilege access management trust from standard, what is a good practice in information security and as part of access management. So you can't avoid it. If they have it, then most are complaining because it's too complex or not that long that I've seen it. Last, someone showing me the stack of paper, 70 pages, seven oh, pages of excess entitlements for various users, where he should put in, put on his his time and say his signature and say, all good, doesn't make sense. So there's a simple question. And we all know AI solves all the problems of the world as we've learned from the marketing people of many, many companies in it and beyond it.
So, no it doesn't, but if you do it right, it can help us in various areas. So the big question here apparently is will AI solve all these challenges from what I've told you already? It is apparent no, not all of them. So using best practice process, well defined process, stuff like that is not solved by AI, but there are apparent things like all these analytics, things recommendations for entitlements or identifying. Where's the really risk you need to look at in your re-certification. What is what you really need to mitigate that are apparent areas for applying some sort of what commonly is called AI. So let's look a little bit deeper at that. So general AI it's would be, would be, I think it's probably better for call that way. The ability of a machine to intuitively react to situations. It has not been trained to handle in an intelligent way, in a human way.
Yes. That's the point does not exist. Not yet. And with some certainty, not in the next, not in the foreseeable time. So, but there are some things which, which we could call AI, even if it's not general AI in, in, in the, in the, the really narrow sense. There, there are a lot of examples. So some of you might have Alexa or some of you might rely on Spotify recommendations, by the way, I neither have Alexa nor I do. I use Spotify, but I use sometimes people translations, some areas might be picture recognition or intelligent automation. And automation deal is one of these areas, machine learning, something which can help and AI itself. So AI is there, there are things, apparently a lot of things are sold as AI, which are only to certain extent, really AI you, but you also could argue and say, okay, what, what, what a augments, the human doing is drug better is AI. And then why not?
So very clearly a lot of the technologies we see are, are, are, are trust conventional technologies. So there are things like pattern recognition, many of the, the, the algorithms behind pattern recognition date back to the 1960s. So, yes. Okay. I, I, when I started working with it, there also was a lot of expert systems back in these days, there was an AI discussion. So it's a long way to there, but we are the point where things help us doing things better. So we shouldn't be too negative on that. It's more that, that we should be just clear, why do we do it? And, and what's about it. So there are examples of maybe current or not that current maybe potential or, or never, never popping up opportunities. So intellectual property management, that is for instance, one of these areas where can, you can do a lot. We hear a lot on the other hand about, so in the rest of time, not going too deep into that about autonomous vehicles, we're still, there are a lot of technical, technical issues as we every now and then here in the news.
On the other hand, if you look at a standard new vehicle, then there's already a lot of augmentation of the driver in. So, so I like this, this automated distance control. And so I, I don't need to care much when I'm, when the traffic is little queuing or so my, my vehicle does it for itself and I am. So I even started to trust it that it really works reliable. And sometimes it works better than me, but apparently there are also many open questions to be defined. So really responsibilities of various persons and, and organizations within that. But yes, there are apparent or opportunities and these opportunities are not only in the broad area of, of our daily life. They're also in this area of what, what we, what we do in it. And they're just the, this, can we do things better, more autonomous, better supported, better augmented by AI.
So when we look at not this, this big thing of general AI, but at narrow AI or machine learning, that's why we start talking about the real AI. So to speak. That is where we talk, start talking about what does it mean when it really works? And so ML factually, that is, that is about, it works when, when we have the training. So technology is trained to do the job. It is focused on a certain task. It's something which is not very broad. It's, it's very focused. It doesn't some somethings very good because strength to do these things and it delivers, it provides a business value. And when we look at some of these common diseases and symptoms, why I am and IGA, then there are apparently some which can be drained, where we can drain, which solve the business problem. And that is where we need to look at and to think about how can we do it better?
So what are characteristics of, of successful AI use cases here? It's yes, we need the data and we need to drain it. We need to improve it. There must be new data in there. So at the end, it's about a critical mass of data. That's clearly one of the topics Paul can also then elaborate on later on in this talk, it's need to be something repetitive. So it is helping users finding the right access. It is about helping user identifying the risks. It's about doing the learnings, the analytics, all this experience in an automated manner, instead of saying, oh, I, I do identity management. It's narrow, it's focused, it's repetitive.
And it's a, it's a contained system where all these things happens. So when you look at this and this would be the more the drop of the vendor, or when you implement it, your perspective is this really math. So, so what are the skills? And this should come from, what are the challenges we have and can we well solve it, but we also then need to look at, does it work as expected and where could be the challenges? So if you, this is more, more, probably a, a perspective of someone building an a I solution, but if we turn slightly around, it is, does it help us in our problem?
Is it implemented correctly? And where are areas where, where it could be sort of counterproductive. There is areas where things could go fundamentally wrong. So we need a robust eye AI, and we get it with it, but by testing it. So, so also checking situations, scenarios. And I think it's very important for everyone building on that, also playing around and, and checking, doesn't go if we do something wrong, if there are some strange data, doesn't still do the right thing. There might be things which are not perfect. So don't blindly trust it, but it helps you. It augments you, it doesn't replace you. And apparently vendors need to build the robustness in the systems. So also, and that's something you should do then when you do it. So look at worst case scenario, what could go, go for fundamentally wrong, check them, check your data, look at retraining.
If required, if you do it. And specifically as an end user monitor it, that is very important. And I'm a big believer. Also, when we look at AI that AI should be explainable. So it is always a need that we, we understand if we put in that, or if this is the data, this is the outcome. Or if that is in there, then that will be the result. If there's something totally unexpected, we have a problem. So look at the explainable aspects of AI, and that means accuracy earlier or early explainability retrospective analyzes reduce the data bias again, very important. So there are various things at the end of the day to consider when you are shifting towards AI. And some of the things are to consider by the vendor. Some of them are to be considered by you as the organization using it. So yes, there's a potential of AI.
And when we look at narrow AI, yes, there's this ready to use. This is what really a augments people, a augments users. We can use it. And we are right there. So back to where started with identity access management. After this, this very fast journey, through some aspects of AI, the big question is how does AI help am? So some of the areas I see where AI helps most are recommendations, recommend in access requests recommend in access reviews. So the adaptation, so understanding if there are new external, different risks, some data from other systems, how does this change risk? How does it, what do we need to adapt? Because things have changed maybe even automation towards adaptation of entitlements, then very, very simple or not simple to do, but, but apparent risk identification. What, where are the real risks? And that is where we already use a lot of AI in many use cases and also modeling then as a consequence of this.
So when we have learned that this is the useful use case, that makes sense that what is used, et cetera, then we can go towards modeling. So in a nutshell, we have a couple of areas where we need to get better in identity management. We should be careful with AI. So not go over the top in our expectations, but narrow AI can be used and there are various considerations and we need to be always careful and, and track and train and do, but then there's a potential of AI in a broader sense for helping identity management and how this could work, how could go into predictive identity management. That is what Paul will talk about. Some I hand over to Paul chief product officer at sale point, Paul, it's your,
I appreciate the, the great kickoff to the conversation. You know, as I think many people probably recognize, you know, AI is a hot topic across a wide variety of, you know, technology areas. I think the key is learning how to wield, you know, something so new and maybe a little overhyped in some cases and in a way that can be productive in the short term. And so, you know, I'm excited to be here today to talk a little bit more about sale points, approach to AI, you know, and the way that we view that through predictive identity. So, you know, in some ways I hate to start off with a buzzword, but in reality, it's a good place to start the conversation. I know many of the organizations that have joined the call today, see a tremendous amount of value in digital transformation. And, and I, everybody is in a slightly to digital transformation, but the future is going to be digital and, and maybe even more so given the current pandemic, you know, reality that we're living in.
And so as we better prepare ourselves to govern, you know, this, this wide ranging set of digital assets, you know, we have a lot of work to do on the identity and access management side in order to help organizations go through that digital transformation in a safe and secure way when it comes to granting access to users so that they have the right access at the right time. But more than that, you know, I, I was recently reading a study of digital business by MIT and Deloitte that showed that, you know, organizations that have successfully completed the digital transformation, ultimately innovate faster. They drive better collaboration internally and externally to their businesses, you know, and, and so therefore I think it would be hard to find, you know, any organization that is, you know, not looking at digital transformation as a reality in their, in their business, but as a byproduct of that, you know, ultimately we have to be in, in a position to put in better identity governance controls in order to make sure that as we bring on new systems and new data repositories and all those kinds of things, we do it in a safe way.
So as I look at identity governance in 2020, you know, I'm often asked, you know, what's really driving a need for predictive identity. And while I fundamentally believe that digital transformation in a lot of ways is at the core, ultimately the complexity of the infrastructure that we're being asked to manage from an identity perspective is, is the main culprit with more users, more applications, more data, the security stakes, and ultimately the compliance, thanks go up exponentially. So if you think about all the identity, data and processes that will be required to manage the it systems of the future, you know, it's nearly impossible to think, think that humans, you know, especially as, as fallible as we are, could actually keep up with it. I, I thought, you know, Martin's point at the very beginning talking about, you know, the user complaints and particularly the escalations, you know, is, is absolutely spot on in terms of the things that we're hearing, you know, as, as significant issues.
So ultimately, you know, sale points betting on artificial intelligence and machine learning as a way to help organizations and the users in those organizations, you know, sift through and make sense of this incredibly complex world, a, a world that you know, is seeing massive acceleration in the adoption of cloud and organizations are having to really contemplate what every point of digital access is. Not just the traditional ones, where we've looked at applications in a data center and our employee users, but now our contractors and our business partners and our vendors and other people that may need access to our systems, let alone the actual, either physical robots or logical robots in the case of, of something like an robotic process automation, all of that has to be included in the way that we are looking at identity governance going forward. Unfortunately, we get to do this in a increasingly complex regulatory environment.
I don't think anybody, you know, that I, that I've talked to recently and probably on this call, you know, expects the regulatory environment to get friendlier to us as, as time goes on. And therefore, you know, my, my contention is that a human based approach to identity governance can no longer keep up. And so, you know, that that's where AI and ML really come in. And, and I like the definition that Martin used, you know, about general AI versus narrow AI. I think in a lot of cases, you know, where we are seeing the most significant opportunity to really change the game, you know, is in narrowly applying AI to particular use cases and driving, you know, some very interesting outcomes. So let's talk about what some of those outcomes might be. You know, as, as identity is becoming the, what I would call the central nervous system for security and compliance, and ultimately enabling the business to use a wide variety of it, resources, it fundamentally has to sit at the center of your it infrastructure, allowing us to connect everything, see everything, and ultimately aid in the decision making on who should have access to what.
So lemme give you a few examples of how the, the sale point predictive identity vision will really change the way that organizations approach identity governance. You know, first and foremost, identity is powered by artificial intelligence. I think, you know, we are at a point where, you know, the early days of sale point, we recognize this idea that identity risk management, you know, could be a very powerful way to think about, you know, not just the, the regular process automation of gen one, you know, early generation identity and access management tools, but really looking at, you know, the right access for the right user at the right time through a risk lens. Well, fast forward, you know, quite a few years, maybe, maybe almost 15 years, you know, and I think artificial intelligence and machine learning really gives us the ability to lay down that foundation.
And so, you know, as we look towards the future, we believe that identity governance systems are going to fundamentally have to, you know, it, it, I guess, exists on a platform that infuses identity and machine learning through everything that we do. It's not a bolt on, it's not a side process. It's not something that you can get from, you know, another area. It has to be something that is actually, you know, very specifically implemented as part of the full solution and that baseline transformation that we will go through as, as we really look to power identity, you know, through the context of AI will, will, will improve user experience. It'll eliminate a lot of the manual work that Martin talked about. It'll streamline our identity processes and reduce the number of escalations that ultimately have to happen, you know, and, and I think we'll have a big impact on the number of audit findings that are out there as well.
You know, I also believe that as we go forward, we have to look at access in a much more agile delivery mechanism. And it may not be that we go through a process where we try to, pre-provision nearly as much access. We may look at it a little bit differently. We may look at it as something that we wanna do more in real time or near real time, so that, you know, we're, we're not opening the aperture of, you know, security and compliance risk until we actually, until the user actually needs to use the access that, that they're, they are attempting to use. So, you know, I think as we look at that, you know, the agility of the systems is going to increase significantly, but at the same time, we, we also wanna make sure that we're always providing access in a very secure and, and compliant manner and that we do it across all identities. So, you know, back to the point I made a minute ago, the landscape's changing the types of applications that are in use. The types of identities that are interacting with those applications, you know, are, are growing, you know, vastly from what we saw just a few years ago.
Another interesting point. And, and this one is, is a, you know, what I, what I would call near and dear to my heart, you know, this idea of creation and maintenance of access models, you know, has to be much more automated than it's been in the past. You know, I, I think back, you know, maybe a little over a decade when, you know, state of the art in identity and access management, you know, particularly on the identity and access governance side, you know, was, was role based access control. And, and I think a lot of organizations have experimented with roles. I think some organizations have done a very good job of implementing, you know, our back relatively, you know, by the letter of the law. I think a lot of other organizations have struggled under the weight of, you know, really getting a, a well-defined or role model.
One of one of the reasons is it's very difficult to predict what access needs to look like on an ongoing basis, you know, as, as you, as you go through the process of defining something, even, you know, as simplistic as, as a role model where you sh you know, I think conceptually I defining business functions and defining the access that those business functions need, you know, feels like a relatively simplistic task, but I think anybody that's gone through that process, you know, has found that it is, it is difficult. It's difficult because, you know, actually understanding exactly what access is required, you know, is, is not as transparent as one might like, but it's also difficult because the organization changes the it infrastructure changes on an, on an ongoing basis. And keeping those things in, in, in alignment is very difficult. And so, you know, ultimately I think AI will be one of the key ways that we solve that problem, you know, not by sitting down with a Excel or, you know, another offline semi-automated process and trying to build role models, but actually allowing the system to make recommendations on what the model should look like and not just role models, all kinds of policy models, you know, and it can do that by observing behavior and then defining patterns that it starts to see and popping those out for somebody and saying, Hey, look, you know, this department and the role that is associated with that department looks like it needs to evolve because access is now being granted outside of that role, it's being approved, it's being recertified, you know, and therefore we ought to broaden the definition of the role so that we have a more precise alignment.
You know, that's something you can absolutely do through a fairly manual role mining process. But, you know, the idea is to make this a much more continuous process, which brings us to another interesting area and something that I, you know, I think is, is, you know, maybe far past time, you know, the idea of activity monitoring and user behavior that you know, is always been a little bit outside the purview of an identity and access management system. But I think what we're going to find is that, you know, understanding who should have access, who does have access is not enough. We have to understand how people are using their access. I'll go back to my role modeling example. You know, one of the, one of the challenges I think with current approaches to role mining is that AC the, the actual activity or the use of access is not considered in the definition of the role.
And so, you know, I, I may find a population of users that has have similar access, but that access pattern within those users may be very different. Some users may not use it at all. Others may be, you know, power users and we can get much more precise in the way that we build our policies. And we build our roles and flag anomalies that are not just based on who has access to what, but also, I think, you know, the, the increasing need to understand exactly how that access is being used and apply it in the context of a lot of the, the identity and access governance, you know, models that we use. And finally, you know, I think AI driven risk models, you know, will ultimately become very important in the way that we, we think about identity going forward. You know, the, the goal ultimately is to support a very autonomous decision making process so that, you know, I, I, I'm not always requiring, you know, a multi-level approval process.
For example, when somebody requests access to a, a new application, we'll let the system make a risk determination on whether an approval is even required. And, and if it's a low risk access by a low risk user, and, you know, the AI engine says, well, this is a, a very normal thing for somebody in this job function to request, we'll just let it go through. We can mark it as approved by AI. So that from an audit perspective, you know, there's still visibility to it, but I don't have to go through the normal process. And then the escalations that may be associated with that to try to get some of the access they need, I can streamline that process significantly. At the same time, we can leverage G engine to say, wow, this is anomalous. It doesn't look like it is a valid request by a user who should have that access.
Let's immediately kick that to a security administrator that really understands who should have access to that particular, you know, application or platform. So I, I, I can, I can, you know, leverage the system both ways I can leverage it to reduce friction. I can also leverage it to increased friction, but that, that real time risk assessment is going to be what allows us to, to go through that process. So, as, as I look at, you know, the, the SalePoint predictive, you know, vision SalePoint, predictive identity, vision, you know, through more of a, a capabilities model, you know, the, the reality is, you know, we're, we're looking at kind of four major components of functionality, predictive modeling. You know, that's all about helping us reduce deployment cost and complexity by discovering, creating access models and policies using machine learning, you know, real, really allowing organizations to visualize, compare, verify how identity or how access is distributed across job functions, locations, departments, you know, all of those different things in a much easier way than, than we've traditionally tried to do that.
Autonomous identity is all about trying to improve the delivery of access and automate as many of the, the lower risk tasks as we can. One of the common words that I hear people describe their access programs and identity and access programs today is, is fatigue. And that fatigue is creeping in across a wide variety of use cases, you know, with access certifications, probably being one of the leading ones, you know, and I think, I think 10 years ago, access certifications again, were state of the art in the way that we would think about applying and identity and access management system to improve the way that we are controlling access to, to information in the company, but with the, the amount of applications and number of users, you know, I think a lot of, of people have returned to kind a rubber standing approach. It just says, I'm gonna get through the process.
I'm not really worried about the effectiveness of the process. You know, autonomous identity actually allows us to go through and automate a lot of the low risk tasks, get things back to the human users in the system that, that we really need them to look at, you know, versus just asking them to complete, you know, a, a, a, a fairly mundane task, like an access certification at a hundred percent of the access, because that's the way that we traditionally thought about it. I, I think we can get to a point where we're cutting out 50, 60, 70 5% of the access that we need to, you know, include in the, in the human part of the certification process by allowing AI to become the engine that actually drives the certification for all the low risk and, and, and things that are not anomalous in any way, adaptive security is the third area.
And, you know, this is all about detecting and, and addressing risky users and their access, you know, alerting when we see behaviors and could that behavior could be, you know, an anomalous access request, somebody requesting something that nobody else in their department has access to, or has ever been approved for access to, could be that we're looking at it through the, the lens of activity. And all of a sudden, I start to see, you know, a, a pattern of activity and, and usage by a particular user or an account that is very divergent from what, you know, the, the rest of their peers look like, you know, but just leveraging the, the realtime data, the models that we have to begin, you know, adapting in real time to the, the wide variety of, you know, threats that, you know, could, can become overburdening, you know, to the, to the business and it, without some, some very good automation and then finally continuous compliance.
And while I always think that, you know, continuous compliance sounds a little bit like a continuous root canal, that's not really what we're looking at. You know, we want to use machine learning and, and the sale point predictive identity approach to, to really streamline the way that we think about compliance, get out of these big periodic cycle events that we have to go through, you know, reduce the amount of, of work that has to be done by the business, you know, by, by auto certifying things where we can, you know, going to more micro targeted certifications, you know, of, of anomalous events, you know, and just allowing the baseline access to kind of being a continuous state of certification as long as no major changes have happened. You know, so I, I think this is, is going to be a big area. You know, I think a lot of the investments and a lot of the struggles that I see, you know, by customers, you know, are around some of the compliance controls and, and, and being able to move more into a continuous data compliance, I think is going to be a, a very important aspect of the way that we will, you know, ultimately want this to function in the future.
So we've covered a lot of background on, on the sale point, predictive identity vision, and, and kind of how we define that. I want to turn now to the, the way that we're actually innovating, you know, through some very specific use cases on practical applications of, of AI and identity and, and kind of connect back to some of the things that, that Martin highlighted, you know, as he talked about some of the opportunities that he sees from an AI perspective in, in the, in the identity area. So there's four things that I wanna highlight. I wanna talk a little bit about peer group analysis. I wanna talk a little bit about recommendations, and then I'll kind of wrap up on outlier detection and come back around to access modeling that I referred to earlier, you know, peer group analysis, you know, very interesting way to, to begin to think about, you know, some, some early narrow applications of AI, you know, a lot of organizations, you know, may already be doing this on a departmental level, may, may be looking at things on the location level, but we really wanna, you know, broaden that out.
And we want, we want to, we wanna provide an engine that ultimately allows us to, to use peer group analysis, you know, as a baseline AI construct through a lot of the different ways that we will think about applying controls and applying business process to identity, you know, as time goes on, you know, ultimately the goal is to really find the outliers, find people that don't match well or events that don't match well to the way that access is being used, you know, within a particular peer group in the system. You know, we, we ultimately wanna minimize the manual effort of doing that analysis and then use the information that is gleaned from the peer group analysis, which should be an ongoing, realtime, you know, set of information. We want to use that to simplify and ultimately improve access modeling, you know, as, as part of that process, because that allows us to, to really leverage this as part of the risk analysis and, and that, you know, ultimately is where we're trying to get in a lot of the, the applications of, of controls, you know, and ultimately the way that we think about identity.
But so I know this is a kind of an overwhelming visual, but it just shows you, you know, very quickly how fast an AI system can go in and can begin to provide some real context for how you should manage identity. You know, in this particular screenshot, we're showing some clustering, there's some new ones, there's some alerts on existing ones. You know, we've identified some outliers, people that kind of sit outside of a peer group, but have access that may span multiple peer groups that could easily be from somebody that had just recently moved departments or maybe acquired access over a long period of time and things weren't cleaned up as they moved departments. And therefore, you know, we need to go in and, and perform some very, you know, specific actions. So the, the nice thing about the system is, you know, it's generating all of this in the background.
It can provide visualization tools, but it can also embed the risk analysis component of this into other identity processes. The governance recommendations, you know, is, is another really interesting area. I think this is, you know, what, what I would call part of the crawl walk, run, definitely more on, on kind of the crawling and walking side, you know, of beginning to leverage AI in an identity and access management program, you know, and ultimately what it does is it allows us to provide more context to the business users, you know, when in, in a, in a, in an early AI implementation. So, you know, think of it just as a thumbs up or a thumbs down in an access request approval, or a thumbs up in a, or a thumbs down, you know, in the context of an access certification. Let me just make a recommendation on what the person being asked to either approve new access or certify existing access should do.
We've already found that that context is hugely in informational to somebody that may not really understand the details of the access. So it means, you know, for the things that are thumbs up looks good. I can go through those and approve them very quickly. So the things where the system is saying, you know, Paul, in this case, shouldn't have access to what, what I'm looking at. Then I can spend a little bit more time really looking at looking into, you know, why Paul's requesting that, or why Paul already has access to that before I make my decision in terms of governance recommendations. You know, the other thing that we wanna be able to do is actually leverage the recommendation to drive autonomous decision making. So, you know, ultimately allowing the system to self-certify certify things that it deems are low risk, and it has high confidence in implementing those recommendations.
So it, you know, governance recommendations not only becomes, you know, contextual, but I think importantly becomes, you know, a way that we actually begin to reduce the workload on the business. The next big area is outlier detection. I, I commented a few minutes ago on, on some of that, but, you know, ultimately, you know, it helps us to identify individuals that are outliers from the norm, you know, and, and because of the, the highly visual modeling aspects of it, it makes it very easy to identify identities that need to be, be managed. I actually think outlier, detection's going to become one of those, you know, first phase of deployment kinds of, of use cases where we let the AI system go in. And as you add a new application, one of the first things we do is we go look at people with outlier access to that application, you know, and, and, and that immediately begins to reduce the overall risk profile that we're seeing, you know, within the identity system.
And then finally on the access modeling side, you know, this is one that I'm again, very excited about, just because I think, you know, people can get very hung up in, in some of the project issues that Martin highlighted, you know, I think can stem from the fact that, you know, an over analysis can really lock people into not getting value out of the system as early as they would like. And I think as we move to a much more automated approach, you know, where we don't try to answer every, you know, question at the outset of the deployment, but we actually allow the system to begin learning as soon as you connect it to the first target application. And as you add more applications, and as you, you add more users, the system is constantly recommending, you know, updates and changes and, and evolution of that, that role model or policy model, you know, it, it's going to be incredibly beneficial, you know, to the organization. And, and I think, you know, not only allow us to reduce the deployment complexity, but also simplify the ongoing maintenance of the system, you know, particularly as an organization goes through, you know, changes in its it environment or changes in its overall organizational structure.
So with that, let me at least have a printed copy of these. So I'm not completely dead in the water. Let me just wrap up by saying, you know, as, as we look at it from a sale point perspective, you know, we really believe AI extends and enhances identity, the three big areas that it, that it's going to help the most in managing risk. It's going to allow us to govern smarter. And it's ultimately going to allow us to increase efficiency, you know, of the identity and access management system and, and, and ultimately, you know, help us automate, you know, the identity processes and the delivery of access, you know, on a much more consistent basis. But one of the things that I, you know, I do get questions, you know, a lot from organizations, you know, as, as we start looking into what an AI enabled, you know, identity and access management program would look like is, you know, is this two futuristic?
And I don't think it is. I think when you look at it through the practical lens of how we can quickly improve specific areas, those narrow use cases that, that Martin talked about within the identity realm, you know, it's much more approachable. And, and, and as I mentioned earlier, it's a, it's a crawl, walk, run approach. I don't expect everybody to immediately turn on autonomous certifications as an example, but you can start by just showing the recommendations and then you can start, you know, by allowing the recommendations to auto, you know, fill the, the decision. And then ultimately we can, you know, move away from even asking anybody to look at at certain, you know, types of access, because it it's all approved by the model. And it it's in a continuous state of compliance. You know, I have heard auditors and, and regulators push back a little bit at first, when you start talking to them about taking an, an automated approach, but I've also talked to customers that have sat down with their auditors and just mathematically shown them that the quantity of access that has to be managed by the organization is now so significant that AI is really the only approach that's going to allow them to stay in control.
And those are great conversations to have and ones that I'm very excited to, to see us having as an industry. So I wanted to thank everybody for their time today. And, and now I'll hand it back to Martin for Q and a
Thank you, Paul, and thank you for your quick, quick reaction on the technical issue on your computer. Things happen. Anyway, we are then right now at the point where we start our Q and a session as Paul noting, as I've said at the beginning, the slide suppose Paul will be available for download. So you can then have a look at the, a few closing slides, Paul didn't bring up. And so let's go to the QA. And if there are any questions from you, don't hesitate to enter them. Now I'd start with one. And I think it's an interesting one. I know Paul and you and me already had discussions about it, that, that aspect and that question, which came in is AI mostly limited by the data given by, from the environment or given by the environment it interacts with. So at the end, to which extent does it depend on the amount of data you have?
Yeah. I, I think that, that ultimately AI is very data dependent, but I also think that, you know, that the ability to start using and applying AI doesn't necessarily require an organization to have a massive amount of, of historical data, you know, for certain use cases. So, you know, outlier, detection's a great, great example. You know, as soon as I load a new target system, you know, could be cloud app, could be a SAS app, could be a on-prem app, doesn't matter, you know, and, and, and start looking at it through the lens of, you know, just initial peer group analysis. You know, I, I don't have to have a lot of data to understand that there are, you know, people with certain identity attributes that don't match well, you know, to the access that they possess and therefore, you know, probably need to be looked at as an outlier, if I'm doing, you know, quantitative analysis from an ML perspective, that requires a lot of access history data, you know, I probably have to let the, the system run for a period of time before I can, can, you know, get to some of those advanced use cases.
But, you know, I think we're finding a lot more opportunities to use AI, you know, at the very beginning of a SalePoint project, not something that, you know, has to, to wait until somebody is, you know, a year or two years into their program to really provide value.
Okay. Thank you, Paul. Next question. I think that's one, which is good for you to answer great for you to answer a question to Paul. So, so how soon do you think Paul that AI and ML related features will start appearing in commercial IM products? I think the answer is they are here.
I, I think they're here in certain products. You know, we, we started several years ago, really beginning our journey and, and over the course of the last, last 12 months, we've introduced a number of, you know, new AI services and then, you know, extended that feature set into both our identity IQ and identity now platforms. And we're starting to see customers, you know, leverage those in production. You know, there are other IM vendors that are a little bit further behind on that, but, you know, I, I think the future is here in terms of, of the way that SalePoint uses it.
Okay. So we, we already can see it and there will be more from your expectation. Another interesting question is can identity governance or identity access governance based on, on AI and ML help or better help preventing data breaches just,
Yeah, I think that it can, you know, and I think it does so, or potentially does. So in three ways, you know, one is by improving the model such that, you know, we're, we're only granting access to the people that really need it. We can reduce the aperture of unnecessary access that has been provisioned. And, and I think, you know, ultimately we look at the threat landscape, you know, the more access that's out there that can be leveraged in a potential threat, you know, type of a scenario, you know, the, the worse off we are. I think the other big thing is by looking at, at, at it through and an activity lens and, and not just looking at who has access, but how that access is used. You know, I think we have the ability then to leverage ID and access governance, to be much more detective in, you know, the real time use of access, you know, maybe in a, in a potential breach scenario, you know, and then ultimately, I, I think, you know, when, when, when you look at it through the context of, you know, just making sure that access is being cleaned up on a much more aggressive basis and, and not necessarily depending on a human to do that, you know, in a certification, but being able to show that a, a user stop using access or that a group of users no longer need that access, you know, in the context to role, we can be a little bit more aggressive in the deprovisioning of that.
And partly we can be more, we can be more aggressive because using AI and ML on the front end to approve new requests, I can actually streamline the delivery of access. So those two things I think go hand in hand to ultimately, you know, reducing the overall footprint as much as we can, but being in a, in a, also being in a position where we can streamline the delivery so that, you know, people aren't stuck in waiting for an escalated approval to get access.
Okay. One, one more question we just received from the audiences is how big do you see the risk that AI is being compromised, for example, by, by being Ristic by decisions or by information by learning put into, by humans. So, so my perspective and Paul, maybe you continue then was the answer would be the, the risk is relatively low. If you have a narrow AI for specific use case, such as such as the one, once we are looking at, in, in identity management and IGA, probably less than when it's, for instance, chat bot and other stuff. What is your perspective on that?
I, I, I would agree with that, that, that approach, you know, I think we have to be careful not to over architect the system that is so dependent on data, you know, that, that the insertion of malicious data into that, you know, could wield a very different result, you know, that then has anticipated, you know, it's one of the reasons I think a lot of the early AI use cases, you know, do not allow for a lot, do not allow for, you know, direct control by the administrators. You know, that they're much more self-contained algorithms. You know, we're not looking for a lot of tuning to happen because we wanna allow the system, you know, to, to ultimately self learn as much as possible without, you know, the potential for a rogue admin to come in, you know, and make a significant amount of changes that would ultimately, you know, yield, yield, challenging results.
Yeah. Which, which, by the way, it's an interesting trailer. So at the, some discussions was privileged access management solutions, which focus on, on identifying anomalies. And, and one of the apparent challenges is that maybe for instance, close to the years end, you might have things which only appear close to years end when you do the years end bookings and stuff like that. And then you might want to enter, for instance, lean say, okay, this is just unexpected normally. Or you might want to enter during summer vacations, some maintenance windows just totally different people have, have access. So it's, I think it's a, it's an interesting balance to have here, but I think it's very apparent. We, we, we are seeing there's a, a huge potential in using applied AI or narrow AI machine learning to improve what we are doing in identity management and iden governance.
But we also need to be apparently very careful not to, to go over the top, so to speak. We are at the end of the time we have for today. So thank you for all the attendees to this group and call webinar, hope to have you soon in one of our upcoming virtual events, other webinars, conferences, whatever else. Thank you very much to you, Paul, for your presentation, for the insights, as I've said, CX will be available for download. I hope that was interesting to you and wish you a nice remainder of the day. Thank you. Thank you.

Stay Connected

KuppingerCole on social media

Related Videos

Webinar Recording

Evolving Identity and Access Management for the Digital Era

Join Identity & Access Management experts from KuppingerCole Analysts and Broadcom as they discuss how business IT is changing, and the implications for IAM. They will define modern IAM and explain why and how IAM needs to change to support modern app development, regulatory compliance,…

Analyst Chat

Analyst Chat #154: 2022 Wrapped Up - Major Trends in IAM and Cybersecurity

Another year gone already! It's time to take a look back at 2022. Martin Kuppinger and Matthias talk about what happened in the past year and identify top trends in IAM and Cybersecurity. They go beyond technology but also look at processes and business models. By this, they also…

Analyst Chat

Analyst Chat #152: How to Measure a Market

Research Analyst Marina Iantorno works on determining market sizing data as a service for vendors, service providers, but especially for investors. She joins Matthias to explain key terms and metrics and how this information can be leveraged for a variety of decision-making processes.

Event Recording

Cyber Hygiene Is the Backbone of an IAM Strategy

When speaking about cybersecurity, Hollywood has made us think of hooded figures in a dark alley and real-time cyber defense while typing at the speed of light. However, proper cyber security means, above all, good, clean and clear security practices that happen before-hand and all day,…

Event Recording

The Blueprint for a Cyber-Safe Society: How Denmark provided eIDs to citizens and business

Implementing digital solutions enabling only using validated digital identities as the foundation for all other IAM and cybersecurity measures is the prerequisite to establish an agile ecosystem of commerce and corporation governed by security, protection, management of…

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00