AI in IAM: Friend or Foe?
I still remember when my father asked whether we should buy a PC or another typewriter. This was back in 1990, when PCs were not commonly found in households.
A PC was a special investment and a luxury item, much like a color TV - at least for my family. I was in the 8th grade at the time, and I remember telling my father that computers would rule the future, so we should buy one to learn them. Unfortunately, my father ended up buying another (and our very last) typewriter for school paper writing and homework.
I learned keyboard typing on a typewriter in the 10th grade in 1992. Then, in 1995, during my freshman year at Indiana University, I was first exposed to email (Pine email / Unix Pico) and the World Wide Web (WWW) through the Netscape Navigator browser. I learned HTML and started creating websites for my family's business. I remember debates about the ethics of copying HTML/JavaScript source code from other websites, especially the cool mouseover JavaScript code. The period from my family's decision on purchasing a PC to me building websites marked a paradigm shift, and since entering the workforce in 1999, we've all experienced a cascade of technological advancements that have fundamentally transformed our daily lives and work environments.
Today, we are experiencing a new wave of technology, with Artificial Intelligence (AI) at the center of it. To the public, AI may not have a noticeable impact on their lives, but for those in business, IT, and cybersecurity, the impact of AI on daily work activities is undeniable.
A key question is whether AI is a threat to Identity and Access Management (IAM). I think it depends on how you embrace the changes. Here are a few areas where AI has already had, or where I see it having, a positive impact:
- Identity Data Analysis
IAM relies on the quality of identity data companies have in their authoritative sources (e.g., HR). Many IAM transformation projects fail due to poor data quality and lack of governance. No matter how fancy the new Identity Governance and Administration (IGA) platform is, without accurate, reliable, and consistent data, it will result in garbage in, garbage out.
Recognizing this, IAM professionals analyze the data early in the project, often dumping source data (e.g., HRIS or Active Directory) for analysis. However, this usually ends in static analyses like top-down comparative, statistical, and violation analysis. While better than nothing, it lacks innovation. This is where AI comes in. By loading data into AI platforms like Copilot, there are numerous opportunities to use AI for data analysis. We can start with AI plug-ins to access the data, then use targeted questions to build algorithms that learn from it, uncover data quality issues, and suggest patterns and access control models based on the top-down and bottom-up data exposed to AI. This needs further exploration, but there's potential for AI to improve authoritative data analysis and define robust access control models and IGA workflows.
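For reference, the static comparative and violation analysis described above can be sketched as follows. This is an added example, not code from the original post; the column names and the sample HR and Active Directory rows are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample dumps (not real data); column names are assumptions.
HR_CSV = """employee_id,name,status,manager_id,department
1001,Ana Ruiz,active,1004,Finance
1002,Ben Cole,terminated,1004,Finance
1003,Chi Wong,active,,IT
1004,Dee Park,active,1004,Finance
1003,Chi Wong,active,1004,IT
"""
AD_CSV = """sam_account,employee_id,enabled
aruiz,1001,true
bcole,1002,true
cwong,1003,true
svc_backup,,true
eold,1009,false
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def analyze(hr_rows, ad_rows):
    """Return sorted (finding, subject) pairs from HR and AD dumps."""
    findings = set()
    hr = {r["employee_id"]: r for r in hr_rows}
    # Statistical check: the authoritative key must be unique.
    for emp_id, n in Counter(r["employee_id"] for r in hr_rows).items():
        if n > 1:
            findings.add(("duplicate_hr_id", emp_id))
    # Violation checks: approval workflows need a usable manager chain.
    for r in hr_rows:
        if not r["manager_id"]:
            findings.add(("missing_manager", r["employee_id"]))
        elif r["manager_id"] == r["employee_id"]:
            findings.add(("self_managed", r["employee_id"]))
        elif r["manager_id"] not in hr:
            findings.add(("unknown_manager", r["employee_id"]))
    # Comparative check: every account should map to a current HR identity.
    for a in ad_rows:
        owner = hr.get(a["employee_id"])
        if owner is None:
            findings.add(("orphan_account", a["sam_account"]))
        elif owner["status"] == "terminated" and a["enabled"] == "true":
            findings.add(("terminated_enabled", a["sam_account"]))
    return sorted(findings)

def link_rate(hr_rows, ad_rows):
    """Fraction of AD accounts that correlate to an HR record."""
    ids = {r["employee_id"] for r in hr_rows}
    return sum(a["employee_id"] in ids for a in ad_rows) / len(ad_rows)
```

Findings like these give a baseline to compare against whatever patterns an AI-assisted analysis of the same dumps suggests.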
- Coding
Despite the desire for no-code (no custom coding), 100% configuration IAM deployments, some level of scripting and coding is often necessary due to the nature of IAM and the data import, normalization, and clean-up processes that support the business logic. Though I'm not a developer, from what I hear from developers about AI's potential, the time has come for AI to assist by understanding developers' intentions and providing robust and advanced code blocks. This saves time, effort, and cost for IAM projects.
- Documentation
Let's admit it: some IAM practitioners (or IT in general) are not great at documenting. We're focused on getting things into production and not on creating and maintaining documentation. Despite the importance of documentation, we often neglect it, possibly because of fear of making grammar mistakes or not knowing how to write clearly.
Thankfully, AI can help here. AI can provide inspiration for writing sections, such as leading paragraphs or expressions. While I wouldn't necessarily copy and paste, AI can offer ideas or suggestions for improvement. AI could've been the best friend or grammar tutor we didn't have in school back then, working as a partner to enhance our work quality and save time.
You may be wondering, “What about the IGA solutions providing built-in AI capabilities?” Yes, IGA vendors do offer AI / Machine Learning capabilities, but I believe this is still in the early stage and more has yet to be explored and demonstrated by them. Perhaps I will cover this topic in the future.
After reflecting on my father's decision to buy the last typewriter over a computer, it was likely because of his lack of knowledge and understanding of PCs at that time. He didn't realize their value or how they could be applied to the family. We can view AI similarly. We can stay comfortable with Google searches and rely on previous work products and experiences, but at some point, they may become outdated and obsolete, much like the typewriter gathering dust in my parents' crawl space. While we need boundaries in adopting AI (e.g., avoiding confidential information leaks, plagiarism), we should explore AI's full potential within ethical and professional limits.
I believe AI has far more to offer as our friend than as a foe. But we need to use common sense when we use this powerful tool.
Johnny Shin, Managing Director
Johnny started his cybersecurity career in 1999, implementing one of the first SSO projects. Since then, he has built his career around IAM as an engineer, architect, project / program / account / practice lead, and has led a number of global and large-scale IAM programs.