IAM Myth: AI Will Fix It
Artificial intelligence (AI) will do it for us. We cannot handle all the identity mess we have. We cannot define roles, we cannot make good approval and certification decisions, we are not able to maintain our security policies. We do not have the knowledge and skill to do it, as competent identity management professionals are few and far between. Luckily, AI is coming to our rescue. Let’s buy some magic AI stuff, and it will do it all for us. Problem solved.
Artificial Garbage
I’m sorry to break it to you, AI is not going to save you.
AI is a great tool, but it can only do us much as it was taught to do. It cannot sort out your mess, because your mess is vastly different from anyone else’s mess. Cleaning up your identity mess requires detailed knowledge about your users, organization, systems, practices, goals and policies. This is a knowledge that AI could not learn from anywhere else but your organization. Unfortunately, you do not have enough data to train AI yourself. Even worse, your data are almost certainly wrong. There is noise in the data, good decisions are mixed with wrong decisions, there are hidden policy violations, and the users are massively glossref:[over-provisioned]. If you attempt to train AI on that data, you will get artificial garbage instead of artificial intelligence. The algorithm will repeat all the mistakes that you have done in the past. It will only further embed the mess you have, instead of clearing it up.
Useful AI
Having said all the sad things about IT, there are tools and methods in the AI family that can provide great value to you. There are mechanisms that look for patterns in your data. Role mining is looking for common combination of privileges, suggesting definition of new roles. Outlier detection looks for users that have different privileges that their peers. Such algorithms can provide suggestions to you, suggestions to improve your identity management set-up and practices. However, the algorithms cannot work autonomously. They provide suggestions, however they need your supervision. There will be good suggestions, and there will be a lot of garbage as well. You have to tell what is right and what is wrong. AI will not magically provide the knowledge that you do not have. AI can make you much more efficient, but it will not work without your knowledge. AI is a tool that can help you, it cannot replace you.
AI cannot save you if you have no idea what you are doing. It can only help you to do your homework more efficiently. The responsibility is till yours, and yours only.
Therefore, do not try to replace identity management expertise with AI. It will not work. What can work is to make the experts work much more efficiently by employing AI-based tools. However, you will still need the expertise in the first place. You still need to hire identity and cybersecurity professionals. Technology cannot do it alone. You still need the right people on board.