In this talk, we will dive into a common headache for identity teams: shadow admins. These are users who, through some combination of misconfigured or over-delegated permissions, end up with admin powers they were never meant to have. The “traditional way” of dealing with shadow admins is to map all of them and let the identity team decide what to do with each one. This approach works only if the number of shadow admins is small; however, our research, based on data from more than 50 organizations, reveals that most large organizations have hundreds of shadow admins, and sometimes even more.
We will present a novel method that not only finds the shadow admins but also recommends to the identity team which permissions should be revoked to resolve as many shadow admins as possible. For instance, we discovered that in most organizations more than 70% of the shadow admins can be resolved by revoking one single permission. Our method is based on algorithmic tools and AI. We will share its core concepts and show a few real-life examples.
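As an added illustration of the recommendation idea (this is example code, not the speakers' method, and the directory below is constructed): model principals and delegated permissions as a directed graph, find the non-admin users that can still reach the admin group, then rank each permission by how many shadow admins disappear when it is revoked. The permission names (ResetPassword, AddMember, GenericAll), the assumption that each of them is sufficient to take over its target, and the greedy set-cover loop are all assumptions of the example.

```python
from collections import defaultdict, deque

ADMIN_GROUP = "Domain Admins"
GROUPS = {ADMIN_GROUP, "helpdesk"}

# Constructed sample data, not real tenant data. (src, dst, perm) means `src`
# holds `perm` over `dst`. Every permission listed here is assumed to be enough
# to take `dst` over; that mapping is an assumption of this example.
EDGES = [
    ("alice", ADMIN_GROUP, "MemberOf"),        # intended admins
    ("bob", ADMIN_GROUP, "MemberOf"),
    ("helpdesk", "alice", "ResetPassword"),    # a group may reset an admin's password
    ("carol", "helpdesk", "MemberOf"),
    ("dave", "helpdesk", "MemberOf"),
    ("erin", "helpdesk", "MemberOf"),
    ("heidi", "helpdesk", "AddMember"),        # heidi can add herself to helpdesk
    ("frank", ADMIN_GROUP, "AddMember"),       # frank can add himself to the admin group
    ("grace", "frank", "GenericAll"),          # grace fully controls frank
]


def build_graph(edges):
    """Adjacency map: src -> set of nodes src can take over or is a member of."""
    graph = defaultdict(set)
    for src, dst, _ in edges:
        graph[src].add(dst)
    return graph


def reaches(graph, start, target):
    """Breadth-first search: can `start` reach `target` through control edges?"""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def intended_admins(edges):
    """Direct members of the admin group: admins by design, not shadow admins."""
    return {s for s, d, p in edges if d == ADMIN_GROUP and p == "MemberOf"}


def shadow_admins(edges):
    """Users who are not direct admins but can still reach the admin group."""
    graph = build_graph(edges)
    users = {s for s, _, _ in edges} | {d for _, d, _ in edges}
    users -= GROUPS | intended_admins(edges)
    return {u for u in users if reaches(graph, u, ADMIN_GROUP)}


def rank_revocations(edges):
    """For each revocable permission, the shadow admins that disappear if it is
    removed, most effective first. Group membership is left alone; only
    delegated permissions are candidates."""
    before = shadow_admins(edges)
    ranked = []
    for edge in edges:
        if edge[2] == "MemberOf":
            continue
        after = shadow_admins([e for e in edges if e != edge])
        ranked.append((edge, before - after))
    ranked.sort(key=lambda item: len(item[1]), reverse=True)
    return ranked


def greedy_plan(edges):
    """Repeatedly revoke the permission that resolves the most shadow admins.
    This is greedy set cover: explainable and cheap, not guaranteed minimal."""
    remaining, plan = list(edges), []
    while shadow_admins(remaining):
        ranked = rank_revocations(remaining)
        if not ranked or not ranked[0][1]:
            break  # what is left comes from membership alone; no permission helps
        best_edge, resolved = ranked[0]
        plan.append((best_edge, resolved))
        remaining.remove(best_edge)
    return plan


if __name__ == "__main__":
    total = shadow_admins(EDGES)
    print(f"shadow admins: {sorted(total)}")
    for edge, resolved in greedy_plan(EDGES):
        share = 100 * len(resolved) / len(total)
        print(f"revoke {edge}: resolves {sorted(resolved)} ({share:.0f}% of shadow admins)")
```

On the sample data the single ResetPassword right held by the helpdesk group accounts for four of the six shadow admins, which is the shape of the "one permission resolves most of them" effect described above; a second revocation clears the rest. On a real directory the reachability check would have to be driven by the actual semantics of each right, and the greedy loop may over-count when two candidate permissions resolve overlapping sets.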