Welcome to the Cyber Talk on artificial intelligence and identity and access management. Yeah, since I guess we will win the award for the shortest title in this conference, I will give you a short overview what we will talk about or I will talk about in the next 50 minutes.
So, but before that, my name Isad and somebody just some minutes ago or some hours ago told me I should probably tell the Dutch people here: I'm not from KLM, I'm a partner at Cyrex.
And yeah, I'm gonna guide you for the next 15 minutes through several use cases in identity and access management paired with artificial intelligence that we are currently pursuing with our customers and partners.
So I'm gonna show you some advantages of artificial intelligence in this field. Probably we will have heard some of these use cases before, but maybe we can step a little bit deeper in there because we're on the way with some of our customers to get this very, very specific.
Now, after this I wanna tell you about our challenges of course, and hopefully we'll have some discussions and questions. I'll hurry up if we will have time for that. One note upfront, I deliberately avoided to give you a theoretical introduction on artificial intelligence. We've heard about that a lot, many times before in this conference. There are many, many experts out there talking about artificial intelligence who really can make a brilliant job on teaching that. We as Cyrex, we're experts in identity and access management and we definitely focus on our customers and their needs.
So this is the point I'd like to start: customers and our needs. So this is Mrs. Smith. She's quite a good example for a secondary approver of one of our customers. She's working in the banking department and as such, she is responsible for one special access right. So she is responsible to grant or to review the incoming access right assignments, but also she's responsible to check on them in a periodic recertification process. In the last years, there were several more access rights that came to her or were given to her.
And for instance, there were acceptance environments, infrastructure rights, and they were all given to her as a business owner for this access right. And she's now responsible for several more access rights and she and her colleagues have to spend some days in the year to deal with these over 500,000 individual tasks. So that's quite a lot of time that she could better invest in her day-to-day business tasks in the banking department. So if only there would be an exciting technology that possibly could relieve her.
So yeah, we've heard a lot about it. And of course the field of AI is vast and extensive. There are a lot of opportunities given here and a lot of models and a lot of technology that can help in different ways, especially since the breakthrough of generative AI. I promise I'm not gonna go through all of these different models. I'm not gonna give you a theoretical background on that. I just wanna take it to have a look on what can we do now and probably find some solutions for Mr. Smith.
Yeah, we can, we can answer questions far more than chatbots. I know we, we often discuss that and often people say, oh no, it's another chat bot.
We are, we are really way far beyond this chat bot thing because we can't really interact. I, I know you've heard a lot about it the last days, we talked a lot about it.
So we can have a dialogue, we can react to this, what we've heard before, and yeah, we can adopt also behavior, answering behavior. For instance, maybe answering behavior for access requests as a secondary approval. Let's have a look on it later in a minute.
Of course, we can automate tasks and integrate these models into processes. So how could that help Mrs. Smith?
We were thinking about this more from a data side point of view. We are thinking about her task itself.
So in this use case from our client or customer, it's that way that there's the access request coming in and you have the approval by the manager and the manager is looking at the employee and his task and his whole situation. He has a lot of things to think about before he gives his approval. But Mrs. Smith as the secondary approver,
so she's more responsible for the access right. She's looking at it from a more business perspective. So she knows her access right. And she exactly knows the information that is behind her access right.
So she knows whether it's a critical right, whether it's a privileged access right, whether there is a temporary limit. So is it only allowed to be granted for some weeks, some days or yeah, whether there are some segregation of duty criteria, whitelisted units or units that are always allowed to use these access rights. Then also she can have the request. We have only two main pieces of information here. So we know the access duration and the reason and then we have the identity who requests these access rights.
We know the unit, internal, external, whether it's a natural person, whether it's a shared account possibly or a technical account or system account. The status of this person and also the prior assigned access rights. So what I wanna say, or what I wanna point out here is we have a lot of information and it's all structured data and of course all this together helps Mrs. Smith to finally have a likelihood to approve. Based on the risk that she finds out she will approve or reject the request. And it's a perfect decision process that could be perfectly automated.
I, I mean we have heard some others talking about it before, can perfectly automate it with an AI model.
And we've researched a lot of historical data on the decisions that were made in this client or customer situation and we found out that they rejected only 5%, sometimes say five to 8% so that they don't feel that guilty. But however, it's 5%, no more rejections. So that means that they do 95, that they have 95% of tasks and questions that they don't reject. They just forward it. We don't know why they forward them.
Possibly they forward them because they of course have a very intense look on the request and decide that it's good. Sometimes they forward it because they don't have time to really observe these requests. But however, we know that there's a high number of requests that could be automated or approved. So depending on the risk appetite, we could, we think that we could reduce the task of Mr. Smith within the periodic recertification process.
Yeah, for around 30, 85 or 90%. I think that would make her pretty happy. So we know that we make you pretty happy and the request for that is quite demanding.
Yeah. And it's something that we cannot achieve by bundling access rights in business roles, which was the solution in the years before. So we always try to build better business roles and better bundle them, but think we will be much better with that. There are several more use cases that we could talk about.
I will not step into these use cases in detail as I did with the first one since the first one is, yeah, one of my, our favorite use cases that we are actually really working on, but maybe I can talk about them just for some minutes. We have the transformation of access rights.
So in the last years we often had a lot of problems with getting as-is data from legacy systems. So you sometimes get a screenshot or a PDF and then you're in the situation to have one person sitting there in the identity and access management department and he's literally trying to transform the data from the picture. So the access rights given him from the picture, Bloomberg is a beautiful example that we often see.
So, and he's trying to transform them in a way so that the identity and access management system can make a reconciliation afterwards. That is quite time consuming and we know that there are pretty nice also generative AI models that could, you know, analyze the picture or analyze the PDF, PDF would be easier but the picture, and transform it into a machine readable format. And so we could process that.
I think it sounds easy, but it's, yeah, pretty nice if you could give this one person another very good task and job.
For many years we worked on this privileged access management topic and issue. We always thought about what we're gonna do with these videos. So I think especially in the high regulated market, that's where we are mainly having projects. We always had the problem, who's gonna look on all these video materials?
So yeah, we log them. Yeah, we have these video logs and files, but yeah, often we just look there after something happened and then it might be too late. So how do you say computer vision really hits its limits here in the latest years, but now we have really a progress with generative AI and we can now have these video sequences analyzed by a generative AI system for instance.
So why don't we ask the system, the program, what is in the video sequence, what is in there and maybe we can compare it afterwards. That's what we're trying now to with the ticket information and the use.
And then we can react very quickly and say whether we skip that, whether we interact this session or have a four-eyes principle. That might help to get a little bit deeper here.
Finally, I have to look the time finally we had the chat bot. I will do this a little bit quicker because I think everybody has enough imagination what this could mean.
I mean we have a knowledge holder here. Somebody who really comes in, knows the specific language, the specific processes of the company, of this special identity and access management system that is in place. I mean it would be amazing since we often find identity and access management teams in the IT or in the operation units and it's not that service oriented as it maybe should be.
So having a really good chat bot could help customers in the business units on the one side, but also the identity and access management team.
Since we often find colleagues searching around for, you know, process documentation and a lot of other tickets, JIRA tickets or something like that, to find out whether it's a bug or whether it was requested 10 years ago, it would be nice to have somebody to ask. Finally, we have a lot of head monopolies in these teams. So people who are staying very, very long in these identity and access management teams, often they are external.
I mean, me speaking as an external consultant, that's nice, but I think it can be better done and would come back for other projects. We prefer that.
However, identity and access management is a very predestined field for artificial intelligence. So we have use cases that impact the whole company and everybody has to do and to deal with identity and access management in the companies.
I know it's not for you, but unfortunately the tasks are unpopular for many, many other people who have to deal with them. So there's a lot of chance to really help the customers here and we have a lot of patterns, we have a lot of reputation. We have gonna be a little bit faster.
We have data and technology, we have data that was stored for many, many years since we always needed the audit trails and since we have a lot of regulation here in the last years, there is kind of quality in the data. And what I really like about it is the data is owned by the organization itself. So you don't have to go and find some other places or sources for your specific data. So everything is there. You could just go and start setting up your AI, but why don't we see more use cases and why is AI not the first use case that they go for and try to start with in a bank?
So that's what we ask our customers and we were talking about it with a lot of AI teams as well. And one of the main problems is as well the data privacy. So we heard about it a lot of times these days before, but again, identity and access management has a lot to do with personally identified data and all the solutions that we see are cloud solutions. So the AI technology that is used is often a cloud technology. So people are a little bit afraid to put all the personalized data into the cloud and start with these use cases. There are some other points.
So we don't have really, we are not really, we don't have confirmed review assessments. So that means that the auditors didn't really agree on our plan to skip the secondary approver or maybe not to skip it but to, you know, automate it.
So kind of lot of issues.
However, we think there's much power in our artificial intelligence. We see that the market is not, not in the high regulated market, that we are not still there.
We are kind of missing some tools that really offer artificial intelligence modules. But we think the reason is that you need customer status and we need to build up these models together with the customers. We need to go out there and ask the assurance or the bank to do it together with them and that's where we stand and where we are working from. So that's kind of our mission and I hope that we can go there in the next years and push that a little bit further. So yeah.
Some last words: we are Cyrex, a little new company from Frankfurt, consulting in identity and access management and privileged access management. Yeah, I think due to the time, come to our counter and talk to us, then we can tell you more about that. Thank you.
Thank you.
Okay, does anyone have any questions? Ish, do we have any online?
Two questions. What is your take on clean data as a prerequisite and data privacy issue for ai?
Yes, it would've been one of our contra points or points where we say that's kind of a challenge of course. So identity and access management data, we have a lot of them and yeah, they need to be clear and I think one of the most important questions, especially with this secondary approver use case, is the question whether you can really rely on the data that we have before because we've seen a lot of this mass agree behavior.
Yeah, you have thousands of requests that you have to review. You only have a day's time or two days' time, whatever, you don't have time to watch them or to see them or check them all. And we know that there has been a lot of, yeah and there is a lot of unclear data and we have to discuss that actually because there are two different ways to see it.
You can say why would a request review from such a secondary approver be better tomorrow?
So why do I need to, you know, clean up the data because this reflects how he's kind of deciding, how he did the decisions the last years. On the other side, I would say we wanna go beyond that. We wanna go and be better and wanna have clear data and we wanna have good decisions. So my recommendation would be yes, we need cleared data and yes, we need to have a look on that.
Yeah, sorry.
Thank you
No more. Okay.
Thanks a lot.