Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm the director of the practice IAM here at KuppingerCole Analysts. My guest today is Martin Kuppinger. He is one of the founders and the Principal Analyst here at KuppingerCole Analysts. Hi, Martin. Good to see you.
Matthias, pleasure to be here again for this podcast.
Great to have you. And this time we are covering a topic which is getting more and more important. But I don't think that this is something that everybody already has on their radar when it comes to talking about current topics. And one of the current topics, of course, is machine learning, is AI, is ChatGPT, is generative AI, and this is getting more and more traction in traditional business processes, so there's more and more AI in there. So how has the role of AI in business processes changed and why is there a need for adding an identity layer to AIs in business processes? And this is our topic for today.
Yeah, I think there are two two huge topics because the first part of your question is, how is AI impacting business processes? That for itself probably would be a topic for a series of ten podcasts or so. And then you bring up the question about the role of identity in there. And so so basically, when we look at business processes, we learn more and more that there's a very significant potential of using AI backed technologies and AI for augmenting users. That can be in retrieving information, providing information like when you look at all these copilot types of applications. But it's also sometimes built in more into when you look at some of the RPA. So robotic process automation style of things. So another area is when you look at all this sort of speak metaverse type of applications with augmented reality, where you use VR glasses or goggles, and then they see something around what they currently do. And also this is AI and it's in the business processes. So we see we have a huge range of applications where AI is really already there. And then we have this question about identity, and I like to call it AIdentity. So this intersection between AI and identity, for me it's a bit, probably the best phrase, AIdentity. And this is a huge topic for itself because I think the first question we need to ask ourselves is, where do identities come in and how does this play into? And when we take such a huge field, such as AI, and look at the identity pieces, then as with any complex problem, I think the best way to tackle a complex problem is, by, so to speak, disassembling it into smaller pieces and then looking at the smaller pieces. And I believe there's quite a big range of use cases where identity plays into AI or the other way around.
And I think it's not as easy as all these visionaries envisaged way back in science fiction in the movie that is as old as you and I and Martin are, that there is a scene where the AI, the computer Hal says as an I, Sorry, Dave, I am afraid I can't do that. So, two times the word “I” in there. But the I way back then was just one computer. It was Hal, I think the problem today, when we look at machine learning, at AI, it's much more complex. There are various types of identities when we talk about AI, what are these?
What are these? I think this is the big question. And so when we when we look at this, then we are seeing also more and more use cases where we, for instance, are using tools like the large language models, like ChatGPT in concrete use cases. And that also then typically includes that we for instance, add something which is called RAG. So where we then really start adding our own content in a more private manner. So it's not the one, ChatGPT only we are working with, but we are using a sort of a mix of own private content so to speak which is protected and other content. And that already means that also ChatGPT in some way or the solution is acting in a specific incarnation. It's not the ChatGPT, which then may say, “I as ChatGPT will do that”, but it's it's really multiple incarnations of that. And I think this is part of it. But I think we also need to think a bit further. And when we think about AI then it means we as humans may at some point have something, an avatar, an agent, whatever, that acts on behalf of us. So there's Martin and there's Martin's Avatar, or maybe many avatars of Martin. And so then we have already identities we need for these avatars which are linked - that's a relationship thing - which are linked to Martin's identity. And that means we need to understand how these relate, but also what - and that’s then the next question - What are these avatars allowed to do or not? On the other hand, when we look at, for instance, let's say connected vehicles, smart traffic, then we have a lot of autonomous entities that are communicating with each other. Not only the vehicles, but also traffic control systems with all the entities, with traffic control systems, etc. And then things are communicating. These things have identities. And by the way, there's still someone in the vehicle. Today, usually it's a driver that is still responsible, that has a very interesting relationship to the vehicle about what the vehicle is allowed to do and where the driver needs to step in actively, etc.. And again, we need to understand this. We need to understand which identities are there, how are they related and also who has control about these, what are they entitled to do or not. And then going further down. And that goes surely beyond identity. But it also has to do with the identities. There are legal aspects, liability aspects, etc.. So I think what we really need to do is we need to deconstruct this and look at the different types of use cases to understand, so to speak, which types of identities we need and which relationships they will have. And this is, I think it becomes obvious from the first few things I have mentioned. This is a very huge challenge and it's a complex challenge because it means we're talking about identities of things, identity of humans, identity of, let's call it the broadest sense, services. So the avatars, etcetera, in some way are our services. We talk about relationships and we talk about a lot of things around entitlements and about liability, etc., etc. And trust, at the end of the day. Can I trust the avatar of Martin?
Exactly. And I think when we talk about “traditional” identity management, we are talking about people being represented in systems. So we get to these traditional things that we all know about, about lifecycle processes, about understanding what trust means, how secure, how trustworthy an onboarding process was. And I think all of this, including access, but also, as you said, liability, trust, responsibility and traceability afterwards, these are aspects that we know from traditional identity management when we talk about people. This was Matthias who committed that action within that system, and that exactly needs to be mapped to an artificial identity world, but appropriately, understanding their individual life cycles, their individual access, their relationship to to other identities, including human ones. And I think we can only today in this podcast, just scratch the surface of that topic. But it's getting much, much more important when we talk about identities, because tomorrow we will be asked who approved that loan request, and if it was an AI, if this is possible, it should be documented somewhere because the auditors will want to know.
I think “map”, this is a way too weak term here because in some way it still resembles, or means, we use what we know today and we apply it to it. I think it's way more about “evolve”. So, and this is not limited to the AI part. It's including the identity of things and dealing with autonomous systems, with digital doubles and maybe also digital twins, which are two different things. So the digital double is more my avatar for me, the digital twin is something which is more used in the IoT and the OT, and the technology world, etcetera where it comes to representing physical goods, sort of as a software, as the digital twin of the physical thing. So at the end of the day, I think it's more complex because it's also about way more complex relationships. On the other hand, I strongly believe we can benefit from that when we do it right because that will enable us to have the means to, at the end, control the limits of AI, of autonomous entities and way better than when we don't have this concept of identity and access entitlements, however we would call it another place where we need it, I think, to to to make it work. And we need it from the very beginning. And we need to understand that there are, for instance, different incarnations of AIs that are acting in different ways depending on who, so to speak, owns or controls them or... Yeah, is the current user, or the current owner, again two different concepts. And this is, I think, a lot of work, a lot of stuff we need to think about, but I believe we can get - we need to do it to build the foundation for governance and control and security of what we are currently developing in various areas.
Right. And what we are observing in some areas at least is still some kind of Wild West period of integrating machine learning, AI, into our business processes. And as you've mentioned, getting a grip on responsibility, on compliance, on control and management of that starts with adding unique identity and identification to a process that is acting either autonomously or on behalf of a person, even if that scales at a very large level, if there is lots of volatility in there, we need to understand what responsiblity, what control, what compliance means also in that area. And it's not only mapping, you're right, it's translating the principles that we've learned before to a changing world, including these new types of identities. We need to understand how to map them.
And the entire thing is really huge. And I think this is something we also need to understand. And we probably also need some means of..., I think ITDR isn’t exactly the right name then, identity threat detection and response, but the analytical capabilities of... Is something, be it an avatar being a piece of autonomous device, etc., acting on behalf of me, then I also should learn about, this is going off limits, so to speak. It can't be just that we say, okay, let's do this thing, happening or on behalf of the organization, working on behalf of the organization. We need mechanisms that also build a control layer here.
And if you just drill down to one simple example, if I have a support case with a product that I've just bought and I go to the website of an organization and there's a chat bot and that chat bot acts on behalf of the organization. And it gives some information to me and I act upon that and something goes wrong or the product is broken or it's just plain wrong, or even maybe mentioned in a way that is inappropriate towards a human person, there needs to be responsibility. If this chat bot misbehaves, if it gives false information, there's liability. So it has to have an identity. It needs to be understood what went wrong and the organization after that needs to take responsibility. So there is an identity to that chat bot.
Yeah. And there might be even, again, somewhat complex relations because there might be someone who provides the chat bot and, so to speak, even manages the chat bot on behalf of someone else, etc. So when I make an appointment with a doctor, there tends increasingly to be a chat bot, when I do that online. So and there's a service provider behind that chat bot. So, there's the service provider, there's the doctor, or many doctors and me and many other patients. And by the way, an area which is also quite sensitive from the privacy aspects. So I think, a ton of interesting questions. The best way to tackle it, to come back to that, is to really understand on one hand what do we need from, I would say, a control and governance perspective and on the other hand, to sort of deconstruct the entire thing,
disassemble the entire thing into the use cases, into smaller pieces we can better understand. They sometimes still very big, when you look at smart traffic. Again, you need to disassemble smart traffic into pieces to get a grip on it, because it's so complex, because it's not the connected vehicle, the connected vehicle is from an identity perspective, a very complex network of connected things with their identity and parties around that, humans, organizations, etc., insurance companies, leasing companies, drivers, police, whoever. And this is, I think, where we really need to start. We need to understand identity is a key element in addressing security and safety for our future AI powered, connected world and we need to understand which role it plays and can play in which use case and how do we sort of have this control and governance planes set up that really make it work?
Yeah, and I leave it with that. I think that really has shown the scope of what we are talking about. If somebody thinks that that identity is a solved problem, yes, it might be for people. But there are a lot more identities that we need to consider and just watch the space. We at KuppingerCole Analysts, we will work in that area and hope to support you in that. We will cover that area and we will continue that work. So watch the space. AI identities or AIdentities as you have coined it, I think this will be a topic that will evolve very strongly and we will have the need for identities to achieve a proper management and control of these AIdentities wherever necessary. Thank you very much, Martin, for being my guest today. Any final thoughts?
Many, but I think too many too to bring all of them up. I think it's very important, start thinking about AIdentity, take this in earnest. It's important to unveil the potential of AI and other emerging technologies without losing control. Thank you Matthias for inviting me.
Thank you very much, Martin, Bye bye.
