Hello. Good afternoon. Thank you for your time. Thank you for joining me. But first of all, have you been to the Jet G P T workshop that we've done? Have you seen what Patrick Parker can do? But this virtual video wasn't that great. That was really good. Generated from A to C. Very well done.
Thank you, Patrick. Good version.
So, okay, just kidding. Sorry. AI and machine learning and identity and access management. I'm looking at this from a slightly different perspective than, than Christiana did that.
Okay, this works. Okay. I will start out with a few words on terminology and basics, but just to lay a, a common foundation, I will look, have a look at use cases in iga, so I will get much more to the core of what we are doing as I am IGA professionals on a daily basis. And then the next step will be to assess these use cases.
What is my aim for this presentation? When you leave this room this afternoon, hopefully you have a means of assessing use cases for your own organization and to understand where they can provide benefit.
And if these are ones that can be immediately purchased by some of the vendors that are around out there in the exhibition area, or if this is something that you want to build, can build and can achieve some additional value within your organization by creating, building a new solution, combining maybe different data sources. So that's the idea, getting some help into decision making processes for the use of AI and machine learning in iga. That's my my goal for today. That you have a, yeah, a means of measuring two minutes for terminology.
This is, these are some rather old slides. They age well. This is good. First term is general ai.
This is a vision for many dec decades and this is something that many organizations and many people have been dreaming about for their whole life. I mentioned that yesterday in the, in the presentation for the, for the award ceremony. I have studied artificial intelligence in the late 1980s. So and finally we're here.
And even then, way back then, they were dreaming of that singularity, that general ai, it's the ability of a machine to intuitively react to situations that it has not been trained to handle in an intelligent way, in a human-like way. And it does not exist as of now. Discussions are around that I would still contradict since the late 1980s.
So ignore general ai, move over to narrow ai. This is machine learning as an example. Not the only way, but this is something where we can really say this is different because AI machine learning really works.
And what are some criteria to look at when we are looking at narrow AI as machine learning? First thing is you have to have codified training or a codified experience. You use something again and again to train a model, a machine learning model with that codified experience and learn over time. So it enables the program, the model, the ai, the machine learning model to independently complete the task that it has been trained to do. So the training second applicability, we are business people, most of us are. So it should be something that makes sense.
So it addresses a specific task, a repetitive task that aggregates ideally complex data so it can work with existing data.
And finally, the desired value, business value. So what you do really actually adds to what you want to do. It adds to your business, to your business proposition. It leverages maybe significant cost savings or you get better in processes, whatever. So this list could be extended.
So, but there's business value in the end. We are doing not that for art's sake and our free time maybe playing around with j g pt, yes. But when you do this in business, that needs to be a business value. And when does machine learning really shows show its strength? This is the case when you have these characteristics, a oh, this is an old version of the slide deck, access to historical data and a lot of data. The more data the better jet gtp, G P T 45, 4 0.5 terabyte of internet as training data. A constant flow of realtime data.
So to compare with the training data, realtime data, learn from the act upon it and a repetitive task to be completed. Repeat, repeat repeated from last slide. And ideally a limited scope of control. So if something goes wrong within your model, it does not have influences to the outside world
Use cases in iam. That is actually what we wanted to talk about. We have seen that before, but that was on a higher level. I'm really driving deeper into what can really be done in IM, and maybe what some vendors, if you go outside there actually already have as products identity analytics.
That is what they call that. So it's based on what we know from access analytics, traditional access governance functionality, but using machine learning to analyze digital identity data, identity data from multiple sources. The idea is to identify patterns and the behavior to prevent security threats, improve compliance and identify risk gaps. This is where you can add a layer of machine learning on top of that that is available. There's something you can buy. Is there a business value for you? I don't know.
You have to decide risk based authentication, not the IGA part, it's the iam, the access management part.
So adding on top of what Azure AD does and when you're doing authentication processes, adding another level of intelligence on top of that to take into account additional contextual factors, network, strength of authentication, time of day device, whatever. So you really can use that for denying access, requesting additional author authentication steps, et cetera. This is around, you can buy that adaptive access. This is access, this is more than authentication.
It's really machine learning, being able to monitor and analyze the user behavior over time and to identify if this behavior changes to something undesirable, unwanted, unexpected. This is something that is around predictive identity. Now we are getting closer to Philip k Dick and getting to minority report, identifying to protect or to predict that something happens maybe tomorrow. Matthias has behaved yesterday, very normal today was weird. Let's see what he does tomorrow. So being really predictive in that case and the there are solutions around that already as well.
But this of course has a more, yeah, a darker tone to it. Identity verification, very different area. But you can today use machine learning mechanisms to really use that to extract data from state, state issues, state issued ID cards and, and or for example for for face detection, et cetera, and ocr. This are all, this is all today based on machine learning and trained models that support their all. These are AI machine learning models that can be used here. I have to speed up password management. This is a bit, a bit of a weird one.
We are applying tomorrow's technology, machine learning to yesterday's authentication mechanisms, passwords. But nevertheless, there are mechanisms around that help you in identifying bad passwords and identifying bad password at admin time. You do not want to use that password.
You might, if you need one, take another one. That is the idea between password management and also reset mechanisms here.
So this is the sixth use case. So we are getting to the next three and this is good that Martin is not in here. Entitlement management, role management. So all of these solutions that currently are in the market are more or less aiming at supporting organizations systems in getting better in managing roles as an author authorization mechanism. And this is something that helps dealing with complexity. Complexity that we created and that we cannot deal with anymore.
So we really have support in getting better in slicing rows, cutting down rows, eliminating rows and splitting them up, et cetera, et cetera. So it's really ideally even oil mining, getting to rows, although we wanted to get rid of them from existing usage patterns and assigned entitlements within applications to get to business roles.
So yeah, this is to mention it, at least we've heard that before. Peer recommendations and verification. This is usually something that we as analysts really do not recommend to say, Hey, this guy is a colleague of that lady. She has these entitlements, he has all of them, but one, let's add that as well. Peer recommendation, they have it, you should have it as well. And he has one that she does not have. Doesn't need that. Remove that. So that is recommendation and verification on a peer by to peer basis.
The Analyst don't, but there are mechanisms that do this and access recertification, of course everybody loves this exercise at by the end of the year, being a line manager, getting huge excel lists and trying to identify why this person has this access and it needs to be ticked off.
These were all traditional.
For me, more or less traditional use cases in IGA scenario where machine learning helps in solving problems that we have. Because IGA is as it is, there are more modern use cases which have not yet well been covered within systems and where we can get better. We have heard that before and I really like that part in that present.
I like the presentation at all, but, but, but this was really good because conversation and generative AI has not yet arrived in AI and machine learning applications good with Patrick is here, but, but I think this is something that can contribute mass massively when getting better at processes within IM and iga for example, for supporting support the help desk, if there is a ticket coming up related to IM, and that has been solved in a similar manner for 20 times already.
This should be something for a machine learning process that just spits out the complete solution and hands it over to the help desk guy or lady or to the one who raised the ticket. That is really something where Im IGA can be supported by reducing errors and simplifying solutions and intelligent onboarding, really helping when you have large levels of fluctuation, onboarding contingent workers, onboarding remote workers, somewhere else. Just supporting the onboarding process by having guidelines, having yeah, some, some rules to help them in getting more quickly into the system.
This is not technology in itself, it's really conversational style onboarding, leading them the right way without any way out to the left or to the right. So to be more efficient there. So we are getting to my final use case, which is not a use case. We are not yet there. These are just the early stages of a AI and machine learning supporting in iga.
So more important is what your ideas are, what my ideas are, what the vendor's ideas are, and what huge Im IGA deployments owners ideas are. So this is more important. And when we have these ideas, we want to assess them.
We want to understand how these use cases behave in terms of cost, business value, timeline to implement data available, et cetera, et cetera. And this is what we look at. First of all, again, we have seen that before and we have seen that guy before, trustworthy data and lots of it is the foundation of value. So if you want to create value through the application of machine learning, you need to have the proper data to train with. Or you might have data that is transferrable, but, hmm, I wouldn't buy into that. So you want to train with your own data. So the question is, is it available?
Do you have it? Can you make it available?
If so, good. If not, maybe not. Second one again. Now Martin would be proud of me. Can machine learning cure inherit problems of static authorization? Static authorization is roles, recertification, role models, applying roles, everything like that. SOD rules as I've, as we've seen a full page of my, my use cases was full of dealing with roles and getting better with roles. So yesterday's authentic authorization process is being cured by machine learning and ai. Maybe this is not in the long run, something that you want to achieve today.
It can help ease immediate pains, but maybe you want to move towards more modern, more adequate authorization models and ai, machine learning can help there as well. Maybe that is the way to move forward. And role management might be short site trip, but we return to the proper way of the future, which is policy-based access, generating value through ai, machine learning.
And IM and iga, this is a slide that could be something that could be put on every slide when you evaluate a project or a project proposal.
But in the end, this is what you want to achieve and oops, there's no, okay, okay, no, no. Laser pointer added functionality is important. Does it really add new functionality that could not be done in any other way? Helps. Does it help in efficiency automation of course. Does it help in increasing your security posture, your compliance, the way you mitigate risks? Where whenever this is a yes, then you might want to look at that and I, I think that's not fair user experience on the last position on that slide. But making your audience more happy.
Augmented request and approval processes, passwordless and seamless authentication based on machine learning as a supporting technology, maybe that can help. And I promised that you get something like an assessment tool at the end of this presentation.
Assessing the use cases is of importance and I just started as an Analyst. Either we do graphics or we do mattresses. So this time we do metrics. And on the left side I have the use cases.
On the, on the axis I have some criteria, and this is far from being complete, but just to give you the picture. So we have from top down, entitlement management and role mining, predictive identity and intelligent onboarding as three examples and criteria to imply apply. I just chose the first four that came to my mind first. Is there value or even new functionality? Is the data available? How much AI is in there or is this just pattern matching plus a bit of something and does it heal the root cause or the symptoms?
And if we go quickly through entitlement management and road mining, high value, but really not new functionality.
We're just dealing with old problems. Data available depends on you. How good is your role model? How much ai, medium to high depending on the implementation. Does it cure the root cause or the symptoms? The symptoms you should deal with the root cost, which is role management, predictive identity, quickly, medium value, but new data available to be identified. Do you really have insight into what the user is doing at runtime? How much ai? Probably high root cost.
And the same is here. Root cost for intelligent onboarding high, depending on the regular employee turnover. If there are many changes, you can create good value, if not, not data available to be identified and how much AI you need to do a lot. And then you use ai. So I think it's medium. Final slide. One minute.
Okay, final thought when you want to apply machine learning to your IAM iga.
And we are talking about access management, we are talking about security, we are talking about governance and compliance. You need to have trust into what's going on into your system or in within your system. If your auditor comes around the corner and says, why did this happen when within your ai, AI controlled IGA system and you say, I don't know, machine learning did that, I think they won't be happy. So you need explain explainability. You need trust.
So efficiency, intelligence and automation for iga, nice without traceability I think in that area is not an option.
So you see that guy carrying that black box. If this is your machine learning model with the data that you have trained it with, you need to look inside that black box. You need to understand what's going on because your auditor, your cso, your regulator will want to do this as well. And they will ask these questions, you know, all of them. So in the end, you need something that is not yet really solved And it's, it's the more it gets critical, the more this is critical.
You need explainable ai. You need to understand why the machine learning model does what it does. There are new solutions available that control this black box where you can say, this was unexpected, this was wrong. Let's change the model, let's change the behavior. This is a very early stage. We are not yet there, but there are some products that actually allow for that. So that would be a way to move forward. There's lots of value to be earned with using AI and machine learning within IM and iga, but I think this is most probably the most important slide.
Make sure that you understand what's going on because chat pt, having having nice, surprising results is great. Surprising results in your IGA might not be what you want to have. Thank you.
