A day in the life with AI-powered identity security: Building a smarter access model
With all the headlines and noise about AI running rampant in the news and on our feeds, we want to anchor the AI discussion around the real and practical ways that AI can help your organization through its identity security challenges. The rapid proliferation of AI is creating historic levels of innovation, but it can also contribute towards growing security risks, especially in the realm of identity. In this interview series with identity security and AI experts, let’s discuss identity security issues many organizations experience on a regular basis. We will also walk through the ways SailPoint’s offerings and the AI capabilities that power them can bring value and practical solutions to these common issues that many organizations of diverse sizes and industries experience today.
A strong role-based access model is the foundation of an efficient and secure identity program. However, for most organizations, creating and maintaining roles is a painfully manual, expensive, and slow process that can't keep up with the pace of business and scale of identities. The result is often an outdated, bloated role model that creates security gaps and frustrates users. What if this entire process could be transformed by intelligence and automation?
I sat down with Alec Gruss, Senior Product Manager for Access Modeling at SailPoint, to discuss how AI-powered access modeling is helping organizations build and maintain better roles with a fraction of the effort.
HP: What are the most common day-to-day challenges and frustrations for identity teams when it comes to creating and managing user roles?
AG: The biggest pain point here is that access modeling is historically a very slow and manual process. It's been a process that up until recently, and for many customers, still is done in spreadsheets, and it's very error-prone. As companies are onboarding more SaaS applications, it has just become excruciatingly difficult to keep up with the scale. Customers historically have paid consultants good money to build out roles, and from the moment the consultants are done and the handover occurs, the roles they've built start growing stale as new applications get onboarded and you have joiner, mover, and leaver events. If you don't have a dynamic access model, which is not achievable using manual processes, you're just not going to be able to support use cases like least privilege. On the whole, what many organizations are left with is just a complete lack of visibility of their access model.
HP: What is the problem of "role sprawl" in the context of access modeling? How does SailPoint’s Access Modeling help prevent and clean up the mess of having too many unnecessary roles?
AG: Role sprawl is an accumulation of roles over time. You can have new people that take over identity and access management that build new roles that may be similar, in some cases identical to what was already there. If there is an acquisition, the access modeling coming from this new company oftentimes is not merged, so now there’s another parallel model for the admins to figure out. There are these scenarios where you end up with not just two or three, but as we've seen in our analysis, 10 or more roles that are quite similar. This redundancy is a direct result of building static roles that can't really support joiner, mover, leaver events.
What we can do to support that, in the most fundamental sense, is build roles that support these events by including role membership criteria. Now, where AI comes in is both in the role discovery process and in role hygiene, which is keeping roles current as people move from job to job and new tools become part of a role. When we launched Dynamic Access Roles, that was in response to a lot of our customers that have what you would call multi-dimensional roles. Think of a nurse. The 'nurse' role is the core role, but then depending on the shift, what floor, whether it's pediatrics or oncology, the access that is given varies, even if the core job title is the same. Dynamic Access Roles allow you to get much more granular with attribute-based access control to support those events and that role hygiene. With AI discovering roles that are actually relevant and helping to clean up roles that are not, the access model becomes much cleaner and usable.
HP: How does SailPoint's AI-powered approach to access modeling practically solve the manual, spreadsheet-based, traditional role management frustrations?
AG: The mission of Access Modeling is to help customers get from that manual labor sitting in spreadsheets into intelligent automation. The core of our adaptive identity vision is really an access model that has a lot of areas of automation driven by what we can do with our AI and ML capabilities to provide customers with data-driven insights. It's not just guesswork; we're encoding best practices and providing the data to go along with that. A great example is using usage data to help customers get towards least privilege. So, what we aim to do is build a living, breathing model that evolves with our customers and that is calibrated along the way.
HP: That sounds powerful. Can you give me a 'day in the life' example? How does an admin responsible for building out a role model use this to do their job better and faster?
AG: Absolutely, let's put ourselves in the shoes of an identity admin, Maria, whose company just acquired a smaller company. The M&A process historically involves weeks and months of meetings and, again, spreadsheets to figure out what roles these new employees will have. A major pain point is that a lot of times we'll just see these parallel structures be left in place, further muddying up the access model.
Today, Maria would use Role Discovery to identify roles for these new employees. What Role Discovery is doing is looking across access patterns of the identities and the access they have to find good roles. And we're not talking days or weeks here; we're talking hours to days. We see customers reduce the onboarding experience of, say, new hospitals in the healthcare space from over a month to just a few days. She can start with 'common access' to handle the 80% of access that is birthright, which gets people up to speed very quickly. She then has time to refine with specialized roles and pull in usage data to actually start to get to least privilege, not after 18 months, but after a few weeks. The platform would have helped her get the majority of basic access ready to go right away, and then she can focus her valuable time on the special and niche cases, which is where she is most needed.
HP: Let's break that example down. What are some of the specific, AI-powered capabilities that make this shift to easier and quicker access modeling possible?
AG: I'll highlight this through the pain points our Access Modeling helps solve. We used to get the question a lot: 'Where do I start with access modeling?' Role Discovery is that place. We have a feature called Auto-Scoped Role Discovery that has an ML algorithm that looks across your entire tenant and suggests good, high-quality roles — meaning they're unique and have a well-defined, significant population. It solves that 'where do I even start?' problem. To solve the 'day one productivity' pain, we have Common Access Roles. This feature bundles common, birthright access that an employee needs to be productive on day one. For the 'Are these roles any good?' problem, we have Role Insights. Building on our peer group analysis, activity data and Identity Outliers data can help keep these roles current, both in right-sizing them if access is not used, as well as suggesting new access be rolled into a role as new tools get adopted.
HP: It seems like the quality of the AI's recommendations is critical. What kind of data powers these insights, and how does it lead to building better, more secure roles?
AG: The answer to that question really starts with data quality. We strongly recommend investing the time to build out data quality, and specifically, I'm talking about enriching the context — the identity attributes and the metadata around access, both for roles and entitlements. The better the context, the better the explainability is to understand not just who has this access, but what this access is. From there, usage data from our Activity Data Insights helps with the question, 'Okay, how is this access being used? Is it being used at all?' That's something that helps with right-sizing roles and using explainability to drive a high-quality access model.
HP: When you automate complex tasks like role creation, how do you ensure safety and maintain human oversight?
AG: This goes back to one of our core design principles, and that is the human in the loop. I really see the strongest teams as the human-and-AI teams, where it becomes about augmentation. The AI is there to augment what the human is doing. The system can make recommendations and suggest roles or updates, but it is then up to the human to decide if the suggested roles do fit into what they want the access model to be. It's really about empowering the human as the expert and giving them the best possible tools to automate the manual work that can be automated and letting them focus on the business knowledge and context that really makes up that final 10% of more specialized roles.
HP: What is the real-world business impact of deploying this kind of AI-driven access modeling?
AG: Time-to-value is huge. We hear from customers all the time that a process that used to take a month or more is now down to just days. A well-maintained access model also significantly strengthens your security posture by enforcing least privilege. It also accelerates business agility because you're spending less time on manual tasks and really leveraging automation to think strategically. Finally, it simplifies the compliance posture and helps simplify audits. We are increasingly hearing from customers that they want to reach the maturity stage with their identity security where they start doing role composition certifications. These massively reduce the number of certification line items that have to happen, which simplifies and speeds up the auditing process.
HP: Is this the end state, or just the beginning? What is the long-term vision for AI in access modeling and role management?
AG: No, this is absolutely an evolving thing. The access model will still use roles as an important component, but we see AI being able to be much more proactive about suggesting new roles and who should get access. We see groups of products moving into a much more proactive state, and we see this becoming much more of a self-driving, self-healing access model. Roles that are becoming stale are highlighted by the system before they are stale. The goal is to have a role model that will maintain itself, with human experts managing by exception and setting the framework for how that autonomous governance happens, but where humans are very much in the driver's seat.
HP: What's the most important thing for a CISO or identity leader to understand about the potential of AI-powered access modeling?
AG: The biggest takeaway is that a strong role model is the foundation of any scalable identity security program. What is clear is that spreadsheets are not an appropriate tool anymore. At the scale of SaaS offerings and with the advent of AI agents, leveraging the full capabilities of AI is the only practical way to build and maintain a role model in the modern enterprise. It's impossible to achieve things like least privilege or pursue a Zero Trust framework without these things in place. AI-powered access modeling isn't a futuristic concept; it's a practical tool available today that transforms your role management from a costly, manual chore into an efficient, intelligent, and continuous process.
Building a living, breathing access model
For most organizations, building and maintaining a role-based access model is a slow, manual, and error-prone nightmare. The traditional process, often managed in spreadsheets and based on outdated interviews, simply cannot keep up with the dynamic nature of modern business. Doing access modeling the hard way results in "role sprawl" — an accumulation of unnecessary and overlapping roles — and creates significant security gaps, leaving the principle of least privilege as an unattainable goal. This manual effort not only drains resources but also hinders business agility and complicates audits.
SailPoint Access Modeling in SailPoint Identity Security Cloud transforms this painful, static process into an intelligent, living system. By leveraging AI to analyze access patterns and usage data, it moves role management from the world of guesswork and spreadsheets into the realm of data-driven automation. Identity teams can rapidly discover and create high-quality roles, right-size permissions based on actual need, and maintain a clean, effective access model that evolves with the business. It turns the core of identity security from a manual chore into an efficient, continuous process that strengthens an organization's entire security posture.
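As an added illustration (not code from SailPoint or from the interview), the toy script below runs the three operations the interview describes over constructed sample data: deriving a birthright 'common access' bundle from access patterns, flagging near-duplicate roles as role-sprawl candidates, and right-sizing a role from usage data. The 80% birthright threshold, the 0.7 similarity cutoff, and all identity, role and entitlement names are assumptions made up for the example.

```python
"""Toy access-model analytics on constructed data: common access, sprawl, right-sizing."""
from itertools import combinations

# Constructed sample: identity -> entitlements currently assigned.
ASSIGNMENTS = {
    "alice": {"email", "vpn", "hr-portal", "ehr-read", "ehr-write"},
    "bob":   {"email", "vpn", "hr-portal", "ehr-read"},
    "carol": {"email", "vpn", "hr-portal", "ehr-read", "pharmacy"},
    "dave":  {"email", "vpn", "hr-portal", "finance-ledger"},
    "erin":  {"email", "vpn", "finance-ledger", "finance-approve"},
}
# Constructed sample: existing roles, including a parallel one left over from an acquisition.
ROLES = {
    "Nurse": {"ehr-read", "ehr-write", "pharmacy"},
    "Nurse (acquired co.)": {"ehr-read", "ehr-write", "pharmacy", "legacy-print"},
    "Finance": {"finance-ledger", "finance-approve"},
}
# Constructed sample: entitlements each identity actually exercised in the review window.
USAGE = {
    "alice": {"email", "vpn", "ehr-read", "ehr-write"},
    "bob":   {"email", "vpn", "ehr-read"},
    "carol": {"email", "vpn", "ehr-read", "pharmacy"},
    "dave":  {"email", "finance-ledger"},
    "erin":  {"email", "vpn", "finance-ledger", "finance-approve"},
}

def common_access(assignments, threshold=0.8):
    """Entitlements held by at least `threshold` of identities: the birthright bundle."""
    counts = {}
    for ents in assignments.values():
        for e in ents:
            counts[e] = counts.get(e, 0) + 1
    n = len(assignments)
    return {e for e, c in counts.items() if c / n >= threshold}

def jaccard(a, b):
    """Set overlap in [0, 1]; 1.0 means the two roles grant identical access."""
    return len(a & b) / len(a | b) if a | b else 0.0

def find_similar_roles(roles, min_similarity=0.7):
    """Role pairs whose entitlement sets overlap enough to be merge (sprawl) candidates."""
    return [(r1, r2, round(jaccard(roles[r1], roles[r2]), 2))
            for r1, r2 in combinations(roles, 2)
            if jaccard(roles[r1], roles[r2]) >= min_similarity]

def right_size(role_entitlements, members, usage):
    """Split a role's entitlements into (used by some member, used by no member)."""
    used = set().union(*(usage.get(m, set()) for m in members))
    return role_entitlements & used, role_entitlements - used
```

In a real program the thresholds would be tuned per tenant and the unused set would feed a review, not an automatic revocation; here it simply surfaces the `legacy-print` entitlement no nurse has touched.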
Ready to build a smarter and more secure access model? Learn more about how Access Modeling can help you.