A day in the life with AI-powered identity security: Transforming compliance management
With so many headlines about AI in the news and on our feeds, we want to anchor the discussion in the real, practical ways AI can help your organization with its identity security challenges. The rapid proliferation of AI is driving historic levels of innovation, but it also adds to growing security risk, especially in the realm of identity. In this interview series with identity security and AI experts, we discuss identity security problems that many organizations experience on a regular basis, and we walk through how SailPoint's offerings, and the AI capabilities that power them, bring practical solutions to issues common to organizations of many sizes and industries.
Meeting regulatory compliance on a global scale is a formidable challenge. The process is often manual, resource-intensive, and prone to human error, creating significant financial and operational strain. For security and IT teams, the constant pressure of audits and the complexity of maintaining compliance can feel like a never-ending battle. What if you could shift from reactive, periodic audits to a state of continuous, automated compliance?
Today, we're speaking with Aaron Andrew, Product Manager for Compliance Management at SailPoint, about how AI is helping organizations move towards that reality, transforming compliance from a business necessity into a strategic advantage.
HP: What are the biggest day-to-day headaches and frustrations for teams responsible for compliance?
AA: The largest one I often hear is the volume of decisions that have to be made, often called 'cert fatigue.' Basically, it’s when customers and prospects have possibly millions of decisions they need to make on a quarterly or annual basis and they do not have the mechanisms to make those decisions quickly or efficiently. You may have a small number of system owners for a certain application who then go review thousands, tens of thousands, or hundreds of thousands of decisions around access in a very short period. So, customers are often asking how we reduce the number of decisions being made, how do we enable good reporting, and how do we make sure that those decisions happen in a timely fashion? There are various security controls and regulatory controls that overlap. Customers are also trying to figure out how they make sure that they’re not, for example, certifying the same access as a part of both controls, and that they’re truly just certifying the smallest number of things necessary to also keep their company secure and compliant.
HP: Why is this traditional approach to access review compliance failing in modern enterprises?
AA: When I hear traditional approach, it can mean a couple of things. For a slightly more mature organization that has a homegrown tool or manual process, the ‘traditional approach’ can look like sending screenshots to your CISO, for example. It could be a number of other manual ways that are not convenient. These ways can take a lot of time. You're spending a lot of time literally manually managing digital paperwork, which can also take a lot of manpower, depending on the volume.
Traditionally, customers will have what we call ‘entitlement sprawl’. When you go and pull every access for every employee across every system, you get a huge number of entitlements, many of which are unnecessary for people to have, and some are extremely high risk. The challenge is trying to determine which entitlements might be problematic. For example, having read-write access is very sensitive. Or maybe your accounting software should have a very different level of control from a tool you use to have icebreakers at a team meeting. So, trying to determine which entitlements are most important to certify from a risk perspective is really a scale problem. You do not want to default to the scenario that so many are in, where they certify every entitlement for every single person just because they lack the scale to scrutinize everything.
HP: At a high level, how does SailPoint's AI-powered approach to compliance change this dynamic?
AA: One of the things that we do today is make a recommendation for the reviewers using advanced peer group analysis, data modeling, and AI-powered approaches. We can do deep peer group analysis and data-driven recommendations for those reviewers to help them determine which entitlements are most important to certify based on risk. We see that this specific identity has this entitlement and it matches closely with their peer group, so the generated recommendation would likely be to approve. If the platform surfaces that there is a strong deviation of someone’s entitlement to their peer groups, it's very easy to tell what outlier access exists, and to really draw attention to help reviewers make smart decisions around the potentially riskier entitlements.
HP: Can you give us a 'day in the life' example? An admin gets the dreaded "the auditors have questions" email. How does your approach help them?
AA: Our approach today ensures that you always have that human-in-the-loop, where there is a person who is accountable and responsible for the decisions that are being made. At the same time, our platform comes with some really good reporting tools in the form of Secure Data Share (SDS) and Access Intelligence Center (AIC). I see a lot of customers who, rather than trying to have a person play intermediary with their internal audit team, will oftentimes just give their third-party person reporter-level access into ISC and just let them get the data they need about the compliance program. It's easy to enable those folks to go pull that data themselves.
HP: How does AI specifically solve the "rubber stamping" of access reviews?
AA: I think about this as an attention problem. Rubber stamping is when people go in and hit ‘approve’ on all the access questions because they don’t have the time to really certify who should have access to certain entitlements. Our customers come to us because they want to do a better job at certifying access properly, but they just don't have the tools that they need to make robust decisions at scale. Our framework helps them focus their attention on the access that seems most odd, out of place, or risky. We're enabling them to better spend the currency of their attention on the decisions that matter most. The benefit of that efficiency is not spending time on things that are much lower risk. If there's a 70% peer match, for example, that's probably not access that an admin needs to be deeply concerned about.
HP: What are some of the other critical compliance tasks that AI can automate and improve?
AA: We have a robust product today that detects access outliers using AI. You can go in there and see that a person has been flagged as having tons of anomalous entitlements. With that information that Identity Outliers provides, you can run a micro-certification on just those outliers, as opposed to having to wait for a certification cycle. Additionally, our certification platform is immutable and logs every action a person takes, who did it, and when, which is like a tamper-proof audit trail. We have a capability today that allows you to build smart roles that you can then apply via criteria. If there’s a role that defines access that's going to be granted and it's done in a logical, automated way, admins no longer need to go and certify every single access for every single person on that role. They can go certify the policy, which can distill thousands or tens of thousands of access decisions down to a single policy decision.
HP: When you automate much of the compliance process, how do you ensure safety and maintain human oversight?
AA: Every single feature we have today always requires a human-in-the-loop. That is a core design principle we have for AI. A human must be at least aware, and in almost all cases, make an approval or hit the ‘go’ button. We're never looking to completely take both hands off the steering wheel. We want to make sure someone is at least aware of what's happening and that we can prove to auditors that some logical human eyes saw and approved of the decisions that were being made. Additionally, we have policy-based guardrails, which help to reduce the total number of decisions and combine them into logical groupings of a smaller number of decisions that are easier to track and explain.
HP: What is the real-world business impact of deploying AI-driven compliance management?
AA: Especially if you're in a legacy model today, you're going to find that with SailPoint, your teams have to spend quite a bit less time and endure a lot less pain doing manual processes. Automation allows your team to scale better. On top of that, you get operational efficiency, and there's lower risk of fines or breaches. Our tools also help customers automate and move towards the NIST standard of enforcing least privilege. So, you have the operational benefits, the massive value of the lowered risk of fines and breaches, and the improvements to your security and compliance postures. All of those benefits on their own are incredible, but together, they become exceptionally powerful. People think about security as a cost center, but it doesn't have to be. With all the ways we help customers save time, limit breaches, and decrease the chance of fines, customers end up thinking about our tools as enablers of savings.
HP: What does the future look like for AI in compliance management?
AA: We have three big buckets. The first one I've alluded to is about roles as policy. The more we can drive customers towards certifying the policy that grants the access, the more we can drive them away from having to do that 'every access for every person' review. On top of that, if people have access to things that they shouldn't, you oftentimes won't know about that until it has existed for a long period of time. So, one of the other buckets we're looking to start implementing is real-time governance. If there are violations of those security policies, we could say, ‘quarantine that access’ and then trigger a micro-certification for that access in real time as the risk is discovered. The last area we are starting to look at is autonomous remediation where the platform can start picking out anomalies and correcting access, always with a human in the loop.
HP: What's the most important thing for a CISO or executive leader to understand about the potential of AI-powered compliance?
AA: The key takeaway is that you're never going to really get a strong, secure, agile handle and understanding of the access that exists in your environment without significant investment. What you get with us is an expertise that comes from working with thousands of customers. This enables us to build the kinds of things that help customers be agile and scalable in their security posture and in their programs, and to transform a very heavy cost center into something that still is a large investment but also has a pretty significant impact on saving money, strengthening security, and automating business workflows. All of these benefits can be transformative within an organization.
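The peer-group recommendation logic the interview describes (a high peer match suggests approve, a strong deviation is an outlier worth a micro-certification, and the sensitive outliers are the ones that deserve attention first) is illustrated below as an added Python example. It is not SailPoint's code and is not from the original post: the identities, peer groups, entitlements and sensitivity tags are constructed sample data, and the thresholds are assumptions (the 70% approve line echoes the interview; the 30% outlier cutoff and the "review" band between them are a hypothetical choice). It also handles the edge case the page does not mention, an identity with no peers, by sending that access to a human rather than scoring it.

```python
from collections import defaultdict

# Constructed sample data, not taken from the page or from any SailPoint product:
# identity -> (peer group, set of entitlements). Peer groups would normally be
# derived from HR attributes such as department or job code.
IDENTITIES = {
    "alice": ("finance", {"erp:ap_read", "erp:ap_write", "sso:base"}),
    "bob":   ("finance", {"erp:ap_read", "erp:ap_write", "sso:base"}),
    "carol": ("finance", {"erp:ap_read", "erp:ap_write", "sso:base"}),
    "dave":  ("finance", {"erp:ap_read", "sso:base", "prod:db_admin"}),
    "erin":  ("finance", {"erp:ap_read", "erp:ap_write", "sso:base"}),
    "frank": ("eng",     {"git:push", "sso:base", "prod:db_admin"}),
    "grace": ("eng",     {"git:push", "sso:base"}),
    "heidi": ("eng",     {"git:push", "sso:base", "prod:db_admin"}),
    "ivan":  ("eng",     {"git:push", "sso:base", "prod:db_admin"}),
    "judy":  ("legal",   {"sso:base", "dms:contracts_rw"}),   # singleton peer group
}

# Assumed sensitivity tags (hypothetical; a real program would take these from
# entitlement metadata or a risk catalogue).
SENSITIVE = {"prod:db_admin", "erp:ap_write", "dms:contracts_rw"}

APPROVE_AT = 0.70   # peer match at or above this: recommend approve
OUTLIER_AT = 0.30   # peer match below this: flag as an outlier (assumed cutoff)


def peer_match_rates(identities):
    """Return {(identity, entitlement): rate}, where rate is the fraction of the
    identity's *other* peer-group members who hold that entitlement, or None when
    the identity has no peers to compare against."""
    members = defaultdict(list)
    for name, (group, _) in identities.items():
        members[group].append(name)
    rates = {}
    for name, (group, ents) in identities.items():
        peers = [p for p in members[group] if p != name]
        for ent in sorted(ents):
            if not peers:
                rates[(name, ent)] = None
            else:
                holders = sum(1 for p in peers if ent in identities[p][1])
                rates[(name, ent)] = holders / len(peers)
    return rates


def recommend(rate):
    """Map a peer match rate to a reviewer recommendation."""
    if rate is None:
        return "review"        # no peer signal at all: a human must look
    if rate >= APPROVE_AT:
        return "approve"
    if rate < OUTLIER_AT:
        return "outlier"
    return "review"            # grey band: neither clearly normal nor anomalous


def micro_certification(identities, sensitive=SENSITIVE):
    """Build the list of decisions a reviewer actually has to make: only the
    outliers and unresolved items, with sensitive outliers ordered first."""
    items = []
    for (name, ent), rate in peer_match_rates(identities).items():
        rec = recommend(rate)
        if rec == "approve":
            continue           # the bulk of access never reaches the reviewer
        items.append({
            "identity": name,
            "entitlement": ent,
            "peer_match": rate,
            "recommendation": rec,
            "sensitive": ent in sensitive,
        })
    items.sort(key=lambda i: (not i["sensitive"],
                              i["recommendation"] != "outlier",
                              -1 if i["peer_match"] is None else i["peer_match"],
                              i["identity"], i["entitlement"]))
    return items


if __name__ == "__main__":
    total = sum(len(ents) for _, ents in IDENTITIES.values())
    queue = micro_certification(IDENTITIES)
    print(f"{total} entitlement assignments, {len(queue)} need a human decision")
    for i in queue:
        pm = "n/a" if i["peer_match"] is None else f"{i['peer_match']:.0%}"
        print(f"{i['recommendation']:8} {i['identity']:6} {i['entitlement']:18} "
              f"peer match {pm:>4} sensitive={i['sensitive']}")
```

On the constructed data the 28 entitlement assignments collapse to 6 reviewer decisions: dave's `prod:db_admin` is the only true outlier (none of his finance peers hold it), the same entitlement lands in the review band for the engineers because two of three peers hold it, and judy's access is routed to review only because she has no peers to compare against. Note that "approve" here is a recommendation presented to the reviewer, not an automatic grant: the accountable human still records the decision.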
Transforming compliance from a cost center to a strategic advantage
The traditional, manual approach to compliance is no longer sustainable given modern business dynamics and complex regulatory landscapes. The sheer volume of access decisions, coupled with a lack of visibility into which entitlements actually carry risk, leads to certification fatigue and rubber stamping, which in turn weakens an organization's security posture. By shifting to an AI-assisted, policy-based model, companies can move from a reactive cycle of periodic audits to a proactive state of continuous compliance. This approach automates routine tasks, gives human reviewers data-driven recommendations so their attention goes to outlier and high-risk access, and keeps an immutable audit trail of who decided what and when, reducing manual effort and the risk of costly fines or breaches. SailPoint transforms compliance from a burdensome cost center into a strategic function that strengthens security, increases efficiency, and enables the business to move faster and more safely.
Ready to learn more about how to master the audit with AI-powered compliance? Get started with SailPoint Identity Security Cloud.