AI in Identity & Access Management: Will It Disrupt or Sustain?

While digging through ISO 27001 experts on LinkedIn, I came across Alexandre Blanc’s insights on AI in security. Naturally, I was intrigued.

Who better to discus IAM, which forms the backbone of ISO frameworks and every security strategy? Identity & Access Management (IAM) is at the core of protecting sensitive data so that only the right people (or systems) have access to critical resources. Without it, organizations can face security breaches, compliance failures, and operational chaos.

It’s not surprising that the IAM industry is also going through an evolution due to the effects of AI. This brings us to questions like:

How much control should AI have? Where does human monitoring fit in? And can AI truly prevent risks like privilege creep?

Alexandre Blanc, Advisor, ISO/IEC 27001 and 27701 Lead Implementer, and LinkedIn’s Top Voice in cybersecurity, shares his insights on the above and more! 

The rise of AI’s role in IAM: Balancing automation with the human element

The global IAM market is projected to reach $22.94 billion by 2027, driven by automation technologies like AI. 

AI enhances Identity Access Management (IAM) by processing access requests faster with the help of user behavior analytics, access history, and contextual data. The same can be represented by the benefits of AI in Role-Based Access Control (RBAC) and automated decision-making. 

• Role-Based Access Control (RBAC): AI dynamically assigns roles based on user activities, job changes, or organizational needs. This drastically reduces room for human error and ensures precise access permissions while minimizing security risks.

• Automation of decision-making: AI can also automatically approve or deny access requests and accelerate processes. This is particularly useful in large organizations managing thousands of accounts.

This definitely makes life a lot easier for access and IT managers, doesn’t it? Now the question arises – will human intervention be eliminated? 

“A lot of compliance requirements and regulations, especially regarding confidential data and overall privacy, require accountability and responsibility to be enforced. This means having an actual human in charge and responsible for access to the data.

This shows that humans will have to be involved in the process, and therefore, the level of automation granted to the systems will have to match the risk appetite of the human responsible for the task.” – Alexandre. 

So, it is safe to say that despite AI’s capabilities, human involvement remains critical for compliance and accountability. 

In fact, many frameworks, such as GDPR and PCI-DSS, require meticulous access control and audit trails for compliance. IAM systems certainly provide granular permissions and detailed logs, and with the support of AI, the process can be automated to a certain degree and reduce human error. 

Challenges in AI-driven IAM

When asked about significant challenges that AI introduces to traditional IAM frameworks, Alexandre put forth some critical points:

“One of the major challenges is ensuring consistency in AI-driven decision-making and understanding how mistakes occur. Since AI processes vast amounts of data and parameters, the difficulty lies in auditing its decisions and enforcing policies to prevent repeated errors.”

Tailoring autonomous systems to operational realities adds another layer of complexity. Additionally, as an organization’s tech stack evolves, the attributes AI relies on for decision-making may shift, altering their weight and impact over time.”

From here, we can root out five crucial challenges of being overtly dependent on AI for identity and access management:

1. Failing to ensure consistency: AI-driven IAM systems risk making inconsistent or unpredictable decisions over time, leading to security gaps
2. Lacking explainability & auditing: AI’s decision-making process can be opaque, making it difficult to trace, audit, and correct errors
3. Struggling to adapt to change: As an organization’s tech stack evolves, AI may rely on outdated parameters, leading to incorrect access decisions
4. Neglecting human training: Without continuous input from IAM admins, AI engineers, and data scientists, AI models can very quickly become ineffective or non-compliant
5. Ignoring evolving decision parameters: AI systems may fail to adjust as risk factors change, causing them to misinterpret security threats.

We know that AI will struggle to stay relevant without human intervention. So, humans will be necessary, as far as IAM is concerned. Alexandre further adds:

Managing privilege creep: Handling exceptions

When an individual accumulates unnecessary access rights over time, it increases security risks, such as insider threats and compliance violations. This is a classic example of privilege creep.

What is privilege creep? Privilege creep occurs when users, systems, or AI accumulate excessive access rights over time, often due to role changes, temporary permissions, or poor access management practices. This increases security risks by expanding the attack surface and making enforcing the principle of least privilege harder.

Privilege creep is a significant concern in IAM, especially when automation and AI are involved. Highly restricted environments often require handling exceptions—rules that don’t fit neatly into automated logic. 

“Deploying a single AI system to manage the whole IAM stack is like deciding to fly blind, fully having to trust an AI automated pilot. Therefore, this raises the need for overlapping controls, based on audit capabilities, allowing continuous verification and assessment of the main system’s decisions.” Alexandre noted. 

What are some solutions for such exceptions? 

It’s pretty clear that one security level is insufficient for handling permissions and access in complicated IAM situations. Plus, AI systems don’t suffice either, at least not alone. Here’s what Alexandre Blanc thinks. 

Breaking it down:

• Conduct periodic access reviews to identify and revoke unnecessary permissions
• Enforce the principle of least privilege (PoLP) with AI-driven adjustments and human oversight
• Implement role-based access control (RBAC) for consistent and simplified access management
• Use privileged access management (PAM) tools to monitor and restrict privileged accounts
• Apply overlapping controls by combining AI automation with manual reviews for sensitive cases
• Leverage adaptive authentication to assess risk and apply step-up verification when needed

AI identities in IAM systems 

AI Identities in IAM systems seem like a topic in the future, but that’s hardly true. As we speak, AI identities are becoming prevalent in our systems, and there’s data to prove it. 

AI entities and processes function as autonomous agents, raising the question of whether they should have distinct identities and be managed within IAM systems. 

As they take on critical roles in security and automation, tracking and governing their access like human users may become essential. To this, Alexandre added:

“Given the growing foothold of AI processes in system management, these processes must be identified and tracked just like users. This is crucial for maintaining audit capabilities and pinpointing potential issues. 

That said, these mechanisms won’t be as prevalent as human identities; instead, they will depend on them. For the sake of responsibility and accountability, AI systems will remain under an entity’s oversight within the organization’s hierarchy. 

I use the term “entity” deliberately because we might certainly have some AI systems responsible for watching smaller AI systems as well.”

Integrating AI into existing IAM systems without disrupting current operations

Bringing AI into your IAM system doesn’t have to be a disruptive overhaul. Alexandre suggests a thoughtful, step-by-step approach to ease AI into your security processes while keeping everything running smoothly.

1. Start with audit mode only

Think of AI as an observer at first. Let it analyze access patterns, flag anomalies, and make recommendations without making any decisions. This way, you can see how it performs without risk to your existing workflows.

2. Validate AI’s decision-making

Before giving AI any control, let it run in read-only mode and compare its recommendations to what your team would decide. You’ll know it’s ready for the next step if it consistently aligns with your policies and expectations.

3. Gradually give AI more control

Once AI proves itself, start allowing it to make low-risk decisions, like automating approvals for routine access requests. This allows you to monitor how it handles real-world scenarios without fully handing over the reins.

4. Closely monitor AI’s performance

Even as AI takes on more responsibility, regular audits are a must. You need visibility into how decisions are being made and the ability to catch and correct any issues early on.

5. Scale AI’s role at a manageable pace

As confidence in AI grows, you can start using it for more complex decisions. The key is scaling up gradually so you can fine-tune the system along the way.

6. Maintain human supervision

No matter how advanced AI becomes, humans should always have the final say—especially in sensitive access decisions. Keep override capabilities in place and adjust the system as your security needs evolve.

Beyond IAM: Hybrid security

The future of cybersecurity lies in hybrid security models that integrate AI’s analytical capabilities with human expertise to create a resilient and adaptive system. Alexandre mentions that in the future:

“Humans will define policies, guidelines, and frameworks that are governing the implementation of Non-Human Identities (NHI), but the operationalization will require AI (or advanced automation for such process). In this context, stating “AI will” means well-scoped and controlled AI processes whose role is clearly defined within clear boundaries.” 

This is rightly so because AI can process vast amounts of data, detect anomalies, and automate responses at a scale impossible for humans alone. However, without clear boundaries and human oversight, AI-driven security decisions could lead to unintended risks, misconfigurations, or even privilege creep. 

A hybrid security approach ensures that AI enhances efficiency while humans provide strategic direction, ethical considerations, and critical decision-making in complex scenarios.