A Promise of Rapid Transformation
AI offers several concrete benefits for IAM:
IAM Domain | How AI Can Make a Difference |
Access Governance | Automation of access reviews, permission suggestions, and smart recertification |
Stocking | Automatic assignment of roles based on position, team, and context |
Anomaly Detection | Behavioral Analysis (UEBA), detection of suspicious movements, real-time alerts |
Support and Help Desk | AI Chatbots for Password, Access, and Request Management |
Safety | Identification of high-risk accounts, excessive privileges, and atypical activities |
These use cases have already been partially implemented by some providers, and IAM solution vendors are increasingly incorporating AI-powered features.
The Pace of Innovation vs. the Pace of Business
Despite this acceleration, several obstacles are slowing down adoption:
- Varying Levels of IAM Maturity
Many companies are still in the process of laying a solid foundation: SSO, MFA, lifecycle management (Joiner-Mover-Leaver), and basic access governance. AI is emerging even as these fundamentals have not yet been fully established. - Complexity of Architectures
Environments are often hybrid: on-premises, cloud, multiple SaaS platforms, non-human identities, and legacy systems. AI cannot magically resolve this complexity; it requires clean data, clear processes, and robust integration. - Issues of Trust and Governance
Who is responsible for an AI-driven decision to grant access? How can an “opaque” decision be audited? The risks of bias, automated errors, and a lack of transparency are very real. - Regulation and Compliance
Frameworks such as DORA require traceability, oversight, and audit evidence. AI that makes decisions in a “black box” can complicate compliance rather than simplify it. - Skills and Culture
AI in IAM requires new skills: data, machine learning, security, governance, and business expertise. However, IAM teams are often already stretched thin, with few resources available for experimentation and skill development.
A transformation that may overwhelm companies
The real danger is that AI is advancing faster than organizations' ability to adapt:
- Vendors are rolling out AI features every quarter.
- Reports on AI in cybersecurity and IAM are becoming increasingly common in the media.
- At the same time, companies must manage basic IAM projects, migrations, regulatory requirements, and security incidents.
In this context, it’s easy to get carried away by the promise of AI while remaining bogged down in operational priorities. The result: IAM AI projects stuck in the pilot phase, proof-of-concepts that never make it into production, and frustration among executives who see their competitors or software vendors announcing rapid progress.
What This Means for IAM Practitioners
For consultants, practice leaders, and IAM managers, there are several possible approaches:
1. Don't wait for the "perfect solution"
AI in IAM is not a finished product, but a set of capabilities that are gradually maturing. It is better to:
- Start with simple, measurable use cases (e.g., decision support for access reviews).
- Aim for gradual improvement rather than a complete overhaul all at once.
2. Strengthen the fundamentals before moving on to advanced AI
Before automating with AI, you must ensure that:
- The JML (Joiner-Mover-Leaver) processes are clear and well-documented.
- Roles and access policies are clearly defined.
- Identity data is clean and centralized.
AI amplifies what already exists; it does not provide a long-term solution for failing processes.
3. Keep people in the loop
When it comes to AI, the most realistic approach is:
- AI makes suggestions; humans make the decisions.
- AI to detect, humans to investigate.
- AI for automation, humans for supervision and validation.
This minimizes risks while taking advantage of productivity gains.
4. Anticipate the necessary skills
The IAM of the future will require:
- An understanding of the basic principles of AI and its limitations.
- The ability to assess risks (bias, transparency, compliance).
- Stronger collaboration among IAM, data, security, and compliance teams.
An inevitable transformation, but at its own pace
AI will undeniably transform IAM. It will accelerate certain processes, improve threat detection, and make access governance more proactive. But this transformation will not happen overnight, and its pace will vary greatly depending on the maturity of individual companies.
The risk is that the discourse on AI will create overly high expectations, even though the actual capacity for adoption is limited by:
- The IAM Maturity Model,
- The complexity of environments,
- Regulatory constraints,
- A lack of skills.
The companies that will succeed won't be the ones waiting for the "magic AI solution," but rather those that:
- IAM is strengthening its foundations,
- Are conducting targeted experiments with AI,
- Ensure that humans retain control over critical decisions,
- And they view AI as a means to gradually achieve maturity, not as an end in itself.
AI will transform IAM; the question is not whether it will, but at what pace and with what level of control. And that is what will set apart the companies that are merely undergoing the transformation from those that are driving it.
