AI for IAM: A pragmatic trajectory rather than a revolution

1.    AI is no longer a fantasy, it’s a reality that IAM must not miss

Two years ago, we asked whether artificial intelligence (AI) could represent a revolution for IAM in our article “Artificial intelligence: a revolution in IAM? – RiskInsight”. We already emphasized the need for a nuanced approach, based on concrete use cases, test-and-learn logic, and a requirement for trust compatible with the specific challenges of identity and access.

Today, the assessment has become more precise: AI has not caused the disruption that some predicted, but it is beginning to find a real, more targeted, and above all more pragmatic role within IAM.

What we also observe is that AI leads to an expansion of the scope of IAM: IAM must now also address issues related to AI and AI agents. To delve deeper into this point, we invite you to explore our article “Securing AI Agents: Why IAM Becomes Central – RiskInsight”.

As a reminder, AI is progressively establishing itself as a lever for transforming information systems, and IAM is no exception to this trend. Faced with the multiplication of identities driven by transformations of different natures, whether it be infrastructure evolutions with the cloud, business vision changes with the rise of CIAM, or the arrival of new technologies like AI agents, organisations must deal with increasingly rich and difficult-to-maintain authorisation models.

In this context, AI promises to make IAM services more efficient and accessible, whether through intelligent recommendations, conversational assistants, better data utilisation, or processing volumes that are difficult to manage with traditional approaches.

However, these contributions call for caution. IAM directly concerns access security: at this stage, AI must remain an assistance tool, under human supervision, as responsibility cannot be delegated to it. In practice, it still primarily manifests as peripheral components (copilots, chatbots, agents) that enhance existing systems without disrupting critical functions. The challenge is therefore no longer so much about whether AI has a place in IAM, but rather about identifying where and how to apply it in a truly relevant way.

AI-IAM relation

 

2.    What AI use cases truly make sense in IAM?

The contributions of AI in IAM are unevenly distributed:

  • Identity Governance & Administration (IGA) concentrates the bulk of initiatives thanks to its data volumes and frequent decisions (reviews, validations, recommendations).
  • Access Management (AM) is also heavily featured, with projects primarily aimed at accelerating and streamlining the user authentication process.
  • Privileged Access Management (PAM) is seeing the emergence of more targeted uses, particularly around the detection and monitoring of privileged behaviours.
  • The potential of AI in Customer Identity and Access Management (CIAM) remains relatively underexploited, even as it is becoming strategic. This is particularly evident in the emergence of AI agents capable of interacting or acting on behalf of users, especially through chatbots.
  • AI currently offers limited value for Trust Services, where processes are already largely automatable without AI, and is positioned more as peripheral support.

To organise these initiatives without ending up with a long list, two main categories of use cases can be identified:

  1. Those that aim to resolve current challenges in existing processes.
  2. Those that make it possible to address new issues that traditional approaches cannot cover.

The value of AI first emerges from current IAM pain points…

This first family of use cases generally constitutes the most natural entry point, as it relies on existing IAM processes.

AI then plays an accelerating role, by reducing costs and operational burden, while improving the experience, quality of service, and speed of execution, without calling into question the control model.

AI use case

…to become a lever for overcoming the limitations of traditional approaches

The second family of use cases is of a different nature: here, AI is no longer merely aimed at saving time but unlocks analytical capabilities that are beyond the reach of traditional approaches, by cross-referencing multiple data points (identity, organisation, permissions, usage, events) across large volumes of data. In particular, it enables the large-scale detection of atypical access, such as rare combinations of rights, authorisations inconsistent with a role, or accumulations linked to successive exceptions.
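To make "authorisations inconsistent with a role" concrete, here is an added example (not from the original article or any vendor product) of the kind of peer-group signal such analysis builds on: a plain prevalence baseline, not an AI model. The users, roles, entitlement names and thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample data (user, role, entitlements); all names are hypothetical.
ASSIGNMENTS = [
    ("alice", "accountant", {"erp.read", "erp.post_invoice"}),
    ("bob",   "accountant", {"erp.read", "erp.post_invoice"}),
    ("carol", "accountant", {"erp.read", "erp.post_invoice", "erp.approve_payment"}),
    ("dave",  "accountant", {"erp.read", "erp.post_invoice"}),
    ("erin",  "accountant", {"erp.read", "erp.post_invoice", "ad.domain_admin"}),
    ("frank", "sysadmin",   {"ad.domain_admin", "srv.ssh"}),
    ("grace", "sysadmin",   {"ad.domain_admin", "srv.ssh"}),
]

def peer_prevalence(assignments):
    """Return {role: {entitlement: share of that role's members holding it}}."""
    members = Counter(role for _, role, _ in assignments)
    held = defaultdict(Counter)
    for _, role, ents in assignments:
        held[role].update(ents)
    return {r: {e: n / members[r] for e, n in c.items()} for r, c in held.items()}

def atypical_access(assignments, rare=0.25, common=0.5, min_peers=4):
    """Flag entitlements held by at most `rare` of the user's role peers."""
    prevalence = peer_prevalence(assignments)
    findings = []
    sizes = Counter(role for _, role, _ in assignments)
    for user, role, ents in assignments:
        if sizes[role] < min_peers:
            continue  # too few peers for prevalence to mean anything
        for ent in sorted(ents):
            share = prevalence[role][ent]
            if share > rare:
                continue
            # Roles where this right is normal: a hint that it was carried
            # over from a previous job rather than granted as an exception.
            typical_of = sorted(r for r, p in prevalence.items()
                                if r != role and p.get(ent, 0) >= common)
            findings.append({"user": user, "role": role, "entitlement": ent,
                             "peer_share": round(share, 2), "typical_of": typical_of})
    return sorted(findings, key=lambda f: (f["peer_share"], f["user"]))

if __name__ == "__main__":
    for finding in atypical_access(ASSIGNMENTS):
        print(finding)
```

Findings are review candidates for a human approver, not revocation decisions; the `typical_of` field separates a right that looks like a leftover from a previous role from a one-off exception.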

AI also enables the analysis of career trajectories, identifying how certain profiles evolve over the course of job changes, projects or emergencies, to target remedial actions. It also enables intelligent prioritisation of these remedial actions by combining application criticality, data sensitivity and usage signals. In the field of PAM, emerging uses aim to identify behaviours involving unusual privileges in order to trigger enhanced controls.

Finally, this also paves the way for delegating lower value-added tasks, such as handling Level 1 tickets, for which automation was technically feasible but economically difficult to justify. Today, some AI-powered IAM solutions make this substitution realistic and accessible.

The multiplication of pain points and automation avenues should not lead to the indiscriminate deployment of AI. Some needs can be effectively addressed using simple rules or algorithms, and whenever access is involved, every potential error carries a security risk. It is therefore essential, once use cases have been identified, to select and prioritise them, rather than accumulating initiatives.

3.    Prioritise AI in IAM before it becomes a pile of initiatives

Once relevant use cases have been identified, it is necessary to determine which ones to focus efforts on, as not all justify the same level of investment. Prioritisation can thus be based on two key axes: added value and implementation complexity.

The challenge here lies in the ability to analyse these two aspects rigorously for each use case.

The first axis, relating to value, can thus be understood through several sub-criteria:

  • Operational cost reduction: measuring how the use case helps avoid certain recurring costs.
  • Efficiency gains and reallocation of efforts: the ability to free up time and redirect teams towards higher value-added tasks.
  • Reducing cyber risk: the impact of the use case on reducing identified cybersecurity, IT, or control risk.
  • Contribution to regulatory and strategic issues: to what extent does the use case meet a priority regulatory or strategic expectation (e.g., DORA, ECB, audits).
  • Impact on the affected populations: assess who the use case serves and with what frequency of use, as modest but daily use by a large number of users can create more value than a more ambitious use case limited to a restricted scope. The main populations to consider are generally IAM administrators, IAM integrators, end-users, and approving managers.

Impact of personas on the value of a use case

 

The second axis, complexity, can be assessed according to four complementary dimensions, consisting of:

  • Technical complexity: the technological effort required to deploy the use case, whether in terms of integrations, architecture, AI models used, or dependencies on the existing information system.
  • Organisational complexity: the level of coordination required between teams, scopes, and processes to effectively support the use case.
  • Associated risks: cyber, regulatory, or operational risks that may be introduced or reinforced by the implementation of the use case.

As a reminder, this approach aims primarily to guide thinking and structure decision-making; it is only a proposal that must therefore be adapted to each context.

High-impact but quick-to-deploy use cases should be prioritised. Conversely, those requiring significant effort (unavailable data, complex integrations, high security requirements) for limited benefit should be discarded or deferred. To make the trade-off concrete, a “matrix” logic works well:

How to prioritise use cases to develop?

However, this approach also requires being clear on one point: AI depends heavily on data (quality, completeness, traceability, repositories) and the ability to exploit it securely. Without solid foundations, even a promising use case will remain at the demonstration stage. To generate value in real-world conditions, it must be able to rely on sufficiently robust IAM foundations: data quality, structured repositories, process stability, clarity of the authorisation model, etc. Thus, prioritisation must be checked against the reality of available solutions and their maturity.

 

4.    A booming market, with usage still largely unequal

The IAM market is strongly energised by AI, with expanding roadmaps and the emergence of so-called “AI-native” products, designed from the outset to integrate assistance, analysis, and automation mechanisms. These approaches generally address either a targeted need or a differentiation strategy in a rapidly evolving market.

In parallel, traditional IAM solutions are progressively enhancing their offerings with AI functionalities and generally benefit from greater resources than AI-native players to support this transformation, primarily in cloud environments, which are more conducive to their deployment than on-premises architectures.

However, there remains a notable gap between promise and reality in production: most of the functionalities available today are still peripheral assistance (search, summarisation, copilots) rather than AI truly embedded in critical functions.

Adoption also remains gradual, particularly in large organisations, where the priority remains optimising existing systems, stabilising repositories, reducing technical debt, and ensuring compliance. AI-native approaches, still relatively new, must be integrated into a realistic roadmap and a clear operating model. AI should not be seen as a miracle product, but rather as a lever to be incorporated into a global IAM transformation.

 

5.    Conclusion – From the announcement effect to a controlled trajectory

AI applied to IAM seems to be reaching a turning point. The real challenge is not to accumulate use cases: it is to build a coherent, selective, and sustainable approach. Because it intervenes in access decisions, AI in IAM requires a higher level of caution than in other areas. The promise of automation must never mask the responsibility of humans and organisations. Any recommendation must be understandable, contestable, and justifiable, especially in an audit context. It is necessary to clearly define who validates and who arbitrates, ensure the acceptance of business teams without which AI will be bypassed, ensure regulatory compliance, and rigorously frame the data exposed to assistants to prevent any exfiltration of sensitive information.

To maintain this trajectory, it is not enough to evaluate use cases in isolation: the foundations must evolve (quality of identity data, repositories, role model, controls), an operational model capable of supervising AI on a daily basis must be defined, and emerging uses, particularly around AI agents, must be secured. AI for IAM should therefore not be thought of as an immediate revolution, but as a gradual progression, from assistance modules to advanced analysis capabilities, ultimately leading to better-controlled automation.

Ultimately, approaching AI in IAM well means moving forward pragmatically, targeting uses that offer the best balance between value and complexity, maintaining control over sensitive decisions, and staying attentive to the real market maturity.

 

6.    Five priorities to move from AI ambition to IAM results

In summary, here are the key points to bear in mind to adapt to this transformation:

  1. Identify AI use cases that truly make sense for IAM, whether they involve improving existing processes or unlocking new capabilities for analysis and automation.
  2. Objectively define the value and complexity of each use case to prioritise them for implementation.
  3. Build a progressive, controlled, and governed trajectory, rather than accumulating initiatives without an overall vision.
  4. The market is structuring itself rapidly: talk to your vendors to understand what they are really offering.
  5. Also inquire about emerging new solutions, particularly AI-native ones, and do not hesitate to contact us if you wish to discuss your initial field feedback or broaden your market vision.
