How Axonius Leverages AI in Identities

AI Features in Identities

This section describes how Axonius leverages AI in Identities.

Role Mining

Analyzes existing identity and access data. It intelligently identifies common access patterns to discover natural, logical roles that reflect actual job functions.

Suggested Rules

Defines access based on common user attributes and access entitlements. These rules can be used to automate and streamline the provisioning of birthright access for new and existing users.

Suggested Profiles

Provides smart recommendations to right-size group membership and reduce sprawl.

Entitlements Consolidation

Identifies and reduces redundant or overlapping access entitlements.
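The Role Mining, Suggested Rules, and Entitlements Consolidation features above are described by their outcomes rather than by a method. The following is an added illustration, not Axonius code and not a description of how its models work: it runs three simple analyses of the same kind over a constructed user/entitlement dataset (hypothetical users, departments, titles, and entitlement names). Role candidates are closed frequent entitlement sets, birthright rule candidates are attribute-value/entitlement pairs with high confidence, and consolidation candidates are entitlements granted to exactly the same holders. All thresholds are assumptions, and every result is a candidate for human review, not an access change.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample identity data (hypothetical names, attributes and entitlements).
USERS = {
    "alice": {"dept": "finance", "title": "analyst",    "ents": {"erp_read", "erp_post", "vpn"}},
    "bob":   {"dept": "finance", "title": "analyst",    "ents": {"erp_read", "erp_post", "vpn"}},
    "carol": {"dept": "finance", "title": "manager",    "ents": {"erp_read", "erp_post", "erp_approve", "vpn"}},
    "dave":  {"dept": "eng",     "title": "engineer",   "ents": {"git_write", "ci_run", "vpn"}},
    "erin":  {"dept": "eng",     "title": "engineer",   "ents": {"git_write", "ci_run", "vpn", "prod_admin"}},
    "frank": {"dept": "eng",     "title": "manager",    "ents": {"git_write", "ci_run", "vpn", "git_admin"}},
    "grace": {"dept": "hr",      "title": "generalist", "ents": {"hris_read", "vpn"}},
}


def mine_roles(users, min_users=2, min_size=2):
    """Role mining: entitlement sets shared by at least min_users users.

    Only *closed* frequent sets are returned (no superset is held by exactly
    the same number of users), so each candidate role is reported once at
    its largest extent rather than once per subset.
    Returns a list of (frozenset_of_entitlements, user_count).
    """
    counts = Counter()
    for u in users.values():
        ents = sorted(u["ents"])
        for k in range(min_size, len(ents) + 1):
            for combo in combinations(ents, k):
                counts[combo] += 1
    frequent = {s: c for s, c in counts.items() if c >= min_users}
    closed = []
    for s, c in frequent.items():
        ss = set(s)
        # A superset with identical support would always be frequent too,
        # so checking against the frequent sets is sufficient.
        if not any(ss < set(t) and frequent[t] == c for t in frequent):
            closed.append((frozenset(s), c))
    return sorted(closed, key=lambda x: (-x[1], sorted(x[0])))


def suggest_rules(users, attr, min_confidence=0.8, min_users=2):
    """Birthright rule candidates: '<attr> == value' implies entitlement.

    Confidence is the fraction of users with that attribute value who hold
    the entitlement; groups smaller than min_users are skipped because a
    single user cannot establish a pattern.
    Returns sorted (attr, value, entitlement, confidence) tuples.
    """
    groups = defaultdict(list)
    for u in users.values():
        groups[u[attr]].append(u["ents"])
    rules = []
    for value, ent_sets in groups.items():
        if len(ent_sets) < min_users:
            continue
        tally = Counter(e for ents in ent_sets for e in ents)
        for ent, n in tally.items():
            conf = n / len(ent_sets)
            if conf >= min_confidence:
                rules.append((attr, value, ent, round(conf, 2)))
    return sorted(rules)


def find_redundant_entitlements(users):
    """Consolidation candidates: entitlements held by exactly the same users.

    Identical holder sets suggest the entitlements are always granted
    together and could be merged into one; the decision stays with a human.
    Returns a sorted list of sorted entitlement-name groups.
    """
    holders = defaultdict(set)
    for name, u in users.items():
        for e in u["ents"]:
            holders[e].add(name)
    by_holders = defaultdict(list)
    for e, hs in holders.items():
        by_holders[frozenset(hs)].append(e)
    return sorted(sorted(es) for es in by_holders.values() if len(es) > 1)


if __name__ == "__main__":
    for ents, n in mine_roles(USERS):
        print(f"role candidate ({n} users): {sorted(ents)}")
    for rule in suggest_rules(USERS, "dept"):
        print("rule candidate:", rule)
    print("redundant entitlement groups:", find_redundant_entitlements(USERS))
```

On this dataset the two role candidates are the finance and engineering entitlement bundles, the department rules propose only the entitlements every member of a department already holds (the lone HR user yields no rule), and the consolidation step pairs erp_read with erp_post and git_write with ci_run because each pair has identical holders. Real data is noisier, which is why thresholds such as min_users and min_confidence exist and why every candidate still needs review.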

ITDR/BA

Leverages AI-driven insights to identify suspicious identity behaviors such as anomalous access patterns and privilege escalations.

Rule Naming

Assigns a meaningful and consistent name to rules.

Profile Naming

Assigns a meaningful and consistent name to an identity profile.

Customers’ Control, Accessibility, and Settings

Customers have complete control over all 7 AI features, which are turned off by default and activated individually. Turning the AI features on or off is an admin-only privilege. The Profile Naming and Rule Naming features require the use of AI. See here for more information on Identities.

Deployment and AI models

  • Role Mining, Suggested Profiles and Rules, Entitlements Consolidation, and ITDR/BA all rely on Axonius’ AI model, and are available for both On-Prem and SaaS customer instances.
  • Profile and Rule Naming rely on Amazon Bedrock (API) for SaaS instances (N/A for On-Premise deployments).

Data Handling

  • The AI models access information solely within Identities, such as user profiles and employment information. This includes user and employment status, role, job location, and team, as well as user/device access and permission information, activity, and usage information.
  • Identities requires user data to function and provide insights. Customers would not be able to use the product if these details were de-identified, masked, or pseudonymized.
  • Data is always kept logically separate for each customer instance and is not shared between customers.

Training and Optimization

Customer data is not used to train the model for external use. However, if a customer uses the AI features, the AI model learns from their data to optimize results for them only.

Accuracy and Reliability

  • The AI models build their knowledge base using only the customer data, as validated by Axonius’ adapters.
  • Identities scans the customer instance and provides output on a daily basis.
  • Accuracy, integrity, and reliability are therefore fundamentally inherited from this source.

Transparency, Explainability, and Human Oversight

  • The AI output is clearly labelled as either "ML-generated" (On-Prem) or "Created by AI" (SaaS).
  • Identities provides recommendations that are always subject to human review by the customer before becoming effective.
  • The AI output is explainable. The explanation can be presented as a textual description detailing the reasons for the AI output, a table of all the variables that led to the output, or in a similar manner.
  • Identities does not engage in unsupervised automated decision-making.

Security and Integrity

  • The AI models build their knowledge base using only customer data, as validated by Axonius’ adapters, which insulates them from external threat actors.
  • When the AI model is deployed On-Prem, the data never leaves the customer’s instance.
  • When Amazon Bedrock is engaged for SaaS instances, additional guardrails are applied to protect the model interaction against external attacks (e.g., zero retention, verification that the query is AQL, field type validation, end-to-end encryption, etc.). Additionally, Axonius adheres to cloud security best practices recommended by both AWS and our internal security experts.

Retention

  • The input is always discarded immediately after use.
  • The output for Suggested Rules and Profiles is kept for 1 day unless it is accepted (Identities performs daily scans and suggestions).
  • The output for the other features is kept for 3 days.
  • Amazon Bedrock has zero data retention enabled.