How AI Changes the Way IT Teams Think About Access Management

For most IT teams, access management still looks like this: a Slack ping turns into a ticket, a ticket turns into approvals, approvals turn into manual clicks across consoles, and offboarding turns into "hope we remembered everything."
AI changes the mental model.
Instead of treating access as a service desk queue, IT can treat access as an automated policy system, with AI handling the messy human interface (intent, context, edge cases) and automation doing the deterministic work (provision, deprovision, audit).
---
Why access requests are still one of the biggest drains on service desks
A huge chunk of service desk volume is identity-adjacent: password resets, MFA resets, access requests, role changes, and "I'm locked out of X."
Password resets alone are a material drag: it is commonly cited that about 20–30% of IT tickets are password reset requests, and for a 10K-employee org that can cost ~$300K annually in service desk spend.
Now add access requests:
- onboarding/offboarding access
- app entitlement changes
- temporary elevated access
- vendor/contractor access
- approvals + audit evidence collection
In practice, the hidden tax isn't just ticket volume, it's the coordination cost: figuring out what the user needs, who owns the app, what policy applies, and whether the final access actually matches the original intent.
The new model: "policy + automation" with AI at the edges
AI doesn't replace controls. It removes friction and ambiguity so controls can actually work.
What changes with AI
Old flow: tickets → humans interpret → humans route → humans provision
AI-native flow: intent → policy evaluation → approvals (when needed) → automated provisioning → verification
The AI layer is used for:
- Intent parsing: "I need Datadog" → which environment, which role, which team, what duration
- Policy grounding: prerequisites (training, employment status), least-privilege role mapping, exceptions
- Routing: who should approve based on ownership + risk
- Guardrails: anomaly detection (e.g., request doesn't match role/peer baseline), escalation when needed
- Audit-ready summaries and reporting: who requested what, why, who approved, what was provisioned
How automated provisioning and deprovisioning works
Provisioning: IdP as source of truth + SCIM for lifecycle
Most modern orgs centralize identity in an IdP (Okta/Entra ID). The critical move is to make the IdP the control plane:
- Request is approved (or auto-approved under policy)
- Harmony updates group/role membership in the IdP
- The app receives lifecycle changes through SCIM, a standardized HTTP-based protocol for identity provisioning across domains
- Harmony verifies the downstream state matches the requested entitlement
Okta's own SCIM concept docs frame this as the mechanism that makes provisioning consistent across SaaS apps.
Deprovisioning: event-driven removal, not "someone remembers later"
Deprovisioning should trigger on real lifecycle events:
- HR termination
- Contractor end date
- Role change (mover)
- Access expiry
The difference between "modern" and "legacy" is whether removal is automatic and complete across all connected systems, or partial and delayed (creating orphaned access).
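The provisioning and deprovisioning loops above, as one added example (illustrative code, not Harmony's or any IdP's API): the IdP's group membership is the source of truth, policy evaluation decides whether a request is auto-approved, the IdP pushes a SCIM 2.0 PatchOp to the app, and a verify step checks that downstream state matches the entitlement; a lifecycle event then removes every membership and verifies nothing is left orphaned. The employees, app, groups and approval rule are constructed sample data.

```python
import json
# Constructed in-memory stand-ins (no vendor API): IdP groups, SCIM app state, HR data.
IDP_GROUPS: dict[str, set[str]] = {}   # group -> members (source of truth)
APP_STATE: dict[str, set[str]] = {}    # user -> groups the app actually holds
EMPLOYEES = {"alice": {"active": True, "training": True},
             "bob": {"active": True, "training": False}}
ROLE_TO_GROUP = {("datadog", "read"): "datadog-readers",   # least-privilege map
                 ("datadog", "admin"): "datadog-admins"}

def evaluate(user, app, role, hours):
    """Policy grounding: prerequisites, least-privilege mapping, auto-approve rule."""
    emp = EMPLOYEES.get(user)
    if not emp or not emp["active"]:
        return "deny: not an active employee"
    if not emp["training"]:
        return "deny: required training incomplete"
    if (app, role) not in ROLE_TO_GROUP:
        return "deny: no least-privilege mapping for this role"
    # Short-lived, non-admin access is auto-approved; anything else needs an owner.
    return "auto-approve" if role != "admin" and hours <= 8 else "route-to-owner"

def scim_patch(user, group, op):
    """Build the SCIM 2.0 PatchOp the IdP would send to /Groups/{id}; apply it to the app."""
    ops = ({"op": "add", "path": "members", "value": [{"value": user}]} if op == "add"
           else {"op": "remove", "path": f'members[value eq "{user}"]'})
    body = {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], "Operations": [ops]}
    held = APP_STATE.setdefault(user, set())
    (held.add if op == "add" else held.discard)(group)
    return json.dumps(body)

def verify(user):
    """Downstream state must equal what the IdP says the user should hold."""
    expected = {g for g, members in IDP_GROUPS.items() if user in members}
    return APP_STATE.get(user, set()) == expected

def provision(user, app, role, hours, approved=False):
    decision = evaluate(user, app, role, hours)
    if decision != "auto-approve" and not (approved and decision == "route-to-owner"):
        return decision                  # denied, or still waiting on an approver
    group = ROLE_TO_GROUP[(app, role)]
    IDP_GROUPS.setdefault(group, set()).add(user)
    scim_patch(user, group, "add")
    return "verified" if verify(user) else "drift"

def deprovision(user):  # trigger: HR termination, contract end, mover, expiry
    for group, members in IDP_GROUPS.items():
        if user in members:
            members.discard(user)
            scim_patch(user, group, "remove")
    return verify(user) and not APP_STATE.get(user)   # nothing orphaned downstream
```

A real deployment would replace the two dictionaries with the IdP's group API and the app's SCIM endpoint; the verify step is what turns "we sent the change" into "the entitlement actually exists".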
The risks of not modernizing access flows
1) Credentials are still the front door
Verizon's 2025 DBIR reports credential abuse was the initial access vector in 22% of breaches. In the same Verizon research, analyzing SSO provider logs, the median daily credential-stuffing volume was 19% of all authentication attempts, and up to 25% for enterprise orgs.
If access workflows are slow and messy, teams compensate with bad patterns such as shared accounts, overbroad roles, and approvals in DMs. Those patterns widen the blast radius when credentials inevitably leak.
2) Identity incidents are already widespread
IDSA reports 94% of organizations have had an identity-related breach and 99% believe it could have been prevented.
That's not a tooling gap, it's a process gap.
3) Offboarding gaps quietly turn into standing risk
If deprovisioning isn't automatic, you accumulate lingering access (dormant/orphaned accounts, leftover group memberships, unmanaged app invites). Those accounts don't page anyone when they become dangerous.
What "better" looks like, and the metrics that move toward it
When teams modernize access, the wins are measurable:
- Ticket volume reduction in identity-related work, starting with resets/access requests
- Faster time-to-access (minutes, not days) because provisioning becomes API-driven and policy-based (SCIM + IdP groups)
- Lower error rate, with fewer wrong roles and fewer missed removals, because humans stop doing repetitive console work
- Audit readiness improves because approvals + provisioning events are captured as structured records, not Slack archaeology
Access management should be run like production infrastructure: define policy, automate execution, verify state, and continuously reduce the manual surface area. As IT scales, manual access workflows don't. The future belongs to policy-based systems where AI removes friction, automation enforces controls, and access management runs with the same discipline as production.
