Adaptive Identity and Access Governance Framework (AIAGF): Graph-Based Risk Scoring, AI-Assisted Certification, Role Mining, and Continuous Privilege Lifecycle Governance
Abstract
Enterprise Identity and Access Governance (IAG) is undergoing a fundamental transformation driven by cloud adoption, hybrid workforce dynamics, regulatory intensification, and the proven inadequacy of periodic, manual access certification for managing the risk of excessive entitlements. This paper presents the Adaptive Identity and Access Governance Framework (AIAGF), a production-validated intelligent IAG platform that integrates Graph Neural Network (GNN)-based identity risk scoring, AI-assisted access certification, ML-driven role mining, and continuous privilege lifecycle governance across heterogeneous enterprise identity ecosystems. AIAGF introduces two novel algorithms. Algorithm 1 (AIAGF) constructs a dynamic identity-entitlement knowledge graph, applies Louvain community detection for peer group formation, and computes a five-factor composite risk score per identity using a weighted ensemble of GNN node embeddings, behavioral analysis, SoD conflict scoring, peer deviation metrics, and historical pattern analysis. Algorithm 2 (IARS: Identity and Access Risk Scoring Engine) formalizes the multidimensional risk computation with Platt-scaled probability calibration and SHAP-based explainability. The framework's access certification module achieves a 64.3% AI pre-certification rate, reducing mean campaign duration from 97 days to 10.7 days while maintaining 98.4% certification accuracy. ML-driven role mining reduces role explosion from 8,241 to 1,134 business roles (an 86% reduction), achieving a silhouette coefficient of 0.71, with SoD conflicts reduced by 94%. Experimental evaluation across 28 enterprise organizations (247,000 identities, 18-month longitudinal study) demonstrates 98.4% identity risk classification accuracy (AUC 0.981), a 74% reduction in access violations, an 89% certification cycle time reduction, and average annual cost avoidance of $3.4M per organization. Comparative analysis against SailPoint IdentityNow, Saviynt Enterprise, IBM Security Verify, One Identity Manager, and rule-based baselines confirms AIAGF's superiority across all metrics (McNemar's test, p < 0.001).