Overview
Identity Analytics (sometimes called Identity Intelligence) is the application of data science and machine learning to IGA data. Instead of static reports ("Who has access?"), analytics answers dynamic questions: "Who has too much access?", "Who is an outlier compared to their peers?", and "Who has access they never use?"
This discipline moves IGA from "Managing Administration" to "Managing Risk." By analyzing behavior and entitlement patterns, organizations can predict risks and automate remediation, reducing the burden on human reviewers.
Architecture
Reference Pattern: The Analytics Engine
The engine ingests static data (entitlements) and dynamic data (usage logs) to generate insights and trigger actions.
Diagram: The Analytics Engine (entitlement and usage data in, insights and triggered actions out)
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| Data Sources | IGA only, IGA + SIEM, Full Stack | IGA + Usage (SIEM/Logs) | You cannot detect "unused access" without usage logs. |
| Peer Grouping | Static (Dept/Title), Dynamic (Clustering) | Dynamic Clustering | Job Titles are often wrong. Dynamic clustering finds "people who do similar work." |
| Risk Scoring | Composite Score, Binary Alert | Composite Score (0-100) | Allows for prioritization. "Focus on users with Risk > 80." |
| Actionability | Dashboard, Auto-Revoke, Micro-Cert | Micro-Cert & Context | Dashboards are where data goes to die. Trigger a review or show context in the UI. |
| Model Transparency | Black Box, Explainable | Explainable | Reviewers won't revoke access because "The AI said so." You must show WHY (e.g., "0% of peers have this"). |
Implementation
Phase 1: Visibility & Cleanup
- Ingest identity and entitlement data.
- Identify "Empty Groups" and "Dormant Accounts."
- Identify "Orphan Accounts."
- Goal: Low-hanging fruit cleanup.
Phase 2: Peer Analysis & Role Mining
- Implement peer grouping algorithms.
- Identify outliers (e.g., users holding 20% more access than their peers).
- Suggest candidate Roles based on common clusters.
- Goal: Standardization and "Role Engineering."
Phase 3: Behavioral & Risk-Based
- Ingest activity logs (who accessed what).
- Flag entitlements that haven't been used in 90 days.
- Calculate dynamic risk scores for every user.
- Goal: Continuous compliance and automated least privilege.
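As an added example (not code from the original page), the three phases above run in Python over a constructed four-user finance department: Phase 1 orphan detection, Phase 2 peer-group outliers reported with the "X% of peers have this" share the Key Decisions table asks for, Phase 3 entitlements unused for 90 days, and a composite 0-100 risk score. Peer groups here are the static HR department rather than dynamic clustering, and the WEIGHTS values and 20% outlier threshold are assumptions.

```python
from datetime import date, timedelta
# Constructed sample data (not from any real IGA system): one finance peer group.
AS_OF = date(2024, 6, 30)
USERS = {  # user -> (HR peer group, still active in HR?); dave has left but keeps an account
    "alice": ("finance", True), "bob": ("finance", True),
    "carol": ("finance", True), "dave": ("finance", False),
}
ENTITLEMENTS = {
    "alice": {"erp_read", "erp_post"}, "bob": {"erp_read", "erp_post"},
    "carol": {"erp_read", "erp_post", "db_admin"}, "dave": {"erp_read"},
}
LAST_USED = {  # (user, entitlement) -> last use seen in activity logs; absent = never used
    ("alice", "erp_read"): date(2024, 6, 1), ("alice", "erp_post"): date(2024, 6, 20),
    ("bob", "erp_read"): date(2024, 6, 25), ("bob", "erp_post"): date(2024, 1, 5),
    ("carol", "erp_read"): date(2024, 6, 28), ("carol", "erp_post"): date(2024, 6, 28),
}
WEIGHTS = {"orphan": 50, "outlier": 30, "unused": 15}  # assumed weights, tuned per deployment

def orphan_accounts():
    """Phase 1: accounts that still hold access but have no active HR record."""
    return sorted(u for u, (_, active) in USERS.items() if not active and ENTITLEMENTS.get(u))

def peer_outliers(user, threshold=0.2):
    """Phase 2: entitlements held by fewer than `threshold` of the user's active peers.
    Returns {entitlement: share_of_peers} so the reviewer can see WHY it was flagged."""
    group = USERS[user][0]
    peers = [u for u, (g, active) in USERS.items() if g == group and active and u != user]
    flagged = {}
    for ent in ENTITLEMENTS[user]:
        share = sum(ent in ENTITLEMENTS[p] for p in peers) / len(peers) if peers else 0.0
        if share < threshold:
            flagged[ent] = share
    return flagged

def unused_entitlements(user, days=90):
    """Phase 3: entitlements with no logged use inside the last `days` days."""
    cutoff = AS_OF - timedelta(days=days)
    return sorted(e for e in ENTITLEMENTS[user]
                  if LAST_USED.get((user, e)) is None or LAST_USED[(user, e)] < cutoff)

def risk_score(user):
    """Composite 0-100 score plus the human-readable reasons behind it."""
    reasons = []
    if user in orphan_accounts():
        reasons.append(("orphan", "no active HR record"))
    for ent, share in peer_outliers(user).items():
        reasons.append(("outlier", f"{share:.0%} of peers have {ent}"))
    for ent in unused_entitlements(user):
        reasons.append(("unused", f"{ent} not used in 90 days"))
    score = min(100, sum(WEIGHTS[kind] for kind, _ in reasons))
    return score, [text for _, text in reasons]
```

Carol's db_admin is both a peer outlier (0% of active peers hold it) and unused, so her score is 45 with two reasons a reviewer can act on; dave scores 65 as an orphan account with dormant access.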
Risks
- Bad Data Quality: If HR data (Manager, Dept) is wrong, peer grouping will be wrong, leading to false positives.
- "Black Box" Mistrust: Reviewers ignoring recommendations because they don't understand the logic.
- Alert Fatigue: Flooding admins with "Anomalous Access" alerts that turn out to be legitimate.
- Privacy Concerns: Analyzing user behavior (time of day, location) can cross privacy lines in some jurisdictions (GDPR/Works Councils).
KPIs
- Risk Reduction: Average Risk Score of the user population over time (should trend down).
- Revocation Rate (Analytics-Driven): Percentage of revocations triggered by analytics recommendations vs. manual reviews.
- Role Fit: Percentage of user access covered by mined roles (Target: > 80%).
- Orphan/Dormant Detection: Number of account anomalies identified and resolved.
