User Identity
An authenticated user record — credentials, roles, last access, and risk indicators.
Why This Object Matters for AI
AI identity threat detection analyzes user behavior; access management depends on identity data.
Security & Compliance Capacity Profile
Typical CMC levels for security & compliance in SaaS/Technology organizations.
CMC Dimension Scenarios
What each CMC level looks like specifically for User Identity.
User identity management is entirely informal. New employees get accounts created by whoever handles IT that day, with whatever access seems right. There is no user identity register, no documented role definitions, and no record of who has access to what. 'Who has admin access to production?' gets answered with 'probably the engineering leads, let me check.'
None — AI has no user identity records to reason about because nothing is documented.
Create a user identity register documenting each user's account, role assignment, application access, and the date access was granted.
A spreadsheet lists user identities and their application access, but it drifts from reality within weeks. Role definitions are informal — 'developer' might mean read-only in staging for one person and full admin in production for another. Terminated employees appear as active. New hires granted access last month are missing entirely.
Can list documented user identity records but cannot verify whether the spreadsheet reflects actual access state or identify accounts that should have been deprovisioned.
Implement an identity provider (IdP) with structured user identity profiles containing role assignments, group memberships, application entitlements, and provisioning timestamps.
An identity provider manages user identity profiles with SSO, role assignments, and group memberships. But entitlements are granted on request without consistent documentation of business justification. Risk indicators like failed login attempts and privilege escalation patterns are not tracked as part of the user identity record.
Can query the IdP for current role assignments and group memberships but cannot assess whether access levels are appropriate without business justification records or behavioral risk signals.
Enforce documented business justification for every access grant and add behavioral risk indicators — failed login counts, last access timestamps, privilege escalation history — to each user identity profile.
Every user identity profile contains structured role assignments, application entitlements with business justification, access request audit trails, last-access timestamps, failed login history, and behavioral risk scores. A security analyst can query 'show me all users with production access who haven't logged in for 90 days and their original access justification' and get a documented, verifiable answer.
Can perform access reviews, detect dormant accounts, flag excessive entitlements, and assess behavioral risk indicators for anomaly detection.
Implement a validated user identity schema with enforced attribute types, privilege escalation audit trails, credential lifecycle tracking, and automated consistency checks across all integrated applications.
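The access-review queries described at this level (dormant production accounts with their original justification, entitlements granted without a business justification, and terminated employees whose accounts are still enabled) over a structured user identity register, as an added example that is not part of this page or of any CMC tooling; the register, field names and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
TODAY = date(2024, 6, 1)  # constructed reference date for the review

@dataclass(frozen=True)
class Entitlement:
    app: str            # application the entitlement applies to
    role: str           # role within that application
    granted: date       # provisioning timestamp
    justification: str  # business justification recorded at grant time; "" = none

@dataclass(frozen=True)
class UserIdentity:
    user_id: str
    employment: str                 # HR status: "active" or "terminated"
    account_enabled: bool           # IdP account state
    last_access: date               # last successful login; None if never logged in
    failed_logins: int              # behavioral risk indicator kept on the record
    entitlements: tuple = ()

def dormant_production_users(users, today=TODAY, days=90):
    """Users holding production access with no login in `days` days, plus the justification recorded at grant."""
    cutoff = today - timedelta(days=days)
    out = []
    for u in users:
        prod = [e for e in u.entitlements if e.app == "production"]
        if prod and (u.last_access is None or u.last_access < cutoff):
            out.append((u.user_id, [e.justification or "<none recorded>" for e in prod]))
    return out

def unjustified_entitlements(users):
    """Entitlements that were granted without a recorded business justification."""
    return [(u.user_id, e.app, e.role) for u in users for e in u.entitlements if not e.justification]

def terminated_but_enabled(users):
    """Accounts still enabled in the IdP although HR marks the person as terminated."""
    return [u.user_id for u in users if u.employment == "terminated" and u.account_enabled]

REGISTER = (  # constructed sample register
    UserIdentity("alice", "active", True, date(2024, 5, 30), 1,
                 (Entitlement("production", "admin", date(2023, 1, 9), "On-call SRE rotation"),)),
    UserIdentity("bob", "active", True, date(2024, 1, 15), 0,
                 (Entitlement("production", "admin", date(2022, 7, 1), ""),
                  Entitlement("staging", "developer", date(2022, 7, 1), "Backend team"))),
    UserIdentity("carol", "terminated", True, date(2024, 2, 2), 0,
                 (Entitlement("crm", "viewer", date(2021, 3, 3), "Sales ops"),)),
    UserIdentity("dave", "active", True, None, 37,
                 (Entitlement("production", "read-only", date(2024, 1, 20), "Incident review"),)),
)
```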
A validated user identity schema enforces attribute types, links every entitlement to an approved request with business justification, maintains credential lifecycle records (creation, rotation, expiration), and validates consistency across all connected SaaS applications. AI agents evaluate user identity risk programmatically using structured behavioral baselines.
Can detect access anomalies, enforce least-privilege by comparing entitlements to usage patterns, automate access certification workflows, and predict credential compromise risk from behavioral signals.
Deploy continuous identity governance that auto-adjusts access based on role changes, behavioral analytics, real-time risk scoring, and peer group comparison across all SaaS applications.
Continuous identity governance auto-adjusts user identity access based on role changes, behavioral analytics, and real-time risk scoring. Entitlements are granted and revoked dynamically as job functions evolve. Peer group comparison flags anomalous access patterns before they become security incidents. The user identity record is self-documenting and always current.
Can autonomously manage the user identity lifecycle — provisioning, adjusting, and deprovisioning access in real time based on behavioral, organizational, and risk signals across all SaaS applications.
Ceiling of the CMC framework for this dimension.
Other Objects in Security & Compliance
Related business objects in the same function area.
Security Vulnerability
A discovered security weakness — CVE, severity, affected systems, and remediation status.
Security Event
A logged security occurrence — type, source, target, and risk level that enables threat detection.
Access Policy
A permission configuration — roles, resources, conditions, and enforcement that controls access.
Compliance Control
A required security measure — framework, control ID, implementation status, and evidence.