F&G Annuities and Life, the Iowa-based life insurance and annuity provider that protects over 700,000 policyholders across the US, faced a serious challenge related to Identity Governance and Administration (IGA). The requirement to certify employee access entitlements for multiple systems had become a burden to management. Using new IGA tools powered by Artificial Intelligence (AI) and Machine Learning (ML), F&G was able to get out from this challenging access certification workload.
IGA challenges confronting F&G
F&G has grown in recent years, mostly through acquisitions. The inorganic expansion of its workforce led to a situation where managers had to certify application access entitlements for larger and larger teams of employees. For example, to pass audits for Sarbanes Oxley (SOX), the company has to demonstrate to auditors that they have strong controls in place over access rights. For some financial controls, SOX requires a company to attest that their IGA policies establish segregation of duties. F&G also had to comply with the National Provider Identifier Standard (NPI), which mandates certification of access.
In IGA terms, F&G was not mature as a company. Their certification process was manual, meaning that managers had to go through long lists of employees every quarter and determine whether each person, on an induvial basis, should continue to have access to various critical systems. In some cases, an employee’s role might have changed, so he or she would no longer need access. Or, the employee might need access to a new system, and so forth.
The ad-hoc certification process was cumbersome and lengthy, leading to managers to skip steps in some cases or “rubber stamping” access and generally experiencing a phenomenon particular to the IGA field known as “certification fatigue.” As a result of these conditions, IGA at F&G had become nearly untenable in its current form. The organization recognized the need for a modern IGA system that could automate some or all of the certification process.
Operationalizing an AI-driven IGA solution
F&G worked with Integral Partners to design and implement a new IGA solution that would ease the certification burden and enable F&G to grow without experiencing administrative pain. The solution involved deploying Access Insights software on the SailPoint IdentityNow platform. Access Insights leverages AI and ML to make automated recommendations for the certification of access entitlements.
Integral set up Access Insights for F&G using the tool’s Recommendation Engine for role governance. In this case, role governance refers to assigning access rights by role, rather than on an individual basis. An employee of the accounting department might have access to systems A, B and C, while someone in the underwriting area would have access to systems D, E and F.
However, the Recommendation Engine can take the role governance process much further. With AI and ML, the engine can make inferences about an employee’s access needs. This is known as access modeling. For instance, if Joe works in the same department as Sally, then he might need access to the same systems that she has, even if they have different titles and formal roles in the organization. The Recommendation Engine is able to parse many parameters of Joe and Sally’s jobs to recommend roles and entitlements. As the system detects peer populations, regardless of departmental assignments, it might even dynamically create new roles based on inferred access needs.
Integral Partners has replaced F&G’s manual certification processes with IdentityNow certifications for their core and compliance sensitive systems. Using the tool’s IdentityIQ feature, F&G can set up standard processes that include birthright network access. The solution is able to make access recommendations with a role model algorithm that allows managers to certify access entitlements much more quickly than was previously possible. It will even be able to automatically assign access and process the entire certification. This will involve pairing the Access Insights role modeling module with the Recommendation Engine.
The solution provides F&G managers with a dashboard showing an overall view of their IGA program. At a glance, managers can see IGA data such as active users, most common roles/permissions, certification status, access history and more. Identity-centric charts display user data, such as location, job title and permissions. They can also get a quick read on certification decisions, revoked entitlements and late certifiers.
F&G managers now spend a good deal less time on certifications. They are not “fatigued” by the workload. And, the accuracy and relevance of the role entitlements has gone up. The audit process is faster, mostly due to auditors’ use of Access Insights and Dashboards. Auditors can directly access the system and obtain the evidence they require to establish that certifications have been performed properly.
Integral Partners continues to work with F&G on the next phases of their IGA modernization. They continue to tune the AI and ML used to automate certifications. In parallel, they are building a more robust role governance program.