I’ve had dozens of conversations with security practitioners that all circled back to the same underlying question:   

"What can AI actually do for identity security?"  

Security leaders aren't just curious about AI-native IAM platforms - they're eager for it. They have specific feature requests, concrete use cases, and real expectations about what this technology should deliver. After spending nearly two decades in cybersecurity, I've rarely seen this level of market appetite for genuinely new approaches.  

But what struck me most is that the excitement isn't really about AI itself.   

It's about finally having a path forward for problems that have plagued identity governance for two decades.  

IAM saw no innovation for two decades  

Here's something that became crystal clear at the recent Gartner IAM Summit I attended: the identity governance space has been stuck in neutral for two decades.  

I realize how that sounds, especially surrounded by scores of IAM vendors at the event.   

But consider the evidence. Cybersecurity as a whole has transformed dramatically. We saw breakthroughs in endpoint detection, cloud security architectures, threat intelligence platforms.   

Meanwhile, identity governance?   

Organizations are fighting the same battles they faced in 2005:  

• The workflows are still manual.   

• The policies are still hard-coded.   

• The integrations are still nightmares.   

• The access reviews still meaningless checkbox exercises.  

The problems haven't evolved, and neither have the solutions.  

Why identity governance resisted innovation  

Identity governance presents an exceptionally difficult innovation challenge.  

The problem isn't talent or investment. It's that identity exists at this challenging intersection of entrenched human behavior and sprawling technical complexity.   

Organizations have authentication workflows embedded in muscle memory, access request patterns that feel immutable and legacy systems that aren't going anywhere.  

Breaking into this environment means fighting institutional inertia at every level. Prior to AI, the fundamental challenges in identity governance hit a hard ceiling. The manual work required was simply too complex for humans to execute reliably at scale, while the variation across systems was too nuanced for traditional automation to capture.   

Security teams found themselves drowning in access requests they couldn't meaningfully review. Integration backlogs grew to absurd lengths – with some organizations reporting over 600 applications waiting to be onboarded, with timelines stretching beyond eight years. The traditional toolkit simply couldn't scale and  everyone in the industry understood this, even if they didn't say it out loud.  

CISOs are finally ready for AI-powered IAM

When people ask what makes AI-native identity platforms different from traditional IAM solutions, the distinction goes far beyond adding a chatbot or using AI for anomaly detection.  

Here's how I think about the fundamental differences:  

The key insight behind Opti (and what separates truly AI-native platforms from those with AI features added on) centers on specialized models purpose-built for identity challenges. These aren't general-purpose language models with IAM prompts attached.   

These are systems trained specifically on identity data: learning from extensive exposure to diverse application authorization schemes, entitlement architectures, and access patterns.  

During the summit, I sat down for an interview with Information Security Media Group (ISMG) to discuss how AI-native platforms are transforming identity security.  

The conversation reinforced what I was hearing throughout the event: security leaders are ready to move beyond theoretical discussions about AI and start implementing solutions that address their most pressing challenges.  

IAM practitioners didn't just want to hear about AI capabilities in theory -they had specific problems they wanted AI to solve.  

1. Can it automatically figure out what permissions this person actually needs?

2. Will it help us finally onboard our legacy applications?

3. Can it explain why this access request is risky in language our managers will understand?  

The answer to all of these questions is yes, but what's more interesting is that people are now ready to ask them. A few years ago, these questions would have seemed like science fiction. Today, security leaders expect AI to handle this level of complexity. 

The urgency is real. Recent industry research shows that the overwhelming majority of breaches - approximately 80% trace back to identity-related issues: compromised credentials, excessive permissions, or unauthorized access.  

The traditional playbook clearly isn't working, and organizations are recognizing that they need a fundamentally different approach.  

The 3 core capabilities of AI-native IAM

Based on the conversations at Gartner and working with early customers at Opti, I see 3 core capabilities that will define successful AI-native IAM platforms:  

1. Understanding entitlements at scale  

Every application has its own authorization model. An "admin" role in Salesforce grants entirely different capabilities than an "admin" in your HR system or financial planning tool. Traditional IGA solutions attempted to normalize these differences through manual mapping, a process that proved both error-prone and impossibly time-consuming.  
 
AI-native platforms need to understand these entitlement models deeply and automatically. Not just pattern-match similar-looking roles, but genuinely comprehend what specific permissions enable users to accomplish across vastly different applications.  

2. Shifting to automated remediation workflows  

Here's something that consistently surprises people about Opti: we have a "remediate" button that actually solves access problems when you click it. No tickets to file. No manual workflow to trigger. No waiting for someone to execute changes across multiple systems.  
 
This sounds simple, but it requires AI models that can reason about the safest way to revoke access, understand dependencies between entitlements, and orchestrate changes across integrated applications - all while maintaining audit trails and compliance requirements. We're the first and only player doing this at scale, and customer reactions have validated how much this capability was needed.  

Ending the rubber-stamp problem in access reviews

Most user access reviews default to approval because reviewers lack the necessary context. Managers approve requests they don't truly understand due to insufficient context, time, and proper tools to make informed decisions. When nearly every request gets approved regardless of appropriateness, the review process becomes security theater rather than actual governance.  

AI-native platforms need to prioritize what genuinely matters, surface least-privilege alternatives, and provide the business context that makes reviews both faster and more effective.  

This means using AI to identify which entitlements actually carry risk, which users have anomalous access patterns, and what appropriate access looks like based on peer analysis and job function.  

Security professionals want AI to eliminate the manual work that's consumed their teams for years. They want to finally integrate those legacy applications sitting in their backlog and access decisions that happen in minutes rather than weeks.  

But they're also sophisticated about it. CISOs have been burned by overhyped technologies before. They want to see how the AI actually works, understand what data it's trained on, and know that it won't hallucinate incorrect access decisions.  

This skepticism is healthy and necessary. The distinction between AI-native architecture and AI-enhanced features matters enormously for actual outcomes.  

The professional services problem

One conversation I had at the Gartner Summit particularly stood out. A CISO from a Fortune 500 company told me their current IGA implementation had a queue of over 600 applications waiting to be onboarded, with their vendor estimating an 8+ year timeline to integrate them all.  

Eight years.  

This isn't an isolated case - it's the norm for traditional IGA platforms.   

Each integration requires extensive professional services work to extract identity data, understand the application's unique entitlement model, normalize that data, and build provisioning workflows.  

What should be a software solution has become a services business. The majority of enterprises struggle with incomplete application coverage, and satisfaction remains low even for successfully integrated systems.  

AI transforms this equation fundamentally. At Opti, our models learned from extensive training across diverse application types.   

When encountering a new application, the AI leverages this learned understanding of common authorization patterns to normalize data automatically -compressing weeks or months of professional services into hours or days.  

Why the 20-year innovation gap is finally closing

I'm often asked why we started Opti in 2024.   

The timing came down to a critical insight from conversations with leading AI researchers: large language models would become very good at many things, but the real opportunity was in making them excellent at specific, complex domains.  

The identity space needed more than generic AI capabilities. It required AI-native architecture where specialized models trained on IAM-specific problems could understand and reason about identity at a level no human team could achieve at scale.  

Before AI, fundamental problems in identity governance - understanding complex entitlements, making contextual access decisions, automating integrations, handling dynamic workflows - simply weren't solvable.   

The market is ready for intelligent identity governance in a way it wasn't even two years ago. The combination of growing breach statistics, expanding application sprawl, and proven AI capabilities has created both urgent need and genuine opportunity.  

Security leaders who embrace AI-native platforms now have a path to solve problems that have frustrated them for decades. Real-time remediation. Automatic application onboarding. Access reviews that actually catch inappropriate permissions. Workflows that adapt instead of break.  

The 20-year innovation gap in identity governance is finally closing. The question isn't whether this transformation will happen - the technology and market demand make it inevitable. The question is whether your organization will lead this shift or spend the next several years catching up as the industry moves forward.