Editorial

Data-ready or not, here AI comes. How IAM can help

Identity and access management (IAM) platforms offer a wealth of first-party data that can fuel a public organisation’s AI decision-making. However, data must be well-structured and of sufficient quality for public sector organisations to fully benefit from AI. Human oversight will always be required to prevent AI agents overreaching their permissions and ensure that systems operate with the right level of accountability and trust, says Robert Byrne, global field strategist at One Identity.

Posted 30 April 2026 by Christine Horton


Government technology experts at Think AI for Government 2025 asserted that data-readiness presented a significant barrier to AI adoption in the UK public sector.

Among them was data scientist, Dr Iain Brown, who wrote in Think Digital Partners that AI offers the potential to enhance public service outcomes, improve operational efficiency and save taxpayers’ money. However, he writes, “AI’s effectiveness hinges directly on the quality of its input data. Inaccurate or incomplete datasets risk flawed decisions that adversely impact individuals and erode public trust.”

IAM as a ‘source of truth’

Identity and access management (IAM) platforms contain a rich source of organisational data. If that data is cleansed, deduplicated, and structured in a way that is accessible to large language models, organisations stand to gain better outcomes from generative AI and AI agents.

Identity governance and administration software (IGA) helps large organisations to regularly review, reassign, and revoke access as people join, leave, or change roles within the organisation.

The role-based data stored within IAM and IGA platforms is extremely valuable for creating predictive models.

Consider the NHS, which employs 1.55 million people. Each person has been assigned access to buildings, departments, and software applications, relative to their roles.

If correctly structured for AI, IAM data can be rapidly analysed to identify patterns, detect anomalies, make predictions and optimise the maintenance of the live access model.

Applications of AI in IAM

Analytical identity intelligence can supplement IGA and privileged access management. It can be incorporated into decision and role recommendation engines to speed workflows.

By flagging unusual behaviour, AI offers an early warning system, alerting IT staff to misused credentials, or inappropriate levels of access.

Because AI can detect patterns and anomalies far more quickly than humans, it aids effective access management, for both regular and high-privileged activity. For example, a step-up to multi-factor authentication (MFA) can be triggered if unusual behaviour is detected during a login. This also works well for governing privileged sessions, particularly when combined with risk signals from the security operations centre.

Effective AI depends on data quality

An article in Think Digital Partners noted, “Personal information belonging to employees, customers and citizens that should have been deleted a long time ago is often buried deep in unstructured sources. …On average, 60-70 percent of government data brings no value to the organisation and is considered DROT (Duplicate, Redundant, Obsolete and Trivial).”

This was echoed in the State of Digital Government Review, January 2025, which found that “70 percent say their data landscape is not well co-ordinated, interoperable, or enables a unified source of truth.”

We see a lot of organisations that hope to achieve instant gains from AI, in spite of data bloat.

You can’t treat AI like a weight loss drug. There are no shortcuts to data quality. However, AI-powered identity clustering and peer group analysis can be used to speed deduplication and aid data cleansing.

As an example, we worked with an enterprise that was struggling with poor data quality. Its initial IAM estate comprised 100,000 identities; 129,000 application profiles; 50,000 business roles; and 350,000 entitlements. Using automation, 5,000 role assignments were applied to the IAM estate, 800 roles were consolidated, and 17,000 roles were unrecommended.

This improvement in data quality yields immediate benefit in reduced workload and access review tasks. Data deduplication and de-provisioning of roles are increasingly important given that machine identities now outnumber human identities by 50:1 within a typical enterprise environment.

IAM must include machine identities

The definition of ‘Identity’ needs to be expanded to encompass non-human identities. These include cloud workloads, OAuth tokens, API keys that connect applications, scripts that log into databases, and RPA bots and AI agents that complete workflows.

Machine identities must be treated like human users and have their access privileges revoked once their work is complete. There are many examples of orphan tokens languishing on IT estates months or years after they have served their purpose, needlessly increasing the attack surface and exposing the organisation to increased risk of breach and compromise.

Authentication, PAM, IGA and authorisation services that were designed for employees, patients, citizens, and customers, are increasingly being used to govern access for machine identities.

In fact, we are finding that much of the data modelling, lifecycle, workflows and processes already provided in the IAM stack can also be used to control access for machine accounts and emerging agentic AI infrastructure.

IAM and agentic AI

As mentioned, AI agents’ identity and access management needs to be treated as rigorously as that of human users.

Agentic AI providers are evolving specific authentication and permission models that aid governance of these machine identities.

User tokens for appropriate access control, particularly involving delegation flows, are an important part of the emerging standards for agentic AI governance.

Agentic frameworks including Microsoft AI Foundry, AWS Bedrock, Google Vertex and Salesforce Agentforce have an AI agent authentication and permission model that we can integrate with to provide IAM services.

Microsoft AI Foundry has developed its Blueprint platform to govern access of agents. When a Principal Agent is created, its ‘child’ agents inherit the same policies and access controls as the Principal Agent. This makes IAM and IGA more manageable for human employees with responsibility for governing agent lifecycles.

As a long-established IAM platform provider, we are updating our Cloud Connectors to bring in new objects and types and extending our application governance to show where the application is using agents. We are also providing more just-in-time workflows to avoid agents having long-lived privileged access in the cloud.

Retain human oversight

Even with high-quality data, AI accelerates the completion of work and increases efficiency, but it doesn’t remove human effort entirely. We cannot simply load up the data and hand over the reins to large language models and AI agents.

AI should augment decision-making, not replace it. Organisations still need humans in the loop to prevent AI agents overreaching their permissions, to identify when agents exhibit bias, and to avoid over-reliance on machine inference and predictions.

This human governance should be viewed as an enabler rather than a limitation. Human oversight safeguards against AI creating security risks, or giving bad or erroneous advice. Having a human owner, who has responsibility for specific AI activity, allows organisations to maintain accountability and increases trust in decisions that affect organisational outcomes.

As Sherlock di Schiavi, head of security architecture at the Office for Nuclear Regulation, has written, “AI is not magic, it’s probabilistic”.

Better data means more trustworthy AI, but human oversight is still non-negotiable. Governing agent access and privileges through robust, evolving IAM platforms is one of the most important steps organisations can take to harness AI’s transformative potential, securely and responsibly.
