October 14, 2025

Using Albus for Role Mining: The Agentic Way to Build Smarter Access Policies

Discover how Lumos and Albus, the first agentic AI for identity governance, transform role mining from a manual, error‑prone process into an intelligent, automated workflow. Learn how Albus analyzes attributes, maps access, and validates policies to deliver scalable, context‑aware RBAC and ABAC governance.

Last updated: October 13, 2025
Janani Nagarajan
Product Marketing @Lumos

Every customer call starts the same way: no one wants to manage access with spreadsheets, CSVs and guesswork. Authorization policies are too critical for security and compliance to be manual. That’s why we built Albus - the first truly agentic AI for identity governance - to bring autonomy, context, and clarity to role mining at scale.  

Why Traditional Role Mining Falls Short 

As organizations adopt GenAI and agentic frameworks, they’re demanding better visibility, governance, and automation – without the complexity or the slowdown. But building right-sized access controls isn’t as easy as it sounds. IT and security teams still struggle to untangle messy attributes, inherited permissions, and evolving org structures. 

Here’s why: 

  • Fragmented & Siloed Data – Data lives across HRIS, IdP, cloud apps, and local directories. Titles and cost centers don’t tell the full story.
  • Access Sprawl – Over time, users accumulate permissions that never get revoked.
  • Distributed Ownership – No single team owns role maintenance. It’s shared (and often dropped) between app owners, IT, and security.

Why the Promised Land of Role Mining Remains Out of Reach

The idea behind role mining, first introduced in 2003, is simple: analyze user permissions, system logs, and access patterns to group users with shared needs. In practice, though, it’s anything but simple.

  • Data Overload: The volume of users, entitlements, and policies makes it nearly impossible to process meaningfully at scale.
  • Missing Business Context: Knowing who has access is easy. Knowing why is the hard part and is often undocumented.
  • Constant Change: Teams, apps, and policies shift constantly, creating access drift that humans and manual processes can’t keep up with.

The Lumos Approach: An Agentic Way to Solve Role Mining

Albus makes role mining intelligent, contextual, and collaborative. It is designed to handle the scale and complexity of a dynamic environment. Albus learns context and adapts to your environment continuously, acting like a trusted teammate.

Albus goes beyond other static AI wrappers when it comes to managing access. It understands why access matters. It learns context. It makes recommendations. It asks clarifying questions. And, it acts with human oversight, always giving evidence-backed explanations so your teams always know how roles and policies are crafted and why. 

The Three Steps of Policy & Role Mining (with Albus prompts)

Policy and role mining doesn’t have to be a black box. With Albus, our AI identity agent, Lumos helps IT and security teams uncover, map, and operationalize access policies through three clear, data-driven steps, each guided by intuitive prompts and automated insights.

  1. Find the optimum attribute selection for role creation
  2. Map Access into Smart Matrix for Policy Management
  3. Turn Insights into Action with Policy Validation

Step 1: Find the optimum attribute selection for role creation

Albus analyzes your identity landscape, including users, cost centers, and other key attributes. It defines evaluation criteria and ranks the attributes across multiple dimensions to strike the optimal balance between manageability, granularity, and coverage.

Albus Prompt: Show me all user attributes in my source of truth (look at custom attributes) and create a table for each user attribute type and what percentage of the whole population (only active human identities) have one.

Step 2: Map Access into Smart Matrix for Policy Management

With the right visibility and intelligence in place, Albus maps the access distribution across the entire application landscape. It groups access into buckets by access type, such as:

  • Birthright access (auto-granted)
  • Universal access (everyone gets it)
  • Self-service access (AppStore approval-based)
  • Restricted access (sensitive or privileged)

It analyzes multiple dimensions: who has what access, their attributes (role, title, department, etc.), entitlement types (read, admin, etc.), and how access is actually used.

Albus Prompt: “Score my attributes for building policies based on coverage, granularity, and manageability.” 

Albus Prompt: Suggest access policies for me looking at the dimensions of worker type and team.
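The attribute coverage table from Step 1 and the access buckets from Step 2 can be reproduced by hand on a small export, which is a useful cross-check when reviewing any suggested policy. This is an added example, not Lumos or Albus code: the sample identities, the `PRIVILEGED` set, the function names, and the rule that an entitlement held by an entire attribute group is a birthright candidate are all assumptions.

```python
from collections import defaultdict

# Constructed sample identities (not Lumos data). None = attribute missing.
USERS = {
    "ana": ({"team": "eng", "worker_type": "employee", "cost_center": "100"},
            {"slack:member", "github:write", "aws:admin"}),
    "ben": ({"team": "eng", "worker_type": "employee", "cost_center": "100"},
            {"slack:member", "github:write"}),
    "cy":  ({"team": "eng", "worker_type": "contractor", "cost_center": None},
            {"slack:member", "github:write"}),
    "dee": ({"team": "sales", "worker_type": "employee", "cost_center": "200"},
            {"slack:member", "salesforce:user"}),
    "eli": ({"team": "sales", "worker_type": "employee", "cost_center": "200"},
            {"slack:member", "salesforce:user", "figma:editor"}),
    "fay": ({"team": "sales", "worker_type": "contractor", "cost_center": None},
            {"slack:member", "salesforce:user"}),
}
PRIVILEGED = {"aws:admin"}  # assumption: admin-type entitlements are pre-flagged

def attribute_stats(users):
    """Per attribute: coverage (% of users with a value) and distinct values."""
    values = defaultdict(list)
    for attrs, _ in users.values():
        for name, value in attrs.items():
            if value not in (None, ""):
                values[name].append(value)
    return {name: {"coverage_pct": round(100 * len(v) / len(users), 1),
                   "distinct_values": len(set(v))}
            for name, v in values.items()}

def classify_entitlements(users, attr, threshold=1.0):
    """Bucket each entitlement; threshold = share of a group that must hold it."""
    groups = defaultdict(list)
    for attrs, ents in users.values():
        groups[attrs.get(attr)].append(ents)
    buckets = {}
    for ent in sorted(set().union(*(e for _, e in users.values()))):
        # Attribute values whose whole group (per threshold) holds this entitlement.
        full = sorted(g for g, m in groups.items()
                      if g is not None and sum(ent in e for e in m) >= threshold * len(m))
        bucket = ("restricted" if ent in PRIVILEGED else
                  "universal" if all(ent in e for _, e in users.values()) else
                  "birthright" if full else "self-service")
        buckets[ent] = (bucket, full if bucket == "birthright" else [])
    return buckets

if __name__ == "__main__":
    print(attribute_stats(USERS), classify_entitlements(USERS, "team"))
```

Grouping the same data by `worker_type` instead of `team` moves `github:write` out of the birthright bucket, which is why attribute selection comes before policy mapping.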

Step 3: Turn Insights into Action with Policy Validation

Albus generates right-sized RBAC/ABAC access policies and provides full transparency for review. Engage with business app owners and role owners to review findings and validate access patterns. They can confirm compliance requirements and help you fine-tune policies based on findings. Through each step of the process, Albus learns with your feedback and dynamically adapts to adjust roles and policy recommendations to meet your organizational needs. Albus enforces ABAC/RBAC access policies through your automation workflows or Lumos Lifecycle Management.    

Albus Prompt: Create an access policy for [specific team]. List birthright vs. self-service recommendations.

Why Lumos is Suited for Your Organization 

Lumos doesn’t just mine roles using static models. It delivers a self-governing, learning access model that scales with your organization. 

  • Fine-Grained Data: Goes beyond AD or Okta groups to include detailed entitlement and usage data.
  • Rich Context: Understands whether something is privileged, and allows admins to layer on business context like onboarding manuals or compliance frameworks.
  • Agentic Approach: Albus doesn’t just suggest; it collaborates. It can generate role matrices, validate them with you, and continuously refine them based on data across multiple sources like HRIS, IdP, and app integrations.
  • Integrated with Automation Workflows: Connects directly with Lumos LCM for seamless policy enforcement across joiners, movers, and leavers.

The Takeaway

Role mining doesn’t have to be a painful data exercise or become a major architectural overhaul. With Albus, Lumos transforms it into a continuous, AI-driven process - one that understands context, enforces least privilege, and scales securely as your business grows.

Getting started is simple:

  1. Connect a few core systems like IdP and HRIS or AWS.
  2. Have Lumos sync data.
  3. Open Albus and ask your first question.
  4. Be on your way to simplifying role engineering and RBAC/ABAC policy management.

Want to see more Albus prompts? Check here. 

Ready for a free assessment with Albus? Book here. 

Short on time? Attend our webinar “Bring Agentic AI to your IGA” for a live demo of Lumos’ AI-native autonomous platform and see a real-time role mining exercise. Register here.
