Description
CIEM Source Scope Event Triggers prevent ungoverned cloud entitlements by providing customers with additional event triggers to automate notifications through workflows whenever new scopes are added and infrastructure monitoring source connector configurations change. Customers can now create triggers for when new scopes are added that are not currently being governed by CIEM, providing visibility in the event that cloud scopes are added in an unauthorized fashion. Furthermore, customers can now use the Auto Include disabled event as a workflow event trigger when an IAM Admin/Source Admin user toggles off the Auto Include functionality. Finally, the Disable (unselect) scope event can be used as a workflow event trigger when an IAM Admin/Source Admin enables or disables specific cloud scopes (AWS accounts, Azure subscriptions, or GCP projects). These triggers provide immediate visibility into monitoring gaps, enable customers to create custom workflows such as help desk tickets or alerting IAM and Cloud Admins to the changes, and ensure that all cloud infrastructure remains under active ISC governance.
Problem
Undetected configuration changes in a customer’s Cloud Scopes (AWS Accounts/Azure Subscriptions/GCP Projects) result in ungoverned cloud entitlements. The absence of automated alerting mechanisms forces customers to rely on manual periodic reviews, creating visibility gaps and delaying accountability for infrastructure security.
Solution
CIEM Source Scope Event Triggers introduce new workflow triggers that automate monitoring when new scopes are added and when Source Connector scope configurations change. IAM Admins can now trigger workflows based on new scopes being detected that are not currently under governance (disabled), on the enabling or disabling of individual Cloud Scopes (AWS accounts, Azure subscriptions, and GCP projects), and on the enabling or disabling of the Auto-Include Scopes toggle. These specific event triggers allow customers to immediately detect monitoring gaps, create custom workflows such as help desk tickets, and ensure all cloud infrastructure remains under active ISC governance.
Product Naming Terminology:
New Scope Detected: A new AWS account, Azure subscription, or GCP project was detected by SailPoint CIEM.
Auto-Include Scope Setting Changed: A user has disabled or enabled the Auto-Include Scope functionality for a source. When auto-include scope is disabled, SailPoint CIEM will not check for newly added AWS accounts, Azure subscriptions, or GCP projects.
Scope Selection Changed: A user has changed the scope selection for a source. If a cloud scope is deselected, SailPoint CIEM will no longer check for changes to that specific AWS account, Azure subscription, or GCP project.
Who is affected?
All CIEM customers.
Action Required
View and subscribe to these CIEM Source Scope Event Triggers in the Event Triggers dashboard to begin building your Workflows utilizing these triggers.
Important Dates
Sandbox rollout started Monday, 3/9
Production rollout started Monday, 3/16
What is Next Up?
CIEM customers can search by Cloud Resource in ISC Search.

