If you are looking to enable AI capabilities in IdentityIQ (IIQ), SailPoint provides this through AI-Driven Identity Security integration.
Ensure that AI-Driven Identity Security is enabled in IdentityIQ by importing the init-ai.xml file and configuring the AI integration components.
In IdentityIQ, navigate to Global Settings → AI-Driven Identity Security Configuration (AI Configuration) and configure the connection details. This option becomes available after the AI integration has been installed.
You will need an Identity Security Cloud (ISC) tenant. Generate the required Client ID and Client Secret in ISC and use them in the IIQ AI configuration page to establish the secure connection.
For customers with strict network requirements, SailPoint uses a Virtual Appliance (VA) that is deployed within the customer-controlled environment to securely communicate with IdentityIQ and ISC.
Once the configuration is completed successfully, AI-driven features such as Access Recommendations, Access Modeling, and other AI-based identity insights become available in IdentityIQ, depending on the licensed features.
Note: If the requirement is to use a completely isolated on-premises LLM that never communicates with ISC or any external SailPoint cloud services, SailPoint’s AI-Driven Identity Security offering does not currently operate in that mode and requires ISC integration.
This is the documented approach from SailPoint, which requires the use of an LLM that may be hosted in the cloud.
Do you have any information on how the VA is configured? Specifically, I would like to understand what components and data the VA contains, and how it interacts with the LLM as part of the overall solution.
Based on the documentation, the VA acts as a secure communication bridge between your on-premises systems and ISC, using outbound-only connections. For detailed information about the data exchanged with AI services and LLM interactions, I would recommend confirming with SailPoint Support team.
Implement AI capabilities in SailPoint IdentityIQ while ensuring that all identity data remains within the organization’s network and is never transmitted to external AI services.
Implementation Steps
1. Define the Use Case
Identify the business problem AI will solve, such as workflow troubleshooting, access review assistance, policy violation analysis, identity search, or help desk support.
2. Prepare Infrastructure
Provision dedicated on-premises servers for:
· AI model hosting
· AI application/API layer
· Knowledge repository and vector database (optional)
3. Deploy a Local Large Language Model (LLM)
Install and host an enterprise-approved open-source model such as:
· Llama
· Qwen
· Mistral
· DeepSeek
The model must run entirely within the organization’s environment.
4. Restrict External Connectivity
Implement network controls to:
· Block internet access from AI servers
· Allow communication only between IdentityIQ and AI components
· Enable monitoring and auditing
5. Build an AI Service Layer
Develop a middleware service that:
· Receives requests from IdentityIQ
· Retrieves required identity and workflow information
· Interacts with the local LLM
· Returns responses to IdentityIQ
6. Integrate IdentityIQ
Connect IdentityIQ to the AI service using:
· REST APIs
· Workflow steps
· Rules
· Plugins
· Custom UI components
7. Prepare Knowledge Sources
Collect and organize:
· IdentityIQ design documents
· Workflow documentation
· Connector guides
· Operational procedures
· Internal support knowledge articles
8. Implement Retrieval-Augmented Generation (RAG)
Configure the AI solution to:
· Search internal documentation
· Retrieve relevant content
· Use retrieved information to generate accurate responses
9. Apply Security Controls
Implement:
· Role-based access control (RBAC)
· Authentication and authorization
· Audit logging
· Data masking for sensitive attributes
· Encryption in transit and at rest
10. Test in Non-Production
Validate:
· AI response accuracy
· Security controls
· Performance
· Access restrictions
· Audit logging
· Data residency requirements
11. Deploy to Production
Deploy the AI platform after successful testing and establish monitoring, support, and maintenance procedures.
12. Expand Capabilities
Gradually introduce additional use cases such as:
· Certification analysis
· Access recommendations
· Policy violation explanations
· Workflow diagnostics
· Identity analytics
High-Level Architecture
IdentityIQ → AI Service Layer → Local LLM → Internal Knowledge Repository
All components remain on-premises, ensuring that no IdentityIQ data leaves the organization’s network.
Seems above post is related to use an existing LLM (like GPT-4, Claude, etc.) and augment it with your own data. This requires you to index your documents into a knowledge base (vector store), and at query time, relevant chunks are retrieved and fed to the LLM as context. for this you need to prepare knowledge articles and keep them up to date. You also need to add additional sources via MCP to fetch details from external sources like Git, Jira, etc. These are few things you need to care of when you are building your own LLM.
Blocking internet access on VAs is one option to control the use of AI tools. However, would it be a better approach to allow access only to approved AI solutions and block all other AI services based on security recommendations?