What is available solution to implement AI solution in identityIQ

Which IIQ version are you inquiring about?

[Replace this text with your version of IIQ. The more specific you can be (7.1, 8.3, 8.X), the more people can help. If you do not know, put Unsure.]

Please share any images or screenshots, if relevant.

[Please insert images here, otherwise delete this section]

Please share any other relevant files that may be required (for example, logs).

[Please insert files here, otherwise delete this section]

What is available solution to implement AI solutions in identityIQ using onPrem options. LLM should not fetch data from outside network

Hi @kumar_priya,

If you are looking to enable AI capabilities in IdentityIQ (IIQ), SailPoint provides this through AI-Driven Identity Security integration.

  1. Ensure that AI-Driven Identity Security is enabled in IdentityIQ by importing the init-ai.xml file and configuring the AI integration components.

  2. In IdentityIQ, navigate to Global Settings → AI-Driven Identity Security Configuration (AI Configuration) and configure the connection details. This option becomes available after the AI integration has been installed.

  3. You will need an Identity Security Cloud (ISC) tenant. Generate the required Client ID and Client Secret in ISC and use them in the IIQ AI configuration page to establish the secure connection.

  4. For customers with strict network requirements, SailPoint uses a Virtual Appliance (VA) that is deployed within the customer-controlled environment to securely communicate with IdentityIQ and ISC.

  5. Once the configuration is completed successfully, AI-driven features such as Access Recommendations, Access Modeling, and other AI-based identity insights become available in IdentityIQ, depending on the licensed features.

Note: If the requirement is to use a completely isolated on-premises LLM that never communicates with ISC or any external SailPoint cloud services, SailPoint’s AI-Driven Identity Security offering does not currently operate in that mode and requires ISC integration.

Thanks,
SRM :expert_ambassador:

@kumar_priya Are you looking for Sailpoint provided AI driven solution? or custom solutions?

is SailPoint driven is onPrem or controlled solution ? because we don’t want data to be exchanged data outside

This is the documented approach from SailPoint, which requires the use of an LLM that may be hosted in the cloud.

Do you have any information on how the VA is configured? Specifically, I would like to understand what components and data the VA contains, and how it interacts with the LLM as part of the overall solution.

Hello, You may find the Virtual Appliance documentation helpful for understanding the VA architecture and deployment model:

SailPoint Virtual Appliance Documentation

Based on the documentation, the VA acts as a secure communication bridge between your on-premises systems and ISC, using outbound-only connections. For detailed information about the data exchanged with AI services and LLM interactions, I would recommend confirming with SailPoint Support team.

Hi @kumar_priya ,

Implement AI capabilities in SailPoint IdentityIQ while ensuring that all identity data remains within the organization’s network and is never transmitted to external AI services.

Implementation Steps

1. Define the Use Case

Identify the business problem AI will solve, such as workflow troubleshooting, access review assistance, policy violation analysis, identity search, or help desk support.

2. Prepare Infrastructure

Provision dedicated on-premises servers for:

· AI model hosting

· AI application/API layer

· Knowledge repository and vector database (optional)

3. Deploy a Local Large Language Model (LLM)

Install and host an enterprise-approved open-source model such as:

· Llama

· Qwen

· Mistral

· DeepSeek

The model must run entirely within the organization’s environment.

4. Restrict External Connectivity

Implement network controls to:

· Block internet access from AI servers

· Allow communication only between IdentityIQ and AI components

· Enable monitoring and auditing

5. Build an AI Service Layer

Develop a middleware service that:

· Receives requests from IdentityIQ

· Retrieves required identity and workflow information

· Interacts with the local LLM

· Returns responses to IdentityIQ

6. Integrate IdentityIQ

Connect IdentityIQ to the AI service using:

· REST APIs

· Workflow steps

· Rules

· Plugins

· Custom UI components

7. Prepare Knowledge Sources

Collect and organize:

· IdentityIQ design documents

· Workflow documentation

· Connector guides

· Operational procedures

· Internal support knowledge articles

8. Implement Retrieval-Augmented Generation (RAG)

Configure the AI solution to:

· Search internal documentation

· Retrieve relevant content

· Use retrieved information to generate accurate responses

9. Apply Security Controls

Implement:

· Role-based access control (RBAC)

· Authentication and authorization

· Audit logging

· Data masking for sensitive attributes

· Encryption in transit and at rest

10. Test in Non-Production

Validate:

· AI response accuracy

· Security controls

· Performance

· Access restrictions

· Audit logging

· Data residency requirements

11. Deploy to Production

Deploy the AI platform after successful testing and establish monitoring, support, and maintenance procedures.

12. Expand Capabilities

Gradually introduce additional use cases such as:

· Certification analysis

· Access recommendations

· Policy violation explanations

· Workflow diagnostics

· Identity analytics

High-Level Architecture

IdentityIQ → AI Service Layer → Local LLM → Internal Knowledge Repository

All components remain on-premises, ensuring that no IdentityIQ data leaves the organization’s network.

Any idea what is the requirement for VA ?

How Internal repository will be created/managed

@kumar_priya This mentioned in the above document: System and Network Requirements - SailPoint Identity Services

Seems above post is related to use an existing LLM (like GPT-4, Claude, etc.) and augment it with your own data. This requires you to index your documents into a knowledge base (vector store), and at query time, relevant chunks are retrieved and fed to the LLM as context. for this you need to prepare knowledge articles and keep them up to date. You also need to add additional sources via MCP to fetch details from external sources like Git, Jira, etc. These are few things you need to care of when you are building your own LLM.

Blocking internet access on VAs is one option to control the use of AI tools. However, would it be a better approach to allow access only to approved AI solutions and block all other AI services based on security recommendations?