In this article
If you know Lumos, you know we believe deeply in the promise of autonomous identity (see our whitepaper for more details). We see it as the only path forward for an industry that struggles with a basic but essential question: Who has access to what, and should they?
Attack vectors have changed. Hackers aren't hacking in, they're logging in. And organizations have to assume that their authentication line of defense can and will be compromised. At the same time, IT environments are exploding, as the average org uses more than 650 applications. Threat and complexity levels are at all time highs, and companies can't avoid using Identity Governance platforms (IGA) anymore. But the traditional approach is too slow, too reactive, and too manual.
We know that an autonomous approach is the only way for companies to stay ahead, be proactive instead of reactive, and finally do IGA at the scale and speed they require.
Today, we're announcing Albus - the first AI Agent for Autonomous Identity Governance.
We built Albus because something is fundamentally broken in how identity is managed today.
But to understand why Albus matters, we have to understand how we got here.
The Challenge: Managing Access Needs More Than Visibility or Automation. It Needs Autonomy.
The challenge didn’t start with identity - it started with apps. As teams adopted their own tools, the number of apps in most companies exploded. Meanwhile, the nature of identity itself changed. It no longer comprised just people - service accounts, bots, agents, and scripts now make up the majority of identities, increasing the access surface up to 50 times.
But IT and security teams didn’t scale to match. Instead, they’ve been left reacting - fielding tickets, approving requests, and chasing down reviews - while users wait and risk grows. This is the APPocalypse: an explosion of complexity without the right systems to manage it.
To fight the sprawl, organizations turned to IGA. On paper, it promised order: control and governance over who receives access. But in practice, it added overhead. IGA tools became known as the most complex and costly identity initiatives to implement - so much so that even Gartner advises against attempting deploying an IGA tool without significant support.
Why This Is a Problem Autonomy Can Solve
The identity landscape is not just complex, it’s constantly evolving. And that makes it a perfect candidate for autonomy and agentic workflows. Here's why:
- Organizations are dynamic. Teams shift, roles evolve, and tools change. Static rules fall behind fast.
- It’s a constant tradeoff. Security wants control. IT wants fewer tickets. Business wants speed. Compliance wants regulatory adherence
- The data is a mess. Titles vary, access logs are noisy, and business context lives in many places.
IGA systems still expect humans to do all the work - define access, write policies, chase approvals, run reviews. But identity is 100x more complex than it was a decade ago. We can’t brute-force our way out of it. If you’re flying a Cessna, manually controlling the plane works. But IAM teams today are flying a Boeing 787 at 500 knots. You need autopilot - not to replace the pilot, but to keep the system stable.
That’s what autonomy means: a system that handles the time-consuming parts, while letting humans focus on the exceptions. It’s the only way to shrink time-to-value, reduce costs, and finally bring the APPocalypse under control.
The Promise: From Copilots to Coworkers
AI is not new to identity, but it never delivered on its promise. Rollout times stayed long. Maintenance stayed expensive. Teams still struggled.
Why? Because most AI in identity was just a copilot: flag an anomaly, suggest a role, surface insights on dashboard. It never closed the loop. It didn’t understand context, couldn’t learn from feedback, and never adapted to change.
In September 2024, everything changed. OpenAI released the o1 models, the first with real reasoning power. These models did not just generate an answer based on historical data. They could break problems into steps, ask clarifying questions, and course-correct with feedback. They could collaborate. That shift made true AI agents possible.
Because complex and nuanced problems aren’t solved in one shot. They’re solved through back-and-forth, clarity, and nuance. Copilots couldn’t do that. They couldn’t ask the right follow-ups. They couldn’t track multi-step plans. They couldn’t improve with feedback.
The newer models can. They learn, adapt, and work inside high-complexity environments while staying aligned to user goals. That’s the foundation for AI agents. And that’s where Lumos comes in.
We didn’t build just a copilot. We built the first true AI Agent for identity. A system that works like a coworker. It’s the only way to handle IGA at scale without endless maintenance costs and million-dollar rollouts. The chart above illustrates the paradigm shift. AI in identity today sits on the left side of that chart. Lumos is on the right.
Albus: Introducing Agency into Identity
Albus is the world’s first Identity AI Agent. It’s not just a copilot. It’s a teammate that helps you reason through tough access decisions and take action with confidence. With Albus, Lumos introduces something new to IGA: agency. It’s the ability for a system to understand context, make decisions, and adapt alongside you.
That’s what legacy and modern IGA tools are missing. Large enterprises like United Airlines and Mars, managing hundreds of thousands of workers, chose Lumos because it’s fast to deploy and easy to maintain. Modern companies like Pinterest and MongoDB picked Lumos because of how it keeps up with their very dynamic environment. With Albus, they get a system that reasons, learns, and keeps pace with the business.
Albus doesn’t just analyze access. It understands why access matters. It learns context. It makes recommendations. It asks clarifying questions. And, it acts with explanations built in; so IT and security teams always know what’s happening and why. That level of clarity is essential because it means you can automate without losing oversight.
We named it Albus for a reason. In Harry Potter, “Lumos” is a spell that lights up the tip of a wand - and Albus was always the wizard who showed what’s possible with that light.
Under the hood, Albus comprises multiple agents that specialize across use cases. The first use case of Albus is role mining, helping you build clean, scalable policies for RBAC and ABAC. Next, Albus will help uncover and investigate anomalous access before it becomes a problem. In the future, any identity workflow from access reviews to access requests will move from static dashboards to intelligent conversation.
Let’s show what that looks like in action.
Use Case 1: Create Roles and Policies That Actually Work
IT and IAM teams want one simple thing: make sure people have the right access from day one so they can get to work. Nothing kills momentum like logging in on your first day, ready to build something great, and hitting a permission denied screen.
Legacy and even modern IGA tools try to help, but they fall short. Every company has dozens of HR attributes, scattered systems, and years of access debt that skew any clean starting point. That level of noise turns role building into a multi-quarter effort, and most teams give up. Onboarding of employees either drags for weeks or leans on a "copy access" model from whoever’s been around the longest. Neither approach leads to least privilege and neither approach scales. That’s why 50 percent of IGA deployments are in distress.
However, clean roles don’t have to take quarters. Albus makes it possible to go from messy data to usable policies in weeks, not months, and helps you keep them current.
Albus starts by figuring out which HR attributes actually matter. A company with 10,000 employees might have over 5,000 unique title and team combinations. That’s too much to manage. Others, like “cost center” alone, are too vague. Albus evaluates every option and finds the combinations that are both predictive and practical. For the example above, Albus found that “worker type + cost center” was the sweet spot.
From there, it builds the role architecture. Albus groups access into four categories: universal, birthright (based on attributes), requestable (with approval), and restricted (with tight controls).
Once the structure is in place, Albus helps define what each role should include, and why. It doesn't just look at who has access. It also checks usage data and understands what each entitlement actually provides, like whether it grants admin rights or access to sensitive systems. Based on that, Albus suggests role combinations that are common, consistent, and easy to manage.
You can ask follow-ups, give feedback, and refine what “least privilege” means in your context. It’s a back-and-forth with an expert, not a black box. Albus works like a teammate who can analyze thousands of data points, give you a draft, and work with you to get it right.
The result is real scale. We worked with a global bank and built their full role architecture in under three weeks. Their team told us it would have taken twelve months without us. And by then, it would already be outdated. Albus helped them move fast, saved millions of dollars, and gave every employee a better first day.
And when the org chart changes, you don’t start over. You just ask Albus what needs to change.
Use Case 2: Find Anomalies Across All Your Access
Security teams want to make sure users have the access they need. No more, no less. But in a company with 5,000 employees, there are often over 200,000 accounts and more than 5 million entitlements. If someone has too much access, attackers can exploit it. The question is, where do you even start?
IGA systems were built to govern access, not detect threats. Even though identity is the new battleground, IGA is rarely used as a security product. You get dashboards, static rules, and manual reviews. But spotting meaningful risks in all that noise is overwhelming.
Now, picture a different approach. You ask a question like, “Show me all the anomalies in Google Cloud,” and Albus goes to work. It analyzes real usage, builds a baseline for normal access by job role, team, and location, then flags outliers with risky combinations. It scores each anomaly and explains exactly why it stands out.
The output might look like this: John Smith works in engineering. Albus finds he has Project Owner access to finance data in Google Cloud. That’s not a typical admin label, but Albus understands the access is privileged and not part of any baseline for engineers. It flags it as an anomaly. That’s the kind of insight that would take weeks of work to find.
From there, the use cases expand. Albus helps you surface SoD violations, generate risk reports, and prepare for audits. It doesn’t flood you with alerts. Instead, it gives you tools to explore your environment, surface meaningful risks, and act with confidence.
A CISO who saw this said it best: “We’d need to pay consultants millions to get that data.” With Albus, you’re not reading spreadsheets or writing queries. You just ask.
Are You Future Proof?
The real question for every leader today is this: Are you future-proof in a world where complexity keeps growing?
Think about how cars evolved. Moving from a manual stick shift to automatic transmission made driving easier long before full self-driving arrived. Identity is no different. You don’t go straight to full autonomy. But every step forward towards autonomy makes your systems faster, safer, and easier to manage.
Here’s what that looks like in practice:
- Save Time: Automate complex tasks like role modeling and access reviews without growing your team.
- Improve Security: Move from broad, overprovisioned access to precise, least-privilege access backed by real usage data.
- Scale Confidently: Albus responds to org changes and security threats in real time, without manual effort.
And now, that future is here. Albus is available to demo starting today for the use case of Policy Management. Anomalous access detection is next. More identity workflows will follow.
Getting started is simple. Connect a few core systems like Entra ID, Workday, AWS, or GCP. Give Lumos a day to sync. Then open Albus and ask your first question.
That’s it. Let’s try it out together! Book a demo today!
