Managing access requests to data can be an overwhelming job for data stewards – and the pressure is mounting. The number of data users will continue to explode as AI capabilities make it easier for everyone – not just analysts or data scientists – to derive insights from data.
In other words, we are entering a world where everyone is a data consumer. And if everyone is a data consumer, that means data stewards are a flesh-and-blood bottleneck between everyone and data insights.
How can data access keep pace when the review process is antiquated, yet still required for compliance?
Consider the questions a data steward asks themselves:
- Do I have enough information to make an access decision?
- Do I really know what data consumers are requesting access to?
- Do I really know how much access I am giving them?
- How do I make my decision confidently?
- How do I know my decisions are consistent with other data stewards’ decisions?
- How can I hedge my decision when I’m not sure?
- How can I ever keep up with all these requests!?
Those questions, coupled with the pressure to increase review throughput, can cause compliance issues and stretch data access wait times to days or weeks.
That’s why we developed Review Assist, a capability within the Immuta AI layer that is the first step toward alleviating the data access review burden with AI.
What is Review Assist?
Review Assist monitors access request determinations made by humans (the data stewards), and finds trends across three factors that determine access approvals, temporary approvals, or denials. Those factors are:
- The data/data product itself, meaning the trends are associated with the specific requested data.
- Metadata about the requestors, such as the groups and attributes they possess.
- LLM-generated topic analysis of the requestor’s responses to the access request form.
Once Review Assist has identified trends, it begins to form a recommendation about whether the data steward should approve, temporarily approve, or deny the request.
Each recommendation is accompanied by an AI-generated justification, pre-populated so it can be submitted along with the access determination. This justification is based on the trends across the three factors above, as well as prior human-entered justifications. For temporary approvals, Review Assist also considers past temporary approvals to determine the recommended duration.
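To make the inputs and output concrete, here is a minimal sketch of how such a request and recommendation might be represented. The names and structure are purely illustrative assumptions for this post, not Immuta’s actual data model.

```python
from dataclasses import dataclass, field

# Hypothetical sketch of the signals Review Assist reasons over and what it
# produces. Names and structure are illustrative, not Immuta's actual data model.
@dataclass
class AccessRequest:
    data_product: str                                         # factor 1: the specific data requested
    requestor_groups: set[str] = field(default_factory=set)   # factor 2: the requestor's groups/attributes
    form_topics: set[str] = field(default_factory=set)        # factor 3: LLM-derived topics from form answers

@dataclass
class Recommendation:
    decision: str                      # "APPROVE", "TEMPORARY_APPROVE", or "DENY"
    justification: str                 # AI-generated, pre-populated for the steward to submit
    duration_days: int | None = None   # set only for temporary approvals
```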
How does Review Assist work?
Let’s run through a quick example that only considers the first two factors:
Requests for data product Y:
Denials appear to be strongly correlated with being in the Intern group (and approvals are correlated with NOT being in the Intern group).
Now we have a new request for data product Y:
Clete: Group = Sales
Review Assist would recommend APPROVE since Clete is not in the Intern group. So the steward would see this recommendation, along with an AI-generated justification:
Your request is considered LOW risk because a high percentage of users with similar characteristics have been granted access, and there are no clear reasons to deny this request based on past approval decisions.
These recommendation details help the steward understand why Clete’s request should be safe to approve. Since they’re based on similar determinations made by past data stewards, the steward can feel confident in the approval decision. Once approved, Clete will automatically be provisioned the data in the data platform and can query it immediately.
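To show the intuition behind that LOW-risk call, here is a toy, purely illustrative scorer over a hypothetical decision history for data product Y. Review Assist’s actual model isn’t shown here; this sketch only demonstrates the idea of an approval rate among similar past requestors.

```python
# Illustrative only: a naive frequency-based scorer over past determinations
# for a single data product. Review Assist's real logic is not public; this
# just shows the intuition of "approval rate among similar past requestors".
past_decisions = [
    # (requestor's groups, steward's decision) for data product Y -- hypothetical history
    ({"Intern"}, "DENY"),
    ({"Intern", "Marketing"}, "DENY"),
    ({"Sales"}, "APPROVE"),
    ({"Finance"}, "APPROVE"),
    ({"Sales", "Finance"}, "APPROVE"),
]

def approval_rate_for(groups: set[str]) -> float:
    """Approval rate among past requestors who share at least one group."""
    similar = [decision for g, decision in past_decisions if g & groups]
    if not similar:
        return 0.5  # no comparable history: neither clearly low nor high risk
    return sum(d == "APPROVE" for d in similar) / len(similar)

clete_groups = {"Sales"}
rate = approval_rate_for(clete_groups)
risk = "LOW" if rate >= 0.8 else "HIGH" if rate <= 0.2 else "MODERATE"
print(risk)  # LOW -> recommend APPROVE, with a justification citing the trend
```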
Now, let’s take this example a step further and consider the third factor.
When exposing data products to users, data stewards can include custom request forms that gather all needed information from the requestor in order to make an access determination. These request forms can have three types of answers: free text, drop-down, and multi-select.
Let’s say data product X has the following questions in its request form:
Now, let’s look at the same users requesting a different data product, Data Product X, using the request form above. This allows Review Assist to topically analyze the requestors’ responses in addition to their groups and attributes:
Requests for data product X:
As you can see, form responses that topically include direct marketing or intern projects seem to result in access denials. And the answers to these new questions actually changed two determinations from APPROVE to DENY (Fran and Hank). Responses that topically align with fraud prevention analysis are tied to approvals.
Now, Clete is back with this request for Data Product X:
Clete: Group = Sales; Q1: Q2 Enablement; Q2: Competitive Analysis
Clete’s request is now less clear-cut. While he is not in the Intern group (good), his question responses don’t topically align with past approvals’ responses (bad). So in this case, Review Assist would instead register this request as medium risk and recommend a temporary approval. This outcome hedges risk with a justification such as:
Your request for this data product is considered MODERATE risk since you are not in the Direct Marketing group or an Intern, and 3 similar users have been granted access with no denials. You will be granted provisional approval for 14 days.
Once those two weeks have passed, Immuta will deprovision Clete’s access automatically.
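Extending the toy scorer from earlier with this third factor, the sketch below shows how mixed signals could lead to a temporary approval whose duration follows past temporary approvals (or a sensible default). The topic sets, thresholds, and helper names are assumptions made for illustration, not Immuta’s actual logic.

```python
# Extending the illustrative scorer with the third factor: topic overlap between
# the requestor's form answers and topics seen in past approvals/denials.
# Values and thresholds are hypothetical, not Immuta's actual logic.
from statistics import median

APPROVED_TOPICS = {"fraud prevention analysis"}
DENIED_TOPICS = {"direct marketing", "intern projects"}
PAST_TEMP_DURATIONS_DAYS = [7, 14, 14, 30]   # hypothetical prior temporary approvals
DEFAULT_DURATION_DAYS = 14

def classify(groups: set[str], topics: set[str]) -> tuple[str, int | None]:
    group_signal_ok = "Intern" not in groups            # factor 2 trend from the example
    topic_signal_ok = bool(topics & APPROVED_TOPICS)    # factor 3: aligns with past approvals
    topic_signal_bad = bool(topics & DENIED_TOPICS)     # factor 3: aligns with past denials

    if group_signal_ok and topic_signal_ok and not topic_signal_bad:
        return "APPROVE", None
    if not group_signal_ok or topic_signal_bad:
        return "DENY", None
    # Mixed signals: hedge with a temporary approval whose duration follows past ones
    duration = int(median(PAST_TEMP_DURATIONS_DAYS)) if PAST_TEMP_DURATIONS_DAYS else DEFAULT_DURATION_DAYS
    return "TEMPORARY_APPROVE", duration

# Clete's new request for Data Product X: not an Intern, but his answers
# ("Q2 Enablement", "Competitive Analysis") don't match past approval topics.
print(classify({"Sales"}, {"competitive analysis"}))  # ('TEMPORARY_APPROVE', 14)
```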
Get a more in-depth look at Review Assist in this demo:
Combining Review Assist with AI agents
As you can see, Review Assist handles most of the legwork in tracking historical access determination trends and generating meaningful justifications. As those trends strengthen over time, and your team builds trust in Review Assist, it will be possible – and potentially more efficient – to delegate work to AI agents.
Consider the following scenario: It’s the end of the day, and a steward has a pile of requests they haven’t yet gotten to. But they have been using Review Assist for quite some time and trust its recommendations. So, the steward opens their AI agent interface, which is configured to talk to the Immuta Marketplace provisioning APIs over Model Context Protocol (MCP), and asks it for help getting through the requests. This may include actions such as:
- Show me outstanding requests.
- Process requests you determine to be high risk and low risk, and leave the medium risk ones for me to manually review.
- How many medium-risk requests remain?
- Summarize the common themes behind why they are medium risk.
This allows the steward to not only quickly make determinations on outstanding requests, but also efficiently interrogate details of those requests through the AI agent.
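For a rough idea of what that delegation could look like in code, here is a hypothetical end-of-day sweep an agent might run against MCP tools exposed by the Marketplace provisioning app. The tool names (list_outstanding_requests, apply_determination) and payload fields are invented for this sketch and are not documented Immuta APIs.

```python
# A hypothetical end-of-day sweep an AI agent might perform via MCP tools
# exposed by the Immuta Marketplace provisioning app. The tool names below
# are invented for this sketch and are NOT documented Immuta APIs.

def end_of_day_sweep(marketplace) -> list[dict]:
    """Auto-process low- and high-risk requests; return the medium-risk ones for a human."""
    needs_human = []
    for request in marketplace.list_outstanding_requests():   # hypothetical MCP tool
        rec = request["review_assist"]                         # risk level, decision, justification
        if rec["risk"] in ("LOW", "HIGH"):
            # Follow Review Assist: approve low-risk, deny high-risk,
            # submitting the pre-populated justification with the determination.
            marketplace.apply_determination(                   # hypothetical MCP tool
                request_id=request["id"],
                decision=rec["recommended_decision"],
                justification=rec["justification"],
            )
        else:
            needs_human.append(request)   # medium risk: leave for the steward
    return needs_human
```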
Watch a video of this in action:
Increasing throughput, accuracy, and consistency
Together, the Immuta Marketplace provisioning app and Review Assist are meant to address the concerns that currently plague data stewards in a way that accelerates data access while maintaining accuracy and consistency. Here’s how they answer some of data stewards’ most pressing questions:
Do I have enough information to make an access decision?
Within the Immuta Marketplace provisioning app, you can customize request forms that ask the relevant questions needed to make a confident, informed determination. More interestingly, Review Assist tracks the trends and consistency in request form responses, and presents those insights as part of its recommendation.
Do I really know what data consumers are requesting access to?
The Immuta Marketplace provisioning app has two characteristics that make Review Assist extremely accurate. First, it grants access to users, not roles or groups. Second, it grants access to exactly the data requested, no more.
When granting access to roles or groups, this is rarely possible, because there are always other users in the group or role who will get access to more data than they need. Any determination is partially blind to who is in the role/group, what data that role/group already has access to, and what future grants that role/group may receive. Conversely, with the Immuta Marketplace provisioning app, you know exactly what data you are granting to whom, which also makes Review Assist highly accurate and trustworthy.
Do I really know how much access I am giving them?
The answer from the prior question carries over here as well. Since an individual is gaining access to the specific data they requested – and no more – it is clear exactly what level of access you are approving. This is not true when granting access to a role/group. Additionally, Review Assist evaluates all recommendations within the bounds of the data in question, meaning its recommendations are not blurred by implied access via groups/roles.
How do I make my decision confidently?
Review Assist recommendations are based on past decisions. Just like any AI model, the more data it has, the smarter and more accurate it will be. Over time, the amount of thought and effort required of you to make a determination will decrease, and your confidence will increase.
How do I know my decisions are consistent with other data stewards’ decisions?
Historical determinations are a powerful function within Review Assist. When sharing review responsibilities with other stewards, Review Assist’s recommendations will help future stewards by leveraging and exposing past determinations.
How can I hedge my decision when I’m not sure?
When Review Assist has enough data, but not a clear trend, it will recommend a temporary approval. The duration of that temporary approval will be based on past durations (or if none exist, a sensible default). You can accept this recommendation, or of course, make your own. In general, temporary approvals provide a path to access that reduces overall risk and does not require a binary approve/deny decision.
How can I ever keep up with all these requests!?
Hopefully this one is clear. Over time, you will need to put less and less thought into access requests because Review Assist will learn from past behavior and present those determinations as recommendations. As discussed above, once a foundation has been built and a level of trust is established with Review Assist, it is possible to leverage AI agents for clear-cut decisions, removing manual “from scratch” human interactions from many requests.