Intelligent Authorization Agent

This feature is currently available only to customers participating in a Private Preview. If you'd like to participate and be among the first to try this feature, ask our support or account team for details.

Intelligent Authorization Agent (IAA) is an AI-powered access-approval agent that automates Secret Server approval workflows, streamlining the process and reducing the risk of unauthorized access while enhancing compliance with existing security policies.

IAA evaluates each access request based on:

  • the requester’s identity

  • the requester’s stated intent

  • contextual risk signals

  • historical patterns

  • your organization’s policies

IAA vs. Manual Approval

Traditional manual access approvals can be time-consuming for both administrators and users, are prone to human error, and may not adequately assess the risk associated with each request.

IAA addresses these challenges with automation based on comprehensive data, enhancing security and efficiency while still enabling human administrators to analyze approvals and intervene as necessary.

Most importantly, IAA will not grant additional access beyond what is requested. In addition, administrators are able to give feedback on past approvals, allowing IAA to learn and adapt over time to improve its decision-making capabilities.

Recommendation vs. Automated Decision

IAA operates in two primary modes: recommendation only and automated decision.

In the recommendation mode, IAA provides suggestions to a human approver.

In the automated decision mode, IAA can approve or deny requests based on predefined criteria.

The process flows like this:

  1. Request Submission: A user submits an access request, including a ticket number and justification.

  2. Risk Assessment: IAA evaluates the requester's risk score, location, business hours, and other contextual signals.

  3. Ticket Verification: IAA retrieves and analyzes the content of the associated ticket from systems like Zendesk.

  4. Decision Making: Based on the analysis, IAA either denies the request or recommends approval to a human approver.

  5. Feedback Loop: Administrators can provide feedback on IAA's decisions, which is used to improve the system's accuracy over time.

Enabling IAA

IAA must be enabled, given a service user, assigned a profile, and assigned to a workflow.

  1. Enable IAA

    1. Navigate to the Intelligent Authorization Agent page.

    2. Select Edit.

    3. Change the State switch to Enabled.

    4. Accept the AI usage agreement.

  2. Create a service user

    1. Navigate to the Add Service User page.

    2. Assign appropriate roles/permissions; you will attach this account to an IAA profile later.

IAA Profiles

IAA can run multiple profiles—each with its own approval strictness.

You must assign one profile to one workflow.

You define a profile with two key settings: Recommend vs. Decide mode, and specific Authorization Instructions.

Mode | Behavior
Decide | IAA automatically approves or denies the request
Recommend | IAA only recommends an action; a human still approves/denies

Creating a profile

  1. From the Intelligent Authorization Agent page, select the Profiles tab.

  2. Select Add Profile.

  3. Provide the following:

    1. Name – a descriptive profile name

    2. Mode – Recommend or Decide

    3. Service User – select a previously-created service user

    4. Authorization Instructions – IAA supports three prompt templates that guide how access requests should be evaluated:

      1. Check Creator: IAA verifies that the user creating the access request is not the same user who created the ticket in the referenced ticketing system (e.g., Zendesk). This prevents users from creating their own tickets to justify access.

      2. Check Location: IAA checks whether the requester's location is unusual or inconsistent with expected behavior.

      3. Ignore Ticket: IAA skips validation of the reference ticket and does not use it as part of the access decision.

  4. Assign to a Workflow.

Access Requests

1. View requests

To view access requests handled by IAA, navigate to the Access Requests page.

This is not the same as the Secret Access Requests page.

The columns show:

  • request details

  • the IAA profile used

  • the outcome: Approved, Denied, or Recommended (if the profile is in Recommend mode)

To view additional data about a specific access request, click its row in the table. Data include:

  • requestor account

  • date and time

  • requestor comment

  • IAA’s reasoning for its recommendation or decision

2. Provide feedback

  • Feedback: Users can provide feedback on IAA’s decisions by giving a thumbs up or flagging them. This feedback is collected by our AI operations backend to continuously improve IAA’s accuracy.

    • Thumbs up – Indicates the decision was appropriate

    • Flag – Indicates the decision or its reasoning was incorrect or needs improvement

Zendesk Integration

Zendesk integration supplies IAA with ticket context (e.g., confirming that a database bug-fix ticket exists for the request). To connect to Zendesk from the Delinea Platform:

  1. Navigate to the Add Connector page.

  2. Select Zendesk and enter the following:

    1. Display Name

    2. Base Address

    3. API Key

    4. Email (API user)

  3. Click Save.

IAA Decision Factors

When IAA evaluates an access request, it considers the following (non-exhaustive) checks:

  • Ticket number – Matches the ITSM ticket (e.g., Zendesk) with the access request

  • Ticket justification – Request reason must align with ticket description

  • Ticket owner – Requester must match the ticket’s assignee or requester

  • Request justification – Denied if missing, insufficient, or unrelated

  • User risk score – Critical/high-risk users require stricter scrutiny

  • User attributes:

    • Day of week (requests on weekends are flagged)

    • Working hours vs. off-hours

    • Login location anomalies

    • MFA status (denied if 2FA is absent)
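
The deterministic subset of these checks can be run independently to audit IAA outcomes and decide which ones to flag in the feedback view. The sketch below is an added example, not Delinea's implementation: the record shapes, field names, working hours and the choice to treat a ticket mismatch or a self-created ticket as a denial are assumptions, and the semantic check (justification aligned with the ticket description) is left out.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Request:              # hypothetical shape, not a Delinea schema
    requester: str
    justification: str
    ticket_id: str
    when: datetime          # requester's local time
    risk: str               # "low" | "medium" | "high" | "critical"
    mfa: bool
    location_anomaly: bool = False

@dataclass
class Ticket:               # hypothetical ITSM ticket summary
    ticket_id: str
    creator: str
    requester: str
    assignee: str

def audit(req: Request, ticket: Optional[Ticket], check_creator=True,
          ignore_ticket=False, work_hours=(9, 17)):
    """Return (verdict, reasons): 'deny', 'review' (flagged) or 'pass'."""
    deny, flags = [], []
    if not req.justification.strip():
        deny.append("missing justification")
    if not req.mfa:
        deny.append("MFA absent")
    if not ignore_ticket:   # mirrors the Ignore Ticket instruction
        if ticket is None or ticket.ticket_id != req.ticket_id:
            deny.append("ticket number does not match")
        else:
            if req.requester not in (ticket.assignee, ticket.requester):
                deny.append("requester is not ticket assignee or requester")
            if check_creator and req.requester == ticket.creator:
                deny.append("requester created the ticket")
    if req.when.weekday() >= 5:
        flags.append("weekend")
    if not work_hours[0] <= req.when.hour < work_hours[1]:
        flags.append("off-hours")
    if req.location_anomaly:
        flags.append("location anomaly")
    if req.risk in ("high", "critical"):
        flags.append("high-risk user")
    return ("deny" if deny else "review" if flags else "pass"), deny + flags

def worth_flagging(iaa_outcome: str, verdict: str) -> bool:
    """True when IAA approved a request the hard rules would deny."""
    return iaa_outcome == "Approved" and verdict == "deny"

# Constructed samples: 2025-03-04 is a Tuesday, 2025-03-01 a Saturday.
T = Ticket("4711", creator="bob", requester="bob", assignee="alice")
OK = Request("alice", "Fix DB bug, ticket 4711", "4711", datetime(2025, 3, 4, 10), "low", True)
SELF = Request("bob", "Need prod access", "4711", datetime(2025, 3, 1, 22), "high", True)
```
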

AI Safety Statement

Data Privacy and Processing

Delinea uses Azure OpenAI, provided by Microsoft, to enhance our offerings. Key data handling and privacy features include:

  • Regional Data Hosting: All data is hosted and processed within the same region that you have selected for your cloud operation, ensuring compliance with regional data handling regulations.

  • Data Deletion After Processing: When Azure OpenAI finishes processing data from the Delinea Platform, the data is immediately deleted from Azure and not retained by Microsoft. This ensures that evaluation data is handled securely and transiently.

  • No AI Training with Customer Data: Delinea does not use customer data to train AI models. We are committed to ensuring that customer data is used strictly for the purpose of delivering the services requested and maintaining privacy and integrity.