Delinea Authorization Powered by Iris AI

This feature is currently available only to customers participating in a Private Preview. If you'd like to participate and be among the first to try this feature, ask our support or account team for details.

Delinea Authorization powered by Iris AI (Iris Authorization) is an AI-powered access-approval agent that automates Secret Server approval workflows, streamlining the process and reducing the risk of unauthorized access while enhancing compliance with existing security policies.

Iris Authorization evaluates each access request based on:

  • the requester’s identity

  • the requester’s stated intent

  • contextual risk signals

  • historical patterns

  • your organization’s policies

Iris Authorization vs. Manual Approval

Traditional manual access approvals can be time-consuming for both administrators and users, are prone to human error, and may not adequately assess the risk associated with each request.

Iris Authorization addresses these challenges with automation based on comprehensive data, enhancing security and efficiency while still enabling human administrators to analyze approvals and intervene as necessary.

Most importantly, Iris Authorization will not grant additional access beyond what is requested. In addition, administrators are able to give feedback on past approvals, allowing Iris Authorization to learn and adapt over time to improve its decision-making capabilities.

Recommendation vs. Automated Decision

Iris Authorization operates in two primary modes: recommendation only and automated decision.

In the recommendation mode, Iris Authorization provides suggestions to a human approver.

In the automated decision mode, Iris Authorization can approve or deny requests based on predefined criteria.

The process flows like this:

  1. Request Submission: A user submits an access request, including a ticket number and justification.

  2. Risk Assessment: Iris Authorization evaluates the requester's risk score, location, business hours, and other contextual signals.

  3. Ticket Verification: Iris Authorization retrieves and analyzes the content of the associated ticket from systems like Zendesk.

  4. Decision Making: Based on the analysis, Iris Authorization either denies the request or recommends approval to a human approver.

  5. Feedback Loop: Administrators can provide feedback on Iris Authorization's decisions, which is used to improve the system's accuracy over time.

Enabling Iris Authorization

Iris Authorization must be enabled, given a service user, assigned a profile, and assigned to a workflow.

  1. Enable Iris Authorization

    1. Navigate to the Iris Authorization page.

    2. Select Edit.

    3. Change the State switch to Enabled.

    4. Accept the AI usage agreement.

  2. Create a service user

    1. Navigate to the Add Service User page.

    2. Assign appropriate roles/permissions; you will attach this account to an Iris Authorization profile later.

Iris Authorization Profiles

Iris Authorization can run multiple profiles—each with its own approval strictness.

You must assign one profile to one workflow.

You define a profile with two key points: Recommend vs Decide mode, and specific Authorization Instructions.

Mode behavior:

  • Decide – Iris Authorization automatically approves or denies the request

  • Recommend – Iris Authorization only recommends an action; a human still approves/denies

Creating a profile

  1. From the Iris Authorization page, select the Profiles tab.

  2. Select Add Profile.

  3. Provide the following:

    1. Name – a descriptive profile name

    2. Mode – Recommend or Decide

    3. Service User – select a previously-created service user

    4. Authorization Instructions – Iris Authorization supports three prompt templates that guide how access requests should be evaluated:

      1. Check Creator: Iris Authorization verifies that the user creating the access request is not the same user who created the referenced ticket in the ticketing system (e.g., Zendesk). This prevents users from creating their own tickets to justify access.

      2. Check Location: Iris Authorization checks whether the requester's location is unusual or inconsistent with expected behavior.

      3. Ignore Ticket: Iris Authorization skips validation of the reference ticket and does not use it as part of the access decision.

  4. Assign to a Workflow.

Access Requests

1. View requests

To view access requests handled by Iris Authorization, navigate to the Access Requests page.

This is not the same as the Secret Access Requests page.

The columns show:

  • request details

  • the Iris Authorization profile used

  • the outcome: Approved, Denied, or Recommended (if the profile is in Recommend mode)

To view additional data about a specific access request, click its row in the table. Data include:

  • requester account

  • date and time

  • requester comment

  • Iris Authorization’s reasoning for its recommendation or decision

2. Provide feedback

  • Feedback: Users can provide feedback on Iris Authorization’s decisions by giving a thumbs up or flagging them. This feedback is collected by our AI operations backend to continuously improve Iris Authorization’s accuracy.

    • Thumbs up – Indicates the decision was appropriate

    • Flag – Indicates the decision or its reasoning was incorrect or needs improvement

Zendesk Integration

Zendesk integration supplies Iris Authorization with ticket context (e.g., confirming that a database bug-fix ticket exists for the request). To connect to Zendesk from the Delinea Platform:

  1. Navigate to the Add Connector page.

  2. Select Zendesk and enter the following:

    1. Display Name

    2. Base Address

    3. API Key

    4. Email (API user)

  3. Click Save.

Iris Authorization Decision Factors

When Iris Authorization evaluates an access request, it considers the following (non-exhaustive) checks:

  • Ticket number – Matches the ITSM ticket (e.g., Zendesk) with the access request

  • Ticket justification – Request reason must align with ticket description

  • Ticket owner – Requester must match the ticket’s assignee or requester

  • Request justification – Denied if missing, insufficient, or unrelated

  • User risk score – Critical/high-risk users require stricter scrutiny

  • User attributes:

    • Day of week (requests on weekends are flagged)

    • Working hours vs. off-hours

    • Login location anomalies

    • MFA status (denied if 2FA is absent)
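
As an added example (not Delinea code), the following audit pass re-applies the decision factors listed above to exported access-request records and surfaces Approved or Recommended outcomes that a human reviewer should inspect or flag. The record field names, the 09:00-17:00 working-hours window, and the sample rows are assumptions constructed for illustration; they are not a Delinea export format.

```python
from datetime import datetime

# Constructed sample records. Field names are hypothetical, not a Delinea export format.
FIELDS = ("id", "outcome", "requester", "justification", "ticket_assignee",
          "ticket_requester", "mfa", "risk", "time")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("AR-1", "Approved", "alice", "Fix DB bug", "alice", "bob", True, "low", "2025-03-05T10:30:00"),
    ("AR-2", "Approved", "carol", "Patch host", "carol", "dave", False, "high", "2025-03-08T23:10:00"),
    ("AR-3", "Denied", "erin", "", "frank", "gina", True, "low", "2025-03-06T14:00:00"),
    ("AR-4", "Recommended", "hal", "Rotate key", "ivy", "hal", True, "critical", "2025-03-07T20:00:00"),
]]

WORK_HOURS = range(9, 17)  # assumption: 09:00-16:59 local time counts as working hours

def hard_denies(req):
    """Factors the page states as deny conditions or must-match requirements."""
    found = []
    if not req["justification"].strip():
        found.append("missing justification")
    if not req["mfa"]:
        found.append("MFA absent")
    if req["requester"] not in (req["ticket_assignee"], req["ticket_requester"]):
        found.append("requester is not ticket assignee/requester")
    return found

def review_flags(req):
    """Factors the page says are flagged or need stricter scrutiny."""
    found = []
    ts = datetime.fromisoformat(req["time"])
    if ts.weekday() >= 5:
        found.append("weekend")
    elif ts.hour not in WORK_HOURS:
        found.append("off-hours")
    if req["risk"] in ("critical", "high"):
        found.append(f"{req['risk']} risk user")
    return found

def audit(requests):
    """Return {id: (severity, reasons)} for non-denied outcomes worth a human look."""
    report = {}
    for req in requests:
        denies, flags = hard_denies(req), review_flags(req)
        if req["outcome"] != "Denied" and (denies or flags):
            report[req["id"]] = ("mismatch" if denies else "review", denies + flags)
    return report

if __name__ == "__main__":
    for rid, (severity, reasons) in audit(SAMPLE).items():
        print(rid, severity, "; ".join(reasons))
```

A "mismatch" entry is an outcome that contradicts a stated deny condition and is a candidate for the Flag feedback described under Access Requests; a "review" entry only tripped a scrutiny signal.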

Iris Authorization Safety Statement

Human-AI Oversight Requirement

Delinea Authorization powered by Iris AI (Iris Authorization) is designed to augment your skilled oversight – not to replace it. Iris Authorization can be set either to alert you or to take pre-specified actions. This automation still requires a “human on the loop” for customer oversight, audit and feedback, to ensure accuracy and to optimize results over time. AI models are probabilistic in nature, meaning they can inherently produce outputs that are inaccurate or incomplete. You and your end users bear responsibility for any decisions, recommendations, actions, or inactions that arise from utilizing Delinea Authorization powered by Iris AI.

Data Privacy and Processing

Delinea Authorization powered by Iris AI uses the Azure OpenAI service provided by Microsoft. Key data handling and privacy features include the following:

  • Regional Data Hosting: Your tenant data is hosted and processed within the same region that you have selected for your cloud operation, ensuring compliance with regional data handling regulations. However, Iris Authorization data can be processed by Azure services in other regions.
  • Data Deletion After Processing: When Azure OpenAI finishes processing data from a Delinea Platform access request, the data is immediately deleted from Azure and not retained by Microsoft. This ensures that evaluation data is handled securely and transiently.
  • No AI Training with Customer Data: Delinea Authorization powered by Iris AI does not and will not use customer recordings or data to train AI models unless we obtain your specific prior written authorization to do so.
  • Data Included in Feedback to Delinea: When a user flags an Iris Authorization recommendation or decision, the specific data involved (their feedback explanation, the original access request, and the contextual risk data for that request) will become visible to Delinea engineers for troubleshooting analysis and resolution only.

Enabling the AI Agreement

In addition to enabling the Delinea Authorization powered by Iris AI capability, you must approve the AI Agreement before Iris Authorization can begin reviewing access requests.

To enable Iris Authorization for the first time:

  1. From the left navigation, select Settings > Iris AI > Authorization.

  2. Toggle the Iris Authorization State to Enabled.

  3. Review and approve the Delinea AI Agreement.