The AISF Context Engine is the intelligence layer of the fabric. It analyses identity behaviour across systems, detecting anomalies and highlighting risks. It understands not just what identities can do, but what they actually do.
The engine builds behavioural baselines for each identity. When actions deviate from these baselines, the system flags them for review. This approach reduces noise and focuses attention on meaningful signals. It also correlates behaviour with policy changes, providing a deeper understanding of how governance affects risk.
This context-aware approach is essential for SMEs, where traditional monitoring tools generate too many alerts and too little insight.
Beyond access lists
Most identity security tools stop at access lists. They tell you what permissions an identity has. They don't tell you what that identity actually does with those permissions.
This is a fundamental limitation. Having permission to access a system is different from actually accessing it. And accessing a system is different from accessing it in an unusual way.
The AISF Context Engine bridges this gap. It doesn't just map permissions—it observes behaviour.
Building behavioural baselines
For every identity in your environment, the Context Engine builds a behavioural profile. This profile captures normal patterns of:
Access patterns
- Which systems does this identity normally access?
- At what times of day?
- From what locations?
- Using what devices?
- How frequently?
Action patterns
- What actions does this identity typically take?
- What data does it commonly access?
- What operations does it perform?
- What APIs does it call?
Relationship patterns
- Who does this identity typically interact with?
- What groups does it belong to?
- What resources does it commonly share?
These profiles are built continuously. The more data the Context Engine processes, the more accurate its understanding becomes. The converse also holds: a baseline only describes what has been observed, so an identity with little history, or one whose history already contains an intruder's activity, has a weak baseline and its early findings deserve more scrutiny, not less.
Detecting anomalies
Once baselines are established, the Context Engine can detect anomalies—behaviour that deviates from the norm.
Access anomalies
- Accessing systems never accessed before
- Accessing systems not typically accessed at this time
- Accessing systems from unusual locations
- Using unusual devices
Action anomalies
- Accessing unusual data
- Performing uncommon operations
- Unusual data export volumes
- Unexpected privilege use
Relationship anomalies
- Unusual communication patterns
- Unexpected resource sharing
- Anomalous group membership changes
Each anomaly is scored by severity. Not every deviation is concerning—some are legitimate. The Context Engine uses risk scoring to focus attention on the anomalies that matter most.
Reducing alert fatigue
Traditional security tools generate so many alerts that most organisations end up ignoring them, and the few that matter are lost in the noise.
The AISF Context Engine addresses this in several ways:
Baseline-aware alerting
Instead of alerting on any deviation, the Context Engine only alerts on significant deviations. If an identity accesses a system they've never accessed before—that's interesting. If an identity accesses 50 systems they've never accessed—that's concerning.
Risk scoring
Every anomaly is evaluated based on:
- The significance of the deviation
- The sensitivity of the systems involved
- The permissions of the identity
- Historical patterns
Low-scoring anomalies are logged but not flagged. High-scoring anomalies trigger immediate notification.
Correlation
The Context Engine correlates anomalies across systems. A single anomaly in one system might not be concerning. The same type of anomaly across multiple systems—that's a pattern worth investigating.
Context enrichment
When anomalies are flagged, the Context Engine provides context:
- What's normal for this identity?
- What has changed recently?
- What policies apply?
- What related findings exist?
This context helps security teams understand whether an anomaly is concerning and how to respond.
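The baselining, scoring and correlation steps described above, as an added Python illustration (this is not AISF code and does not describe its internals): it builds a profile per identity from constructed access events, scores each new event by how many dimensions deviate, weighted by target sensitivity and identity privilege, and then correlates per identity so that a single new-system access is only logged while fan-out across many never-seen systems is escalated. The event fields, sensitivity tiers, weights and thresholds are assumptions chosen for the example; an identity with too little history is reported as still baselining rather than flagged on everything.

```python
"""Behavioural baselines, anomaly scoring and cross-system correlation.
Added illustration, not AISF code: event fields, sensitivity tiers, weights
and thresholds are assumptions made for this example."""
from collections import defaultdict
from dataclasses import dataclass, field

DIMENSIONS = ("system", "hour", "location", "device")   # baselined per identity
# Assumed tuning knobs; a real engine would learn or tune these per environment.
SENSITIVITY = {"hr-payroll": 3, "prod-db": 3, "crm": 2, "git": 2, "wiki": 1}  # unknown -> 1
PRIVILEGE = {"bob": 2.0}          # admin identities amplify every deviation; default 1.0
DEVIATION_WEIGHTS = {"system": 3, "location": 2, "device": 2, "hour": 1}
MIN_OBSERVATIONS = 5              # fewer than this and the identity is still baselining
ALERT_THRESHOLD = 8               # single-event score that triggers notification
FAN_OUT_THRESHOLD = 5             # distinct never-seen systems in one window


@dataclass
class Profile:
    """What is 'normal' for one identity: the values seen in each dimension."""
    observations: int = 0
    seen: dict = field(default_factory=lambda: {d: set() for d in DIMENSIONS})


def build_profiles(events):
    profiles = defaultdict(Profile)
    for e in events:
        p = profiles[e["identity"]]
        p.observations += 1
        for d in DIMENSIONS:
            p.seen[d].add(e[d])
    return profiles


def score_event(profile, e):
    """Return (score, deviating dimensions) for one event against a profile."""
    deviations = [d for d in DIMENSIONS if e[d] not in profile.seen[d]]
    raw = sum(DEVIATION_WEIGHTS[d] for d in deviations)
    # size of deviation x sensitivity of the target x privilege of the identity
    score = raw * SENSITIVITY.get(e["system"], 1) * PRIVILEGE.get(e["identity"], 1.0)
    return score, deviations


def triage(profiles, events):
    """Score events, then correlate per identity: one low-scoring new-system
    event is only logged; many distinct new systems (fan-out) are escalated."""
    per_identity = defaultdict(lambda: {"max_score": 0.0, "new_systems": set(), "flagged": 0})
    for e in events:
        p = profiles[e["identity"]]   # unknown identity -> empty profile -> baselining
        f = per_identity[e["identity"]]
        if p.observations < MIN_OBSERVATIONS:
            f["baselining"] = True
            continue
        score, deviations = score_event(p, e)
        f["max_score"] = max(f["max_score"], score)
        f["flagged"] += bool(deviations)
        if "system" in deviations:
            f["new_systems"].add(e["system"])
    result = {}
    for ident, f in per_identity.items():
        if f.get("baselining"):
            level = "baselining"
        elif f["max_score"] >= ALERT_THRESHOLD or len(f["new_systems"]) >= FAN_OUT_THRESHOLD:
            level = "alert"
        else:
            level = "log" if f["flagged"] else "normal"
        result[ident] = {"level": level, "max_score": f["max_score"],
                         "new_systems": sorted(f["new_systems"])}
    return result


def _events(identity, systems, hours, location, device):
    return [{"identity": identity, "system": s, "hour": h, "location": location, "device": device}
            for s in systems for h in hours]


# Constructed history standing in for weeks of normal activity (dave has almost none).
BASELINE = (_events("alice", ["wiki", "crm"], range(9, 18), "london", "laptop-a")
            + _events("bob", ["git", "prod-db"], range(9, 18), "manchester", "laptop-b")
            + _events("carol", ["wiki"], range(9, 18), "leeds", "laptop-c")
            + _events("dave", ["wiki"], [10], "leeds", "laptop-d"))

# Constructed events for one day, triaged against that history.
TODAY = ([{"identity": "alice", "system": "crm", "hour": 10, "location": "london", "device": "laptop-a"},
          {"identity": "alice", "system": "git", "hour": 11, "location": "london", "device": "laptop-a"},
          {"identity": "bob", "system": "hr-payroll", "hour": 3, "location": "unknown", "device": "phone-x"},
          {"identity": "dave", "system": "prod-db", "hour": 2, "location": "unknown", "device": "phone-y"}]
         + _events("carol", [f"saas-{i}" for i in range(6)], [14], "leeds", "laptop-c"))

PROFILES = build_profiles(BASELINE)
FINDINGS = triage(PROFILES, TODAY)

if __name__ == "__main__":
    for ident, f in sorted(FINDINGS.items()):
        print(ident, f["level"], f["max_score"], f["new_systems"])
```

Run it and bob's out-of-hours, off-device access to a high-sensitivity system alerts on a single event (score 48), carol's six low-sensitivity first-time systems score 3 each and alert only through the fan-out correlation, alice's one new system is logged, and dave, with almost no history, is reported as baselining rather than alerted on everything.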
Policy correlation
The Context Engine doesn't just detect anomalies—it correlates them with policy changes.
Policy change tracking
Every policy change is tracked:
- New role assignments
- Permission grants and revocations
- Group membership changes
- Policy exceptions granted
Impact analysis
When an anomaly is detected, the Context Engine can determine:
- Was there a recent policy change that explains this behaviour?
- Does this behaviour align with a new role assignment?
- Are there pending policy changes that haven't taken effect?
This correlation helps distinguish between:
- Legitimate behaviour that's unusual because of recent changes
- Anomalous behaviour that might indicate compromise
Drift detection
The Context Engine detects drift by comparing current behaviour to expected behaviour based on policies:
- A user with new permissions doesn't use them: the grant is drift from least privilege and a candidate for revocation
- A user with elevated permissions uses them differently than expected: potential compromise or misuse
- A user accesses systems outside their role: potential policy violation, or a role definition that no longer matches the job
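The impact analysis and drift checks above, as an added Python illustration (not AISF code): each anomaly is matched against a constructed policy change log to decide whether a recent effective grant explains it, whether it precedes a grant that is still pending, or whether the identity was entitled to the system at all; separately, grants that have been in force for a month without being exercised are reported as drift. The change records, the entitlement map and the 14-day and 30-day windows are assumptions chosen for the example.

```python
"""Correlating anomalies with policy changes, and detecting permission drift.
Added illustration, not AISF code: the change log, entitlement map and
time windows are assumptions made for this example."""
from datetime import datetime, timedelta

EXPLAIN_WINDOW = timedelta(days=14)   # a grant this recent can explain new behaviour
UNUSED_AFTER = timedelta(days=30)     # a grant unexercised for this long is drift

# Constructed entitlements in force before any of the changes below.
BASE_ENTITLEMENTS = {"alice": {"wiki", "crm"}, "bob": {"git", "prod-db"}, "eve": {"wiki", "prod-db"}}

# Constructed policy change log; 'effective_at' in the future means the change is pending.
POLICY_CHANGES = [
    {"identity": "alice", "kind": "role_assigned", "detail": "finance-analyst",
     "grants": {"hr-payroll", "erp"}, "effective_at": datetime(2024, 5, 1)},
    {"identity": "bob", "kind": "exception_granted", "detail": "quarter-end payroll support",
     "grants": {"hr-payroll"}, "effective_at": datetime(2024, 6, 1)},
]


def entitlements_at(identity, when):
    """Entitlements an identity held at a point in time (base + effective grants)."""
    granted = set(BASE_ENTITLEMENTS.get(identity, set()))
    for c in POLICY_CHANGES:
        if c["identity"] == identity and c["effective_at"] <= when:
            granted |= c["grants"]
    return granted


def classify_anomaly(anomaly):
    """Return (label, change) saying whether a policy change accounts for the anomaly."""
    ident, system, when = anomaly["identity"], anomaly["system"], anomaly["at"]
    for c in POLICY_CHANGES:
        if c["identity"] != ident or system not in c["grants"]:
            continue
        age = when - c["effective_at"]
        if timedelta(0) <= age <= EXPLAIN_WINDOW:
            return "explained_by_change", c        # new role or grant, used as intended
        if age < timedelta(0):
            return "precedes_pending_change", c    # used before the grant took effect
    if system in entitlements_at(ident, when):
        return "unexplained_in_role", None         # entitled but unusual: possible compromise
    return "outside_role", None                    # never entitled: policy violation


def detect_drift(access_events, now):
    """Grants effective for at least UNUSED_AFTER that were never exercised."""
    drift = []
    for c in POLICY_CHANGES:
        if now - c["effective_at"] < UNUSED_AFTER:
            continue
        used = {e["system"] for e in access_events
                if e["identity"] == c["identity"] and e["at"] >= c["effective_at"]}
        unused = c["grants"] - used
        if unused:
            drift.append({"identity": c["identity"], "change": c["detail"], "unused": sorted(unused)})
    return drift


# Constructed anomalies (as a behavioural engine would emit them) and raw access events.
ANOMALIES = [
    {"identity": "alice", "system": "hr-payroll", "at": datetime(2024, 5, 3, 10)},
    {"identity": "alice", "system": "git", "at": datetime(2024, 5, 3, 11)},
    {"identity": "bob", "system": "hr-payroll", "at": datetime(2024, 5, 12, 9)},
    {"identity": "eve", "system": "prod-db", "at": datetime(2024, 5, 12, 3)},
]
ACCESS_EVENTS = [
    {"identity": "alice", "system": "hr-payroll", "at": datetime(2024, 5, 3, 10)},
    {"identity": "alice", "system": "crm", "at": datetime(2024, 5, 20, 14)},
]
NOW = datetime(2024, 6, 5)

CLASSIFIED = {(a["identity"], a["system"]): classify_anomaly(a)[0] for a in ANOMALIES}
DRIFT = detect_drift(ACCESS_EVENTS, NOW)

if __name__ == "__main__":
    for key, label in CLASSIFIED.items():
        print(key, label)
    print("drift:", DRIFT)
```

Note the ordering in classify_anomaly: a grant older than the window no longer explains "new" behaviour, so it falls through to the entitlement check and is reported as unexplained activity within the role rather than quietly accepted. Bob's use of hr-payroll before his exception takes effect is the case that deserves the hardest look, since it means the access path exists before governance approved it.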
Identity risk scoring
The Context Engine produces a continuous risk score for every identity. This score incorporates:
Permission risk
- What permissions does this identity have?
- How sensitive are those permissions?
- Are there elevated or admin permissions?
Behavioural risk
- How many anomalies have been detected?
- How severe are they?
- How recent are they?
Contextual risk
- Has the identity's situation changed recently? (New role, manager change, etc.)
- Are there external threat indicators?
- Is the identity in a high-risk category? (Departing employees, contractors, etc.)
Temporal risk
- When was the identity last reviewed?
- How long since the last access review?
- Are credentials stale?
Risk scores are dynamic—they evolve as behaviour changes. This means you always know which identities represent the highest risk.
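One way to combine the four components into a continuous score, as an added Python illustration (not AISF's scoring model): each component is normalised to 0..1 and weighted, behavioural risk decays with a one-week half-life so that old anomalies fade, and the same identity rescored four weeks later without new findings shows the score falling while its permission and review-age components stay put. The weights, half-life, review interval and credential age limit are assumptions chosen for the example.

```python
"""Continuous identity risk scoring with time-decayed behavioural risk.
Added illustration, not AISF code: component weights, half-life and
review/rotation intervals are assumptions made for this example."""
import math
from datetime import datetime, timedelta

HALF_LIFE_DAYS = 7.0                  # an anomaly's contribution halves every week
REVIEW_INTERVAL = timedelta(days=90)  # access review overdue after this
CRED_MAX_AGE = timedelta(days=180)    # credential considered stale after this
# Each component is 0..1 and multiplied by its weight, so totals are 0..100.
WEIGHTS = {"permission": 30, "behaviour": 40, "context": 15, "temporal": 15}
PERMISSION_SENSITIVITY = {"admin": 10, "prod-db": 8, "hr-payroll": 8, "crm": 4, "git": 4, "wiki": 1}


def permission_risk(perms):
    """Most sensitive permission dominates; breadth adds a little on top."""
    if not perms:
        return 0.0
    top = max(PERMISSION_SENSITIVITY.get(p, 2) for p in perms)
    breadth = min(len(perms), 5) * 0.5
    return min(1.0, (top + breadth) / 12.5)


def behavioural_risk(anomalies, now):
    """Sum of severities (0..10) decayed exponentially by age, squashed to 0..1."""
    total = 0.0
    for a in anomalies:
        age_days = max(0.0, (now - a["at"]).total_seconds() / 86400)
        total += a["severity"] * 0.5 ** (age_days / HALF_LIFE_DAYS)
    return 1.0 - math.exp(-total / 10.0)


def contextual_risk(ident):
    """Departing staff, contractors, recent changes and threat intel, capped at 1."""
    r = 0.6 * bool(ident.get("departing")) + 0.3 * bool(ident.get("contractor"))
    r += 0.2 * bool(ident.get("recent_change")) + 0.5 * bool(ident.get("threat_indicator"))
    return min(1.0, r)


def temporal_risk(ident, now):
    """Overdue access review and stale credentials each contribute half."""
    r = 0.0
    last_review = ident.get("last_review")
    if last_review is None or now - last_review > REVIEW_INTERVAL:
        r += 0.5
    rotated = ident.get("credential_rotated")
    if rotated is None or now - rotated > CRED_MAX_AGE:
        r += 0.5
    return r


def identity_risk(ident, now):
    """Return (score 0..100, per-component breakdown) for one identity."""
    components = {
        "permission": permission_risk(ident["permissions"]),
        "behaviour": behavioural_risk(ident.get("anomalies", []), now),
        "context": contextual_risk(ident),
        "temporal": temporal_risk(ident, now),
    }
    return round(sum(WEIGHTS[k] * v for k, v in components.items()), 1), components


def rank(identities, now):
    """Identities ordered from highest to lowest risk."""
    scored = [(name, identity_risk(i, now)[0]) for name, i in identities.items()]
    return sorted(scored, key=lambda pair: -pair[1])


NOW = datetime(2024, 6, 5)
# Constructed identities; 'anomalies' are what a behavioural engine would have emitted.
IDENTITIES = {
    "alice": {"permissions": ["wiki", "crm"], "anomalies": [],
              "last_review": NOW - timedelta(days=20), "credential_rotated": NOW - timedelta(days=30)},
    "bob": {"permissions": ["admin", "prod-db", "git"], "recent_change": True,
            "anomalies": [{"severity": 9, "at": NOW - timedelta(days=1)},
                          {"severity": 4, "at": NOW - timedelta(days=10)}],
            "last_review": NOW - timedelta(days=120), "credential_rotated": NOW - timedelta(days=400)},
    "svc-backup": {"permissions": ["prod-db"], "anomalies": [],
                   "last_review": None, "credential_rotated": NOW - timedelta(days=700)},
    "carol": {"permissions": ["crm"], "departing": True,
              "anomalies": [{"severity": 5, "at": NOW - timedelta(days=2)}],
              "last_review": NOW - timedelta(days=10), "credential_rotated": NOW - timedelta(days=5)},
}

RANKED = rank(IDENTITIES, NOW)
# Same identity four weeks later with no new anomalies: behavioural risk has decayed.
BOB_NOW = identity_risk(IDENTITIES["bob"], NOW)[0]
BOB_LATER = identity_risk(IDENTITIES["bob"], NOW + timedelta(days=28))[0]

if __name__ == "__main__":
    for name, score in RANKED:
        print(f"{name:10} {score}")
    print("bob now / later:", BOB_NOW, BOB_LATER)
```

Two design points worth noticing: the behavioural component saturates rather than growing without bound, so a burst of anomalies cannot swamp the other three components, and the score never drops to zero for an unreviewed service account holding a production credential, because permission and temporal risk do not decay with time. Swapping the weights for ones tuned to your own environment is the expected adjustment.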
Why this matters for SMEs
SMEs face unique challenges that the Context Engine addresses:
Limited resources
SMEs don't have SOC teams monitoring alerts 24/7. The Context Engine's intelligent alerting means security teams only investigate what's important.
Complex environments
Even SMEs have complex identity landscapes now—multiple cloud services, SaaS tools, remote workers. The Context Engine makes sense of complexity.
Compliance requirements
Auditors want evidence of identity monitoring. The Context Engine provides documented baselines and anomaly detection—audit-ready evidence.
Growing threats
Attackers are increasingly targeting SMEs. The Context Engine provides visibility into identity behaviour that most SMEs would otherwise lack.
The AISF advantage
The Context Engine is part of the AISF fabric—a unified approach to identity security that combines:
- Continuous discovery: Always knowing what identities exist
- Drift detection: Spotting deviations from expected states
- Behavioural analysis: Understanding what identities actually do
- Risk scoring: Prioritising findings by actual risk
- Governance orchestration: Taking action based on findings
Together, these capabilities give SMEs the identity security that was previously only available to large enterprises.
Get started
The Context Engine starts working the moment you connect your identity sources. It builds understanding from day one and continuously refines it.
You don't need to configure rules or define thresholds. The Context Engine learns what's normal for your environment and alerts you when it changes.
That's the power of autonomous identity security.