
Summary: Groups accumulate members over years and reorgs — a project group from five years ago still carries 40 members, most of whom finished their engagement and never left. Oleria, an AI-native identity security & governance platform, breaks group membership sprawl with dedicated Group Membership campaigns that give group owners per-member usage and peer evidence, AI-recommended decisions, and a direct path to remove — so membership stays current without manual audit effort.
Groups accumulate. A group created for a project five years ago still has the original 30 members, plus a dozen who joined for a specific task and never left. Membership audits catch this in theory but not in practice — most identity tools don't have a campaign type scoped to group membership specifically.
The classic outcome: 95% of enterprise permissions go unused (Microsoft Security), and a meaningful share of that comes from group memberships nobody owns. Without a review surface for groups themselves, sprawl compounds.
Oleria's AI evaluates each group member against the same three signals — Dormant Days, Peer Group Analysis, HR Changes — and recommends Approve, Needs review, or Reject for membership. The group owner reads the recommendation and signs off.
Group sprawl over time: Eliminated
Owner-led membership reviews: From sporadic to consistent
Dormant members in groups: Surfaced and removed
Audit findings on group membership: Eliminated

Groups that accumulate members silently are a standing access risk — every stale member is an open door with an unknown blast radius. Oleria's Group Membership campaigns give group owners the evidence and the interface to keep membership current.
When a member is removed from the group, any access tied to the membership is cleaned up across connected apps — automatically, in the same workflow. The audit trail shows both the membership decision and the downstream access changes. No separate ticket; no manual cleanup.
AD groups have their own dedicated campaign type (Active Directory Group Membership), with AD-specific signals — descriptions, distribution-list reach, AD-attribute match. The general Group Membership campaign covers app-level groups (Okta, Entra, Salesforce sharing groups, etc.). Most organizations run both as parallel campaigns.
When a group has no owner, the campaign surfaces the unowned status as a finding. The IAM admin gets notified and ownership is assigned. The membership review still completes — IAM owns the review by default for unowned groups, with ownership assignment as a follow-up action.
The group owner is the person accountable for the group's purpose. For project groups, this is typically the project lead. For functional groups (e.g., "engineering-leadership"), it is typically the senior leader. Group ownership is inherited from the connected directory (AD, IdP, or SaaS app) and flows automatically from existing tools where ownership data is present.
A Group Membership campaign is a campaign type scoped to a group's membership rather than a user's access or an application's access list. The group owner is the reviewer; each member is a line. Per-member evidence (dormancy, peer match, HR change) drives the recommended decision. Membership campaigns coexist with Application, AD Group, and User campaigns.