
Summary: Relying on outdated job descriptions to build access profiles results in massive over-provisioning and perpetual audit findings. Integrating Oleria Trustfusion, an AI-native identity security platform, solves this systemic vulnerability by continuously compiling usage-based access bundles derived from live peer data and actual application activity instead of static corporate templates.
95% of enterprise permissions go unused (Microsoft Security). Yet most IGA tools build role templates from job descriptions. The gap between what's defined and what's used is the source of perpetual over-provisioning and the constant audit finding on least privilege.
Most teams give up on role-mining because the data isn't there or the tool is too painful. Static role templates are the path of least resistance — and the path of least security. As Mark Carter, CIO & CISO at Vimeo, puts it: "the tools that exist today for identity and access management are mostly designed for a different era. They're 20 years old — and identity has changed massively in the last 20 years."
Oleria's AI computes the bundle from what role-holders actually use — peer coverage % and active-usage rate per entitlement line. The bundle owner reviews; the bundle is real, not aspirational.

Role-mining time: months → minutes
Bundle accuracy on first save: higher than legacy template
Bundle drift: eliminated (continuous refresh)
95% unused permissions stat: materially reduced over time

Every app connected to Oleria. The bundle composes per-app entitlements: M365 / Entra access, Salesforce profiles and permission sets at app-instance level, AWS account access, Snowflake roles, GitHub org membership, plus standard SCIM-connected apps. Bundle granularity matches each app's connector capability.
Every modification — add, remove, threshold change — is captured with author, timestamp, before/after, and reason. Bundles support reviewer assignment for high-impact changes. Bundle change history is part of the audit pack. The bundle is a first-class identity artifact, not a hidden config.
The bundle reflects what role-holders use, not what they hold. Active-usage rate (90-day login default) filters out the 95% unused tail. The bundle owner can also tighten thresholds (60-day, 30-day) or exclude specific apps from peer signal. Bundle hygiene is ongoing — but materially less ongoing than role-mining from scratch.
A peer group is the set of identities sharing the job-attribute combination Oleria reads from HRIS — typically title + department + location. Peer attributes are configurable per organization. The bundle is computed from the access patterns of identities in the peer group, weighted by recent active usage.
Legacy role-mining is a months-long project: extract entitlements, cluster, propose roles, get sign-off, deploy, never touch again. Oleria computes the bundle continuously from observed usage of current role-holders. The author reviews and refines, but doesn't start from scratch. Bundles refresh as the role evolves, with no separate maintenance cycle.
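To make the two signals above concrete (peer coverage % and active-usage rate per entitlement line, the 90-day login default with tighter 60/30-day options, per-app exclusion from the peer signal, and the HRIS attribute peer group), here is an added, self-contained illustration. It is not Oleria's code and does not describe Oleria's actual algorithm; the identities, apps, entitlements, last-login dates, the 50% coverage and 50% active-usage cut-offs, and the function names are all constructed assumptions. It also adds one defender-side check the text only implies: listing what an individual role-holder holds beyond the computed bundle, i.e. that identity's share of the unused tail.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data: not real HRIS records or application activity.
TODAY = date(2024, 6, 30)

# HRIS-style job attributes per identity (assumed field names).
IDENTITIES = {
    "alice": {"title": "Data Engineer", "department": "Analytics", "location": "SEA"},
    "bob":   {"title": "Data Engineer", "department": "Analytics", "location": "SEA"},
    "carol": {"title": "Data Engineer", "department": "Analytics", "location": "SEA"},
    "dave":  {"title": "Data Engineer", "department": "Analytics", "location": "SEA"},
    "erin":  {"title": "Account Exec",  "department": "Sales",     "location": "SEA"},
}

# Entitlements held per identity: (app, entitlement) -> last-used date, None = never used.
USAGE = {
    "alice": {("snowflake", "ANALYST"): TODAY - timedelta(days=3),
              ("github", "org:data"): TODAY - timedelta(days=10),
              ("aws", "acct-legacy/ReadOnly"): None},
    "bob":   {("snowflake", "ANALYST"): TODAY - timedelta(days=45),
              ("github", "org:data"): TODAY - timedelta(days=200),
              ("aws", "acct-legacy/ReadOnly"): None,
              ("salesforce", "Sales Profile"): None},
    "carol": {("snowflake", "ANALYST"): TODAY - timedelta(days=80),
              ("github", "org:data"): TODAY - timedelta(days=40)},
    "dave":  {("snowflake", "ANALYST"): TODAY - timedelta(days=1),
              ("aws", "acct-legacy/ReadOnly"): TODAY - timedelta(days=400)},
    "erin":  {("salesforce", "Sales Profile"): TODAY - timedelta(days=2)},
}


def peer_group(identities, member, peer_attrs=("title", "department", "location")):
    """Identities sharing the member's values for the configured peer attributes."""
    key = tuple(identities[member][a] for a in peer_attrs)
    return {name for name, attrs in identities.items()
            if tuple(attrs[a] for a in peer_attrs) == key}


@dataclass
class BundleLine:
    app: str
    entitlement: str
    peer_coverage: float   # share of the peer group holding this entitlement
    active_usage: float    # share of holders who used it inside the window


def compute_bundle_lines(peers, usage, today, window_days=90, excluded_apps=()):
    """One line per entitlement seen in the peer group, with both usage signals."""
    cutoff = today - timedelta(days=window_days)
    holders, active = defaultdict(set), defaultdict(set)
    for who in peers:
        for (app, ent), last_used in usage.get(who, {}).items():
            if app in excluded_apps:          # app removed from the peer signal
                continue
            holders[(app, ent)].add(who)
            if last_used is not None and last_used >= cutoff:
                active[(app, ent)].add(who)
    lines = [BundleLine(app, ent, len(hs) / len(peers), len(active[(app, ent)]) / len(hs))
             for (app, ent), hs in holders.items()]
    # Most widely held first; deterministic tie-break by app and entitlement.
    return sorted(lines, key=lambda l: (-l.peer_coverage, l.app, l.entitlement))


def compose_bundle(lines, min_coverage=0.5, min_active=0.5):
    """Keep lines that enough peers hold AND enough holders actually use (assumed cut-offs)."""
    return [(l.app, l.entitlement) for l in lines
            if l.peer_coverage >= min_coverage and l.active_usage >= min_active]


def excess_access(identity, usage, bundle):
    """What this identity holds beyond the computed bundle: its slice of the unused tail."""
    return set(usage.get(identity, {})) - set(bundle)


if __name__ == "__main__":
    peers = peer_group(IDENTITIES, "alice")
    for window in (90, 60, 30):
        lines = compute_bundle_lines(peers, USAGE, TODAY, window_days=window)
        print(f"{window}-day window:")
        for l in lines:
            print(f"  {l.app:<10} {l.entitlement:<22} coverage={l.peer_coverage:.2f} "
                  f"active={l.active_usage:.2f}")
        print("  bundle:", compose_bundle(lines))
    print("bob holds beyond bundle:", excess_access("bob", USAGE, compose_bundle(
        compute_bundle_lines(peers, USAGE, TODAY))))
```

The 90-day run keeps the Snowflake role and the GitHub org membership and drops the legacy AWS read-only access that three of four peers hold but nobody has logged into within the window; tightening to 30 days also drops the GitHub line, which is the kind of threshold decision the text leaves to the bundle owner. Note that the tail is measured per entitlement, not per identity: an entitlement can be widely held (high coverage) and still be dead weight (zero active usage), which is exactly the template-versus-usage gap the page describes.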