Continuous Identity Reasoning — the missing layer between your IGA platform and the audit-ready decisions your team still makes by hand. A reasoning layer that sits above your IGA, governs across human, machine, and AI identity, and automates the judgment calls your team handles one ticket at a time.
§ 01 — The Premise
For fifteen years, the identity industry has confused provisioning with governance. The leading IGA platforms built remarkable engines for moving access through an enterprise. But the judgment behind every access decision — who should get it, under what conditions, with what guardrails, for how long — remains stubbornly, expensively manual.
We believe the next decade of identity governance belongs to a new discipline: Continuous Identity Reasoning. A reasoning layer that sits above your IGA platform, governs across human, machine, and AI identity, and automates the judgment calls your team still makes by hand.
§ 02 — The Argument
We learned how to move access through enterprises. Workflows, connectors, joiner-mover-leaver. The plumbing got built. The compliance checkbox got checked.
IGA platforms consolidated into a mature category. Yet governance maturity flatlined — most programs deliver a fraction of what was promised, years late, with armies of consultants still on retainer.
Non-human identities now vastly outnumber humans. AI agents request access autonomously. The bottleneck is no longer provisioning — it's the continuous reasoning required to govern it all.
§ 03 — The Pillars
The leading IGA platforms continue running. We sit above them as a reasoning layer — adding the judgment they were never designed to deliver.
Every governance signal that matters, evaluated at every access event, across every identity. Not periodic. Not event-driven. Continuous.
One unified reasoning engine across employees, contractors, service accounts, secrets, bots, and AI agents — not a separate tool for each.
§ 04 — The Architecture
For years, vendors have argued horizontally — IGA platforms vs. enterprise SSO tools vs. privileged access vaults — as if identity were a single market with one winner. It isn't. Identity is a stack, and the stack has layers that do fundamentally different work.
The layer the market has been missing — the layer that determines whether your IGA investment delivers a fraction of its promise or all of it — is the Reasoning Layer. It is not another IGA platform. It is the brain that makes IGA platforms intelligent.
How humans and machines request, review, and consume access.
Continuously evaluates every governance signal that matters across every identity, every request, every change in context. Explainable. Auditable. Policy-driven.
Workflow engines, connectors, role models, certification campaigns, lifecycle automation.
Directories, vaults, applications, the underlying entitlement model itself.
§ 05 — The Scope
Continuous Identity Reasoning is not “smarter access requests.” It is a unified reasoning engine applied uniformly across the five governance surfaces that define a modern identity program — human and non-human, employee and agent, request-time and lifetime.
Requests, approvals, reviews, certifications — reasoned against every contextual signal that matters at decision time.
Joiner, mover, leaver, contractor expiry, sponsored identity — governed continuously, not at events.
Service accounts, API keys, secrets, machine identities — inventoried, owned, lifecycle-managed.
Fine-grained Segregation of Duties across applications, evaluated at request, approval, and review.
AI agents, MCP servers, bot lineage — inventoried, governed, scope-validated continuously.
§ 06 — The Engine
We define reasoning the way computer science defines it: the systematic evaluation of multiple signals to reach a defensible conclusion. KeyForgeAI's reasoning engine operates in three tiers, each independently deployable, each fully transparent. Regulated buyers can stop at Tier 1. Innovation-led organizations can run all three. Every decision in every tier is explainable, auditable, and traceable to a named policy.
Rule-based evaluation of metadata at every decision point. If entitlement is privileged AND requester is contractor AND contract expires in <30 days, route to compliance approver and set expiry to contract end date. Every outcome is traceable to a named rule. Zero opacity. Fully audit-ready.
Peer access analysis, role mining, outlier detection, usage-based right-sizing. Classical machine learning techniques — clustering, classification, regression — that have been industry-standard in IGA for over a decade. Surfaces patterns humans can't see manually. Fully explainable through feature importance.
LLM-assisted policy authoring, natural language access requests, AI agent intent analysis, conversational audit explanation. Opt-in, off by default. Available for organizations ready to use generative AI — never inserted into the decision path without explicit configuration.
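The Tier 1 rule quoted above (privileged entitlement, contractor requester, contract ending in under 30 days) and the Segregation of Duties surface from § 05, as an added illustration of rule-based evaluation where every outcome carries the name of the rule that produced it. This is example code, not KeyForgeAI's engine; the rule names, field names and the SoD conflict matrix are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import FrozenSet, List, Optional

@dataclass
class AccessRequest:
    requester: str
    requester_type: str                  # "employee" or "contractor"
    entitlement: str
    privileged: bool                     # metadata flag on the entitlement
    contract_end: Optional[date] = None  # only meaningful for contractors
    existing_roles: FrozenSet[str] = frozenset()

@dataclass
class Decision:
    approver: str = "line-manager"       # default route when no rule fires
    expiry: Optional[date] = None
    denied: bool = False
    rules_fired: List[str] = field(default_factory=list)  # audit trail

# Constructed SoD matrix (assumption): entitlement pairs no single identity may hold.
SOD_CONFLICTS = {frozenset({"ap-invoice-entry", "ap-payment-release"})}

def contractor_expiry_rule(req: AccessRequest, decision: Decision, today: date) -> None:
    """CONTRACTOR-EXPIRY-30: privileged AND contractor AND contract ends in <30 days
    -> route to compliance approver, set expiry to the contract end date."""
    if (req.privileged and req.requester_type == "contractor"
            and req.contract_end is not None
            and req.contract_end - today < timedelta(days=30)):
        decision.approver = "compliance"
        decision.expiry = req.contract_end
        decision.rules_fired.append("CONTRACTOR-EXPIRY-30")

def sod_rule(req: AccessRequest, decision: Decision) -> None:
    """SOD-CONFLICT: deny when the requested entitlement conflicts with a role
    the requester already holds; the conflicting role is recorded for audit."""
    for role in sorted(req.existing_roles):
        if frozenset({role, req.entitlement}) in SOD_CONFLICTS:
            decision.denied = True
            decision.rules_fired.append(f"SOD-CONFLICT:{role}")

def evaluate(req: AccessRequest, today: Optional[date] = None) -> Decision:
    """Run every Tier 1 rule; all rules evaluate so the trail is complete."""
    today = today or date.today()
    decision = Decision()
    sod_rule(req, decision)
    contractor_expiry_rule(req, decision, today)
    return decision
```

Deny decisions still run the remaining rules so the audit record shows every rule that would have applied, not only the first one that fired.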
§ 07 — The Evidence
Every access event in your enterprise triggers a sequence of judgment calls. Your IGA workflow handles the mechanics — the routing, the approval click, the provisioning call. The judgment — the part that actually matters for risk, compliance, and audit — gets pushed to a manager who has thirty seconds and no context. Below: a sample of the questions our reasoning engine answers automatically. Your team is answering them today, by hand, one ticket at a time.
Is this entitlement actually privileged?
Has the requester completed required training?
Does this access violate SoD against existing roles?
Should this be JIT, not standing access?
Does the contractor's access expire with their contract?
Should this route to a risk-based approver?
Does this AI agent's request match its declared scope?
Which service account inherits this credential, and who owns it?
Should domain admin be removed after provisioning?
Are there provisioning dependencies that must fire first?
Does this MCP server expose sensitive scopes?
…and every other governance question that matters.
Every signal that matters × every identity × every change in context = the reasoning your team is doing by hand, today.
§ 08 — The Path
Identity programs evolve along a predictable path. Most enterprises are stuck at Stage 2 — they bought the platform, but the platform alone cannot move them forward. The Reasoning Layer is what unlocks Stages 3, 4, and 5.
Stage 1: Spreadsheets, tickets, tribal knowledge.
Stage 2: IGA deployed. Workflows running. Judgment still manual.
Stage 3: Metadata-driven decisions. Risk-based routing live. Every signal evaluated automatically.
Stage 4: NHIs, service accounts, secrets under the same reasoning as humans. Always-on.
Stage 5: AI agents reasoned about continuously. Lineage tracked. SoD enforced on bots.
“We are not replacing IGA. We are giving it the reasoning it was always supposed to have.”
— The KeyForgeAI Thesis
Take the 5-minute self-assessment. Score your program against the governance decisions enterprise identity programs need to automate. Receive a gap report mapped to your existing IGA platform.