Knowledge Hub: Identity Intelligence
Last updated: April 3, 2026
How to use Knowledge Hub to customize how Identity Intelligence agents detect and flag security issues.
Key Use Cases
Non-Human Identity (NHI) security discovery — Define rules for identifying stale service accounts, orphaned app registrations, and over-privileged non-human identities.
Separation of Duties (SoD) violation detection — Upload SoD rules or let the agent generate them from user/role/permission data.
Dormant account identification — Define what "dormant" means for your organization (last login threshold, activity criteria, app-specific rules).
Custom security rules — Define organization-specific detection criteria tailored to your environment.
Severity level rules — Define your own issue severity criteria to make alerts easier to filter and more actionable.
How to Scope Context
Per agent type — Each specialized agent (NHI Threat, Terminated Accounts, SoD, Dormant Cleanup) can have its own context.
App-tagged — Point agents to specific app instances (e.g., "only scan this Entra ID instance").
Custom instructions — Provide natural-language instructions that define how issues should be detected and remediated.
Tips for Reliable Results
Identity Intelligence agents analyze your environment using natural language rules. To get the most consistent results:
Be precise — The more specific and deterministic your instructions, the more repeatable the results. Instead of "find risky accounts," specify exact criteria like "accounts with no login in 90+ days that have admin-level permissions."
Test consistency — Run the same query multiple times to verify you get consistent results.
Validate against known issues — Compare agent-detected issues against your known ground truth (e.g., confirmed terminated accounts).
Use the feedback loop — Dismiss false positives, refine your context rules, and re-run to verify the agent adapts.
Quality Check
After adding context:
[ ] Run real-world queries through the agent with your data
[ ] Execute the same prompt multiple times — check for consistent results
[ ] Compare flagged issues against known ground truth
[ ] Test the feedback loop: dismiss an issue, add context, re-run — does the agent adapt?
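
The consistency and ground-truth checks in the tips and checklist above can be scored outside the product. The following Python is an added example, not part of the Knowledge Hub documentation or product. It assumes each agent run has been reduced to a set of flagged account IDs (the page does not describe an export format); the function names and sample IDs are constructed for illustration.

```python
"""Score repeated agent runs for consistency and accuracy (added example)."""
from itertools import combinations


def jaccard(a, b):
    """Overlap of two flagged-ID sets: 1.0 means identical results."""
    a, b = set(a), set(b)
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def consistency(runs):
    """Lowest pairwise Jaccard score plus the IDs that only some runs flagged."""
    sets = [set(r) for r in runs]
    worst = min((jaccard(x, y) for x, y in combinations(sets, 2)), default=1.0)
    unstable = set.union(*sets) - set.intersection(*sets) if sets else set()
    return worst, unstable


def score_against_truth(flagged, truth):
    """Precision and recall of one run against confirmed ground truth."""
    flagged, truth = set(flagged), set(truth)
    hits = flagged & truth
    return {
        "precision": len(hits) / len(flagged) if flagged else 1.0,
        "recall": len(hits) / len(truth) if truth else 1.0,
        "false_positives": flagged - truth,  # candidates to dismiss, then refine context
        "missed": truth - flagged,           # rule too narrow or ambiguous
    }


# Constructed sample data: account IDs flagged by three runs of the same prompt.
RUNS = [
    {"svc-backup", "svc-legacy-etl", "jdoe-admin"},
    {"svc-backup", "svc-legacy-etl", "jdoe-admin"},
    {"svc-backup", "svc-legacy-etl", "jdoe-admin", "svc-ci"},
]
# Constructed ground truth, e.g. accounts already confirmed dormant by the IAM team.
TRUTH = {"svc-backup", "svc-legacy-etl", "jdoe-admin", "svc-old-report"}

if __name__ == "__main__":
    worst, unstable = consistency(RUNS)
    print(f"lowest pairwise agreement: {worst:.2f}; unstable IDs: {sorted(unstable)}")
    for i, run in enumerate(RUNS, 1):
        s = score_against_truth(run, TRUTH)
        print(f"run {i}: precision={s['precision']:.2f} recall={s['recall']:.2f} "
              f"missed={sorted(s['missed'])} fp={sorted(s['false_positives'])}")
```

IDs that land in the unstable set are the ones to check first against the wording of your instructions, since they were flagged in some runs of the same prompt and not in others.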