CYBER SECURITY · IDENTITY & ACCESS GOVERNANCE

The model recommended the access. The auditor asks for the basis.

Most breaches resolve to an access problem — a stolen credential, an over-provisioned account, a permission that should have been revoked. Models now grant, flag, and recertify access at scale. The question that follows every such decision is whether it can be explained.

Access is the recurring root cause. Stolen credentials, accounts provisioned with more rights than the role requires, and the joiner-mover-leaver who accumulated permissions across years and never had them trimmed are the conditions most intrusions exploit. Kenya's KE-CIRT/CC advisories return repeatedly to access controls and multi-factor authentication, and with phishing the most commonly reported route to initial access, the credential is the front door. Identity is not one security domain among many; it is the one that most often decides whether an intrusion becomes a breach.

The problem compounds quietly. An employee changes roles and gains new permissions without shedding the old ones; a project ends but its access persists; a contractor leaves and an account lingers. The mover case is the usual leak: a role change is processed as a grant, not as a revocation followed by a grant, so the old entitlements ride along. Across thousands of identities and years of accumulated grants, the gap between the access people hold and the access their role requires widens steadily, and it is precisely this excess that an attacker inherits when a single credential is phished. The periodic recertification meant to close the gap becomes, under that volume, a manager clicking approve down a list nobody has the context to question: a control that certifies nothing while appearing to.

Artificial intelligence has moved into the centre of identity governance. Models score access requests and recommend approval or denial, flag anomalous access as it happens, and drive the periodic recertification campaigns in which managers confirm who still needs what. The decision to grant, revoke, or flag is increasingly a model recommendation that a human ratifies, frequently in bulk and frequently without the context to second-guess it. The efficiency is real; the problem is what happens when the recommendation is wrong and someone has to account for it.

Access decisions are audited more heavily than almost anything else in security. ISO 27001 and SOC 2 examinations lean heavily on access governance; the Central Bank of Nigeria's risk-based cybersecurity framework for banks and payment service providers sets access-control expectations; POPIA and the NDPA both require appropriate access measures. At each of these the organisation must demonstrate that access is appropriate and that someone with authority confirmed it. When the confirmation rested on a model recommendation, 'the system suggested it' is not a defensible sign-off; it is the absence of one.

The post-incident question is sharper still. After a breach, the forensic investigation asks who had access to the compromised system and why they had it. The access decision becomes evidence. A grant that a model recommended, ratified by a manager who trusted the recommendation, with no record of the reasoning behind either, is the gap the investigation lands on. The organisation can show that access was granted; it cannot show why it was appropriate, which is the only thing the investigation actually wants to know.

And the human identities are no longer the larger problem. Service accounts, API keys, and the non-human identities that let systems talk to one another now outnumber people in most enterprises, and they are the access least likely to be recertified at all: provisioned for an integration, granted broad rights for convenience, and never reviewed because no manager owns them. They are also a favoured route for an attacker who has already gained a foothold, precisely because they are powerful, persistent, and unwatched. An identity programme that governs only its human accounts is policing the smaller half of its own attack surface.
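The accumulation described above (permissions retained across role changes, accounts that outlive their owners, service accounts nobody owns, grants with no recorded reason) can be surfaced mechanically before a recertification campaign opens, so the reviewer is handed exceptions to resolve rather than a list to approve. The script below is an added example written for this page; it is not Syni, Akki or Solva code. It assumes three hypothetical inputs an identity programme would already hold: an identity record (kind, status, current role, owner for service accounts), a role baseline mapping each role to the entitlements it requires, and a grant ledger that records the justification stated for each grant. The boilerplate list and minimum-length threshold for a "thin" justification are assumptions for illustration, and all sample data is constructed.

```python
"""Recertification pre-check: turn an entitlement snapshot into findings a
reviewer must resolve, plus the residual list that can be ratified.

Added example for this page, not vendor code. Inputs, thresholds and sample
data are assumptions constructed for illustration."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    uid: str
    kind: str                  # "human" or "service"
    status: str                # "active" or "left"
    role: str | None = None    # current role for humans; None for service accounts
    owner: str | None = None   # accountable person for a service account


@dataclass(frozen=True)
class Grant:
    uid: str
    entitlement: str
    basis: str                 # justification recorded at grant time; "" if none


@dataclass(frozen=True)
class Finding:
    uid: str
    entitlement: str
    code: str                  # orphaned | lingering | unowned | excess | no_basis | thin_basis
    detail: str


# Phrases that are not reasons, and a minimum length; both are assumed thresholds.
BOILERPLATE = {"needed", "required", "same as before", "as requested", "n/a"}
MIN_BASIS_CHARS = 15


def review(identities: list[Identity], grants: list[Grant],
           baseline: dict[str, set[str]]) -> list[Finding]:
    """Return every exception a recertifier must resolve before ratifying."""
    by_uid = {i.uid: i for i in identities}
    findings: list[Finding] = []
    for g in grants:
        ident = by_uid.get(g.uid)
        if ident is None:                       # grant survives with no identity behind it
            findings.append(Finding(g.uid, g.entitlement, "orphaned", "no identity record for this grant"))
            continue
        if ident.status == "left":              # leaver whose access was never removed
            findings.append(Finding(g.uid, g.entitlement, "lingering", "identity has left but grant persists"))
            continue
        if ident.kind == "service" and not ident.owner:
            findings.append(Finding(g.uid, g.entitlement, "unowned", "service account has no accountable owner"))
        if ident.kind == "human" and g.entitlement not in baseline.get(ident.role or "", set()):
            # Held but not required by the current role: typically a mover's leftover
            findings.append(Finding(g.uid, g.entitlement, "excess", f"not in baseline for role {ident.role!r}"))
        basis = g.basis.strip().lower()
        if not basis:
            findings.append(Finding(g.uid, g.entitlement, "no_basis", "no justification recorded"))
        elif basis in BOILERPLATE or len(basis) < MIN_BASIS_CHARS:
            findings.append(Finding(g.uid, g.entitlement, "thin_basis", f"justification {g.basis!r} is not a reason"))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings by code, for the campaign's opening report."""
    return dict(Counter(f.code for f in findings))


def ratifiable(grants: list[Grant], findings: list[Finding]) -> list[Grant]:
    """Grants with no open finding: the only ones a manager should be asked to confirm."""
    flagged = {(f.uid, f.entitlement) for f in findings}
    return [g for g in grants if (g.uid, g.entitlement) not in flagged]


# Constructed sample data (not real identities or entitlements).
ROLE_BASELINE = {
    "payments-analyst": {"ledger:read", "reports:read"},
    "payments-engineer": {"ledger:read", "ledger:write", "deploy:prod"},
    "finance-manager": {"ledger:read", "reports:approve"},
}
IDENTITIES = [
    Identity("amara", "human", "active", role="payments-analyst"),
    Identity("tunde", "human", "active", role="payments-engineer"),   # moved from analyst
    Identity("grace", "human", "left", role="finance-manager"),
    Identity("svc-ledger-sync", "service", "active"),                  # no owner recorded
    Identity("svc-reporting", "service", "active", owner="amara"),
]
GRANTS = [
    Grant("amara", "ledger:read", "Role baseline for payments-analyst"),
    Grant("amara", "reports:read", "Analyst role baseline"),
    Grant("tunde", "ledger:write", "Engineer baseline"),
    Grant("tunde", "reports:read", "same as before"),                  # retained across the move
    Grant("tunde", "deploy:prod", ""),                                 # no reason captured
    Grant("grace", "reports:approve", "Baseline"),                     # leaver
    Grant("svc-ledger-sync", "ledger:write", "Nightly ledger sync into the reporting warehouse"),
    Grant("svc-reporting", "reports:read", "Reporting job reads published reports"),
    Grant("ghost", "deploy:prod", "x"),                                # no identity record
]

if __name__ == "__main__":
    found = review(IDENTITIES, GRANTS, ROLE_BASELINE)
    for f in found:
        print(f"{f.code:<10} {f.uid:<16} {f.entitlement:<16} {f.detail}")
    print("summary:", summarise(found))
    print("ratifiable:", [(g.uid, g.entitlement) for g in ratifiable(GRANTS, found)])
```

The split matters more than the rules themselves: the reviewer sees six exceptions with a stated reason each, and is asked to ratify four grants that already carry a basis, instead of nine rows with an approve button. Service accounts get no role baseline here because they rarely have one; the "unowned" finding forces the question of who is accountable before any question of what they need.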

It is worth being precise about what Syni is and is not in this workflow, because the market is crowded with identity-governance and privileged-access tooling that already does provisioning, enforcement, and access analytics well. Syni does not replace that machinery. What the established tooling does not do is make the reasoning behind an access decision, and behind a manager's recertification of it, auditable. The provisioning is solved; the defensibility of the judgement is not, and that is the narrow, real gap these products address.

An access decision the model recommended but no one can explain is not a control. It is a finding waiting for an auditor.

HOW THE THREE PRODUCTS HANDLE THIS

Where each sits.

AKKI

Akki governs the identity data that feeds the model — the directory, the HR record, the entitlement catalogue, the access logs — as one inspectable substrate, and logs what drove each recommendation. When the auditor or the forensic investigator asks what the model was looking at when it recommended a grant, the answer is a query rather than an excavation.

SOLVA

Solva structures the reasoning behind a grant, a revocation, or an anomaly flag, and refuses to recommend access on a thin justification, drafting the rationale a recertifying manager can actually read and ratify. Underneath each decision sits the audit trail the ISO 27001, SOC 2, or central-bank examiner expects. The recertification stops being a bulk rubber-stamp and becomes a reviewed decision, because the reasoning is in front of the person signing.

SYNISENSE

Where identity data is processed by external analytics or a managed provider, SyniSense anonymises the identifiable employee and customer detail at the perimeter. In an internal identity programme its role is lighter than in the sharing and sovereignty workflows; where access governance is outsourced or cloud-analysed, it keeps the personal data of the workforce inside the boundary.

WHAT CHANGES

For the identity and access lead, recertification stops being a ritual that certifies nothing. Each access decision carries the reasoning behind it, so the manager confirming it is confirming something they can see rather than waving through a list, and the campaign produces a defensible record instead of a compliance artefact nobody believes.

For the auditor, the examination shortens. The evidence that access is appropriate — and that an authorised person reviewed it on a stated basis — is produced rather than reconstructed, which turns the access portion of an ISO 27001 or SOC 2 audit from a scramble into a query.

For the forensic investigation after an incident, the access question has an answer. Who had access to the compromised system, and why it was appropriate, is on the record, so the investigation can establish the path of the intrusion rather than stalling on permissions nobody can account for.

For the board and the regulator, the standing access risk that sits on every risk register — the accumulated, unreviewed permission waiting to be exploited — is materially reduced, because the recertification that is supposed to catch it now actually does. Governance becomes the thing it was always claimed to be.

For the machine identities that no one recertifies, the same reasoning applies. Because the basis for a non-human grant is recorded and reviewable, the service accounts and keys that quietly accumulate broad, persistent rights become visible and accountable rather than invisible and assumed, narrowing one of the access paths attackers rely on once they are already inside.

See how Solva makes every access decision one your auditor can read →
← Back to the Cyber Security hub