Opal launches AI tools to tackle unused permissions
Opal Security has introduced three artificial intelligence tools for access governance, alongside research indicating widespread unused permissions across corporate systems and a growing manual review burden for security teams.
The launch includes Paladin, an automated access evaluation agent; OpalScript, a policy language for codifying access rules; and OpalQuery, a natural-language query tool for exploring access data. Together, the tools are designed to help organisations identify unused access, write policy rules and automate some approval decisions.
Data from Opal Labs shows that 48.6% of employees hold at least one entitlement they have not used in more than three months, while four in five resources have at least one stale assignment. More than 40,000 active access assignments had also gone unused over the same period.
Those figures reflect a broader issue in identity and access management, where permissions often accumulate as employees change roles, join projects or receive temporary access that is never removed. Unused entitlements can increase operational complexity, create extra work for audit and compliance teams, and increase the number of accounts and systems that need review.
Manual burden
Organisations could face as many as 900,000 manual access reviews a year, accounting for an estimated 213,000 hours of reviewer time, according to Opal. The figures underscore the strain on security, IT and governance teams that still rely heavily on human checks to approve, recertify and revoke access.
Paladin is intended to reduce some of that workload by acting within the approval chain for access requests. The system reviews the requester's identity, access history, ticket references, resource sensitivity and stated justification before either approving the request or escalating it for human review.
It also checks project management systems including Jira and Linear to confirm that referenced tickets exist, remain active and match the requested resource. Each decision is logged with a record of the reasoning behind it.
Unlike recommendation tools that leave the final step to a human manager, Paladin is positioned as an active reviewer with authority to make decisions in some cases. If it escalates a request, the user can submit more context for another round of evaluation.
Policy language
Alongside the agent, OpalScript gives security teams a way to define access policies using a Python-like syntax. Administrators can write scripts directly or use an AI assistant to generate and edit them in natural language.
The aim is to let teams express internal rules that may be difficult to enforce through standard settings alone. One example is a separation-of-duties policy stating that "GitHub admins cannot be Panther admins." Another customer example included a workflow requiring a ticket number, a group-based authorisation check, time-limited access, admin notifications and automatic approval logic tied to entitlements.
OpalQuery, the third product, focuses on search and reporting. Users can ask plain-English questions about their organisation's access data, and the system translates those requests into structured queries against Opal's identity and access graph. Results can then be saved, shared or exported as audit evidence.
Access sprawl
Opal argues that the need for automation is growing as organisations adopt more software services and begin deploying AI agents, which can create and discard access needs much faster than traditional employee workflows. In that environment, periodic manual review cycles may struggle to keep up with changes in who or what has access to critical systems.
Its research found that auto-granted access is up to 50% more likely to go unused than access that has been manually reviewed. That suggests convenience in provisioning can carry a trade-off when organisations lack reliable ways to revisit or remove permissions later.
Howard Ting, chief executive officer of Opal Security, linked the product launch directly to that pattern.
"Organisations are drowning in access they can't see, track, or clean up fast enough," Ting said.
He added: "Excessive and outdated privileges are a fundamental breakdown in how organizations manage trust. Every unused permission is an open door, and most organizations have thousands of them sitting undetected. Our goal is to help teams get ahead of this problem so they can move faster while also mitigating their risk."
The new tools are now available to customers, extending Opal's broader platform for identity security and access governance, which is used by companies including Cloudflare, Databricks, Elastic, Figma, Grammarly, Scale AI and Verily.