Buyer question

Okta or Entra group doesn't match approvals: access drift explained

Access drift happens when the identity-provider group says one thing and the approval record says another.

For AI Clearance, the drift check is deliberately scoped: verify Okta or Microsoft Entra configured-group membership still matches the approval record inside the configured group boundary.

Last updated: 2026-06-10

Practical answer

| Drift state | Meaning | Likely next action |
| --- | --- | --- |
| Approved but missing | JSM says the grant is approved, but the configured group does not show membership. | Provision, investigate failed job, or document exception. |
| Observed without approval | Configured group shows membership without an active approval record. | Remove, approve retroactively, or record exception. |
| Expired but still present | The grant expired, but group membership remains. | Deprovision or extend through approval workflow. |
| Manual pending | A human fulfillment step has not been confirmed. | Reviewer marks fulfilled, deprovisioned, or verified. |
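
The four drift states above, expressed as one reconciliation pass over approval records and observed group members. This is an added example, not AI Clearance code: the record fields (`user`, `status`, `expires`, `mode`, `confirmed`), the state labels and the sample data are assumptions constructed for illustration, and fetching membership from Okta or Entra is left out.

```python
from datetime import datetime, timezone

def classify_drift(approvals, group_members, now):
    """Map each user to one of the four drift states; in-sync users are omitted."""
    members = {m.lower() for m in group_members}  # IdP logins may differ in case
    findings, seen = {}, set()
    for rec in approvals:  # assumption: at most one record per user
        if rec["status"] != "approved":
            continue  # a denied or withdrawn request never justifies membership
        user = rec["user"].lower()
        seen.add(user)
        expired = datetime.fromisoformat(rec["expires"]) <= now
        present = user in members
        if rec.get("mode") == "manual" and not rec.get("confirmed", False):
            findings[user] = "manual_pending"  # assumption: checked before the others
        elif expired and present:
            findings[user] = "expired_but_still_present"
        elif not expired and not present:
            findings[user] = "approved_but_missing"
    for user in sorted(members - seen):
        findings[user] = "observed_without_approval"
    return findings

# Constructed sample data, not taken from any real tenant.
NOW = datetime(2026, 6, 10, tzinfo=timezone.utc)
APPROVALS = [
    {"user": "ana@example.com", "status": "approved", "expires": "2026-12-31T00:00:00+00:00", "mode": "automatic"},
    {"user": "ben@example.com", "status": "approved", "expires": "2026-05-01T00:00:00+00:00", "mode": "automatic"},
    {"user": "cy@example.com", "status": "approved", "expires": "2026-12-31T00:00:00+00:00", "mode": "automatic"},
    {"user": "dee@example.com", "status": "approved", "expires": "2026-12-31T00:00:00+00:00", "mode": "manual"},
    {"user": "Fay@example.com", "status": "denied"},
]
GROUP_MEMBERS = {"ana@example.com", "ben@example.com", "eve@example.com", "fay@example.com"}

if __name__ == "__main__":
    for user, state in sorted(classify_drift(APPROVALS, GROUP_MEMBERS, NOW).items()):
        print(f"{user}: {state}")
```
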

Honest limitations

Configured-group drift checks do not prove access outside the configured group. IdP and app admins must ensure that the configured group is what actually controls the real app, license, role, or resource.

Related next step

Review AI Clearance for AI access lifecycle evidence, or start with AI Clearance vs native JSM if you are deciding whether to build this yourself.

FAQ

Does AI Clearance scan the whole identity provider?

No. It checks the configured group for the connected catalog tool.

Can drift happen in manual mode?

Yes. Manual fulfillment can still diverge from the JSM record if nobody reconciles it.

Is this an IGA replacement?

No. It is a focused configured-group check tied to AI access approvals.

Sources