Table of Contents
Fetching ...

AI-Driven IRM: Transforming insider risk management with adaptive scoring and LLM-based threat detection

Lokesh Koli, Shubham Kalra, Rohan Thakur, Anas Saifi, Karanpreet Singh

TL;DR

The paper addresses insider threats that exploit legitimate access by developing an AI-powered Insider Risk Management (IRM) system that replaces static PRISM scoring with an adaptive AI framework using an autoencoder. The risk score is defined as $R = (W_p \cdot S_p) + (W_A \cdot S_A) + (W_C \cdot S_C) + (W_{IP} \cdot S_{IP}) + (W_B \cdot S_B) + (W_D \cdot S_D) + (W_{CA} \cdot S_{CA})$, subsequently normalized to [0,1], enabling real-time risk assessment and automated policy enforcement. Key findings include a reduction of false positives from 42% to 17%, an increase in true positives from 65% to 85%, and a 47% decrease in incident response time, all while scaling to 10 million log events per day with sub-300 ms query latency. The work demonstrates a scalable, proactive architecture suitable for on-premises and hybrid environments, with future directions spanning federated learning, explainable AI, graph-based anomaly detection, and alignment with Zero Trust principles to enhance transparency and compliance-readiness.

Abstract

Insider threats pose a significant challenge to organizational security, often evading traditional rule-based detection systems due to their subtlety and contextual nature. This paper presents an AI-powered Insider Risk Management (IRM) system that integrates behavioral analytics, dynamic risk scoring, and real-time policy enforcement to detect and mitigate insider threats with high accuracy and adaptability. We introduce a hybrid scoring mechanism - transitioning from the static PRISM model to an adaptive AI-based model utilizing an autoencoder neural network trained on expert-annotated user activity data. Through iterative feedback loops and continuous learning, the system reduces false positives by 59% and improves true positive detection rates by 30%, demonstrating substantial gains in detection precision. Additionally, the platform scales efficiently, processing up to 10 million log events daily with sub-300ms query latency, and supports automated enforcement actions for policy violations, reducing manual intervention. The IRM system's deployment resulted in a 47% reduction in incident response times, highlighting its operational impact. Future enhancements include integrating explainable AI, federated learning, graph-based anomaly detection, and alignment with Zero Trust principles to further elevate its adaptability, transparency, and compliance-readiness. This work establishes a scalable and proactive framework for mitigating emerging insider risks in both on-premises and hybrid environments.

AI-Driven IRM: Transforming insider risk management with adaptive scoring and LLM-based threat detection

TL;DR

The paper addresses insider threats that exploit legitimate access by developing an AI-powered Insider Risk Management (IRM) system that replaces static PRISM scoring with an adaptive AI framework using an autoencoder. The risk score is defined as , subsequently normalized to [0,1], enabling real-time risk assessment and automated policy enforcement. Key findings include a reduction of false positives from 42% to 17%, an increase in true positives from 65% to 85%, and a 47% decrease in incident response time, all while scaling to 10 million log events per day with sub-300 ms query latency. The work demonstrates a scalable, proactive architecture suitable for on-premises and hybrid environments, with future directions spanning federated learning, explainable AI, graph-based anomaly detection, and alignment with Zero Trust principles to enhance transparency and compliance-readiness.

Abstract

Insider threats pose a significant challenge to organizational security, often evading traditional rule-based detection systems due to their subtlety and contextual nature. This paper presents an AI-powered Insider Risk Management (IRM) system that integrates behavioral analytics, dynamic risk scoring, and real-time policy enforcement to detect and mitigate insider threats with high accuracy and adaptability. We introduce a hybrid scoring mechanism - transitioning from the static PRISM model to an adaptive AI-based model utilizing an autoencoder neural network trained on expert-annotated user activity data. Through iterative feedback loops and continuous learning, the system reduces false positives by 59% and improves true positive detection rates by 30%, demonstrating substantial gains in detection precision. Additionally, the platform scales efficiently, processing up to 10 million log events daily with sub-300ms query latency, and supports automated enforcement actions for policy violations, reducing manual intervention. The IRM system's deployment resulted in a 47% reduction in incident response times, highlighting its operational impact. Future enhancements include integrating explainable AI, federated learning, graph-based anomaly detection, and alignment with Zero Trust principles to further elevate its adaptability, transparency, and compliance-readiness. This work establishes a scalable and proactive framework for mitigating emerging insider risks in both on-premises and hybrid environments.
Paper Structure (19 sections, 5 equations, 6 figures, 8 tables)

This paper contains 19 sections, 5 equations, 6 figures, 8 tables.

Figures (6)

  • Figure 1: System architecture of the proposed AI-enabled insider risk management framework.
  • Figure 3: False Positive Rate in PRISM vs. AI-Based Risk Scoring
  • Figure 4: Improvement in True Positive Detection Over Time
  • Figure 5: Reduction in False Positives After User Feedback Loops
  • Figure 6: Breakdown of Detected Policy Violations
  • ...and 1 more figures