Randomized Controlled Trials for Conditional Access Optimization Agent
James Bono, Beibei Cheng, Joaquin Lozano
TL;DR
This study provides the first field RCT assessing a purpose-built AI agent for Conditional Access policy management within Microsoft Entra. In a production-grade environment with 162 identity admins, the agent-assisted group achieved a 48% improvement in accuracy and a 43% reduction in task time across four CA-policy tasks, with the largest gains on the Missing Baselines task. The results demonstrate the practical productivity gains of AI augmentation in identity governance and highlight task-specific heterogeneity, safety considerations, and design implications for adoption and governance. These findings support broader exploration of AI copilots/agents in enterprise IT operations and motivate longitudinal and cross-domain investigations to understand longer-term effects and integration costs.
Abstract
AI agents are increasingly deployed to automate complex enterprise workflows, yet evidence of their effectiveness in identity governance is limited. We report results from the first randomized controlled trial (RCT) evaluating an AI agent for Conditional Access (CA) policy management in Microsoft Entra. The agent assists with four high-value tasks: policy merging, Zero-Trust baseline gap detection, phased rollout planning, and user-policy alignment. In a production-grade environment, 162 identity administrators were randomly assigned to a control group (no agent) or treatment group (agent-assisted) and asked to perform these tasks. Agent access produced substantial gains: accuracy improved by 48% and task completion time decreased by 43% while holding accuracy constant. The largest benefits emerged on cognitively demanding tasks such as baseline gap detection. These findings demonstrate that purpose-built AI agents can significantly enhance both speed and accuracy in identity administration.