Why Automated Response Needs a Safety Harness
Auto-generating response policy from incident signal is now within reach, but the model writing the rule isn't where this gets hard.
June 3, 2026

Auto-generating response policy from incident signal is now within reach. So is locking the CFO out at 2am when the policy is 95% right.
The conventional read is that the model is the constraint: can an LLM translate incident signal into a correct Conditional Access, sign-in risk, or authorization policy? It can. Generate the rule, push it to Entra or Okta, and dwell time shrinks, IR toil drops, and every investigation becomes a durable control.
The model is the easy part.
What Breaks First
The failure modes are all operational:
- Correctness: validate a generated rule against the real identity graph before it ships, not after
- Blast radius: a control scoped to one identity is fine to auto-apply; tenant-wide controls never are
- Rollback: every auto-shipped policy needs a TTL and a self-revert when false positives spike
- Approval line: narrow reversible controls can run alone; break-glass and admin role assignments stay human forever
A model writes the policy in five seconds. Designing the harness that makes you willing to ship it is the year of work.
Behavioral Baselines Belong Upstream
Validating a candidate policy before it auto-applies requires a model of what normal looks like for the identity, the access pattern, and the service principal. PeopleBase tracks how every identity behaves across systems: what they touch, when, and how often. That's the substrate that lets you shadow-evaluate a generated rule against the last thirty days of sign-ins. The same baseline that flags the anomaly tells you which legitimate users the candidate rule would have broken; the caveat is that the window has to predate the compromise, or the attacker's own sign-ins become part of what the baseline calls normal.
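To make the four harness checks and the shadow evaluation concrete, here is an added example that is not Abnormal's or PeopleBase's code. A generated rule is a small dict standing in for a real Entra or Okta policy object; the thresholds, the privileged principal names ("break-glass", "global-admin"), the rule fields, and the thirty-day sign-in history are all assumptions constructed for the illustration.

```python
"""Safety harness for an auto-generated identity response policy.

Added illustration, not Abnormal's code. A candidate rule is a small dict
standing in for a real Entra/Okta policy object; the sign-in history is
constructed inline, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

PRIVILEGED = {"break-glass", "global-admin"}  # assumed names for protected principals
MAX_AUTO_SCOPE = 1        # one identity may auto-apply; anything wider goes to a human
MAX_TTL_HOURS = 72        # assumed ceiling for an auto-shipped control
MAX_FP_RATE = 0.05        # share of historical matches the baseline calls normal
BUSINESS_HOURS = (7, 20)
NOW = datetime(2026, 6, 3, 2, 0, tzinfo=timezone.utc)


def make_events(user, country, app, hour, n):
    return [{"user": user, "country": country, "app": app, "hour": hour} for _ in range(n)]


# Constructed 30-day history: the CFO's lone 02:00 sign-in from NG is the incident;
# alice's DE sign-ins are recurring travel that a tenant-wide rule would break.
SIGNINS = (
    make_events("cfo", "US", "erp", 9, 20) + make_events("cfo", "NG", "erp", 2, 1)
    + make_events("alice", "US", "erp", 9, 10) + make_events("alice", "DE", "erp", 10, 5)
    + make_events("bob", "US", "erp", 9, 10)
    + make_events("global-admin", "US", "erp", 10, 4) + make_events("global-admin", "US", "erp", 3, 1)
)


def off_hours(hour):
    start, end = BUSINESS_HOURS
    return not start <= hour < end


def build_baseline(signins, min_count=3):
    """Per-identity normal: (country, app, off_hours) combos seen min_count+ times in the window."""
    counts = defaultdict(int)
    for ev in signins:
        counts[(ev["user"], ev["country"], ev["app"], off_hours(ev["hour"]))] += 1
    baseline = defaultdict(set)
    for (user, country, app, off), n in counts.items():
        if n >= min_count:
            baseline[user].add((country, app, off))
    return baseline


def is_normal(ev, baseline):
    return (ev["country"], ev["app"], off_hours(ev["hour"])) in baseline.get(ev["user"], set())


def rule_matches(rule, ev):
    """Would the candidate rule fire on this sign-in? (toy rule language, an assumption)"""
    if rule["scope"] != "*" and ev["user"] not in rule["scope"]:
        return False
    m = rule["match"]
    if ev["country"] in m.get("country_not_in", ()):
        return False
    if m.get("off_hours_only") and not off_hours(ev["hour"]):
        return False
    return True


def shadow_evaluate(rule, signins, baseline):
    """Replay history through the rule; a blocked-but-normal sign-in is a user it would break."""
    hits = [ev for ev in signins if rule_matches(rule, ev)]
    broken = [ev for ev in hits if is_normal(ev, baseline)]
    return {"matched": len(hits), "false_positives": len(broken),
            "impacted_users": sorted({ev["user"] for ev in hits}),
            "broken_users": sorted({ev["user"] for ev in broken})}


def decide(rule, signins, baseline):
    """Verdict for a generated rule: AUTO_APPLY, NEEDS_APPROVAL or REJECT, plus reasons."""
    ttl = rule.get("ttl_hours")
    if ttl is None or ttl > MAX_TTL_HOURS:                # rollback: no TTL, no ship
        return "REJECT", [f"ttl_hours must be set and <= {MAX_TTL_HOURS}"], None
    report = shadow_evaluate(rule, signins, baseline)
    if report["matched"] == 0:                              # nothing to validate against
        return "NEEDS_APPROVAL", ["no historical matches; rule is unvalidated"], report
    if report["false_positives"] / report["matched"] > MAX_FP_RATE:   # correctness
        return "REJECT", [f"would have broken {report['broken_users']}"], report
    reasons = []
    if rule["scope"] == "*":                                # blast radius
        reasons.append("tenant-wide scope never auto-applies")
    elif set(rule["scope"]) & PRIVILEGED:                   # approval line
        reasons.append("break-glass/admin scope stays with a human")
    elif len(rule["scope"]) > MAX_AUTO_SCOPE:
        reasons.append(f"blast radius: {len(rule['scope'])} identities in scope")
    return ("NEEDS_APPROVAL" if reasons else "AUTO_APPLY"), reasons, report


def expires_at(rule, applied_at):
    """TTL: the control reverts on its own even if nobody looks at it again."""
    return applied_at + timedelta(hours=rule["ttl_hours"])


def should_revert(rule, live_events, baseline, max_normal_blocks=3):
    """Post-deploy watchdog: self-revert once the live rule blocks baseline-normal sign-ins."""
    blocked = sum(1 for ev in live_events if rule_matches(rule, ev) and is_normal(ev, baseline))
    return blocked >= max_normal_blocks


CANDIDATES = {  # generated rules of the kind the text describes (constructed)
    "cfo_only": {"scope": ["cfo"], "match": {"country_not_in": ["US"]}, "action": "block", "ttl_hours": 24},
    "tenant_wide": {"scope": "*", "match": {"country_not_in": ["US"]}, "action": "block", "ttl_hours": 24},
    "admin_hours": {"scope": ["global-admin"], "match": {"off_hours_only": True}, "action": "block", "ttl_hours": 24},
    "no_ttl": {"scope": ["cfo"], "match": {"country_not_in": ["US"]}, "action": "block"},
}


def run_harness(candidates=CANDIDATES, signins=SIGNINS):
    baseline = build_baseline(signins)
    return {name: decide(rule, signins, baseline)[0] for name, rule in candidates.items()}
```

Run against the constructed history, the CFO-only rule auto-applies (its one historical match is the anomalous sign-in), the tenant-wide version of the same rule is rejected because it would have blocked alice's recurring travel, the admin-hours rule is correct but routes to a human because of its scope, and the rule without a TTL never ships. Note the ordering: the rule is rejected on correctness grounds before scope is even considered, and a rule with no historical matches cannot be validated at all, so it goes to a human rather than auto-applying on zero evidence. `should_revert` is the post-deploy half of the rollback check: it re-runs the same baseline over live sign-ins and trips once the control starts blocking what the baseline calls normal.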
Automated response is only as safe as the baseline that validates it. Build that first, automate second.
See the latest from Abnormal's product and engineering teams.