Status Delivered
Created by Guest
Created on Apr 17, 2025

Agent Access Control: JIT (Just-in-time) and JEA (Just-enough-access)

In regulated domains like Talent (HR systems) or Finance (ERP, banking platforms), granting AI agents standing access to sensitive data and systems poses significant security and compliance risks.

Just‑In‑Time (JIT) and Just‑Enough‑Access (JEA) are critical because they enforce the principle of least privilege—granting AI agents (or users) only the permissions they need, only when they need them, and only for as long as they need them.

  • agent requests elevated privileges only when it needs to perform a specific task (e.g., fetching candidate

  • the system dynamically scopes permissions to the minimal set of actions and data fields required (e.g., “read-only access to payroll records for employee ID X”)

  • each access request is checked against an attribute‑based policy engine (e.g., OPA, Azure PIM), which evaluates real‑time context such as time of day, agent identity, task type, and risk level. Policies incorporate risk factors: unusual access patterns or high‑value transactions trigger additional approvals or deny access.

  • upon task completion or expiration of the JIT window, credentials are automatically revoked, and access tokens are invalidated to prevent privilege creep. Ephemeral keys or certificates are rotated after each session to eliminate reuse risks.

  • every JIT/JEA grant and revoke event is logged with full context (who, what, when, why), ensuring traceability for audits and investigations. A central monitoring system watches for policy violations or anomalies and can trigger alerts.

Idea priority High
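The grant/scope/context/expiry/audit cycle described in the idea above, as an added example that is not part of the original post and is not IBM watsonx Orchestrate code. It is a self-contained Python broker: an agent asks for a grant, the request is clipped to a per-(agent, task) policy ceiling (JEA), off-hours, anomalous or high-risk requests are held for human approval, the token that is issued dies after a TTL (JIT), and every grant, use, denial and revocation is appended to an audit log with who/what/when/why. The agent names, tasks, field names, policy table, business-hours window and TTLs are constructed assumptions for illustration only; a production deployment would replace `POLICY` with a real policy engine (OPA, PIM) and the in-memory token store with a credential vault.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample policy (hypothetical agents and tasks): the *maximum*
# resource/action/field scope an agent may receive for a task, and the grant TTL.
POLICY = {
    ("payroll-agent", "lookup-salary"):
        {"resource": "payroll", "actions": {"read"},
         "fields": {"employee_id", "base_salary"}, "ttl": 300},
    ("recruiting-agent", "fetch-candidate"):
        {"resource": "ats", "actions": {"read"},
         "fields": {"candidate_id", "name", "stage"}, "ttl": 120},
    ("finance-agent", "approve-payment"):
        {"resource": "erp", "actions": {"read", "write"},
         "fields": {"invoice_id", "amount", "status"}, "ttl": 60},
}
BUSINESS_HOURS = range(8, 18)          # assumed window for unattended agents
HIGH_RISK_TASKS = {"approve-payment"}  # assumed: always needs a human approver


@dataclass
class Context:
    now: float               # seconds since epoch, used for TTLs
    hour: int                # local hour of day
    anomalous: bool = False  # set by monitoring (e.g. unusual access pattern)
    approved: bool = False   # a human approver signed off on this request


@dataclass
class Grant:
    token: str
    agent: str
    task: str
    resource: str
    actions: Set[str]
    fields: Set[str]
    expires_at: float
    revoked: bool = False


class JITBroker:
    """Issues short-lived, minimally scoped grants and audits every decision."""

    def __init__(self) -> None:
        self.grants: Dict[str, Grant] = {}
        self.log: List[dict] = []   # who / what / when / why for every event

    def _audit(self, event: str, **ctx) -> None:
        self.log.append({"event": event, **ctx})

    def request(self, agent: str, task: str, resource: str,
                actions: Set[str], fields: Set[str], ctx: Context) -> Optional[str]:
        rule = POLICY.get((agent, task))
        if rule is None or rule["resource"] != resource:
            self._audit("deny", agent=agent, task=task, resource=resource,
                        reason="no matching policy", at=ctx.now)
            return None
        # JEA: clip the request to the policy ceiling; never widen it.
        actions, fields = actions & rule["actions"], fields & rule["fields"]
        if not actions or not fields:
            self._audit("deny", agent=agent, task=task, resource=resource,
                        reason="requested scope outside policy", at=ctx.now)
            return None
        # Context and risk: off-hours, anomalies and high-value tasks need a human.
        needs_approval = (ctx.hour not in BUSINESS_HOURS or ctx.anomalous
                          or task in HIGH_RISK_TASKS)
        if needs_approval and not ctx.approved:
            self._audit("approval_required", agent=agent, task=task,
                        resource=resource, at=ctx.now)
            return None
        # JIT: mint an unguessable token that is only valid until the TTL elapses.
        token = secrets.token_urlsafe(24)
        expires_at = ctx.now + rule["ttl"]
        self.grants[token] = Grant(token, agent, task, resource, actions, fields, expires_at)
        self._audit("grant", agent=agent, task=task, resource=resource,
                    actions=sorted(actions), fields=sorted(fields),
                    expires_at=expires_at, at=ctx.now)
        return token

    def use(self, token: str, action: str, field: str, now: float) -> bool:
        """Check one access against the grant; expired grants are revoked on touch."""
        g = self.grants.get(token)
        if g is None or g.revoked:
            self._audit("deny", reason="unknown or revoked token", at=now)
            return False
        if now >= g.expires_at:
            self.revoke(token, now, reason="ttl expired")
            return False
        ok = action in g.actions and field in g.fields
        extra = {} if ok else {"reason": "outside granted scope"}
        self._audit("use" if ok else "deny", agent=g.agent, task=g.task,
                    resource=g.resource, action=action, field=field, at=now, **extra)
        return ok

    def revoke(self, token: str, now: float, reason: str = "task complete") -> None:
        g = self.grants.get(token)
        if g and not g.revoked:
            g.revoked = True
            self._audit("revoke", agent=g.agent, task=g.task, resource=g.resource,
                        reason=reason, at=now)
```

Two design points worth noting. The broker intersects the requested scope with the policy ceiling rather than rejecting over-broad requests outright, so an agent that asks for `ssn` alongside `base_salary` gets a grant for `base_salary` only, and the denied field shows up in the audit log when it is actually touched. Expiry is enforced on use rather than by a background timer, which means a token that outlives its window is revoked the moment anything tries to present it, and the revocation reason is recorded.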
  • Admin
    Laurent Tillette de Clermont-Tonnerre
    May 8, 2025

    Thank you for your feedback, wouldn't that be covered by personal credentials (https://watson-orchestrate.ideas.ibm.com/ideas/LSABER-I-906), which means each user uses their own credentials for a given 3rd party app the tool connects to on their behalf and therefore only gets the user access to the permission/data they have in that system?