AI Awards Finalist: Evolveum and AI for secure identity management
This year’s AI Awards finalists include Evolveum, a Slovak company that develops and maintains midPoint, a leading open source platform in the field of identity governance and administration. The company is built on the principles of open collaboration, technological independence, and a 100% European ownership structure without external investors. We spoke with Martin Mareš, Senior Product Manager, and Anton Tkáčik, Backend Technical Lead and Developer at Evolveum.
Can you tell us about your AI system and the problems it helps solve?
Today, up to 80% of cyberattacks exploit vulnerabilities related to user identities. Our open source platform midPoint naturally addresses this problem as software for identity governance and administration (IGA). However, one of the most critical bottlenecks in deploying IGA solutions remains the onboarding of enterprise systems. Organizations often need to connect hundreds of applications and, for some of them, even develop custom communication interfaces – so-called connectors. This process tends to be both time-consuming and costly, and can significantly extend the implementation of the entire project.
MidPilot, midPoint’s AI assistant, brings a significant acceleration to this process while also reducing the need for deep technical expertise. Organizations thus gain a greater chance of successfully implementing an IGA solution, more efficient identity management, and an overall strengthening of security. The potential of our AI initiative is further confirmed by support from the European Union through Slovakia’s Recovery and Resilience Plan.
AI Awards highlights systems built on the pillars of ethics, reliability, and privacy. Which of these aspects presented the greatest challenge during the development of your solution?
One of the main challenges of our solution is the trustworthiness of the AI service provider. What data is being shared? What happens to it after processing? Where does the entire system run? We operate in the field of cybersecurity, where these questions are even more sensitive and important than in a standard IT environment. That is why we involved our Chief Information Security Officer as well as the compliance department in the processes from the very beginning of the project.
We focused on three key pillars. The first is full transparency: the entire solution, including the default configuration, prompts, documentation, and guides, is published publicly as open source. We hide nothing, and the customer has complete visibility into how the system works. The second is data control: the user interface clearly displays, before each use of AI, what type of data will be sent for processing. The user has the option not to use the AI functionality, and a complete audit of submitted data is available, stored locally on the midPoint side. The third pillar is geopolitical and technological independence: the customer chooses their own architecture and the LLM models they use. The solution can run fully on-premise; it is possible to use our AI service on private servers in the EU, or to integrate other platforms and cloud services according to the organization’s security requirements. There is no vendor lock-in that would restrict the customer. Evolveum itself is a fully European company, built and owned within the EU, which supports adherence to European standards and ethical principles and strengthens technological sovereignty.
What specific mechanisms ensure that your solution remains under human control and stays secure in the long term?
Blind trust in an AI model does not work: hallucinations are a risk, as are targeted attacks such as remote code poisoning. To prevent these risks, we built connector generation on three security principles.
The first is strict guardrails: we do not let artificial intelligence generate arbitrary executable code. Instead, we created a special connector framework, a firmly defined and manually designed foundation into which AI only fills in the specifications of the system being connected. The second is declarative output: the result is not an unpredictable script, but a purely declarative connector. The model does not create program logic; it only describes the parameters and what is to be executed, which significantly reduces the space for introducing vulnerabilities. The third principle is human control. The entire process is designed to be iterative and interactive. The AI assistant gradually generates individual parts, from finding documentation to proposing tests, while the administrator immediately reviews, adjusts, or rejects each step. This reduces cognitive load while keeping full control always on the human side. We have thus turned unpredictable code generation into a secure, managed, and auditable assistance where the human is always in the control loop.
What do you see as the greatest societal challenge in the field of AI, and what role does Evolveum want to play in addressing it?
We see the greatest societal challenge in AI as the question of trust, control, and accountability for decisions that AI systems influence. AI is increasingly entering sensitive areas such as identity management, security, and access to systems, which is why it is crucial that these technologies remain transparent, auditable, and under full human control. At Evolveum, we want to play the role of a provider of open and trustworthy solutions that do not deploy AI as a “black box”, but as a controlled assistant within identity management. With our AI assistant midPilot, we bring an approach where AI helps accelerate and simplify complex processes, but decisions, control, and accountability always remain on the human side. At the same time, we build on the principles of open source, transparency, and EU technological sovereignty, so that organizations are not dependent on closed ecosystems and retain full control over their data and infrastructure.
Where do you see the future of midPilot, and how will it deepen collaboration between technology and people?
We see the future of our AI assistant midPilot not as a replacement for people, but as a natural extension of their capabilities in the area of identity governance and administration across systems. We see development moving toward an even closer collaboration between humans and technology, where AI will act as an intelligent guide in complex processes — helping with analysis, configuration proposals, system onboarding, and data interpretation, but always in a mode where the human remains in the decision-making and control position. We also expect a shift from one-off “AI features” toward continuous assistance directly within the lifecycle of processes. This will give rise to an artificial intelligence that understands the context of an organization, its policies and history of decisions, and is able to propose consistent and secure steps on that basis.
What remains key for us, however, is that such a solution not be based on blind automation, but on transparency, explainability, and auditability. We see the future in a “human-in-the-loop by design” model, where AI speeds up and simplifies work, but the human retains full control and responsibility. Our goal is for technology to become a trustworthy partner that reduces complexity safely and transparently.

Martin Mareš is a senior product manager with a strong technical background and a passion for agile methodologies. He has more than 10 years of experience in the software industry, having progressed from backend developer through scrum master to product owner. Martin bridges technical delivery with strategic product vision, and his current challenge is leading the development of the AI assistant midPilot.
Martin Mareš
Senior Product Manager, Evolveum
Anton Tkáčik has more than 12 years of experience in developing and managing open source software. In the past, he developed high-performance model-driven software and worked on the design and implementation of modeling languages. He currently focuses on the design of libraries, concepts, and interfaces intended for AI to generate functional code.
Anton Tkáčik
Backend Technical Lead and Developer




