by Jayna Wu, Product Manager, Opal Security
The AI does the heavy lifting and recommends clearing the routine grants, while a human signs off where it matters.
The hard part of a review at scale is not effort, it is attention. Reviewers are handed far more to certify than anyone can weigh with care, so the routine grants and the dangerous ones get the same glance, and the review quietly becomes a rubber stamp. We hear it from reviewers and admins alike, and the gap stays invisible until an audit or a breach asks you to prove who had access to what.
Here at Opal, we don't believe you should have to choose between speed and scrutiny.
Today we're launching AI-guided access reviews, so you can complete them faster while every grant still gets the same scrutiny.
Review faster, with AI that shows its work
Most grants in a campaign are low risk, yet a manual review spends the same attention on every one. Paladin, Opal's access agent, surfaces the low-risk grants along with the exact signals it used to assess them — resource sensitivity, requester risk, and temporal context — so you can clear what it recommends in a single click. That frees your attention for the grants that could actually hurt you.
Nothing happens in a black box. Every recommendation, and every approval you make on it, is logged with the reasoning and is fully auditable, so your compliance team can always see what was decided and on what basis.
Visual: Paladin showing risk buckets, recommendations, and rationale.
A dial, not a switch
Paladin's autonomy is something you control, not an on-or-off choice. At the conservative end, a human approves every grant, just far faster, because Paladin has already done the prep and recommended the low-risk ones for one-click approval. Dial it up only where you are comfortable and your compliance program allows. However high you set it, the risky calls always reach a person. Paladin flags and explains the critical and elevated items, and you make the final decision.
Visual: autonomy control and the risk-bucketing view where Paladin flags and explains.
Launch a campaign in minutes
No more manual campaign setup. Define exactly what to review with natural language, and scope by the relationship between each principal and asset, so reviewers only see what matters. Opal assigns the right reviewers automatically and prevents self-review, and you can set campaigns to recur on the schedule you choose, so certification stops being a once-a-quarter fire drill.
Visual: OpalQuery scoping into the campaign builder.
Built for how reviews actually run
Reviewers get a unified view with rich access context, plus the controls to group, filter, and prioritize, so patterns are obvious and similar grants get decided together. Bulk actions clear the repetitive calls in one move, and you can delegate or reassign any item to the person who actually knows the answer. Faster decisions, not shallower ones.
Visual: grouping, filtering, and bulk reviews.
Stay on track and audit-ready
Launching is only half the work. Keep reviews moving with automated reminders, bulk communications, and real-time progress tracking, so campaigns finish on schedule. Every decision, recommendation, and reassignment is captured in a complete history, so you get a defensible audit trail without assembling evidence by hand.
Visual: campaign progress dashboard and decision history.
Tune the AI to your policy
Policy looks different at every company, and it keeps changing. With Paladin you build your own policy into its recommendations, add guardrails, and set the confidence level each recommendation has to clear before Paladin acts on it. Flexible where you need it, interpretable where it counts.
In practice
Mercari governs more than 5,000 Okta entitlements through automated reviews on Opal, the kind of scale no quarterly cycle clears by hand. Teams like Databricks, Notion, and Superhuman run their access on the same platform.
The bigger picture
AI-guided access reviews are one piece of a larger shift in how access gets governed once it outgrows human scale. For where this is going across requests, policy, and investigation, read our CPO Sameer Mehta's blog.
To dive deeper, join our upcoming AI-guided access reviews webinar, or schedule a demo with our team.
About Opal: Opal is the AI-native access security platform, for real-time visibility, expressive policy-as-code, and direct control over every identity — from employees to service accounts to AI agents. We are based in San Francisco, recently named to Notable Capital's Rising in Cyber 2026 list as selected by 150 leading CISOs, used by leading companies like Databricks, Notion, Cloudflare, Scale AI, CoreWeave, SpaceXAI, and Superhuman, and backed by Greylock, Battery Ventures, Silicon Valley CISO Investments (SVCI), and Cambium Capital.




