Zing Forum

JML Agent Fleet: An Enterprise Identity Lifecycle Automation System Based on Multi-Agent Architecture

This article introduces an open-source enterprise-level identity lifecycle automation project. Leveraging seven Claude-driven AI agents, it automates the entire Joiner/Mover/Leaver workflow and features advanced security capabilities like zero-trust architecture, UEBA behavior analysis, and drift detection. It can replace core functions of traditional IGA platforms such as SailPoint and Saviynt.

Tags: identity lifecycle management, IGA, AI agents, Microsoft Entra ID, zero-trust architecture, UEBA, separation of duties, automated operations, enterprise security, multi-agent systems
Published 2026-05-22 04:14 · Recent activity 2026-05-22 04:17 · Estimated read 10 min
Section 01

JML Agent Fleet: Guide to the Enterprise Identity Lifecycle Automation System Based on Multi-Agent Architecture

JML Agent Fleet is an open-source, enterprise-oriented identity lifecycle automation project. It uses seven Claude-driven AI agents in a multi-agent architecture to automate the full Joiner/Mover/Leaver workflow, and layers security controls on top: a zero-trust design, UEBA behavior analysis, and drift detection. The project positions itself as a replacement for the core functions of commercial IGA platforms such as SailPoint and Saviynt, using automation and LLM-driven agents in place of manual identity lifecycle management.

Section 02

Project Background and Core Challenges

In a modern enterprise IT environment, employee identity management involves many repetitive operations across onboarding (Joiner), role change (Mover), and offboarding (Leaver): account creation, license assignment, permission management, and so on. The traditional options, manual work or an expensive commercial IGA platform (SailPoint, Saviynt), are costly and slow to adapt to rapid business change.

JML Agent Fleet emerged as an open-source solution, using an AI agent architecture to automate the entire workflow while integrating enterprise-level security controls and audit mechanisms to address these challenges.

Section 03

System Architecture and Agent Design

Multi-Agent Collaboration Architecture

The system includes seven dedicated Claude-driven AI agents:

  • Joiner Agent: Handles new-hire onboarding, including Entra ID account creation and license assignment.
  • Mover Agent: Handles role changes, updating user attributes and adjusting permissions.
  • Leaver Agent: Processes offboarding in phases (soft offboarding, then hard offboarding) under dual approval.
  • Enroller Agent: Device registration and compliance-group assignment.
  • Approver Agent: Human-in-the-loop approval, with risk scoring and RBAC.
  • Provisioner Agent: Application registration; disabled by default and enabled on demand.
  • Auditor Agent: Continuous monitoring and auditing, including UEBA and drift detection.

Zero-Trust Security Architecture

  • Risk scoring engine (0-100 points): Combines baseline risk, change-freeze windows, sensitive permissions, and other factors into a single score.
  • SoD policy engine: Detects and blocks operations that violate the separation-of-duties rules defined in sod-policy.json.
  • PIM for Groups: Just-in-time activation of privileged groups with time-bound membership.
  • Dual approval: High-risk operations require a second operator's approval within 30 minutes.
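
How these controls fit together as a deterministic gate in front of the agents, as an added example (not code from JML Agent Fleet): a risk score built from the listed factors, an SoD check driven by a constructed stand-in for sod-policy.json, and a dual-approval token that expires after 30 minutes. The policy file layout, the score weights, the 60-point threshold, and all function and field names are assumptions.

```python
# Added example (not JML Agent Fleet code): risk score, SoD check and a dual-approval
# token modelled on the controls listed above. The sod-policy.json layout, the score
# weights, the 60-point threshold and the field names are assumptions.
import hashlib
import json
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed stand-in for sod-policy.json; the project's real schema is not shown.
SOD_POLICY = json.loads("""
{
  "conflicts": [
    {"a": "AP-Invoice-Entry", "b": "AP-Payment-Release", "reason": "create and pay invoices"},
    {"a": "Payroll-Admin", "b": "Payroll-Approver", "reason": "self-approve payroll"}
  ],
  "sensitive_groups": ["Global-Admins", "Payroll-Admin", "AP-Payment-Release"]
}
""")

# Assumed weights; the page only says the score is 0-100 and which factors feed it.
BASELINE_RISK = {"joiner": 10, "mover": 20, "leaver": 30}
FREEZE_WINDOW_PENALTY = 25
SENSITIVE_GROUP_PENALTY = 20
DUAL_APPROVAL_THRESHOLD = 60
APPROVAL_TTL = timedelta(minutes=30)


@dataclass
class Request:
    operation: str                 # joiner | mover | leaver
    requester: str                 # operator submitting the change
    target_user: str
    current_groups: set
    add_groups: set
    submitted_at: datetime
    freeze_windows: list = field(default_factory=list)   # [(start, end), ...]


@dataclass
class ApprovalToken:
    token_id: str
    request_hash: str              # binds the token to one exact request
    first_approver: str
    issued_at: datetime

    def expires_at(self):
        return self.issued_at + APPROVAL_TTL


def build_request(operation, requester, target_user, current_groups, add_groups,
                  submitted_at, freeze_windows=()):
    """ISO-8601 timestamps in, Request out (keeps callers free of datetime handling)."""
    ts = datetime.fromisoformat
    return Request(operation, requester, target_user, set(current_groups), set(add_groups),
                   ts(submitted_at), [(ts(a), ts(b)) for a, b in freeze_windows])


def sod_violations(current_groups, add_groups):
    """Conflict pairs that the membership resulting from the change would trigger."""
    resulting = set(current_groups) | set(add_groups)
    return [(r["a"], r["b"], r["reason"]) for r in SOD_POLICY["conflicts"]
            if r["a"] in resulting and r["b"] in resulting]


def risk_score(req):
    score = BASELINE_RISK.get(req.operation, 50)
    if any(start <= req.submitted_at < end for start, end in req.freeze_windows):
        score += FREEZE_WINDOW_PENALTY
    score += SENSITIVE_GROUP_PENALTY * len(req.add_groups & set(SOD_POLICY["sensitive_groups"]))
    return min(score, 100)


def request_hash(req):
    payload = [req.operation, req.target_user, sorted(req.add_groups)]
    return hashlib.sha256(json.dumps(payload).encode()).hexdigest()


def evaluate(req):
    """Deterministic gate: SoD conflicts block outright; high risk needs a second operator."""
    violations = sod_violations(req.current_groups, req.add_groups)
    if violations:
        return {"decision": "blocked", "violations": violations}
    score = risk_score(req)
    if score >= DUAL_APPROVAL_THRESHOLD:
        token = ApprovalToken(str(uuid.uuid4()), request_hash(req), req.requester, req.submitted_at)
        return {"decision": "pending_dual_approval", "score": score, "token": token}
    return {"decision": "allowed", "score": score}


def second_approval(token, approver, now_iso, req):
    """Second approver must be a different operator, act within the TTL, and approve
    the same request the token was minted for."""
    now = datetime.fromisoformat(now_iso)
    if approver == token.first_approver:
        return False, "same operator cannot give both approvals"
    if now > token.expires_at():
        return False, "approval window expired"
    if request_hash(req) != token.request_hash:
        return False, "request changed since first approval"
    return True, "approved"
```

The point of keeping this logic in plain code rather than in the model's prompt is that an agent can propose a change but cannot talk its way past the gate: the SoD check and the threshold are evaluated on the request the token was minted for, and a second approval by the same operator, after the window, or for a request that changed in between is rejected.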

Section 04

Technical Implementation and Integration Capabilities

Deep Integration with Microsoft Graph API

Integrates with Microsoft 365/Entra ID through the Microsoft Graph API, covering account management, license assignment, group operations, sign-in session revocation, and more. Every operation carries a ticketRef for traceability, and offboarding operations must reference a ticket before they run.
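
As an added example (not project code), a planner for the two Leaver phases over the Graph operations named above. It returns request descriptors instead of sending them, so it runs offline; a real run would hand them to an authenticated Graph client. What goes into the soft and hard phases, the function names, the `dual_approved` flag and the constructed `fake_graph` transport are assumptions; the endpoints are the documented Graph v1.0 ones.

```python
# Added example (not JML Agent Fleet code): plan the Microsoft Graph calls for a phased
# Leaver run and refuse to plan anything without a ticketRef. What goes into the "soft"
# and "hard" phases, the function names and the dual_approved check are assumptions;
# the endpoints are the documented Graph v1.0 ones. Nothing is sent: the planner returns
# request descriptors for an authenticated Graph client to execute.
GRAPH = "https://graph.microsoft.com/v1.0"


class MissingTicketRef(Exception):
    """Every offboarding action must be traceable to a ticket."""


def has_ticket_ref(ticket_ref):
    return bool(ticket_ref and ticket_ref.strip())


def _require_ticket(ticket_ref):
    if not has_ticket_ref(ticket_ref):
        raise MissingTicketRef("leaver operations require a ticketRef")
    return ticket_ref.strip()


def _op(method, url, body, ticket):
    return {"method": method, "url": url, "body": body, "ticketRef": ticket}


def plan_soft_offboarding(user_id, ticket_ref):
    """Phase 1: block sign-in and invalidate existing sessions/refresh tokens.
    Nothing is deleted, so the phase is reversible if the leaver record is wrong."""
    ticket = _require_ticket(ticket_ref)
    return [
        _op("PATCH", f"{GRAPH}/users/{user_id}", {"accountEnabled": False}, ticket),
        _op("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions", None, ticket),
    ]


def plan_hard_offboarding(user_id, ticket_ref, license_sku_ids, group_ids, dual_approved):
    """Phase 2: reclaim licenses, strip group memberships, then delete the account.
    Gated on the dual approval the page says leaver runs go through."""
    ticket = _require_ticket(ticket_ref)
    if not dual_approved:
        raise PermissionError("hard offboarding requires a completed dual approval")
    ops = [_op("POST", f"{GRAPH}/users/{user_id}/assignLicense",
               {"addLicenses": [], "removeLicenses": list(license_sku_ids)}, ticket)]
    for gid in group_ids:
        ops.append(_op("DELETE", f"{GRAPH}/groups/{gid}/members/{user_id}/$ref", None, ticket))
    ops.append(_op("DELETE", f"{GRAPH}/users/{user_id}", None, ticket))
    return ops


def execute(plan, send):
    """Run a plan through a caller-supplied transport (send(op) -> HTTP status) and stop
    at the first failure, so a half-applied phase is visible rather than silently skipped."""
    results = []
    for op in plan:
        status = send(op)
        results.append((op["method"], op["url"], status))
        if status >= 400:
            break
    return results


def fake_graph(op):
    """Constructed offline transport: deleting the user object is denied (403),
    everything else succeeds (204)."""
    if op["method"] == "DELETE" and op["url"].endswith("/users/u-123"):
        return 403
    return 204
```

Splitting the phases this way matches the soft-then-hard sequence in the Leaver Agent description: the first phase removes access immediately but keeps the object, mailbox and group history intact for the dual-approval window, and only the second phase is destructive.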

Intelligent Recommendation and Decision Support

  • Peer-Group Recommendation: Analyzes the entitlements of employees in the same department and recommends permission combinations, each with a confidence level.
  • UEBA Behavior Analysis: Monitors six anomaly classes, including off-hours operations and high-frequency changes.
  • Drift Detection: Periodically compares the current state against an approved baseline to surface unauthorized changes.
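
The three capabilities above over a constructed directory snapshot and audit log, as an added example that is not JML Agent Fleet code: peer-group recommendation with a confidence figure, two of the six UEBA anomaly classes (off-hours and high-frequency changes), and drift detection that treats drift with no matching audit event as the unauthorized-change signal. The `actor|action|group|subject` log format, the working-hours window, the burst threshold and the baseline layout are assumptions.

```python
# Added example (not JML Agent Fleet code): peer-group recommendation, two of the UEBA
# anomaly classes, and drift detection over a constructed directory snapshot and audit
# log. The log format, the thresholds and the baseline/snapshot layout are assumptions.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed current snapshot: user -> (department, groups)
CURRENT = {
    "alice": ("Finance", {"M365-E3", "Finance-Readers", "AP-Invoice-Entry"}),
    "bob":   ("Finance", {"M365-E3", "Finance-Readers", "AP-Invoice-Entry", "VPN-Users"}),
    "carol": ("Finance", {"M365-E3", "Finance-Readers"}),
    "dave":  ("Finance", {"M365-E3", "Finance-Readers", "AP-Invoice-Entry", "Global-Admins"}),
    "erin":  ("Engineering", {"M365-E3", "GitHub-Users"}),
}
# Constructed approved baseline: user -> groups signed off at the last access review
BASELINE = {
    "alice": {"M365-E3", "Finance-Readers", "AP-Invoice-Entry"},
    "bob":   {"M365-E3", "Finance-Readers", "AP-Invoice-Entry"},
    "carol": {"M365-E3", "Finance-Readers", "VPN-Users"},
    "dave":  {"M365-E3", "Finance-Readers", "AP-Invoice-Entry"},
    "erin":  {"M365-E3", "GitHub-Users"},
}
# Constructed audit lines: timestamp|actor|action|group|subject
AUDIT_LOG = """\
2026-05-20T09:12:00|ops.jane|add_member|Finance-Readers|alice
2026-05-20T09:15:00|ops.jane|assign_license|M365-E3|alice
2026-05-20T23:40:00|ops.mark|add_member|Global-Admins|dave
2026-05-20T23:41:00|ops.mark|add_member|VPN-Users|bob
2026-05-20T23:42:00|ops.mark|assign_license|M365-E3|erin
2026-05-20T23:43:00|ops.mark|add_member|GitHub-Users|erin
2026-05-20T23:44:00|ops.mark|reset_password|-|erin
2026-05-21T10:00:00|ops.jane|reset_password|-|alice
"""
BUSINESS_HOURS = (8, 18)          # assumed local working window, [start, end)
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 5


def recommend_groups(department, min_confidence=0.5):
    """Groups held by at least min_confidence of the department's peers; the confidence
    figure is the share of peers holding the group."""
    peers = [groups for dept, groups in CURRENT.values() if dept == department]
    if not peers:
        return []
    counts = Counter(g for groups in peers for g in groups)
    recs = [(g, round(n / len(peers), 2)) for g, n in counts.items()
            if n / len(peers) >= min_confidence]
    return sorted(recs, key=lambda r: (-r[1], r[0]))


def parse_audit(text):
    rows = []
    for line in text.strip().splitlines():
        ts, actor, action, group, subject = line.split("|")
        rows.append((datetime.fromisoformat(ts), actor, action, group, subject))
    return rows


def ueba_findings(rows):
    """Off-hours changes and high-frequency bursts (two of the six anomaly classes)."""
    findings, by_actor = [], defaultdict(list)
    for ts, actor, _, _, _ in rows:
        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            findings.append(("off_hours", actor, ts.isoformat()))
        by_actor[actor].append(ts)
    for actor, stamps in by_actor.items():
        stamps.sort()
        for i, start in enumerate(stamps):          # sliding window over this actor's events
            if sum(1 for t in stamps[i:] if t - start <= BURST_WINDOW) >= BURST_THRESHOLD:
                findings.append(("high_frequency", actor, start.isoformat()))
                break
    return findings


def drift(baseline, current):
    """Membership differences between the approved baseline and the live snapshot."""
    report = {}
    for user in sorted(set(baseline) | set(current)):
        live = current.get(user, ("", set()))[1]
        added, removed = live - baseline.get(user, set()), baseline.get(user, set()) - live
        if added or removed:
            report[user] = {"added": sorted(added), "removed": sorted(removed)}
    return report


def unrecorded_changes(report, rows):
    """Drift with no matching audit event: the unauthorized-change signal."""
    seen = {(action, group, subject) for _, _, action, group, subject in rows}
    out = [(u, "added", g) for u, d in report.items() for g in d["added"]
           if ("add_member", g, u) not in seen]
    out += [(u, "removed", g) for u, d in report.items() for g in d["removed"]
            if ("remove_member", g, u) not in seen]
    return sorted(out)
```

On this data the two signals complement each other: dave's Global-Admins membership is in the audit trail (so it is drift that was recorded, and UEBA flags it as an off-hours burst), while carol's lost VPN-Users membership has no audit event at all, which is the change that bypassed the agents.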

Enterprise Integration and Observability

  • HRIS integration: Connects to BambooHR and other HR systems through Azure Functions, so HR events trigger workflows automatically.
  • Audit compliance: Hash-chained logs with multi-channel export (Windows Event Log, Microsoft Sentinel, etc.).
  • Notifications: Real-time alerts for key operations via Teams message cards.
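
What a hash-chained log buys and what it does not, as an added example that is not the project's code: each record's hash covers its sequence number, the previous record's hash and the event, so editing or deleting a record breaks verification at that position. The record layout and the chaining rule are assumptions. The example also shows the caveat a practitioner should keep in mind: an attacker who can rewrite every later record produces a chain that verifies locally, which is why the head hash has to be anchored in an external sink such as the Sentinel export.

```python
# Added example (not JML Agent Fleet code): a hash-chained audit log and its verifier.
# The record layout and the chaining rule (SHA-256 over the canonical JSON of
# seq + prev_hash + event) are assumptions; the project's exact format is not shown.
import hashlib
import json

GENESIS = "0" * 64


def _canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _digest(seq, prev_hash, event):
    return hashlib.sha256(_canonical({"seq": seq, "prev_hash": prev_hash, "event": event})).hexdigest()


def append_event(chain, event):
    """Append one record whose hash covers its position, the previous hash and the event."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "prev_hash": prev, "event": event,
              "hash": _digest(len(chain), prev, event)}
    chain.append(record)
    return record


def verify_chain(chain, expected_head=None):
    """Recompute every hash and every link. Returns (ok, first_bad_seq).
    expected_head is the head hash previously shipped to an external sink (e.g. Sentinel);
    comparing against it catches an attacker who rewrote the whole tail consistently."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev_hash"] != prev:
            return False, i
        if _digest(i, prev, rec["event"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def export_line(record):
    """One-line JSON suitable for a log forwarder (Windows Event Log / Sentinel ingestion)."""
    return _canonical(record).decode()


def clone(chain):
    return json.loads(json.dumps(chain))


def rechain(events):
    """Rebuild a fresh chain from a list of events (what a tail-rewriting attacker does)."""
    chain = []
    for event in events:
        append_event(chain, event)
    return chain


def build_demo_chain():
    """Constructed sample: three JML events."""
    return rechain([
        {"op": "joiner", "user": "alice", "ticketRef": "REQ-1001", "by": "ops.jane"},
        {"op": "mover", "user": "bob", "ticketRef": "REQ-1002", "by": "ops.jane"},
        {"op": "leaver", "user": "carol", "ticketRef": "INC-4711", "by": "ops.mark"},
    ])


def tamper_event(chain, seq, new_event, rehash=False):
    """Copy of the chain with record `seq` altered; rehash=True shows that fixing only
    that record's own hash still breaks the link from the next record."""
    c = clone(chain)
    c[seq]["event"] = new_event
    if rehash:
        c[seq]["hash"] = _digest(seq, c[seq]["prev_hash"], new_event)
    return c
```

The practical consequence for the export channels listed above: shipping each record to Sentinel or the Windows Event Log as it is written is not just a reporting convenience, it is what turns the chain into tamper evidence, because the receiving system holds a copy of the head hash that the local store cannot rewrite.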

Section 05

Desktop Operation Console

The project provides an Electron desktop application with the following modules:

  • Dashboard: Overview of agent health status.
  • JML Fleet: Conversational submission of JML/device registration operations.
  • Auditor: Audit log query and report generation.
  • Security: Real-time UEBA, drift detection findings, etc.
  • Exports: Storage and Sentinel export status management.
  • Approvals: Pending dual approval tokens.
  • Operations: Direct operation scheduling.
  • Access Reviews: Permission certification activity management.
  • Integrations: HRIS, notification, and other configurations.

Section 06

Practical Value and Application Prospects

Replace Traditional IGA Platforms

An open-source, AI-driven solution in place of expensive commercial software, with greater flexibility and customizability; the project aims to cover the core functions of SailPoint/Saviynt.

Reduce Operation and Maintenance Costs

The project reports that, once automated, an onboarding run drops from 30-60 minutes to a few minutes, with a significant reduction in error rates.

Enhance Security and Compliance

Built-in mechanisms like UEBA, drift detection, and SoD help meet compliance requirements such as SOX and GDPR.

Promote AI Implementation

Demonstrates LLM agents handling complex business logic, providing a practical case for AI applications in enterprise IT operations.

Section 07

Summary and Outlook

JML Agent Fleet represents the technological evolution direction of enterprise identity management: from manual → rule-based automation → AI agent-driven. Its multi-agent architecture, zero-trust design, and Microsoft ecosystem integration provide references for similar projects.

In the future, more enterprise IT management scenarios will adopt agent architectures to achieve efficient and secure operations. For enterprises looking to reduce IGA costs and improve identity management efficiency, JML Agent Fleet is an open-source solution worth trying.