# JML Agent Fleet: An Enterprise Identity Lifecycle Automation System Based on Multi-Agent Architecture

> This article introduces an open-source enterprise-level identity lifecycle automation project. Leveraging seven Claude-driven AI agents, it automates the entire Joiner/Mover/Leaver workflow and features advanced security capabilities like zero-trust architecture, UEBA behavior analysis, and drift detection. It can replace core functions of traditional IGA platforms such as SailPoint and Saviynt.

- Board: [Openclaw Llm](https://www.zingnex.cn/en/forum/board/openclaw-llm)
- Published: 2026-05-21T20:14:54.000Z
- Last activity: 2026-05-21T20:17:55.756Z
- Popularity: 154.9
- Keywords: identity lifecycle management, IGA, AI agents, Microsoft Entra ID, zero-trust architecture, UEBA, separation of duties, automated operations, enterprise security, multi-agent systems
- Page link: https://www.zingnex.cn/en/forum/thread/jml-agent-fleet
- Canonical: https://www.zingnex.cn/forum/thread/jml-agent-fleet
- Markdown source: floors_fallback

---

## JML Agent Fleet: Guide to the Enterprise Identity Lifecycle Automation System Based on Multi-Agent Architecture

The JML Agent Fleet introduced in this article is an open-source enterprise-level identity lifecycle automation project. Based on a multi-agent architecture, it uses seven Claude-driven AI agents to automate the entire Joiner/Mover/Leaver workflow. The system features advanced security capabilities like zero-trust architecture, UEBA behavior analysis, and drift detection. It can replace core functions of traditional IGA platforms such as SailPoint and Saviynt, aiming to revolutionize enterprise identity lifecycle management through automation and intelligent means.

## Project Background and Core Challenges

In modern enterprise IT environments, employee identity management involves numerous tedious operations across onboarding (Joiner), role change (Mover), and offboarding (Leaver) processes—such as account creation, license allocation, and permission management. Traditional approaches relying on manual work or expensive commercial IGA platforms (like SailPoint and Saviynt) face issues like high costs and difficulty adapting to rapid business changes.

JML Agent Fleet emerged as an open-source solution, using an AI agent architecture to automate the entire workflow while integrating enterprise-level security controls and audit mechanisms to address these challenges.

## System Architecture and Agent Design

### Multi-Agent Collaboration Architecture
The system includes seven dedicated Claude-driven AI agents:
- **Joiner Agent**: Handles new employee onboarding, creates Entra ID accounts, allocates licenses, etc.
- **Mover Agent**: Handles role changes, updates user attributes, adjusts permissions.
- **Leaver Agent**: Processes offboarding in phases (soft offboarding → hard offboarding) with dual approval.
- **Enroller Agent**: Device registration and compliance group assignment.
- **Approver Agent**: Human-machine collaborative approval, provides risk scoring and RBAC.
- **Provisioner Agent**: Application registration, disabled by default and enabled on demand.
- **Auditor Agent**: Continuous monitoring and auditing, performs UEBA, drift detection, etc.

### Zero-Trust Security Architecture
- Risk scoring engine (0-100 points): Combines baseline risk, freeze window, sensitive permissions, and other factors.
- SoD policy engine: Detects and blocks non-compliant operations via `sod-policy.json`.
- PIM for Groups: Just-in-time activation of privileged groups with time-bound membership.
- Dual approval: High-risk operations require a second operator's approval within 30 minutes.
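To make the interplay of these controls concrete, here is an added example (not the project's own code) that models the three decision gates: a 0-100 risk score combining baseline risk, a change-freeze window and sensitive permissions; a separation-of-duties check driven by a policy document in the style of `sod-policy.json`; and a dual-approval token that a second, different operator must confirm within 30 minutes. The weights, field names, threshold and policy format are assumptions for illustration.

```python
"""Added example (not the project's own code): risk score, SoD check and
dual approval. Weights, field names and the policy format are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Set
import json
import secrets

# Constructed policy document in the spirit of sod-policy.json (format assumed).
SOD_POLICY = json.loads("""
{"conflicts": [
  {"id": "SOD-001", "roles": ["AP-Invoice-Entry", "AP-Payment-Approval"],
   "reason": "Entering and approving payments must be separated"},
  {"id": "SOD-002", "roles": ["Entra-User-Admin", "Entra-Audit-Log-Admin"],
   "reason": "Account admins must not be able to edit their own audit trail"}
]}
""")

# Illustrative weights; a real engine would source these from policy.
BASELINE_RISK = {"joiner.create": 10, "mover.add_role": 25,
                 "leaver.soft_offboard": 30, "leaver.hard_offboard": 50}
SENSITIVE_ROLES = {"Entra-User-Admin", "Global-Administrator", "Exchange-Administrator"}
FREEZE_WINDOWS = [(datetime(2026, 12, 24, tzinfo=timezone.utc),
                   datetime(2026, 12, 27, tzinfo=timezone.utc))]
DUAL_APPROVAL_THRESHOLD = 60
APPROVAL_TTL = timedelta(minutes=30)

@dataclass
class ChangeRequest:
    operation: str            # e.g. "leaver.hard_offboard", "mover.add_role"
    subject: str              # user principal being changed
    requester: str            # operator submitting the change
    roles_after: Set[str]     # roles the subject would hold afterwards
    ticket_ref: Optional[str] = None
    submitted_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))

def in_freeze_window(ts):
    return any(start <= ts < end for start, end in FREEZE_WINDOWS)

def risk_score(req):
    """Combine the factors into a 0-100 score (weights are illustrative)."""
    score = BASELINE_RISK.get(req.operation, 20)
    if in_freeze_window(req.submitted_at):
        score += 25
    score += 15 * len(req.roles_after & SENSITIVE_ROLES)
    if req.operation.startswith("leaver.") and not req.ticket_ref:
        score += 20   # offboarding without a ticketRef is itself suspicious
    return min(score, 100)

def sod_violations(req, policy=SOD_POLICY):
    """IDs of every conflict rule whose full role set the subject would hold."""
    return [c["id"] for c in policy["conflicts"] if set(c["roles"]) <= req.roles_after]

def evaluate(req):
    # Block on SoD first; otherwise route by risk score.
    violations, score = sod_violations(req), risk_score(req)
    if violations:
        return {"decision": "blocked", "sod": violations, "risk": score}
    decision = "dual_approval" if score >= DUAL_APPROVAL_THRESHOLD else "auto"
    return {"decision": decision, "sod": [], "risk": score}

@dataclass
class ApprovalToken:
    token: str
    request_id: str
    first_approver: str
    issued_at: datetime

def first_approval(request_id, approver, now):
    return ApprovalToken(secrets.token_hex(16), request_id, approver, now)

def second_approval(token, approver, now):
    """The second approver must be a different operator and act within 30 minutes."""
    if approver == token.first_approver:
        return False, "second approver must differ from the first"
    if now - token.issued_at > APPROVAL_TTL:
        return False, "approval token expired"
    return True, "approved"

def demo():
    """Constructed requests exercising each path; returns decisions keyed by name."""
    t = datetime(2026, 5, 21, 10, 0, tzinfo=timezone.utc)
    reqs = {
        "sod_conflict": ChangeRequest("mover.add_role", "bob@example.com", "ops1",
                                      {"AP-Invoice-Entry", "AP-Payment-Approval"}, "REQ-1", t),
        "risky_leaver": ChangeRequest("leaver.hard_offboard", "eve@example.com", "ops1",
                                      {"Entra-User-Admin"}, None,
                                      datetime(2026, 12, 25, 10, 0, tzinfo=timezone.utc)),
        "routine_joiner": ChangeRequest("joiner.create", "new@example.com", "ops1",
                                        {"Sales-Reader"}, "REQ-2", t),
    }
    results = {name: evaluate(r) for name, r in reqs.items()}
    token = first_approval("risky_leaver", "ops1", t)
    results["same_approver"] = second_approval(token, "ops1", t + timedelta(minutes=5))[0]
    results["late_approver"] = second_approval(token, "ops2", t + timedelta(minutes=31))[0]
    results["timely_approver"] = second_approval(token, "ops2", t + timedelta(minutes=10))[0]
    return results
```

Note the ordering in `evaluate`: an SoD conflict is a hard block regardless of score, so a high-risk request cannot be "approved through" a toxic combination by two operators. The ticket requirement for offboarding is enforced as a risk factor here for brevity; a stricter implementation would reject a ticketless leaver request outright.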

## Technical Implementation and Integration Capabilities

### Deep Integration with Microsoft Graph API
Integrates with Microsoft 365/Entra ID via the Graph API, supporting account management, license allocation, group operations, session revocation, and more. Every operation carries a ticketRef for traceability; offboarding operations must be associated with a ticket.

### Intelligent Recommendation and Decision Support
- **Peer-Group Recommendation**: Analyzes configurations of employees in the same department, recommends permission combinations with confidence levels.
- **UEBA Behavior Analysis**: Monitors six anomaly types, such as off-hours operations and high-frequency changes.
- **Drift Detection**: Regularly compares current status with baselines to identify unauthorized changes.
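The three functions above share one data model (who holds which entitlements, and who did what when), so they are shown together in one added example that is not part of the project. It runs a peer-group recommendation, a drift check against an approved-change ledger, and two of the UEBA anomaly classes named above over constructed snapshots and audit events; the snapshot format, thresholds and work-hours window are assumptions.

```python
"""Added example (not the project's own code): peer-group recommendation,
drift detection and two UEBA checks over constructed data. The data model
and all thresholds are assumptions for illustration."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed entitlement snapshots: user -> (department, set of groups).
BASELINE = {
    "alice": ("finance", {"Finance-Readers", "ERP-Users"}),
    "bob":   ("finance", {"Finance-Readers", "ERP-Users", "AP-Payment-Approval"}),
    "carol": ("finance", {"Finance-Readers", "ERP-Users"}),
    "dave":  ("finance", {"Finance-Readers"}),
}
CURRENT = {
    "alice": ("finance", {"Finance-Readers", "ERP-Users", "Global-Administrator"}),
    "bob":   ("finance", {"Finance-Readers", "ERP-Users", "AP-Payment-Approval"}),
    "carol": ("finance", {"Finance-Readers"}),
    "dave":  ("finance", {"Finance-Readers", "ERP-Users"}),
}
# Changes that went through an approved, ticketed workflow: (user, group, action).
APPROVED_CHANGES = {("dave", "ERP-Users", "added")}

def peer_group_recommendation(department, snapshot, min_confidence=0.5):
    """Recommend groups held by at least `min_confidence` of the department's
    members; the confidence is the fraction of peers holding the group."""
    peers = [groups for dept, groups in snapshot.values() if dept == department]
    counts = Counter(g for groups in peers for g in groups)
    return {g: round(n / len(peers), 2) for g, n in counts.items()
            if n / len(peers) >= min_confidence}

def detect_drift(baseline, current, approved):
    """Membership changes since the baseline that no approved change explains."""
    findings = []
    for user in sorted(set(baseline) | set(current)):
        before = baseline.get(user, (None, set()))[1]
        after = current.get(user, (None, set()))[1]
        for group in sorted(after - before):
            if (user, group, "added") not in approved:
                findings.append((user, group, "added"))
        for group in sorted(before - after):
            if (user, group, "removed") not in approved:
                findings.append((user, group, "removed"))
    return findings

# Constructed audit events: (operator, UTC timestamp, operation).
EVENTS = [
    ("ops1", datetime(2026, 5, 21, 9, 5, tzinfo=timezone.utc), "mover.add_role"),
    ("ops1", datetime(2026, 5, 21, 9, 7, tzinfo=timezone.utc), "mover.add_role"),
    ("ops2", datetime(2026, 5, 21, 2, 30, tzinfo=timezone.utc), "leaver.hard_offboard"),
] + [("ops3", datetime(2026, 5, 21, 14, 0, tzinfo=timezone.utc) + timedelta(seconds=20 * i),
      "mover.add_role") for i in range(12)]

def ueba_findings(events, work_hours=(8, 19), burst_limit=10, burst_window=timedelta(minutes=5)):
    """Two of the anomaly classes: off-hours operations, and high-frequency
    changes (more than `burst_limit` operations by one operator inside
    `burst_window`, found with a sliding window over sorted timestamps)."""
    findings = []
    by_operator = defaultdict(list)
    for operator, ts, op in events:
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            findings.append(("off_hours", operator, op))
        by_operator[operator].append(ts)
    for operator, stamps in by_operator.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > burst_window:
                start += 1
            if end - start + 1 > burst_limit:
                findings.append(("high_frequency", operator,
                                 f"{end - start + 1} ops in {burst_window}"))
                break   # one finding per operator is enough for the alert
    return findings
```

The drift check treats the approved-change ledger as the source of truth: anything in the current state that the ledger does not explain is a finding, which is what distinguishes drift detection from a plain diff. Running it against live Graph API data would simply replace the two snapshot dictionaries.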

### Enterprise Integration and Observability
- HRIS integration: Connects to BambooHR and others via Azure Functions to trigger workflows automatically.
- Audit compliance: Hash-chained logs with multi-channel export (Windows Event Log, Sentinel, etc.).
- Notification mechanism: Real-time alerting for key operations via Teams message cards.
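A hash-chained audit log is what makes the exported records verifiable by whoever receives them. The following is an added example, not the project's own code, of such a log together with a verifier that reports the first entry whose chain link no longer holds; the entry fields and canonical form are assumptions.

```python
"""Added example (not the project's own code): a hash-chained audit log with
tamper detection. Entry fields and the canonical form are assumptions."""
import hashlib
import json

GENESIS = "0" * 64

def _digest(prev_hash, seq, record):
    # Canonical JSON (sorted keys, fixed separators) so the hash is reproducible
    # by any consumer; the sequence number is hashed so entries cannot be renumbered.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(f"{prev_hash}|{seq}|".encode() + payload).hexdigest()

class HashChainLog:
    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "prev_hash": prev, "record": record,
                 "hash": _digest(prev, seq, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, None) if intact, else (False, seq of the first bad entry)."""
        prev = GENESIS
        for entry in self.entries:
            if (entry["prev_hash"] != prev
                    or entry["hash"] != _digest(prev, entry["seq"], entry["record"])):
                return False, entry["seq"]
            prev = entry["hash"]
        return True, None

def build_sample_log():
    """Constructed records in the shape an agent might emit (fields assumed)."""
    log = HashChainLog()
    log.append({"agent": "joiner", "op": "create_user",
                "subject": "new.hire@example.com", "ticketRef": "REQ-1001"})
    log.append({"agent": "mover", "op": "add_group", "subject": "new.hire@example.com",
                "group": "Finance-Readers", "ticketRef": "REQ-1002"})
    log.append({"agent": "leaver", "op": "revoke_sessions",
                "subject": "old.hand@example.com", "ticketRef": "REQ-1003"})
    return log

def tamper_demo():
    """Edit a stored record in place; the entry's own hash no longer matches."""
    log = build_sample_log()
    log.entries[1]["record"]["subject"] = "someone.else@example.com"
    return log.verify()            # (False, 1)

def rehash_demo():
    """Edit a record and recompute its hash; the next entry's prev_hash exposes it."""
    log = build_sample_log()
    e = log.entries[1]
    e["record"]["subject"] = "someone.else@example.com"
    e["hash"] = _digest(e["prev_hash"], e["seq"], e["record"])
    return log.verify()            # (False, 2)
```

The second demo is the important one: recomputing a single entry's hash is not enough, because every later entry commits to the previous hash, so an edit anywhere short of rewriting the whole tail is detectable. Exporting the running hash to an external sink (the page mentions Windows Event Log and Sentinel) is what stops an attacker from rewriting that tail as well.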

## Desktop Operation Console

The project provides an Electron desktop application with the following modules:
- Dashboard: Overview of agent health status.
- JML Fleet: Conversational submission of JML/device registration operations.
- Auditor: Audit log query and report generation.
- Security: Real-time UEBA, drift detection findings, etc.
- Exports: Storage and Sentinel export status management.
- Approvals: Pending dual approval tokens.
- Operations: Direct operation scheduling.
- Access Reviews: Permission certification activity management.
- Integrations: HRIS, notification, and other configurations.

## Practical Value and Application Prospects

### Replace Traditional IGA Platforms
The open-source AI solution replaces expensive commercial software, offering greater flexibility and customizability, and can implement core functions of SailPoint/Saviynt.

### Reduce Operation and Maintenance Costs
After automation, onboarding processes are shortened from 30-60 minutes to a few minutes, with a significant reduction in error rates.

### Enhance Security and Compliance
Built-in mechanisms like UEBA, drift detection, and SoD help meet compliance requirements such as SOX and GDPR.

### Promote AI Implementation
Proves that LLMs can handle complex business logic, providing a practical case for AI applications in enterprise IT operations.

## Summary and Outlook

JML Agent Fleet represents the technological evolution direction of enterprise identity management: from manual → rule-based automation → AI agent-driven. Its multi-agent architecture, zero-trust design, and Microsoft ecosystem integration provide references for similar projects.

In the future, more enterprise IT management scenarios will adopt agent architectures to achieve efficient and secure operations. For enterprises looking to reduce IGA costs and improve identity management efficiency, JML Agent Fleet is an open-source solution worth trying.
