AI-Powered Permissioning: From One Week to One Hour for Healthcare Data Access
How AI agents replaced a fragmented access control system with continuous, HIPAA-compliant permissioning
Tony Zeljkovic
2026-04-27
- Industry: Healthcare
- Duration: ~1 quarter
- Team: Narona Data consultants
- Stack: Snowflake, AI agents, Slack, Linear, Microsoft Entra ID (identity governance), infrastructure-as-code
- Key Results: Credentialing time from 1 week → 1 hour | 80% reduction in overprovisioning | 75% Snowflake requests auto-approved
Executive Summary
A healthcare company's data platform was expanding rapidly — more users, more assets, more AI-powered use cases — but its permissioning system couldn't keep pace. Access requests traveled through Slack, Linear, legal review, and a brittle infrastructure-as-code pipeline that took a week to resolve. Nobody could confidently answer who had access to what, or whether that access was still justified.
Narona Data replaced this fragmented process with a fully AI-powered permissioning system in one quarter. Agentic scanners continuously classified PHI across thousands of assets while automated credentialing — backed by Microsoft Entra ID for identity governance — reduced access provisioning from one week to one hour. Overprovisioning dropped 80%, and 75% of Snowflake access requests became auto-approved — strengthening HIPAA compliance and aligning the organization with NIST zero-trust and least-privilege principles.
Situation
A healthcare company was scaling its data platform aggressively. Hundreds of users — data engineers, analysts, service accounts, and business users building AI-powered applications — needed access to thousands of data assets across warehouses, dashboards, external reports, and data products.
The existing access control infrastructure had grown organically through several generations:
- Credentialing happened via Slack messages to the data platform team
- Authorization decisions were tracked in Linear tickets routed through legal review
- Provisioning was executed through a complex infrastructure-as-code system
Each step required manual intervention. A new user or service account took approximately one week from request to working access.
Complication
Three forces made the status quo unsustainable:
Rapid expansion of AI use cases. The data platform team was supporting a wave of agentic projects for business users alongside traditional software development. Every new project meant new service accounts, new data access patterns, and new compliance questions.
HIPAA exposure from stale permissions. With no automated way to track what users and service accounts were actually querying, permissions accumulated — violating the principle of least privilege central to both HIPAA's access-control requirements and NIST SP 800-53 (AC-6). Former project members retained access indefinitely. Service accounts from completed initiatives stayed provisioned. The blast radius of a credential compromise grew wider each month.
Manual processes that couldn't scale. The platform team was spending disproportionate time on access administration rather than building. Legal review created bottlenecks. The infrastructure-as-code provisioning layer was slow, error-prone, and opaque to the requesters waiting on it.
Resolution
Narona Data delivered an end-to-end AI-powered permissioning system across one quarter, replacing every manual step with automated, policy-driven workflows.
1. PHI Classification Engine
The foundation was a comprehensive scanning system that continuously classified data sensitivity across the entire estate:
- Scope: Thousands of assets and hundreds of thousands of columns across data warehouses, data products, communications, dashboards, external reports, and metadata
- Method: A fully BAA/HIPAA-compliant agentic system that reads data and metadata, labeling PHI and potential PHI automatically
- Policy: Strict, code-defined rules for what constitutes HIPAA-protected data — legal policy definitions lived in version-controlled code, not in tribal knowledge, creating the auditable control baseline that HIPAA and SOC 2 auditors expect
The scanner ran continuously, keeping classification in sync as new tables, columns, and data products appeared.
2. Automated Credentialing and Provisioning
With classification in place, the system could make access decisions automatically:
- Business rules as code: Role-based access policies defined which roles, teams, and project types qualified for which sensitivity tiers — enforcing NIST-aligned, role-based access control (RBAC)
- Identity governance: Integrated with Microsoft Entra ID to map users, service accounts, and groups to their organizational context, leveraging Entra's lifecycle automation for joiner-mover-leaver events
- Automated ticketing: Requests flowed through Slack and Linear without manual routing — the system determined approval paths based on data classification and requester credentials
- Auto-approval: Requests that met policy criteria were approved and provisioned without human intervention — moving Snowflake auto-approval from 0% to 75%
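A toy version of the policy-as-code decision path described in this section, added here as an illustration and not taken from Narona Data's system: the tier names, role ceilings, project types and the Entra ID verification flag are all assumed inputs.

```python
from dataclasses import dataclass
from enum import Enum

class Tier(Enum):
    """Sensitivity tier assigned by the classification scanner (names assumed)."""
    PUBLIC = 0          # no PHI found
    POTENTIAL_PHI = 1   # scanner flagged possible PHI
    PHI = 2             # confirmed PHI

# Assumed policy table: the highest tier each role may be auto-granted.
# In the real system this table would live in version-controlled code.
ROLE_CEILING = {
    "data_engineer": Tier.PHI,
    "analyst": Tier.POTENTIAL_PHI,
    "business_user": Tier.PUBLIC,
    "svc_etl": Tier.PHI,          # service account used by pipelines
}

# Assumed: only these project types may be auto-approved for confirmed PHI.
PHI_PROJECT_TYPES = {"clinical_ops", "billing"}

@dataclass(frozen=True)
class Request:
    requester: str
    role: str
    project_type: str
    asset: str
    asset_tier: Tier
    entra_verified: bool   # requester and group membership confirmed in Entra ID

def decide(req: Request) -> str:
    """Map a request to 'auto_approve', 'legal_review' or 'deny'."""
    # Unknown identity or role: fail closed rather than guessing.
    if not req.entra_verified or req.role not in ROLE_CEILING:
        return "deny"
    if req.asset_tier.value > ROLE_CEILING[req.role].value:
        return "deny"
    if req.asset_tier is Tier.PHI and req.project_type not in PHI_PROJECT_TYPES:
        # Role qualifies but the project does not: escalate to legal review.
        return "legal_review"
    return "auto_approve"

def auto_approval_rate(requests) -> float:
    """Share of requests resolved without human intervention (0.0..1.0)."""
    decisions = [decide(r) for r in requests]
    return decisions.count("auto_approve") / len(decisions) if decisions else 0.0
```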
3. Continuous Least-Privilege Enforcement
The system didn't just grant access — it actively pruned it, operationalizing the zero-trust principle of "never trust, always verify" (NIST SP 800-207):
- Usage monitoring agents: AI agents continuously analyzed what service accounts and users were actively querying, identifying dormant permissions — including machine identities, which NIST SP 800-53 AC-6 explicitly scopes into least-privilege requirements
- Automated deprovisioning: Unused access was flagged and revoked according to policy, replacing quarterly manual reviews with continuous enforcement
- Continuous reconciliation: As teams shifted, projects ended, and roles changed, permissions automatically adjusted — maintaining the auditable access lifecycle that HIPAA and SOC 2 controls require
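An added illustration of the dormancy check this section describes, not code from Narona Data's deployment: the grant list and access-history records are constructed inline (not a real Snowflake export), and the 30-day window, the reference date and the Entra ID active flag are assumed policy inputs.

```python
from datetime import date, timedelta

DORMANT_DAYS = 30              # assumed policy: revoke grants unused for 30 days
AS_OF = date(2026, 4, 27)      # assumed "today" for the sample run

# Constructed sample grants: (principal, asset, date granted, active in Entra ID)
GRANTS = [
    ("alice",   "PHI_DB.CLAIMS",     date(2026, 1, 10), True),
    ("bob",     "PHI_DB.CLAIMS",     date(2026, 1, 10), True),
    ("svc_etl", "PHI_DB.ENCOUNTERS", date(2025, 11, 1), True),
    ("carol",   "ANALYTICS.DASH",    date(2025, 12, 1), False),  # leaver
    ("dave",    "PHI_DB.CLAIMS",     date(2026, 4, 20), True),   # granted recently
]

# Constructed access-history records: (principal, asset, date of a query)
ACCESS_LOG = [
    ("alice",   "PHI_DB.CLAIMS",     date(2026, 4, 25)),
    ("bob",     "PHI_DB.CLAIMS",     date(2026, 2, 1)),
    ("svc_etl", "PHI_DB.ENCOUNTERS", date(2026, 4, 26)),
]

def last_use(access_log):
    """Most recent access date per (principal, asset) pair."""
    seen = {}
    for principal, asset, when in access_log:
        key = (principal, asset)
        if key not in seen or when > seen[key]:
            seen[key] = when
    return seen

def revocations(grants, access_log, today):
    """Return [(principal, asset, reason)] for grants that policy says to revoke."""
    recent = last_use(access_log)
    cutoff = today - timedelta(days=DORMANT_DAYS)
    out = []
    for principal, asset, granted_at, active in grants:
        if not active:
            out.append((principal, asset, "identity disabled in Entra ID"))
            continue
        # Grants younger than the window get a grace period before pruning.
        if granted_at > cutoff:
            continue
        used = recent.get((principal, asset))
        if used is None or used < cutoff:
            out.append((principal, asset, f"no queries in {DORMANT_DAYS} days"))
    return out
```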
Results
| Metric | Before | After | Impact |
|---|---|---|---|
| Credentialing time | ~1 week | 1 hour | Platform team unblocked from access administration |
| Overprovisioning | Unchecked accumulation | 80% reduction | HIPAA blast radius dramatically reduced |
| Snowflake auto-approval | 0% | 75% | Most requests resolved without human intervention |
| Asset scanning coverage | Manual, incomplete | Thousands of assets, hundreds of thousands of columns | Complete visibility into PHI exposure |
| Policy definition | Tribal knowledge + legal review | Legal policies defined in code | Auditable, version-controlled — aligned with SOC 2 and HIPAA control requirements |
What the System Replaced
The permissioning system eliminated an entire category of manual work:
- No more Slack-based access requests requiring platform team triage
- No more Linear ticket routing through legal for standard cases
- No more waiting for infrastructure-as-code deployments to propagate
- No more quarterly access reviews discovering months of permission drift
Primary Users
The data platform team — responsible for supporting rapid agentic projects for business users and traditional software developers — went from spending significant time on access administration to operating a self-healing system that required intervention only for edge cases.
Ready to Talk?
Struggling with data access that can't keep up with your team's growth? Narona Data builds AI-powered governance systems that scale with you — not against you.