AI Assistant Overview¶
Section: AI Assistant | Article 27
Audience: System Administrators, All Users
Last Updated: 2026-04-07
Overview¶
The RP-PAM AI Assistant is an optional module that adds natural-language interaction, intelligent risk scoring, and anomaly detection to your privileged access management workflow. It is available with Enterprise and MSP licence tiers.
What the AI Assistant Does¶
Natural-Language Access Requests¶
Instead of navigating menus, users can type requests in plain language:
"I need access to the production database for 2 hours to investigate the slow query reported in JIRA-4521."
The AI parses the request, identifies the resource, duration, and justification, and submits a structured access request on the user's behalf. The user confirms before submission.
Risk Scoring¶
When an access request is submitted, the AI evaluates it against historical patterns and assigns a risk score:
| Score | Level | Meaning |
|---|---|---|
| 0-30 | Low | Request matches normal patterns for this user and resource |
| 31-60 | Medium | Some deviation from normal -- approver should review carefully |
| 61-80 | High | Significant deviation -- request may be unusual for this user |
| 81-100 | Critical | Highly anomalous -- possible compromised account or policy violation |
Risk scores are displayed in the approval queue to help approvers make informed decisions.
Anomaly Detection¶
The AI continuously analyses access patterns and flags anomalies:
- A user requesting access to a resource they have never accessed before
- Requests at unusual times (e.g., 3 AM for a user who normally works 9-5)
- Sudden increase in request frequency
- Requests for higher-privilege resources than the user's normal pattern
Anomalies appear as alerts on the admin dashboard.
Conversational Queries¶
Administrators can ask the AI questions about the system:
"Show me all access requests by jsmith in the last 30 days."
"Which users have the most denied requests this month?"
"Are there any unusual access patterns this week?"
Supported AI Providers¶
RP-PAM supports four AI providers. You can use one provider or combine them.
| Provider | Embedding Support | Completion Support | Data Leaves Network? | Setup Guide |
|---|---|---|---|---|
| OpenAI | Yes | Yes | Yes (cloud API) | Article 28 |
| Anthropic | No | Yes | Yes (cloud API) | Article 29 |
| xAI | Yes | Yes | Yes (cloud API) | Article 30 |
| Ollama | Yes | Yes | No (self-hosted) | Article 31 |
Embedding vs. Completion¶
| Capability | Purpose | Required For |
|---|---|---|
| Embedding | Converts text into numerical vectors for similarity search (RAG) | Anomaly detection, conversational queries, risk scoring |
| Completion | Generates natural-language responses | Natural-language requests, conversational queries |
Note: Anthropic does not offer a standalone embedding API. If you use Anthropic for completions, pair it with Ollama or OpenAI for embeddings.
Licence Requirement¶
| Licence Tier | AI Available? |
|---|---|
| Standard | No |
| Enterprise | Yes |
| MSP | Yes |
If you have a Standard licence, the AI Assistant menu items are hidden in the portal and the AI API endpoints return 403 Forbidden.
Privacy Considerations¶
Cloud Providers (OpenAI, Anthropic, xAI)¶
When using a cloud provider: - Access request text, justifications, and user metadata are sent to the provider's API for processing. - No vault credentials, passwords, or encryption keys are ever sent. - Data is sent over TLS-encrypted connections. - Review the provider's data retention and privacy policies.
Self-Hosted (Ollama)¶
When using Ollama: - No data leaves your network. All AI processing happens on your own hardware. - Ollama runs the model locally; there are no external API calls. - This is the recommended choice for air-gapped or highly regulated environments.
Architecture¶
User ──► RP-PAM Portal ──► AI Module ──► Provider (OpenAI / Anthropic / xAI / Ollama)
│
├─ Embedding: text → vector (stored in local vector DB)
└─ Completion: prompt → response (streamed to user)
The AI module: 1. Receives requests from the portal or API. 2. Constructs a prompt including relevant context (user history, resource metadata, policy rules). 3. Sends the prompt to the configured provider. 4. Returns the response to the user. 5. For embeddings, stores the resulting vectors locally in the RP-PAM database for future similarity queries.
Configuration Summary¶
The ai section in rppam.config controls the AI module:
{
"ai": {
"enabled": true,
"provider": "openai",
"apiKeyVaultKey": "ai-api-key",
"embeddingModel": "text-embedding-3-small",
"completionModel": "gpt-4o",
"embeddingDimension": 1536,
"maxTokens": 4096,
"temperature": 0.3,
"riskScoring": {
"enabled": true,
"threshold": 60
},
"anomalyDetection": {
"enabled": true,
"lookbackDays": 90
}
}
}
For provider-specific setup, see the dedicated articles: - OpenAI Setup - Anthropic Setup - xAI Setup - Ollama Setup
Troubleshooting¶
| Problem | Cause | Solution |
|---|---|---|
| AI menu not visible in portal | Standard licence or ai.enabled is false |
Verify Enterprise/MSP licence; set ai.enabled to true |
| "AI module unhealthy" in dashboard | Cannot reach the AI provider | Check network connectivity, API key validity, and provider status |
| Risk scores always show 0 | Not enough historical data | Risk scoring improves over time; allow 2-4 weeks of data collection |
| Slow AI responses | Large model or slow network to cloud provider | Use a smaller model, or switch to Ollama for local processing |
| "Embedding model not configured" | Provider does not support embeddings (Anthropic) | Add a secondary provider for embeddings (Ollama or OpenAI) |
| Anomaly alerts too frequent | Threshold too sensitive | Increase riskScoring.threshold or adjust anomalyDetection.lookbackDays |
Next Steps¶
- AI Setup with OpenAI -- Configure OpenAI as your AI provider
- AI Setup with Anthropic -- Configure Anthropic (Claude)
- AI Setup with xAI -- Configure xAI (Grok)
- AI Setup with Ollama -- Self-hosted AI with no data leaving your network
RP-PAM v1.0.0 -- Copyright 2026 Ravenphyre. All rights reserved.