Home About Contact LinkedIn
All work
Enterprise SaaS AI Workflow

Simplifying Enterprise Access Requests with AI

Getting tens of thousands of employees to trust an AI agent making access decisions on their behalf is a harder design problem than building the agent itself. This case study is about that design challenge — how we replaced a fragmented, manual access request process with an agentic workflow that felt trustworthy, transparent, and faster. The AI handles the research and synthesis. Humans retain the final call. And the experience was designed so users could tell the difference.

Role Lead Product Designer
Platform Enterprise Web
Tools Figma, FigJam, Paper
Scope Enterprise-scale

The App

Say what you need.
The AI handles the rest.

One conversation replaces a multi-day, multi-tool request process.

1
Describe intent
Plain language — "I need access to collaboration tools." No group names to guess.
2
AI synthesises
Matches policy, resolves the right group, and assesses risk automatically.
3
One decision
Approver gets a single synthesised card — approve or decline, with supporting research surfaced on demand.
Access granted
Provisioned as soon as it's approved — manual or automated — down from multi-day cycles.

Transforming the access experience at enterprise scale

Significant reduction

in effort across requesters and approvers

Hours reclaimed

per user, per week

Zero

Manual data-gathering steps — replaced by agent-led summaries


What is Active Directory Search?

Active Directory (AD) is the identity and access management system — controlling who can access which tools, systems, and environments. Before this project, getting access to anything required navigating a fragmented, manual process that consumed hours of engineering time every week.

The transformation shifted the system from technical searching to intent-based fulfilment: instead of users manually browsing security groups, an AI agent understands what access is needed and orchestrates the approval workflow automatically.


A global collaboration across disciplines

Engineering

Lead Engineer

Product

Product Managers

Risk & Governance

Risk Managers


Navigating the hard conversations

On security

The biggest challenge wasn't designing the AI — it was earning the right to ship it. Security stakeholders had a legitimate concern: what happens when the agent gets it wrong? What if access is granted to the wrong person, or an approver rubber-stamps a recommendation without scrutiny?

Rather than defending the AI, I designed around the fear. Every concern they raised became a design constraint — the Approval Card was built to make approver scrutiny easier, not optional. Human override wasn't a fallback; it was the centrepiece. By the end of the session, the design was answering their questions before they asked them.

On engineering prioritisation

Getting engineering commitment was a different problem. Senior leadership and engineering teams were misaligned on AI priorities, and this project was competing against existing delivery commitments. Rather than escalating the disagreement, I reframed the ask — instead of requesting engineering resource for a full build, I proposed a focused proof of concept on AD Search specifically. Something tangible, scoped, and demonstrable to the wider organisation.

It landed. Leadership saw the potential immediately. Engineering had enough confidence to commit. The security doubts didn't disappear — but they became design inputs rather than blockers.


The "Tax" on Innovation: Manual Governance at Scale

Every access request was a multi-step, manual process that created friction for requesters and approvers alike. The system wasn't just slow — it was broken in three compounding ways.

Fragmented Context

Approvers were forced to navigate multiple security dashboards to gather information needed to make a single access decision. Context lived everywhere — and nowhere.

Cognitive Overload

All requests were treated equally regardless of risk level. Low-risk routine requests received the same scrutiny as high-risk system access, creating unnecessary bottlenecks for everyone.

Deployment Friction

Access delays directly impacted user velocity. Multi-day waits for access approvals meant users couldn't ship. The people-tax on innovation was measurable and growing.


How might we create a seamless experience without compromising security?

The core design challenge: build an experience that feels effortless for users, while maintaining the rigorous security and regulatory standards requires. Speed and compliance aren't opposites — they just hadn't been designed together yet.

The Trust Gap

The legacy AD Search lacked modern design credibility. Users didn't trust the system to get it right, leading to manual verification loops that added even more time.

The Key Pain Point

Users were "guessing" through security groups, increasing error risk. Without intelligent search, finding the right access group was trial and error.

Validating Assumptions

Research revealed the 7-day delays stemmed from communication gaps, not technical limitations. The bottleneck was human coordination, not system capability.

Global brainstorming across regions globally surfaced many potential solutions. Through internal voting and structured ideation, conversational AI was identified as the highest-impact approach — shifting the burden from the user to the system.

Design decisions were validated at each stage through behavioural signals and productivity data — not just post-launch surveys. Prototype testing tracked intent interpretation and approver decision time, ensuring the AI agent was reducing cognitive load in practice, not just in principle.

Validation — indicative signals across design phases

Baseline · legacy system
Users frequently spent significant time navigating fragmented systems to complete a single access request.
Before Qualitative research
Prototype testing · design phase
Strong intent accuracy
Intent interpretation accuracy tested well in moderated sessions — participants described access needs in natural language and the agent consistently mapped to the correct group.

Fast decision time
Approver decision time dropped significantly in prototype sessions — the synthesised Approval Card eliminated the need to open external dashboards.
Prototype sessions Moderated testing
Post-launch · live system
Significant
Combined reduction in time spent by both requesters and approvers — the only hard metric formally captured at launch.

Hours saved
Reported time savings per user per week across the organisation.
After Launch metrics

Baseline and prototype signals are qualitative — drawn from user interviews across seniority levels and moderated testing sessions. Post-launch figures are the formally measured outcomes captured at time of delivery.


AI Agents replacing manual AD requests with intelligent orchestration

The core strategy: replace the legacy manual process with AI Agents operating under a "Human-in-the-loop" framework. Intelligence handles the research and synthesis; humans retain final approval authority. Security is maintained, but the cognitive burden shifts to the machine.

AI agent orchestration blueprint — hand-drawn sketch

To map where AI replaced human effort, I blueprinted the end-to-end workflow across all actors and stages.

Intent-Based Workflows

Shifted from form-filling to conversational interaction. Users describe what they need in natural language; the AI translates intent into the correct access request automatically.

Agentic Data Synthesis

AI agents proactively verify permissions and synthesise risk signals from multiple sources into a single "Approval Card" — giving approvers everything they need in one view.

User-Centric Guardrails

Transparent UX kept users informed of request status at every stage. Security wasn't hidden — it was made legible, building trust in the automated process.


AI interaction models considered

Before landing on a conversational AI agent, we pressure-tested three alternative directions. Each solved a surface-level problem but left the core intent gap — and approver burden — untouched.

Ruled out
Enhanced form with smart suggestions
Upgrade the existing AD Search form with autocomplete, inline recommendations, and a simplified field set.

Why we ruled it out
Still required users to know what they were searching for — the core problem remained
Autocomplete helps with known terms; users often didn't know the correct group names
Didn't reduce approver burden — decisions still required manual context gathering
Ruled out
Guided wizard flow
A multi-step wizard asking structured questions to route the user to the right access group via decision tree.

Why we ruled it out
Decision tree logic couldn't handle the complexity of thousands of security groups
High maintenance overhead — every new group or policy required wizard updates
Still required the user to understand their own access needs — the intent gap persisted
Ruled out
Self-service catalogue
A searchable catalogue of pre-approved access packages, allowing users to browse and self-select.

Why we ruled it out
Browsing thousands of groups was the original problem — a catalogue didn't solve discoverability
Pre-packaged bundles created shadow IT risk — users would over-request to avoid repeat requests
Approvers still lacked synthesised context — decision quality didn't improve
Chosen solution
Conversational AI with agentic data synthesis
Users describe what they need in natural language. An AI agent translates intent into the correct access request, proactively gathers risk context from multiple sources, and surfaces a single Approval Card — giving approvers everything they need in one view.
Why it won
Solves the intent gap — users describe a goal, not a group name
Shifts cognitive burden from human to agent — approvers decide, they don't research
Scales without maintenance — LLM handles new groups and policies without rule updates
Human-in-the-loop preserved — final approval always requires human sign-off

Designing for trust

The core design challenge wasn't conversational AI — it was making automated decision-making feel legible to the people affected by it. Three principles guided every interaction decision.

01
Explainability over efficiency
The AI agent could synthesise access decisions faster without showing its reasoning — but users needed to understand why a recommendation was made to trust it.

Design response
Every Approval Card surfaces the risk signals the agent evaluated — not just the conclusion. Approvers see what the AI saw before deciding.
02
Graceful human override
Any approval step could be escalated or rejected without friction. The design never trapped users inside an AI decision path — exits were always visible and always one step away.

Design response
Override actions were treated as first-class interactions, not edge cases. Escalate and reject sat beside Approve, not buried in menus.
03
Transparent failure states
When the agent lacked confidence or hit an edge case, it said so explicitly rather than presenting a low-confidence result as fact. Uncertainty was surfaced, not hidden.

Design response
"I'm not certain which group applies here — here are three options with confidence levels" was a designed state, not an error.
AI vs human responsibility boundary — by task type
AI handles autonomously
Human retains control
Intent interpretation — translating natural language to access group
Final approval or rejection of the access request
Risk data synthesis — aggregating signals from multiple security systems
Escalation decisions on high-risk or ambiguous requests
Status tracking — notifying requesters of progress at each stage
Policy exceptions and override justifications

From blank form to guided conversation

The legacy Active Directory search asked users to name a group they'd never heard of. The redesigned experience starts from intent — and hands approvers a synthesised summary instead of a raw string.

Requester experience

Before
1
Guess the exact group name
Had to know a directory string they'd never heard of — intent couldn't be described.
2
Fill a blank form
Access type and justification, with no guidance on what was valid.
3
Submit and wait
Multi-day delays from back-and-forth between requester and approver.
Needs prior knowledgeNo guidanceDays of waiting
After
1
Describe intent in plain language
"I need access to collaboration tools." No group names required.
2
AI resolves everything
Matches policy, finds the right group, and assesses risk automatically.
3
Confirm once
A single confirmation — access provisioned in ~2 hours.
Zero prior knowledgeGuidedSame-day

Approver experience

Before
1
Receives a raw string
A group code and a one-line justification — no synthesised context.
2
Opens three dashboards
Gathers risk and policy data manually across separate tools.
3
Decides with gaps
Approves on an incomplete picture, or stalls to chase more detail.
No synthesisManual researchSlow
After
1
Gets a synthesised Approval Card
Risk summary, policy match, and a recommended action in one place.
2
Nothing to gather
The AI has already done the research the approver used to do by hand.
3
One decision
Approve or decline — auto-routed, with a full audit trail.
Full contextOne click~2 hour turnaround

Transforming the access experience at enterprise scale

Significant reduction

in effort across requesters and approvers

Hours reclaimed

per user, per week

Zero

Manual data-gathering steps — replaced by agent-led summaries

By transforming a legacy bottleneck into a high-velocity technology backbone using governance-by-design principles, the access management process went from a week-long ordeal to a frictionless, AI-assisted workflow. Users spend their time building — not waiting.


Beyond the metrics — what it unlocked

A pattern, not just a product
The intent-based request flow and synthesised Request & Approval Card established by this project were designed as reusable components from the outset — not one-off solutions. The interaction model was documented as a reusable standard, intended to be adopted by other workflow teams without redesigning from scratch. At the time of handover, conversations were already underway to apply the same pattern to adjacent approval workflows.
Interaction model documented as a reusable standard
The conversational AI + Approval Card pattern was documented as a reusable component — giving other teams a defined starting point for agentic workflow design rather than solving the trust and transparency problem from scratch.
Design system contribution
Adjacent workflows identified for adoption
Software licence provisioning, environment access, and vendor onboarding were identified as natural candidates for the same pattern at time of project handover — with the access management case study as the reference implementation.
Identified at handover

Let's build great things together