The AI-Native Reasoning Layer for Identity Security

Nikhil Sharma Head of Advanced Products & TOTAL
Sohil Apte Head of TOTAL Engineering
April 2026

Abstract

TOTAL is the first AI reasoning engine identity security has ever had. Where the industry reduces an identity to static attributes and a threat to an opaque score, TOTAL is AI-native end to end: it discovers and contextualizes the enterprise through agentic workflows, clusters every human and non-human identity into a behavioral shadow org chart, trains a generative Persona that forecasts each identity's next action, and reasons over latent intent to predict threats before they occur. This paper details the reasoning layer end to end, and the models and objectives behind each stage.


IContext Layer

Agentic onboarding on day one. A business context that never stops growing.

Connecting a new data source normally takes weeks of hand-mapping every field. TOTAL Data Discovery deploys an agentic workflow that spawns a fleet of subagents to traverse the environment, profile every schema, and resolve each source into a canonical event model in a single autonomous run, crawling active directories, event logs, and auth systems simultaneously, inside the network and never reaching out. Each subagent interrogates field distributions, detects semantic drift across tenants, and stress-tests its own proposed mappings against held-out data before committing. TOTAL will not ship a mapping it cannot prove. Each agent maps with full environmental context rather than isolated field samples, so the resulting model understands not just what a field is, but what it means inside your environment.

Then it never stops learning. Generic systems know historic attack patterns but nothing about you: not your initiatives, your processes, or your lexicon. So TOTAL builds that context itself, a dynamic, vectorized RAG layer that converts raw business context into application-tuned embeddings the reasoning agents act on. It is a data flywheel: the corpus compounds with every interaction until the system understands the business as deeply as anyone inside it.

logs events IAM HR SaaS EDR VPN TOTAL agent fleet · data discovery orchestrator schema profiler validator held-out proof canonicalevent model vectorizedRAG corpus Context Layer data mappings org context threat vectors

Fig. 1 — Raw, unstructured enterprise signal funnels into the TOTAL agent fleet, which profiles every source into a canonical model and a vectorized corpus. The corpus compounds with use, a data flywheel reasoning agents draw on.

IIBehavioral Clustering

A shadow org chart of every identity, human and machine, built from what they actually do.

The org chart is fiction. Behavioral Clustering models how the enterprise actually works. It assembles a multi-layer knowledge graph of identity, access, communication, and behavioral signal, then runs an agentic clustering workflow over it: reasoning agents hypothesize candidate clusters, interrogate the graph to confirm or reject each, and refine them coarse-to-fine across the full behavioral record. Every identity lands in the cluster its behavior places it in, by routine, function, initiative, and risk, and clusters re-form as behavior shifts.

The result is a shadow org chart: the real structure of how the enterprise operates, and the baseline every decision is measured against. A behavior is only suspicious relative to its peer group, and TOTAL derives those peer groups from behavior, not the directory.

directory hierarchy exec eng sales ops TOTAL agent fleet · clustering knowledge graph cluster agents hypothesize, verify, refine, prune critic shadow org chart launch task force month-end finance off-hours ops M&A workstream

Fig. 2 — The directory's rigid hierarchy goes in; the TOTAL agent fleet hypothesizes, verifies, and prunes clusters over a knowledge graph; out comes the shadow org chart, behavioral cohorts that cut clean across the org tree.

IIIGenerative Personas

A behavioral foundation model for every identity, at the core of every risk decision.

Identity, as the industry defines it, is static: a title, a department, a group, frozen the day it was written. TOTAL's Generative Persona AI does the opposite. For every identity it trains a behavioral foundation model that fuses entitlement graphs, access traces, device and network posture, and communication semantics into one representation, learned self-supervised over the identity's own event stream and encoded with state-space sequence models.

Because it is trained on a next-action prediction objective, it does not merely describe behavior, it forecasts it, anticipating the next step and flagging the instant a trajectory bends the wrong way.

A behavioral baseline tells you what already happened. A Persona predicts an identity's next move before they make it.

entitlements access comms device TOTAL Generative Persona AI Persona agentqueries live signal behavioral event stream eₜ state-space encoder h₋ hₜ h₊ generative head observed now predicted next move

Fig. 3 — A Persona agent queries live enterprise signal; a state-space encoder tracks the resulting event stream over time; a generative head predicts the identity's next move, flagging the instant it bends wrong.

IVNon-Human Personas

A behavioral model for every machine identity, and a stewardship graph of who owns what.

Non-human identities now outnumber humans and multiply at machine speed: agents acquire permissions at runtime, spawn sub-agents, and mint ephemeral credentials faster than any team can track. TOTAL's Non-Human Persona AI analyzes the whole population at machine speed. Graph agents continuously discover every service account, workload identity, bot, and AI agent, resolve them through entity resolution into a unified identity graph, and reconstruct each delegation chain, from a subagent's spec to the accounts it spawns back to the human principal who authorized it.

The result is a stewardship graph: every non-human identity mapped to its human owner. For each machine identity TOTAL learns a behavioral embedding and clusters it against its peers; graph neural reasoning then monitors the population continuously, so the moment one drifts off its embedding, a service account reaching past its scope or an agent calling outside its mandate, the anomaly propagates across the graph and surfaces in real time.

cloud SaaS CI/CD directory TOTAL discovery agents · scan agentic, machine speed NHIs stewardship graph owners access directory graph data store control plane human owner machine identity (NHI) TOTAL NHI analysis AI · drift monitor behavioral embedding · peer baseline peer cluster drift

Fig. 4 — Discovery agents scan the environment and surface every non-human identity at machine speed; entity resolution maps each one to its human owner and its access in a stewardship graph; and an analysis AI learns each identity's behavioral embedding, flagging the one that drifts off its peer baseline.

VHuman-Machine Intent

Inferring the latent intent behind every human-machine interaction.

The intent behind a non-human identity is a black box. You can see that a service account ran or an agent fired, but never why. And that blind spot is getting harder to ignore. The old security model was built on a simple assumption: one human, one identity, one scope of harm. Monitoring the person was enough because the person was the boundary. That assumption is gone. A single employee today can own dozens of AI agents, each of which can spawn subagents of their own, chain tool calls across systems, and take actions at a scale and speed no human could supervise in real time. The human is no longer the atomic unit of risk. The intent graph they sit at the top of is.

Threat models that haven't caught up are measuring the wrong thing. Watching what a service account does tells you nothing if you don't know who controls it, what they intended it for, and whether that intent has changed. The stewardship relationship is where the risk actually lives, and it is invisible to every tool that treats non-human identities as infrastructure rather than extensions of human will.

TOTAL closes that gap. Rather than alerting on behavior in isolation, it infers the latent intent behind every identity's actions, reasoning jointly across personas and the stewardship graph that binds them. That inference is held as a probabilistic belief, not a threshold trigger. Every new event arrives as evidence, shifting the posterior, tightening or loosening suspicion in proportion to what the data actually supports. The result is a live belief graph across every human and non-human actor in the environment. It surfaces what no log query can: a credential quietly operating outside its mandate, a steward abusing the identity they own, an agent whose behavior has drifted from the purpose it was deployed to serve. When intent becomes legible, the threats that hide inside normal-looking activity stop being invisible.

human persona behavioral pathways machine persona behavioral pathways stewardship graph joint reasoner human machine joint state infers latent intent benign misuse steward abuse rogue agent

Fig. 5 — A human and a machine persona, bound by the stewardship graph, are jointly reasoned over by cross-attention; the reasoner infers the latent intent behind their interaction, surfacing the misuse, steward abuse, or rogue behavior no single signal reveals.

VIPersona-Based Reasoning Engine

It reasons about why, not just what.

Every other tool reduces a threat to a number: a risk score between 0 and 100, quantitative and unexplained. TOTAL's Judge Agent reasons like a court, weighing the evidence against the identity's Persona and its drift to reach a qualitative verdict on the one thing a score can never capture: intent. The same action is ordinary or the opening move of an attack depending entirely on why it was taken, and by whom.

Underneath, the agent dispatches connector-specific subagents that interrogate the live environment in parallel, then grounds what they surface through dense, lexical, and graph retrieval over a proprietary attack-vector corpus. A mixture-of-experts router hands each case to the experts post-trained for its threat family, and the agent scales test-time compute across the assembled evidence until it can defend a conclusion.

Intent is detectable before the act, while it is still forming, long before a file moves. Everyone else detects the breach after it lands. TOTAL detects the intent before it becomes one.

live environment connector subagents dense · lexical · graphretrieval embedding space attack-vector corpus MoE router expert · insider expert · ATO expert · collusion Judge ↻ test-time compute verdict · intent

Fig. 6 — The reasoning engine. Connector subagents gather evidence, retrieval grounds it against an attack-vector corpus, and a mixture-of-experts router scales test-time compute to a defensible verdict on intent.

VIIAI-Based Preventative Action

Most insider risk is not malice. It is a good person about to make a mistake.

Most insider incidents are honest mistakes: a file shared with the wrong person, data pasted into the wrong tool. The unwitting insider means no harm, which is why blunt controls fail: block everything and you stop the work, block nothing and you miss the moment that matters.

TOTAL Enforce AI works that moment differently. It runs a persona-conditioned intervention policy that treats every risky action as a contextual-bandit decision: grounded in behavioral psychology, it selects in real time the optimal response along a graduated response ladder, and for most people a single prompt to self-police is enough. When the signal reads deliberate intent rather than honest error, the policy escalates: honeypotting, then lockdown.

The whole loop is closed and self-improving: every SOC adjudication becomes a verifiable reward, and the policy is post-trained from it through preference optimization, so it converges on your team's judgment and autonomously remediates routine cases over time.

risky action persona-conditioned policycontextual bandit graduatedresponse self-police honeypot lockdown drift corrected by self-policing safe zone drift self-police corrected every adjudication → verifiable reward → the policy improves

Fig. 7 — A persona-conditioned policy picks the lightest sufficient response on a graduated ladder; most often a single prompt to self-police is enough to pull a drifting identity back into its safe zone. Every adjudication returns as a verifiable reward that post-trains the policy.