{ "id": "S0DqTtF7QQsluFfM", "name": "AI agent for IAM event governance with compliance routing and audit", "tags": [], "nodes": [ { "id": "f7e0a39e-40b2-432f-b801-423513af3b0e", "name": "Receive IAM Event", "type": "n8n-nodes-base.webhook", "position": [ 240, 576 ], "parameters": { "path": "iam-events", "options": {}, "httpMethod": "POST", "responseMode": "responseNode" }, "typeVersion": 2.1 }, { "id": "26355701-d643-4d5c-855d-2550f928ab8d", "name": "Governance Agent", "type": "@n8n/n8n-nodes-langchain.agent", "position": [ 1024, 576 ], "parameters": { "text": "={{ $json.body }}", "options": { "systemMessage": "You are a Governance Agent responsible for orchestrating IAM access approvals, revocations, and compliance reporting. You coordinate with the Access Signal Agent to validate events, then make decisions on approvals or revocations based on risk level, compliance policies, and organizational rules. For high-risk events, escalate for human approval. For routine events, auto-approve or auto-revoke. Generate compliance reports summarizing all actions taken." }, "promptType": "define", "hasOutputParser": true }, "typeVersion": 3.1 }, { "id": "1affc496-cb3e-452e-92fb-5f22687675ba", "name": "Governance Model", "type": "@n8n/n8n-nodes-langchain.lmChatOpenAi", "position": [ 464, 800 ], "parameters": { "model": { "__rl": true, "mode": "id", "value": "gpt-4o-mini" }, "options": { "temperature": 0.2 }, "builtInTools": {} }, "credentials": { "openAiApi": { "name": "" } }, "typeVersion": 1.3 }, { "id": "ba81b3a7-266c-4b0f-a6ab-809c4760e3db", "name": "Conversation Memory", "type": "@n8n/n8n-nodes-langchain.memoryBufferWindow", "position": [ 592, 800 ], "parameters": {}, "typeVersion": 1.3 }, { "id": "fc93a4b4-3603-42ed-b055-18357384a1bf", "name": "Access Signal Agent", "type": "@n8n/n8n-nodes-langchain.agentTool", "position": [ 720, 800 ], "parameters": { "text": "={{ $fromAI('iam_event', 'The IAM event data to validate') }}", "options": { "systemMessage": "You are an Access Signal Agent specialized in validating IAM events. Analyze the event structure, verify required fields (user_id, resource, action, timestamp), assess risk level (low/medium/high/critical), detect anomalies (unusual access patterns, privilege escalation, off-hours requests), and check compliance requirements. Return structured validation results." }, "hasOutputParser": true, "toolDescription": "Validates structured IAM events including user identity, resource access requests, permission changes, and security signals. Returns validation status, risk level, anomaly detection, and compliance flags." }, "typeVersion": 3 }, { "id": "0fba0275-4e87-46de-8f1d-2699f0ee08e8", "name": "Access Signal Model", "type": "@n8n/n8n-nodes-langchain.lmChatOpenAi", "position": [ 672, 1008 ], "parameters": { "model": { "__rl": true, "mode": "id", "value": "gpt-4o-mini" }, "options": { "temperature": 0.1 }, "builtInTools": {} }, "credentials": { "openAiApi": { "name": "" } }, "typeVersion": 1.3 }, { "id": "91ef5ab1-b9a5-4fbd-8918-c99ae37b1c72", "name": "Governance Output Parser", "type": "@n8n/n8n-nodes-langchain.outputParserStructured", "position": [ 1744, 800 ], "parameters": { "schemaType": "manual", "inputSchema": "{\n\t\"type\": \"object\",\n\t\"properties\": {\n\t\t\"decision\": {\n\t\t\t\"type\": \"string\",\n\t\t\t\"enum\": [\"approved\", \"revoked\", \"escalated\", \"pending\"]\n\t\t},\n\t\t\"risk_level\": {\n\t\t\t\"type\": \"string\",\n\t\t\t\"enum\": [\"low\", \"medium\", \"high\", \"critical\"]\n\t\t},\n\t\t\"action_taken\": {\n\t\t\t\"type\": \"string\"\n\t\t},\n\t\t\"compliance_status\": {\n\t\t\t\"type\": \"string\"\n\t\t},\n\t\t\"reasoning\": {\n\t\t\t\"type\": \"string\"\n\t\t},\n\t\t\"requires_human_review\": {\n\t\t\t\"type\": \"boolean\"\n\t\t}\n\t},\n\t\"required\": [\"decision\", \"risk_level\", \"action_taken\", \"reasoning\"]\n}" }, "typeVersion": 1.3 }, { "id": "ef038eaa-e54f-486e-9be3-60bc8953c5a7", "name": "Validation Output Parser", "type": "@n8n/n8n-nodes-langchain.outputParserStructured", "position": [ 864, 1008 ], "parameters": { "schemaType": "manual", "inputSchema": "{\n\t\"type\": \"object\",\n\t\"properties\": {\n\t\t\"is_valid\": {\n\t\t\t\"type\": \"boolean\"\n\t\t},\n\t\t\"risk_level\": {\n\t\t\t\"type\": \"string\",\n\t\t\t\"enum\": [\"low\", \"medium\", \"high\", \"critical\"]\n\t\t},\n\t\t\"anomalies_detected\": {\n\t\t\t\"type\": \"array\",\n\t\t\t\"items\": {\n\t\t\t\t\"type\": \"string\"\n\t\t\t}\n\t\t},\n\t\t\"compliance_flags\": {\n\t\t\t\"type\": \"array\",\n\t\t\t\"items\": {\n\t\t\t\t\"type\": \"string\"\n\t\t\t}\n\t\t},\n\t\t\"missing_fields\": {\n\t\t\t\"type\": \"array\",\n\t\t\t\"items\": {\n\t\t\t\t\"type\": \"string\"\n\t\t\t}\n\t\t},\n\t\t\"validation_message\": {\n\t\t\t\"type\": \"string\"\n\t\t}\n\t},\n\t\"required\": [\"is_valid\", \"risk_level\", \"validation_message\"]\n}" }, "typeVersion": 1.3 }, { "id": "676c7cd7-dd20-447e-b715-065c094c930f", "name": "forgeLLM API Tool", "type": "n8n-nodes-base.httpRequestTool", "position": [ 1040, 768 ], "parameters": { "url": "https://api.runpod.ai/v2/l39v5drmx0q5sc/runsync", "method": "POST", "options": {}, "jsonBody": "={\n \"input\": {\n \"prompt\": \"={{ $fromAI('prompt', 'The prompt to send to the fine-tuned LLM') }}\",\n \"client\": \"iam_governance_system\"\n }\n}", "sendBody": true, "sendHeaders": true, "specifyBody": "json", "authentication": "genericCredentialType", "genericAuthType": "httpHeaderAuth", "toolDescription": "Calls forgeLLM fine-tuned model API for specialized IAM analysis and cost-efficient inference on domain-specific tasks", "headerParameters": { "parameters": [ { "name": "Content-Type", "value": "application/json" } ] } }, "credentials": { "httpHeaderAuth": { "name": "" } }, "typeVersion": 4.4 }, { "id": "ec6f3988-e4d2-4652-aa4c-ed4e2f5798f7", "name": "Slack Notification Tool", "type": "n8n-nodes-base.slackTool", "position": [ 1136, 896 ], "parameters": { "text": "={{ $fromAI('message', 'The notification message to send') }}", "select": "channel", "channelId": { "__rl": true, "mode": "id", "value": "={{ $fromAI('channel', 'Slack channel name or ID', 'string', '#iam-approvals') }}" }, "otherOptions": {}, "authentication": "oAuth2", "descriptionType": "manual", "toolDescription": "Sends approval requests, escalation alerts, and compliance notifications to Slack channels for high-risk IAM events requiring human review" }, "credentials": { "slackOAuth2Api": { "name": "" } }, "typeVersion": 2.4 }, { "id": "94e72945-3dcd-4f02-8973-02a2eb806c36", "name": "Email Notification Tool", "type": "n8n-nodes-base.gmailTool", "position": [ 1280, 800 ], "parameters": { "sendTo": "={{ $fromAI('recipient', 'Email recipient address', 'string') }}", "message": "={{ $fromAI('body', 'Email message body') }}", "options": {}, "subject": "={{ $fromAI('subject', 'Email subject line', 'string') }}", "descriptionType": "manual", "toolDescription": "Sends email notifications for approvals, revocations, and compliance reports to stakeholders and security teams" }, "credentials": { "gmailOAuth2": { "name": "" } }, "typeVersion": 2.2 }, { "id": "a0bd5b97-ec29-423d-99f5-da1b637f9684", "name": "Audit Log Tool", "type": "n8n-nodes-base.dataTableTool", "position": [ 1408, 800 ], "parameters": { "columns": { "value": null, "mappingMode": "autoMapInputData" }, "options": {}, "dataTableId": { "__rl": true, "mode": "id", "value": "<__PLACEHOLDER_VALUE__iam_audit_log__>" }, "descriptionType": "manual", "toolDescription": "Stores IAM events, validation results, approval decisions, and actions taken in the audit log table for compliance tracking" }, "typeVersion": 1.1 }, { "id": "aca59098-e567-4736-84fe-22e3ef35952e", "name": "Compliance Query Tool", "type": "n8n-nodes-base.dataTableTool", "position": [ 1568, 800 ], "parameters": { "operation": "get", "dataTableId": { "__rl": true, "mode": "id", "value": "<__PLACEHOLDER_VALUE__iam_audit_log__>" }, "descriptionType": "manual", "toolDescription": "Queries historical IAM audit data for compliance reporting, trend analysis, and anomaly detection across time periods" }, "typeVersion": 1.1 }, { "id": "82137ccf-8b47-4c5d-a0b9-3ceae3eacc7c", "name": "Route by Decision", "type": "n8n-nodes-base.switch", "position": [ 1936, 640 ], "parameters": { "rules": { "values": [ { "conditions": { "options": { "leftValue": "", "caseSensitive": true }, "combinator": "and", "conditions": [ { "operator": { "type": "string", "operation": "equals" }, "leftValue": "={{ $json.output.decision }}", "rightValue": "approved" } ] } }, { "conditions": { "options": { "leftValue": "", "caseSensitive": true }, "combinator": "and", "conditions": [ { "operator": { "type": "string", "operation": "equals" }, "leftValue": "={{ $json.output.decision }}", "rightValue": "revoked" } ] } }, { "conditions": { "options": { "leftValue": "", "caseSensitive": true }, "combinator": "and", "conditions": [ { "operator": { "type": "string", "operation": "equals" }, "leftValue": "={{ $json.output.decision }}", "rightValue": "escalated" } ] } }, { "conditions": { "options": { "leftValue": "", "caseSensitive": true }, "combinator": "and", "conditions": [ { "operator": { "type": "string", "operation": "equals" }, "leftValue": "={{ $json.output.decision }}", "rightValue": "pending" } ] } } ] }, "options": {} }, "typeVersion": 3.4 }, { "id": "d4c10a49-f3dc-47eb-a167-865624a3015d", "name": "Store Approved Events", "type": "n8n-nodes-base.dataTable", "position": [ 2448, 528 ], "parameters": { "columns": { "value": null, "mappingMode": "autoMapInputData" }, "options": {}, "dataTableId": { "__rl": true, "mode": "id", "value": "<__PLACEHOLDER_VALUE__approved_events__>" } }, "typeVersion": 1.1 }, { "id": "12ae62c9-1891-408c-9c79-a6080c29190e", "name": "Store Revoked Events", "type": "n8n-nodes-base.dataTable", "position": [ 2448, 800 ], "parameters": { "columns": { "value": null, "mappingMode": "autoMapInputData" }, "options": {}, "dataTableId": { "__rl": true, "mode": "id", "value": "<__PLACEHOLDER_VALUE__revoked_events__>" } }, "typeVersion": 1.1 }, { "id": "7bd206cd-53c0-476d-8aa4-22a1ebe344ee", "name": "Store Escalated Events", "type": "n8n-nodes-base.dataTable", "position": [ 2448, 1088 ], "parameters": { "columns": { "value": null, "mappingMode": "autoMapInputData" }, "options": {}, "dataTableId": { "__rl": true, "mode": "id", "value": "<__PLACEHOLDER_VALUE__escalated_events__>" } }, "typeVersion": 1.1 }, { "id": "3c971b20-48d2-4aca-839d-d1dd457747b8", "name": "Return Response", "type": "n8n-nodes-base.respondToWebhook", "position": [ 2672, 800 ], "parameters": { "options": {}, "respondWith": "json", "responseBody": "={{ $json }}" }, "typeVersion": 1.5 }, { "id": "3adeae89-c376-4082-877e-dbd70105183f", "name": "Prepare Approved Data", "type": "n8n-nodes-base.set", "position": [ 2224, 560 ], "parameters": { "options": {}, "assignments": { "assignments": [ { "id": "id-1", "name": "event_id", "type": "string", "value": "={{ $json.body.event_id }}" }, { "id": "id-2", "name": "user_id", "type": "string", "value": "={{ $json.body.user_id }}" }, { "id": "id-3", "name": "resource", "type": "string", "value": "={{ $json.body.resource }}" }, { "id": "id-4", "name": "action", "type": "string", "value": "={{ $json.body.action }}" }, { "id": "id-5", "name": "decision", "type": "string", "value": "={{ $json.output.decision }}" }, { "id": "id-6", "name": "risk_level", "type": "string", "value": "={{ $json.output.risk_level }}" }, { "id": "id-7", "name": "action_taken", "type": "string", "value": "={{ $json.output.action_taken }}" }, { "id": "id-8", "name": "reasoning", "type": "string", "value": "={{ $json.output.reasoning }}" }, { "id": "id-9", "name": "timestamp", "type": "string", "value": "={{ $now }}" } ] } }, "typeVersion": 3.4 }, { "id": "215d2c50-dbb1-4682-ac23-1d6be5f9e96b", "name": "Prepare Revoked Data", "type": "n8n-nodes-base.set", "position": [ 2224, 720 ], "parameters": { "options": {}, "assignments": { "assignments": [ { "id": "id-1", "name": "event_id", "type": "string", "value": "={{ $json.body.event_id }}" }, { "id": "id-2", "name": "user_id", "type": "string", "value": "={{ $json.body.user_id }}" }, { "id": "id-3", "name": "resource", "type": "string", "value": "={{ $json.body.resource }}" }, { "id": "id-4", "name": "action", "type": "string", "value": "={{ $json.body.action }}" }, { "id": "id-5", "name": "decision", "type": "string", "value": "={{ $json.output.decision }}" }, { "id": "id-6", "name": "risk_level", "type": "string", "value": "={{ $json.output.risk_level }}" }, { "id": "id-7", "name": "action_taken", "type": "string", "value": "={{ $json.output.action_taken }}" }, { "id": "id-8", "name": "reasoning", "type": "string", "value": "={{ $json.output.reasoning }}" }, { "id": "id-9", "name": "timestamp", "type": "string", "value": "={{ $now }}" } ] } }, "typeVersion": 3.4 }, { "id": "7203c53a-b326-48dd-82b4-8e3797131c95", "name": "Prepare Escalated Data", "type": "n8n-nodes-base.set", "position": [ 2224, 1008 ], "parameters": { "options": {}, "assignments": { "assignments": [ { "id": "id-1", "name": "event_id", "type": "string", "value": "={{ $json.body.event_id }}" }, { "id": "id-2", "name": "user_id", "type": "string", "value": "={{ $json.body.user_id }}" }, { "id": "id-3", "name": "resource", "type": "string", "value": "={{ $json.body.resource }}" }, { "id": "id-4", "name": "action", "type": "string", "value": "={{ $json.body.action }}" }, { "id": "id-5", "name": "decision", "type": "string", "value": "={{ $json.output.decision }}" }, { "id": "id-6", "name": "risk_level", "type": "string", "value": "={{ $json.output.risk_level }}" }, { "id": "id-7", "name": "action_taken", "type": "string", "value": "={{ $json.output.action_taken }}" }, { "id": "id-8", "name": "reasoning", "type": "string", "value": "={{ $json.output.reasoning }}" }, { "id": "id-9", "name": "requires_human_review", "type": "boolean", "value": "={{ $json.output.requires_human_review }}" }, { "id": "id-10", "name": "timestamp", "type": "string", "value": "={{ $now }}" } ] } }, "typeVersion": 3.4 }, { "id": "4fd6004b-aec7-49ca-8a25-60849cb9c12a", "name": "Sticky Note", "type": "n8n-nodes-base.stickyNote", "position": [ 112, 16 ], "parameters": { "width": 592, "height": 352, "content": "## How It Works\nThis workflow automates Identity and Access Management (IAM) event governance using an AI agent, targeting security operations teams, compliance officers, and IT governance teams managing cloud or enterprise IAM systems. The core problem it solves is the manual, error-prone review of IAM events, such as permission grants, role changes, and access revocations, which are high-risk and require rapid, consistent decision-making at scale. When an IAM event is received via webhook (POST), a Governance Agent powered by an LLM evaluates it using contextual memory, an Access Signal Agent, and a forgeLLM API. It cross-references compliance rules via a Compliance Query Tool and logs findings through an Audit Log Tool. Notifications are dispatched via Email and Slack. Based on the agent's decision, a Rules-based Router directs the event into one of three branches, namely: Approved, Revoked, or Escalated, where event data is prepared and stored accordingly. A unified response is then returned to the caller, ensuring every IAM event is audited, classified, and actioned without human bottlenecks.\n" }, "typeVersion": 1 }, { "id": "df496e71-cffa-4e0c-a3ca-93417b835229", "name": "Sticky Note1", "type": "n8n-nodes-base.stickyNote", "position": [ 816, 0 ], "parameters": { "width": 432, "height": 336, "content": "## Setup Steps\n1. Configure the Webhook node with your IAM event source endpoint.\n2. Add LLM credentials to the forgeLLM API Tool node.\n3. Set up Governance Model with your policy prompt and connect Conversation Memory.\n4. Configure Access Signal Agent with your access data source credentials.\n5. Connect Compliance Query Tool to your compliance database or API.\n6. Add Gmail/SMTP credentials to the Email Notification Tool.\n7. Add Slack Bot token to the Slack Notification Tool." }, "typeVersion": 1 }, { "id": "58111447-a957-44a0-a0dc-4c0dad4f6968", "name": "Sticky Note2", "type": "n8n-nodes-base.stickyNote", "position": [ 1328, -64 ], "parameters": { "color": 6, "width": 400, "height": 368, "content": "## Prerequisites\n- forgeLLM or compatible LLM API key\n- Slack Bot token\n- Gmail/SMTP credentials\n## Use Cases\n- Automatically approve or revoke IAM role assignments based on policy.\n## Customization\n- Swap forgeLLM for OpenAI or Anthropic models.\n## Benefits\n- Eliminates manual IAM review bottlenecks." }, "typeVersion": 1 }, { "id": "fe07e97f-41c4-4711-9142-45685aafb058", "name": "Sticky Note3", "type": "n8n-nodes-base.stickyNote", "position": [ 992, 432 ], "parameters": { "color": 7, "width": 880, "height": 704, "content": "## Compliance & Audit\n**What:** Queries compliance rules; logs event details to audit store.\n**Why:** Ensures regulatory traceability and policy alignment." }, "typeVersion": 1 }, { "id": "f39e60a8-945d-44b3-bfd5-f8db58060a83", "name": "Sticky Note4", "type": "n8n-nodes-base.stickyNote", "position": [ 1888, 432 ], "parameters": { "color": 7, "width": 496, "height": 848, "content": "\n## Route by Decision\n**What:** Rules engine splits events into Approved, Revoked, or Escalated paths.\n**Why:** Automates downstream handling based on AI verdict.\n" }, "typeVersion": 1 }, { "id": "c5cc2514-aa83-4fe9-bcca-f8f4e075854b", "name": "Sticky Note5", "type": "n8n-nodes-base.stickyNote", "position": [ 112, 432 ], "parameters": { "color": 7, "width": 864, "height": 832, "content": "## Receive & Evaluate IAM Event\n**What:** Webhook triggers on incoming IAM event payload; LLM agent immediately assesses it using memory.\n**Why:** Enables real-time, event-driven governance while applying consistent, context-aware policy judgement at scale without polling.\n" }, "typeVersion": 1 }, { "id": "c1d1a394-9256-4d37-95eb-eb6b82ce34ef", "name": "Sticky Note6", "type": "n8n-nodes-base.stickyNote", "position": [ 2400, 400 ], "parameters": { "color": 7, "width": 416, "height": 864, "content": "\n## Store & Respond\n**What:** Prepares and stores classified event data; returns response.\n**Why:** Maintains a structured audit trail and closes the governance loop." }, "typeVersion": 1 } ], "active": false, "settings": { "binaryMode": "separate", "executionOrder": "v1" }, "versionId": "8548c0e5-7470-4fa0-ba67-8947a09a818c", "connections": { "Audit Log Tool": { "ai_tool": [ [ { "node": "Governance Agent", "type": "ai_tool", "index": 0 } ] ] }, "Governance Agent": { "main": [ [ { "node": "Route by Decision", "type": "main", "index": 0 } ] ] }, "Governance Model": { "ai_languageModel": [ [ { "node": "Governance Agent", "type": "ai_languageModel", "index": 0 } ] ] }, "Receive IAM Event": { "main": [ [ { "node": "Governance Agent", "type": "main", "index": 0 } ] ] }, "Route by Decision": { "main": [ [ { "node": "Prepare Approved Data", "type": "main", "index": 0 } ], [ { "node": "Store Revoked Events", "type": "main", "index": 0 }, { "node": "Prepare Revoked Data", "type": "main", "index": 0 } ], [ { "node": "Store Escalated Events", "type": "main", "index": 0 }, { "node": "Prepare Escalated Data", "type": "main", "index": 0 } ] ] }, "forgeLLM API Tool": { "ai_tool": [ [ { "node": "Governance Agent", "type": "ai_tool", "index": 0 } ] ] }, "Access Signal Agent": { "ai_tool": [ [ { "node": "Governance Agent", "type": "ai_tool", "index": 0 } ] ] }, "Access Signal Model": { "ai_languageModel": [ [ { "node": "Access Signal Agent", "type": "ai_languageModel", "index": 0 } ] ] }, "Conversation Memory": { "ai_memory": [ [ { "node": "Governance Agent", "type": "ai_memory", "index": 0 } ] ] }, "Prepare Revoked Data": { "main": [ [ { "node": "Store Revoked Events", "type": "main", "index": 0 } ] ] }, "Store Revoked Events": { "main": [ [ { "node": "Return Response", "type": "main", "index": 0 } ] ] }, "Compliance Query Tool": { "ai_tool": [ [ { "node": "Governance Agent", "type": "ai_tool", "index": 0 } ] ] }, "Prepare Approved Data": { "main": [ [ { "node": "Store Approved Events", "type": "main", "index": 0 } ] ] }, "Store Approved Events": { "main": [ [ { "node": "Return Response", "type": "main", "index": 0 } ] ] }, "Prepare Escalated Data": { "main": [ [ { "node": "Store Escalated Events", "type": "main", "index": 0 } ] ] }, "Store Escalated Events": { "main": [ [ { "node": "Return Response", "type": "main", "index": 0 } ] ] }, "Email Notification Tool": { "ai_tool": [ [ { "node": "Governance Agent", "type": "ai_tool", "index": 0 } ] ] }, "Slack Notification Tool": { "ai_tool": [ [ { "node": "Governance Agent", "type": "ai_tool", "index": 0 } ] ] }, "Governance Output Parser": { "ai_outputParser": [ [ { "node": "Governance Agent", "type": "ai_outputParser", "index": 0 } ] ] }, "Validation Output Parser": { "ai_outputParser": [ [ { "node": "Access Signal Agent", "type": "ai_outputParser", "index": 0 } ] ] } } }