Digital Worker Identity Playbook

This playbook is a collaboration between the Identity, Credential, and Access Management Subcommittee of the Federal Chief Information Security Officer (CISO) Council and the General Services Administration Office of Government-wide Policy identity Assurance and Trusted Access Division

Executive Summary

The Digital Worker Identity Playbook is a practical guide to manage digital worker identities. This playbook helps federal agency ICAM programs as well as CIO and CISO offices define the risk of and a process for digital worker identity management. A digital worker is an automated, software-based tool, application, or agent that performs a business task or process similar to a human user and uses Artificial Intelligence (AI) or other autonomous decision-making capabilities. Office of Management and Budget (OMB) Memorandum M-19-17 requires agencies to ensure the digital identity of automated technologies are “distinguishable, auditable, and consistently managed.” However, agencies face implementation challenges when establishing identities for digital workers. Most often, they attempt to use human worker processes, which can hinder digital worker creation or access.

Common challenges include:

• Human worker identity attributes may not apply to a digital worker. For example, some agencies create ad hoc digital worker identity attributes based on requirements for human users, some of which do not apply (e.g., work station location). Conversely, the scope of identity attributes required for human users may not include some attributes that are needed for digital workers (e.g., custodian names).
• Lack of ability to provision individual user accounts to a digital worker. Some agencies allow digital workers to run on service, system, or group accounts. This practice arises because implementation teams are either unable or not authorized to have individual user accounts assigned to a digital worker. However, digital workers are less distinguishable from other non-person entity types when they use service, system, or group accounts rather than user accounts.

Agencies should tailor this playbook to fit their mission, business, technology, and security needs and integrate into enterprise identity management policies.

Federal agencies use digital workers to automate processes, increase efficiencies, and discover insights from large volumes of data. Digital workers may interact with or use sensitive information to perform unattended, high-risk tasks that may critically impact an agency’s mission. Agencies usually leverage existing, human-based processes to create a digital worker identity, but doing so may hinder a digital worker’s access or success. This playbook addresses the challenges in determining digital worker risk and outlines a process to establish a digital worker identity.

This playbook is iterative, and agencies are encouraged to collaborate, share best practices, and share lessons learned. Federal employees may consider joining a relevant committee or community of practice to learn and engage in digital worker identity management.

• Identity, Credential, and Access Management subcommittee (ICAMSC)

Key Terms

This document uses the following key terms:

• Digital Worker  - An automated, software-based tool, application, or agent that performs a business task or process similar to a human user and uses AI or other autonomous decision-making capabilities.¹

The list below includes the most common types of digital workers.

• Artificial Intelligence (AI) - A computer system’s ability to make autonomous decisions or perform tasks, traditionally requiring human intelligence.
• Chatbot  - A software tool that interacts with a human user to provide a service, such as retrieving data, answering a question, or directing the user to a resource.
• Machine Learning (ML) - The process of teaching computers to learn from data and perform tasks with minimal direct instruction or programming on how to achieve the desired outcome.

Disclaimer

The General Services Administration Office of Government-wide Policy developed this playbook with input from federal IT practitioners. This document should not be interpreted as official policy or mandated action, and it does not provide authoritative definitions for IT terms. Instead, this playbook supplements existing federal IT policies and builds on OMB Memorandum M-19-17², Enabling Mission Delivery Through Improved Identity, Credential, and Access Management and existing federal identity guidance and playbooks. Subject areas with intersecting scope, such as the ethical use and development of digital workers, are considered only to the extent that they relate to digital identity management and credentialing for digital workers. Specific security control implementations are outside the scope of this playbook, as are any elements of data protection requirements and the suitability process for a digital worker sponsor and custodian.

A Four-Step Process for Digital Worker Identity Management

The four-step process depicted in Figure 1 is a structured, iterative approach with discrete actions to create a digital worker identity management process. CIO and CISO offices, the intended audience of this playbook, should use its contents to write, update, or enhance existing enterprise identity management policies. Agencies are encouraged to tailor these steps to meet their organizational structures, unique requirements, and mission needs.

Figure 1: A Four-Step Process for Digital Worker Identity Management

Step 1. Determine the Impact: Consider the potential impacts, if any, when deciding whether to establish a digital worker identity. Much like a human worker, a digital worker should undergo a vetting process before being granted network or application access. Not all digital workers may require a unique identity. Work with the agency’s Identity, Credential, and Access Management (ICAM) governance structure to:

• Create or expand the agency ICAM governance structure and policies for digital worker identity management oversight.
• Score risk using the Digital Worker Impact Assessment.
• Identify a digital worker adverse impact level.³

The Digital Worker Impact Evaluation Matrix (Table 1) is a scoring tool. It uses six factors to score the risk of a digital worker’s scope and access. Agencies can use the risk score to determine an overall adverse impact level.

Step 2. Create an Identity: Ensure the created identity complies with agency ICAM policies. Assign the digital worker a sponsor and a custodian who maintain the digital worker processes. The sponsorship process creates and assigns digital worker oversight roles and responsibilities for a sponsor and a custodian. After appointing a sponsor and a custodian, follow security best practices when validating a digital worker level of access. Best practices include employing least privilege, separation of duties, and regular access recertification, similar to human workers.

Step 3. Provision an Identity: Assign the digital worker an identity in the agency enterprise identity management systems. After appointing both a sponsor and custodian and validating access, capture the appropriate data elements in the digital worker identity record. These data elements enable the agency to appropriately catalog and monitor digital workers throughout the identity lifecycle.

Step 4. Maintain and Deprovision Identity: Continuously manage the digital worker’s identity by ensuring up-to-date record-keeping and adherence to ICAM governance policies throughout its lifecycle. Regularly review and update the digital worker’s access levels to align with their role and to maintain security standards, including the principle of least privilege. Conduct periodic recertifications to verify whether the assigned access is still necessary and identify any potential discrepancies. In the event a digital worker’s function is no longer required, follow the proper procedures to deprovision its identity, ensuring that all access is completely revoked, and the identity is appropriately archived. This process safeguards the integrity and security of the agency’s network and applications by preventing unauthorized access through obsolete digital identities. Properly maintaining and deprovisioning digital worker identities help mitigate risks and ensure compliance with the agency’s security policies.

This playbook should aid agencies in integrating digital worker identity management processes into existing enterprise identity management policies.

Step 1. Determine the Impact

Figure 2: Step 1 - Determine the Impact

Ensure digital worker identity management has proper governance, score the function of the digital worker across six categories, and then use the risk score to arrive at an adverse impact level. For this step, use the Digital Worker Impact Evaluation Matrix presented in Table 1.

1.1 Ensure Proper Oversight

The ICAM governance structure ensures enterprise identity management policies are updated to include digital worker management and use. For ICAM oversight and program management examples, see the ICAM Program Management Playbook.

Update the agency enterprise identity management policies to include digital worker identity management.

1.2 Score Risk Impact

Risk impact requires calculation of a risk score across six factors, based on worker autonomy, content handled, type of access, and privileges required.

Each factor has an associated score, and the sum of these six-factor scores is the overall impact score. If multiple criteria within a factor apply to a digital worker, agencies should select the criterion with the highest score.

Table 1: Digital Worker Impact Evaluation Matrix ⁴

1.3 Determine Adverse Impact Level

The adverse impact level is the potential magnitude of harm a digital worker can cause to the organization, assets, individuals, other organizations, and U.S. economic and national security interests. Specific impacts include:

• Unauthorized disclosure
• Change or destruction of information
• Harm or endangerment of human life
• Loss of access to information systems
• Damage to high-value assets

The four adverse impact levels represent a different scale of harm a digital worker may cause.

1. Low
2. Moderate
3. High
4. Critical

Table 2: Potential Adverse Impact Levels

Step 2. Create an Identity

Figure 3: Step 2 - Create an Identity

Once your agency has determined the digital worker’s level of potential adverse impact, a digital worker identity is created, if needed. The identity process includes sponsorship and validation activities based on the adverse impact level from Step 1.

2.1 Assign a Sponsor and Custodian

The sponsorship process allows agencies to assign specific roles and responsibilities for oversight of digital workers. The agency’s ICAM governance structure ensures the sponsorship process actions are completed; however, it is up to the individual agencies to define how to assign a sponsor and custodian.

Table 3. Sponsor and Custodian Responsibilities

Industry Best Practice

Agencies should periodically assess recertification or access reviews if access privileges are still needed to complete a task and a minimum recommendation is required to verify and validate access. Table 4 presents recommended intervals for sponsor and custodian acknowledgment. They represent minimum acceptable standards.

Agencies may adjust recertification frequency, but should meet or exceed the recommended intervals. When certifying human access to IT platforms, specific systems and applications may impact the frequency of necessary certifications. Agencies should assess the platforms that digital workers access and use this knowledge to help evaluate certification frequency.

Table 4: Sponsorship (SP) Process

2.2 Validate Worker Access

Validation actions record the activities to ensure the digital worker continues to behave as expected throughout the lifecycle. The agency’s ICAM governance structure should ensure completion and tracking of validation process actions, but individual agencies must define a process that fits their mission needs and requirements. The following factors provide a starting point for validation. Agencies may include other mission-specific review factors as needed.

1. Employ least privilege (VD-1). Like a human worker, a digital worker should have the lowest access required to complete a task. The sponsor should review the use of an elevated account before initially granting it or upgrading an account already in use.

2. Separation of duties (VD-2) is a principle that prevents any single person or entity from completing all the functions in a critical or sensitive process in order to prevent fraud, theft, and errors. The sponsor should review the digital worker role to ensure it does not create a separation-of-duty conflict. If there is a conflict, the sponsor should document the exception.

3. Code review (VD-3). Digital worker code may include worker logic and decision-making processes. Include design or other system documentation as part of code review for reasoning and decision-making intent.

4. Ethics and bias review (VD-4 and VD-5). While government-wide standards for ethics and bias are in development, agencies should define their own ethics standards or collaborate with other agencies that align with the agency mission.

5. Recertification acknowledgment (VD-6 and VD-7). Recertification is the act of reviewing access on a periodic basis. It should occur on an annual or biannual schedule based on the adverse impact level.

Table 5: Validation (VD) Process

Step 3. Provision an Identity

Figure 4: Step 3 - Provision an Identity

Capture the appropriate digital worker data elements and store these attributes in the agency Identity Management System (IDMS) or other systems.

3.1 Capture and Store Identity Management Data Elements

Identity management system data elements are identification and sponsorship elements. They include information to uniquely identify a digital worker or contact information when in need of more details. Agencies usually store identity management data elements in an IDMS or directory. Agencies should require data element storage for any digital worker with a unique identity regardless of adverse impact level. Table 6 provides guidance and recommended data fields for capturing the necessary digital worker identity elements.

Table 6: Identity Management System Data Fields

3.2 Capture and Store Identity Governance Data Elements

Identity governance data elements validate and recertify access. They include information used to report on digital worker access and include information on:

• Acknowledgment date
• Recertification date
• Adverse impact level
• Other completion or acknowledgment dates

Agencies may store and track identity governance data elements in an existing system like an identity governance or directory management tool. The agency should develop an appropriate method or process to track these elements if one does not exist.

Table 7: Identity Governance Data Elements

Step 4. Maintain and Deprovision Identity

Figure 5: Step 4 - Maintain and Deprovision Identity

4.1 Continuous Behavioral Monitoring

Continuous behavioral monitoring ensures that digital workers operate within expected parameters and do not deviate from their intended functions, potentially causing adverse impacts. It involves regular assessment and review of activities to detect any anomalies or unauthorized behaviors. Below are the necessary actions and key points for continuous monitoring:

Regular Monitoring:

• Establish continuous monitoring procedures for the digital worker to ensure it behaves as expected.
• Use automated monitoring tools that provide real-time alerts for unusual activities or deviations from normal operations.
• Ensure that these tools log and audit digital worker activities to identify security incidents or compliance issues.

Event and Incident Response:

• Develop a clear incident response plan that includes steps for addressing and mitigating incidents involving digital workers.
• Define roles and responsibilities for responding to incidents, including notifying relevant personnel and stakeholders.
• Conduct regular drills and exercises to prepare for potential incidents involving digital workers.

Periodic Reviews:

• Schedule regular reviews of the digital worker’s performance and compliance with set policies.
• Include checks for code integrity, ethics, and bias as specified by validation actions such as VD-3 (code review), VD-4 (ethics review), and VD-5 (bias review).
• Ensure that the digital worker’s access levels and roles are reviewed periodically (VD-1 and VD-2) to maintain least privilege and appropriate separation of duties.

Recertification:

• Recertify sponsor and custodian acknowledgments at intervals specified earlier: annually for Moderate and High levels, and every six months for Critical levels (VD-6 and VD-7).
• Validate that the sponsor and custodian adhere to their responsibilities and that their recertification dates are tracked and up-to-date (DF-8, DF-9, DF-11, DF-12).

Table 8: Continuous Monitoring Process

4.2 Deprovision Digital Worker

When a digital worker is no longer required or is being replaced, it should be deprovisioned to prevent unauthorized access and eliminate any potential security risks. Below are the steps for safe and effective deprovisioning:

Assessment of Need:

• Assess the ongoing need for the digital worker periodically. If the business need no longer exists or the digital worker is being updated/replaced, initiate the deprovisioning process (SP-1).

Data Backup & Archival:

• Backup critical data and configurations associated with the digital worker before deprovisioning.
• Ensure archiving of relevant logs, configurations, operational data, and access records in compliance with agency data retention policies.

Deactivation of Access:

• Remove the digital worker’s access to all systems and networks to prevent any further activity.
• Ensure that all associated system accounts are disabled or removed (depending on policy).

Removal from Identity Management Systems:

• Update the Identity Management System (IDMS) to reflect the deactivation of the digital worker.
• Ensure that all identity and governance data elements related to the digital worker are updated to indicate deprovisioning.

Notification of Stakeholders:

• Notify all relevant stakeholders (sponsor, custodian, IT staff, and other impacted parties) of the deprovisioning action.
• Document the deprovisioning process and maintain logs for auditing and reporting purposes.

Table 9: Deprovisioning Process

Digital Worker Identity Management Checklist

Step 1: Determine the Impact

• ☐ 1.1 Ensure Proper Oversight
  • Update enterprise identity management policies to include digital worker management.
  • Collaborate with Information System Security Officers on digital worker identity management.
    • ☐ Verify security and non-functional requirements.
    • ☐ Conduct security and privacy assessments.
    • ☐ Perform executable and vulnerability scans.
    • ☐ Review digital worker logic and decision-making design documents.
• ☐ 1.2 Score Risk Impact
  • Use the Digital Worker Impact Evaluation Matrix to score the six factors of risk:
    • ☐ Is the digital worker attended or unattended?
    • ☐ What is the highest level of data access?
    • ☐ Does the digital worker have internal and/or external network access?
    • ☐ What is the impact of the digital worker output?
    • ☐ What type of system account privileges does the digital worker require?
    • ☐ Does the digital worker act on its own insights?

(Reference - Table 1. Digital Worker Impact Evaluation Matrix)

• ☐ 1.3 Determine Adverse Impact Level
  • Calculate the total risk score to determine the adverse impact level:
    • ☐ Low (0-35)
    • ☐ Moderate (36-55)
    • ☐ High (56-90)
    • ☐ Critical (91+)

(Reference - Table 2. Potential Adverse Impact Levels)

Step 2: Create an Identity

• ☐ 2.1 Assign a Sponsor and Custodian
  • ☐ Assign a sponsor responsible for digital worker compliance.
  • ☐ Assign a custodian for day-to-day operational management.
  • ☐ Acknowledge responsibilities of sponsor and custodian initially and on a routine basis (annually or every six months depending on impact level).

(Reference - Table 4. Sponsorship (SP) Process)

• ☐ 2.2 Validate Worker Access
  • ☐ Employ least privilege principle.
  • ☐ Ensure no separation-of-duty conflicts.
  • ☐ Conduct code reviews initially and after changes.
  • ☐ Complete ethics and bias reviews based on government standards.
  • ☐ Recertify acknowledgement of responsibilities for sponsor and custodian.

(Reference - Table 5. Validation (VD) Process)

Step 3: Provision an Identity

• ☐ 3.1 Capture and Store Identity Management Data Elements
  • Store identification and sponsorship elements in the Identity Management System (IDMS):
    • ☐ Digital Worker (Boolean)
    • ☐ Agency Unique User ID
    • ☐ First Name and Last Name
    • ☐ Digital Worker Sponsor Name
    • ☐ Digital Worker Custodian Name
    • ☐ Digital Worker Description
    • ☐ Responsible Organization

(Reference - Table 6. Identity Management System Data Fields)

• ☐ 3.2 Capture and Store Identity Governance Data Elements
  • Store the following data elements for governance:
    • ☐ Sponsor Date of Last Acknowledgment
    • ☐ Sponsor Acknowledgment Recertification Date
    • ☐ Level of Potential Adverse Impact
    • ☐ Custodian Date of Last Acknowledgment
    • ☐ Custodian Acknowledgment Recertification Date
    • ☐ Approved Source IP Address Range (for High and Critical levels)
    • ☐ Code Review Completion Date
    • ☐ Ethics Review Completion Date
    • ☐ Next Ethics Review Date
    • ☐ Bias Review Completion Date
    • ☐ Next Bias Review Date

(Reference - Table 7. Identity Governance Data Elements)

Step 4: Maintain and Deprovision Identity

• ☐ 4.1 Continuous Behavioral Monitoring
  • ☐ Establish continuous monitoring procedures.
  • ☐ Use automated tools for real-time alerts.
  • ☐ Develop an incident response plan.
  • ☐ Define roles and responsibilities for incident response.
  • ☐ Conduct regular drills and exercises.
  • ☐ Perform regular reviews of performance, compliance, and access levels.
  • ☐ Recertify sponsor and custodian acknowledgments at the required intervals.

(Reference - Table 8: Continuous Monitoring Process)

• ☐ 4.2 Deprovision Digital Worker
  • ☐ Assess the need for the digital worker.
  • ☐ Backup critical data and configurations.
  • ☐ Archive relevant logs, configurations, operational data, and access records.
  • ☐ Remove the digital worker’s access to all systems and networks.
  • ☐ Disable or remove associated system accounts.
  • ☐ Update the Identity Management System to indicate deactivation.
  • ☐ Notify relevant stakeholders of deprovisioning.
  • ☐ Document the deprovisioning process and maintain logs.

(Reference - Table 9: Deprovisioning Process)

Conclusion

Digital worker identity management requires new government-wide policies and guidance tailored to digital workers’ unique functional and security considerations. Adoption and implementation of this playbook provide agencies distinct ways to manage and maintain their digital workforce.

• Step 1: The Digital Worker Impact Evaluation Matrix helps agencies determine whether to establish an identity for a digital worker based on its potential level of adverse impact.

• Step 2: New sponsorship and validation processes establish digital worker accountability and confirm the digital worker will only act as programmed.

• Step 3: New identity management and identity governance data elements support an agency’s ability to manage and monitor throughout the identity lifecycle.

• Step 4: Continuous Monitoring and Deprovisioning processes provide agencies with guidelines to follow when monitoring a digital worker’s identity. These processes also outline the steps to take when an agency needs to retire a digital worker’s identity because it is no longer needed.

This playbook is iterative, and agencies are encouraged to collaborate, share best practices, and share lessons learned. Consider joining a federal committee and community of practice to learn and engage in digital worker identity management.

Appendix A. Digital Worker Impact Evaluation Factors

This section provides a detailed breakdown of the information contained in Table 1, the Digital Worker Impact Evaluation Matrix. Tables 8 through 13 individually provide criteria details for Factors 1 through 6, respectively.

Factor 1 – Is the digital worker attended or unattended?
This factor assesses whether the digital worker is attended and overseen by a human worker when completing its operations.

Table 10: Factor 1 Criteria Details

Factor 2 – What is the highest level of data access by the digital worker?
This factor assesses the impact-based sensitivity of data accessed by the digital worker to determine the potential adverse impact related to unauthorized disclosure of information and changing or destroying information.

Table 11: Factor 2 Criteria Details

Factor 3 – Does the digital worker have access to internal and/or external networks?
This factor assesses what type of networks the digital worker accesses. There are different levels of potential impact depending on whether access is granted to internal networks, external networks, or both.

Table 12: Factor 3 Criteria Details

Factor 4 – What is the impact of the output generated by the digital worker?
This factor assesses the potential worst-case scenario impact of the output the digital worker generates on different stakeholder groups: internal organizational impact; external organizational impact; and critical, pervasive impacts across organizations, government, or society.

Table 13: Factor 4 Criteria Details

Factor 5 – What type of system account privileges does the digital worker require?
This factor assesses the type and level of system account access that the digital worker requires to complete its tasks. Privileged access, especially for multiple systems, creates higher potential adverse impact than standard user accounts or no account use at all.

Table 14: Factor 5 Criteria Details

Factor 6 – Does the digital worker act on its own insights?
This factor assesses the extent to which a human is involved in approving the decisions of digital workers. Digital workers that generate insights and then use those insights to make decisions or complete actions have a greater potential adverse impact compared to digital workers that only generate insights or that generate insights but have a human review an action before its completion.

Table 15: Factor 6 Criteria Details

Appendix B. Critical Case Study

A government hospital uses a digital worker to diagnose patients.

• The digital worker uses an unattended machine learning algorithm on internal networks.
• It works with the patient’s medical history, diagnostic test results, and thousands of previous patient outcome data sets containing PHI
• The digital worker develops a diagnosis and recommends a treatment.
• The digital worker uses only a standard user account during its tasks.

Table 14 illustrates computation of the impact score for this digital worker using the Digital Worker Impact Evaluation Matrix.

Table 16: Critical Case Study Digital Worker Impact Evaluation Matrix

This digital worker impact level is Critical. It has the potential to cause severe or catastrophic impact. The overarching risk in this case study derives from the digital worker recommendation impacting an individual’s health and safety and its access to PHI.

The hospital digital worker in this case study has a Critical adverse impact level. Table 15 delineates the actions associated with assigning a sponsor and a custodian as well as validating digital worker access and process.

Table 17: Critical Case Study Sponsorship and Validation

After the sponsorship and validation activities are complete and documented, the hospital digital worker identity was created and provisioned. Table 16 shows the data fields captured. Identity management data fields are captured in the directory service while identity governance data fields are captured in an agency security assessment tool.

Table 18: Critical Case Study Data Fields

Appendix C. Low Case Study

A digital worker helps the General Services Administration gather data on COVID-19.

• The digital worker is unattended, uses a standard system account, and has internal and external network access.

• The digital worker pulls data from public state government websites to aggregate and populate a Geographic Information System map.

• The output is not decision critical and provides insights with no actions.

Table 17 presents the Impact Evaluation Matrix for this digital worker.

Table 19: Low Case Study Digital Worker Impact Evaluation Matrix

This digital worker impact level is Low. The effect of an error or accident is minimal, resulting in negligible impacts. Thus, the digital worker does not require a unique identity. The impact level is documented and a reminder is set to reassess the impact level with any code change.

Footnotes