AI Clearance for Jira Service Management
Audit-ready evidence for AI tool access decisions
AI Clearance turns JSM approvals into a defensible lifecycle record: who requested access to which AI tool, who approved it and under what policy, when it expires, when it was recertified, whether Okta or Microsoft Entra group membership still matches the approval, and whether the Governance Logs export can be checked for continuity.
Last updated: 2026-06-18
Marketplace handles install, trial, billing, and current terms. Bring one workflow for a teardown if you want design-partner help.
The post-approval problem
Approvals are the easy part. Jira Service Management can route a request, notify approvers, and record a decision. That is table stakes for AI tool access.
The harder question arrives later: who still has access, was continued need recertified, did the grant expire, and does the identity-provider group still match the approval record?
Security and GRC teams feel that pressure during audits, vendor reviews, and AI governance reviews. The European Commission public timeline says the AI Act became broadly applicable on 2 August 2026 with exceptions, and current Commission pages also note later timelines for some high-risk rules. Treat that as compliance-pressure context, not legal advice.
Sample - synthetic data
Evidence pack: expired grant, group mismatch, verified audit continuity
This sample is built around the post-approval failure buyers actually ask about: an AI access approval expired, review-before-expiry did not confirm continued need, and the configured Okta group still observed the user as a member. Governance Logs continuity checks pass over the retained sample events, while the access-removal finding remains open.
Recertification and drift
Recertification reviews (review-before-expiry) ask whether the approved user still needs the AI tool before the grant expires or continues. Scheduled recertification checks create recert issues for active grants entering the review window.
Drift checks answer a different question: does Okta or Microsoft Entra configured-group membership still match the approval record? That check is useful because a ticket can be correct while the group membership has changed.
Important scope limit
AI Clearance checks the configured group boundary only. IdP and app admins must make that group control the real app, license, role, or resource.
Where native JSM ends and AI Clearance begins
| Capability | Native JSM | AI Clearance |
|---|---|---|
| Intake and approval routing | Handles well with request types, forms, approver fields, and workflow approval steps. | Uses JSM intake and preserves the AI-specific lifecycle record after approval. |
| Requestable AI catalog | Buildable with Assets or custom fields, but upkeep is on the admin team. | Built-in approved AI tool catalog with risk, expiry defaults, guidance, and optional connector binding. |
| Duplicate-request blocking | Possible with custom automation and JQL, but not turnkey. | Blocks approval when a duplicate open grant exists for the same user and tool. |
| Timeboxed grants and expiry | Possible with custom date fields and automation. | Tracks grant duration, expiry labels, expiration jobs, extension limits, and revocation/deprovisioning state. |
| Recertification reviews | Possible as custom recurring/review issues. | Scheduled recertification checks can create review-before-expiry issues for grants entering the recertification window. |
| Evidence export as a pack | Requires custom export design beyond ordinary ticket history. | Exports request and grant data; Governance Logs include hash-chain integrity metadata such as prevHash and entryHash for export-verifiable audit continuity. |
| Okta/Entra reconciliation | Not native; requires manual checks or custom integration. | Optional connected mode can add, remove, or run drift checks for configured-group membership only. |
Read the full AI Clearance vs native Jira Service Management comparison.
Security, privacy, and egress
- Baseline app state is stored in Atlassian Forge storage.
- Connected mode is optional and requires explicit admin configuration.
- Connector credentials are stored through Forge secret storage.
- Connected-mode requests to ArdSaor Core are scoped to connector testing, tenant binding, identity matching, and configured-group add, remove, or check actions.
- IdP and app admins remain responsible for making the configured group control the real app, license, role, or resource.
- Admins can review privacy, security, SLA, and support documentation before rollout.
Design partner program
Three design-partner slots are available for teams that want to shape the hash-chained evidence-pack, recertification, and drift-check workflow before it hardens into the product.
The program is scoped to 8 weeks, includes direct access to the builder, and is offered at CA$20k for one real AI access process and buyer-specific evidence pack.
What the 8-week sprint includes
- AI Clearance product access during the sprint.
- Setup around one real JSM AI access workflow, including catalog, request, approval, policy, and expiry configuration.
- Working sessions with the JSM, IAM, security/GRC, or enterprise-app owners who touch the workflow.
- Okta or Microsoft Entra configured-group boundary mapping, or a manual evidence path when connected mode is not ready.
- One controlled request, approval, grant, expiry, review-before-expiry, and evidence scenario.
- Governance Logs export, continuity verification walkthrough, and buyer-specific evidence-pack handoff.
Best fit
JSM platform owners, GRC owners, or security teams that need verifiable audit-trail metadata, not screenshots, and have a concrete Okta or Entra configured-group boundary to test.
Scope limit
This is not a full IAM/IGA replacement, runtime AI monitor, or broad enterprise rollout. The sprint stays bounded to one AI access process and the evidence needed to prove it.
FAQ
What problem does AI Clearance solve?
AI Clearance focuses on lifecycle evidence after AI access is approved: active grants, expiry, recertification reviews, Okta or Entra match status, drift, and exportable access review proof.
Can native JSM handle intake and approval?
Yes. Native JSM can handle basic request intake and approval. AI Clearance is focused on the evidence layer after approval: recertification, expiry, identity-system match or mismatch, drift visibility, and audit exports.
Does AI Clearance change group membership automatically?
Only within the configured-group boundary. When Okta or Microsoft Entra connected mode is configured, AI Clearance can add, remove, or check the approved user in the configured group. IdP or app admins must make that group control the real app, license, role, or resource.
Does it monitor what users type into AI tools?
No. The product governs access requests, decisions, grants, expiry, and evidence. It does not inspect prompts, prove runtime AI usage, or replace IAM/IGA.
Where is app data stored?
Baseline app data is stored in Atlassian Forge storage. Optional connector operations use ArdSaor Core only when connected mode is explicitly configured.
Can native JSM plus Assets do this without an app?
Yes, for simple intake, approval, and a maintained catalog. The tradeoff is that your team owns the Assets schema, automation rules, recertification workflow, duplicate-open-grant checks, IdP reconciliation, and evidence export format.
What does an auditor actually receive?
The useful unit is an evidence pack: request context, approval decision, policy and risk context, grant duration and expiry, recertification review state, configured-group drift-check outcomes where connected mode is configured, and hash-chained Governance Logs with integrity metadata. The public sample evidence pack on this page uses fictional demo data to show the expected export-verifiable shape.
What happens at expiry?
Scheduled lifecycle automation expires overdue grants and creates review-before-expiry issues for grants entering the recertification window. Manual or connected deprovisioning follow-up depends on the configured fulfillment path.
Is this an IAM or IGA replacement?
No. AI Clearance is a JSM-centered evidence layer for AI access decisions. It does not replace IAM/IGA, does not prove runtime AI usage, and only checks configured Okta or Entra groups when connected mode is configured.
Buyer guides
Review your AI access evidence path
Bring one current AI access workflow and one evidence request. The teardown maps whether hash-chained Governance Logs and the sample evidence pack cover the proof your GRC/security team asks for.
No public scheduler URL is configured yet. Email Andrew with the workflow context and he will reply with available times.