Article 8: Luna AI Suggestions
What Luna does in access reviews
Luna is Ploy's AI layer. In access reviews, Luna analyses the accounts assigned to a reviewer and generates a recommendation for each one — suggesting whether the access looks appropriate, should be removed, or needs closer attention.
The goal is to reduce the cognitive load on reviewers. In a large access review, it's impractical to scrutinise every single account equally — Luna helps reviewers quickly work through routine cases so they can focus their attention on the accounts that genuinely warrant a closer look.
When suggestions are generated
Luna generates suggestions automatically when a review cycle is created. There's nothing a reviewer or admin needs to do — within a few minutes of cycle generation, Luna's analysis is available alongside the accounts in the review.
If an account set is reassigned to a different reviewer mid-cycle, Ploy regenerates Luna's suggestions for the new reviewer's context.
How Luna makes recommendations
Luna analyses each account using all the information Ploy has about it:
The employee's profile (department, job title, tenure, manager)
The resource being reviewed (what kind of app it is, what the access level means)
Access history (when access was granted, when it was last used)
Entitlement details (what specific permissions the account holds)
Usage data (if available — how actively the account is used)
Based on this analysis, Luna places each account into one of three buckets:
Auto-approve
Accounts where the signals consistently suggest access is appropriate. Examples: employee actively uses the app, the access level matches their job function, they've been in the role for a reasonable time, no unusual patterns.
Luna provides a reasoning summary for each auto-approve suggestion — reviewers can read why Luna is recommending approval, not just what it's recommending.
Auto-reject
Accounts where the signals suggest access is not appropriate. Examples: account hasn't been used in many months, the access level appears elevated relative to the employee's role, access was granted a long time ago and there's no recent usage.
Again, Luna provides reasoning — reviewers can see the specific signals that triggered the recommendation.
Needs review
Accounts where Luna doesn't have high enough confidence to make a clear recommendation. These are flagged for the reviewer's attention — they may have conflicting signals, missing data, or involve unusual access patterns that require human judgment.
How reviewers interact with Luna suggestions
In the employee portal, Luna's recommendation appears next to each account in the review table. Reviewers can:
Accept the suggestion — apply Luna's recommendation as their decision with one click
Override the suggestion — choose a different outcome and record their own reasoning
Bulk-accept suggestions — select all accounts where Luna recommends auto-approve and apply them in one action, which is particularly useful for large reviews
Accepting a Luna suggestion doesn't mean bypassing the review — the reviewer's decision (informed by Luna) is still recorded, and the reviewer is still responsible for the decision. Luna is a recommendation, not an automation.
Luna's evidence analysis
Evidence files you upload to a review — PDFs, spreadsheets, screenshots — are stored and attached to the review record, and image-format evidence is embedded directly into the compliance certificate. However, Luna's recommendations are generated from structured account data (employment status, usage patterns, access levels, role alignment, entitlement details) rather than from reading uploaded document files. If you have specific access decisions that require document context, include your reasoning in the notes field alongside your decision — this becomes part of the permanent record.
What reviewers should know about accepting Luna suggestions
A few important points:
Accepting a suggestion is not bypassing the review. The reviewer's decision — whether they agreed with Luna or overrode it — is what gets recorded. Luna assists; the reviewer is responsible.
Luna can be wrong. The auto-approve bucket is Luna's best guess, not a guarantee. Reviewers should scan even the auto-approve list and override where their knowledge contradicts the signal.
Luna's reasoning is always visible. Before accepting or rejecting a suggestion, reviewers can read exactly what signals drove it. "Last accessed 11 months ago, access level exceeds job role" is more useful than just a "reject" label.
Needs-review accounts deserve attention. Luna deliberately withholds a recommendation when the signals are mixed or data is incomplete. These are the accounts most likely to contain genuine access problems or unusual situations.
For admins: Luna and reviewer accountability
Luna suggestions are generated per account set, which means each reviewer gets recommendations tailored to the specific accounts they're responsible for. Admins can see — in the review detail view — which accounts had Luna suggestions and how reviewers responded (accepted or overrode), giving visibility into where human judgment diverged from the AI's read.