CPC H04L 63/20 (2013.01) [H04L 63/0263 (2013.01); H04L 63/0876 (2013.01); H04L 63/102 (2013.01)] | 18 Claims
1. A computing system comprising:
one or more processors; and
one or more memories having stored therein instructions that, upon execution by the one or more processors, cause the computing system to perform operations comprising:
selecting an identity set from an identity pool of an identity management service, wherein the identity set includes only identities in the identity pool that have greater than a threshold quantity of unnecessary permissions in relation to each individual existing managed policy provided by the identity management service;
clustering the identity set into a plurality of identity clusters, wherein the clustering is performed based at least in part on a plurality of services accessed by the identity set, and wherein the clustering comprises executing a clustering algorithm that estimates a probability that each service of the plurality of services and each identity of the identity set is associated with each identity cluster of the plurality of identity clusters;
generating a plurality of candidate policies, wherein the generating of the plurality of candidate policies comprises generating, for each identity cluster of the plurality of identity clusters, based at least in part on a plurality of policy generation rules, a respective candidate policy; and
selecting at least one candidate policy of the plurality of candidate policies as a new managed policy that is provided by the identity management service to users of the identity management service.
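The four steps of claim 1, as an added toy example in Python that is not part of the patent or any product it describes. The identities, their observed service usage and the two managed policies are constructed; the Bernoulli-mixture EM used to estimate the cluster probabilities, the "include a service when P(service | cluster) > 0.5" rule and the coverage-based selection are assumptions about one way the claimed estimation and policy generation rules could be realised.

```python
import math
import random

# Constructed sample data (not from the patent): services each identity actually used.
IDENTITY_USAGE = {"build-bot": {"s3", "codebuild"}, "ci-runner": {"s3", "codebuild", "ecr"},
                  "deploy-1": {"ec2", "elb"}, "deploy-2": {"ec2", "elb", "cloudwatch"},
                  "admin": {"iam", "s3", "ec2"}, "auditor": {"s3", "cloudwatch", "logs"},
                  "log-reader": {"cloudwatch", "logs"}}
# Existing managed policies offered by the identity service (constructed).
MANAGED_POLICIES = {"ReadOnly": {"s3", "cloudwatch", "logs"},
                    "PowerUser": {"s3", "ec2", "elb", "codebuild", "ecr", "cloudwatch", "lambda", "sqs"}}

def select_identity_set(usage, policies, threshold):
    """Step 1: keep identities with more than `threshold` unused grants under EVERY existing policy."""
    return {i for i, used in usage.items() if all(len(p - used) > threshold for p in policies.values())}

def soft_cluster(usage, identity_set, k, iters=50, seed=0):
    """Step 2: EM for a Bernoulli mixture (assumed): P(cluster | identity) and P(service | cluster)."""
    ids = sorted(identity_set)
    services = sorted(set().union(*(usage[i] for i in ids)))
    X = [[s in usage[i] for s in services] for i in ids]
    rng = random.Random(seed)
    theta = [[rng.uniform(0.3, 0.7) for _ in services] for _ in range(k)]  # P(service j | cluster c)
    pi = [1.0 / k] * k                                                       # P(cluster c)
    for _ in range(iters):
        resp = []  # E-step: resp[i][c] = P(cluster c | identity i)
        for x in X:
            ll = [math.log(pi[c]) + sum(math.log(t if u else 1 - t) for t, u in zip(theta[c], x)) for c in range(k)]
            w = [math.exp(v - max(ll)) for v in ll]
            resp.append([v / sum(w) for v in w])
        for c in range(k):  # M-step, lightly smoothed so no probability reaches exactly 0 or 1
            n = sum(r[c] for r in resp)
            pi[c] = (n + 0.01) / (len(X) + k * 0.01)
            theta[c] = [(sum(r[c] for r, x in zip(resp, X) if x[j]) + 0.1) / (n + 0.2) for j in range(len(services))]
    return ids, services, resp, theta

def generate_candidates(services, theta, existing):
    """Step 3: policy generation rules (assumed), one candidate per cluster."""
    cands = [{s for s, p in zip(services, probs) if p > 0.5} for probs in theta]  # rule: likely-used services
    return [c for c in cands if c and c not in existing.values()]  # rules: drop empty and duplicate policies

def select_new_policy(usage, ids, candidates):
    """Step 4: the candidate that fully covers the most identities (smallest on ties) becomes the new managed policy."""
    return max(candidates, key=lambda c: (sum(usage[i] <= c for i in ids), -len(c)), default=None)

def run_pipeline(threshold=1, k=2):
    ids, services, resp, theta = soft_cluster(IDENTITY_USAGE, select_identity_set(IDENTITY_USAGE, MANAGED_POLICIES, threshold), k)
    candidates = generate_candidates(services, theta, MANAGED_POLICIES)
    return ids, services, resp, candidates, select_new_policy(IDENTITY_USAGE, ids, candidates)
```

With threshold 1, `auditor` (fully fitted by ReadOnly) and `log-reader` (one unused ReadOnly grant) are excluded in step 1, and the remaining identities are clustered and turned into a candidate least-privilege policy.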