Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-12 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claims do not fall within at least one of the four categories of patent eligible subject matter.
Independent claim 1 is directed towards a “system.” This is clearly not a process, manufacture, or composition of matter. However it also does not appear to be a machine. Despite being claimed as a system, no hardware elements – such as a processor and memory – are claimed. Each of the objects disclosed in points a)-e) appear to be software elements. Because there is no claimed hardware and the system cannot be a machine and because the claims do not fit within any other statutory category, the claims are rejected under 35 USC 101 as being directed towards non-statutory subject matter. Dependent claims 2-12 are similarly rejected as being directed towards a system without hardware, and thus non-statutory subject matter.
Claims 1-22 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a mental process without significantly more.
Representative claim 1 recites:
A system for managing non-personal accounts (NPAs) within a hybrid IT environment comprising:
a) an orchestration engine configured to coordinate and control the overall NPA management process;
b) a cross-platform discovery engine configured to extract NPA data and attributes from diverse platforms within the hybrid IT environment, utilizing environment-specific methods;
c) an extract, transform, load (ETL) pipeline configured to securely transfer the extracted NPA data and platform data transformations;
d) a centralized data warehouse configured to store and normalize the NPA data from disparate sources, employ de-duplication logic, and integrate with external data sources;
e) an AI-powered insights engine configured to analyze the normalized NPA data and generate insights, recommendations, and compliance guidelines; and
f) a visualization layer configured to present the generated insights and recommendations in a user-friendly format.”
Independent Claims 13 and 22 recite similar subject matter.
This is a mental process because the variously claimed engines appear to be claimed as generic software objects that performs functions of data analyses, management, and transformation. A human being equipped with a generic machine is capable of performing each of functions, such as “extracting NPA data and attributes,” “transforming extracted NPA data,” “normalizing the NPA data,” and “analyzing the normalized NPA data.” The claimed “engines” appear to merely be software “engines” to perform mental processes.
The claims contain additional elements beyond the mental process in the form of a hybrid IT environment, transferring the extracted NPA data, storing the NPA data, and presenting the generated insights. Claim 22 additionally contains a “non-transitory computer-readable medium” as an additional element.
This judicial exception is not integrated into a practical application because the claimed additional elements do not appear to improve the processing of a computer, require the use of a specific machine, effect a transformation or reduction of a particular article to a different state or thing, or provide a technological solution to a technological problem.
The hybrid IT environment and “non-transitory computer-readable medium” are recited at a high level of generality. They appear to be generic computing hardware elements. The recitation of generic hardware is little more than using a computer to perform an abstract idea, see MPEP 2106.05(f)(2). “Transferring the extracted NPA data” appears to be a data gathering step, and is thus mere pre-solution insignificant activity (see MPEP 2106.05(g). Storing the NPA data is similarly insignificant extra-solution activity and is well-known (see MPEP 2106.05(d)(II) and MPEP 2106.05(g)). Presenting an output of a data analysis is insignificant post-solution activity (see MPEP 2106.05(g)(3)).
It is noted that none of the additional elements appear to improve the processing of a computer, require the use of a specific machine, effect a transformation or reduction of a particular article to a different state or thing, or provide a technological solution to a technological problem. As such, none of the additional elements appear to integrate the judicial exception into a practical application.
None of the additional elements are sufficient to amount to significantly more than the judicial exception, in part or in whole.
The recitation of the hybrid IT environment and “non-transitory computer-readable medium” are little more than using a computer to perform an abstract idea, see MPEP 2106.05(f)(2). The additional element of “transferring the extracted NPA data” is merely extra-solution activity data gathering and is well understood, routine, and conventional (see MPEP 2106.05(g)). Storing the NPA data is nothing more than storing data in a memory, which is recognized as well-understood, routine, and conventional (see MPEP 2106.05(d)(II)). Presenting data insights is insignificant extra-solution activity and is well known (see MPEP 2106.05(g)((3).
None of the additional elements, in part or in whole, appear to improve the processing of a computer, require the use of a particular machine, effect a transformation or reduction of a particular article to a different state or thing, or add a specific limitation other than what is well understood, routine, or conventional. As such, none of the additional elements appears to be, in part or in whole, significantly more than the judicial exception.
Dependent claims 2-12 and 14-21 are merely directed towards additional limitations that further define data types, data analyses, data transfer techniques, and details of an LLM model, all at a high level of abstraction that appear to either be mental process steps of further data analysis or insignificant extra solution activity. It is noted that the dependent claims do not include additional elements that incorporate the claimed subject matter into a practical application. The dependent claims also do not include additional elements that, in part or in whole, appear to be significantly more than the abstract idea.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1, 12-13, and 21-22 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
The term “user-friendly” in claims 1, 13, and 22 is a relative term which renders the claim indefinite. The term “user-friendly” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention.
The use of the pronoun “their” in claims 12 and 21 renders the claims unclear because it is not certain exactly which claim elements are being referred to by the term “their.”
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-2, 5, 7-8, 10-14, 17, 19, and 21-22 are rejected under 35 U.S.C. 103 as being unpatentable over Rogynskyy et al. (US Pre-Grant Publication 2023/0053049) in view of Belgi et al. (US Pre-Grant Publication 2025/0260707).
As to claim 1, Rogynskyy teaches a system for managing non-personal accounts (NPAs) within a hybrid IT environment comprising:
a) an orchestration engine configured to coordinate and control the overall NPA management process (see Rogynskyy paragraphs [0413]-[0422] generally. Rogynskyy describes a system for discovering, coordinating, and centralizing data about different companies. Paragraph [0416] discusses how data may be extracted from multiple different data source providers to identify company account record objects. “Company accounts” are NPAs);
b) a cross-platform discovery engine configured to extract NPA data and attributes from diverse platforms within the hybrid IT environment … (see Rogynskyy paragraph [0416]. Rogynskyy extracts data from “different data source providers (for example, enterprises)”. Paragraph [0064] discusses the generation of a “node graph,” as described in paragraphs [0416]-[0422], and states how there are a plurality of data sources. Paragraphs [0053], [0073], and [0078] indicate that the plurality of data sources can include multiple distinct servers and multiple entities. Thus, Rogynskyy shows NPA data that is extracted from “diverse platforms” (multiple servers) within a hybrid IT environment);
c) an extract, transform, load (ETL) pipeline configured to securely transfer the extracted NPA data and platform data transformations (see Rogynskyy paragraphs [0077] for formatting ingested values included in the fields. This is performing “platform data transformations.” It is noted that the enterprise node generation described in [0413]-[0422] uses techniques “similar to how member node profiles are generated and updated as described above”) ;
d) a centralized data warehouse configured to store and normalize the NPA data from disparate sources, employ de-duplication logic, and integrate with external data sources (see Rogynskyy paragraphs [0077] and [0087]. Rogynskyy normalizes NPA data and stores the data in a standardized node graph with data from the external data sources, see [0413]-[0422]. As noted in [0202] and [0389], Rogynskyy performs deduplication on node data);
e) an AI-powered insights engine configured to analyze the normalized NPA data and generate insights, recommendations, and compliance guidelines (see paragraph [0129]. A tagging engine may generate insights associated with confidence scores. It is noted that the tagging engine may rely on machine learning models, or be “AI-powered,” see [0327]. The system may identify compliance, see [0164]. Additionally, the system of Rogynskyy contains a recommendation engine (see [0427]) that relies on a machine learning model, see [0433]).
Rogynskyy does not explicitly show:
[Extracting data] utilizing environment-specific methods;
f) a visualization layer configured to present the generated insights and recommendations in a user-friendly format.
Belgi teaches:
[Extracting data] utilizing environment-specific methods (see Belgi paragraph [0034]. Incident reports are generated and delivered to a user. The incident reports contain lists of insight information and recommendations, such as corrective, mitigation, or remedial actions regarding incidents. It is noted that an LLM is used to generate the incident report, see paragraphs [0037]-[0038]);
f) a visualization layer configured to present the generated insights and recommendations in a user-friendly format (see Belgi paragraph [0053]. The incident reports may be output to a user. As noted above, the incident reports contain data and descriptions. As noted in paragraph [0014], the incident reports are designed to be written in a way that a user can understand, and are thus user-friendly).
It would have been obvious to one of ordinary skill in the art before the earliest filing date of the invention to have modified Rogynskyy by the teachings of Belgi because both references are directed towards analyzing organizational data and producing reports of the analyzed data. The teachings of Belgi provide to a user of Rogynskyy the ability to monitor for threats at an organization and suggest ways to confront and mitigate those threats, which will improve the security of the organizations monitored in Rogynskyy.
As to claim 2, Rogynskyy as modified teaches the system of claim 1, wherein the orchestration engine is further configured to schedule and execute the discovery processes, data transformations, and insights generation (see Rogynskyy paragraph [0073] and [0078] and [0420] for scheduling discovery and transformations. See Rogynskyy paragraph [0129] for scheduling insights made with data tagging).
As to claim 5, Rogynskyy as modified teaches the system of claim 1, wherein the centralized data warehouse is further configured to integrate with a configuration management database to enrich NPA profiles with contextual information (see Rogynskyy paragraph [0417]).
As to claim 7, Rogynskyy as modified by Belgi teaches the system of claim 1, wherein the AI-powered insights engine is further configured to employ a large language model (LLM) to analyze the normalized NPA data and generate insights (see Belgi paragraphs [0037]-[0038] and [0051]. LLMs are employed to analyze organizational data and present incident reports containing insights to a user).
As to claim 8, Rogynskyy as modified by Belgi teaches the system of claim 7, wherein the AI-powered insights engine is further configured to generate security risk assessments by identifying misconfigured or vulnerable NPAs based on the organization's risk tolerance and security policies (see Belgi paragraph [0059]. The analysis conducted on an organization may be configured based on the type of organization to identify security risks relevant to the organization. This identifies vulnerabilities in the organizational accounts based on the organization specific risks and security policies).
As to claim 10, Rogynskyy as modified by Belgi teaches the system of claim 7, wherein the AI-powered insights engine is further configured to provide compliance optimization guidance by analyzing the NPA data in the context of relevant security regulations and standards (see Belgi paragraph [0059]. The type of organization affects the security regulations and standards relevant to that organization. Belgi helps a user to identify risks and comply with organizational security standards).
As to claim 11, Rogynskyy as modified by Belgi teaches the system of claim 7, wherein the AI-powered insights engine is further configured to perform root cause analysis of non-compliance or security incidents by identifying underlying patterns and issues contributing to the observed issues (see Belgi paragraph [0034]. Incidents may be analyzed for non-compliance. Belgi also identifies causes and ways to mitigate security issues).
As to claim 12, Rogynskyy as modified teaches the system of claim 1, wherein the visualization layer is further configured to integrate with existing identity and lifecycle management (ILM) tools, extending their functionality to encompass NPA management (see Rogynskyy paragraph [0415]. The NPA management system works alongside member node profile systems, which is an existing identity and lifecycle management tool in Rogynskyy).
As to claims 13 and 22, see the rejection of claim 1.
As to claim 14, see the rejection of claim 2.
As to claim 17, see the rejection of claim 5.
As to claim 19, see the rejection of claim 7.
As to claim 21, see the rejection of claim 12.
Claims 3-4 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Rogynskyy et al. (US Pre-Grant Publication 2023/0053049) in view of Belgi et al. (US Pre-Grant Publication 2025/0260707), and further in view of Cheng et al. (US Pre-Grant Publication 2024/0054488).
As to claim 3, Rogynskyy as modified teaches the system of claim 1, wherein the cross-platform discovery engine is further configured to utilize OS-specific scripts, platform connectors … from diverse environments, including on-premise systems, cloud providers, and legacy environments (see Rogynskyy paragraphs [0062]-[0063] and [0078] for platform connectors and receiving data from diverse environments. See Belgi paragraph [0026] for receiving OS-specific reports.
Rogynskyy does not teach to use APIs to extract NPA data and mandatory attributes.
Cheng teaches wherein the cross-platform discovery engine is further configured to utilize platform connectors and APIs to extract NPA data and mandatory attributes from diverse environments (see Cheng paragraphs [0018] and [0039]. Paragraph [0018] shows how an extraction system may connect to platforms and use APIs to extract data from organizations).
It would have been obvious to one of ordinary skill in the art before the earliest filing date of the invention to have modified Rogynskyy by the teachings of Cheng because both references are directed towards extracting organizational data. The teachings of Cheng provide to a user of Rogynskyy additional ways to extract enterprise data, which will improve the flexibility of Rogynskyy in connecting to different data sources.
As to claim 4, Rogynskyy as modified teaches the system of claim 1.
Rogynskyy does not teach wherein the ETL pipeline is further configured to employ secure protocols and encryption methods to safeguard the transfer of NPA data from source environments to the centralized data warehouse.
Cheng teaches wherein the ETL pipeline is further configured to employ secure protocols and encryption methods to safeguard the transfer of NPA data from source environments to the centralized data warehouse (see paragraph [0067]).
It would have been obvious to one of ordinary skill in the art before the earliest filing date of the invention to have modified Rogynskyy by the teachings of Cheng because both references are directed towards extracting organizational data. The teachings of Cheng provide to a user of Rogynskyy additional ways to extract enterprise data, which will improve the flexibility of Rogynskyy in connecting to different data sources.
As to claim 15, see the rejection of claim 3.
As to claim 16, see the rejection of claim 4.
Claims 6 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Rogynskyy et al. (US Pre-Grant Publication 2023/0053049) in view of Belgi et al. (US Pre-Grant Publication 2025/0260707), and further in view of Ly et al. (US Patent 11,159,576).
As to claim 6, Rogynskyy as modified teaches the system of claim 1.
Rogynskyy does not teach wherein the centralized data warehouse is further configured to integrate with one or more vault solutions to enhance NPA profiles with relevant secret management data.
Ly teaches wherein the centralized data warehouse is further configured to integrate with one or more vault solutions to enhance NPA profiles with relevant secret management data (see Ly 8:30-58. The system of Ly enhances profiles by storing secret and non-public management data related to the entity).
It would have been obvious to one of ordinary skill in the art before the earliest filing date of the invention to have modified Rogynskyy by the teachings of Ly because both references are directed towards storing organizational data. The teachings of Ly provide to a user of Rogynskyy additional types of data to store and manage, which will improve the ability of Rogynskyy to maintain accurate and useful profiles for an enterprise.
As to claim 18, see the rejection of claim 6.
Claims 9 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Rogynskyy et al. (US Pre-Grant Publication 2023/0053049) in view of Belgi et al. (US Pre-Grant Publication 2025/0260707), and further in view of Berko et al. (US Patent 12,026,204).
As to claim 9, Rogynskyy as modified teaches the system of claim 7.
Rogynskyy does not teach wherein the AI-powered insights engine is further configured to generate proactive recommendations for account management, including account configurations, access controls, and vaulting strategies tailored to the organization's specific environment.
Berko teaches wherein the AI-powered insights engine is further configured to generate proactive recommendations for account management, including account configurations, access controls, and vaulting strategies tailored to the organization's specific environment (see Berko 3:55-61 and 4:40-53. Berko shows an automated incident dispatcher that monitors incidents on a system (3:55-61), wherein the AID makes recommendations for account management, such as access restriction (“access controls”), user account deactivation (“account configurations”), and capturing and saving events (“vaulting strategies) (4:40-53). It is noted that these recommendations rely on AI in the form of neural networks (4:40-53) and are specific to the system environment (see 3:55-61)).
It would have been obvious to one of ordinary skill in the art before the earliest filing date of the invention to have further modified Rogynskyy by the teachings of Berko because both references are directed towards monitoring organizational data. The teachings of Berko provide to a user of Rogynskyy additional ways to monitor enterprise data and report anomalies, which will improve the utility of Rogynskyy in reporting the status of an enterprise.
As to claim 20, Rogynskyy as modified teaches the method of claim 1, wherein generating insights comprises:
a) generating security risk assessments by identifying misconfigured or vulnerable NPAs based on the organization's risk tolerance and security policies (see Belgi paragraph [0059]. The analysis conducted on an organization may be configured based on the type of organization to identify security risks relevant to the organization. This identifies vulnerabilities in the organizational accounts based on the organization specific risks and security policies);
…
c) providing compliance optimization guidance by analyzing the NPA data in the context of relevant security regulations and standards (see Belgi paragraph [0059]. The type of organization affects the security regulations and standards relevant to that organization. Belgi helps a user to identify risks and comply with organizational security standards); and
d) performing root cause analysis of non-compliance or security incidents by identifying underlying patterns and issues contributing to the observed issues (see Belgi paragraph [0034]. Incidents may be analyzed for non-compliance. Belgi also identifies causes and ways to mitigate security issues).
Rogynskyy as modified does not teach:
b) generating proactive recommendations for account management, including account configurations, access controls, and vaulting strategies tailored to the organization's specific environment (see Berko 3:55-61 and 4:40-53. Berko shows an automated incident dispatcher that monitors incidents on a system (3:55-61), wherein the AID makes recommendations for account management, such as access restriction (“access controls”), user account deactivation (“account configurations”), and capturing and saving events (“vaulting strategies) (4:40-53). It is noted that these recommendations rely on AI in the form of neural networks (4:40-53) and are specific to the system environment (see 3:55-61)).
It would have been obvious to one of ordinary skill in the art before the earliest filing date of the invention to have further modified Rogynskyy by the teachings of Berko because both references are directed towards monitoring organizational data. The teachings of Berko provide to a user of Rogynskyy additional ways to monitor enterprise data and report anomalies, which will improve the utility of Rogynskyy in reporting the status of an enterprise.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHARLES D ADAMS whose telephone number is (571)272-3938. The examiner can normally be reached M-F, 9-5:30 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neveen Abel-Jalil can be reached at 571-270-0474. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHARLES D ADAMS/ Primary Examiner, Art Unit 2152