Insufficient attention has been given to enterprise Identity and Access Management (IAM) as a process that needs to be carried out on a continuing basis in the presence of change and evolution. In particular, there is little formal support for how IAM can exploit the experience an enterprise collects over time. This project is developing a lifecycle model of IAM called Experience Based Access Management (EBAM) that provides a set of models, techniques, and tools to reconcile differences between the "ideal" access model, as judged by high-level enterprise, professional, and legal standards, and the "enforced" access control, specific to the operational IAM system. The principal component of an EBAM support system is an "expected" access model that is used to represent differences between the ideal and enforced models based on information collected from access logs and other operational information. The project is developing and validating an approach to the expected model that uses probabilistic information to inform the design of access rules. The project focuses on EBAM for hospital information systems, since these are an especially important class of enterprise systems that present diverse and interesting challenges but also provide potential insight into similar issues in other types of enterprise IAM systems. The team consists of specialists in cyber security and biomedical informatics, together with a physician who serves as chief medical information officer within a major hospital system. The project will demonstrate how analysis of clinical experience can address gaps between ideal and enforced access control models in a representative hospital.