Productivity usually flattens because each new admin spends more time reconciling tools, exceptions, and fragmented policy surfaces. At that point, adding people increases coordination overhead faster than it adds control. The practical response is to simplify the operating model first, then automate the repeatable work that remains. A good starting point is to map, and then shrink, the identity blast radius across directories and device stacks: how many places a single account, credential, or device record can be created, changed, or left behind.
Why This Matters for Security Teams
When identity and device management grow faster than IT headcount, the issue is not just staff shortage. It is operational drift: more directories, more endpoint stacks, more exceptions, and more policy surfaces to reconcile by hand. That combination pushes teams away from consistent control and toward reactive administration, which is exactly where misconfigurations, access creep, and delayed offboarding tend to appear.
This matters because identity now sits inside almost every control plane. As NIST Cybersecurity Framework 2.0 emphasizes, governance and asset visibility are not separate from protection; they are prerequisites for it. NHIMG research shows the scale of the problem: Ultimate Guide to NHIs reports that only 5.7% of organisations have full visibility into their service accounts. In practice, that means the team can add administrators and still lose control of the underlying identity estate.
Security teams usually underestimate how quickly manual review becomes the bottleneck once device fleets, cloud tenants, and service accounts all expand at once. Many teams discover privilege sprawl only after an audit, incident, or platform migration has already exposed it.
How It Works in Practice
The practical failure mode is predictable: each new identity platform, MDM layer, and directory integration creates a new place where policy can diverge. When headcount grows slower than the estate, administrators spend less time improving controls and more time reconciling exceptions, approvals, and broken joins between systems. The result is not simply delay. It is inconsistent identity proofing, slow revocation, and unmanaged device trust.
Current guidance suggests simplifying the operating model before adding more process on top. That usually means fewer authoritative sources, clearer ownership, and automation for repeatable tasks such as joiner-mover-leaver events, credential rotation, device enrollment, and conditional access updates. NHIMG’s Top 10 NHI Issues and NHI Lifecycle Management Guide both point to the same operational truth: visibility, lifecycle control, and offboarding matter more than one-off cleanup campaigns.
- Consolidate identity sources so access decisions are made from one policy baseline, not multiple competing records.
- Automate low-risk workflows first, especially account provisioning, device posture checks, and scheduled access review reminders.
- Use risk-based escalation for exceptions so humans only handle cases that truly need judgment.
- Measure backlog, revocation lag, and exception volume, not just ticket closure rates.
This is where zero trust thinking helps: trust should be continuously evaluated, not assumed because a device was once enrolled or a user once approved. The operational goal is to make identity and device state machine-readable enough that small teams can govern large estates without depending on constant manual reconciliation. These controls tend to break down when multiple mergers, legacy directories, and unmanaged endpoints all remain active at the same time because the system has too many sources of truth.
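The reconciliation and measurement described above can be made concrete with a small script. The following is an added example, not code from the original article or from NHIMG: it treats an HR roster as the authoritative source for people, compares it against a directory export and a cloud tenant's service accounts, and emits the drift findings and the metrics the text calls for (exception volume, open revocations, revocation lag). It also applies the risk-based escalation rule: leavers still enabled are auto-remediable, while accounts with no authoritative record and orphaned service accounts go to a human. All three datasets, their field names, and the escalation rules are constructed assumptions for illustration.

```python
"""Reconcile identity records across several sources of truth.

Constructed example (not from the original article). Three inline datasets
stand in for an HR roster (authoritative for people), a directory export,
and a cloud tenant's service accounts. Field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Authoritative HR roster: employment status and, for leavers, the leave date.
HR_ROSTER = {
    "alice": {"status": "active", "left": None},
    "bob":   {"status": "left",   "left": date(2024, 3, 1)},
    "carol": {"status": "left",   "left": date(2024, 3, 20)},
    "dave":  {"status": "active", "left": None},
}

# Directory export: account state as the directory sees it.
DIRECTORY = {
    "alice": {"enabled": True,  "disabled_on": None},
    "bob":   {"enabled": True,  "disabled_on": None},          # leaver, never revoked
    "carol": {"enabled": False, "disabled_on": date(2024, 3, 25)},
    "dave":  {"enabled": True,  "disabled_on": None},
    "eve":   {"enabled": True,  "disabled_on": None},          # no HR record at all
}

# Cloud service accounts, each tagged with a human owner (or not).
SERVICE_ACCOUNTS = {
    "svc-backup": {"owner": "carol"},   # owner has left
    "svc-ci":     {"owner": "alice"},
    "svc-legacy": {"owner": None},      # nobody owns it
}

# Finding kinds that a machine may remediate without human judgement
# (constructed policy: disabling a confirmed leaver is low risk).
AUTO_REMEDIABLE = {"leaver_still_enabled"}


@dataclass
class Finding:
    kind: str
    subject: str
    detail: str


def reconcile(hr, directory, service_accounts, today):
    """Compare each non-authoritative source against HR and collect drift."""
    findings, lags = [], []
    for uid, acct in directory.items():
        person = hr.get(uid)
        if person is None:
            findings.append(Finding("no_authoritative_record", uid,
                                    "directory account with no HR record"))
            continue
        if person["status"] == "left":
            if acct["enabled"]:
                lag = (today - person["left"]).days
                lags.append(lag)
                findings.append(Finding("leaver_still_enabled", uid,
                                        f"{lag} days since leaving"))
            elif acct["disabled_on"] is not None:
                # Revoked, but record how long it took for the lag metric.
                lags.append((acct["disabled_on"] - person["left"]).days)
    for name, sa in service_accounts.items():
        owner = sa["owner"]
        if owner is None:
            findings.append(Finding("unowned_service_account", name, "no owner tag"))
        elif hr.get(owner, {}).get("status") != "active":
            findings.append(Finding("orphaned_service_account", name,
                                    f"owner {owner} is not an active employee"))
    return findings, lags


def metrics(findings, lags):
    """The numbers the text says to track instead of ticket closure rates."""
    return {
        "exception_volume": len(findings),
        "open_revocations": sum(f.kind == "leaver_still_enabled" for f in findings),
        "max_revocation_lag_days": max(lags) if lags else 0,
        "mean_revocation_lag_days": round(sum(lags) / len(lags), 1) if lags else 0.0,
    }


def triage(findings):
    """Split findings into machine-remediable and human-review queues."""
    auto = [f for f in findings if f.kind in AUTO_REMEDIABLE]
    human = [f for f in findings if f.kind not in AUTO_REMEDIABLE]
    return auto, human


if __name__ == "__main__":
    found, lag_days = reconcile(HR_ROSTER, DIRECTORY, SERVICE_ACCOUNTS, date(2024, 4, 1))
    for f in found:
        print(f"{f.kind:26} {f.subject:12} {f.detail}")
    print(metrics(found, lag_days))
    auto, human = triage(found)
    print(f"auto-remediate: {[f.subject for f in auto]}, human review: {[f.subject for f in human]}")
```

On the sample data this reports bob as a leaver still enabled 31 days after leaving, eve as a directory account with no authoritative record, svc-backup as orphaned and svc-legacy as unowned; the revocation lag metric also counts carol's five-day lag even though her account was eventually disabled. Only bob's account lands in the auto-remediation queue; the other three need a human because the right fix is not obvious from the data alone.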
Common Variations and Edge Cases
Tighter identity control often increases short-term administrative overhead, requiring organisations to balance stronger governance against migration effort and user disruption. That tradeoff is real, especially in environments with legacy applications, shared accounts, air-gapped devices, or regulated operational technology.
Best practice is evolving, but the general pattern is clear. In highly distributed environments, device management and identity management cannot be treated as separate domains because each amplifies the other. If device trust is weak, identity controls inherit that weakness. If identity governance is fragmented, device enrollment and recovery workflows become inconsistent. The same issue appears with third-party administrators, contractors, and service accounts, where standard joiner-mover-leaver processes often do not fit cleanly.
For teams facing rapid scale, the right response is usually to reduce the number of places where humans must manually approve routine actions, then reserve human review for high-impact exceptions. NHIMG’s Ultimate Guide to NHIs — Why NHI Security Matters Now underscores why this matters across both human and non-human estates: once identities outpace governance, control loss becomes structural rather than temporary.
The exception is environments where regulatory constraints force explicit approval at each step. In those cases, automation still helps, but the design must preserve auditability and segregation of duties rather than chasing speed alone.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-01 (Organizational Context) | Identity sprawl is a governance and scope problem before it is a tooling problem: the estate has to be understood before it can be protected. |
| NIST CSF 2.0 | PR.AA-01 (Identity Management, Authentication and Access Control) | Identities and credentials for users, services, and hardware must be managed by the organisation; that assurance weakens when identity and device management outpace manual review capacity. |
| OWASP Non-Human Identity Top 10 | NHI1 (Improper Offboarding) | Manual offboarding fails when non-human and machine identities grow faster than administration, leaving orphaned credentials active. |
Define identity and device ownership clearly, then align scale decisions to governance boundaries.