Access governance tools fail because no single platform can enforce accurate decisions if its view of entitlement state is incomplete or stale. When HR, directories, SaaS apps, and manual processes all hold different versions of access truth, reviews become inconsistent and revocation lags. The control gap is usually reconciliation, not authentication.
Why This Matters for Security Teams
Access governance fails fastest when identity truth is fragmented. If HR says a user left, the directory still shows active group membership, a SaaS app keeps a local entitlement copy, and a manual exception lives in email, no review workflow can produce a reliable decision. That is why identity governance becomes a reconciliation problem before it is an access-control problem. For non-human identities, the stakes are higher because service accounts and API keys often exist outside normal joiner-mover-leaver processes, which is why the Ultimate Guide to NHIs stresses that visibility and lifecycle control are foundational, not optional.
Industry guidance points in the same direction. The NIST Cybersecurity Framework 2.0 treats identity governance as an ongoing function, not a periodic audit event, while the OWASP Non-Human Identity Top 10 highlights how stale secrets, orphaned identities, and inconsistent ownership create exploitable gaps. NHIMG research shows only 5.7% of organisations have full visibility into their service accounts, which is exactly the kind of blind spot that causes access reviews to miss real exposure. In practice, many security teams encounter revocation failures only after a breach or audit finding has already exposed the drift.
How It Works in Practice
Access governance tools depend on authoritative inputs. They can only certify or revoke what they can see and reconcile. When identity data is spread across HR systems, LDAP or cloud directories, SaaS admin consoles, ticketing workflows, and spreadsheets, the tool becomes a reporting layer over conflicting records rather than a source of truth. The practical issue is not authentication strength; it is whether the system can reconcile entitlement state quickly enough to support a defensible decision.
Effective programmes usually combine three controls:
- Authoritative sources for identity status, ownership, and lifecycle events, with clear precedence rules.
- Continuous reconciliation across directories, apps, and secret stores so stale entitlements are detected between reviews.
- Automated revocation or quarantine when ownership is unknown, the source is missing, or the last sync is stale.
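The three controls above, worked through as a snapshot reconciliation pass. This is an added example, not NHIMG tooling or any vendor's product: the source names (hr, directory, saas, secret_store), the per-attribute precedence order, the 24-hour staleness window and the sample records are all assumptions constructed to show one identity per outcome (revoke, quarantine on stale sync, quarantine on unknown owner, certify).

```python
"""Snapshot reconciliation of entitlement state across fragmented sources.

Added example, not NHIMG tooling. Source names, field names, the precedence
order and the 24-hour staleness window are assumptions; the records below
are constructed so that each identity exercises one outcome.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
MAX_SYNC_AGE = timedelta(hours=24)                       # assumption: older syncs count as stale

# Precedence rule per attribute: the first listed source that carries a value wins.
# HR is authoritative for human lifecycle status; the secret store for NHI ownership.
PRECEDENCE = {
    "status": ("hr", "directory", "saas"),
    "owner": ("hr", "secret_store", "saas"),
}


@dataclass
class SourceRecord:
    source: str
    identity: str
    last_sync: datetime
    status: Optional[str] = None      # "active" | "terminated" | None when the source has no view
    owner: Optional[str] = None
    entitlements: set = field(default_factory=set)


@dataclass
class Decision:
    identity: str
    action: str        # "certify" | "revoke" | "quarantine"
    reason: str
    entitlements: set  # everything any source still grants: the live access path


def is_stale(rec: SourceRecord, now: datetime) -> bool:
    return now - rec.last_sync > MAX_SYNC_AGE


def resolve(records, attr):
    """Pick (value, record) from the highest-precedence source that carries attr."""
    by_source = {r.source: r for r in records}
    for source in PRECEDENCE[attr]:
        rec = by_source.get(source)
        if rec is not None and getattr(rec, attr) is not None:
            return getattr(rec, attr), rec
    return None, None


def decide(identity, records, now=NOW) -> Decision:
    live = set().union(*(r.entitlements for r in records))
    status, status_rec = resolve(records, "status")
    owner, owner_rec = resolve(records, "owner")

    # Missing or stale authoritative status: never certify on a guess.
    if status_rec is None:
        return Decision(identity, "quarantine", "no source reports lifecycle status", live)
    if is_stale(status_rec, now):
        age = now - status_rec.last_sync
        return Decision(identity, "quarantine",
                        f"status from {status_rec.source} is {age.days}d old", live)
    # Authoritative source says gone, but lower-precedence systems still grant access.
    if status == "terminated":
        holders = sorted(r.source for r in records if r.entitlements)
        return Decision(identity, "revoke",
                        f"{status_rec.source} reports terminated; still granted by {', '.join(holders)}", live)
    # Unknown or stale ownership: nobody can attest, so hold rather than certify.
    if owner_rec is None or is_stale(owner_rec, now):
        return Decision(identity, "quarantine", "no fresh owner of record", live)
    return Decision(identity, "certify",
                    f"{status_rec.source} status active; owner {owner} per {owner_rec.source}", live)


def reconcile(records, now=NOW):
    """Group records by identity and decide each one."""
    grouped = {}
    for r in records:
        grouped.setdefault(r.identity, []).append(r)
    return {ident: decide(ident, recs, now) for ident, recs in grouped.items()}


def hours_ago(n):
    return NOW - timedelta(hours=n)


# Constructed sample: one identity per failure mode plus a clean one.
SAMPLE = [
    SourceRecord("hr", "alice", hours_ago(1), status="terminated", owner="mgr-dan"),
    SourceRecord("directory", "alice", hours_ago(2), status="active", entitlements={"grp-finance-admins"}),
    SourceRecord("saas", "alice", hours_ago(6), status="active", entitlements={"billing:admin"}),
    SourceRecord("hr", "bob", hours_ago(72), status="active", owner="mgr-dan"),   # HR export 3 days old
    SourceRecord("directory", "bob", hours_ago(1), status="active", entitlements={"grp-devs"}),
    SourceRecord("secret_store", "svc-payments", hours_ago(1), entitlements={"api-key:prod-payments"}),
    SourceRecord("saas", "svc-payments", hours_ago(3), status="active"),          # no owner anywhere
    SourceRecord("hr", "carol", hours_ago(1), status="active", owner="mgr-erin"),
    SourceRecord("directory", "carol", hours_ago(1), status="active", entitlements={"grp-devs"}),
]

if __name__ == "__main__":
    for ident, d in reconcile(SAMPLE).items():
        print(f"{ident:13} {d.action:10} {sorted(d.entitlements)}  # {d.reason}")
```

The point the sample makes is that the revoke decision for alice is only possible because the tool sees both the HR status and the entitlements the directory and SaaS app still hold; a tool fed only one of those feeds would either certify her or never see the access at all.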
For NHIs, this often means tracking workload identities, API keys, certificates, and service accounts separately from human users. NHIMG guidance on Lifecycle Processes for Managing NHIs emphasises that offboarding and rotation must be tied to system events, not annual review cycles. Standards bodies are aligned on the direction of travel: the NIST Cybersecurity Framework 2.0 expects ongoing asset and access governance, while OWASP’s NHI guidance pushes teams toward ownership, rotation, and visibility controls. Current guidance suggests the best result comes from making one system authoritative for each identity attribute and using reconciliation to resolve conflicts before certification runs.
These controls tend to break down when business units create local identities and privileges faster than central governance can ingest them, because the access tool only sees the stale record, not the live entitlement path.
Common Variations and Edge Cases
Tighter governance often increases operational overhead, so organisations have to balance speed of provisioning against the cost of more frequent reconciliation. That tradeoff becomes visible in M&A environments, multi-cloud estates, and SaaS-heavy businesses where each platform maintains its own entitlement model.
There is no universal standard for this yet, but several patterns are emerging. First, identity governance tools work better when they are fed event-driven updates from source systems instead of periodic batch exports. Second, orphan detection matters as much as access review because identities without owners tend to bypass revocation workflows. Third, exceptions need expiry dates; otherwise, manual approvals become permanent shadow access.
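The three emerging patterns above (event-driven updates, orphan detection, exceptions with expiry dates) as a small entitlement ledger that consumes source-system events as they arrive. This is an added example and not NHIMG tooling: the event types (hr.terminated, group.added, secret.created, exception.approved), their field names, the 14-day exception ceiling and the event stream itself are assumptions constructed for illustration.

```python
"""Event-driven entitlement ledger with bounded exceptions and orphan detection.

Added example, not NHIMG tooling. Event types, field names and the 14-day
exception ceiling are assumptions; the event stream below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

T0 = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_EXCEPTION_TTL = timedelta(days=14)  # assumption: no manual exception may outlive this


@dataclass
class Grant:
    entitlement: str
    source: str                  # event type that created the grant
    owner: Optional[str]
    expires: Optional[datetime]  # None = standing access from a system of record


class EntitlementLedger:
    def __init__(self):
        self.grants = {}       # identity -> {entitlement: Grant}
        self.terminated = set()
        self.actions = []      # (ts, identity, entitlement, action, reason)

    def _act(self, ts, ident, ent, action, reason):
        self.actions.append((ts, ident, ent, action, reason))

    def _revoke(self, ts, ident, ent, reason):
        self.grants[ident].pop(ent, None)
        self._act(ts, ident, ent, "revoke", reason)

    def ingest(self, ev):
        """Apply one source-system event as it arrives, not at the next batch export."""
        ts, kind, ident = ev["ts"], ev["type"], ev["identity"]
        if kind == "hr.terminated":
            # Leaver event: revoke every grant this ledger knows about immediately.
            self.terminated.add(ident)
            for ent in list(self.grants.get(ident, {})):
                self._revoke(ts, ident, ent, "hr.terminated event")
            return
        ent = ev["entitlement"]
        if ident in self.terminated:
            # Drift: a downstream system granted access after HR said the identity left.
            self._act(ts, ident, ent, "revoke", "grant issued to a terminated identity")
            return
        if kind == "exception.approved":
            expires = ev.get("expires")
            if expires is None or expires > ts + MAX_EXCEPTION_TTL:
                self._act(ts, ident, ent, "reject", "exception lacks a bounded expiry")
                return
            grant = Grant(ent, kind, ev.get("approver"), expires)
        else:  # "group.added", "secret.created": standing access from a system of record
            grant = Grant(ent, kind, ev.get("owner"), None)
            if grant.owner is None:
                self._act(ts, ident, ent, "quarantine", "orphan: no owner recorded at creation")
        self.grants.setdefault(ident, {})[ent] = grant

    def sweep(self, now):
        """Periodic pass for the one thing no event signals: an exception timing out."""
        for ident, ents in self.grants.items():
            for ent, g in list(ents.items()):
                if g.expires is not None and g.expires <= now:
                    self._revoke(now, ident, ent, f"exception expired {g.expires.date()}")

    def held(self, ident):
        return set(self.grants.get(ident, {}))

    def actions_for(self, ident):
        return [(ent, act) for _, who, ent, act, _ in self.actions if who == ident]


def at(**offset):
    return T0 + timedelta(**offset)


# Constructed event stream, out of order on purpose: the ledger sorts by timestamp.
EVENTS = [
    {"ts": at(days=2), "type": "hr.terminated", "identity": "alice"},
    {"ts": at(hours=0), "type": "group.added", "identity": "alice", "entitlement": "grp-finance-admins", "owner": "mgr-dan"},
    {"ts": at(hours=0), "type": "group.added", "identity": "bob", "entitlement": "grp-devs", "owner": "mgr-dan"},
    {"ts": at(hours=1), "type": "exception.approved", "identity": "bob", "entitlement": "prod-db:write",
     "approver": "mgr-dan", "expires": at(days=3)},
    {"ts": at(hours=2), "type": "exception.approved", "identity": "carol", "entitlement": "prod-db:write",
     "approver": "mgr-erin"},                                                   # no expiry: rejected
    {"ts": at(days=1), "type": "secret.created", "identity": "svc-reports", "entitlement": "api-key:reports"},  # no owner
    {"ts": at(days=2, hours=1), "type": "group.added", "identity": "alice", "entitlement": "grp-contractors", "owner": "mgr-dan"},
]


def run(events, sweep_at):
    ledger = EntitlementLedger()
    for ev in sorted(events, key=lambda e: e["ts"]):
        ledger.ingest(ev)
    ledger.sweep(sweep_at)
    return ledger


if __name__ == "__main__":
    for ts, ident, ent, action, reason in run(EVENTS, at(days=4)).actions:
        print(f"{ts:%Y-%m-%d %H:%M} {ident:12} {action:10} {ent:20} {reason}")
```

Note the asymmetry: joiner, mover and leaver events are applied the moment they arrive, so alice's group membership added an hour after her termination is caught at ingest time rather than at the next review, while the sweep exists only for exception expiry, which no upstream system will ever emit an event for.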
NHIMG’s research shows the scale of the problem: only 20% of organisations have formal processes for offboarding and revoking API keys, and 91.6% of secrets remain valid five days after notification. That is why the Top 10 NHI Issues and the 52 NHI Breaches Analysis both reinforce the same lesson: when identity truth is fragmented, governance degrades into after-the-fact cleanup rather than preventive control. In highly distributed environments, that gap is most visible during emergency deprovisioning, when speed matters more than perfect record keeping.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 (the CSF 2.0 successor to CSF 1.1's PR.AC-1) | Identities and credentials for users, services, and hardware are managed by the organisation; identity records must be accurate and reconciled for access decisions. |
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | Fragmented NHI ownership and visibility drive stale access and orphaned secrets. |
| OWASP Non-Human Identity Top 10 | NHI7:2025 Long-Lived Secrets | Stale credentials and delayed revocation are common when identity data is spread out. |
Define authoritative identity sources and reconcile entitlements before certification or revocation.
Related resources from NHI Mgmt Group
- How should security teams prepare data access governance before enabling GenAI tools?
- Who should own access decisions when identity controls are spread across multiple platforms?
- Why do data access governance tools matter for IAM programmes?
- Why do ticketing systems fail as access governance controls?