
Why do legacy IGA platforms create governance blind spots in cloud environments?

Because they depend on proprietary integrations, manual updates, and periodic syncs that cannot keep pace with SaaS expansion and rapid role change. By the time access is reviewed, the identity picture may already be stale. That makes blind spots a data freshness problem as much as a policy problem.

Why This Matters for Security Teams

Legacy IGA platforms were built for slower identity cycles, not cloud estates where SaaS apps, service accounts, and machine credentials appear and disappear continuously. The governance gap is not only about missing connectors. It is about stale identity state, delayed certifications, and policies that assume access changes can be reviewed after the fact. NIST Cybersecurity Framework 2.0 treats identity governance as an ongoing protection function, which is closer to cloud reality than periodic review workflows.

NHIMG’s research shows the operational consequence clearly: in The 2024 Non-Human Identity Security Report, 88.5% of organisations said their non-human IAM practices lag behind or merely match their human IAM efforts. That gap matters because cloud governance failures usually begin with incomplete visibility, then spread into overprovisioned access, orphaned accounts, and approvals that no longer reflect active workloads. In practice, many security teams discover the blind spot only after a cloud role has already outlived the business process that created it.

How It Works in Practice

Legacy IGA tools usually depend on periodic scans, predefined system connectors, and workflow approvals tied to human role change events. In cloud environments, that model breaks because identity is no longer a static record. A single business service can include SaaS admin users, API tokens, CI/CD runners, ephemeral containers, and delegated permissions across multiple tenants. If the platform cannot ingest those identities quickly and normalize them consistently, the governance view becomes a snapshot rather than a control surface.

Current best practice is to treat IGA as one input to continuous identity governance, not the whole answer. Teams increasingly pair IGA with workload identity telemetry, cloud-native entitlement discovery, and policy-as-code so access decisions are evaluated from current context rather than a monthly certification cycle. That aligns with the identity lifecycle emphasis in Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs and the broader control concerns captured in Top 10 NHI Issues.

  • Use continuous discovery for cloud entitlements, not only scheduled imports.
  • Classify human and non-human identities separately, because their risk and lifecycle differ.
  • Automate deprovisioning for cloud roles, secrets, and service accounts when workloads retire.
  • Feed access reviews with runtime evidence, not just directory records.

Where this guidance breaks down is in heavily federated multi-cloud environments with fragmented ownership, because connector coverage, naming drift, and shared platform admin roles can prevent a single authoritative identity view from being assembled in time.
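The discovery-and-reconcile loop described above, as an added Python example that is not code from the original page or from any IGA product: it diffs a constructed IGA export against a constructed cloud entitlement inventory, normalises principal names to absorb naming drift, separates human from non-human principals, and flags unmanaged, stale and dormant non-human access for the review queue. The record field names, the e-mail-based classification rule and the 30-day dormancy threshold are assumptions.

```python
"""Reconcile a periodic IGA export against live cloud entitlement evidence.
Added example; all records below are constructed sample data."""
from datetime import datetime, timedelta, timezone

# Constructed: what the IGA platform believes as of its last scheduled sync.
IGA_EXPORT = [
    {"principal": "alice@corp.example", "entitlement": "prod-admin"},
    {"principal": "Tenant-A/ci-runner", "entitlement": "deploy"},      # note the case drift
    {"principal": "tenant-a/legacy-etl", "entitlement": "s3-write"},   # workload already retired
]
# Constructed: runtime evidence from cloud-native entitlement discovery.
CLOUD_INVENTORY = [
    {"principal": "alice@corp.example", "entitlement": "prod-admin", "last_used": "2024-06-01T10:00:00Z"},
    {"principal": "tenant-a/ci-runner", "entitlement": "deploy", "last_used": "2024-06-02T08:00:00Z"},
    {"principal": "tenant-a/ci-runner", "entitlement": "kms-admin", "last_used": "2024-04-01T08:00:00Z"},
    {"principal": "tenant-b/marketplace-app", "entitlement": "tenant-admin", "last_used": "2024-05-30T12:00:00Z"},
]
NOW = datetime(2024, 6, 3, tzinfo=timezone.utc)   # fixed clock so results are reproducible
DORMANT_AFTER = timedelta(days=30)                # assumed threshold for unused non-human access

def norm(principal: str) -> str:
    """Collapse naming drift (case, whitespace) so both sources key the same identity."""
    return principal.strip().lower()

def classify(principal: str) -> str:
    """Assumed convention: human principals look like e-mail addresses, everything else is non-human."""
    return "human" if "@" in principal else "non-human"

def reconcile(iga, cloud, now=NOW):
    """Return (finding, principal, entitlement) tuples for the access review queue."""
    iga_keys = {(norm(r["principal"]), r["entitlement"]) for r in iga}
    cloud_keys = {(norm(r["principal"]), r["entitlement"]) for r in cloud}
    findings = []
    # Granted outside the IGA process (IaC, marketplace grant, self-service): IGA never saw it.
    for p, e in sorted(cloud_keys - iga_keys):
        findings.append(("unmanaged", p, e))
    # IGA still lists it but the cloud no longer has it: a stale record that certification would review anyway.
    for p, e in sorted(iga_keys - cloud_keys):
        findings.append(("stale", p, e))
    # Non-human access that exists but has not been exercised: deprovisioning candidate.
    for r in cloud:
        p = norm(r["principal"])
        last = datetime.fromisoformat(r["last_used"].replace("Z", "+00:00"))
        if classify(p) == "non-human" and now - last > DORMANT_AFTER:
            findings.append(("dormant", p, r["entitlement"]))
    return findings

if __name__ == "__main__":
    for finding in reconcile(IGA_EXPORT, CLOUD_INVENTORY):
        print(*finding)
```

Run against real exports, the "unmanaged" and "dormant" rows are the runtime evidence the bullet list asks reviewers to see, and the "stale" rows are the ghosts a periodic certification would otherwise re-approve.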

Common Variations and Edge Cases

Tighter governance usually increases integration overhead, so security teams must balance coverage against operational friction. That tradeoff becomes most visible when cloud access is created outside the IGA process, such as through infrastructure-as-code, app marketplace grants, or developer self-service. In those cases, the platform may be “working” while still missing the most dangerous permissions.

Best practice is evolving, and there is no universal standard for how much governance should live in IGA versus cloud-native controls. For some organisations, the right answer is to let IGA remain the system of record for human access while delegating machine and workload governance to purpose-built controls with shorter refresh cycles. For others, IGA still matters for attestations and audit evidence, but only if it is fed by near-real-time identity inventory and entitlement data. The governance challenge is especially visible in the breach patterns discussed in Snowflake breach and Azure Key Vault privilege escalation exposure, where access visibility and secret handling were part of the problem space.

In cloud-native estates with fast ephemeral workloads, federated SaaS sprawl, and delegated admin rights, legacy IGA tends to miss the identities that change fastest because its control model was never designed for runtime-scale governance.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | Addresses access permissions governance and least privilege in changing cloud estates.
OWASP Non-Human Identity Top 10 | NHI-03 | Relevant to stale or overlong non-human access credentials that IGA may miss.
NIST AI RMF | (framework-level) | Useful for governance of dynamic, automated identity decisions in cloud operations.

Continuously reconcile cloud entitlements to PR.AC-4 instead of relying on periodic certification alone.