How should teams replace manual access requests with governed IGA workflows?

Start by centralising request, approval, provisioning, and removal into one governed process so every entitlement has a clear owner and audit trail. Use policy to decide who can approve which access, then automate the lifecycle steps so human review is reserved for exceptions and high-risk access rather than every routine request.

Why This Matters for Security Teams

Manual access requests create delay, inconsistent approval paths, and weak evidence for audit and incident response. In identity governance and administration, the real failure is not the request form itself but the lack of policy-backed workflow behind it. When entitlements are approved ad hoc, teams lose visibility into who approved what, why it was granted, and when it should be removed.

For NHI-heavy environments, that problem compounds quickly because service accounts, API keys, and integration tokens often outnumber human identities. NHI Mgmt Group’s Ultimate Guide to NHIs notes that NHIs outnumber human identities by 25x to 50x in modern enterprises, which makes manual handling unsustainable. This is also where the access layer should align with the broader control expectations in NIST Cybersecurity Framework 2.0 and the identity failure patterns described in the OWASP Non-Human Identity Top 10.

In practice, many security teams discover overprovisioned access only after a review, outage, or leak has already exposed how much was being approved outside governance.

How It Works in Practice

A governed IGA workflow replaces email chains and ticket-only approvals with a controlled lifecycle: request, policy evaluation, approval, provisioning, certification, and removal. The key change is that the workflow decides whether a request is routine enough to automate or risky enough to route for human review. That is where policy-as-code becomes essential, because access decisions should be based on role, resource sensitivity, business context, and separation-of-duties rules rather than individual judgment.

For human identities, this means mapping entitlements to approved access packages and using RBAC where it fits. For NHIs, the same workflow should bind access to workload purpose and ownership, then ensure the credential or entitlement is time-bound and reviewable. The Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because lifecycle control matters as much as initial approval. NHI Mgmt Group also highlights that only 20% of organisations have formal offboarding and revocation processes for API keys, so removal must be designed into the workflow, not treated as a separate cleanup task.

  • Define access packages that group common entitlements by job, system, or workload.
  • Use policy to determine who can approve which request, and under what conditions.
  • Automate provisioning and deprovisioning through connected systems of record.
  • Trigger recertification on a fixed cadence for privileged or sensitive access.
  • Escalate only exceptions, high-risk requests, or SoD conflicts to manual review.

Best practice is to keep the approval path simple for low-risk access and strict for privileged access, while preserving a full audit trail from request through removal. These controls tend to break down when entitlement catalogs are incomplete or application owners do not maintain authoritative data, because the workflow then automates bad decisions faster than a manual process would.

Common Variations and Edge Cases

Tighter workflow control often increases friction for users and approvers, so organisations need to balance speed against assurance. That tradeoff is especially visible when access is temporary, emergency, or tied to production support, where waiting for a multi-step approval chain can create operational risk of its own.

Current guidance suggests handling these cases with narrow exceptions rather than weakening the standard process. For example, emergency access can be time-boxed, fully logged, and subject to post-event review. Similarly, routine access for low-risk systems can be auto-approved if the requester meets policy conditions, while privileged access still requires stronger review. The Top 10 NHI Issues is a useful reminder that mismanaged privileges and poor lifecycle discipline remain common failure modes, not edge cases.

There is no universal standard for this yet, but teams generally get better outcomes when they treat IGA as a governed control plane rather than a request queue. That is also the right lens for audit readiness under the Ultimate Guide to NHIs — Regulatory and Audit Perspectives, where evidence quality matters as much as access outcome. If the workflow cannot explain who approved access, on what basis, and when it will be removed, it is not governed enough.
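To make the policy-evaluation step described above and the emergency exception concrete, here is an added example (not code from this page, NHI Mgmt Group, or any IGA product) of a small policy-as-code evaluator in Python. The resource sensitivity levels, approver roles, separation-of-duties pair, TTL limits and fixed clock are constructed placeholders; each decision returns an audit record stating who approves, on what basis, and when the access expires.

```python
"""Policy-as-code evaluator for governed access requests (added illustrative example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy data for illustration; not taken from the page or any IGA product.
SENSITIVITY = {"wiki": "low", "crm": "medium", "prod-db": "high"}
REVIEWER_FOR = {"medium": "app-owner", "high": "security"}   # low risk: no human review
SOD_CONFLICTS = [frozenset({"payments:create", "payments:approve"})]
MAX_NHI_TTL = timedelta(days=90)        # NHI entitlements must be time-bound
EMERGENCY_TTL = timedelta(hours=4)      # break-glass access is short and reviewed afterwards
EXAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed fixed clock

@dataclass
class AccessRequest:
    requester: str
    identity_type: str                  # "human" or "nhi"
    resource: str
    entitlements: frozenset
    owner: Optional[str] = None         # accountable owner, mandatory for NHIs
    existing: frozenset = frozenset()   # entitlements already held on the resource
    ttl: Optional[timedelta] = None     # requested validity; None means standing access
    emergency: bool = False

def evaluate(req: AccessRequest, now: datetime) -> dict:
    """Return an audit record: the decision, its basis, who must approve, and expiry."""
    record = {"requester": req.requester, "resource": req.resource, "at": now.isoformat()}
    held = req.existing | req.entitlements
    for pair in SOD_CONFLICTS:           # SoD conflicts always go to a human, even in emergencies
        if pair <= held:
            return {**record, "decision": "review", "approver": "security",
                    "basis": f"separation-of-duties conflict {sorted(pair)}"}
    if req.identity_type == "nhi" and not req.owner:
        return {**record, "decision": "review", "approver": "security",
                "basis": "NHI request has no accountable owner"}
    ttl = req.ttl
    if req.identity_type == "nhi":       # never grant standing or over-long NHI access
        ttl = min(ttl or MAX_NHI_TTL, MAX_NHI_TTL)
    if req.emergency:                    # narrow exception: time-boxed, logged, reviewed later
        return {**record, "decision": "approve", "approver": "policy",
                "basis": "emergency access, post-event review required",
                "post_event_review": True, "expires_at": (now + EMERGENCY_TTL).isoformat()}
    level = SENSITIVITY.get(req.resource, "high")   # unknown resources are treated as high risk
    expires = (now + ttl).isoformat() if ttl else None
    if level == "low":
        return {**record, "decision": "approve", "approver": "policy",
                "basis": "low-sensitivity resource, policy conditions met", "expires_at": expires}
    return {**record, "decision": "review", "approver": REVIEWER_FOR[level],
            "basis": f"{level}-sensitivity resource requires human approval", "expires_at": expires}
```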

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Access is granted only through governed approvals and policy checks.
OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle and revocation control are central to replacing manual access handling.
OWASP Non-Human Identity Top 10 | NHI-05 | Weak entitlement visibility is a core reason manual IGA requests fail.

Route every access request through a policy-backed workflow with documented approval criteria.