They need to reconcile in-app changes back into the identity source of record and require those changes to appear in certification, audit, and remediation workflows. If app-native assignments remain outside governance, the organisation is managing only the directory, not the real access model.
Why This Matters for Security Teams
Direct role changes made inside applications create a gap between what the directory says and what people can actually do. If identity teams only govern source-of-record assignments, app-native entitlements drift outside review, approval, and revocation workflows. That makes certification incomplete and audit evidence misleading, especially when privileged access is granted by business apps, SaaS platforms, or custom internal tools.
This is not just an access hygiene issue. NHI Management Group has highlighted that only 5.7% of organisations have full visibility into their service accounts in the Ultimate Guide to NHIs, which is a useful proxy for how often identity teams are managing partial truth rather than the real control plane. The same governance problem appears in app-native human access, where local assignment records, delegated admin paths, and shadow entitlements escape central oversight. Current guidance in the NIST Cybersecurity Framework 2.0 still points practitioners toward continuously knowing who has access, not merely who was granted access in the directory.
In practice, many security teams encounter toxic access and unrevoked privileges only after an audit exception, incident, or application owner dispute has already exposed the mismatch.
How It Works in Practice
The operational answer is to treat in-app changes as governed identity events, not as isolated application administration. When a role is granted, removed, or modified inside an application, that event should flow back into the identity source of record, be normalized to a governed entitlement model, and trigger downstream certification, approval, and remediation steps. Without that reconciliation loop, the organisation is certifying one system while production access lives elsewhere.
Identity teams usually need three controls working together. First, they need authoritative ingestion from the application, via connector, API, event stream, or scheduled reconciliation. Second, they need a canonical entitlement mapping so that local app roles are translated into business-recognisable access packages. Third, they need evidence-grade logging so auditors can see who changed what, when, and under whose approval. This is where the Regulatory and Audit Perspectives section of the Ultimate Guide to NHIs is especially relevant: governance only works when access changes are visible, reviewable, and revocable across the full lifecycle.
- Reconcile app-native roles against the identity source of record on a defined schedule, or in real time where the platform supports events.
- Map local application roles to approved enterprise entitlements so access reviews are understandable to reviewers.
- Require app owners to use approved admin paths, not direct database edits or hidden backdoor functions.
- Feed changes into certification and remediation workflows so orphaned access can be removed quickly.
For large estates, this is usually implemented alongside IGA, PAM, and application governance tooling, but the control objective remains the same: no role change should exist only inside the app if it materially affects access. The Lifecycle Processes for Managing NHIs section shows why lifecycle closure matters for service accounts, and the same principle applies to application-resident entitlements. These controls tend to break down when applications allow unconstrained local admin changes, because there is then no reliable event trail to reconcile back to the identity system.
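The reconciliation loop described above, written out as an added Python example; this is not code from the page or from any IGA product. It assumes a connector or export has already pulled the app's local assignments, and the application name, local roles, users, entitlement model and source-of-record contents are all constructed. Local roles are normalised through a canonical model that records the capabilities each role grants, risk is derived from those capabilities rather than from the role name, drift in either direction becomes a finding with a remediation action, and findings are written to a hash-chained log so a deleted or edited entry is detectable.

```python
"""Reconcile app-native role assignments into the identity source of record.

Added example, not code from the page or any product. The app name, roles,
users, entitlement model and connector payloads below are all constructed.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

# Canonical entitlement model (constructed): (app, local role) -> enterprise
# entitlement plus the capabilities the role actually grants. Risk is derived
# from capabilities, so a harmless-looking name cannot hide an export right.
HIGH_IMPACT_CAPS = {"export", "impersonate", "billing", "approve_workflow", "admin"}
ENTITLEMENT_MODEL = {
    ("finance-app", "viewer"):      {"entitlement": "FIN.ReadOnly",        "caps": {"read"}},
    ("finance-app", "approver"):    {"entitlement": "FIN.PaymentApprover", "caps": {"read", "approve_workflow"}},
    ("finance-app", "report-user"): {"entitlement": "FIN.ReportExport",    "caps": {"read", "export"}},
}


def risk_tier(caps: set[str]) -> str:
    return "high" if caps & HIGH_IMPACT_CAPS else "low"


def reconcile(app, source_of_record, app_assignments, model=ENTITLEMENT_MODEL, now=None):
    """Compare what the app grants with what the source of record says.

    source_of_record: set of (user, entitlement) pairs held by IGA.
    app_assignments: list of {"user", "role"} dicts pulled from the app via
    connector, API or scheduled export. Returns findings, each carrying the
    remediation step the governance workflow should open.
    """
    now = now or datetime.now(timezone.utc)
    app_entitlements = {v["entitlement"] for (a, _), v in model.items() if a == app}
    observed = {}  # (user, entitlement) -> tier, normalised from local roles
    findings = []

    for a in app_assignments:
        spec = model.get((app, a["role"]))
        if spec is None:
            # A role outside the model cannot be certified; that is itself a finding.
            findings.append(_finding("unmapped_role", app, a["user"], a["role"], None, "unknown",
                                     "add role to entitlement model before next certification", now))
            continue
        observed[(a["user"], spec["entitlement"])] = risk_tier(spec["caps"])

    recorded = {(u, e) for (u, e) in source_of_record if e in app_entitlements}

    for (user, ent), tier in observed.items():
        if (user, ent) not in recorded:
            action = ("revoke in app pending emergency approval" if tier == "high"
                      else "open certification item; write back to source of record on approval")
            findings.append(_finding("unrecorded_grant", app, user, None, ent, tier, action, now))

    for (user, ent) in recorded - set(observed):
        findings.append(_finding("stale_record", app, user, None, ent, "n/a",
                                 "source of record claims access the app does not grant; correct the record", now))
    return findings


def _finding(kind, app, user, role, entitlement, tier, action, now):
    return {"kind": kind, "app": app, "user": user, "role": role,
            "entitlement": entitlement, "tier": tier, "action": action,
            "observed_at": now.isoformat()}


def evidence_log(findings, actor="reconciler", prev_hash="0" * 64):
    """Evidence-grade log: append-only records, each hashed together with the
    previous record's hash so a deleted or edited entry breaks verification."""
    entries = []
    for f in findings:
        body = {"actor": actor, "approval": None, **f, "prev": prev_hash}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        prev_hash = hashlib.sha256(canonical.encode()).hexdigest()
        entries.append({**body, "hash": prev_hash})
    return entries


def verify_log(entries, genesis="0" * 64):
    prev = genesis
    for e in entries:
        body = {k: v for k, v in e.items() if k != "hash"}
        if body["prev"] != prev:
            return False
        digest = hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()
        if digest != e["hash"]:
            return False
        prev = digest
    return True


# Constructed sample data: what IGA believes versus what the app actually grants.
SOURCE_OF_RECORD = {("alice", "FIN.ReadOnly"), ("bob", "FIN.PaymentApprover"), ("carol", "FIN.ReadOnly")}
APP_ASSIGNMENTS = [
    {"user": "alice", "role": "viewer"},
    {"user": "bob", "role": "approver"},
    {"user": "dave", "role": "report-user"},    # granted in-app, never recorded: export right
    {"user": "erin", "role": "viewer"},         # granted in-app, never recorded: low impact
    {"user": "frank", "role": "dba-backdoor"},  # a role nobody modelled
]

if __name__ == "__main__":
    found = reconcile("finance-app", SOURCE_OF_RECORD, APP_ASSIGNMENTS)
    for f in found:
        print(f["kind"], f["user"], f["entitlement"] or f["role"], f["tier"], "->", f["action"])
    print("evidence log verifies:", verify_log(evidence_log(found)))
```

Running it produces four findings: frank's unmodelled role, dave's unrecorded high-impact export entitlement (revoke first, approve later), erin's unrecorded low-impact grant (certification item and write-back), and carol's stale source-of-record entry that the app no longer honours. The last case matters as much as the first three: certifying it would produce audit evidence for access that does not exist.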
Common Variations and Edge Cases
Tighter reconciliation often increases operational overhead, requiring organisations to balance governance accuracy against application team autonomy. That tradeoff becomes visible in hybrid estates, vendor SaaS platforms, and legacy applications that lack clean APIs or event hooks. Best practice is evolving, but current guidance suggests treating these systems as higher-risk and applying more frequent attestations, stronger admin segregation, or compensating controls until automated reconciliation is possible.
Some applications expose only coarse role groups, while others allow per-object permissions, temporary elevation, or delegated administration. In those cases, identity teams should classify the entitlement by risk rather than by name alone. A low-friction app role may still be high-impact if it grants export, impersonation, billing, or workflow approval rights. Conversely, some app-native changes are operational and do not warrant full certification if they do not expand access or alter control authority. That distinction should be documented in the entitlement model, not improvised during review.
Where local changes cannot be synchronised immediately, the governance fallback is to make the gap explicit: short review cycles, named compensating approvers, and exception expiry dates. The 52 NHI Breaches Analysis illustrates how often hidden access paths persist long after intended remediation, which is exactly why delayed reconciliation is risky. This guidance breaks down when application owners can bypass central logging entirely, because identity teams then lose the evidence needed to prove the access model is still under control.
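The fallback described above, where a synchronisation gap is made explicit with short review cycles, named compensating approvers and exception expiry dates, as an added Python example that is not the page's code or any product's. The applications, the per-tier review intervals, the exception register and the timestamps are constructed; in particular the seven- and thirty-day windows are assumed policy values, not a standard. Event-capable applications are only flagged when their feed has stalled; applications that cannot be synchronised are flagged when no exception is registered, when the exception has expired, or when the named approver's attestation is overdue for the app's risk tier.

```python
"""Make an unsynchronised app-native access gap explicit and time-bounded.

Added example, not code from the page or any product. The applications,
review intervals, approvers and timestamps are constructed for illustration.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Longest acceptable interval between reconciliations, by the risk tier of the
# entitlements the application holds. Assumed policy values, not a standard.
MAX_STALENESS = {"high": timedelta(days=7), "low": timedelta(days=30)}


def gap_report(apps, exceptions, now):
    """Classify each application's reconciliation gap.

    apps: list of {"name", "tier", "event_capable", "last_reconciled"}.
    exceptions: {app name: {"approver", "compensating_control", "expires"}}
    for applications that cannot be synchronised automatically.
    Returns one finding per application whose gap is silent, expired or overdue.
    """
    findings = []
    for app in apps:
        overdue = now - app["last_reconciled"] > MAX_STALENESS[app["tier"]]
        if app["event_capable"]:
            # Automated feed: the only failure mode is a stalled feed.
            if overdue:
                findings.append(_gap(app, "event_feed_stalled",
                                     "investigate connector; treat as unreconciled until feed resumes"))
            continue
        exc = exceptions.get(app["name"])
        if exc is None:
            findings.append(_gap(app, "silent_gap",
                                 "no named approver or expiry; register an exception or block access"))
        elif exc["expires"] <= now:
            findings.append(_gap(app, "expired_exception",
                                 f"re-approve via {exc['approver']} or withdraw compensating-control status"))
        elif overdue:
            findings.append(_gap(app, "attestation_overdue",
                                 f"{exc['approver']} must attest; interval for {app['tier']} tier exceeded"))
    return findings


def _gap(app, kind, action):
    return {"app": app["name"], "tier": app["tier"], "kind": kind, "action": action,
            "last_reconciled": app["last_reconciled"].isoformat()}


# Constructed sample estate and exception register.
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)
APPS = [
    {"name": "finance-app",   "tier": "high", "event_capable": True,  "last_reconciled": NOW - timedelta(hours=1)},
    {"name": "payroll-saas",  "tier": "high", "event_capable": True,  "last_reconciled": NOW - timedelta(days=9)},
    {"name": "legacy-hr",     "tier": "high", "event_capable": False, "last_reconciled": NOW - timedelta(days=10)},
    {"name": "vendor-crm",    "tier": "low",  "event_capable": False, "last_reconciled": NOW - timedelta(days=3)},
    {"name": "old-ticketing", "tier": "low",  "event_capable": False, "last_reconciled": NOW - timedelta(days=2)},
]
EXCEPTIONS = {
    "legacy-hr":     {"approver": "hr-platform-owner", "compensating_control": "weekly CSV export reviewed by IAM",
                      "expires": NOW + timedelta(days=20)},
    "old-ticketing": {"approver": "servicedesk-lead",  "compensating_control": "quarterly manual attestation",
                      "expires": NOW - timedelta(days=1)},
}

if __name__ == "__main__":
    for g in gap_report(APPS, EXCEPTIONS, NOW):
        print(g["app"], g["kind"], "->", g["action"])
```

In the sample estate, finance-app is healthy, payroll-saas has a stalled event feed, legacy-hr has a valid exception but its high-tier attestation is overdue, vendor-crm has a gap nobody has owned, and old-ticketing is running on an expired exception. The design point is that an unsynchronised application is never silently "fine": it is either inside its window, covered by a named and unexpired exception, or a finding.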
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (access permissions, entitlements and authorizations are managed, enforced and reviewed) | Access is only governed if app changes are reconciled to known identities and reviewed entitlements. |
| OWASP Non-Human Identity Top 10 | NHI-05 | Untracked entitlement drift creates unmanaged access paths. |
| NIST AI RMF | GOVERN function | Governance needs accountability and traceability across changing access states. |
Keep an authoritative access inventory and reconcile app-native role changes into it continuously.