How should NHS trusts govern shared IAM across multiple organisations?

They should treat shared IAM as a federated governance model with one policy standard and clearly assigned local ownership. Access approvals, review evidence, and deprovisioning rules need to be consistent across trusts so clinicians can move between sites without creating unmanaged entitlement drift. Shared care only works when accountability is mapped before rollout.

Why This Matters for Security Teams

Shared IAM across NHS trusts is not just a convenience problem. It creates a federated trust boundary where one organisation’s approvals, revocations, and audit evidence can affect another organisation’s clinical access and operational risk. If each trust interprets policy differently, entitlement drift appears quickly, especially when staff rotate across sites or access is inherited through shared platforms. NIST’s Cybersecurity Framework 2.0 is useful here because it reinforces governance, accountability, and continuous control validation, not just initial provisioning.

The practical challenge is that shared care often moves faster than control design. One trust may approve access based on local onboarding, while another expects a fresh review, and a third may rely on legacy group membership that no one fully owns. NHIMG research shows that 88.5% of organisations acknowledge their non-human IAM practices lag behind or are merely on par with human IAM, which is a warning sign for shared identity estates too, especially where service accounts, automation, and integration credentials cross organisational lines. See Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs and Top 10 NHI Issues for the lifecycle and governance implications.

In practice, many security teams encounter unmanaged entitlement drift only after a clinician changes role, an access review fails to reconcile between trusts, or a shared account survives longer than the approving manager expected.

How It Works in Practice

The safest operating model is federated governance with local execution. That means a single policy standard for identity proofing, access approval, review cadence, logging, and deprovisioning, while each trust retains named owners for its own users, groups, applications, and exceptions. The policy standard should define what is mandatory everywhere and what can vary by site, so shared access does not become shared ambiguity.

In operational terms, this usually means aligning on one joiner-mover-leaver workflow, one evidence format for access reviews, and one revocation SLA. Shared IAM also needs clear delegation rules: who can approve cross-trust access, who can recertify it, and who is accountable when a downstream system still grants access after the central directory is updated. Current guidance suggests treating the identity platform as the coordination layer, not the source of truth for accountability.

  • Use one common entitlement model so equivalent clinical roles map to the same access logic across trusts.
  • Separate approval authority from technical administration so local help desks cannot silently expand privilege.
  • Record local ownership for every shared role, application, and privileged group.
  • Require periodic attestation that compares central identity state with site-level access actually in force.
  • Automate deprovisioning wherever possible, and confirm downstream revocation, not just directory removal.
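As an added illustration (not code from the journal or from any trust), the kind of reconciliation check the attestation and deprovisioning bullets describe: it compares a central identity record with the access each site actually enforces and flags excess entitlements, identities disabled centrally but still live downstream (measured against the agreed revocation SLA), and site accounts with no central owner. All identities, entitlement names, timestamps and the 24-hour SLA are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (illustrative only, not from any trust).
# Central directory state: the entitlements each identity should hold.
CENTRAL = {
    "u100": {"status": "active", "entitlements": {"epr:read", "epr:write"}},
    "u200": {"status": "disabled", "entitlements": set(),
             "disabled_at": datetime(2024, 5, 1, 9, 0)},
    "u300": {"status": "active", "entitlements": {"epr:admin"}},
}
# Access each site actually enforces, as exported from its local systems.
SITES = {
    "trust-a": {"u100": {"epr:read", "epr:write"}, "u200": {"epr:read"}},
    "trust-b": {"u100": {"epr:read", "epr:write", "epr:admin"},
                "u300": {"epr:admin"}, "svc-legacy": {"epr:admin"}},
}
# Point in time at which the attestation run is evaluated (constructed).
AS_OF = datetime(2024, 5, 3, 9, 0)


def reconcile(central, sites, now, revocation_sla=timedelta(hours=24)):
    """Compare central identity state with site-level access in force.

    Returns a sorted list of (site, user, finding, detail) tuples. A finding
    is raised when a site grants access the central record does not
    authorise, when a disabled identity still holds access (noting whether
    the revocation SLA has already been breached), or when a site account
    has no central owner at all.
    """
    findings = []
    for site, access in sites.items():
        for user, granted in access.items():
            record = central.get(user)
            if record is None:
                findings.append((site, user, "orphan-account", ",".join(sorted(granted))))
                continue
            if record["status"] != "active":
                overdue = now - record["disabled_at"] > revocation_sla
                kind = "revocation-sla-breached" if overdue else "pending-revocation"
                findings.append((site, user, kind, ",".join(sorted(granted))))
                continue
            excess = granted - record["entitlements"]
            if excess:
                findings.append((site, user, "excess-entitlement", ",".join(sorted(excess))))
    return sorted(findings)


def run_example():
    """Run the check over the constructed data and return its findings."""
    return reconcile(CENTRAL, SITES, AS_OF)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Each finding names the site that holds the stale or excess access, which is the local owner the page says must be recorded for every shared role.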

Where this becomes difficult is with legacy EPR integrations, departmental shadow IT, and joint ventures that rely on directory sync but still enforce local exceptions, because reconciliation breaks when each organisation keeps different naming, review, and revocation rules.

Common Variations and Edge Cases

Tighter shared-IAM control often increases operational overhead, so organisations must balance standardisation against clinical responsiveness. That tradeoff is real in emergency access, bank staff onboarding, and cross-site rota cover, where rigid approval chains can slow care. The best practice is evolving, and there is no universal standard for this yet, but the direction is consistent: shared access should be time-bound, auditable, and explicitly owned.

One common edge case is delegated administration for specialist services that span multiple trusts. Another is where a single platform serves several organisations but each trust has different retention, review, or privileged-access requirements. In those cases, a shared control framework should define the minimum baseline, then let each trust layer stricter controls on top. For governance evidence, the Ultimate Guide to NHIs — Regulatory and Audit Perspectives is relevant because auditors will expect traceable ownership and revocation evidence, not just a central directory export.

For high-risk access paths, such as shared admin roles or automation credentials, the same logic should be applied to non-human identities as well as people. The lesson from Top 10 NHI Issues is that distributed environments fail when identity governance is assumed to be uniform but enforcement is actually local.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                   | Control / Reference   | Relevance
----------------------------|-----------------------|-----------------------------------------------------------------------------------------
NIST CSF 2.0                | GV.OC, PR.AA, PR.AC   | Shared IAM across trusts needs governance, accountability, and access control consistency.
NIST SP 800-63              |                       | Federated identity assurance and authentication underpin cross-organisation access decisions.
NIST Zero Trust (SP 800-207)|                       | Zero Trust requires explicit, continuous verification across organisational boundaries.

Define one shared governance model, then enforce common access rules and named ownership at each trust.