Legacy IGA tools struggle because they were built for discrete review cycles, not for environments where roles, vendors, and acquisitions constantly change access. They can record entitlement snapshots, but they cannot keep pace with live policy drift, so risk accumulates between review windows. That creates audit effort without timely assurance.
Why This Matters for Security Teams
Legacy IGA tools were designed to prove who had access at a point in time, not to manage entitlement churn created by mergers, vendor onboarding, SaaS sprawl, and continuous role reshaping. That becomes a problem when access changes faster than review cycles. By the time a certification runs, the environment has already moved, so the tool may validate yesterday’s structure while today’s risk keeps growing. NHI Mgmt Group notes that only 5.7% of organisations have full visibility into their service accounts in the Ultimate Guide to NHIs, which shows how hard it is to govern what cannot be continuously seen.
This is why business change exposes the limits of traditional IGA more than steady-state operations do. Acquisitions introduce duplicate identities, reorganisations break role assumptions, and third parties arrive with access that no longer matches the original approval. The result is not just audit noise; it is prolonged over-privilege, delayed revocation, and remediation work that happens after exposure instead of before it. In practice, many security teams encounter entitlement drift only after a business reorg or acquisition has already created persistent access gaps.
How It Works in Practice
Legacy IGA typically operates on scheduled access recertification, entitlement mapping, and approval workflows tied to HR or application directories. That model works reasonably well when jobs are stable and application ownership is clear. It struggles when access is shaped by multiple moving parts at once, especially where cloud platforms, contractors, and machine identities are added or removed outside formal HR events. Current guidance from the NIST Cybersecurity Framework 2.0 emphasises continuous governance outcomes rather than periodic proof alone, which is closer to how modern environments actually change.
In practice, teams need IGA to do more than reconcile records. It has to ingest near-real-time signals from joiner-mover-leaver events, cloud IAM, HR systems, procurement, and application logs. The operational question is not simply “who was approved?” but “does this identity still need this access right now?” That often means pairing IGA with policy-as-code, workflow automation, and stronger lifecycle controls such as entitlement expiration, owner attestation, and automatic deprovisioning when contracts or projects end. It also means recognising that some access is not human at all. As the Ultimate Guide to NHIs shows, high NHI concentration and weak visibility make stale access a structural issue, not an exception.
- Use continuous ingestion instead of waiting for the next certification window.
- Link access decisions to business events such as role changes, acquisition cutovers, and vendor offboarding.
- Track both human and non-human entitlements so service accounts are not left outside the review process.
- Automate revocation where approvals have expired or ownership is no longer valid.
These controls tend to break down when identity data is fragmented across many apps and no system of record can reliably determine current ownership.
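To make the “does this identity still need this access right now?” question concrete, here is an added example (not code from this guidance or from any IGA product) of a small policy-as-code evaluator that applies expiration, contract end, leaver, owner attestation and mover signals to constructed entitlement records; the field names, sample identities and decision ordering are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Entitlement:
    identity: str
    kind: str                            # "human" or "service" (non-human identity)
    resource: str
    owner: str                           # accountable owner who attested the access
    approved_role: str                   # role held when the access was approved
    expires: Optional[date] = None       # entitlement expiration, if one was set
    contract_end: Optional[date] = None  # vendor contract end, for third parties

def evaluate(ent: Entitlement, today: date, hr_roles: Dict[str, str],
             active_owners: Set[str]) -> Tuple[str, str]:
    """Answer 'does this identity still need this access right now?'.
    Returns (decision, reason); decision is 'keep', 'revoke' or 'review'.
    Hard stops (expiry, contract end, leaver) revoke automatically; softer
    signals (lost owner, role change) queue an owner attestation instead."""
    if ent.expires is not None and ent.expires < today:
        return "revoke", "entitlement expired"
    if ent.contract_end is not None and ent.contract_end < today:
        return "revoke", "vendor contract ended"
    if ent.kind == "human" and ent.identity not in hr_roles:
        return "revoke", "leaver: identity gone from HR feed"
    if ent.owner not in active_owners:
        return "review", "owner no longer valid"
    # Mover signal: a human whose current role differs from the approved one.
    if ent.kind == "human" and hr_roles[ent.identity] != ent.approved_role:
        return "review", "role changed since approval"
    return "keep", "approval still valid"

def run_cycle(entitlements: List[Entitlement], today: date, hr_roles: Dict[str, str],
              active_owners: Set[str]) -> Dict[Tuple[str, str], str]:
    """Evaluate every entitlement; returns {(identity, resource): decision}."""
    return {(e.identity, e.resource): evaluate(e, today, hr_roles, active_owners)[0]
            for e in entitlements}

# Constructed sample: a mover, an ended vendor contract, a leaver, an orphaned
# service account whose owner has left, and one entitlement that is still valid.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Entitlement("alice", "human", "payroll-db", "bob", "finance-analyst"),
    Entitlement("carol", "human", "crm", "dave", "sales-ops", contract_end=date(2024, 3, 31)),
    Entitlement("svc-etl", "service", "data-lake", "erin", "n/a"),
    Entitlement("frank", "human", "wiki", "bob", "engineer"),
    Entitlement("gina", "human", "wiki", "bob", "engineer"),   # left last month
]
HR_ROLES = {"alice": "engineering-manager", "carol": "sales-ops", "frank": "engineer"}
ACTIVE_OWNERS = {"bob", "dave"}   # erin has left, so svc-etl is orphaned
```

Running `run_cycle(SAMPLE, TODAY, HR_ROLES, ACTIVE_OWNERS)` on the sample revokes carol and gina, queues alice and svc-etl for review, and keeps frank; note that the service account is caught only because the owner check runs regardless of identity kind.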
Common Variations and Edge Cases
Tighter review cadence often increases operational overhead, so organisations have to balance assurance against workflow fatigue and business disruption. That tradeoff becomes sharper during rapid change, when access recertification can slow migrations or produce approval bottlenecks that business teams work around informally. Best practice is evolving, but there is no universal standard for how often every entitlement should be reviewed in a fast-changing environment.
One common edge case is acquisition integration. The source company’s roles rarely map cleanly to the acquiring company’s structure, so a like-for-like entitlement translation can preserve excessive access for months. Another is third-party access, where contracts may end before system access is removed. A third is shared or inherited access in cloud platforms, where a small business change can cascade into permissions across multiple services. For that reason, teams should not rely on the IGA record alone. They should validate it against live IAM, ticketing, and application telemetry, then prioritise high-risk access first. The NIST Cybersecurity Framework 2.0 supports this kind of outcome-driven governance, while the NHI-focused controls in the Ultimate Guide to NHIs are especially relevant where service accounts and API keys change outside HR processes.
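One way to do the validation step described above, as an added example (not the guidance's own code): compare the IGA system of record with a live IAM snapshot, flag grants that exist on only one side (a widened service-account permission and an inherited grant from an acquired tenant on the live side, a lapsed vendor grant on the record side), and order findings by an assumed resource-risk score so the highest-risk access is handled first. The grant tuples, identities and scores are constructed.

```python
from typing import Dict, List, Set, Tuple

Grant = Tuple[str, str, str]   # (identity, resource, permission)

# Constructed sample data; the tuple shape and risk scores are assumptions
# for this example, not any IGA product's or cloud provider's real format.
IGA_RECORD: Set[Grant] = {
    ("alice", "payroll-db", "admin"),
    ("svc-etl", "data-lake", "read"),
    ("carol", "crm", "read"),             # vendor whose contract has ended
}
LIVE_IAM: Set[Grant] = {
    ("alice", "payroll-db", "admin"),
    ("svc-etl", "data-lake", "read"),
    ("svc-etl", "data-lake", "write"),    # widened in cloud IAM, never approved
    ("acq-user7", "payroll-db", "read"),  # inherited from an acquired tenant
}
RESOURCE_RISK: Dict[str, int] = {"payroll-db": 3, "data-lake": 2, "crm": 1}

def reconcile(iga: Set[Grant], live: Set[Grant], risk: Dict[str, int]) -> List[dict]:
    """Compare the IGA record with live IAM and return findings, highest-risk
    resource first, so remediation starts where exposure is worst.
    'unmanaged': live access with no IGA approval (drift the review cycle
    cannot see). 'stale': IGA approval with no live grant (record lags reality).
    """
    findings = []
    for g in live - iga:
        findings.append({"grant": g, "type": "unmanaged", "risk": risk.get(g[1], 0)})
    for g in iga - live:
        findings.append({"grant": g, "type": "stale", "risk": risk.get(g[1], 0)})
    # Unknown resources score 0 but still surface; ties are ordered by grant
    # so the output is stable between runs.
    return sorted(findings, key=lambda f: (-f["risk"], f["grant"]))

def grants_of_type(findings: List[dict], kind: str) -> List[Grant]:
    """Grants of one finding type, already in priority order."""
    return [f["grant"] for f in findings if f["type"] == kind]

if __name__ == "__main__":
    for f in reconcile(IGA_RECORD, LIVE_IAM, RESOURCE_RISK):
        print(f["risk"], f["type"], f["grant"])
```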
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-2 | Business change needs continuous identity governance, not periodic snapshots. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Stale service accounts and API keys are common drift sources during business change. |
| NIST AI RMF | GOVERN | Dynamic access governance requires accountable oversight and lifecycle controls. |
Establish accountable ownership, escalation paths, and monitoring for changing identity risk.