ITGC

ITGC, or information technology general controls, are the foundational controls that support reliable systems, access management, change management, and evidence integrity. They matter because financial reporting controls depend on the underlying technology environment behaving predictably and proving that behaviour through traceable records.

Expanded Definition

ITGC, or information technology general controls, are the baseline controls that make accounting systems and other critical platforms dependable. In practice, they govern who can access systems, how changes are approved and tested, how backups and recovery work, and whether logs and evidence remain trustworthy. For finance and audit teams, ITGCs are the control layer that helps ensure application-level controls operate in a stable environment.

In NHI and IAM programs, ITGCs increasingly extend beyond human user access to service accounts, API keys, automation pipelines, and other non-human identities. That matters because a privileged service account can bypass workflow controls, alter records, or generate misleading evidence if its access is not reviewed. The same logic appears in NIST Cybersecurity Framework 2.0, which treats access, change, and resilience as core governance concerns. Definitions vary across vendors when ITGC is mapped into cloud, SaaS, and agentic AI environments, so organisations should distinguish core ITGCs from application controls and from broader security controls. The most common misapplication is treating a successful login or approved ticket as sufficient proof that the underlying system change, access grant, or evidence record was actually controlled.

Examples and Use Cases

Implementing ITGCs rigorously often introduces process overhead, requiring organisations to weigh stronger evidence and lower audit risk against slower operational throughput.

  • Access to the ERP production environment is limited to named admins, with quarterly recertification covering both human administrators and service accounts used by integrations.
  • Change management requires ticket approval, testing evidence, and segregation of duties before code is promoted into production, especially for finance-facing reports.
  • Backup and recovery controls are tested on a schedule so that financial data can be restored without data loss, corruption, or unexplained gaps in logs.
  • Log retention and time synchronisation are enforced so that evidence used in audit trails remains complete, searchable, and defensible during review.
  • For identity-heavy environments, NHI governance is folded into ITGC design because weak secrets handling can undermine the trustworthiness of every downstream control, as discussed in the Ultimate Guide to NHIs and in the NIST Cybersecurity Framework 2.0.
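The checks below are an added example, not code from the journal page or any product. They turn the controls listed above, and the misapplication called out earlier (an approved ticket or a successful login taken as proof), into evidence checks a reviewer can run: a change record must carry approval, testing evidence, separate approver and implementer, and a deployed commit that matches the approved one; a service account must have an accountable owner and a recertification inside the quarterly window; and an audit log must have no unexplained gaps or out-of-order entries that would point at missing time synchronisation. All records, field names and thresholds are constructed assumptions for the example.

```python
"""
Added example, not code from the journal page: small ITGC evidence checks
that treat an approved ticket or a successful login as a claim to be verified,
not as proof. All records below are constructed sample data; the field names
and thresholds are assumptions, not any product's schema.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

RECERT_PERIOD = timedelta(days=90)      # quarterly recertification window (assumed)
MAX_LOG_GAP = timedelta(minutes=15)     # expected maximum silence in the audit log (assumed)


@dataclass
class ChangeRecord:
    ticket: str
    approved: bool
    approver: str
    implementer: str
    test_evidence: Optional[str]   # reference to test results, None if missing
    approved_commit: str           # commit the approver signed off on
    deployed_commit: str           # commit actually promoted to production


@dataclass
class ServiceAccount:
    name: str
    owner: Optional[str]           # accountable person or team, None if orphaned
    last_recertified: Optional[date]


def check_change(c: ChangeRecord) -> list:
    """Findings for one change; an approved ticket on its own is not sufficient."""
    findings = []
    if not c.approved:
        findings.append("ticket not approved")
    if c.approver == c.implementer:
        findings.append("segregation of duties: approver is also the implementer")
    if not c.test_evidence:
        findings.append("no testing evidence attached")
    if c.approved_commit != c.deployed_commit:
        findings.append("deployed commit differs from the approved commit")
    return findings


def check_service_account(a: ServiceAccount, today: date) -> list:
    """Findings for one non-human identity under quarterly recertification."""
    findings = []
    if a.owner is None:
        findings.append("no accountable owner")
    if a.last_recertified is None:
        findings.append("never recertified")
    elif today - a.last_recertified > RECERT_PERIOD:
        findings.append("recertification overdue")
    return findings


def check_log_continuity(timestamps: list) -> list:
    """Flag unexplained gaps and out-of-order entries (clock skew) in an audit trail."""
    findings = []
    for prev, cur in zip(timestamps, timestamps[1:]):
        if cur < prev:
            findings.append(f"out-of-order entry at {cur.isoformat()}")
        elif cur - prev > MAX_LOG_GAP:
            findings.append(f"gap of {cur - prev} before {cur.isoformat()}")
    return findings


def audit(changes, accounts, timestamps, today) -> dict:
    """Collect findings keyed by record; an empty dict means the evidence held up."""
    report = {}
    for c in changes:
        found = check_change(c)
        if found:
            report[c.ticket] = found
    for a in accounts:
        found = check_service_account(a, today)
        if found:
            report[a.name] = found
    found = check_log_continuity(timestamps)
    if found:
        report["audit-log"] = found
    return report


# Constructed sample data: one clean change and one that was "approved" but not controlled.
SAMPLE_CHANGES = [
    ChangeRecord("CHG-1001", True, "alice", "bob", "tests/run-77.log", "a1b2c3", "a1b2c3"),
    ChangeRecord("CHG-1002", True, "carol", "carol", None, "d4e5f6", "0a0b0c"),
]
SAMPLE_ACCOUNTS = [
    ServiceAccount("svc-erp-integration", "finance-platform-team", date(2024, 5, 1)),
    ServiceAccount("svc-legacy-report", None, date(2023, 11, 15)),
]
SAMPLE_LOG_TIMES = [
    datetime(2024, 6, 3, 9, 0), datetime(2024, 6, 3, 9, 10),
    datetime(2024, 6, 3, 10, 5), datetime(2024, 6, 3, 10, 0),
]
TODAY = date(2024, 6, 3)

if __name__ == "__main__":
    for key, findings in audit(SAMPLE_CHANGES, SAMPLE_ACCOUNTS, SAMPLE_LOG_TIMES, TODAY).items():
        print(key, "->", "; ".join(findings))
```

Run as-is, the report names CHG-1002 (approver and implementer are the same person, no test evidence, and the deployed commit is not the approved one), svc-legacy-report (no owner, recertification overdue) and the audit log (a 55-minute silence followed by a timestamp that runs backwards), while the clean change and the recently recertified integration account produce nothing. The point of keying the report by record is that each finding maps back to a specific piece of evidence an auditor can ask for.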

In cloud and automation-heavy estates, ITGC evidence often comes from configuration states, pipeline approvals, and privileged access records rather than paper-based sign-offs. That shift makes traceability more important, not less.

Why It Matters in NHI Security

ITGC failures create the conditions for hidden privilege, undocumented changes, and unreliable evidence, which is especially dangerous when the control surface includes service accounts, secrets, and AI agents. NHI Management Group reports that 97% of NHIs carry excessive privileges, and 79% of organisations have experienced secrets leaks, with 77% of those incidents causing tangible damage, underscoring how weak general controls can become a security and audit problem at the same time.

That is why ITGCs now intersect with identity governance, secrets hygiene, and traceable automation. If a privileged token is stored in code, or if a deployment path can change production without clear approval, the financial control environment may still appear intact while the technical basis for trust has already failed. The concept also aligns with the NIST Cybersecurity Framework 2.0, where governance, protection, and recovery depend on repeatable control behaviour. Organisations typically treat ITGC as a priority only after a failed audit, an unexplained production change, or a compromised service account exposes that the evidence trail was not reliable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC | ITGCs enforce access governance that supports trustworthy system operation and evidence.
NIST CSF 2.0 | PR.IP | Change management and controlled procedures are central to ITGC definitions.
OWASP Non-Human Identity Top 10 | NHI-02 | Secret management gaps in ITGCs directly affect NHI trust and privilege control.

Restrict privileged access, review entitlements, and retain proof of access decisions.