Subscribe to the Non-Human & AI Identity Journal

What breaks when IGA only tracks assigned access instead of reachable access?

You lose sight of how far a compromised identity can move through nested roles, inherited permissions, and chained accounts. That means the governance view can look clean while the actual blast radius remains wide. Security teams should prioritize relationship-aware modelling that shows reachable systems, not just entitlement records.

Why This Matters for Security Teams

IGA that records only assigned access creates a false sense of control. The entitlement catalog may look clean, yet it can miss what an identity can actually reach through inherited roles, nested groups, shadow admin paths, delegated permissions, and chained service accounts. That gap matters because attackers and misconfigurations exploit reachability, not policy labels.

For non-human identities, the problem is sharper. NHIs often operate with broad privileges and long-lived secrets, and NHI Mgmt Group notes that 97% of NHIs carry excessive privileges in modern enterprises, making blast-radius analysis a governance issue, not just a detection problem. The challenge is consistent with the Ultimate Guide to NHIs and with the OWASP Non-Human Identity Top 10, both of which emphasize visibility into real-world identity risk rather than static records.

In practice, many security teams discover the reachable path only after a service account has already moved laterally into systems that were never obvious from the access review.

How It Works in Practice

Assigned access answers a narrow question: what did someone approve, and for which account or role? Reachable access answers a harder one: what systems, data, APIs, and privileges can that identity actually touch after inheritance, delegation, and runtime chaining are accounted for? That is the level required for meaningful governance of NHIs and agents.

Practically, this means modelling relationships, not just entitlements. Current guidance suggests building identity graphs that connect users, service accounts, workloads, roles, groups, secrets, tokens, and downstream trust paths. For NHIs, a service account with a single approved role may still inherit access through CI/CD integrations, vault policies, cloud role chaining, or workload federation. That is why relationship-aware analysis should sit alongside IGA records and periodic certification.

  • Map direct, inherited, and delegated permissions into one reachable-path view.
  • Include service accounts, API keys, certificates, and cloud workload identities in the same graph.
  • Recompute blast radius when roles, trust policies, or secrets change.
  • Flag chained access where one identity can mint or assume another identity.

The operational goal is not to replace IGA, but to correct its blind spot. NHI Mgmt Group’s Ultimate Guide to NHIs highlights how poor visibility and excessive privilege combine to widen exposure, while NIST’s zero trust model reinforces that access must be evaluated from context, not assumed from an assigned label. A useful implementation pattern is to pair IGA exports with graph-based analysis and policy checks that surface the actual paths an identity can take.

These controls tend to break down in hybrid estates with multiple cloud tenants and ad hoc service-to-service trust, because inherited permissions and transitive assumptions are difficult to model consistently across platforms.

Common Variations and Edge Cases

Tighter reachability analysis often increases modelling and maintenance overhead, requiring organisations to balance better blast-radius insight against slower review cycles and more data integration work. That tradeoff is real, but it is usually preferable to approving access that appears harmless on paper and is dangerous in execution.

There is no universal standard for reachable-access modelling yet. Some teams treat it as a security analytics layer, while others fold it into IGA, PAM, or zero trust programs. The right choice depends on environment complexity. In mature cloud estates, cloud IAM inheritance and workload identities often drive the biggest gaps. In legacy environments, nested groups, shared service accounts, and domain admin sprawl are more common failure points.

Edge cases also matter. A low-risk assigned role may become high-risk when paired with a secret stored in code, a federated trust relationship, or a privileged token that can be minted on demand. For autonomous workloads and agents, the issue is even more acute because runtime behavior can change faster than certification cycles can catch up. That is why the 52 NHI Breaches Analysis is useful: it shows how identity exposure often emerges through paths that were not obvious in entitlement spreadsheets. In current guidance, reachable-access analysis should be treated as a control objective, not a one-time report.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-01 Reachable-access gaps hide overprivileged NHIs and chained trust paths.
NIST CSF 2.0 PR.AC-4 Access should reflect effective permissions, not only approved assignments.
NIST AI RMF Governance must assess actual risk exposure from identity behavior and context.

Model NHI relationships and privilege paths, then reduce any identity that can reach sensitive systems.