TL;DR: Clarity Security says its customers reclaimed 438,255 manual work hours in 2025 while automating 74,667 joiners, 113,628 movers, 6,252 leavers, and 10.6 million review items, underscoring how manual identity governance still consumes enormous operational capacity. The real issue is not speed alone but whether access decisions can be governed continuously as identities, entitlements, and context change.
At a glance
What this is: This year-in-review argues that attribute-based access control and lifecycle automation reduced manual identity governance work at scale while improving review and provisioning throughput.
Why it matters: For IAM and NHI practitioners, it reinforces that static roles and ticket-driven workflows cannot keep up with modern access sprawl, including non-human identities and nested entitlements.
By the numbers:
- Clarity Security says teams completed 674 user access reviews and examined 10,615,269 review items in 2025.
👉 Read Clarity Security's 2025 year-in-review on ABAC and identity automation
Context
Identity governance breaks down when access decisions depend on manual review, static roles, and disconnected systems. In that model, every joiner, mover, leaver, and access review adds latency and creates room for over-entitlement, especially when organisations also have to govern non-human identities, nested groups, and application-specific exceptions.
This post is best read as a governance signal, not a product showcase. The central question is whether ABAC and workflow automation can reduce operational drag without weakening auditability or lifecycle control. For practitioners, the relevant benchmark is not feature breadth but whether access can be justified, changed, and revoked at the pace of business.
For teams working through identity lifecycle and entitlement sprawl, the Ultimate Guide to NHIs provides the broader governance lens for service accounts, tokens, and other machine identities.
Key questions
Q: How should organisations decide whether ABAC is ready for production IAM use?
A: Organisations should move to ABAC only when their attribute sources are authoritative, their policy logic is testable, and their audit trail can explain every access decision. ABAC improves precision, but it also magnifies bad data if source systems are inconsistent. Start with lower-risk use cases, then expand once policy outcomes are repeatable and reviewable.
Q: Why do nested entitlements create so much IAM risk?
A: Nested entitlements create risk because access is inherited indirectly, which makes it hard to see the full privilege path in a single review. A user or workload can appear limited while still receiving broad downstream access through group chains and linked application roles. Teams should map those relationships explicitly and review them as dependencies.
Q: What is the difference between ABAC and RBAC for access governance?
A: RBAC assigns access through fixed roles, while ABAC decides access from attributes and policy conditions at request time. RBAC is easier to understand but tends to accumulate role bloat. ABAC can be more precise, but only if attribute quality, policy design, and enforcement are consistent across systems.
Q: How can IAM teams reduce manual work without weakening controls?
A: They should automate lifecycle events, connect access decisions to authoritative data, and measure actual remediation rather than ticket closure. The goal is not fewer controls, but fewer manual handoffs that delay provisioning and revocation. Strong automation should shorten exposure windows while preserving traceability.
Technical breakdown
How ABAC changes access decisioning for identity governance
Attribute-based access control, or ABAC, evaluates real-time attributes such as user role, device state, location, application context, and policy conditions before granting access. That differs from RBAC, which assigns permissions through static roles that tend to accumulate exceptions and drift. In practice, ABAC reduces role explosion by moving the decision point from membership alone to policy evaluation. The governance trade-off is that the attribute sources must be trustworthy, current, and consistently enforced across systems. If attributes are stale or fragmented, ABAC simply automates bad decisions faster.
Practical implication: organisations should validate attribute quality and policy consistency before using ABAC for high-risk access.
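To make that trade-off concrete, here is an added toy policy decision point (example code written for this analysis, not Clarity Security's engine or any product's API) that refuses to decide when an attribute is missing, comes from a non-authoritative source, or is older than a freshness bound, and returns the reasons as the audit trail. The attribute sources, freshness window and payroll policy are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Attr:
    value: object
    source: str             # system that asserted the attribute
    observed_at: datetime   # when that system last confirmed it

# Constructed: the authoritative source per attribute, and how old an attribute may be.
AUTHORITATIVE = {"department": "hris", "device_compliant": "mdm", "employment": "hris"}
MAX_AGE = timedelta(hours=24)

# Constructed policy for a payroll export; every rule must hold (default deny).
PAYROLL_RULES = [
    ("active employment", lambda s, r: s["employment"].value == "active"),
    ("department owns resource", lambda s, r: s["department"].value == r["owner_dept"]),
    ("device compliant", lambda s, r: s["device_compliant"].value is True),
]

def decide(subject, resource, rules, now):
    """Return (decision, reasons); the reasons are the audit trail for the decision."""
    reasons = []
    for name, expected_source in AUTHORITATIVE.items():
        a = subject.get(name)
        if a is None:
            reasons.append(f"missing attribute {name}")
        elif a.source != expected_source:
            reasons.append(f"{name} asserted by non-authoritative source {a.source}")
        elif now - a.observed_at > MAX_AGE:
            reasons.append(f"{name} stale ({(now - a.observed_at).days}d old)")
    if reasons:  # bad data: deny and explain rather than automate a guess
        return "deny", reasons
    failed = [desc for desc, rule in rules if not rule(subject, resource)]
    return ("permit", ["all rules satisfied"]) if not failed else ("deny", failed)

def demo(now=datetime(2025, 12, 18, tzinfo=timezone.utc)):
    """Constructed subjects requesting the same payroll export; returns {name: decision}."""
    fresh = now - timedelta(hours=1)
    ok = {"employment": Attr("active", "hris", fresh),
          "department": Attr("finance", "hris", fresh),
          "device_compliant": Attr(True, "mdm", fresh)}
    scenarios = {
        "fresh": ok,
        # mover whose HR record has not been re-synced since the transfer
        "stale_mover": dict(ok, department=Attr("finance", "hris", now - timedelta(days=10))),
        "self_asserted": dict(ok, department=Attr("finance", "self_service", fresh)),
        "wrong_dept": dict(ok, department=Attr("marketing", "hris", fresh)),
    }
    return {k: decide(s, {"owner_dept": "finance"}, PAYROLL_RULES, now) for k, s in scenarios.items()}
```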
Why lifecycle automation matters for joiners, movers, and leavers
Lifecycle automation covers onboarding, role changes, and deprovisioning without requiring a person to manually open and close tickets at each step. The security value is not just efficiency. Faster provisioning reduces delay for approved access, while faster revocation reduces the window in which stale entitlements remain active after a job change or termination. This matters because identity risk often comes from delayed cleanup rather than initial grant decisions. For NHI governance, the same principle applies to service accounts, tokens, and application bindings that need timely rotation or removal when their purpose ends.
Practical implication: connect provisioning and revocation workflows to authoritative lifecycle events, not periodic cleanup.
Why nested entitlements create hidden access paths
Nested groups and linked entitlements create indirect access paths that are hard to see in a standard access review. A user may appear to have one role, but inherit many more through group membership, application dependency, or upstream directory relationships. That makes entitlement analysis a graph problem as much as an IAM problem. The operational risk is phantom access, where no single reviewer can easily explain why a privilege exists. For NHI programs, the same pattern appears when automation, service accounts, and application roles inherit permissions through chained dependencies.
Practical implication: model inherited access paths explicitly and review them as dependencies, not as isolated permissions.
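As an added illustration of the graph view (not code from the original article or product), the following resolves effective entitlements by walking a constructed membership graph, keeps the inheritance chain for each entitlement as review evidence, flags access reached only through nested groups, and tolerates groups nested in each other. The principals, groups, roles and entitlements are all made up for the example.

```python
from collections import deque

# Constructed inheritance graph: node -> nodes it is a member of, linked to, or granted.
# Prefixes: user:/svc: principals, group: directory groups, role: app roles, ent: entitlements.
GRAPH = {
    "user:alice":         ["group:eng-all"],
    "svc:ci-deployer":    ["group:eng-all", "role:deploy-prod"],
    "group:eng-all":      ["group:eng-legacy"],
    "group:eng-legacy":   ["group:infra-admins"],                  # forgotten nesting from a reorg
    "group:infra-admins": ["role:prod-admin", "group:eng-legacy"],  # cycle: groups nest each other
    "role:prod-admin":    ["ent:prod-db:rw", "ent:prod-secrets:read"],
    "role:deploy-prod":   ["ent:prod-k8s:apply"],
}

def effective_entitlements(principal, graph=GRAPH):
    """BFS over inheritance edges; returns {entitlement: shortest path that grants it}.
    The seen set stops cycles, which real directories allow."""
    paths = {}
    seen = {principal}
    queue = deque([(principal, [principal])])
    while queue:
        node, path = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt.startswith("ent:"):
                paths.setdefault(nxt, path + [nxt])  # BFS: first hit is the shortest chain
            elif nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return paths

def phantom_access(principal, graph=GRAPH):
    """Entitlements reached only through two or more intermediate nodes: a flat review
    screen listing direct memberships will not show them."""
    return {e: p for e, p in effective_entitlements(principal, graph).items() if len(p) > 3}

def review_report(principal, graph=GRAPH):
    """Review evidence: one line per entitlement with depth and full inheritance chain."""
    return [f"{e} depth={len(p) - 2} via {' -> '.join(p[1:-1])}"
            for e, p in sorted(effective_entitlements(principal, graph).items())]
```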
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
ABAC is not a replacement for governance, but it does expose how weak most role models are. Static RBAC works until role counts and exception handling outgrow the original structure. ABAC shifts the decision to context, which can improve precision, but only if the organisation can prove that the attributes driving access are trustworthy and current. The practical conclusion is that ABAC should be treated as a control layer, not a governance shortcut.
Lifecycle automation is now a board-relevant identity control, not an efficiency feature. When joiners, movers, and leavers are still handled manually, the organisation is paying twice: once in labour and again in residual access risk. That becomes even more material when the environment includes machine identities, service accounts, and application credentials that never enter a traditional HR workflow. The conclusion for practitioners is to align lifecycle controls across human and non-human identities.
Identity blast radius: the real problem is not whether access is granted quickly, but how far that access can spread through nested entitlements and indirect dependencies. The article's nested access and linked provisioning details point to a governance reality many teams still miss: a single entitlement can fan out into many downstream permissions. That makes entitlement mapping, dependency tracking, and review evidence central to IAM design. The conclusion is to govern inherited access as aggressively as direct access.
Operational telemetry matters because access review quality is still the weak link in many programmes. Review counts, remediation counts, and workflow completion volumes matter less than whether they translate into durable entitlement cleanup. The best governance programmes tie review evidence to actual remediation and measure stale access reduction over time. The conclusion is to treat review performance as a control outcome, not a checkbox metric.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, which shows how slowly many environments remove stale access and credentials.
- The Ultimate Guide to NHIs, in its Lifecycle Processes for Managing NHIs section, gives a practical lens for aligning provisioning, rotation, and offboarding with automated identity governance.
What this signals
Identity programmes are moving from ticket throughput to control quality. The organisations that benefit most from ABAC and automation will be the ones that can prove access decisions, not just execute them quickly. That means tracking attribute integrity, remediation rates, and inheritance exposure as part of the control plane, not as separate reporting.
With only 1.5 in 10 organisations highly confident in securing NHIs, per the State of Non-Human Identity Security, the governance pattern is clear: identity teams still lack confidence in machine-scale access control. That gap will widen if human lifecycle workflows are copied onto service accounts, API keys, and agent credentials without redesign.
Identity blast radius: the next control debate will centre on how far an entitlement can propagate through linked systems and nested dependencies. As environments become more interconnected, the practical question is no longer whether access exists, but whether anyone can explain its full downstream reach. Teams should prepare for entitlement graph analysis to become a core IAM competency.
For practitioners
- Map attribute sources before expanding ABAC: Inventory every system feeding access policy decisions, then verify which attributes are authoritative, current, and auditable before moving high-risk entitlements to policy evaluation.
- Automate joiner, mover, and leaver events end to end: Trigger provisioning and revocation from HR and directory events so access changes happen at the lifecycle source rather than in manual ticket queues.
- Review inherited access as a graph: Trace nested groups, linked entitlements, and upstream dependencies to expose phantom access that a flat review screen will miss.
- Measure remediation, not just review completion: Track how many entitlements were actually removed or corrected after review, because closed tickets without cleanup leave the same exposure in place.
Key takeaways
- ABAC can reduce role bloat, but only when attribute sources and policy logic are trustworthy.
- Manual joiner, mover, and leaver handling remains a major source of residual access risk and operational drag.
- Inherited access through nested entitlements is still a blind spot, so review programmes must follow the dependency graph.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | ABAC and lifecycle automation reduce excessive standing access and stale entitlements. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions management fits the article's emphasis on dynamic control decisions. |
| NIST Zero Trust (SP 800-207) | AC-4 | Continuous verification and least privilege align with context-aware access decisions. |
Audit NHI entitlements for standing privilege and automate removal when access is no longer justified.
Key terms
- Attribute-Based Access Control: Attribute-Based Access Control is a policy model that grants or denies access using attributes such as user role, device state, location, and application context. It replaces purely static role assignment with a decision process that can adapt to current conditions, provided the underlying attributes are trustworthy and well-governed.
- Identity Blast Radius: Identity blast radius is the downstream spread of privilege that occurs when a single entitlement reaches many systems through nested groups, linked roles, or inherited access paths. The concept helps teams judge not only whether access exists, but how far it can propagate if misused or left in place.
- Lifecycle Automation: Lifecycle automation is the use of workflows to provision, update, and revoke access when identity events occur, such as onboarding, role changes, or termination. In mature programmes, it reduces manual handling, shortens exposure windows, and creates a clearer audit trail for both human and non-human identities.
What's in the full article
Clarity Security's full post covers the product and customer implementation details this analysis intentionally leaves at a higher level:
- How the ABAC engine evaluates roles, device state, location, and other attributes at decision time
- Connector and webhook details for integrating provisioning workflows with downstream systems
- Operational examples of nested access intelligence and Tier 0 to Tier 2 tagging in the product UI
- The customer-facing accounting method used to estimate 438,255 hours saved
Deepen your knowledge
ABAC and lifecycle automation are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building an identity governance programme that must handle both human and non-human access, it is worth exploring.
Published by the NHIMG editorial team on 2025-12-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org