By NHI Mgmt Group Editorial Team
Published 2026-07-02
Domain: Governance & Risk
Source: Zluri

TL;DR: Point-in-time access audits certify yesterday’s state, but access drift, orphaned accounts and privilege creep return the next day, according to Zluri. Continuous compliance keeps the right access state live, so evidence, revocation and review become operating conditions rather than audit-season recovery work.


At a glance

What this is: This is a Zluri analysis arguing that point-in-time audits cannot keep pace with access drift and that continuous compliance is the only sustainable model for access governance.

Why it matters: It matters because IAM, NHI, and human access programmes all fail when entitlements are reviewed too late, revoked too slowly, or evidenced only after drift has already widened the blast radius.

👉 Read Zluri's analysis of continuous access compliance versus point-in-time audits


Context

Access governance is the discipline of keeping entitlements aligned with role, time, and business purpose. In this article, Zluri argues that point-in-time audits only prove access was correct on the day of review, while the environment keeps changing through joiners, movers, leavers, contractors, and non-human identities.

That gap matters across human IAM and NHI governance because revocation delay, orphaned access, and privilege creep all expand the same attack surface. Continuous compliance treats the right access state as an always-on operating condition, not a quarterly recovery exercise.


Key questions

Q: What breaks when access governance relies on point-in-time audits?

A: Point-in-time audits break when the environment keeps changing after the audit closes. Access drift, privilege creep, delayed offboarding, and orphaned accounts can all appear between review cycles, leaving a certified snapshot that no longer matches reality. The result is weak assurance, wider blast radius, and evidence that is already stale when it is needed.

Q: Why do continuous compliance programs matter for IAM and NHI governance?

A: They matter because human identities, contractors, service accounts, and API credentials all change state continuously. When revocation, review, and proof are built into the operating model, governance keeps up with lifecycle changes instead of chasing them after the fact. That is the difference between active control and retrospective reporting.

Q: How do you know if access reviews are actually working?

A: Access reviews are working when they confirm a current state rather than discovering months of accumulated drift. The strongest signals are fewer overdue reviews, fewer manual per-app fixes, faster revocation, and audit evidence that is generated automatically as the control runs. If cleanup still depends on spreadsheets, the process is compensating for control failure.

Q: Who is accountable when access persists after an employee or contractor leaves?

A: Accountability sits with the identity governance and application owners who own the offboarding and revocation process, not only with the auditor who later finds the gap. In regulated environments, the control expectation is that access is removed promptly and evidence is retained. If access persists, the lifecycle process failed before the audit began.


Technical breakdown

Why point-in-time audits decay between review cycles

Point-in-time auditing captures a snapshot of identities, entitlements, approvals, and revocations at one moment. The problem is that access environments are dynamic: role changes, temporary elevation, contractor offboarding, and new app provisioning keep moving the baseline after the audit closes. If the control model assumes the environment stays stable until the next review, the model is already wrong. That is why the certification record and the live environment diverge so quickly. The operational issue is not the absence of evidence. It is evidence that stops matching reality the moment the next access event occurs.

Practical implication: treat every review cycle as a verification check, not as the control itself.

How continuous compliance monitoring works for access governance

Continuous compliance monitoring is a live observation layer that keeps tracking who has access to what, how that access is used, and where drift appears. It depends on integrations across identity systems, applications, and entitlement sources so policy gaps, dormant accounts, and excess privilege surface while they are still actionable. For NHI and human identity programmes alike, the value is in seeing the current state, not reconstructing it after the fact. Monitoring on its own does not fix anything, but it changes access governance from retrospective reporting to active control.

Practical implication: build a live entitlement view that flags drift before the next certification window opens.

Why automation changes the evidence problem

Access automation changes compliance from a labour-intensive reporting exercise into a byproduct of enforcement. When provisioning, deprovisioning, review workflows, and remediation steps run through policy and logged playbooks, the evidence trail is created at the same time as the control action. That matters because audit readiness depends on proving what happened, when it happened, and why it happened. Manual processes struggle here because they separate control execution from proof generation. Automation closes that gap by making the evidence native to the process instead of reconstructed after the cycle ends.

Practical implication: automate revocation, certification, and logging together so proof is produced with the control action.
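The monitoring layer described in the previous section and the evidence-as-byproduct point made here are easiest to see together in code. What follows is an added example, not Zluri's product or code and not drawn from the article: a small drift detector that diffs a live entitlement snapshot against an HR roster and a role baseline (flagging orphaned grants, expired temporary elevation, dormant entitlements, and access outside the role baseline), followed by a policy-driven remediation step that writes a hash-chained evidence record in the same step as each revoke or review decision. The data model, the 90-day dormancy window, the revoke-versus-review policy, the role baseline, and every identity and grant in the sample snapshot are constructed assumptions for illustration.

```python
"""Added example (not Zluri's or NHIMG's code): continuous drift detection with
evidence produced as each control action runs. The data model, the 90-day dormancy
window, the revoke-vs-review policy and the evidence format are assumptions; every
record below is constructed sample data, not a real tenant."""
from __future__ import annotations
import hashlib, json
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 7, 2, tzinfo=timezone.utc)        # fixed clock so the run is reproducible
DORMANT_AFTER = timedelta(days=90)                      # assumption: unused for 90 days = dormant
REVOKE_KINDS = {"orphaned", "expired_temporary_grant"}  # policy: revoke these; review the rest

# Constructed roster: (role, still active). NHIs point at an accountable human owner.
ROSTER = {"alice": ("engineer", True), "bob": ("engineer", False), "carol": ("finance", True)}
# Approved entitlements per role: the state a certification should only have to confirm.
ROLE_BASELINE = {"engineer": {"github:read", "ci:run"}, "finance": {"erp:read", "erp:post"}}

@dataclass(frozen=True)
class Grant:
    identity: str
    kind: str                    # "human" or "nhi"
    owner: str                   # accountable human; a human owns their own grant
    entitlement: str
    approved_by: str
    justification: str           # captured at grant time so it survives into the evidence
    expires_at: datetime | None  # None = standing access
    last_used_at: datetime | None

Finding = namedtuple("Finding", "kind grant detail")

def detect_drift(grants, roster=ROSTER, baseline=ROLE_BASELINE, now=NOW) -> list[Finding]:
    """Diff live entitlements against the approved state; one Finding per defect found."""
    out = []
    for g in grants:
        role, active = roster.get(g.owner, (None, False))
        if not active:
            out.append(Finding("orphaned", g, f"owner {g.owner} is no longer active"))
            continue  # an orphan is revoked whatever else is true of it
        if g.expires_at is not None and g.expires_at <= now:
            out.append(Finding("expired_temporary_grant", g, f"expired {g.expires_at.date()}"))
        if g.last_used_at is None or now - g.last_used_at > DORMANT_AFTER:
            out.append(Finding("dormant", g, "not used within the dormancy window"))
        if g.kind == "human" and g.entitlement not in baseline[role]:
            out.append(Finding("outside_role_baseline", g, f"not in the {role} baseline"))
    return out

def _digest(d: dict) -> str:
    return hashlib.sha256(json.dumps(d, sort_keys=True).encode()).hexdigest()

class EvidenceLog:
    """Append-only, hash-chained evidence written in the same step as the control action."""
    def __init__(self):
        self.records, self._prev = [], "0" * 64
    def record(self, action: str, f: Finding, actor: str, now: datetime) -> dict:
        e = {"ts": now.isoformat(), "action": action, "actor": actor, "identity": f.grant.identity,
             "entitlement": f.grant.entitlement, "reason": f"{f.kind}: {f.detail}",
             "original_approver": f.grant.approved_by, "original_justification": f.grant.justification,
             "prev_hash": self._prev}
        e["hash"] = self._prev = _digest(e)   # each record commits to the one before it
        self.records.append(e)
        return e
    def verify_chain(self) -> bool:
        """An auditor re-derives every hash; an edited or dropped record breaks the chain."""
        prev = "0" * 64
        for e in self.records:
            if e["prev_hash"] != prev or _digest({k: v for k, v in e.items() if k != "hash"}) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def remediate(findings, log: EvidenceLog, now=NOW, actor="policy-engine"):
    """Policy-driven remediation: one decision and one evidence record per affected grant."""
    by_grant: dict[Grant, list[Finding]] = {}
    for f in findings:
        by_grant.setdefault(f.grant, []).append(f)
    revoked, for_review = [], []
    for grant, fs in by_grant.items():
        hard = [f for f in fs if f.kind in REVOKE_KINDS]
        (revoked if hard else for_review).append(grant)
        log.record("revoke" if hard else "flag_for_review", (hard or fs)[0], actor, now)
    return revoked, for_review

def run_example() -> dict:
    """Constructed snapshot: two clean grants, a leaver, an expired elevation, a dormant grant, an orphaned NHI."""
    d = lambda days: NOW - timedelta(days=days)
    grants = [
        Grant("alice", "human", "alice", "github:read", "mgr1", "team repo access", None, d(2)),
        Grant("alice", "human", "alice", "deploy:prod-admin", "mgr1", "break-glass for an incident", d(10), d(15)),
        Grant("bob", "human", "bob", "github:read", "mgr1", "team repo access", None, d(40)),
        Grant("carol", "human", "carol", "erp:post", "cfo", "month-end posting", None, None),
        Grant("svc-build", "nhi", "alice", "artifacts:write", "mgr1", "CI publishes build artifacts", None, d(0)),
        Grant("svc-legacy", "nhi", "bob", "db:admin", "mgr2", "legacy migration job", None, d(200)),
    ]
    log = EvidenceLog()
    findings = detect_drift(grants)
    revoked, for_review = remediate(findings, log)
    return {"findings": sorted((f.kind, f.grant.identity) for f in findings),
            "revoked": sorted(g.identity for g in revoked),
            "for_review": sorted(g.identity for g in for_review),
            "evidence_records": len(log.records), "chain_ok": log.verify_chain()}
```

Two design points carry over to a real programme: the approver and justification captured at grant time flow straight into the revocation record, so nothing has to be reconstructed at audit time, and verify_chain() lets an auditor prove the records were not edited or thinned after the fact. In a real deployment the roster and the entitlement snapshot would come from the HRIS and the connected applications' entitlement APIs rather than from in-memory constants, and the detector would run on every lifecycle event rather than once.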


Threat narrative

Attacker objective: The objective is to exploit stale access and hidden privilege so sensitive systems remain reachable long after controls appear to have been satisfied.

  1. Entry begins when access is provisioned correctly but then drifts through role changes, temporary grants, or unfinished offboarding.
  2. Escalation occurs when standing privileges, orphaned accounts, or over-entitled access remain active long after they were justified.
  3. Impact follows when attackers or insiders inherit a wider blast radius than the audit record suggests, allowing abuse to persist between review cycles.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Continuous compliance is a control model, not a reporting layer. Point-in-time audits answer whether access was correct on one date, but they do not preserve correctness after the audit window closes. That makes them unsuitable as the primary control for environments where access changes daily across human users and non-human identities. The practitioner conclusion is straightforward: compliance evidence cannot be separated from continuous enforcement.

Access governance fails when revocation is treated as an event instead of a lifecycle state. The article correctly shows that joiners, movers, leavers, contractors, and NHIs all create ongoing entitlement churn. That is why offboarding, expiry, and review cannot be seasonal activities. The practitioner conclusion is that governance must follow identity lifecycle change continuously, not periodically.

Identity drift is the real control gap behind audit findings and breach blast radius. Once a user, contractor, or service account keeps access longer than intended, the control failure is no longer theoretical. The same drift that produces audit exceptions also expands attacker reach. The practitioner conclusion is that reducing drift is the primary access-governance objective, not a secondary hygiene task.

Right state plus proof at the point of action is the only defensible access model. Continuous compliance works because it couples enforcement and evidence. That pairing matters for IAM, PAM, and NHI governance alike, since each depends on knowing who had what access, when it changed, and whether revocation actually executed. The practitioner conclusion is to design controls that log themselves as they operate.

Access review cadences should confirm a live state, not compensate for a stale one. The article exposes the weakness of treating review cycles as the place where access control finally happens. In mature programmes, reviews verify a state that automation has already maintained. The practitioner conclusion is that review operations should be narrowed to exception handling and assurance, not bulk correction.

From our research:

  • 68% of organisations do not know how to fully address NHI risks, according to our Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
  • For lifecycle controls, see NHI Lifecycle Management Guide for provisioning, rotation, offboarding, and visibility.

What this signals

Continuous compliance will increasingly become the baseline expectation for identity programmes. The market is moving away from periodic certification as the primary assurance mechanism because access no longer behaves like a quarterly event. Programmes that still rely on snapshot evidence will keep discovering drift after the fact, which is too late for both audit confidence and containment discipline.

Identity blast radius is now a governance metric, not just an incident metric. When access persists longer than intended, the organisation inherits a larger reachable surface than its records suggest. That is why the live state of entitlements matters as much as the existence of a policy, especially in environments where human access and NHI access coexist.

Access governance needs a lifecycle lens across people, machines, and delegated credentials. The same operational failure shows up when a leaver keeps a SaaS entitlement, when a service account is left active, or when a temporary grant never expires. Teams that align review, revocation, and evidence around lifecycle events will reduce both audit friction and latent exposure.


For practitioners

  • Move access reviews from correction to confirmation. Use certifications to validate a state that automated provisioning and revocation have already maintained. Keep reviewers focused on exceptions, dormant entitlements, and policy violations rather than bulk cleanup.
  • Automate offboarding across all connected applications. Trigger deprovisioning from joiner-mover-leaver events so leavers, contractors, and temporary users lose access everywhere at the same time. Include SaaS and admin paths that manual workflows often miss.
  • Capture business justification at grant time. Record requester, approver, and purpose when access is approved so the reason for access is preserved before context is lost. This reduces retroactive evidence gathering during audit preparation.
  • Track drift continuously across human and non-human identities. Monitor for dormant accounts, excess privilege, unrevoked contractor access, and stale service accounts in the same control plane. Access drift is a shared governance problem, not a separate human-only issue.
  • Tie remediation playbooks to entitlement events. Make revocation, re-certification, and escalation actions execute from policy triggers rather than manual tickets. That keeps the proof trail attached to the control action and shortens the time to containment.

Key takeaways

  • Point-in-time audits cannot hold access in the right state once the business environment keeps changing.
  • Continuous compliance reduces drift, shortens remediation cycles, and creates evidence as a byproduct of control execution.
  • The practical priority is lifecycle-linked access governance across joiners, movers, leavers, and non-human identities.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-01, PR.AA-05 | Access provisioning and lifecycle control are central to continuous compliance.
OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI5:2025 Overprivileged NHI | Standing access and stale credentials are recurring non-human identity risks.
NIST CSF 2.0 | GV.RM-01 | Governance requires evidence that access controls operate over time, not once.

Continuously validate who has access and revoke entitlements when business need changes.


Key terms

  • Continuous compliance: A control model that keeps access, evidence, and remediation aligned as a permanent operating state. Instead of checking whether controls were correct on a single date, the programme enforces the right access state every day and produces audit evidence as the system runs.
  • Point-in-time audit: A compliance check that certifies whether access controls were correct at one specific moment. It can prove historical state, but it does not preserve correctness after the review closes, which is why drift and hidden privilege often reappear before the next cycle.
  • Identity drift: The gradual mismatch between approved access and real access over time. It includes role creep, orphaned accounts, stale entitlements, and forgotten temporary grants. In mature programmes, drift is the operational signal that governance is slipping behind the live environment.
  • Non-human identity: A machine or software identity such as a service account, API key, token, certificate, workload, or AI agent. These identities act without human pacing, so lifecycle, visibility, and revocation discipline must be explicit rather than assumed.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • The review and remediation workflow design for continuous access compliance across applications and identity sources.
  • The mechanics of policy-driven provisioning, deprovisioning, and time-bound access enforcement in live environments.
  • The evidence-generation workflow that turns access actions into audit-ready records without manual compilation.
  • The product-oriented access management and posture monitoring capabilities that support continuous compliance at scale.

👉 Zluri's full article covers the access-state model, evidence workflow, and monitoring approach in more implementation detail.

Deepen your knowledge

NHI governance, agentic AI identity, machine identity security, and secrets management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-07-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org