TL;DR: MFA and SSO reduce login risk, but they do not answer whether access should exist, how long it should last, or who must review it, according to Zluri. That gap leaves contractors, movers, shadow apps, and privileged accounts outside governance unless identity lifecycle controls are added.
At a glance
What this is: This is an analysis of why MFA and SSO are only authentication layers, and why identity governance is needed to manage access lifecycle, visibility, and accountability.
Why it matters: It matters because IAM teams cannot treat successful login as successful governance when NHI, human, and third-party access still needs review, revocation, and proof.
By the numbers:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
👉 Read Zluri's analysis of why MFA and SSO stop short of access governance
Context
MFA and SSO are authentication controls, not governance controls. They can confirm who is logging in and simplify access routing, but they do not determine whether access is still appropriate, whether it has been reviewed, or whether it should already have been removed. In access management and identity governance, that distinction is the difference between a secure login and a controlled identity programme.
The problem shows up in joiner-mover-leaver flows, contractor access, shadow SaaS, and privileged accounts that linger long after their business purpose has changed. For IAM teams, the gap is not a lack of authentication strength. It is a missing governance layer for who should have access, what they can do, and how that entitlement is proved over time.
That is why lifecycle controls, app discovery, access certification, and entitlement-level oversight matter more than simply adding another login control. The article’s core claim is that modern identity programmes fail when they stop at authentication and never govern post-login access behaviour.
Key questions
Q: What breaks when MFA and SSO are treated as full identity governance?
A: Governance breaks at the post-login stage. MFA and SSO can confirm identity and simplify access, but they do not prove that access is still appropriate, owned, or reviewed. That leaves privilege creep, shadow SaaS, and stale accounts outside control even when authentication looks strong.
Q: Why do access reviews matter if MFA is already in place?
A: MFA reduces login risk, but it does not answer whether the account should retain its permissions. Access reviews matter because they test entitlement validity, ownership, and business need. Without them, organisations can keep legitimate credentials attached to access that no longer belongs there.
Q: How do security teams know whether identity governance is actually working?
A: They should look for evidence that access changes when business context changes. If movers lose old rights, leavers are deprovisioned everywhere, and hidden apps are discovered and certified, governance is working. If reviews produce no removals or no enforcement, the programme is only recording risk.
Q: Who is accountable when access remains active after a role change or exit?
A: Accountability should sit with the system owner, app owner, and governance process, not with authentication alone. If access remains active after a role change or exit, the failure is lifecycle ownership. That is why governance frameworks must define who approves, who certifies, and who remediates.
Technical breakdown
Why MFA and SSO stop at the front door
MFA answers a narrow identity question: is this the right user at login time? SSO answers a routing question: how does that verified user reach connected applications with less credential friction? Neither control measures entitlement scope, ownership, segregation of duties, or ongoing need. That is why organisations can have mature authentication and still carry unmanaged privileged access, direct app logins, and invisible SaaS usage. Identity governance adds the policy and lifecycle layer that sits after authentication, where access decisions actually become risky over time.
Practical implication: treat MFA and SSO as entry controls, then govern entitlements separately with reviews, provisioning rules, and deprovisioning workflows.
Identity governance in joiner-mover-leaver workflows
Joiner-mover-leaver governance is where access becomes operational. A joiner needs role-based provisioning, a mover needs old access removed and new access added, and a leaver needs revocation across every connected system. Without that lifecycle layer, organisations accumulate privilege creep, orphaned access, and inconsistent ownership. In the article’s framing, governance is not a dashboard on top of authentication. It is the control plane that keeps access aligned with business state as people change roles, leave, or interact through external systems.
Practical implication: automate joiner-mover-leaver flows across HR, IAM, and SaaS systems so access changes when the business relationship changes.
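The following is an added example, not code from Zluri or from the NHIMG article: a minimal joiner-mover-leaver reconciler that derives desired access from the HR system of record plus a role policy, diffs it against what the connected systems actually hold, and emits grant/revoke actions. The role policy, HR records, user names and system names are constructed sample data. The point it demonstrates is the one the section makes: a leaver or an orphaned account (no HR record at all) is entitled to nothing, a mover keeps only what the new role justifies, and none of that is decided by whether the account can still authenticate.

```python
"""Joiner-mover-leaver reconciliation (added example; all data below is constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Entitlement = Tuple[str, str]  # (system, right)

# Constructed role policy: the entitlements each business role should hold.
ROLE_POLICY: Dict[str, Set[Entitlement]] = {
    "engineer": {("github", "member"), ("jira", "developer"), ("aws", "dev-readonly")},
    "finance": {("netsuite", "analyst"), ("jira", "viewer")},
}

# Constructed HR system of record. previous_role is set when HR recorded a role change.
HR_RECORDS = {
    "alice": {"status": "active", "role": "engineer", "previous_role": "finance"},  # mover
    "bob": {"status": "active", "role": "finance", "previous_role": None},          # joiner
    "carol": {"status": "terminated", "role": "engineer", "previous_role": None},   # leaver
}

# Constructed view of entitlements currently present in each connected system.
CURRENT_ACCESS: Dict[str, Set[Entitlement]] = {
    "alice": {("netsuite", "analyst"), ("jira", "viewer"), ("github", "member")},
    "carol": {("github", "member"), ("jira", "developer"), ("aws", "dev-readonly")},
    "dave": {("aws", "admin")},  # no HR record at all: orphaned access
}


@dataclass(frozen=True)
class Action:
    user: str
    verb: str  # "grant" or "revoke"
    system: str
    right: str
    reason: str


def classify(user: str, hr: Dict, current: Dict) -> str:
    """Lifecycle state derived from HR (the system of record), never from what the account currently holds."""
    record = hr.get(user)
    if record is None:
        return "orphan"
    if record["status"] != "active":
        return "leaver"
    if user not in current:
        return "joiner"
    return "mover" if record["previous_role"] else "steady-state"


def reconcile(hr: Dict, policy: Dict, current: Dict) -> List[Action]:
    """Diff desired access (HR state + role policy) against observed access and emit the changes."""
    actions: List[Action] = []
    for user in sorted(set(hr) | set(current)):
        state = classify(user, hr, current)
        held = current.get(user, set())
        # Leavers and orphans are entitled to nothing, in every system.
        if state in ("joiner", "mover", "steady-state"):
            desired = policy.get(hr[user]["role"], set())
            role = hr[user]["role"]
        else:
            desired, role = set(), None
        for system, right in sorted(desired - held):
            actions.append(Action(user, "grant", system, right, f"{state}: required by role {role}"))
        for system, right in sorted(held - desired):
            actions.append(Action(user, "revoke", system, right, f"{state}: not justified by current business state"))
    return actions


if __name__ == "__main__":
    for a in reconcile(HR_RECORDS, ROLE_POLICY, CURRENT_ACCESS):
        print(f"{a.verb:6} {a.user:6} {a.system}/{a.right}  ({a.reason})")
```

In a real deployment the three inputs come from different systems (HRIS, the role catalogue, and per-application entitlement exports), and the emitted actions are what the provisioning connectors execute; the reconciler itself stays deliberately stateless so the same run can be replayed as audit evidence of why each grant or revoke happened.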
Shadow SaaS and entitlement visibility beyond the IdP
Identity providers only govern what they can see, and many SaaS tools never pass fully through the central SSO path. That creates a long tail of direct URLs, ad hoc apps, and unmanaged entitlements that authentication controls cannot expose. Governance tools close that visibility gap by discovering apps, mapping roles inside them, and showing not just access to an app but the powers inside it. For IAM teams, that distinction matters because app connectivity alone does not equal entitlement control.
Practical implication: discover apps outside the IdP first, then map who can do what inside them before relying on access reviews.
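As an added illustration (not Zluri's or NHIMG's code), the snippet below takes a constructed extract of application-side audit logs and compares it with the set of apps the IdP knows about. It surfaces the two gaps the section describes that an IdP cannot show on its own: apps that never entered the SSO catalogue at all, and catalogued apps that users reached through a direct password or API-key login, bypassing SSO. It then maps in-app roles per user, so the result is entitlement-level rather than app-level. The app names, users, roles, log lines and the list of which roles count as privileged are all assumptions made for the example.

```python
"""Shadow SaaS and SSO-bypass detection from app audit logs (added example; all data is constructed)."""
import csv
from collections import defaultdict
from io import StringIO
from typing import Dict, List, Set, Tuple

# Constructed: applications integrated with the IdP, i.e. everything SSO can see.
IDP_CATALOG: Set[str] = {"jira", "github", "salesforce"}

# Constructed audit-log extract. auth_method is what the application itself recorded:
# "sso" for an IdP-federated sign-in, "password" for a direct local login, "api_key" for a non-human credential.
OBSERVED_LOGINS = """\
timestamp,app,user,auth_method,app_role
2025-09-01T08:02Z,jira,alice,sso,developer
2025-09-01T08:10Z,github,bob,password,org_admin
2025-09-01T09:00Z,notion,carol,password,workspace_owner
2025-09-01T09:30Z,notion,dave,password,member
2025-09-02T10:15Z,figma,contractor-eve,password,editor
2025-09-02T11:00Z,salesforce,svc-reporting,api_key,system_admin
"""

# Constructed: in-app role names treated as privileged for this example.
PRIVILEGED_ROLES = {"org_admin", "workspace_owner", "system_admin", "owner", "admin"}


def parse_logins(text: str) -> List[dict]:
    return list(csv.DictReader(StringIO(text)))


def entitlement_map(rows: List[dict]) -> Dict[str, Dict[str, Set[str]]]:
    """app -> user -> in-app roles seen. This is the 'powers inside the app', not just app access."""
    m: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for r in rows:
        m[r["app"]][r["user"]].add(r["app_role"])
    return {app: dict(users) for app, users in m.items()}


def find_visibility_gaps(rows: List[dict], idp_catalog: Set[str]) -> Dict[str, Dict[str, Set[str]]]:
    """Two gaps the IdP cannot report: apps outside its catalogue, and catalogued apps reached without SSO."""
    shadow: Dict[str, Set[str]] = defaultdict(set)  # app -> users
    bypass: Dict[str, Set[str]] = defaultdict(set)  # app -> users who skipped the SSO path
    for r in rows:
        if r["app"] not in idp_catalog:
            shadow[r["app"]].add(r["user"])
        elif r["auth_method"] != "sso":
            bypass[r["app"]].add(r["user"])
    return {"shadow_apps": dict(shadow), "sso_bypass": dict(bypass)}


def privileged_outside_governance(rows: List[dict], idp_catalog: Set[str]) -> List[Tuple[str, str, str]]:
    """(app, user, role) where a privileged in-app role is held on a login path the IdP never governed."""
    out = set()
    for r in rows:
        ungoverned = r["app"] not in idp_catalog or r["auth_method"] != "sso"
        if ungoverned and r["app_role"] in PRIVILEGED_ROLES:
            out.add((r["app"], r["user"], r["app_role"]))
    return sorted(out)


if __name__ == "__main__":
    rows = parse_logins(OBSERVED_LOGINS)
    print(find_visibility_gaps(rows, IDP_CATALOG))
    print(privileged_outside_governance(rows, IDP_CATALOG))
```

The ordering matters in practice: run the discovery and the entitlement map first, then scope access reviews to the combined list, otherwise the certification campaign only ever covers the apps the IdP already knew about.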
Threat narrative
Attacker objective: The attacker objective is to exploit valid but poorly governed access to move through systems with credentials that still look legitimate to authentication controls.
- Entry occurs through legitimate authentication using MFA and SSO, which establishes identity but does not validate whether access should exist.
- Escalation happens when stale entitlements, contractor accounts, or shadow SaaS access persist after role changes or offboarding, allowing overprivileged use of valid accounts.
- Impact is realized through unmanaged access to business-critical systems, audit exposure, and an increased blast radius when revocation never happened or was never visible.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Authentication without governance is an incomplete security model. MFA and SSO reduce credential abuse, but they do not answer whether access is still justified, who owns it, or when it should be removed. That is why organisations can look mature at the login layer while remaining weak in access control outcomes. The implication is straightforward: authentication strength cannot be mistaken for governance maturity.
Identity governance is the control layer that closes the post-login gap. The article correctly separates who can sign in from who should keep access, and that is the right boundary for the discipline. Joiner-mover-leaver flows, certification, and entitlement visibility are the mechanisms that keep identity state aligned with business state. For practitioners, the issue is not adding another login tool but governing access after authentication has already succeeded.
Shadow SaaS reveals the limits of IdP-centred thinking. If an application sits outside the SSO path, access is still happening, just without the governance visibility teams assume they have. That creates policy drift, audit gaps, and unmanaged entitlement sprawl across the identity estate. The practical conclusion is that app discovery must extend beyond the directory and into the actual entitlement surface.
Access reviews fail when they are not backed by lifecycle enforcement. A certification process that cannot revoke, downgrade, or reassign access only records risk rather than reducing it. The article points in the right direction by linking reviews to remediation and ownership. For IAM programmes, the lesson is that review without enforcement is documentation, not governance.
Lifecycle awareness is the missing discipline in identity-first architecture. MFA, SSO, and IGA only work as a complete stack when each layer has a distinct job and a handoff that is actually enforced. That is what separates a controlled identity programme from a collection of isolated controls. Practitioners should evaluate their stack on whether it can prove access validity across the full lifecycle, not just at login.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- That gap is why the NHI Lifecycle Management Guide is the right next resource for teams that need lifecycle enforcement, not just authentication.
What this signals
Lifecycle governance is now the differentiator between secure login and secure access. Organisations that stop at MFA and SSO will continue to miss stale entitlements, shadow SaaS, and unused privileged access because the control failure happens after authentication. The practical signal for IAM leaders is whether they can prove removal, not just access issuance, across the full estate.
With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to our Ultimate Guide to NHIs, identity programmes that do not extend beyond the IdP are already behind the threat surface.
Identity visibility debt: as access environments grow, the question shifts from whether users can log in to whether anyone can still explain why they have access. That is the governance burden this article surfaces, and it will increasingly drive audit pressure, access review failures, and remediation backlog for IAM teams.
For practitioners
- Map governance gaps after authentication: Identify where MFA and SSO end and where no system currently owns entitlement review, ownership, or removal across SaaS and internal applications.
- Automate joiner-mover-leaver changes: Connect HR, IAM, and SaaS workflows so role changes and exits trigger access updates automatically instead of waiting on tickets or manual cleanup.
- Discover apps outside the IdP: Inventory direct-login apps, shadow SaaS, and contractor-managed tools that never enter the SSO path, then bring them into governance coverage.
- Tie certifications to enforcement: Require every access review to end in a revocation, downgrade, or reapproval action so certification produces control, not just evidence.
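To make the last point concrete, and the analysis section's observation that a review which cannot revoke, downgrade, or reassign access only records risk, here is an added example (not code from the article or from Zluri) of a certification campaign whose decisions are pushed through an enforcement adapter and whose report distinguishes enforced outcomes from open items. Two failure modes are built in: an entitlement nobody actually certified (no named reviewer), and a revoke against a system the enforcement layer is not connected to. The decisions, reviewer names, systems and the connected-system list are constructed assumptions.

```python
"""Access certification tied to enforcement (added example; all decisions and systems are constructed)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed review decisions from one certification campaign.
DECISIONS: List[dict] = [
    {"user": "alice", "system": "aws", "right": "admin", "reviewer": "app-owner-aws", "decision": "downgrade", "to": "dev-readonly"},
    {"user": "bob", "system": "jira", "right": "developer", "reviewer": "app-owner-jira", "decision": "approve", "to": None},
    {"user": "carol", "system": "github", "right": "org_admin", "reviewer": "app-owner-github", "decision": "revoke", "to": None},
    {"user": "dave", "system": "netsuite", "right": "analyst", "reviewer": None, "decision": "approve", "to": None},
    {"user": "svc-report", "system": "salesforce", "right": "system_admin", "reviewer": "app-owner-sf", "decision": "revoke", "to": None},
]

# Enforcement adapter signature: (user, system, right, downgrade_to) -> True if the change was applied.
Enforcer = Callable[[str, str, str, Optional[str]], bool]


@dataclass
class Outcome:
    decision: dict
    action: Optional[str]  # "revoke", "downgrade", or None for a reapproval
    enforced: bool         # True only when a named owner decided AND any required change was applied
    note: str = ""


def run_campaign(decisions: List[dict], enforce: Enforcer) -> List[Outcome]:
    outcomes: List[Outcome] = []
    for d in decisions:
        if d["reviewer"] is None:
            # An un-reviewed "approve" is silence, not certification; it must stay open.
            outcomes.append(Outcome(d, None, False, "no reviewer: default approval is not certification"))
        elif d["decision"] == "approve":
            outcomes.append(Outcome(d, None, True, "reapproved by named owner"))
        elif d["decision"] in ("revoke", "downgrade"):
            ok = enforce(d["user"], d["system"], d["right"], d["to"])
            outcomes.append(Outcome(d, d["decision"], ok, "" if ok else "enforcement failed: decision is only evidence"))
        else:
            outcomes.append(Outcome(d, None, False, f"unknown decision {d['decision']!r}"))
    return outcomes


def campaign_report(outcomes: List[Outcome]) -> Dict:
    """Governance is measured by enforced change, not by the number of decisions recorded."""
    total = len(outcomes)
    removals = sum(1 for o in outcomes if o.action and o.enforced)
    open_items = [(o.decision["user"], o.decision["system"], o.note) for o in outcomes if not o.enforced]
    return {
        "decisions": total,
        "enforced_removals_or_downgrades": removals,
        "removal_rate": removals / total if total else 0.0,
        "open_items": open_items,
        "closed": removals > 0 and not open_items,
    }


# Constructed enforcement adapter: salesforce is deliberately left unconnected to show the failure mode.
CONNECTED_SYSTEMS = {"aws", "jira", "github"}


def demo_enforce(user: str, system: str, right: str, to: Optional[str]) -> bool:
    return system in CONNECTED_SYSTEMS


if __name__ == "__main__":
    print(campaign_report(run_campaign(DECISIONS, demo_enforce)))
```

A campaign that ends with open items is reported as not closed, which is the behaviour the guidance asks for: the review is not done until the owner has decided and the change has actually landed in the target system.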
Key takeaways
- MFA and SSO improve authentication, but they do not govern entitlement validity, ownership, or lifecycle removal.
- The operational risk is not login failure; it is stale access, shadow SaaS, and privilege creep that remain after login succeeds.
- IAM teams need governance that can discover, review, and enforce access changes across the full lifecycle, not just at the front door.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The article centres on stale access and lifecycle failures in identity governance. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access and account review are central to the post-login governance gap. |
| NIST Zero Trust (SP 800-207) | AC-1 | Zero Trust requires continuous verification beyond initial authentication. |
Map lifecycle cleanup and review processes to NHI-03 and enforce revocation when access is no longer justified.
Key terms
- Identity Governance: Identity governance is the discipline of controlling who should have access, what they can do, and how long that access should remain valid. It extends beyond authentication by adding lifecycle controls, approvals, certification, and remediation so access remains aligned to business need and audit expectations.
- Joiner-Mover-Leaver: Joiner-Mover-Leaver is the lifecycle model used to manage access when people are hired, change roles, or leave. In practice, it ensures new access is provisioned correctly, old access is removed promptly, and entitlement drift does not accumulate across systems or applications.
- Shadow SaaS: Shadow SaaS is software used outside approved IT and identity controls, often without full visibility in the directory or SSO layer. It creates governance blind spots because access may exist, but the organisation cannot easily certify ownership, enforce policy, or prove removal.
- Access Certification: Access certification is the periodic review of entitlements to confirm whether access is still justified. It becomes meaningful only when review decisions can trigger removal, downgrade, or reapproval, otherwise it produces evidence without reducing risk.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: Access Management Identity Governance and why MFA and SSO are not enough. Read the original.
Published by the NHIMG editorial team on 2025-09-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org