By NHI Mgmt Group Editorial Team. Published 2026-04-01. Domain: Governance & Risk. Source: Zluri

TL;DR: Modern IGA platforms govern what they can see, but most organisations still miss a large share of their real application and access footprint, according to Zluri's analysis of visibility-first access management. The governance case is no longer about better workflows alone; it is about discovering the full scope before automation and reviews can be trusted.


At a glance

What this is: This analysis argues that access visibility, not governance workflow automation, is the missing foundation of effective identity governance and access management.

Why it matters: It matters because IAM, NHI, and lifecycle programmes can only provision, review, and revoke access across the systems they can actually discover.

By the numbers:

👉 Read Zluri's analysis of why visibility-first access management beats governance-first


Context

Access visibility is the ability to see what applications exist, which identities can reach them, and how that access is being used. Zluri's argument is that governance-first IAM fails when the inventory is incomplete, because reviews, provisioning, deprovisioning, and compliance all depend on an accurate access map.

The broader identity governance problem is not that teams lack policy or workflow tools. It is that shadow applications, unmanaged SaaS adoption, and invisible access paths leave large portions of the environment outside the scope of those tools. That creates a structural gap between what the programme controls and what the business actually uses.


Key questions

Q: What breaks when identity governance starts before access visibility?

A: Governance breaks at the scope layer. Access reviews, provisioning, and offboarding can only operate on systems already in the inventory, so unknown applications and hidden accounts remain outside control. The result is a programme that looks mature on paper but leaves material access risk untouched.

Q: Why do SaaS environments make access governance harder than traditional directories?

A: SaaS adoption happens outside central control through direct signups, free tiers, departmental purchases, and personal accounts used for work. That fragments the access picture across multiple systems and makes any single source, including SSO, incomplete. Governance becomes harder because the environment changes faster than manual inventory methods can keep up.

Q: How do teams know whether access visibility is actually working?

A: They can answer who has access to what across the full environment, including shadow applications, dormant accounts, service accounts, and privileged users. If the team still has to guess when asked for a complete access footprint, visibility is still partial and the governance programme is still operating on incomplete data.

Q: Who is accountable when hidden applications remain outside governance scope?

A: Accountability sits with the programme owners who accepted partial scope as if it were complete. IAM, IGA, security, and compliance leaders all share responsibility for proving that discovery covers the full estate before they certify access controls or sign off on audits.


Technical breakdown

Why governance-first IAM breaks without discovery

Governance-first IAM assumes the application inventory is already accurate, then applies provisioning, review, and deprovisioning workflows to that known set. In modern SaaS environments, that assumption fails because employees can adopt tools directly, bypass procurement, or use free tiers that never enter central records. The result is an identity programme that automates scope control for known systems while leaving unknown systems unmanaged. Access visibility changes the sequence by discovering applications and access relationships before governance logic is applied.

Practical implication: Treat discovery as the control boundary, not a pre-check. If the application is not visible, it is not governable.

Why SSO, procurement, and surveys each miss different access paths

Single sign-on logs only show activity that flows through the identity provider, procurement records only show purchased software, and employee surveys depend on memory and honesty. None of those sources can fully represent direct signups, personal accounts used for work, dormant accounts, or service accounts. That is why visibility built from one telemetry source tends to produce false confidence. The technical requirement is to correlate multiple signals into a single access graph, rather than treating any one source as complete.

Practical implication: Correlate identity provider, finance, endpoint, and application telemetry before you certify scope or automate offboarding.

Complete access mapping exposes the hidden governance surface

Complete access mapping links each identity to each application, permission level, grant source, and usage pattern. That matters because governance failures often hide in relationships, not in single accounts. A user may look compliant in one system while retaining dormant admin access in another. The same pattern appears in NHI estates when service accounts or API keys persist without a clear owner or usage signal. Visibility-first programmes turn those hidden relationships into reviewable, revocable evidence.

Practical implication: Build access reviews around identity-to-application relationships, not isolated account lists.
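The two points above (correlating several telemetry sources into one access graph, and reviewing identity-to-application relationships rather than account lists) can be made concrete with a small correlation script. The code below is an added example, not Zluri's or NHIMG's own tooling; every input record is constructed sample data, and the "svc-" naming convention used to recognise service accounts is an assumption. It merges SSO logs, finance records, endpoint telemetry and application admin exports into one graph, then reports apps outside SSO, dormant or unevidenced access, and NHIs with no recorded owner.

```python
"""Correlate multiple telemetry sources into one identity-to-application access
graph and surface the hidden governance surface: applications outside SSO,
dormant access, and service accounts (NHIs) without an owner.

Added example; all records below are constructed sample data, not real telemetry.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# --- Constructed sample telemetry -------------------------------------------
# SSO / identity-provider logs: (identity, app, last_login)
SSO_LOGS = [
    ("alice", "crm", "2026-03-28"),
    ("bob", "crm", "2025-09-01"),           # no login for months
    ("alice", "wiki", "2026-03-30"),
]
# Finance records: (app, expensed_by, expense_date). A purchase proves an app
# exists but says nothing about who can log in to it.
FINANCE_RECORDS = [
    ("crm", "procurement", "2026-01-15"),
    ("designtool", "bob", "2026-02-10"),    # departmental card purchase, never in SSO
]
# Endpoint telemetry: (identity, app, last_seen) from browser/agent data
ENDPOINT_TELEMETRY = [
    ("carol", "notes-saas", "2026-03-29"),  # free-tier direct signup
    ("bob", "designtool", "2026-03-20"),
]
# Application admin-console exports: (identity, app, permission, owner)
APP_ADMIN_EXPORTS = [
    ("bob", "billing", "admin", None),
    ("svc-deploy", "ci", "admin", None),    # service account with no owner on record
    ("svc-reports", "crm", "read", "alice"),
]

@dataclass
class AccessEdge:
    identity: str
    app: str
    sources: set[str] = field(default_factory=set)
    permission: str = "unknown"
    last_used: date | None = None
    owner: str | None = None

    @property
    def is_nhi(self) -> bool:
        # Assumption: service accounts follow a "svc-" naming convention.
        return self.identity.startswith("svc-")

@dataclass
class AccessGraph:
    edges: dict[tuple[str, str], AccessEdge] = field(default_factory=dict)
    app_sources: dict[str, set[str]] = field(default_factory=dict)

    def note_app(self, app: str, source: str) -> None:
        self.app_sources.setdefault(app, set()).add(source)

    def touch(self, identity, app, source, seen=None, permission=None, owner=None):
        # Merge one observation into the identity->app edge, keeping the newest usage date.
        self.note_app(app, source)
        edge = self.edges.setdefault((identity, app), AccessEdge(identity, app))
        edge.sources.add(source)
        if seen and (edge.last_used is None or seen > edge.last_used):
            edge.last_used = seen
        if permission:
            edge.permission = permission
        if owner:
            edge.owner = owner

def build_access_graph(sso, finance, endpoint, admin) -> AccessGraph:
    g = AccessGraph()
    for identity, app, last in sso:
        g.touch(identity, app, "sso", seen=date.fromisoformat(last))
    for app, _payer, _when in finance:
        g.note_app(app, "finance")  # app-level evidence only, no identity edge
    for identity, app, last in endpoint:
        g.touch(identity, app, "endpoint", seen=date.fromisoformat(last))
    for identity, app, perm, owner in admin:
        g.touch(identity, app, "app-admin", permission=perm, owner=owner)
    return g

def classify_apps(g: AccessGraph) -> dict[str, str]:
    """governed = seen in SSO; sso-gap = procured but not in SSO; shadow = neither."""
    out = {}
    for app, srcs in g.app_sources.items():
        out[app] = "governed" if "sso" in srcs else "sso-gap" if "finance" in srcs else "shadow"
    return out

def find_dormant_access(g: AccessGraph, as_of: date, max_idle_days: int = 90):
    """Edges idle longer than the threshold, or with no usage evidence in any source."""
    findings = []
    for e in g.edges.values():
        if e.last_used is None:
            findings.append((e.identity, e.app, "no usage signal"))
        elif (as_of - e.last_used).days > max_idle_days:
            findings.append((e.identity, e.app, f"idle {(as_of - e.last_used).days} days"))
    return findings

def find_unowned_nhis(g: AccessGraph):
    return [(e.identity, e.app) for e in g.edges.values() if e.is_nhi and e.owner is None]

if __name__ == "__main__":
    graph = build_access_graph(SSO_LOGS, FINANCE_RECORDS, ENDPOINT_TELEMETRY, APP_ADMIN_EXPORTS)
    print("apps:", classify_apps(graph))
    print("dormant:", find_dormant_access(graph, date(2026, 4, 1)))
    print("unowned NHIs:", find_unowned_nhis(graph))
```

Each finding keeps the relationship (identity, app, reason) rather than a bare account name, which is what an access review needs in order to revoke the specific grant. Edges that appear only in an admin export with no usage from SSO or endpoint data are reported as "no usage signal" rather than silently treated as active, since the absence of evidence is exactly the gap the surrounding text warns about.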



NHI Mgmt Group analysis

Access visibility is not an enhancement to identity governance. It is the prerequisite that determines whether governance is real or performative. A programme that can only review known applications is not governing the environment, only the subset it has mapped. That distinction matters across human access, service accounts, and workload identities because the same blind spot lets dormant privilege persist in every actor class. Practitioners should treat incomplete visibility as a scope failure, not a workflow issue.

Visibility-first changes the identity operating model because governance can no longer start from policy alone. Modern SaaS and AI-adjacent adoption patterns mean access can appear outside procurement, outside SSO, and outside formal provisioning. That forces IAM and IGA teams to reframe inventory as a live control surface, not a periodic reconciliation exercise. The implication is clear: scope definition now has to be evidence-led, or the programme will always lag reality.

Access visibility creates the only trustworthy basis for lifecycle governance across human and non-human identities. Joiner-mover-leaver processes, access reviews, and offboarding all fail when the environment is only partially known. This is especially visible with service accounts and other NHIs, where ownership and usage signals are often weaker than for people. The practitioner conclusion is that lifecycle controls must be built on continuous discovery, not assumed completeness.

Identity blast radius becomes measurable only after the hidden application estate is surfaced. Once teams can see every app and every access path, they can separate high-risk systems from low-value shadow tools and prioritise governance accordingly. That is the point where access management stops being administrative hygiene and starts becoming risk reduction. Practitioners should use visibility to rank remediation by exposure, not by ticket order.

Shadow IT is now an identity governance problem as much as a procurement problem. The article shows that unmanaged SaaS adoption undermines access reviews, offboarding, and compliance scope at the same time. The field should stop treating unknown applications as edge cases and start treating them as the normal operating condition in distributed environments. Practitioners should expect the majority of access risk to sit outside the systems they thought they controlled.

From our research:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • For a lifecycle view, see NHI Lifecycle Management Guide for how discovery, ownership, and offboarding fit into a continuous governance model.

What this signals

Access visibility is becoming the control plane for lifecycle governance. Teams that still rely on quarterly reviews will keep missing the applications and identities that never enter the review queue, especially where SaaS and shadow IT expand faster than manual inventory. For a broader control baseline, align programme design with the NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10 where non-human access is involved.

Shadow applications should now be treated as identity evidence, not procurement noise. Once teams connect finance, identity, and endpoint telemetry, they can expose dormant access and unknown systems before an audit or incident forces the issue. The practical shift is toward continuous discovery, because the access footprint is now too dynamic for static certification cycles.

Identity blast radius becomes manageable only after visibility makes the hidden estate measurable. That is where governance moves from generic hygiene to risk-based prioritisation, with high-sensitivity systems and privileged access reviewed first. Organisations that do not build this view will keep automating the wrong slice of their environment.


For practitioners


Key takeaways

  • Access governance fails when the application inventory is incomplete, because controls cannot be applied to systems the programme has not discovered.
  • Visibility gaps are not minor inefficiencies; they are the reason shadow applications, dormant accounts, and unmanaged access persist across SaaS-heavy environments.
  • Teams should build lifecycle and governance processes on continuous discovery so reviews, offboarding, and prioritisation reflect the real estate, not a partial snapshot.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework (Control / Reference): Relevance

  • NIST CSF 2.0 (PR.AC-4): Access permissions management depends on knowing the full application estate.
  • OWASP Non-Human Identity Top 10 (NHI-01): Visibility gaps expose unknown NHIs and unmanaged access paths.
  • NIST Zero Trust (SP 800-207): Zero Trust depends on continuous verification across every access path.

Use continuous discovery so access decisions are based on current evidence, not partial inventory.


Key terms

  • Access Visibility: Access visibility is the ability to see the full set of applications, identities, permissions, and usage patterns across an environment. In practice, it is the discovery layer that tells IAM and IGA teams what actually exists before they try to govern or revoke access.
  • Shadow Application: A shadow application is a tool adopted outside central IT or governance processes, often through direct signup, departmental purchase, or a free-tier account. These applications create hidden access paths that standard provisioning, review, and offboarding workflows do not reliably cover.
  • Complete Access Mapping: Complete access mapping is the process of linking each identity to its applications, permissions, access source, and usage state. It turns isolated account records into a governance view that can reveal dormant access, excessive privilege, orphaned accounts, and hidden risk.

What's in the full article

Zluri's full analysis covers the operational detail this post intentionally leaves for the source:

  • A phased 30-day visibility implementation timeline across identity, finance, endpoint, and API sources
  • Practical discovery methods for shadow SaaS, including SSO gaps, direct signups, and free-tier tools
  • Examples of how access visibility changes provisioning, deprovisioning, and access review scope
  • Metrics for measuring application sprawl, dormant access, and governance coverage after discovery

👉 Zluri's full post covers the discovery model, control gaps, and 30-day implementation approach

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org