By NHI Mgmt Group Editorial Team
Published 2025-12-10
Domain: Governance & Risk
Source: SailPoint

TL;DR: Activity Insights adds usage and activity context to access certifications, access history, and access modeling so reviewers can compare login patterns, identify inactivity, and make tighter least-privilege decisions, according to SailPoint. The real issue is not more data, but whether identity governance can turn activity evidence into consistent, defensible access decisions.


At a glance

What this is: This is SailPoint’s explanation of Activity Insights, a capability that adds usage and activity context to identity governance decisions.

Why it matters: It matters because IAM teams often certify access on entitlement data alone, while usage evidence can change revocation, role design, and license decisions across NHI, autonomous, and human identity programmes.

By the numbers:

  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.



Context

Access governance gets weaker when reviewers can see entitlements but not actual use. Activity data closes part of that gap by showing whether access is being exercised, how patterns compare with peers, and whether a permission looks stale enough to remove. For IAM and IGA teams, the core question is not whether data exists, but whether it changes decisions at the point of certification.

SailPoint’s framing is fundamentally about identity governance, not analytics for its own sake. The value lies in moving access review from static entitlement checks toward evidence-based decisions that can support least privilege, reduce excess access, and surface dormant permissions before they become persistent risk.


Key questions

Q: How should IAM teams use activity data in access reviews?

A: IAM teams should treat activity data as a decision support signal, not an automatic approval or denial rule. Use last-use dates, login frequency, and peer comparisons to validate whether access is still needed, then document the business reason when an entitlement remains despite low use. That makes certifications more defensible and less dependent on assumption.

Q: When does dormant access become a governance problem?

A: Dormant access becomes a governance problem when reviewers cannot explain why it still exists or when it survives multiple certification cycles without meaningful use. At that point, the entitlement is no longer tied to a clear business outcome and should move into exception handling, investigation, or removal.

Q: What do security teams get wrong about usage-based access decisions?

A: Teams often confuse technical assignment with actual need. An entitlement can be present because of a role, group, or inherited permission even if nobody uses it. If review processes do not check real activity, they preserve access based on structure rather than evidence, which weakens least privilege.

Q: Should access modelling rely on entitlement data alone?

A: No. Entitlement data is useful for understanding how access is structured, but it can overstate demand and hide unused permissions. Activity context helps teams separate what is assigned from what is exercised, which improves role design, cleanup decisions, and long-term governance quality.


Technical breakdown

Activity data in access certifications

Activity data augments certification workflows by adding observed use to entitlement ownership. Instead of asking only whether a user technically has access, reviewers can see how often the resource has been used, whether the pattern is consistent with peer behaviour, and whether the entitlement appears inactive. This matters because certifications based only on entitlement lists often preserve access that is no longer operationally needed. Activity evidence does not replace ownership or business justification, but it gives reviewers a stronger basis for revoke, retain, or investigate decisions.

Practical implication: use usage evidence as a second control signal during certification, not as a standalone approval rule.

Access history and entitlement usage trends

Access history turns point-in-time reviews into a behavioural record across entitlements, roles, and application use. That allows identity teams to ask whether access was used after grant, whether activity declines over time, and whether patterns are cyclical or anomalous. The technical value is forensic context. If access was granted for a project but never exercised, or if usage falls off after a role change, the history becomes a signal for cleanup. This is especially useful in large environments where recertification without usage context becomes a compliance exercise rather than a governance control.

Practical implication: retain historical usage evidence long enough to support recertification, audit, and role rationalisation decisions.

Access modeling with activity signals

Traditional role mining and access modeling often rely on entitlement co-occurrence, which can overfit to what people were assigned rather than what they actually used. Activity Insights adds another dimension by showing source-level usage frequency, helping administrators distinguish assigned access from exercised access. That improves role design because inactive entitlements can be removed from candidate roles and heavily used access can be retained where business need is demonstrated. The mechanism is still governance, but the evidence base is operational behaviour rather than assignment history alone.

Practical implication: recalibrate role mining and entitlement cleanup using usage frequency, not entitlement prevalence alone.


NHI Mgmt Group analysis

Activity evidence turns access review from assertion to verification. Identity programmes routinely ask business owners to certify access they cannot actually observe in use. That assumption fails when permissions are granted in bulk, inherited through roles, or left untouched after the original project ends. The implication is not more review volume, but a different evidence model for governance decisions.

Least privilege is only defensible when access can be evaluated against actual behaviour. Entitlement data tells you what could happen, not what is happening. When activity context is missing, dormant access looks the same as active access and reviewers are forced to approve from incomplete evidence. Practitioners should treat usage context as part of the governance baseline, not an optional enrichment.

Activity Insights creates an identity blast radius lens for human access governance. The real governance gain is not just revocation of stale access, but earlier visibility into over-assigned access that never becomes operationally justified. That makes certification, access history, and role maintenance part of the same control chain rather than separate administrative tasks.

Usage staleness: This is the gap between entitlement ownership and observed use, and it is where unnecessary access tends to persist. Activity Insights highlights that staleness can be measured rather than guessed. When access has not been used for long periods, the governance question changes from approval to business necessity, which is a better standard for IAM teams.

From our research:

  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
  • The average estimated time to remediate a leaked secret is 27 days, even though 75% of organisations express strong confidence in their secrets management capabilities.
  • For a broader governance view, compare this pattern with Ultimate Guide to NHIs for lifecycle controls and review discipline.

What this signals

Usage-based governance is becoming the missing layer between entitlement approval and actual privilege control. As identity estates grow, certification quality increasingly depends on whether reviewers can see evidence of use, not just evidence of assignment. That is why activity context is now part of the operational baseline for mature IAM and IGA programmes.

The same pattern shows up across secrets, workload identity, and human access governance: static ownership tells only part of the story. When teams cannot measure actual use, they tend to preserve stale access, stale roles, and stale exceptions. For readers building governance maturity, the next step is to align certification, role maintenance, and exception handling around observed behaviour.

A useful comparator is the Ultimate Guide to NHIs, especially where lifecycle discipline and access review timing intersect with machine and workload identities.


For practitioners

  • Use activity data as a revocation trigger: require reviewers to check last-use dates and usage frequency before certifying access. If an entitlement shows no meaningful activity, route it for investigation or removal rather than default approval.
  • Rebuild access reviews around evidence quality: separate entitlements that are technically assigned from those that are actively exercised. Give application owners clear rules for when inactivity justifies removal, exception handling, or a follow-up business review.
  • Tune role models with usage patterns: feed activity trends into role maintenance so access models reflect how applications are actually used. Remove unused entitlements from role candidates and investigate cyclical or inconsistent use that suggests role drift.
  • Keep historical activity long enough for governance: retain access history across certification cycles so reviewers can compare current use with prior behaviour. Without that history, teams lose the evidence needed to defend revocation decisions and clean up stale access.
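The practitioner steps above and the technical breakdown (certification decisions from last-use dates and peer comparison, and role mining driven by usage frequency rather than entitlement prevalence) as one added worked example in Python. This is illustrative code written for this page, not SailPoint's Activity Insights implementation or API; the 90-day staleness threshold, the quarter-of-peer-median rule, the 50% active-holder share for role candidates and the sample assignments are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

STALE_DAYS = 90  # assumed staleness threshold; tune per application
@dataclass
class Assignment:
    identity: str
    entitlement: str
    peer_group: str
    last_used: Optional[date]  # None means never exercised since grant
    uses_90d: int              # observed uses in the last 90 days

def certify(a, peers, today):
    """Decision-support signal for one certification item: (decision, reason).
    A reviewer still records the business justification for anything retained."""
    if a.last_used is None:
        return "investigate", "never used since grant"
    idle = (today - a.last_used).days
    if idle > STALE_DAYS:
        return "revoke", f"idle {idle}d exceeds {STALE_DAYS}d"
    peer_uses = [p.uses_90d for p in peers if p.identity != a.identity
                 and p.peer_group == a.peer_group and p.entitlement == a.entitlement]
    if peer_uses and median(peer_uses) > 0 and a.uses_90d < 0.25 * median(peer_uses):
        return "investigate", f"{a.uses_90d} uses vs peer median {median(peer_uses):g}"
    return "retain", f"active, {a.uses_90d} uses in 90d"

def role_candidates(assignments, group, min_active_share=0.5):
    """Usage-based role mining: an entitlement stays in the candidate role for `group`
    only if enough holders exercised it, so prevalence alone cannot embed dormant access."""
    holders, active = defaultdict(int), defaultdict(int)
    for a in assignments:
        if a.peer_group == group:
            holders[a.entitlement] += 1
            active[a.entitlement] += int(a.uses_90d > 0)
    return sorted(e for e, n in holders.items() if active[e] / n >= min_active_share)

# Constructed sample data for a hypothetical 'sales' peer group, not from any real tenant.
TODAY = date(2025, 12, 10)
SAMPLE = [
    Assignment("alice", "crm:admin", "sales", date(2025, 12, 8), 40),
    Assignment("bob", "crm:admin", "sales", date(2025, 12, 1), 35),
    Assignment("carol", "crm:admin", "sales", date(2025, 11, 30), 3),
    Assignment("dave", "crm:admin", "sales", date(2025, 7, 1), 0),
    Assignment("erin", "erp:export", "sales", None, 0),
    Assignment("frank", "erp:export", "sales", None, 0),
    Assignment("carol", "erp:export", "sales", date(2025, 12, 9), 2),
]
```

Running certify over SAMPLE flags dave for revocation, erin and carol's crm:admin for investigation, and keeps the rest; role_candidates drops erp:export from the sales role because only one of three holders uses it.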

Key takeaways

  • Activity Insights shifts access governance from entitlement checking to evidence-based review.
  • The main value is not more data, but better decisions about whether access is still operationally justified.
  • IAM teams should use usage history to tighten certifications, clean up roles, and remove access that no longer serves a business need.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
NIST CSF 2.0                    | PR.AC-4             | Access review and permission management are central to this activity-based governance use case.
NIST Zero Trust (SP 800-207)    | 6.3                 | Continuous verification aligns with checking real use rather than assuming entitlement equals need.
OWASP Non-Human Identity Top 10 | NHI-03              | Unused or stale credentials and access patterns are part of the wider identity governance problem.

Use activity evidence to validate entitlements during access reviews and remove permissions that are no longer justified.


Key terms

  • Activity Insights: Activity Insights is identity governance functionality that adds observed usage information to access decisions. It helps reviewers see whether access is actually being used, how often it is used, and whether patterns suggest that a permission should be retained, investigated, or removed.
  • Access Certification: Access certification is the governance process where an owner reviews whether a user should keep an entitlement, role, or application permission. It is meant to confirm business need, but it becomes stronger when review decisions are informed by actual usage evidence instead of assignment history alone.
  • Access History: Access history is the record of how identity entitlements, roles, and related access items have been used over time. It provides forensic and governance context, allowing teams to compare current use with past behaviour and detect access that no longer has a clear operational purpose.
  • Role Modeling: Role modeling is the process of designing and maintaining roles based on how access is structured and used. When activity evidence is included, it can reduce role drift by showing which entitlements are actually exercised and which ones should not remain embedded in a role.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by SailPoint: Reduce risk and improve security with Activity Insights. Read the original.
