TL;DR: Oleria says its Adaptive Identity Governance platform can deploy in under an hour and uses continuous identity, entitlement, and activity data to replace static role models and infrequent review cycles, while the company positions the approach for environments spanning SaaS, machine identities, and AI agents. The underlying shift is that governance based on periodic certification is now too slow for mixed identity estates.
At a glance
What this is: Oleria's announcement argues that identity governance should shift from periodic review cycles to continuous, data-first decisioning across human and non-human identities.
Why it matters: That matters because IAM teams now have to govern access across people, workloads, and AI systems with one control model, not separate review processes that drift out of sync.
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.
Context
Adaptive identity governance is the idea that access decisions should reflect current identity, entitlement, and activity data rather than static roles or infrequent review cycles. In Oleria's framing, that shift is meant to help teams manage human users, machine identities, and AI agents in the same operating model, which is exactly where legacy IGA tends to fragment.
The governance gap is not just operational overhead. When entitlement data is siloed and reviews happen on a schedule, security teams can certify stale access that no longer matches how work is actually executed, especially in SaaS-heavy environments with growing non-human identity populations.
Key questions
Q: How should security teams govern access when identity data changes faster than review cycles?
A: Security teams should move from periodic certification to continuous governance that correlates entitlements with live identity and activity data. That lets approvers see whether access is still justified at the moment of review, rather than certifying stale permissions based on a prior snapshot. The goal is defensible access decisions, not more review traffic.
Q: Why do static role models break down in SaaS-heavy identity environments?
A: Static role models break down because SaaS entitlements change more quickly than traditional IGA cycles can capture. When the same user, workload, or AI-driven process can gain and lose access across multiple applications in short order, role assignment stops being a reliable proxy for actual need. Activity context becomes necessary to explain entitlement.
Q: What do security teams get wrong about access reviews?
A: Teams often treat access reviews as proof of control, when they are really only a point-in-time check. If reviewers cannot see current activity and business context, they may approve access that is technically valid but operationally obsolete. The better test is whether the governance model can explain why access still exists.
Q: How do organisations reduce privilege creep across human and non-human identities?
A: Organisations reduce privilege creep by tying lifecycle events to access revalidation and by removing standing access that no longer has a live business justification. That applies across people, service accounts, and other non-human identities. Continuous evidence is what keeps privilege from accumulating silently between scheduled reviews.
How it works in practice
Continuous identity intelligence versus periodic certification
Traditional identity governance systems depend on snapshots. They collect entitlement data, route review workflows, and ask approvers to certify access at a point in time. That model works poorly when the underlying environment changes faster than the review cadence. A continuous identity intelligence layer instead correlates identity, entitlement, and activity data so that governance decisions can be evaluated against current usage patterns. The technical shift is from static evidence collection to ongoing context aggregation across cloud, SaaS, on-premises, and custom applications.
Practical implication: replace review-only governance with telemetry that can explain why access exists at the moment it is being used.
Why activity data changes the access decision
Activity data gives governance teams evidence of whether access is actually exercised, by whom, and under what business context. That matters because entitlement alone rarely shows whether access is justified, while activity alone can miss whether an entitlement is overbroad. Combined with peer insights, the decision model becomes more defensible because it compares access against observed usage patterns and role norms rather than against an abstract role catalog. This is especially relevant in mixed estates where human, workload, and AI-driven access patterns overlap.
Practical implication: use activity evidence to flag entitlements that are technically valid but operationally unjustified.
Adaptive governance for SaaS, machine identities, and AI agents
The article ties adaptive governance to a broad enterprise estate that includes SaaS applications, machine identities, and AI agents. That combination matters because each actor type creates different identity signals, but the governance question is the same: who has access to what, and is that access still justified. In practice, this pushes IAM programmes toward evidence-based policy enforcement rather than separate manual processes for each system class. The architecture described is less about replacing identity tools and more about unifying the governance layer above them.
Practical implication: design one governance plane that can interpret multiple identity types without relying on manual exception handling.
NHI Mgmt Group analysis
Continuous governance is becoming the control plane for mixed identity estates. Static role models and periodic reviews were built for slower identity change. As SaaS sprawl, machine identities, and AI agents expand the number of entitlements that can change between review cycles, the governance problem shifts from certification volume to evidence freshness. Practitioners should treat access justification as a continuous signal, not a quarterly event.
Legacy IGA breaks where entitlement evidence is detached from real activity. A review process that cannot see whether access is actually used cannot prove whether access is justified. That is why activity data is becoming central to governance design, especially when human, NHI, and AI-driven access all coexist in the same workflow. The implication is that access governance has to be measured against observed behaviour, not just assigned privilege.
Adaptive Identity Governance is a named concept for a broader market change. The real shift is not a new user interface or faster deployment, but the move from static certification to context-aware access judgment across multiple identity classes. That matters because IAM teams are being forced to reconcile operational speed with defensible governance in one model. The practitioner takeaway is to evaluate governance tools by how well they explain access in motion.
Lifecycle governance is no longer separable from access governance. The article links continuous least privilege with automated lifecycle governance, which reflects how joiner, mover, and leaver controls now affect both human and non-human identities. That matters because access drift is no longer confined to annual recertification. The implication is that lifecycle processes and access reviews need to be treated as one governance system, not two disconnected workflows.
AI agents widen the governance question beyond service accounts. When the estate includes AI agents, entitlement review alone is not enough because the actor can make runtime choices inside the identity boundary. The importance for the field is that governance models must be able to explain not only what access exists, but how an autonomous or semi-autonomous actor uses it. Practitioners should reassess whether current identity controls describe behaviour or only assignment.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly one exposed identity can become a repeat problem.
- For a broader view of why identity lifecycle discipline matters, see the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, for the operational model behind provisioning, rotation, and offboarding.
What this signals
Adaptive Identity Governance is a signal that identity programmes are being reweighted toward evidence freshness. If entitlements and activity are not reconciled continuously, review outcomes will lag the environment they are meant to govern. Teams should expect pressure to shorten review loops, improve telemetry quality, and connect governance to real usage rather than static assignment.
The practical bar is rising for mixed estates that include SaaS, machine identities, and AI-assisted workflows. With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security, governance models that depend on manual discovery will continue to underperform.
Access justification debt: this is the accumulation of entitlements that cannot be explained by current activity or lifecycle state. The programme implication is that identity teams will need evidence-backed recertification, not just cleaner workflows, if they want to keep pace with fast-moving access sprawl.
For practitioners
- Map entitlement evidence to current activity data: Correlate identity, entitlement, and activity logs before access reviews so certifiers can judge whether privileges are still justified. Start with applications that have the highest access churn and the weakest review evidence.
- Collapse fragmented review workflows into one governance view: Unify human and non-human access review processes where the same application estate is supporting both. This reduces duplicate approvals, makes exceptions easier to trace, and improves the defensibility of recertification outcomes.
- Treat lifecycle events as governance triggers: Use joiner, mover, and leaver changes to prompt reassessment of standing access, especially where machine identities or AI-assisted workflows inherit entitlements indirectly. That helps catch privilege drift before the next scheduled review.
- Require an explanation for every high-risk entitlement: Document why elevated access exists, which business activity justified it, and what evidence will be used to revalidate it. For additional context on lifecycle governance, see the Ultimate Guide to NHIs and the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs.
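As an added illustration of the practices above (the correlation of entitlement, activity and lifecycle evidence described under "How it works in practice" and in the first three practitioner items), the script below computes an access-justification verdict for each entitlement in a small estate that mixes human users, a service account and an AI agent. It is example code, not Oleria's product or anything from the article; the identities, applications, permission ordering, telemetry coverage set and 30-day window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

RANK = {"read": 0, "write": 1, "admin": 2}  # hypothetical permission ordering
@dataclass(frozen=True)
class Entitlement:
    identity: str    # human user, service account or AI agent
    app: str
    permission: str
    lifecycle: str   # "active", "mover" or "leaver"
def justify(entitlements, activity, now, covered_apps, window_days=30):
    """Return {(identity, app, permission): verdict}; activity rows are (identity, app, perm, ts)."""
    cutoff = now - timedelta(days=window_days)
    used = {}  # (identity, app) -> highest permission rank exercised in window
    for ident, app, perm, ts in activity:
        if ts >= cutoff:
            used[(ident, app)] = max(used.get((ident, app), -1), RANK[perm])
    verdicts = {}
    for e in entitlements:
        seen = used.get((e.identity, e.app))
        if e.lifecycle == "leaver":
            v = "revoke: lifecycle state is leaver"
        elif e.app not in covered_apps:  # silence from an unmonitored app is not evidence of non-use
            v = "no telemetry: cannot justify, treat as a review gap"
        elif seen is None:
            v = f"unused: no activity in {window_days} days, revalidate"
        elif seen < RANK[e.permission]:
            v = "overbroad: observed activity needs less than the granted permission"
        else:
            v = "justified: granted permission exercised in window"
        verdicts[(e.identity, e.app, e.permission)] = v
    return verdicts
# Constructed sample estate (not from the article or Oleria's product).
ENTITLEMENTS = [
    Entitlement("alice", "crm", "admin", "active"),
    Entitlement("bob", "crm", "admin", "leaver"),
    Entitlement("svc-billing", "erp", "write", "active"),
    Entitlement("agent-support", "crm", "read", "active"),
    Entitlement("agent-support", "erp", "write", "active"),
    Entitlement("svc-legacy", "mainframe", "admin", "active"),
]
ACTIVITY = [
    ("alice", "crm", "read", datetime(2026, 3, 10)),
    ("svc-billing", "erp", "write", datetime(2026, 3, 17)),
    ("agent-support", "crm", "read", datetime(2026, 3, 16)),
    ("agent-support", "erp", "write", datetime(2025, 12, 1)),  # outside window
]

def sample_findings():
    return justify(ENTITLEMENTS, ACTIVITY, datetime(2026, 3, 18), {"crm", "erp"})
```

The "no telemetry" branch is the caveat a reviewer needs: an entitlement with no activity from an application that emits no logs is a visibility gap, not proof the access is unused.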
Key takeaways
- Identity governance is moving from scheduled certification to continuous justification because static reviews cannot keep pace with modern access change.
- Activity data is becoming a core governance input because entitlement alone rarely proves whether access is still warranted.
- IAM teams should evaluate controls by their ability to explain access in motion across people, workloads, and AI-assisted processes.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | Continuous access justification maps to ongoing identity assurance and access governance. |
| OWASP Non-Human Identity Top 10 | NHI-05 | The article focuses on lifecycle and entitlement governance for non-human identities. |
| NIST Zero Trust (SP 800-207) | PR.AC | Adaptive governance supports least-privilege access decisions in zero-trust environments. |
Use context-aware access decisions to reduce standing privilege and improve verification discipline.
Key terms
- Adaptive identity governance: An identity governance model that continuously evaluates access using current identity, entitlement, and activity data. It replaces point-in-time certification with ongoing evidence so access decisions reflect what is actually happening in the environment, not what was true at the last review.
- Access justification: The evidence that explains why a user, workload, or AI-driven process should retain a permission. In modern IAM programmes, justification is stronger when it combines entitlement, business context, and observed activity instead of relying on role membership alone.
- Lifecycle governance: The set of identity controls that manage provisioning, changes, and removal of access over time. For non-human identities and AI-assisted workflows, lifecycle governance must account for faster change rates and indirect entitlement inheritance, not just human joiner-mover-leaver events.
- Continuous certification: A governance pattern that rechecks access using live telemetry instead of waiting for scheduled review cycles. It is most useful where entitlements change quickly and stale access can accumulate between manual checkpoints.
Deepen your knowledge
Adaptive identity governance and continuous access justification are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are aligning lifecycle controls, review evidence, and non-human identity governance, it is worth exploring.
This post draws on content published by Oleria Security: Adaptive Identity Governance and the case against legacy IGA. Read the original.
Published by the NHIMG editorial team on 2026-03-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org