By NHI Mgmt Group Editorial Team
Published: 2025-12-15
Domain: Governance & Risk
Source: Omada Identity

TL;DR: Omada says its deeper cooperation with adesso is aimed at helping regulated organisations improve identity control and compliance traceability, implement IAM and IGA faster in hybrid environments, and reduce risk from orphaned and overprivileged accounts. The underlying message is that sovereignty, not just administration, is now a programme design requirement.


At a glance

What this is: This is a partner announcement about adesso and Omada deepening collaboration around IAM and access governance for regulated organisations.

Why it matters: It matters because IAM teams must connect governance, compliance, and operational delivery across human, NHI, and cloud identities, not treat access control as a standalone tool problem.

👉 Read Omada Identity's article on the adesso partnership and identity governance


Context

Digital sovereignty in identity management means an organisation can control who and what gets access, prove that control to auditors, and adjust it as business conditions change. In practice, that is harder than it sounds because identity sprawl, hybrid platforms, and regulatory pressure all pull governance in different directions, especially for enterprise and public-sector programmes in the DACH region.

The article frames IAM and IGA as strategic infrastructure rather than back-office administration. That is the right lens for teams dealing with human users, service accounts, and cloud workloads at the same time, because access governance only works when process, policy, and delivery are aligned from the start.


Key questions

Q: How should teams govern access across human and machine identities?

A: Teams should use one governance model for all identity types, then adjust controls for how each identity is created, used, and retired. Human users need joiner-mover-leaver discipline, while service accounts and tokens need ownership, expiry, rotation, and revocation controls. The key is consistent accountability across the lifecycle, not separate exceptions for each identity class.

Q: Why do orphaned and overprivileged accounts remain such a security risk?

A: They remain risky because they create access that no one actively owns and that may exceed the current business need. That combination makes revocation slow, audit evidence weak, and compromise more valuable to attackers. In regulated environments, this is a governance failure as much as a technical one because the organisation cannot prove who should have had access.

Q: How do identity programmes support digital sovereignty in practice?

A: They support digital sovereignty by proving the organisation can control, explain, and change access across systems without depending on ad hoc workarounds. That requires governance workflows, documentation, and lifecycle controls that operate across cloud, on-prem, and third-party environments. Without those capabilities, sovereignty becomes a statement rather than an operating model.

Q: What should organisations prioritise first in IAM and IGA modernisation?

A: They should prioritise entitlement ownership, lifecycle revocation, and recertification before expanding feature scope. Those controls reduce immediate exposure from stale access and give the organisation a reliable base for cloud and AI adoption. Once ownership and revocation are dependable, more advanced automation becomes safer to introduce.


Technical breakdown

Why access governance becomes a sovereignty control

Access governance is the layer that turns identity administration into accountable control. It links joiner-mover-leaver processes, approvals, recertification, and privileged access oversight to a documented policy model so that access can be justified, reviewed, and revoked. In regulated environments, this matters because the security problem is not only whether access exists, but whether the organisation can explain why it exists and whether that explanation survives audit, incident response, and business change. The article points to exactly that operational burden: not identity existence, but identity control at scale.

Practical implication: map governance workflows to the systems that create and remove access, not just to the identity store.

Why overprivileged and orphaned access remains the core failure mode

Overprivileged accounts and unowned access persist because many identity programmes still treat entitlement cleanup as periodic housekeeping rather than continuous control. In hybrid estates, those gaps spread across employees, contractors, and non-human identities, which makes ownership unclear and remediation slow. The result is not just excess access, but weak accountability when something goes wrong. The article’s emphasis on removing risk from orphaned and overprivileged accounts reflects a familiar IAM failure pattern: access that outlives the business need that created it.

Practical implication: tie entitlement reviews to ownership, recertification, and offboarding events, not calendar-only review cycles.

How identity foundations accelerate cloud and AI programmes

Cloud and AI initiatives often stall when identity is added late instead of designed in as a prerequisite. A sovereign identity foundation shortens delivery time because it reduces the rework caused by inconsistent access models, fragmented approvals, and missing lifecycle controls. For AI and cloud programmes, that also means treating workload identities, tokens, and service access as part of the same governance surface as human access. The article’s point is not that identity is a minor dependency, but that it is the control plane that determines whether modern initiatives can scale safely.

Practical implication: require identity architecture review before cloud or AI rollout, not after access exceptions begin accumulating.


Threat narrative

Attacker objective: The attacker seeks durable access that survives normal governance checks and gives them room to operate without immediate detection or revocation.

  1. Entry occurs when an organisation provisions identity access faster than it can govern the resulting entitlements, leaving new accounts, tokens, or service permissions in place without clear ownership.
  2. Escalation follows when those entitlements are overprivileged or orphaned, allowing access to spread across systems and create a larger blast radius than the business intended.
  3. Impact arrives when a compromised or abandoned identity is used to move laterally, bypass accountability, or expose regulated data and systems without a clear audit trail.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Access governance is now a sovereignty control, not a back-office workflow. The article is right to place identity at the centre of digital sovereignty because access is where policy becomes operational reality. When identity controls are weak, the organisation may still be compliant on paper but lacks practical control over data, systems, and change. For IAM and IGA teams, the programme objective is therefore control assurance, not just administration.

Orphaned and overprivileged access are not separate problems. They are the same governance failure expressed at different points in the lifecycle. If access is granted without a reliable owner, it is likely to remain after the business need changes. That is why lifecycle discipline, recertification, and revocation logic matter as a single control system. The practitioner takeaway is to treat entitlement ownership as a governance dependency, not a reporting field.

Identity foundations are becoming the gating factor for cloud and AI adoption. The article correctly links better identity governance to faster time-to-value for cloud and AI initiatives because these programmes fail when access design is an afterthought. This is especially true when human and non-human identities coexist in the same operating model. Teams that separate “innovation” from “identity control” will keep paying for rework later.

Digital sovereignty creates a stronger procurement test for IAM programmes. Enterprises and public-sector organisations in regulated regions increasingly need identity platforms and implementation partners that can prove traceability, auditability, and lifecycle control across hybrid estates. That raises the bar for architecture decisions and implementation discipline. The practical conclusion is that sovereign identity is a programme capability, not a branding claim.

Identity governance must now be measured by containment speed, not only policy coverage. Coverage metrics tell you whether reviews and controls exist. Containment metrics tell you whether access can be reduced quickly enough when business needs change or credentials are abused. That shift matters because modern estates fail through delayed revocation, not just missing policy language. Practitioners should measure how fast access can be removed across human and machine identities.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • For lifecycle control and offboarding, NHI Lifecycle Management Guide helps teams turn governance into revocation discipline.

What this signals

Identity sovereignty will increasingly be judged by how quickly access can be explained and removed. In hybrid estates, the weakest point is rarely authentication alone. It is the lag between a business change and the revocation of obsolete access, which is why lifecycle process design is becoming a board-level control topic.

Orphaned access is now a structural risk, not an edge case. When only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs, teams cannot rely on annual reviews to surface the full problem. The programme signal to watch is whether ownership data is complete enough to drive action.

Access governance will converge with cloud and AI readiness planning. Organisations that cannot control identity cleanly will keep slowing delivery with manual exceptions and emergency fixes. The practical response is to treat identity design as a prerequisite for platform modernisation, not as a cleanup task after rollout.


For practitioners

  • Rebuild entitlement ownership around lifecycle events: Link provisioning, movers, leavers, and periodic recertification to named business owners so access cannot survive without accountability. Use the same ownership model for employees, contractors, and service accounts.
  • Prioritise orphaned and overprivileged account cleanup: Inventory accounts with no clear owner, stale access, or privileges that exceed task scope. Start with systems that hold regulated data or act as gateways into cloud environments.
  • Insert identity architecture reviews before cloud and AI delivery: Require IAM, IGA, and privileged access design to be signed off before new cloud or AI programmes go live, especially where tokens, workload identities, or delegated access will be used.
  • Measure revocation speed as a governance KPI: Track how quickly access can be removed after role changes, contract ends, or security events. Slow revocation is often the first sign that governance exists in policy but not in execution.
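The cleanup and KPI items above can be run against an identity inventory directly. The following is an added example, not code from the original post or from Omada or adesso: it uses a constructed inventory (the account, owner, role and event fields are assumptions, not any product's schema) to flag orphaned accounts, list entitlements beyond role scope, and compute revocation lag against an agreed limit for human and service accounts alike.

```python
from datetime import datetime

# Constructed sample data (assumptions for this example, not a real inventory).
PEOPLE = {"alice": "active", "bob": "left", "carol": "active"}  # accountable owners and status

# Policy model: the entitlements each role is allowed to hold.
ROLE_SCOPE = {
    "app-reader": {"read:customer-db"},
    "etl-service": {"read:customer-db", "write:reporting-bucket"},
    "hr-analyst": {"read:hr-db"},
}

# One inventory for human and non-human identities: id, owner, role, granted entitlements.
ACCOUNTS = [
    {"id": "alice", "owner": "alice", "role": "hr-analyst", "entitlements": {"read:hr-db"}},
    {"id": "svc-etl-01", "owner": "bob", "role": "etl-service", "entitlements": {"read:customer-db", "write:reporting-bucket"}},
    {"id": "svc-report-02", "owner": None, "role": "app-reader", "entitlements": {"read:customer-db", "admin:customer-db"}},
    {"id": "carol", "owner": "carol", "role": "app-reader", "entitlements": {"read:customer-db", "write:reporting-bucket"}},
]

# Lifecycle events: when the business need ended and when access was removed (None = still open).
LEAVER_EVENTS = [
    {"account": "bob", "left_at": datetime(2025, 12, 1, 17), "revoked_at": datetime(2025, 12, 2, 9)},
    {"account": "svc-etl-01", "left_at": datetime(2025, 12, 1, 17), "revoked_at": None},
]
NOW = datetime(2025, 12, 15, 9)  # assumed review time for open revocations

def orphaned(accounts, people):
    """Accounts with no owner, or whose owner has left: nobody is accountable for them."""
    return sorted(a["id"] for a in accounts
                  if a["owner"] is None or people.get(a["owner"]) != "active")

def overprivileged(accounts, role_scope):
    """Account id -> entitlements granted beyond what the account's role permits."""
    excess = {}
    for a in accounts:
        extra = a["entitlements"] - role_scope.get(a["role"], set())
        if extra:
            excess[a["id"]] = sorted(extra)
    return excess

def revocation_lag_hours(events, now):
    """Revocation-speed KPI: hours from lifecycle event to removal; open items run until now."""
    return {e["account"]: ((e["revoked_at"] or now) - e["left_at"]).total_seconds() / 3600
            for e in events}

def sla_breaches(lags, max_hours):
    """Accounts whose revocation took (or has so far taken) longer than the agreed limit."""
    return sorted(acct for acct, hours in lags.items() if hours > max_hours)
```

Note that the service account owned by the leaver shows up in both the orphan list and the SLA breaches, which is the pattern the post describes: the human offboarding was handled, the non-human access it anchored was not.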

Key takeaways

  • Digital sovereignty depends on verifiable access control, not just policy language or platform ownership.
  • Orphaned and overprivileged identities remain a persistent governance failure because access often outlives the business need that created it.
  • IAM and IGA teams should measure revocation speed and ownership quality before expanding cloud or AI initiatives.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03              | The article centres on overprivileged and orphaned non-human access.
NIST CSF 2.0                    | PR.AC-4             | Access management and least privilege align with the article's governance focus.
NIST Zero Trust (SP 800-207)    |                     | Digital sovereignty depends on continuous verification and explicit access control.

Map identity entitlements to access control policy and verify revocation paths work in practice.


Key terms

  • Access Governance: Access governance is the set of policies, workflows, and controls used to decide who or what should have access, who approves it, and when it must be removed. In mature programmes, it also produces audit evidence and lifecycle accountability across human and non-human identities.
  • Digital Sovereignty: Digital sovereignty is an organisation's practical ability to control its digital assets, data, and identity decisions without losing oversight to fragmented tools or unmanaged dependencies. In identity programmes, it depends on traceable access, enforceable lifecycle controls, and defensible auditability.
  • Orphaned Account: An orphaned account is an identity that still exists and may still have access, but no longer has a clearly accountable owner or business purpose. These accounts are dangerous because they are hard to review, easy to forget, and often persist long after the need for them has disappeared.
  • Overprivileged Access: Overprivileged access is permission that exceeds what an identity needs to perform its task. It increases blast radius, complicates recertification, and often turns ordinary credentials into high-value targets, especially when ownership and revocation controls are weak.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle governance, it is worth exploring.

This post draws on content published by Omada Identity: adesso and Omada deepen access governance for digital sovereignty. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org