TL;DR: Manual access reviews, spreadsheet-driven approvals, and delayed joiner-mover-leaver updates no longer scale across hybrid estates; the SecurEnds article argues that AI and automation can shorten review cycles, surface anomalies, and keep governance closer to real time. The deeper issue is that governance models built for quarterly checkpoints now collide with continuously changing identities and entitlements, so the control assumption itself is outdated.
At a glance
What this is: This article argues that AI and automation are reshaping identity governance by moving it from manual, quarterly review cycles toward continuous, risk-based control.
Why it matters: It matters because IAM, NHI, and autonomous identity programmes all rely on the same governance primitives, and those primitives break when access changes faster than humans can review it.
👉 Read SecurEnds' analysis of AI-driven identity governance and automation
Context
Identity governance is the discipline of deciding who or what gets access, then proving that access stays appropriate as systems change. In this article's framing, the core problem is that manual IGA processes were built for slower environments, while modern enterprises now manage employees, vendors, bots, and temporary users across cloud and legacy systems. That mismatch is why identity governance becomes a continuous-control problem rather than a periodic review exercise.
The key governance gap is not lack of policy, but lack of speed and visibility. Quarterly access reviews, email approvals, and delayed deprovisioning create orphan accounts, excess permissions, and stale entitlements before anyone can correct them. For teams managing human, NHI, and autonomous access together, the practical question is how to preserve accountability when access decisions have to keep pace with operational change.
Key questions
Q: How should security teams automate identity governance without losing control?
A: Start by automating the highest-volume, lowest-risk identity changes first, then keep human review for exceptions and policy breaches. Connect provisioning, certification, and revocation to authoritative sources so decisions are based on current identity state, not stale spreadsheets. The goal is faster governance with better traceability, not blind automation.
Q: Why do quarterly access reviews fail in modern enterprises?
A: Quarterly reviews fail because the entitlement picture changes long before the review cycle ends. By the time managers approve or reject access, users, roles, and applications may already have changed again. That makes the review a lagging compliance exercise rather than an effective control, especially in cloud-heavy and hybrid environments.
Q: What do teams get wrong about AI in identity governance?
A: Teams often assume AI can fix governance without improving the underlying data and policy model. In reality, machine learning only works well when identity sources are authoritative, roles are rational, and lifecycle events are current. Otherwise, the automation accelerates bad decisions instead of reducing governance risk.
Q: How do organisations know if autonomous governance is actually working?
A: Look for shorter decision cycles, fewer stale entitlements, and an audit trail that records every grant, revoke, and exception in real time. If the programme still relies on quarterly cleanup to find obvious drift, it is not autonomous governance. It is still manual governance with faster tooling.
Technical breakdown
Why manual access reviews fail in hybrid identity estates
Manual certification campaigns depend on humans reading, validating, and approving entitlements after the fact. That model breaks when access is distributed across SaaS, cloud, on-prem, and temporary workflows, because the entitlement picture is already stale by the time reviewers act. Risk-based governance tries to narrow the workload by prioritising unusual combinations of access, but it still depends on clean identity data and timely lifecycle events. The underlying failure mode is not only review fatigue. It is that the control plane moves slower than the identity estate it is supposed to govern.
Practical implication: move high-risk reviews into automated prioritisation and shorten the time between entitlement change and governance action.
How AI changes provisioning, certification, and revocation
AI in IGA is used to classify patterns, predict likely changes, and reduce repetitive approval work. In practice, that means models can recommend who should review what, flag suspicious entitlements, and identify access that is likely stale or excessive. The technology does not replace governance logic, but it changes where humans spend attention. Provisioning and revocation become more responsive when AI is paired with authoritative HR, directory, and application data. The architecture only works when the model is trained on trustworthy entitlement history and the organization is willing to automate the low-risk tail.
Practical implication: connect AI-assisted decisions to authoritative identity sources before automating review routing or revocation.
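The risk-based prioritisation described above (unusual combinations of access, stale or never-used entitlements) and the AI-assisted flagging of likely excessive access both come down to scoring an entitlement snapshot and ordering the review queue by that score. The block below is an added illustration written for this post, not code from SecurEnds or from any IGA product; the users, departments, roles, separation-of-duties pair and the 2/2/3 weights are constructed assumptions. It uses three deterministic signals rather than a trained model, which is the minimum a team should have in place before routing reviews automatically: how rare an entitlement is among department peers, how long it has gone unused, and whether it completes a toxic combination the user already holds.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    user: str
    department: str
    role: str             # application role / entitlement name
    last_used_days: int   # days since last observed use; -1 means never used


# Constructed sample entitlement snapshot (hypothetical users, roles and departments).
SAMPLE = [
    Entitlement("alice", "finance", "erp.ap.create_vendor", 3),
    Entitlement("alice", "finance", "erp.ap.approve_payment", 5),
    Entitlement("alice", "finance", "erp.reports.read", 1),
    Entitlement("bob", "finance", "erp.reports.read", 2),
    Entitlement("carol", "finance", "erp.reports.read", 4),
    Entitlement("dave", "finance", "erp.reports.read", 140),
    Entitlement("erin", "engineering", "git.push", 1),
    Entitlement("erin", "engineering", "erp.ap.approve_payment", -1),
    Entitlement("frank", "engineering", "git.push", 6),
    Entitlement("grace", "engineering", "git.push", 2),
    Entitlement("heidi", "engineering", "git.push", 9),
]

# Separation-of-duties pairs that must not be held together (constructed policy).
SOD_PAIRS = {frozenset({"erp.ap.create_vendor", "erp.ap.approve_payment"})}


def score_entitlements(entitlements, sod_pairs, stale_days=90, rare_threshold=0.25):
    """Return (score, entitlement, reasons) triples, highest risk first.

    Signals (weights are assumptions for the example):
      +2  rare: held by at most `rare_threshold` of the user's department peers
      +2  stale: unused for more than `stale_days`, or never used
      +3  toxic: completes a separation-of-duties pair the user already holds
    """
    dept_members = defaultdict(set)
    role_holders = defaultdict(set)
    user_roles = defaultdict(set)
    for e in entitlements:
        dept_members[e.department].add(e.user)
        role_holders[(e.department, e.role)].add(e.user)
        user_roles[e.user].add(e.role)

    scored = []
    for e in entitlements:
        score, reasons = 0, []
        prevalence = len(role_holders[(e.department, e.role)]) / len(dept_members[e.department])
        if prevalence <= rare_threshold:
            score += 2
            reasons.append(f"rare in {e.department} ({prevalence:.0%} of peers hold it)")
        if e.last_used_days < 0:
            score += 2
            reasons.append("never used")
        elif e.last_used_days > stale_days:
            score += 2
            reasons.append(f"stale ({e.last_used_days} days unused)")
        for pair in sod_pairs:
            if e.role in pair and pair <= user_roles[e.user]:
                score += 3
                reasons.append("toxic combination: " + " + ".join(sorted(pair)))
        scored.append((score, e, reasons))
    # Highest score first; user and role break ties so output is stable for auditors.
    scored.sort(key=lambda t: (-t[0], t[1].user, t[1].role))
    return scored


def review_queue(entitlements, sod_pairs, **kwargs):
    """Entitlements that merit a reviewer's attention, as (user, role, score, reasons)."""
    return [(e.user, e.role, s, r)
            for s, e, r in score_entitlements(entitlements, sod_pairs, **kwargs) if s > 0]


if __name__ == "__main__":
    for user, role, score, reasons in review_queue(SAMPLE, SOD_PAIRS):
        print(f"{score:2d}  {user:6s} {role:26s} {'; '.join(reasons)}")
```

On the constructed snapshot the queue puts alice's two ERP entitlements first (rare in finance and a toxic pair), then erin's never-used payment approval, then dave's stale reporting role; everything else scores zero and never reaches a reviewer. The reasons list is what makes the routing defensible: each item in the queue carries the evidence that put it there, which is the traceability the article asks for before review work is automated.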
What autonomous identity governance changes in the control model
The article's autonomous governance framing goes beyond workflow automation. It describes systems that monitor, adjust, and enforce access with minimal human oversight, using behavioural signals to tighten or remove entitlements as conditions change. That changes governance from periodic certification to continuous policy enforcement, where the system is expected to react before the next audit cycle. The important distinction is that autonomy adds decisioning and timing independence. Once the control plane starts making access adjustments on its own, the governance model must account for explainability, exception handling, and ownership of machine-issued decisions.
Practical implication: define which access decisions may be automated, which require exception handling, and who owns machine-issued changes.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Codefinger AWS S3 ransomware attack — Codefinger used compromised AWS credentials to encrypt S3 buckets via SSE-C.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Manual IGA no longer scales to modern identity estates. Quarterly reviews, spreadsheet reconciliation, and email-based approvals were designed for slower access change and smaller application sets. That assumption fails when enterprises manage thousands of users, vendors, bots, and cloud entitlements at once. The implication is that governance programmes must stop treating delay as a tolerable inconvenience and start treating it as a structural control defect.
AI-assisted governance is valuable only when it reduces review noise without weakening accountability. Machine learning can rank risk, predict change, and automate routine approvals, but it also concentrates trust in the quality of identity data and policy logic. If source data is fragmented or stale, automation simply makes the wrong decision faster. Practitioners should judge AI governance by whether it compresses decision cycles while preserving traceability.
Autonomous identity governance introduces a new governance premise: access decisions can be made continuously, not just reviewed continuously. That premise matters because lifecycle control, certification, and revocation all change when the system is allowed to act in motion rather than in batches. The field should stop describing this as a productivity upgrade and start treating it as a different operating model for identity control.
Access review cadence is the named concept that this article exposes as obsolete. The article shows a control environment where the cadence of review is slower than the cadence of change, so the review itself becomes a lagging signal rather than a governance mechanism. The practitioner conclusion is straightforward: identity programmes built around periodic checkpoints need continuous signals, or they will certify yesterday's reality.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to GitGuardian & CyberArk's research.
- For a wider view of how secret sprawl becomes governance debt, see 52 NHI Breaches Analysis and the patterns it documents across exposed credentials.
What this signals
Access review cadence has become a programme design issue, not an operational nuisance. If identity governance still depends on quarterly cleanup, the organisation is choosing delayed assurance over timely control. The practical signal is to rework certification, revocation, and exception handling so that identity changes are governed at the speed of the estate, not the speed of the committee.
With 6 distinct secrets manager instances on average across organisations, fragmentation is already the norm, not the exception. That kind of dispersion makes policy consistency and lifecycle traceability much harder, especially when cloud, legacy, and NHI controls all feed the same governance stack. Teams should expect the next phase of IGA to look more like continuous control orchestration than periodic access review.
Autonomous identity governance should be evaluated against the same core question the NIST Cybersecurity Framework asks of every control domain: can you identify, protect, detect, respond, and recover with enough fidelity to keep pace with change? For teams building this out, the priority is not adding more review checkpoints but tightening the chain from identity event to enforceable action.
For practitioners
- Map where manual approvals still gate high-volume access changes: Identify the applications, roles, and identity populations that still depend on spreadsheet-based review or email approval. Those flows should be the first candidates for risk-based routing and automation because they create the most delay and the least reliable audit evidence.
- Automate provisioning and deprovisioning around authoritative lifecycle events: Tie joiner, mover, and leaver events to HR, directory, and application sources so access changes happen from a single trusted trigger. That reduces orphan accounts and closes the gap between a person or workload changing state and the entitlements that should follow.
- Separate low-risk auto-approval from exception handling: Define the criteria that allow routine requests to pass automatically, then require human review only when the request exceeds policy or risk thresholds. This keeps analysts focused on the cases that matter while preserving traceability for auditors.
- Instrument continuous compliance evidence at the point of change: Log every grant, revoke, and certification decision as it occurs so audit evidence is produced continuously instead of reconstructed at quarter-end. That shifts compliance from a fire drill into an operational control.
Key takeaways
- Manual identity governance breaks when access changes faster than reviewers can certify it, making delay itself a control weakness.
- AI can reduce access-review noise, but only if identity data, lifecycle events, and policy logic are already trustworthy.
- Autonomous governance shifts the question from periodic approval to continuous enforcement, which requires clearer ownership of machine-issued decisions.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Access provisioning and certification depend on governed identity access. |
| NIST Zero Trust (SP 800-207) | PE-3 | Continuous verification aligns with identity decisions that change in real time. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Automation around secrets and service access depends on lifecycle control. |
Tie NHI rotation and revocation to lifecycle events so stale access does not linger between reviews.
Key terms
- Identity Governance and Administration: Identity Governance and Administration is the set of processes used to grant, review, certify, and remove access across an enterprise. It combines policy, workflow, and evidence so organisations can show that access remains appropriate as users, systems, and entitlements change.
- Access Certification: Access certification is the periodic validation that an entitlement is still justified. In practice, it is a control for reviewing who still needs access, but its value falls when review cycles are slower than the rate of identity change.
- Autonomous Identity Governance: Autonomous identity governance is a model where governance systems monitor conditions, make routine access decisions, and enforce policy with minimal human intervention. The model depends on trustworthy data, clear exception rules, and ownership for machine-issued actions.
- Risk-Based Governance: Risk-based governance prioritises identity decisions according to the likelihood and impact of access misuse. It reduces review noise by focusing attention on entitlements, combinations, and behaviours that are more likely to create security or compliance exposure.
Deepen your knowledge
Identity governance automation and autonomous identity governance are central themes in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are modernising a governance model that still depends on quarterly reviews, it is worth exploring.
This post draws on content published by SecurEnds: AI-driven identity governance and the shift from manual reviews to autonomous controls. Read the original.
Published by the NHIMG editorial team on 2025-10-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org