By NHI Mgmt Group Editorial Team | Published 2025-06-27 | Domain: Governance & Risk | Source: Zluri

TL;DR: As AI adoption expands machine identities, orphaned entitlements, and shadow IT, traditional IGA tools built around static HR directories can no longer answer who has access to what, according to Zluri. Static certification and rigid access models are giving way to visibility-led governance that is driven by actual usage rather than assumptions.


At a glance

What this is: This is Zluri's argument that AI-first enterprises are outgrowing legacy IGA because machine identities, shadow IT, and dynamic entitlements have outpaced static governance models.

Why it matters: It matters because IAM, IGA, PAM, and NHI programmes now need usage-based visibility across human and non-human access, not just directory-driven certification.

By the numbers:

👉 Read Zluri's analysis of AI-first identity governance and next-gen IGA


Context

AI-first identity governance is the shift from static directory-centred access control to governance that reflects how identities, applications, and entitlements actually behave in cloud environments. The problem is not just more users or more apps. It is that machine identities, shadow IT, and dynamic permission models have made the old question, who has access to what, much harder to answer with confidence.

Zluri's core claim is that traditional IGA was built for a slower, more standardised application world, while modern enterprises now need discovery-led visibility and usage-based intelligence. That matters for NHI, human IAM, and emerging AI agent governance because the same governance failure shows up across all three: access is assigned, but not continuously understood, verified, or retired.


Key questions

Q: How should security teams govern access when identity inventories are incomplete?

A: They should treat discovery as the prerequisite control. If the organisation cannot reliably see SaaS, shadow IT, service accounts, and AI-linked access paths, certification and role modelling will only cover a partial reality. Governance should start with coverage metrics, then use telemetry to decide what should be reviewed, removed, or formally owned.

Q: Why do static access reviews fail in fast-changing cloud environments?

A: Static reviews fail because they certify a snapshot rather than the live entitlement state. Cloud permissions, nested groups, and usage patterns change faster than many review cycles, so approvers are forced to decide without behavioural evidence. The result is often rubber-stamping, especially when access is difficult to assess safely.

Q: What do IAM teams get wrong about shadow IT and entitlement sprawl?

A: They often treat shadow IT as a separate inventory issue instead of a governance problem. Unmanaged applications create orphaned permissions, inconsistent ownership, and a larger certification burden. The real risk is that access persists outside normal lifecycle controls, which leaves dormant but still valid entitlements in place.

Q: How do machine identities change the IGA operating model?

A: Machine identities expand IGA beyond human joiner-mover-leaver workflows. Service accounts, keys, tokens, and certificates need ownership, review, and retirement logic that matches their shorter lifecycle and higher churn. Teams should align NHI lifecycle controls with IGA rather than bolting them on as a separate security project.


Technical breakdown

Why static access profiles fail in cloud entitlement models

Traditional IGA assumes access can be modelled in advance with predefined roles and approval flows. That works poorly when applications use nested groups, contextual permissions, dynamic entitlements, and API-driven access paths that change faster than review cycles. In that environment, fixed access profiles become a lossy approximation of reality, and governance teams end up certifying a representation of access rather than actual access. The technical problem is not just scale. It is entropy in the entitlement model itself, where the governance layer is too rigid for the application layer it is meant to control.

Practical implication: map where entitlement structures change too quickly for static role engineering and move those applications into usage-aware governance treatment.

Why activity data changes access certification outcomes

Certification quality depends on context. If reviewers only see a user and an application pair, they lack the signals needed to decide whether an entitlement is active, dormant, or anomalous. Activity telemetry adds last-used date, frequency, peer comparison, and behavioural evidence, which turns certification from a box-ticking exercise into a risk decision. Without that data, review campaigns tend to preserve unnecessary access because approvers cannot safely distinguish real need from inherited privilege. The failure mode is not lack of intent. It is lack of evidence at decision time.

Practical implication: feed activity data into recertification so reviewers can revoke dormant access with evidence instead of relying on memory.
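The certification logic described above, as an added example that is not Zluri's or NHIMG's code: each assigned entitlement is scored on last-used date, use frequency in the review window, and a peer comparison against same-department holders, and the resulting decision (keep, review, revoke) carries the evidence a reviewer would otherwise lack. It also applies the point made earlier about machine identities: service accounts go through the same review but with a shorter dormancy threshold. The entitlement assignments, activity telemetry and threshold values are all constructed or assumed.

```python
"""Usage-aware access certification over constructed sample data.

Added example, not Zluri's or NHIMG's code. Entitlement assignments, activity
telemetry and the dormancy thresholds below are constructed/assumed values.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Date on which the certification campaign is run (constructed).
REVIEW_DATE = datetime(2025, 6, 27, tzinfo=timezone.utc)

# Assumed policy: machine identities churn faster than humans, so they get a
# shorter dormancy window before an entitlement is treated as stale.
DORMANT_DAYS = {"human": 90, "service": 30}
USAGE_WINDOW_DAYS = 90  # window for the "how often was it used" signal

# Constructed assignments: (identity, identity type, department, app, entitlement).
ENTITLEMENTS = [
    ("alice", "human", "finance", "erp", "ap-approver"),
    ("bob", "human", "finance", "erp", "ap-approver"),
    ("carol", "human", "finance", "erp", "ap-approver"),
    ("dave", "human", "engineering", "erp", "ap-approver"),  # no engineering peers hold this
    ("dave", "human", "engineering", "ci", "pipeline-admin"),
    ("erin", "human", "engineering", "ci", "pipeline-admin"),
    ("svc-reporting", "service", "finance", "erp", "read-all"),
    ("svc-legacy-sync", "service", "finance", "erp", "read-all"),
]

# Constructed activity telemetry: (identity, app, entitlement, ISO-8601 timestamp).
ACTIVITY = [
    ("alice", "erp", "ap-approver", "2025-06-20T10:00:00+00:00"),
    ("alice", "erp", "ap-approver", "2025-06-25T09:30:00+00:00"),
    ("bob", "erp", "ap-approver", "2025-06-10T15:00:00+00:00"),
    ("dave", "erp", "ap-approver", "2025-06-15T11:00:00+00:00"),
    ("dave", "ci", "pipeline-admin", "2025-06-26T08:00:00+00:00"),
    ("erin", "ci", "pipeline-admin", "2025-06-24T08:00:00+00:00"),
    ("svc-reporting", "erp", "read-all", "2025-06-24T02:00:00+00:00"),
    ("svc-legacy-sync", "erp", "read-all", "2025-04-01T00:00:00+00:00"),  # 87 days idle
]


def summarise_activity(activity, review_date):
    """Per (identity, app, entitlement): last-used timestamp and uses inside the window."""
    last_used, uses = {}, defaultdict(int)
    window_start = review_date - timedelta(days=USAGE_WINDOW_DAYS)
    for identity, app, ent, ts in activity:
        when = datetime.fromisoformat(ts)
        key = (identity, app, ent)
        if key not in last_used or when > last_used[key]:
            last_used[key] = when
        if when >= window_start:
            uses[key] += 1
    return last_used, uses


def peer_usage(entitlements, uses):
    """Share of same-department peers holding the same entitlement who actually used it.

    None means the holder has no peers at all, which is itself a review signal."""
    holders = defaultdict(list)
    for identity, _kind, dept, app, ent in entitlements:
        holders[(dept, app, ent)].append(identity)
    shares = {}
    for (_dept, app, ent), ids in holders.items():
        for identity in ids:
            peers = [p for p in ids if p != identity]
            if not peers:
                shares[(identity, app, ent)] = None
            else:
                active = sum(1 for p in peers if uses.get((p, app, ent), 0) > 0)
                shares[(identity, app, ent)] = active / len(peers)
    return shares


def certify(entitlements, activity, review_date=REVIEW_DATE):
    """Return {(identity, app, entitlement): (decision, evidence)} for a review campaign."""
    last_used, uses = summarise_activity(activity, review_date)
    shares = peer_usage(entitlements, uses)
    decisions = {}
    for identity, kind, _dept, app, ent in entitlements:
        key = (identity, app, ent)
        last = last_used.get(key)
        if last is None:
            decisions[key] = ("revoke", "never used in available telemetry")
            continue
        idle = (review_date - last).days
        if idle > DORMANT_DAYS[kind]:
            decisions[key] = ("revoke", f"dormant {idle} days ({kind} threshold {DORMANT_DAYS[kind]})")
        elif shares[key] is None:
            decisions[key] = ("review", "used, but no department peers hold this entitlement")
        else:
            decisions[key] = ("keep", f"used {uses[key]}x in window; {shares[key]:.0%} of peers active")
    return decisions


if __name__ == "__main__":
    for (identity, app, ent), (decision, why) in certify(ENTITLEMENTS, ACTIVITY).items():
        print(f"{identity:16} {app:4} {ent:15} {decision:7} {why}")
```

With this data the human `ap-approver` holder with no activity and the service account idle for 87 days both become revoke candidates, while the same 87 days would have been inside a human's window; the lone engineering holder of a finance entitlement is routed to review rather than silently kept.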

How discovery engines address shadow IT and orphaned entitlements

Discovery-led governance starts with finding identities, applications, and connections that traditional inventory processes miss. In practice, that means uncovering unmanaged SaaS, hidden integrations, and accounts left behind when tools are adopted and abandoned quickly. Once discovered, those artefacts can be tied back to entitlements, usage, and ownership, which is what allows governance to move from assumption to verification. This is especially important where AI tools are introduced through experimental budgets, because short-lived applications often create lingering access that no one remembers to remove.

Practical implication: prioritise discovery for applications and identities outside the normal provisioning path before you redesign approval workflows.
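The discovery step in working form, as an added example that is not Zluri's or NHIMG's code: observed access signals (SSO logins, OAuth grants, expense records, SaaS account exports) are reconciled against the authoritative application inventory and the active-person roster, producing the unmanaged applications, orphaned accounts, and unowned applications the text describes, plus a discovery-coverage figure that can be tracked as a governance metric. All inventory entries, roster names and signals are constructed.

```python
"""Discovery-led reconciliation of observed access against the authoritative inventory.

Added example, not Zluri's or NHIMG's code. Every identity, application and
signal below is constructed sample data.
"""
from collections import defaultdict

# Authoritative application catalogue: app -> owning identity (None = no owner recorded).
INVENTORY = {
    "erp": "alice",
    "ci": "erin",
    "legacy-sync-tool": "frank",   # owner has since left
    "wiki": None,
}

# Active people according to HR (constructed).
ACTIVE_PEOPLE = {"alice", "bob", "carol", "dave", "erin"}

# Observed access signals: (signal source, app, identity). Constructed.
SIGNALS = [
    ("sso", "erp", "alice"),
    ("sso", "erp", "bob"),
    ("saas-export", "erp", "frank"),               # account survived the leaver process
    ("sso", "ci", "dave"),
    ("oauth-grant", "notetaker-ai", "dave"),       # AI tool adopted outside provisioning
    ("oauth-grant", "notetaker-ai", "carol"),
    ("expense", "designtool", "bob"),              # seen only on an expense record
    ("saas-export", "legacy-sync-tool", "frank"),
]


def reconcile(inventory, active_people, signals):
    """Compare observed access against the catalogue and roster.

    Returns unmanaged apps (observed, not catalogued), orphaned accounts (holder not
    active), unowned apps (no owner or inactive owner) and discovery coverage."""
    observed = defaultdict(lambda: {"identities": set(), "sources": set()})
    for source, app, identity in signals:
        observed[app]["identities"].add(identity)
        observed[app]["sources"].add(source)

    unmanaged = {
        app: {"identities": sorted(rec["identities"]), "sources": sorted(rec["sources"])}
        for app, rec in observed.items() if app not in inventory
    }
    orphaned = sorted(
        (identity, app)
        for app, rec in observed.items()
        for identity in rec["identities"]
        if identity not in active_people
    )
    unowned = sorted(
        app for app, owner in inventory.items() if owner is None or owner not in active_people
    )
    # Coverage: share of applications actually in use that the catalogue knows about.
    catalogued = sum(1 for app in observed if app in inventory)
    coverage = catalogued / len(observed) if observed else 1.0
    return {"unmanaged": unmanaged, "orphaned": orphaned, "unowned": unowned, "coverage": coverage}


if __name__ == "__main__":
    result = reconcile(INVENTORY, ACTIVE_PEOPLE, SIGNALS)
    print(f"discovery coverage: {result['coverage']:.0%}")
    for app, rec in result["unmanaged"].items():
        print(f"unmanaged app {app}: users={rec['identities']} seen via {rec['sources']}")
    for identity, app in result["orphaned"]:
        print(f"orphaned account: {identity} in {app}")
    for app in result["unowned"]:
        print(f"no active owner: {app}")
```

The ordering matters: the unmanaged AI tool and the expense-only design tool never reach a certification campaign unless discovery runs first, and the leaver's surviving accounts are only visible because the SaaS account export was reconciled against the HR roster rather than the directory alone.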


Threat narrative

Attacker objective: The objective is to preserve access paths that defenders no longer understand, then use that hidden privilege to move through cloud applications and data flows.

  1. Entry occurs through unmanaged SaaS adoption, shadow IT, or an AI tool that is introduced faster than governance can inventory it.
  2. Credential access or abuse follows when orphaned entitlements and dormant access remain valid after role changes or application abandonment.
  3. Impact comes from a governance gap rather than a single exploit, because reviewers are certifying stale access while the real entitlement landscape keeps changing.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Static IGA has become an assumption problem, not just a tooling problem. The older model assumes access can be represented accurately at provisioning time and then confirmed later through review. That assumption breaks when applications change continuously, machine identities outnumber humans, and usage patterns move faster than recertification cadence. The implication is that governance has to be built around observed behaviour, not directory artefacts.

Visibility is now the control plane for identity governance. When over 60% of IT resources are unmanaged or shadow IT, the first failure is not excessive privilege, but incomplete discovery. Traditional IGA cannot govern what it cannot see, and that blind spot spans human accounts, service identities, and AI-adjacent tools alike. Practitioners should treat discovery coverage as a governance metric, not an inventory exercise.

Usage-based governance is the new threshold for credible certification. Reviewers cannot make sound decisions from static entitlements alone when a mid-sized enterprise may manage tens of thousands of unique entitlements across hundreds of applications. Activity evidence changes the meaning of review from compliance theatre to access validation. For IAM and IGA teams, the practical conclusion is that certification quality now depends on telemetry quality.

AI-first identity governance exposes the entitlement drift gap: access assignments persist after the operational reason for them has disappeared. That gap is visible in shadow IT, dormant permissions, and AI-driven application churn, where ownership and usage separate quickly. It is a field-level signal that lifecycle governance, discovery, and access review can no longer be run as separate workstreams. Practitioners need one governance model that tracks entitlement life after assignment.

Machine identities are no longer a side category inside IGA. They are now part of the core governance surface because the same review, ownership, and retirement failures that affect human access also affect keys, tokens, certificates, and agent-linked credentials. The difference is scale and speed, not the nature of the governance problem. Security leaders should therefore align NHI governance and IGA operating models instead of treating them as separate programmes.

From our research:

What this signals

Entitlement drift will become the dominant governance signal. Teams that still measure IGA success by completion of review campaigns will miss the larger problem: access is changing faster than certification can capture it. The practical shift is toward continuous visibility, where dormant access and ownership gaps are treated as operating data rather than exceptions.

The security programme impact is cross-domain. NHI governance, human access governance, and emerging agentic workflows all depend on the same evidence chain: discovery, telemetry, ownership, and lifecycle closure. That makes identity architecture a control system, not a list of accounts.

With 97% of NHIs carrying excessive privileges, per the Ultimate Guide to NHIs, the next governance phase is not more certification. It is better entitlement reduction before the review even starts.


For practitioners

  • Inventory unmanaged identities and applications first: Start with discovery across SaaS, shadow IT, and machine identities so access governance is based on actual environment coverage rather than directory assumptions.
  • Feed activity telemetry into recertification: Use last access, frequency, and peer usage data to help reviewers distinguish active entitlements from dormant access before approvals are rubber-stamped.
  • Separate dormant access from active business need: Create a workflow that flags unused entitlements for removal while preserving genuinely active privileges with documented business ownership.
  • Align NHI and IGA lifecycle controls: Apply the same ownership, review, and offboarding discipline to service accounts, tokens, and AI-linked identities that you already expect for human access.

Key takeaways

  • Legacy IGA breaks down when entitlement structures change faster than static access models can represent them.
  • The scale problem is already visible in shadow IT, machine identities, and tens of thousands of entitlements per organisation.
  • Practitioners should move to discovery-led, usage-aware governance so certification and offboarding are grounded in evidence.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Discovery and ownership gaps are central to unmanaged non-human identities.
NIST CSF 2.0 | PR.AC-4 | Least-privilege and access management align with usage-based entitlement governance.
NIST Zero Trust (SP 800-207) | PR.AC | Zero Trust depends on continuous verification instead of static trust in assigned access.

Use live usage evidence to reduce entitlements and validate access scope at review time.


Key terms

  • Entitlement drift: Entitlement drift is the gap between access that was approved at one point in time and the access that is actually needed now. In modern cloud and SaaS environments, roles, groups, and application permissions change quickly, so governance must compare current usage against assigned rights.
  • Shadow IT: Shadow IT is software, services, or integrations used without formal visibility or approval from the central identity or security programme. It creates governance risk because access, ownership, and offboarding are often outside normal controls, leaving orphaned permissions and untracked entitlements behind.
  • Usage-based governance: Usage-based governance is an access management approach that uses activity evidence, such as last use, frequency, and peer patterns, to decide whether entitlements should remain in place. It replaces assumption-based review with a more accurate view of whether access is still justified.
  • Discovery-led governance: Discovery-led governance starts by identifying identities, applications, and connections that are not already in the authoritative inventory. It is essential when the environment includes shadow IT, machine identities, and fast-changing SaaS because governance cannot work reliably on incomplete visibility.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: All Manifesto for a New Era: Identity Governance for an AI-First World. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org