TL;DR: Identity stacks manage policy and intent well, but they still miss the authority pathways created by inheritance, delegated access, and cross-system relationships, according to Gathid. The structural gap is now the real identity risk, because review tools cannot see what authority has accumulated across the environment.
At a glance
What this is: This is an analysis of why mature IAM stacks still fail to reveal the full authority that exists across complex enterprises.
Why it matters: It matters because IAM, IGA, PAM, NHI governance, and workload identity programmes all depend on seeing actual authority, not just intended policy.
👉 Read Gathid's analysis of authority pathways and identity stack blind spots
Context
Modern identity programmes are good at defining intended access, but they still struggle to show what authority actually exists after roles, groups, delegation, and cross-system trust relationships combine. That gap matters across human IAM, NHI governance, and privileged access because operational control often emerges from the relationships between systems, not from any one entitlement review.
For identity teams, the problem is not simply stale access or weak provisioning. It is that current governance models are largely system-local, while authority is networked. In complex environments, a temporary automation account, a nested group, or a downstream role can create effective control that no single platform will surface on its own.
Key questions
Q: What is the difference between approved access and effective authority in IAM?
A: Approved access is what policy says an identity should have. Effective authority is what that identity can actually do after groups, roles, trusts, and delegated permissions are combined across systems. In mature environments, those two are often different. Security teams need both the entitlement record and the relationship graph to understand real risk.
Q: Why do access reviews miss hidden privilege paths?
A: Access reviews usually examine entitlements one system at a time, which means they can miss how separate permissions combine into control across platforms. A nested group, inherited role, or surviving automation credential may look acceptable in isolation but create dangerous authority in aggregate. That is why relationship-aware analysis is necessary.
Q: How should security teams govern non-human identities that have persistent access?
A: Security teams should treat every non-human identity as a managed asset with an owner, an explicit purpose, a scoped privilege set, and a defined offboarding path. Persistent access should be replaced with time-bound or task-bound access wherever possible, and every credential should be traceable to the system or workflow it supports.
Q: What should teams do when identity tools do not show the full control path?
A: Assume the blind spot is structural, not a dashboard problem. Add an authority model that spans directory, cloud, SaaS, PAM, and non-human identities, then use it to identify where access accumulates across systems. If the path is invisible, the governance decision is incomplete.
Technical breakdown
Authority pathways in enterprise identity graphs
Authority pathways are the chains created when identities connect to groups, roles, credentials, and systems across multiple platforms. A directory group may inherit a role, that role may grant permissions in a cloud account, and a credential may enable delegated execution in production. The result is not just access, but compounded authority that emerges from relationships. Traditional IAM tools usually report entitlements in isolation, which means they can validate policy without exposing the operational control that those relationships create.
Practical implication: Map identity relationships across platforms, not just isolated entitlements, so inherited control paths become visible before they are exploited.
Why access reviews miss accumulated authority
Access reviews are designed to confirm whether an individual entitlement should still exist. They are much weaker at identifying combinations of permissions that become dangerous only when linked together. A service account can look legitimate in one system while holding inherited control in another, and no single review will flag the combined effect. This is why identity-driven incidents often survive audits: the audit confirms policy intent, while the attack path is formed by relationships the audit never models.
Practical implication: Treat access reviews as one input to authority analysis, not as proof that effective control has been contained.
Machine identities and automation accounts add hidden control surfaces
Non-human identities often sit outside human lifecycle processes even though they can hold production privileges, cross-account trust, and persistent credentials. That makes them especially prone to authority accumulation, because project-based accounts and automation tokens outlive the work they were created for. When those identities are chained into human-managed roles or cloud delegation paths, the operational reach can exceed what any local policy review suggests. The governance issue is not only overprivilege, but invisible persistence.
Practical implication: Include service accounts, automation identities, and delegated tokens in the same authority model as human access.
Threat narrative
Attacker objective: The objective is to exploit hidden authority paths to gain real operational control that IAM policy reviews failed to reveal.
- Entry occurs when an attacker or insider reaches a legitimate identity path that already exists in the environment, such as a service account, delegated role, or nested group relationship.
- Escalation follows when inherited permissions, cross-account trust, or chained entitlements combine into effective control that no single platform review identified.
- Impact occurs when that accumulated authority is used to reach production systems, modify controls, or maintain access beyond the lifecycle of the original project or owner.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Meta AI Instagram Account Takeover — 20,225 Instagram accounts hijacked via compromised Meta AI support chatbot with overprivileged access.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Authority visibility, not policy completeness, is the missing layer in modern identity security. The article is right to separate intended access from actual authority. IAM, IGA, and PAM tools can confirm policy, but they cannot reliably expose the control that emerges when roles, groups, credentials, and trust relationships combine across systems. Practitioners should treat authority mapping as a distinct governance problem, not a feature request inside existing identity tooling.
Authority pathways are the identity equivalent of blast radius. Once a role inherits into another system and a credential survives past the original project, the environment has already created exposure that reviews may never reconstruct. That is why structural analysis matters more than point-in-time approval. The practical conclusion is that security teams need a model of how control accumulates, not just who was granted access.
Identity graph drift: the environment changes faster than governance records can explain it. That drift is what makes cross-system authority invisible. A control can be valid in one console and dangerous in aggregate, because the real risk sits in the relationships between systems. Practitioners should assume that any programme relying only on local platform views is already under-observing its authority surface.
Non-human identities make the gap harder to ignore because they are often outside human lifecycle assumptions. Automation accounts, service identities, and delegated credentials do not pass through the same review rhythms as human users, yet they can hold deeper production reach. The article correctly points to this structural mismatch. Security teams should therefore govern machine and human identities through the same authority lens, even if the lifecycle mechanics differ.
Structural risk management is becoming the new centre of identity governance. The next maturity step is not more approvals, but a deterministic view of how authority forms and persists across the enterprise. That reframes identity governance from proving intent to proving effective control. Practitioners should be measuring accumulated authority as a first-class security signal.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- For deeper lifecycle context, NHI Lifecycle Management Guide shows why authority without ownership becomes a persistence problem.
What this signals
Identity graph drift: the practical challenge for programmes is that authority changes faster than review cadences can capture it. That means the governance model has to move from periodic validation to relationship-aware analysis that can explain how access accumulates between reviews.
The operational implication is that teams should expect more of their hidden risk to sit in non-human identities, delegated trust, and cross-system inheritance than in raw authentication failures. That is why the control conversation is shifting toward visibility, ownership, and lifecycle closure rather than another layer of approval.
With 85% of organisations lacking full visibility into OAuth-connected third-party access, the current gap is not theoretical. It is a programme design issue that affects [OWASP Non-Human Identity Top 10](https://owasp.org/www-project-non-human-identities-top-10/) style secret sprawl, lifecycle governance, and downstream blast radius.
For practitioners
- Map authority paths across systems Build an identity graph that traces groups, roles, credentials, trusts, and delegated permissions across cloud and SaaS platforms. Focus on combinations that create production reach even when no single entitlement looks risky.
- Review non-human identities alongside human accounts Put service accounts, automation accounts, and delegated tokens into the same governance process as user access so lifecycle gaps do not hide persistent control.
- Validate effective control, not just approved access Test whether a role can actually modify, impersonate, or escalate in downstream systems after inheritance and cross-account trust are applied.
- Rebuild access reviews around relationship risk Use review cycles to examine inherited pathways, nested groups, and cross-system delegation rather than asking only whether a permission was originally approved.
Key takeaways
- Modern IAM stacks still miss effective authority because they see policy objects, not the relationship graph that creates real control.
- The evidence points to a structural visibility problem, especially where non-human identities, delegation, and inherited permissions overlap.
- Practitioners need authority analysis, lifecycle closure, and relationship-aware reviews if they want governance to match reality.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Authority sprawl and hidden access paths align with non-human identity governance gaps. |
| NIST CSF 2.0 | PR.AC-4 | The article centres on least-privilege failure across identity relationships. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege control is directly challenged by accumulated authority. |
| NIST Zero Trust (SP 800-207) | Zero trust requires continuous verification of effective authority across paths. |
Continuously verify access decisions across identity relationships rather than trusting local policy views.
Key terms
- Authority Pathway: An authority pathway is the chain of relationships that turns separate identities, roles, credentials, and systems into effective control. It is the practical route by which permission accumulates across platforms, often without any single system showing the full picture. In governance terms, it is the real access surface, not the approved one.
- Identity Graph: An identity graph is a relationship map that connects identities, assets, data, and permissions so teams can see how access actually flows. In NHI programmes, it helps explain which agent is related to which owner, which system, and which policy boundary.
- Effective Authority: Effective authority is the control an identity can actually exercise after all inheritance, delegation, and cross-system relationships are applied. It can be broader than the permissions listed in a single console, which is why local reviews often understate risk. Security teams need to measure effective authority, not only assigned access.
- Identity Graph Drift: Identity graph drift is the gap between how identity relationships are changing in the environment and how quickly governance records can explain them. It happens when roles, groups, credentials, and trusts change faster than reviews, ownership, or documentation. The result is authority that exists without current visibility or accountability.
What's in the full article
Gathid's full article covers the operational detail this post intentionally leaves for the source:
- How authority pathways can be reconstructed from directory, cloud, PAM, and SaaS relationships.
- The specific examples of inherited roles, nested groups, and cross-account trust that create hidden control.
- Why traditional access reviews miss accumulated authority across multiple systems.
- The argument for a daily, deterministic model of enterprise authority that can be recomputed from source state.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org