TL;DR: Sustainability, cyber resilience, and workforce continuity should be treated as connected pillars of operational stability, with materiality updates, energy-efficient facilities, and cybersecurity governance shaping long-term resilience, according to Commvault’s FY25 Sustainability Report. The identity lesson is that resilience programmes now extend into data, access, and governance decisions, not just environmental reporting.
At a glance
What this is: This is Commvault’s FY25 Sustainability Report, which frames sustainability as a resilience and continuity strategy tied to operations, cybersecurity, and workforce stability.
Why it matters: It matters because identity, access, and governance teams increasingly have to align resilience controls across human, NHI, and technology operations rather than treating sustainability and security as separate programmes.
👉 Read Commvault’s FY25 Sustainability Report on resilience and continuity
Context
The core governance gap here is not whether a company publishes sustainability reporting, but whether resilience is managed as an operating discipline across facilities, suppliers, people, and digital controls. That matters to identity teams because continuity breaks in the same places privilege, access, and lifecycle governance break: when ownership is unclear, controls are static, or dependencies are not continuously reviewed.
Commvault’s report positions sustainability as a business resilience mechanism rather than a side programme. For IAM and security leaders, that signals a broader shift toward governance models that connect operational continuity, cyber preparedness, and workforce stability into one management view instead of isolated policy tracks.
Key questions
Q: How should organisations connect resilience programmes to identity governance?
A: They should map continuity dependencies to the identities, credentials, and approval paths that support them. That means joining resilience planning with access reviews, supplier offboarding, and privileged access control so the organisation can see which operations fail if a key identity is unavailable or mismanaged.
Q: Why do sustainability and cyber resilience programmes overlap for IAM teams?
A: Both programmes depend on disciplined ownership, current evidence, and response readiness. For IAM teams, that overlap becomes practical when business continuity relies on human access, service accounts, or third-party credentials that must be reviewed and revoked at the right time.
Q: What do security teams get wrong about resilience governance?
A: They often treat resilience as a reporting exercise instead of a control system. That mistake leaves access, supplier, and recovery dependencies outside the same governance model even though those dependencies are what determine whether continuity plans actually work under pressure.
Q: How can teams tell whether a resilience council is working?
A: Look for measurable control changes, not just meeting outputs. A working council changes access policy, clarifies ownership for recovery paths, and closes specific operational gaps. If it only produces discussion, the governance signal is weak.
Technical breakdown
Why sustainability reporting now intersects with identity governance
Sustainability reports increasingly describe continuity controls, supplier discipline, and operational resilience in the same language that security teams use for governance. That overlap matters because access management, workforce continuity, and service reliability are all lifecycle problems: they depend on clear ownership, current evidence, and timely remediation. When a report treats resilience as a living operating model, it is implicitly describing governance processes that identity teams already know well. The practical issue is not environmental reporting itself, but whether the organisation can maintain control when conditions change across staff, systems, and third parties.
Practical implication: map sustainability-linked resilience claims to the same ownership, review, and lifecycle controls used in IAM and NHI governance.
How cyber resilience councils fit into modern risk governance
A cyber resilience council is a governance mechanism, not a technical control. Its purpose is to combine external perspective with internal decision-making so that threat response and preparedness are not trapped inside one team or one data set. In identity terms, that is relevant because access risk rarely sits in a single programme. It crosses security, operations, compliance, and business continuity. Councils can improve decision quality, but only if they are connected to enforceable policy, not just advisory discussion. The mechanism is useful when it shortens the path from risk signal to control change.
Practical implication: tie cross-functional resilience councils to identity control changes, ownership updates, and measurable review cycles.
Why data proliferation and resource efficiency matter to NHI sprawl
Commvault links product design to less data proliferation, lower transfer overhead, and more efficient resource use. That is relevant to NHI governance because sprawl is rarely only a security problem. It is also an operational efficiency problem, where unnecessary data movement, duplicated credentials, and unmanaged service paths create more places for failure and more work for remediation. The same discipline that reduces waste can also reduce exposed paths, duplicate access, and untracked dependencies. For identity programmes, the architectural question is whether the platform limits unnecessary movement and reduces the number of credentials that need to be managed at all.
Practical implication: reduce credential and data sprawl together by reviewing system designs that create redundant access paths.
NHI Mgmt Group analysis
Resilience is becoming an identity governance issue, not just a sustainability issue. Once organisations describe continuity as dependent on operations, suppliers, and cyber readiness, they are describing a governance model that identity teams already own. The useful insight is that lifecycle discipline, ownership clarity, and review cadence now matter outside the IAM team as much as inside it. Practitioners should treat resilience language as a signal to align access governance with broader continuity controls.
Continuous materiality review is the right model for governance, but only if it reaches access decisions. Commvault describes materiality as responsive to stakeholder input, regulation, and environmental events rather than a fixed annual exercise. That is a strong governance pattern, because static review cycles fail when the environment changes faster than the policy calendar. The same logic applies to access reviews, supplier access, and privileged service accounts. Practitioners should re-evaluate where their review cadence is still too slow for the rate of operational change.
Data proliferation is a governance problem because excess data paths usually mean excess identity paths. When a platform limits data movement and optimises resource use, it also has the potential to reduce the number of identities, tokens, and integrations that must be governed. That is the named concept here: identity-linked data proliferation. This is the point at which operational efficiency and security control converge. Practitioners should look for architectures that reduce unnecessary identities as part of resilience engineering.
Cyber resilience councils only matter if they produce enforceable identity outcomes. A multi-stakeholder council can improve visibility across risk domains, but advisory structure alone does not reduce exposure. The governance value appears when council decisions change controls, ownership, and escalation paths. For identity programmes, that means the council must translate into access policy changes, lifecycle reviews, and accountable remediation. Practitioners should judge these bodies by control movement, not by meeting cadence.
Workforce resilience and identity resilience are the same continuity problem viewed from different angles. The report’s workforce continuity themes, including benefits, upskilling, and flexible work, point to retention and operational stability. Identity leaders should read that as a reminder that people risk is governance risk, especially where privileged access depends on role clarity and timely offboarding. Practitioners should connect workforce policy to joiner-mover-leaver discipline and access certification outcomes.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, according to The 2026 Infrastructure Identity Survey.
- For a broader lifecycle lens, the NHI Lifecycle Management Guide explains how provisioning, rotation, and offboarding reduce governance drift.
What this signals
The practical signal for identity teams is that resilience language is expanding the governance surface. If business continuity, supplier management, and cyber readiness are being discussed together, then access ownership and lifecycle evidence need to be measurable across those same boundaries.
Identity-linked data proliferation: when systems move less data and depend on fewer integrations, they usually create fewer credentials to govern and fewer failure points to recover. That is why operational efficiency and access governance are converging in the same programme design conversation.
For teams formalising this shift, the Top 10 NHI Issues is the right internal reference point for sprawl, ownership, and control drift, while NIST Cybersecurity Framework 2.0 helps map resilience work into govern, identify, protect, detect, respond, and recover outcomes.
For practitioners
- Align resilience reviews with access governance cycles Use the same review calendar for continuity planning, supplier oversight, and access recertification where operational dependencies overlap. That prevents resilience findings from staying in a separate reporting track while identity risk remains unchanged.
- Map continuity dependencies to privileged and third-party access Identify which business continuity assumptions depend on vendor accounts, service credentials, or recovery tooling. Then document who can approve, revoke, and validate those accesses during disruption.
- Reduce redundant identity paths in systems that move data heavily Review architectures that create duplicate integrations, repeated data transfers, or multiple service accounts for the same workflow. Fewer paths usually mean fewer credentials to govern and fewer recovery exceptions to manage.
- Treat cyber governance councils as control owners, not advisers Require any cross-functional resilience body to produce specific identity actions, such as entitlement cleanup, supplier access review, or privileged access escalation rules. If it cannot change controls, it is only reporting risk.
Key takeaways
- Commvault frames sustainability as a continuity discipline, which pushes identity teams to think beyond narrow access control and into operational resilience.
- The report’s governance model suggests that review cadence, ownership clarity, and supplier discipline matter as much to security outcomes as they do to environmental reporting.
- For practitioners, the main lesson is to align resilience programmes with identity lifecycle controls so continuity assumptions are actually enforceable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OV-03 | The report ties resilience oversight to cross-functional governance and continuous review. |
| NIST SP 800-53 Rev 5 | AC-2 | Lifecycle control is central where continuity depends on owned access and offboarding. |
| NIST Zero Trust (SP 800-207) | Resilience depends on continuous verification across operational dependencies and trust boundaries. |
Map resilience councils to CSF governance outcomes and require identity-related control actions.
Key terms
- Cyber resilience: The ability to maintain or restore critical operations when conditions change, systems fail, or threats materialise. In identity programmes, resilience depends on knowing which accounts, approvals, and recovery paths are essential and being able to govern them without delay.
- Materiality assessment: A process for deciding which issues matter enough to influence strategy, reporting, and control priorities. In this context, it is useful when it is refreshed by current risk signals rather than treated as a fixed annual exercise.
- Identity-linked data proliferation: The expansion of identities, tokens, integrations, and access paths that happens when systems move data inefficiently or duplicate workflows. It increases governance overhead because more accounts and dependencies must be owned, reviewed, and recovered during disruption.
- Cyber resilience council: A cross-functional governance group that brings external and internal perspectives into resilience decision-making. It only adds value when its recommendations change controls, ownership, and escalation paths rather than remaining advisory.
What's in the full article
Commvault's full report covers the operational detail this post intentionally leaves for the source:
- Specific sustainability metrics behind the company’s environmental efficiency claims, including office and data centre optimisation.
- Detailed descriptions of the Cyber Resilience Council’s composition and how external expertise informs internal decision-making.
- Examples of product design choices that reduce data proliferation and support customer sustainability outcomes.
- Workforce continuity initiatives, including benefits, upskilling, and flexible work practices that support retention.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2025-07-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org