TL;DR: A survey of 1,000 financial and fintech professionals found 88.4% are very confident they would pass a surprise audit, yet 64% of financial services companies have received an identity-related audit citation in the past two years and 49.3% still spend 10 to 25 hours a month preparing audit data, according to StrongDM. The gap is not confidence but provability: compliance programmes that cannot produce timely access evidence are already behind.
At a glance
What this is: This survey shows a sharp gap between self-reported audit confidence and the operational effort needed to prove identity controls in financial institutions.
Why it matters: IAM teams have to manage privileged access, access reviews, and audit evidence across NHI, autonomous, and human identities, and this report shows the governance burden still sits on manual proof.
By the numbers:
- 88.4% are “very confident” in passing a surprise compliance audit.
- 64% of financial services companies have received an identity-related audit citation in the past two years.
- 49.3% spend 10–25 hours monthly preparing audit data.
Context
Compliance in financial institutions depends on being able to prove who or what had access, when it changed, and whether the access was still justified at the point of review. In practice, that means audit readiness is really an identity governance problem, not just a reporting problem.
The report suggests many teams still rely on manual evidence gathering, partial automation, and inconsistent visibility into access revocation. That is a familiar pattern in both human IAM and NHI governance, because the harder part is not granting access but continuously proving the access lifecycle.
Key questions
Q: How should security teams reduce manual effort in audit evidence collection?
A: They should automate the connection between identity events, access changes, and logging so evidence is produced as a by-product of normal operations. The goal is not just faster reporting. It is to ensure that approvals, revocations, and privilege changes are already defensible when auditors ask for proof. Start with the highest-risk systems and expand from there.
Q: Why do privileged access reviews often fail to satisfy auditors?
A: They fail when the review checks whether access exists but cannot prove how long it existed or whether it was removed everywhere it mattered. Auditors care about evidence, not intent. If revocation timing, owner approval, and entitlement history are incomplete, the review may look acceptable while still leaving an exposure window.
Q: What do financial institutions get wrong about compliance automation?
A: Many teams automate reporting before they automate the underlying identity data quality. That produces faster output, but not better proof. Automation only reduces audit burden when it captures access events, entitlement changes, and revocation status in a complete chain that can be reviewed without manual cleanup.
Q: How should organisations govern third-party access in regulated environments?
A: They should review third-party access as a separate governance stream with its own owners, expiry rules, and evidence trail. Third-party entitlements often outlive the business need that created them, which makes them harder to defend in audit and harder to contain when the relationship changes.
Technical breakdown
Audit readiness depends on access evidence, not confidence
In regulated environments, audit readiness is the ability to produce defensible evidence of access decisions, not a belief that controls exist. That evidence usually includes who approved access, how quickly it was revoked, whether the entitlement matched the role, and whether logs are complete enough to reconstruct events. When those proofs live in tickets, spreadsheets, and manually assembled reports, the control may exist but the governance signal is weak. For financial institutions, the issue is especially acute where privileged access and third-party access create a larger review surface than normal user access.
Practical implication: Treat audit preparation as a control-quality test and measure whether access evidence can be produced without manual assembly.
Privileged access management breaks when revocation is not visible
Privileged access management is not only about restricting elevation. It also depends on knowing how long high-risk access persists and whether revocation actually completed across all systems. The report’s 2.1% with no visibility into revocation timing is small but material because even a short exposure window can matter in high-value financial systems. In identity terms, the failure mode is not just over-privilege, but unmeasured privilege duration. That creates audit friction and increases investigation difficulty when controls are tested after the fact.
Practical implication: Track revocation latency as a governance metric and escalate any system where access removal cannot be verified.
Compliance automation matters because evidence collection is the bottleneck
The survey shows a split between partial and extensive automation, which is typical of programmes that have automated fragments of reporting but not the full evidence chain. Real-time logs, automated access controls, and identity lifecycle tooling solve different parts of the same problem, but none of them help if the data is inconsistent or incomplete. For financial institutions, the technical challenge is integrating identity events, access logs, and policy records into a single reviewable trail. Without that, compliance teams still spend their time stitching together proof instead of governing risk.
Practical implication: Prioritise systems that create continuous, reviewable evidence trails across access changes, logs, and approvals.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Zacks Investment Research breach — a breach at Zacks exposed 12M customer records, including credentials.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Compliance confidence is not a control outcome, it is a perception metric. The report shows a programme can feel audit-ready while still consuming substantial labour to prove basic access facts. That gap matters because identity governance is measured by evidentiary reliability, not by self-assurance. Practitioners should treat confidence scores as weak signals unless they are backed by provable access history.
Privileged access remains the pressure point where audit, PAM, and lifecycle governance collide. The survey’s focus on high-risk systems, manual approval, and delayed revocation shows that PAM is still being judged by process completion rather than proof of completion. When revocation timing is invisible, the organisation cannot show whether privilege existed longer than policy intended. The practitioner conclusion is that access duration has become a governance control, not just an operational detail.
Identity lifecycle management is now a compliance mechanism, not an administrative task. The fact that teams still spend 10 to 25 hours a month assembling audit data shows the lifecycle problem is not only who gets access, but how reliably access changes are captured over time. That applies across human users and non-human identities alike, because auditors care about entitlement history regardless of actor type. The practical implication is that lifecycle data quality is part of the control environment.
Third-party access is a structural audit risk because it expands the identity perimeter beyond employee IAM. Financial institutions that lack clear visibility into external access will continue to struggle with least privilege enforcement and evidence production. This is where human IAM assumptions break down, because vendors, service accounts, and other non-human identities often bypass the same review discipline applied to employees. Practitioners need to govern the whole access chain, not the employee segment alone.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
- That confidence gap is why access reviews, lifecycle offboarding, and third-party OAuth governance need to be treated as one control problem, not three separate ones, as discussed in Ultimate Guide to NHIs.
What this signals
Audit-confidence programmes should be rebuilt around evidence latency, not survey confidence. When teams spend 10 to 25 hours a month preparing audit data, the real control question is how quickly the identity system can prove a change, not whether a team feels ready. That makes identity event capture, revocation visibility, and log completeness the practical indicators worth tracking.
The structural issue is wider than employee IAM. Third-party access debt is the growing gap between who is allowed in and who can be audited cleanly, especially where OAuth-connected vendors and service accounts sit outside normal recertification routines. The Ultimate Guide to NHIs is useful here because the same evidence problem repeats across human, NHI, and delegated access.
Financial institutions should expect auditors to ask not only whether access exists, but whether the organisation can reconstruct its lifecycle quickly and consistently. That pushes IAM teams toward continuous controls monitoring, stronger access lineage, and tighter alignment between PAM, compliance reporting, and third-party governance.
For practitioners
- Measure access revocation latency across all high-risk systems: Record how long it takes to remove access after role change or exit, then compare that timing across privileged systems, directories, and downstream dependencies. If any system cannot produce a revocation timestamp, treat it as a governance gap rather than a reporting issue.
- Replace manual audit packs with continuous evidence pipelines: Connect access approvals, entitlement changes, and system logs so audit evidence is generated continuously instead of assembled after the fact. Prioritise the systems that account for the largest share of high-risk access and audit citations.
- Tighten least-privilege review for third-party and non-human access: Separate employee access reviews from vendor, service account, and API credential reviews so external access is not hidden inside human recertification workflows. Use the same access-owner and expiry discipline for non-human identities that you expect for staff accounts.
- Map compliance reporting to identity lifecycle events: Make joiner, mover, and leaver events the backbone of audit evidence collection, then verify that each event produces a complete record of access change, approval, and removal. This reduces the risk that audit preparation depends on manual reconstruction.
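The revocation-latency metric from the Technical breakdown and the first and last practitioner steps above can be computed directly from an access-event trail. The following is an added example, not code from the report or from NHIMG: it takes a constructed event log (grants with approver, a leaver event, revocations), measures how long each system took to remove access after the leaver event against an assumed 24-hour SLA, and flags grants with no approver and systems with no revocation timestamp as governance gaps.

```python
from datetime import datetime

# Constructed sample access events (not data from the report): one leaver
# whose access spanned three systems. Timestamps are ISO 8601.
EVENTS = [
    {"identity": "alice", "system": "core-banking", "event": "grant",
     "ts": "2025-03-01T09:00:00", "approver": "mgr-1"},
    {"identity": "alice", "system": "payments-db", "event": "grant",
     "ts": "2025-03-01T09:05:00", "approver": None},       # no approval record
    {"identity": "alice", "system": "vendor-portal", "event": "grant",
     "ts": "2025-03-02T10:00:00", "approver": "mgr-1"},
    {"identity": "alice", "event": "leaver", "ts": "2025-06-30T17:00:00"},
    {"identity": "alice", "system": "core-banking", "event": "revoke",
     "ts": "2025-06-30T17:30:00"},
    {"identity": "alice", "system": "payments-db", "event": "revoke",
     "ts": "2025-07-04T08:00:00"},
    # vendor-portal is never revoked, so no revocation timestamp exists.
]

def revocation_report(events, sla_hours=24):
    """For every grant held by a leaver, report whether revocation can be
    proven, how long after the leaver event it completed, and whether the
    original grant carries an approver. Keyed by (identity, system)."""
    exits = {e["identity"]: datetime.fromisoformat(e["ts"])
             for e in events if e["event"] == "leaver"}
    grants = {(e["identity"], e["system"]): e
              for e in events if e["event"] == "grant"}
    revokes = {(e["identity"], e["system"]): datetime.fromisoformat(e["ts"])
               for e in events if e["event"] == "revoke"}
    report = {}
    for key, grant in grants.items():
        exit_ts = exits.get(key[0])
        if exit_ts is None:
            continue                      # identity still active; not in scope
        gaps = []
        if not grant.get("approver"):
            gaps.append("grant has no recorded approver")
        revoked_at = revokes.get(key)
        if revoked_at is None:
            status, latency = "UNVERIFIED", None
            gaps.append("no revocation timestamp: escalate as governance gap")
        else:
            latency = (revoked_at - exit_ts).total_seconds() / 3600
            status = "OK" if latency <= sla_hours else "LATE"
        report[key] = {"status": status, "latency_hours": latency, "gaps": gaps}
    return report

if __name__ == "__main__":
    for key, row in revocation_report(EVENTS).items():
        print(key, row)
```

Any system that returns UNVERIFIED is exactly the case the first step above treats as a governance gap rather than a reporting issue.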
Key takeaways
- The report shows a familiar compliance pattern: confidence is high, but the evidence needed to prove access control is still costly to assemble.
- Privileged access revocation, third-party visibility, and audit log completeness are the controls most likely to determine whether financial institutions can defend their identity posture.
- Teams that connect lifecycle events to continuous evidence generation will reduce both audit labour and governance blind spots.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Least-privilege and access control are central to the survey's compliance findings. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential rotation and lifecycle control are linked to the audit and revocation issues discussed here. |
| NIST CSF 2.0 | DE.CM-7 | Continuous monitoring supports the real-time logging and audit evidence gaps highlighted in the report. |
Review non-human credential lifecycle controls and ensure revocation and rotation evidence is continuously captured.
Key terms
- Audit Evidence: Audit evidence is the set of records that proves a control actually operated as intended. In identity programmes, that usually means approvals, entitlement changes, logs, revocations, and ownership records that can be reconstructed without manual guesswork.
- Privileged Access Management: Privileged Access Management is the governance and control layer for high-risk access such as admin rights, break-glass accounts, and elevated system permissions. In practice, it is only effective when elevation, approval, logging, and revocation are all visible and testable.
- Identity Lifecycle Management: Identity Lifecycle Management is the process of creating, changing, reviewing, and removing access as roles and relationships change. For regulated environments, the key measure is not whether lifecycle steps exist, but whether every change leaves a complete and auditable trace.
- Third-Party Access: Third-party access is any entitlement granted to external vendors, contractors, or connected systems outside the core employee population. It becomes a governance risk when ownership, expiry, and revocation are weaker than internal access controls, leaving evidence gaps during audits.
Deepen your knowledge
Audit evidence, privileged access review, and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a compliance programme that must stand up to regulated audit pressure, it is worth exploring.
This post draws on content published by StrongDM: The State of Compliance in Financial Institutions Report. Read the original.
Published by the NHIMG editorial team on 2025-08-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org