By NHI Mgmt Group Editorial Team | Published 2025-11-20 | Domain: Governance & Risk | Source: Cerbos

TL;DR: Compliance failures are not just policy problems; they become breach, audit, and remediation problems when data quality, change control, audit logging, and access control are weak, according to Cerbos. The governing lesson is that compliance has to be built into identity and authorization design from the start, because late controls cannot fix broken assumptions.


At a glance

What this is: A compliance-focused analysis showing how data quality, change control, audit logs, and access control shape regulatory readiness and incident response.

Why it matters: It matters because IAM, NHI, and human access programmes all fail compliance in the same way when identity data is stale, changes are uncontrolled, and evidence is missing.


👉 Read Cerbos' guide on compliance, audit logs, and authorization control


Context

Compliance is not a documentation exercise. It is the operational proof that identity data, authorization decisions, change control, and audit evidence are accurate enough for regulators, auditors, and incident responders to trust. In this article, the key issue is how compliance breaks when identity and access management is treated as a downstream activity instead of an architectural control.

That framing matters across human IAM, NHI governance, and workload access because the same failure pattern repeats: stale records drive wrong access decisions, uncontrolled change creates policy drift, and weak logs prevent reconstruction after an incident. The result is not only regulatory exposure, but also a programme that cannot prove it is operating as designed.


Key questions

Q: What breaks when identity data is stale in a compliance programme?

A: When identity data is stale, access control, reporting, and audit evidence all start reflecting an outdated reality. That can leave former employees, partners, or service accounts with access they should no longer have, and it can also make certification results unreliable. Compliance breaks because the organisation can no longer prove that its controls match actual access conditions.

Q: Why do audit logs matter so much for regulatory compliance?

A: Audit logs matter because they are the evidence trail regulators use to verify that access controls, approvals, and changes actually happened as claimed. They also help investigators reconstruct misuse after an incident. Without logs, an organisation may be unable to prove control operation, detect abnormal access early, or explain how a breach unfolded.

Q: What do security teams get wrong about change management and access control?

A: They often treat access-affecting changes as routine engineering work instead of control events with compliance consequences. That mistake lets policy drift, hidden exceptions, and untested updates create real exposure. The safer approach is to test policy changes, review them before release, and keep rollback options ready when access is involved.

Q: How should organisations prove compliance across human and machine identities?

A: They should use one governance model that can show who or what has access, why it was granted, when it changed, and whether it was reviewed. That means accurate source data, controlled change, and durable logs across employees, service accounts, and workloads. Separate tooling for each identity type usually creates gaps auditors can see.


Technical breakdown

Data quality as a compliance control surface

Data quality is the condition that makes authorization and reporting trustworthy. If identity attributes are incomplete, inconsistent, or stale, policy decisions inherit those defects. In compliance terms, the problem is not just bad data entry. It is that access reviews, segmentation rules, and audit evidence all depend on current truth about who or what an identity is, what role it holds, and whether it should still have access. When HR or directory data drifts from reality, the policy engine can only enforce the wrong answer with confidence.

Practical implication: verify that identity source data is accurate before relying on it for access decisions or audit evidence.

Change advisory boards and authorization drift

A change advisory board exists to make sure policy, configuration, and deployment changes are reviewed before they create compliance gaps. In authorization systems, change is not just software release management. It includes permission model edits, policy exceptions, vendor onboarding, and environment-specific overrides. Without review and rollback discipline, a small configuration change can widen access, disable enforcement, or break segregation of duties. Compliance frameworks care about this because uncontrolled change makes control evidence unreliable and turns documented policy into a fiction.

Practical implication: require review, testing, and rollback for every change that can alter access outcomes.

Audit logs as compliance evidence and investigation memory

Audit logs are the memory of an identity programme. They show who requested access, who approved it, what was granted, and what changed afterward. That matters for compliance because regulators do not only ask whether a control existed. They ask whether it was operating, whether it was reviewed, and whether the organisation could reconstruct events after a breach or misuse. If logs are missing, incomplete, or not reviewed, the programme loses both evidentiary value and early detection capability. Logging without retention and review is only partial control.

Practical implication: centralise logs, protect them from tampering, and review them often enough to detect misuse before it spreads.


Threat narrative

Attacker objective: keep unauthorised access invisible long enough to extract data, evade accountability, and trigger a costly compliance failure.

  1. Entry occurs when weak governance lets outdated identity data or third-party credentials remain trusted after the real-world relationship has changed.
  2. Escalation happens when uncontrolled change or poor review lets the attacker or insider preserve access long enough to reach sensitive records or systems.
  3. Impact lands when missing audit evidence and weak control testing prevent early detection, increase regulatory exposure, and expand the cost of remediation.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Compliance fails first as an identity problem, not a policy problem. The article’s examples show that fines and settlements follow when identity records, approval flows, and access evidence no longer reflect reality. Data quality and auditability are the control plane beneath regulatory readiness, because compliance cannot be demonstrated from broken source data. Practitioners should treat identity accuracy as a compliance dependency, not an administrative cleanup task.

Change control is where authorization drift becomes regulatory drift. The article is right to connect CAB discipline with compliance because unreviewed changes can silently alter who can do what. That failure mode is especially dangerous in access systems, where a small exception or deployment shortcut can defeat segregation of duties or policy enforcement. Practitioners should view every access-affecting change as a control event, not just an engineering task.

Audit logs are only useful when they preserve both proof and timing. The Memorial Healthcare example shows how stale credentials plus unreviewed logs create a long-dwell compliance failure. The point is not simply that logging matters, but that logging without systematic review leaves organisations unable to prove control operation or reconstruct misuse quickly enough to limit impact. Practitioners should treat log review as part of the control itself.

Externalized authorization can strengthen compliance only if its evidence layer is trusted. Cerbos’ emphasis on testable, human-readable, centrally managed policy reflects a broader market direction: teams want policy to be auditable as code, not scattered across applications. That approach helps where regulators need repeatability and where engineers need fewer hidden exceptions. Practitioners should judge authorization tooling by its evidentiary quality as much as by enforcement capability.

Compliance is converging across human IAM, NHI governance, and workload identity. The same three failure patterns keep recurring: inaccurate identity data, uncontrolled change, and incomplete audit trails. That means access governance cannot be siloed by identity type if the organisation wants defensible controls. Practitioners should build one governance model that spans people, service accounts, and machine access.


What this signals

Insufficiently secured identity sprawl is now a compliance issue as much as a security issue. When more than 1 in 5 non-human identities are believed to be undersecured, the audit question changes from whether a policy exists to whether the programme can actually enumerate and govern the identities it owns. That is why lifecycle control and evidence quality now sit at the centre of compliance design.

The practical signal for teams is that access governance has to become measurable across human users, service accounts, and workload identities. If policy cannot show who approved access, what changed, and whether the resulting state was reviewed, the organisation will struggle in both incident response and regulatory review.

Compliance maturity is increasingly expressed through identity evidence, not policy language. Teams that want stronger assurance should connect governance operations to the NHI Lifecycle Management Guide and align controls to the NIST Cybersecurity Framework 2.0 where access evidence, monitoring, and response need to be defensible in the same operating model.


For practitioners

  • Validate identity source data before policy enforcement. Reconcile HR, directory, and application records so access rules evaluate against current role, status, and entitlement data. Prioritise stale leaver records, duplicate accounts, and mismatched attributes that can produce incorrect grants.
  • Treat access-affecting changes as controlled compliance events. Require review, testing, and rollback planning for policy edits, permission exceptions, vendor access changes, and deployment updates that can alter authorization outcomes. Keep the approval trail attached to the change record.
  • Centralise audit logs and prove they are reviewed. Send authorization, admin, and data-access events to tamper-resistant storage, retain them for the applicable regulatory window, and assign a routine review process that can surface misuse before it becomes a reportable incident.
  • Test policy behavior before production release. Use repeatable authorization tests to confirm that roles, attributes, exceptions, and denial paths behave as intended in pre-production. Include test cases for edge conditions that could create overbroad access or break segregation of duties.
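The first and third practitioner items above (reconciling source data before enforcement, and keeping the approval trail attached to each grant) can be expressed as checks over the records themselves. The following is an added example, not code from the Cerbos article or from NHIMG; the HR records, grants, audit events and their field names are constructed sample data.

```python
# Added example: reconcile a source-of-truth identity set against live grants
# and the audit trail. All records below are constructed sample data.

# Constructed HR/directory source of truth: identity -> lifecycle status
HR = {
    "alice": {"status": "active", "role": "analyst"},
    "bob": {"status": "terminated", "role": "engineer"},
    "svc-report": {"status": "active", "role": "service"},
}

# Constructed entitlements currently enforced by the policy engine
GRANTS = [
    {"identity": "alice", "resource": "patient-records", "role": "analyst"},
    {"identity": "bob", "resource": "prod-db", "role": "engineer"},       # leaver
    {"identity": "svc-report", "resource": "patient-records", "role": "service"},
    {"identity": "vendor-x", "resource": "prod-db", "role": "admin"},      # no HR record
]

# Constructed audit trail: (timestamp, event, identity, resource, actor)
AUDIT = [
    ("2025-10-01T10:00Z", "approve", "alice", "patient-records", "mgr1"),
    ("2025-10-01T10:05Z", "grant", "alice", "patient-records", "iam-bot"),
    ("2025-10-02T08:00Z", "grant", "vendor-x", "prod-db", "admin2"),
    ("2025-10-03T07:59Z", "approve", "svc-report", "patient-records", "admin2"),
    ("2025-10-03T08:00Z", "grant", "svc-report", "patient-records", "admin2"),
]


def stale_grants(hr, grants):
    """Grants held by identities that are not active in, or absent from, the source of truth."""
    return [g for g in grants if hr.get(g["identity"], {}).get("status") != "active"]


def unapproved_grants(audit):
    """Grants with no earlier approval, or approved only by the actor who granted them."""
    findings = []
    events = sorted(audit)  # ISO-8601 UTC timestamps sort lexicographically
    for i, (_, event, ident, res, actor) in enumerate(events):
        if event != "grant":
            continue
        approvals = [a for a in events[:i]
                     if a[1] == "approve" and a[2] == ident and a[3] == res]
        if not approvals:
            findings.append((ident, res, "no prior approval"))
        elif all(a[4] == actor for a in approvals):
            findings.append((ident, res, "self-approved"))
    return findings


def compliance_findings(hr=HR, grants=GRANTS, audit=AUDIT):
    """Evidence an auditor asks for: stale access plus grants lacking proper approval."""
    return {"stale": [g["identity"] for g in stale_grants(hr, grants)],
            "unapproved": unapproved_grants(audit)}
```

Run on real exports, the two lists are exactly the items a certification campaign should revoke or re-approve, and the audit check doubles as a segregation-of-duties test for the approval flow.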

Key takeaways

  • Compliance fails when identity data, change control, and audit evidence stop matching operational reality.
  • The regulatory cost of weak governance is not marginal. It compounds into fines, remediation, and trust loss.
  • Teams that want defensible compliance need one access governance model that spans people, machines, and service accounts.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Access governance depends on accurate identity data and controlled permissions.
NIST CSF 2.0 | DE.CM-1 | Audit logs and monitoring are central to detecting misuse and proving control operation.
OWASP Non-Human Identity Top 10 | NHI-03 | Credential lifecycle and governance are directly implicated by stale access and compliance drift.

Centralise logs and review them continuously so control failures surface before an audit does.


Key terms

  • Audit Log: A record of security-relevant actions such as access grants, policy changes, and administrative activity. In compliance programmes, audit logs are the evidence trail that shows whether controls operated as intended and whether investigators can reconstruct events after misuse or a breach.
  • Change Advisory Board: A formal review process that evaluates proposed system or policy changes before they reach production. In identity and access environments, it helps prevent hidden access drift by requiring testing, approval, and rollback planning for changes that could affect who can access what.
  • Data Quality: The degree to which identity and business records are accurate, complete, timely, consistent, unique, and detailed enough for their intended use. Compliance depends on data quality because access controls, certification decisions, and reports are only as trustworthy as the source data behind them.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Cerbos: compliance, data quality, change management, and audit logs. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-11-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org