TL;DR: Traditional identity governance programs fail when periodic access reviews and static policies lag behind identities that are provisioned, changed, and abused in milliseconds, creating what RSA calls the “Negligence Gap” between documentation and real enforcement. The case for continuous, risk-based governance is now a defensibility requirement, not a compliance preference.
At a glance
What this is: RSA argues that annual or quarterly access reviews create a widening gap between documented identity governance and real-time enforcement.
Why it matters: IAM, NHI, and autonomous identity programmes need controls that prove enforcement at the moment access changes, not only at audit time.
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
👉 Read RSA Security's report on active defense governance and identity reviews
Context
Identity governance fails when control evidence exists only on paper. RSA frames the core problem as a gap between annual or quarterly attestation cycles and the reality that human and non-human identities can change, drift, and be abused far faster than any review campaign can react.
That gap is especially consequential for NHI governance, where service accounts, API tokens, machine identities, and AI agents often carry elevated access with weak review coverage. The right question is not whether a policy exists, but whether the organisation can prove enforcement at the moment access changed.
For practitioners, this is the same structural issue NHIMG has described across lifecycle, privilege, and review disciplines. The difference is that continuous control now has to be treated as an operational security requirement, not as an audit afterthought.
Key questions
Q: How should organisations move from periodic access reviews to continuous identity governance?
A: Start by treating certification campaigns as validation, not detection. Then connect entitlement changes, exceptions, and revocations to real-time policy checks so the programme can prove enforcement at the moment access changes. That shift matters most where service accounts, tokens, and privileged roles can drift faster than a review cadence.
Q: Why do non-human identities make traditional IGA review cycles less effective?
A: Non-human identities often carry elevated privileges, change outside human workflows, and are rarely visible in manager-led reviews. That combination creates long gaps between access drift and governance action. When the identities that matter most are outside the review path, the programme can look compliant while remaining exposed.
Q: What breaks when access reviews are the primary identity control?
A: The control breaks because access can change, be abused, and disappear between review cycles. Review-based governance produces documentation, but not continuous enforcement. In practice, that means investigators can find clean records even when the environment had excessive access at the exact moment the incident occurred.
Q: Who is accountable when identity governance fails during a breach?
A: Accountability shifts to whether the organisation can show that access controls were operating when the incident happened, not whether policies were written. Regulators, auditors, and litigators will ask for evidence of enforcement, revocation, and exception handling. If that evidence is missing, the governance programme becomes part of the liability story.
Technical breakdown
Why periodic access reviews create audit decay
Periodic access reviews are snapshots, not enforcement. The moment a certification campaign closes, permissions begin drifting as roles change, contractors leave, integrations expand, and service accounts accumulate scope. RSA calls this the Negligence Gap, and the underlying mechanism is simple: governance evidence ages faster than identity state. In environments with many non-human identities, a quarterly or annual cadence leaves long periods in which access can be excessive, orphaned, or exploited without triggering governance action. That is why a clean audit does not equal a secure identity posture.
Practical implication: treat review cycles as evidence collection, not as the primary access control.
How active defense governance changes the control plane
Active Defense Governance shifts identity governance from a periodic attestation process to a continuous control plane. Instead of asking who had access at last review, the model asks why access exists now, whether policy still supports it, and whether the risk posture has changed. That requires real-time policy evaluation, event-driven triggers, and automated remediation paths that do not wait for human review cycles. In practice, this turns governance into a security capability with telemetry, logs, and revocation outcomes that can be audited immediately.
Practical implication: connect entitlement changes to continuous policy checks and automated enforcement.
Why just-in-time access matters for standing privilege
Standing privilege is the structural weakness that lets identity risk persist between review cycles. Just-in-time access reduces that exposure by making high-risk access time-bound and task-scoped rather than permanently assigned. RSA positions this as a core ADG capability because permanent access is the default condition that attackers exploit for lateral movement and privilege escalation. The mechanism is not just shorter duration. It is the removal of assumptions that privileges remain valid until someone remembers to revoke them.
Practical implication: reserve standing access for low-risk use cases and force time-bounded grants for elevated access.
Threat narrative
Attacker objective: The attacker seeks durable access that outlives governance review cycles and can be used to move laterally, persist, or create defensible ambiguity after the incident.
- Entry occurs when excessive or stale identity permissions remain active between governance cycles, allowing an attacker or insider path into the environment before review catches the change.
- Escalation happens when standing privilege, dormant entitlements, or unmonitored non-human identities provide broader access than the organisation’s documented policy intended.
- Impact follows when the organisation cannot prove real-time enforcement, leaving breach response, audit defence, and legal accountability exposed at the same time.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
The Negligence Gap is not a process flaw; it is an exposure model. Static policy documentation was designed for environments where access changes slowly enough to be reviewed on a schedule. That assumption fails when identities are modified continuously and exploitation happens between campaigns. The implication is that governance maturity must be measured by enforcement latency, not by the existence of an attestation calendar.
Identity governance that cannot see non-human identities is structurally incomplete. Service accounts, API tokens, machine identities, and AI agents often carry the access that matters most, yet they are the least likely to be meaningfully reviewed. A governance programme that only certifies human entitlements is leaving the highest-risk identity class outside its control boundary. Practitioners should treat NHI coverage as a baseline condition for any defensible governance model.
Continuous enforcement is now a legal and operational control, not a reporting enhancement. RSA’s framing is correct to move the conversation from audit cleanliness to evidentiary defensibility. When access can change faster than a review cycle, the question regulators and litigators will ask is whether the organisation could prove policy enforcement at the moment of impact. That changes identity governance from compliance theatre into incident-ready control.
Just-in-time access only solves part of the problem if governance remains episodic. JIT reduces standing privilege, but it does not eliminate the need for real-time evaluation of why access exists, whether it still matches policy, and how quickly it can be revoked. The field should stop treating point-in-time review and continuous control as interchangeable. They are not, and programmes that confuse them will keep producing audit artefacts instead of security outcomes.
Active Defense Governance names the right destination, but the real shift is accountability for live identity state. The practical test is whether an organisation can explain, in real time, why a human or non-human identity has access, who approved it, and what would happen if that access became invalid now. That is the governance standard practitioners should use when redesigning IAM, IGA, and NHI oversight.
From our research:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
- If the governance model cannot keep pace with live identity state, start with the NHI Lifecycle Management Guide and then map the gap against the OWASP Non-Human Identity Top 10.
What this signals
Audit decay is now a programme design problem, not a reporting problem: identity teams should assume that any review-based control loses fidelity the moment the campaign closes. The practical response is to shift budget and telemetry toward continuous enforcement, exception ageing, and revocation latency rather than only toward certification completion rates.
With 72% of organisations saying they have experienced or suspect an NHI breach, the control gap is no longer limited to privileged human accounts. Governance teams should expect service accounts, tokens, and machine identities to appear more often in breach narratives and should align their oversight models accordingly.
The next maturity step is to make governance evidence machine-readable and immediately usable by security operations. When access decisions can be inspected in real time, the identity programme stops being a compliance back office and starts operating as part of the active defence stack.
For practitioners
- Replace calendar-based reviews with continuous entitlement monitoring: Instrument identity changes so that provisioning, scope changes, and exception approvals are evaluated as they happen. Use review campaigns to confirm what continuous monitoring has already detected, not to discover drift for the first time.
- Prioritise non-human identity coverage in governance scope: Map service accounts, API keys, tokens, certificates, and machine identities into the same governance inventory as human users. If those identities are missing from review queues, your audit evidence will not match your actual attack surface.
- Measure time to revocation as a control metric: Track how long excessive access remains active after a role change, exception expiration, or compromise signal. If revocation takes hours or days, the governance programme is documenting risk instead of reducing it.
- Use just-in-time access for elevated privileges: Reserve standing access for low-risk functions and require task-scoped grants for privileged roles, especially where access can be abused for lateral movement. Pair this with approval logs that show why the access existed at the moment it was granted.
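To make the four practices above concrete, here is an added example (not RSA's or NHIMG's code) of an event-driven entitlement monitor: it evaluates each identity event as it arrives, flags standing elevated access that has no JIT expiry, starts a revocation clock on each risk signal, and reports time to revocation against an assumed SLA. The event format, scope names, identities and the four-hour SLA are all constructed for illustration.

```python
from datetime import datetime, timedelta

ELEVATED = {"admin", "owner"}   # scopes the hypothetical policy treats as privileged

# Constructed identity event stream: (timestamp, identity, kind, detail).
# kind is "grant", "signal" (role change, exception expiry, compromise) or "revoke".
EVENTS = [
    ("2026-01-05T09:00:00", "svc-billing", "grant", {"scope": "admin"}),
    ("2026-01-05T09:02:00", "ci-deployer", "grant",
     {"scope": "admin", "jit_expiry": "2026-01-05T10:02:00"}),
    ("2026-01-05T10:02:00", "ci-deployer", "revoke", {}),
    ("2026-01-06T12:00:00", "svc-billing", "signal", {"type": "exception_expired"}),
    ("2026-01-07T10:00:00", "svc-reports", "signal", {"type": "secret_exposed"}),
    ("2026-01-09T08:30:00", "svc-billing", "revoke", {}),
]


def run_monitor(events):
    """Evaluate every event at the moment it happens and measure time to revocation.
    Returns (findings, ttr): findings is a list of (identity, reason) raised at event
    time; ttr maps identity -> timedelta from first risk signal (or JIT deadline) to revoke."""
    findings, clock_open, jit_deadline, ttr = [], {}, {}, {}
    for when, ident, kind, detail in sorted(events, key=lambda e: e[0]):
        now = datetime.fromisoformat(when)
        if kind == "grant" and detail.get("scope") in ELEVATED:
            if "jit_expiry" in detail:
                # Time-bound grant: the deadline is when revocation is expected.
                jit_deadline[ident] = datetime.fromisoformat(detail["jit_expiry"])
            else:
                # Policy: elevated access must be JIT; a standing grant is a finding now,
                # not at the next certification campaign.
                findings.append((ident, "standing elevated access without JIT expiry"))
        elif kind == "signal":
            clock_open.setdefault(ident, now)      # revocation clock starts here
        elif kind == "revoke":
            if ident in clock_open:
                ttr[ident] = now - clock_open.pop(ident)
            elif ident in jit_deadline:
                ttr[ident] = max(timedelta(0), now - jit_deadline.pop(ident))
    for ident in clock_open:                       # signal seen, access still live
        findings.append((ident, "risk signal with no revocation yet"))
    return findings, ttr


def sla_breaches(ttr, sla=timedelta(hours=4)):
    """Identities whose revocation took longer than the assumed SLA."""
    return sorted(i for i, t in ttr.items() if t > sla)
```

On the constructed stream, svc-billing is flagged at grant time, its exception-expiry clock runs 2 days 20.5 hours before revocation (an SLA breach), ci-deployer's JIT grant is revoked on its deadline, and svc-reports shows an open compromise signal that no revocation has closed.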
Key takeaways
- Periodic access reviews are too slow to describe or control identity state in modern environments.
- The scale of NHI compromise means governance gaps now create both security exposure and defensibility risk.
- Continuous enforcement, revocation measurement, and NHI coverage are the controls that change the outcome.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The paper centers on stale credentials and review-driven governance gaps. |
| NIST CSF 2.0 | PR.AA-1 | Identity management must prove access decisions are current and enforced. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Continuous verification aligns with zero trust access governance. |
Use PR.AC-4 to justify time-bound access and continuous policy evaluation for privileged identities.
Key terms
- Negligence Gap: The Negligence Gap is the distance between what identity governance documentation says should be true and what live systems are actually doing between review cycles. It grows when access changes faster than the programme can verify and enforce policy, creating both security exposure and legal vulnerability.
- Audit Decay: Audit Decay is the gradual loss of validity in access review evidence after a certification campaign closes. As identities change, the reviewed state becomes stale, which means a clean audit can coexist with excessive or risky access in production.
- Active Defense Governance: Active Defense Governance is a continuous identity governance model that evaluates access in real time instead of relying mainly on periodic attestations. It treats governance as an operational security capability, with monitoring, policy enforcement, and revocation working together on live identity state.
- Time To Revocation: Time To Revocation is the elapsed time between a risk signal, access change, or policy breach and the removal of affected entitlements. It is a practical measure of whether governance is reducing exposure quickly enough to matter in modern attack timelines.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
This post draws on content published by RSA Security: From Compliance Theater to Active Defense, Rethinking Identity Governance for a World That Does Not Wait for Annual Reviews. Read the original.
Published by the NHIMG editorial team on 2026-06-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org