TL;DR: Omada’s State of Identity Governance 2026, based on nearly 600 U.S. enterprise professionals, finds that confidence in identity security is high while evidence of consistent execution remains weak, especially as reporting still tracks activity more readily than risk and non-human identities expand. The real control gap is not belief, but provable governance at machine speed.
At a glance
What this is: Omada’s identity governance blog argues that organisations are confident in their programmes, but still lack the evidence needed to prove they are reducing identity risk in practice.
Why it matters: IAM teams need measurable execution because human, NHI, and autonomous identity programmes are converging on the same governance layer, and confidence without evidence does not scale.
By the numbers:
- More than 80% of leaders report concern about every major identity threat category.
👉 Read Omada Identity's analysis of the identity governance execution gap
Context
Identity governance is supposed to prove who can access what, why that access exists, and whether it stays justified. This blog argues that many enterprises can report activity, but still cannot demonstrate reduced risk with the same confidence, especially as identity programmes absorb Zero Trust, automation, and AI-driven decision-making.
The pressure point is the move from periodic, human-paced governance to continuous, machine-paced execution. Once non-human identities and AI agents become part of the access model, fragmented ownership and dashboard metrics focused on throughput stop being enough for IAM, IGA, and security leaders.
Non-human identity sprawl is now colliding with shared ownership and inconsistent reporting, which makes governance harder to prove even when leaders believe the programme is working.
Key questions
Q: How should organisations prove identity governance is reducing risk, not just activity?
A: They should measure whether access decisions change exposure, not just whether workflows complete. That means tracking risky entitlement removal, orphaned account reduction, privileged access coverage, and the time it takes to revoke access after it is no longer justified. If the metrics only show volume and speed, the programme may be busy without being effective.
Q: Why do non-human identities make identity governance harder to measure?
A: Non-human identities multiply faster than human accounts, often across teams and platforms that do not share a single source of accountability. That fragmentation makes it harder to prove ownership, lifecycle state, and access justification. The more distributed the estate becomes, the more likely leaders are to see activity metrics without a reliable picture of risk.
Q: What do security teams get wrong about Zero Trust and identity governance?
A: They often treat Zero Trust as an integration label rather than a continuous operating requirement. If identity signals are inconsistent across tools, the organisation may enforce local checks while still lacking enterprise-wide assurance. The mistake is assuming adoption equals execution when the data model and control surfaces do not line up.
Q: Who should own non-human identity governance in a distributed environment?
A: Ownership should sit with a clearly accountable function, even if administration is shared across security, IAM, DevOps, and platform teams. Without a named owner for the full estate, access reviews, lifecycle actions, and risk reporting become fragmented. Clear accountability is the only way to make machine identities governable at scale.
Technical breakdown
Why identity governance shifts from reporting to control evidence
Identity governance has traditionally been measured by operational outputs such as provisioning speed, deprovisioning speed, and audit completion. That works while access decisions are human-paced and visible. It breaks when automation makes decisions faster than review cycles and when identity data is fragmented across platforms. In that environment, throughput tells you that work happened, not whether risk fell. The technical issue is not a lack of dashboards; it is that most dashboards measure process completion, not decision quality or entitlement drift.
Practical implication: Shift executive reporting from activity counts to controls that show whether access decisions are verifiably lowering exposure, not just being processed quickly.
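To make the distinction concrete, here is an added example (not code from Omada or the NHIMG post) that computes both views over the same constructed identity inventory and event log. The throughput view counts completed workflow actions; the exposure view reports orphaned identities, high-risk entitlements whose justification has lapsed, review coverage of privileged identities, and time to revoke measured from the moment access stopped being justified. The field layout, the risk tiering of entitlement names, the 90-day review window and the sample data are all assumptions made for illustration.

```python
"""Activity counts versus risk evidence for an identity estate.

Added example for this post; it is not code from Omada or NHIMG. The field
layout, the risk tiering of entitlement names, the review window and the
sample inventory/event log are all constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Assumed risk tiering: these entitlement names count as high-risk (privileged).
HIGH_RISK = {"admin", "secrets:read", "iam:write"}


@dataclass
class Entitlement:
    name: str
    justified_until: Optional[datetime]  # None = no documented justification on file

    @property
    def high_risk(self) -> bool:
        return self.name in HIGH_RISK


@dataclass
class Identity:
    ident: str
    kind: str                            # "human", "service" or "agent"
    owner: Optional[str]                 # accountable person/team; None = orphaned
    entitlements: list[Entitlement] = field(default_factory=list)
    last_reviewed: Optional[datetime] = None


@dataclass
class Event:
    ts: datetime
    kind: str                            # "provision", "deprovision" or "revoke"
    ident: str
    entitlement: Optional[str] = None
    unjustified_since: Optional[datetime] = None  # when the access stopped being justified


def activity_metrics(events: list[Event]) -> dict[str, int]:
    """The throughput view: how many workflow actions completed."""
    counts: dict[str, int] = {}
    for e in events:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return counts


def risk_evidence_metrics(estate: list[Identity], events: list[Event],
                          now: datetime, review_window: timedelta = timedelta(days=90)) -> dict:
    """The exposure view: did governance decisions actually reduce risk?"""
    orphaned = sorted(i.ident for i in estate if i.owner is None)
    # Entitlement drift: high-risk access whose justification has lapsed or was never recorded.
    drift = sorted((i.ident, e.name) for i in estate for e in i.entitlements
                   if e.high_risk and (e.justified_until is None or e.justified_until < now))
    privileged = [i for i in estate if any(e.high_risk for e in i.entitlements)]
    covered = [i for i in privileged
               if i.owner and i.last_reviewed and now - i.last_reviewed <= review_window]
    coverage = len(covered) / len(privileged) if privileged else 1.0
    # Time to revoke: measured from when access became unjustified, not from ticket open.
    hours = [(e.ts - e.unjustified_since).total_seconds() / 3600
             for e in events if e.kind == "revoke" and e.unjustified_since]
    return {
        "orphaned_identities": orphaned,
        "high_risk_entitlement_drift": drift,
        "privileged_review_coverage": round(coverage, 2),
        "mean_hours_to_revoke": round(mean(hours), 1) if hours else None,
    }


def build_sample() -> tuple[list[Identity], list[Event], datetime]:
    """Constructed sample estate and event log (not real data)."""
    now = datetime(2026, 5, 18, 12, 0)
    d = timedelta
    estate = [
        Identity("alice", "human", "mgr:bob", [Entitlement("admin", now + d(days=30))], now - d(days=10)),
        Identity("carol", "human", "mgr:bob", [Entitlement("secrets:read", now + d(days=60))], now - d(days=5)),
        Identity("svc-ci-deploy", "service", "team:platform", [Entitlement("iam:write", now - d(days=20))], now - d(days=200)),
        Identity("svc-legacy-etl", "service", None, [Entitlement("secrets:read", None)], None),
        Identity("agent-ticket-triage", "agent", "team:support", [Entitlement("tickets:read", None)], now - d(days=3)),
    ]
    events = [Event(now - d(days=k), "provision", f"new-{k}") for k in range(1, 7)]
    events += [Event(now - d(days=k), "deprovision", f"left-{k}") for k in range(1, 4)]
    events += [
        Event(now - d(days=1), "revoke", "dave", "admin", unjustified_since=now - d(days=31)),
        Event(now - d(days=2), "revoke", "svc-old-backup", "secrets:read",
              unjustified_since=now - d(days=2, hours=12)),
    ]
    return estate, events, now


if __name__ == "__main__":
    estate, events, now = build_sample()
    print("activity:", activity_metrics(events))
    print("risk evidence:", risk_evidence_metrics(estate, events, now))
```

On the sample data the activity view reports eleven completed actions and looks healthy, while the exposure view shows one orphaned service account, two high-risk entitlements with lapsed or missing justification, only half of privileged identities reviewed inside the window, and a mean of 366 hours between access becoming unjustified and its removal. The second set of numbers is the one a board can act on.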
Zero Trust adoption without shared identity data
Zero Trust depends on continuous verification, and continuous verification is only as strong as the data and integrations beneath it. If APIs are inconsistent, documentation is weak, or systems encode identity state differently, an organisation can adopt Zero Trust language without achieving Zero Trust execution. The result is a gap between local policy enforcement and enterprise-wide assurance: the architecture may be correct in one platform and incomplete in the overall operating model.
Practical implication: Treat integration quality and identity-signal consistency as part of the control, not as implementation details, and validate that signals agree across systems before claiming Zero Trust execution.
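The check that backs this implication is a reconciliation of each identity's state as reported by every system that enforces access for it. The following is an added example (not code from Omada or the NHIMG post): three systems with different status vocabularies are normalised to one canonical state, and any identity that is disabled at the lifecycle source of truth but still active elsewhere, has an unmapped state, is missing from a required system, or carries conflicting owner attributes is flagged. The three systems, their vocabularies, the choice of the IdP as source of truth and the sample snapshots are constructed assumptions.

```python
"""Cross-system identity state reconciliation.

Added example for this post; not code from Omada or NHIMG. The three
systems, their status vocabularies, the choice of the IdP as lifecycle
source of truth and the sample snapshots are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Each system reports lifecycle state in its own vocabulary (assumed here).
# Mapping them to one canonical "active"/"disabled" state is the consistency step
# that has to exist before continuous verification means anything enterprise-wide.
STATE_MAP = {
    "idp":   {"ACTIVE": "active", "SUSPENDED": "disabled", "DEPROVISIONED": "disabled"},
    "cloud": {"Enabled": "active", "Disabled": "disabled"},
    "vault": {"lease_active": "active", "lease_revoked": "disabled", "no_lease": "disabled"},
}


@dataclass(frozen=True)
class Observation:
    system: str
    ident: str
    raw_state: str
    owner: Optional[str] = None


def normalise(obs: Observation) -> str:
    """Translate a system-specific status into the canonical vocabulary."""
    return STATE_MAP.get(obs.system, {}).get(obs.raw_state, "unknown")


def reconcile(observations, required=("idp", "cloud", "vault"), source_of_truth="idp"):
    """Return (identity, finding, detail) tuples where the systems disagree."""
    by_ident: dict[str, dict[str, Observation]] = {}
    for o in observations:
        by_ident.setdefault(o.ident, {})[o.system] = o

    findings = []
    for ident, views in sorted(by_ident.items()):
        missing = [s for s in required if s not in views]
        if missing:                                   # no signal at all from a system
            findings.append((ident, "missing_signal", ",".join(missing)))
        states = {s: normalise(o) for s, o in views.items()}
        unmapped = [f"{s}:{views[s].raw_state}" for s, st in states.items() if st == "unknown"]
        if unmapped:                                  # vocabulary drift: a state the model cannot read
            findings.append((ident, "unmapped_state", ",".join(unmapped)))
        if states.get(source_of_truth) == "disabled":
            stale = sorted(s for s, st in states.items() if st == "active")
            if stale:                                 # revoked at the source, still live elsewhere
                findings.append((ident, "revocation_not_propagated", ",".join(stale)))
        owners = {o.owner for o in views.values() if o.owner}
        if len(owners) > 1:                           # no single accountable owner
            findings.append((ident, "owner_conflict", "|".join(sorted(owners))))
    return findings


def sample_observations() -> list[Observation]:
    """Constructed snapshots of the same identities as seen by three systems."""
    return [
        Observation("idp", "alice", "ACTIVE", "mgr:bob"),
        Observation("cloud", "alice", "Enabled", "mgr:bob"),
        Observation("vault", "alice", "no_lease"),
        Observation("idp", "svc-ci-deploy", "DEPROVISIONED", "team:platform"),
        Observation("cloud", "svc-ci-deploy", "Enabled", "team:platform"),
        Observation("vault", "svc-ci-deploy", "lease_active", "team:devops"),
        Observation("idp", "agent-triage", "ACTIVE", "team:support"),
        Observation("cloud", "agent-triage", "Enabled", "team:support"),
        Observation("idp", "svc-etl", "ACTIVE", "team:data"),
        Observation("cloud", "svc-etl", "Pending", "team:data"),
        Observation("vault", "svc-etl", "lease_active", "team:data"),
    ]


if __name__ == "__main__":
    for ident, finding, detail in reconcile(sample_observations()):
        print(f"{ident:15} {finding:28} {detail}")
```

The deprovisioned CI service account is the case the section describes: the IdP believes it is gone, yet the cloud role binding and the vault lease are still live and two teams claim it. A dashboard fed only by the IdP would report a completed offboarding. Running this reconciliation on a schedule, and treating any non-empty result as a failed control rather than a data-quality ticket, is what turns the Zero Trust claim into evidence.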
Why machine-paced governance needs shared ownership
As non-human identities outnumber human identities, governance becomes harder when no single team owns the full set of credentials, access paths, and lifecycle events. Shared accountability across security, IAM, DevOps, and platform teams often means no one sees the whole estate. For AI agents the problem deepens, because the identity can act at machine speed while governance remains split across tools and teams. That is an operational design problem, not just an organisational one.
Practical implication: Design identity governance as a cross-platform control surface with clear ownership and traceable decision authority: assign an owner for the complete non-human estate and make every lifecycle decision traceable across the full access path.
Threat narrative
Attacker objective: The objective is to exploit governance blind spots so access persists without clear accountability or timely proof of control.
- Entry occurs when access decisions are made faster than the governance layer can prove them, leaving risky entitlements embedded in routine workflows.
- Escalation happens when fragmented identity data and shared ownership prevent teams from seeing standing privilege, orphaned accounts, or non-human access drift.
- Impact follows when leaders cannot explain or defend who and what was allowed to act inside the enterprise, weakening incident response and audit defensibility.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed more than 1M log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Confidence is not evidence, and identity governance programmes that cannot prove execution are already behind. The report shows high belief in capability, but belief does not tell a board whether risky access was actually detected, constrained, or removed in time. That distinction matters because identity risk becomes more dynamic as automation expands. Leaders should treat confidence as a sentiment and execution evidence as the real control signal.
Activity reporting is a weak proxy for risk reduction. Provisioning timeliness and deprovisioning counts matter, but they do not show whether privilege sprawl, orphaned access, or unmanaged non-human identities are shrinking. A programme can look operationally healthy while still leaving the highest-risk entitlements untouched. That is why executive reporting must be judged by what it can prove, not by what it can count.
Zero Trust integration fails when identity data is fragmented across tools and teams. Zero Trust is not just a policy layer. It depends on identity signals being coherent enough to support continuous evaluation across the environment, and that coherence is missing when APIs, documentation, and shared standards are inconsistent. Practitioners should read this as an operating-model gap, not a dashboard problem.
Non-human identity ownership is now a governance fault line. The article describes a familiar pattern: non-human identities are growing faster than accountability structures. Shared ownership across security, IAM, DevOps, and platform teams means the estate is governed in pieces rather than as a complete access system. Practitioners need to recognise that no single team is currently seeing the full blast radius of machine identity.
Machine-paced governance is becoming the baseline, not the exception. The most important shift in the post is structural. Identity governance is moving from periodic review to continuous operation because automation and AI are now making access decisions at runtime. That change widens the gap between programmes built for review cycles and environments that require real-time proof of control. The implication is a different governance model, not just more reporting.
From our research:
- Three quarters of respondents strongly agree that identity security is central to their cybersecurity strategy, according to the 2024 ESG Report: Managing Non-Human Identities.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A practical next step is to compare that visibility gap with lifecycle governance using the Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs.
What this signals
Non-human identity ownership is becoming the clearest signal of whether identity governance can survive machine-paced operations. When access is distributed across security, IAM, DevOps, and platform teams, the programme may still function locally but fails globally. That is why the control question is no longer whether identity matters, but whether the organisation can prove who owns the full access estate at runtime.
With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, the governance challenge is already larger than most executive reports show, according to The State of Non-Human Identity Security. The same blind spot will intensify as AI agents inherit delegated access paths that look operationally normal until they are not.
Execution evidence is becoming the new programme maturity test: leaders should expect boards and auditors to ask not just what was done, but what was provably reduced. That shifts the centre of gravity from reporting cadence to control assurance, and it makes continuous lifecycle governance the default expectation for human, non-human, and autonomous identities.
For practitioners
- Rebuild executive reporting around risk evidence: Replace throughput-first dashboards with measures that show whether risky access, orphaned accounts, and privilege drift are being reduced over time.
- Map ownership for the full non-human identity estate: Assign a single accountable owner for each service account, token, certificate, and AI agent identity, even when administration is operationally distributed.
- Validate Zero Trust signal consistency: Test whether identity, security, and governance tools exchange the same access state before relying on Zero Trust claims in leadership reporting.
- Extend lifecycle governance to machine-paced identities: Apply joiner-mover-leaver, recertification, and offboarding discipline to non-human identities so access changes are traceable across the full lifecycle.
Key takeaways
- Identity governance confidence is not enough when teams cannot show that access decisions are reducing risk in practice.
- Activity dashboards can look healthy while the highest-risk entitlements, orphaned accounts, and ownership gaps remain unresolved.
- As identity environments become machine-paced, continuous evidence of control matters more than periodic proof of workflow completion.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | Orphaned and un-owned non-human identities are the visibility gap at the centre of this governance execution issue. |
| NIST CSF 2.0 | PR.AA-01, PR.AA-05 | Identities and credentials for users, services and hardware must be managed, and access permissions and entitlements defined, enforced and reviewed under least privilege, which requires proving who is authorised and who owns the identity. |
| NIST SP 800-207 (Zero Trust Architecture) | Section 2.1 tenets: dynamic, strictly enforced authentication and authorization; continuous monitoring of asset posture | Zero Trust requires continuous identity evaluation across systems. |
Verify that identity signals are consistent enough to support continuous, enterprise-wide policy enforcement.
Key terms
- Identity governance: Identity governance is the discipline of controlling, reviewing, and proving who or what has access to systems and data. In practice, it combines policy, lifecycle processes, and evidence so security and compliance teams can show that access is justified and being managed over time.
- Non-human identity: A non-human identity is any digital identity used by a machine, service, workload, token, certificate, or AI system. These identities often act at machine speed, so governance must cover ownership, lifecycle state, and privilege scope as rigorously as it does for people.
- Execution evidence: Execution evidence is the proof that a governance control worked in practice, not just that a workflow ran. It includes measurable signals such as risky access removal, revocation timing, and reduced entitlement drift, which are more useful than activity counts alone when environments are dynamic.
- Continuous control surface: A continuous control surface is a governance model that operates in real time rather than at periodic review intervals. For identity programmes, it means access, ownership, and lifecycle evidence are evaluated continuously across systems, including human, non-human, and autonomous identities.
Deepen your knowledge
Identity governance evidence, non-human ownership, and lifecycle control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building governance for human, non-human, and AI agent identities together, it is worth exploring.
This post draws on content published by Omada Identity: Confidence In Identity Governance is High. Evidence of Execution is Not. Read the original.
Published by the NHIMG editorial team on 2026-05-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org