TL;DR: Traditional IAM still makes point-in-time decisions about onboarding, authentication, authorization, and review, but modern environments change too quickly for those controls to stay accurate, according to Simon Moffatt. The result is stale access, weak context, and rising exposure across human, NHI, and agentic workflows, making continuous governance a necessary shift rather than an architectural preference.
At a glance
What this is: This analysis argues that static IAM cannot keep pace with identities, permissions, and risk signals that change continuously across modern enterprise systems.
Why it matters: For IAM and NHI practitioners, it shows why access decisions, reviews, and revocation need to be event-driven instead of periodic.
👉 Read Simon Moffatt's analysis of continuous identity and stale access risk
Context
Continuous identity is the idea that access decisions should change as the underlying identity, device, business context, and risk posture change. The article argues that traditional IAM still relies on one-time onboarding, step-up authentication, and periodic access review, which is a poor fit for NHI governance as well as human identity management.
That gap matters because modern enterprises now depend on service accounts, API keys, workload identities, and AI agents that do not behave like static user accounts. In that environment, point-in-time controls quickly become stale, and manual review cycles cannot keep up. This is a typical failure mode for organisations that expanded IAM without redesigning it for continuous change.
Key questions
Q: How should security teams handle identity decisions when business context changes quickly?
A: Security teams should move from periodic checks to event-driven decisions. Access should be re-evaluated when roles, devices, locations, tickets, or workload states change, because the original authentication event no longer reflects current risk. That approach reduces stale trust and makes revocation part of normal operations rather than an exception.
Q: What is the difference between continuous identity and traditional IAM?
A: Traditional IAM makes access decisions at discrete points such as onboarding, login, or quarterly review. Continuous identity keeps reassessing identity state and risk as conditions change. The difference is operational, not cosmetic. Continuous identity assumes that permissions must remain justified over time, especially for NHIs and other runtime identities.
Q: Why do non-human identities need continuous governance?
A: Non-human identities often live in automation, pipelines, and service integrations where credentials can persist long after the task they support has changed. Continuous governance helps ensure those identities are still owned, still needed, and still constrained. Without it, forgotten keys and stale entitlements become standing access paths.
Q: Should organisations prioritise access review or lifecycle automation first?
A: Organisations should prioritise lifecycle automation first when review cycles cannot keep pace with change. Reviews can confirm policy, but automation removes stale access when the underlying event occurs. For high-volume NHIs, that is usually the only practical way to keep entitlements current enough to matter.
Technical breakdown
Why point-in-time identity decisions fail in dynamic environments
Traditional IAM treats identity assurance as a sequence of discrete checkpoints: create the account, authenticate once, grant access, then review later. That model assumes identity attributes, device state, and business context stay stable long enough for the decision to remain valid. In practice, those signals decay quickly. Long sessions, weak device binding, delayed provisioning, and slow revocation all widen the gap between the last decision and current reality. For NHIs, that gap is worse because credentials can be copied, embedded, or reused outside normal human workflows. The technical problem is not authentication alone. It is the lack of continuous re-evaluation across the identity lifecycle.
Practical implication: Practitioners should treat identity state as time-sensitive and re-check access when context changes, not only at login.
How continuous identity changes authorization and lifecycle control
Continuous identity extends beyond authentication into authorization, provisioning, and policy enforcement. It uses signals from ticketing, device posture, configuration data, and risk systems to update permissions before stale access can be exploited. That requires integration across identity data, runtime enforcement, and lifecycle events such as joiner-mover-leaver processes, secret rotation, and entitlement removal. The architectural shift is from isolated controls to a control fabric that can respond to changes in near real time. For NHI governance, this is especially relevant because workload permissions and tokens often outlive the task they were created for.
Practical implication: Teams should connect access policy to lifecycle events so privileges can shrink automatically when the underlying task, risk, or system changes.
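The contrast between a point-in-time decision and event-driven re-evaluation, described in the answer to the first key question and in the two sections above, as an added example that is not code from the original article or from Simon Moffatt. The principals, entitlements, lifecycle events and policy rules are constructed for illustration, and the `role:`, `ticket:` and `workload:` justification convention is an assumption, not any product's schema. The static authorizer decides once at login and trusts its cache; the continuous one checks live context on every access and prunes an entitlement the moment the event that justified it arrives.

```python
"""Point-in-time versus event-driven access decisions (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Entitlement:
    resource: str
    justification: str  # why the access exists: "role:<r>", "ticket:<id>" or "workload:<id>" (assumed convention)


@dataclass
class Principal:
    name: str
    entitlements: Set[Entitlement] = field(default_factory=set)
    device_compliant: bool = True


@dataclass
class Context:
    """Live signals authorization depends on (constructed state)."""
    roles: Dict[str, Set[str]]
    open_tickets: Set[str]
    running_workloads: Set[str]

    def justification_holds(self, principal: str, justification: str) -> bool:
        kind, _, value = justification.partition(":")
        if kind == "role":
            return value in self.roles.get(principal, set())
        if kind == "ticket":
            return value in self.open_tickets
        if kind == "workload":
            return value in self.running_workloads
        return False  # an unrecognised justification never grants access


class PointInTimeAuthorizer:
    """Evaluates once at login and then trusts the cached answer: the model the article criticises."""
    def __init__(self) -> None:
        self._decisions: Dict[Tuple[str, str], bool] = {}

    def login(self, p: Principal, ctx: Context) -> None:
        for e in p.entitlements:
            self._decisions[(p.name, e.resource)] = p.device_compliant and ctx.justification_holds(p.name, e.justification)

    def allowed(self, p: Principal, resource: str) -> bool:
        return self._decisions.get((p.name, resource), False)


class ContinuousAuthorizer:
    """Checks live context on every access and prunes entitlements whose justification disappears."""
    def __init__(self, ctx: Context) -> None:
        self.ctx = ctx
        self.revoked: List[str] = []

    def allowed(self, p: Principal, resource: str) -> bool:
        if not p.device_compliant:  # posture is checked at access time, not only at login
            return False
        return any(e.resource == resource and self.ctx.justification_holds(p.name, e.justification)
                   for e in p.entitlements)

    def on_event(self, event: dict, principals: List[Principal]) -> None:
        kind = event["type"]
        if kind == "ticket_closed":
            self.ctx.open_tickets.discard(event["ticket"])
        elif kind == "role_removed":
            self.ctx.roles.get(event["principal"], set()).discard(event["role"])
        elif kind == "workload_terminated":
            self.ctx.running_workloads.discard(event["workload"])
        elif kind == "device_noncompliant":
            for p in principals:
                if p.name == event["principal"]:
                    p.device_compliant = False
        # Revocation happens as part of handling the event, not in a later review cycle.
        for p in principals:
            for e in [e for e in p.entitlements if not self.ctx.justification_holds(p.name, e.justification)]:
                p.entitlements.discard(e)
                self.revoked.append(f"{p.name}:{e.resource} ({e.justification})")


def run_scenario() -> dict:
    alice = Principal("alice", {Entitlement("payments-db", "role:payments-admin"),
                                Entitlement("prod-ssh", "ticket:CHG-1042")})
    etl = Principal("etl-svc", {Entitlement("warehouse-bucket", "workload:etl-job-7")})
    principals = [alice, etl]
    ctx = Context(roles={"alice": {"payments-admin"}}, open_tickets={"CHG-1042"},
                  running_workloads={"etl-job-7"})
    static = PointInTimeAuthorizer()
    for p in principals:
        static.login(p, ctx)
    live = ContinuousAuthorizer(ctx)
    # Constructed lifecycle events that arrive after the login decisions were cached.
    for ev in [{"type": "ticket_closed", "ticket": "CHG-1042"},
               {"type": "workload_terminated", "workload": "etl-job-7"},
               {"type": "device_noncompliant", "principal": "alice"}]:
        live.on_event(ev, principals)
    checks = [(alice, "prod-ssh"), (etl, "warehouse-bucket"), (alice, "payments-db")]
    return {"point_in_time": {f"{p.name}/{r}": static.allowed(p, r) for p, r in checks},
            "continuous": {f"{p.name}/{r}": live.allowed(p, r) for p, r in checks},
            "revoked": live.revoked}


if __name__ == "__main__":
    for mode, result in run_scenario().items():
        print(mode, result)
```

Two things in the run are worth noticing. The closed ticket and the terminated workload remove the entitlement itself, so the access is gone even if the device later becomes compliant again; the device-posture change does not remove alice's role-justified entitlement but still denies access at check time, which is the "re-check when context changes, not only at login" point from the first section. The point-in-time authorizer answers True for all three checks because nothing ever invalidated its cache.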
Why hygiene and interoperability matter more than point tools
The article correctly points to a common IAM failure pattern: multiple platforms, weak interoperability, and incomplete identity data. When IAM, IGA, MFA, PAM, and downstream systems do not share state, each tool makes decisions with partial context. That creates duplicate identities, inaccurate entitlements, and inconsistent enforcement. Continuous identity is therefore less about a new product category and more about closing the data and runtime gaps between tools. For NHI environments, this means the quality of secrets inventory, ownership, and propagation logic becomes part of the security control itself.
Practical implication: Practitioners should focus on shared identity state and event propagation before adding more point solutions.
Threat narrative
Attacker objective: The attacker aims to preserve usable access long enough to move through systems that assume identity decisions are still current.
- Entry occurs when stale credentials, outdated entitlements, or weakly governed sessions remain valid after the business context has changed.
- Escalation follows when missing lifecycle signals prevent timely privilege reduction, allowing the attacker or misbehaving workload to retain access beyond intent.
- Impact comes from prolonged access to applications, data, and integrated systems that continue trusting an identity after its risk posture has changed.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Azure Key Vault privilege escalation exposure — Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Continuous identity is an identity governance problem, not just an IAM efficiency problem. The article is right to reject the idea that onboarding and periodic review are enough in a world where identities, devices, and permissions change continuously. For NHI governance, the same logic applies to tokens, service accounts, and AI agents that can change state without a human re-authenticating. The practical conclusion is that identity governance must move from calendar-based review to event-based control.
Stale access creates an identity blast radius that conventional IAM rarely measures well. Once permissions remain valid after the original business context has changed, every connected system inherits that stale trust. That problem is amplified in hybrid estates where identity data is duplicated across tools and provisioning paths. Practitioners should treat stale access as a measurable exposure surface, not a routine housekeeping issue.
Continuous Identity is the right framing for NHI lifecycle management. NHIs do not age gracefully through monthly or quarterly review cycles, and many are created for short-lived tasks but left active far longer than intended. This article highlights the gap between static lifecycle design and dynamic operational reality. The field should move toward continuous ownership, automatic expiration, and context-aware revocation.
Identity systems now sit inside the security control plane, so lag becomes risk. Network, endpoint, and data security tools increasingly assume identity data is current and actionable. When identity platforms lag behind changes in risk, business state, or workload behavior, the rest of the stack starts making bad assumptions. Practitioners should re-evaluate identity as a runtime control plane, not a back-office directory function.
Security outcomes improve when access decisions are tied to current evidence rather than to the state recorded at the last review or approval. The article’s strongest contribution is its insistence that risk is dynamic, so governance must be dynamic too. That is a useful corrective for organisations that still rely on static entitlements, manual attestation, and slow ticket-driven updates. Teams should use that framing to redesign controls around live evidence and revocation triggers.
From our research:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, which leaves long-lived credentials exposed to misuse and reuse.
- For a broader control view, the NHI Lifecycle Management Guide explains how provisioning, rotation, and offboarding should work together.
What this signals
Continuous Identity will only work if organisations treat lifecycle automation as a control, not an admin convenience. The biggest programme risk is assuming that better dashboards or more review meetings can compensate for stale entitlements. For practitioners, that means building event-driven offboarding, entitlement reduction, and risk-triggered policy changes into the operating model, not leaving them as future improvements.
With 91.6% of secrets still valid five days after notification, the operational problem is speed, not awareness. That figure shows why change detection and revocation need to be coupled. Teams should review whether IAM, PAM, and secrets workflows can actually act before stale access becomes useful to an attacker.
Identity teams should align continuous identity with the NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10, because both favour current, measurable control states over static assurance. The practical shift is toward live ownership, enforceable expiration, and provable revocation across human and non-human identities alike.
For practitioners
- Implement event-driven access reviews: Trigger access review and revocation when business context changes, not only on a quarterly schedule. Tie reviews to role changes, device posture, ticket closure, and workload lifecycle events so stale access is removed before it can be reused.
- Connect identity decisions to runtime signals: Feed device state, location, risk scoring, and ticketing data into authorization decisions so access reflects current conditions. This reduces the lag between a change in risk and a change in privilege.
- Shorten the lifetime of non-human credentials: Set explicit expiry for service accounts, API keys, certificates, and agent credentials, then automate rotation and offboarding. Short-lived credentials reduce the window in which stale access can be abused.
- Eliminate orphaned identity state across tools: Reconcile IAM, IGA, PAM, and downstream application records so entitlements, ownership, and policy changes propagate consistently. Duplicate or stale records undermine every downstream control decision.
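A hygiene audit that applies the last two recommendations above to an NHI credential inventory, as an added example that is not code from the original article. The record layouts, the per-type rotation windows, the fixed clock and the sample secrets, directory entries and entitlement listings are all constructed assumptions; a real export from a secrets manager, IGA platform or cloud IAM would need mapping onto these shapes. It flags credentials with no expiry or already past it, rotation older than policy allows, missing or offboarded owners, and bindings that exist in the cloud but not in the system of record.

```python
"""Hygiene audit over an NHI credential inventory (added example, constructed data)."""
from datetime import date, timedelta
from typing import Dict, List, Set

TODAY = date(2026, 1, 22)  # fixed clock so the audit is reproducible

# Maximum accepted age since last rotation, per credential type (assumed policy values).
MAX_ROTATION_AGE = {
    "api_key": timedelta(days=90),
    "service_account_key": timedelta(days=90),
    "certificate": timedelta(days=365),
}

# Constructed inventory: what the secrets manager knows about each credential.
SECRETS = [
    {"id": "key-001", "type": "api_key", "owner": "alice",
     "last_rotated": date(2025, 12, 1), "expires": None},
    {"id": "key-002", "type": "api_key", "owner": "bob",
     "last_rotated": date(2025, 1, 10), "expires": None},
    {"id": "sa-key-003", "type": "service_account_key", "owner": None,
     "last_rotated": date(2025, 9, 15), "expires": None},
    {"id": "cert-004", "type": "certificate", "owner": "alice",
     "last_rotated": date(2025, 6, 1), "expires": date(2026, 1, 10)},
]

# Constructed joiner-mover-leaver state for the human owners.
DIRECTORY = {"alice": "active", "bob": "offboarded"}

# Constructed entitlements: IGA is the system of record, CLOUD is what is actually bound.
IGA_ENTITLEMENTS: Dict[str, Set[str]] = {
    "key-001": {"read:orders"},
    "sa-key-003": {"write:warehouse"},
    "cert-004": {"tls:gateway"},
}
CLOUD_BINDINGS: Dict[str, Set[str]] = {
    "key-001": {"read:orders", "admin:orders"},
    "key-002": {"read:billing"},
    "sa-key-003": {"write:warehouse"},
    "cert-004": {"tls:gateway"},
}


def audit(secrets, directory, iga, cloud, today: date = TODAY) -> List[dict]:
    """Return one finding per hygiene problem; an empty list means the inventory is clean."""
    findings: List[dict] = []

    def flag(cred_id: str, issue: str, detail: str) -> None:
        findings.append({"id": cred_id, "issue": issue, "detail": detail})

    for s in secrets:
        cid = s["id"]
        # 1. Expiry: every credential needs an explicit end of life, and expired ones must be gone.
        if s["expires"] is None:
            flag(cid, "no_expiry", "credential has no expiration set")
        elif s["expires"] < today:
            flag(cid, "expired", f"expired on {s['expires'].isoformat()} but still present")
        # 2. Rotation: age since last rotation against the per-type window.
        age = today - s["last_rotated"]
        limit = MAX_ROTATION_AGE.get(s["type"])
        if limit is not None and age > limit:
            flag(cid, "rotation_overdue", f"{age.days} days since rotation, limit {limit.days}")
        # 3. Ownership: an NHI without an active, accountable owner is orphaned.
        owner = s["owner"]
        if owner is None:
            flag(cid, "no_owner", "no accountable owner recorded")
        elif directory.get(owner) != "active":
            flag(cid, "owner_offboarded", f"owner {owner} is {directory.get(owner, 'unknown')}")
        # 4. Drift: what is bound in the cloud must match the system of record.
        bound = cloud.get(cid, set())
        recorded = iga.get(cid)
        if recorded is None and bound:
            flag(cid, "not_in_system_of_record", f"bound to {sorted(bound)} with no IGA record")
        elif recorded is not None and bound - recorded:
            flag(cid, "entitlement_drift", f"bound but not recorded: {sorted(bound - recorded)}")
    return findings


def issues_for(findings: List[dict], cred_id: str) -> Set[str]:
    return {f["issue"] for f in findings if f["id"] == cred_id}


if __name__ == "__main__":
    for f in audit(SECRETS, DIRECTORY, IGA_ENTITLEMENTS, CLOUD_BINDINGS):
        print(f"{f['id']:12} {f['issue']:24} {f['detail']}")
```

Each finding maps to a lifecycle action rather than a review comment: `expired`, `rotation_overdue` and `no_expiry` feed the rotation pipeline, `no_owner` and `owner_offboarded` block until an active owner is assigned or the credential is retired, and `not_in_system_of_record` and `entitlement_drift` are the propagation failures between IGA and runtime that the article describes. Running the audit on every directory or entitlement change, rather than on a calendar, is what turns it into a control.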
Key takeaways
- Static identity decisions break down when business context, device state, and workload behaviour change faster than review cycles can react.
- Non-human identities make the problem sharper because stale secrets and orphaned entitlements can persist outside normal human control paths.
- The right response is continuous governance with automated lifecycle events, current risk signals, and fast revocation.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI7:2025 Long-Lived Secrets | Timely offboarding plus rotation and revocation of long-lived secrets are central to reducing stale NHI access. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements, and authorizations must be managed, enforced, and reviewed, which depends on maintaining valid permissions and revoking stale ones. |
| NIST Zero Trust (SP 800-207) | Section 2.1, Tenets 4 and 6 | Access determined by dynamic policy, with authentication and authorization evaluated dynamically before each access, is the same ongoing enforcement at the policy decision point that continuous identity describes. |
Use PR.AA-05 to tie access reviews to live entitlements and automate removal of excess privilege.
Key terms
- Continuous Identity: A governance model in which identity state is continuously re-evaluated as conditions change. Instead of relying on a single onboarding or login decision, the control plane updates access using current signals such as device posture, business context, and risk. This is especially relevant where NHIs and agents operate at runtime.
- Identity Blast Radius: The amount of access, systems, and data that can be affected when an identity is misused or compromised. In NHI and IAM environments, blast radius grows when privileges persist after the original business need has changed. Reducing it means shortening credential lifetime and tightening entitlement scope.
- Event-Driven Access Control: An access model that changes permissions when a relevant event occurs, such as a role change, ticket closure, or credential compromise. It replaces calendar-based governance with immediate response to identity lifecycle signals. This approach helps keep both human and non-human access aligned to current risk.
- Identity Data Hygiene: The quality of identity records, entitlements, and ownership data across connected systems. Poor hygiene creates duplicates, stale permissions, and inconsistent enforcement between IAM, IGA, PAM, and downstream applications. For NHI governance, it is a security issue because inaccurate records become trusted control inputs.
Deepen your knowledge
Continuous identity and NHI lifecycle control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a governance model for dynamic identities and stale access, it is worth exploring.
This post draws on content published by Simon Moffatt covering continuous identity and stale access risk. Read the original.
Published by the NHIMG editorial team on 2026-01-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org