TL;DR: Identity security still relies on quarterly or yearly access reviews even though over-provisioning and privilege drift create exposure between audits, according to Opal Security. Continuous monitoring and time-bound access are becoming the practical baseline for identity programmes that need to close that gap faster than an attacker or insider can exploit it.
At a glance
What this is: This is an argument for treating identity security as a continuous control, with over-provisioning and audit gaps as the main failure modes.
Why it matters: It matters because IAM, NHI governance, and human access programmes all fail when access is only reviewed after the risk window has already opened.
By the numbers:
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities.
👉 Read Opal Security's analysis of continuous identity management and access review gaps
Context
Identity security fails when organisations treat access as a point-in-time compliance exercise instead of a continuously managed security control. The primary issue is not the existence of reviews, but the assumption that quarterly or yearly access checks can keep up with privilege drift, over-provisioning, and changing usage patterns across human users, service accounts, and machine identities.
That gap matters across the full identity stack. If access is not monitored continuously, organisations can carry unnecessary privilege for months, miss inactive but dangerous entitlements, and learn about exposure only after an audit or incident reveals it. NHI governance, IAM, and PAM all depend on the same basic premise: access state must be visible while it is still actionable.
Key questions
Q: How should security teams move from access reviews to continuous identity governance?
A: Start by treating review results as evidence, not as the control itself. Add continuous monitoring for entitlement drift, unused privilege, and high-risk access changes so exposure is visible between review cycles. Then use access reviews to validate exceptions and business need, not to discover problems for the first time.
Q: When does just-in-time access reduce risk instead of adding process overhead?
A: JIT reduces risk when the resource is sensitive, the task is time-bounded, and expiry is enforced automatically. It adds overhead when teams use it for low-risk access, when approvals are slow, or when temporary access is repeatedly reissued without evidence that the original need still exists.
Q: What do organisations get wrong about over-provisioned access?
A: They often treat it as an inventory problem instead of an exposure problem. Over-provisioned access matters because every unnecessary entitlement expands blast radius, complicates incident response, and creates hidden pathways for misuse that may never appear in a quarterly review.
Q: How can IAM teams tell whether access governance is actually working?
A: Look for declining unused privilege, fewer exceptions carried across review cycles, and faster removal of access that no longer matches actual work. If the organisation can only prove access is reviewed, but cannot show that excess access is shrinking, the programme is not yet effective.
Technical breakdown
Why point-in-time access reviews miss real risk
User access reviews are designed to confirm whether access is still justified at a specific moment. They do not observe how privileges behave between review cycles, which is where over-provisioning, dormant access, and privilege creep accumulate. In practice, a review can be clean even while a user, service account, or token remains over-entitled for most of the quarter. That is why compliance evidence and operational security often diverge. A control that only checks snapshots cannot detect continuous exposure.
Practical implication: pair recertification with continuous entitlement monitoring so privilege drift is visible before the next review cycle.
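To make the snapshot-versus-continuous distinction concrete, here is an added worked example (not code from the original article or from Opal Security). It takes a constructed grant history, two quarterly review dates and a record of how long each privilege was actually needed, then compares what a point-in-time review would report with the number of identity-days each grant was over-entitled. All identities, entitlements, dates and the "need until" evidence are invented for illustration.

```python
"""Added example: snapshot review vs continuous exposure.

Constructed data: three grants over one half-year, two quarterly review dates,
and a record of how long each grant was actually needed. Nothing here comes
from the original article or from any vendor product.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Grant:
    identity: str
    entitlement: str
    granted: date           # first day the privilege is usable
    revoked: date | None    # first day it is no longer usable; None = still active


PERIOD_END = date(2024, 6, 30)
REVIEW_DATES = (date(2024, 3, 31), date(2024, 6, 30))   # quarterly UAR snapshots

# Constructed grants: a human, a service account and a token.
GRANTS = (
    Grant("alice", "prod-db:admin", date(2024, 1, 8), date(2024, 3, 28)),        # cleaned up 3 days before the Q1 review
    Grant("svc-ci", "s3:full-access", date(2024, 1, 15), None),                  # standing, never revoked
    Grant("token-7", "k8s:cluster-admin", date(2024, 4, 2), date(2024, 6, 29)),  # lived entirely between reviews
)

# Constructed evidence of business need: the last day the task actually required the privilege.
# Anything not listed has no documented need at all.
NEED_UNTIL = {
    ("alice", "prod-db:admin"): date(2024, 1, 12),       # five-day migration
    ("token-7", "k8s:cluster-admin"): date(2024, 4, 4),  # three-day incident
}


def is_active(g: Grant, day: date) -> bool:
    return g.granted <= day and (g.revoked is None or day < g.revoked)


def is_justified(g: Grant, day: date) -> bool:
    until = NEED_UNTIL.get((g.identity, g.entitlement))
    return until is not None and day <= until


def snapshot_findings(review_day: date, grants=GRANTS) -> set[tuple[str, str]]:
    """What a point-in-time review can see: grants active and unjustified on that one day."""
    return {(g.identity, g.entitlement)
            for g in grants if is_active(g, review_day) and not is_justified(g, review_day)}


def excess_days(grants=GRANTS, period_end: date = PERIOD_END) -> dict[tuple[str, str], int]:
    """Continuous view: every day a grant was active without documented need."""
    out = {}
    for g in grants:
        last = period_end if g.revoked is None else min(g.revoked - timedelta(days=1), period_end)
        day, n = g.granted, 0
        while day <= last:
            if not is_justified(g, day):
                n += 1
            day += timedelta(days=1)
        out[(g.identity, g.entitlement)] = n
    return out


def missed_by_reviews(grants=GRANTS, reviews=REVIEW_DATES) -> set[tuple[str, str]]:
    """Over-entitled grants that no snapshot review ever flagged."""
    seen = set().union(*(snapshot_findings(d, grants) for d in reviews))
    return {k for k, days in excess_days(grants).items() if days > 0} - seen


if __name__ == "__main__":
    for d in REVIEW_DATES:
        print(f"review {d}: findings = {sorted(snapshot_findings(d))}")
    print("excess identity-days:", excess_days())
    print("never seen by a review:", sorted(missed_by_reviews()))
```

Both reviews come back with the same single finding (the standing service-account grant), while the continuous count shows 328 over-entitled identity-days across three grants, two of which no review ever saw because they were granted and revoked between snapshots. The metric a programme should report is the identity-days column, not the number of reviews completed.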
Over-provisioning and birthright access create hidden blast radius
Over-provisioning happens when access is granted by role assumption rather than observed need. Birthright access is the most common version of that pattern, because it treats job title or team membership as a proxy for operational necessity. The result is a large population of identities that technically have access but rarely use it. That expands blast radius, complicates incident response, and makes least privilege look stronger on paper than it is in practice.
Practical implication: validate access against actual system usage and remove entitlements that are granted by assumption rather than evidence.
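The usage-validation step above is the one most teams already have the data for. The following added example (not the article's or any product's code) expands a constructed role model plus direct grants into an entitlement inventory, parses a constructed audit log, and produces three findings: entitlements granted but dormant, entitlements used without any grant on record, and role-level entitlements that most members never exercise, which is the birthright pattern. The log format, the 90-day dormancy threshold and the 50% usage floor are assumptions chosen for illustration.

```python
"""Added example: validating granted entitlements against observed use.

Constructed inventory and audit log; the log format and thresholds are
assumptions for illustration, not the article's or any product's format.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)
UNUSED_AFTER = timedelta(days=90)     # hypothetical: no use in 90 days = dormant
BIRTHRIGHT_USAGE_FLOOR = 0.5          # hypothetical: <50% of a role using it = granted by assumption

# Constructed inventory: role-based (birthright) grants plus direct grants.
ROLE_MEMBERS = {"backend-eng": {"alice", "bob", "carol", "dave"}, "sre": {"erin"}}
ROLE_ENTITLEMENTS = {"backend-eng": {"prod-db:read", "prod-db:admin", "ci:deploy"},
                     "sre": {"k8s:cluster-admin"}}
DIRECT_GRANTS = {"svc-ci": {"ci:deploy", "s3:full-access"}}

# Constructed audit log in an assumed "<ts> identity=<id> entitlement=<ent>" format.
AUDIT_LOG = """\
2024-06-20T10:15:00Z identity=alice entitlement=prod-db:read
2024-06-21T11:00:00Z identity=bob entitlement=prod-db:read
2024-03-15T00:00:00Z identity=carol entitlement=prod-db:read
2024-06-25T09:30:00Z identity=alice entitlement=ci:deploy
2024-06-28T16:45:00Z identity=erin entitlement=k8s:cluster-admin
2024-06-30T03:00:00Z identity=svc-ci entitlement=ci:deploy
2024-06-29T02:00:00Z identity=svc-ci entitlement=prod-db:admin
this line is malformed and must be skipped
"""

LINE = re.compile(r"^(\S+) identity=(\S+) entitlement=(\S+)$")


def granted() -> dict[str, set[str]]:
    """Expand role membership plus direct grants into identity -> entitlements."""
    out = defaultdict(set)
    for role, members in ROLE_MEMBERS.items():
        for m in members:
            out[m] |= ROLE_ENTITLEMENTS[role]
    for ident, ents in DIRECT_GRANTS.items():
        out[ident] |= ents
    return dict(out)


def last_used(log: str) -> dict[tuple[str, str], datetime]:
    """Most recent observed use per (identity, entitlement); malformed lines are ignored."""
    seen = {}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        key = (m[2], m[3])
        if key not in seen or ts > seen[key]:
            seen[key] = ts
    return seen


def dormant(now: datetime = NOW) -> list[tuple[str, str, int | None]]:
    """Granted entitlements with no recent use: (identity, entitlement, days since use or None)."""
    used = last_used(AUDIT_LOG)
    out = []
    for ident, ents in granted().items():
        for e in ents:
            ts = used.get((ident, e))
            age = None if ts is None else (now - ts).days
            if age is None or age >= UNUSED_AFTER.days:
                out.append((ident, e, age))
    return sorted(out, key=lambda t: (t[0], t[1]))


def used_without_grant() -> list[tuple[str, str]]:
    """Activity the inventory cannot explain: the inventory is stale or something is wrong."""
    g = granted()
    return sorted(k for k in last_used(AUDIT_LOG) if k[1] not in g.get(k[0], set()))


def birthright_candidates(now: datetime = NOW) -> dict[str, dict[str, float]]:
    """Per role, entitlements most members never exercise: granted by role assumption, not need."""
    used = last_used(AUDIT_LOG)
    out = {}
    for role, members in ROLE_MEMBERS.items():
        for e in ROLE_ENTITLEMENTS[role]:
            active = sum(1 for m in members
                         if (m, e) in used and (now - used[(m, e)]).days < UNUSED_AFTER.days)
            ratio = active / len(members)
            if ratio < BIRTHRIGHT_USAGE_FLOOR:
                out.setdefault(role, {})[e] = ratio
    return out


if __name__ == "__main__":
    print("dormant:", dormant())
    print("used without grant:", used_without_grant())
    print("birthright candidates:", birthright_candidates())
```

The third finding is the one that changes decisions: "prod-db:admin" is held by all four backend engineers and exercised by none, so it is a role-level removal, not four individual exceptions. The "used without grant" case (a service account exercising an entitlement the inventory does not list) is worth routing to incident response rather than to the next review, because it means either the inventory or the enforcement point is wrong.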
Why just-in-time access changes the governance model
Just-in-time access is not only a tighter permission pattern, it changes the governance model from persistent entitlement to temporary authorization. Instead of assuming standing access is acceptable until the next review, JIT limits the duration and scope of privilege to a specific task window. That reduces standing exposure, but only if request, approval, issuance, and expiry are enforced consistently. Without those mechanics, JIT becomes a label rather than a control.
Practical implication: define time-bound access policies with enforced expiry and traceable approval paths for high-risk resources.
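The lifecycle the paragraph describes (request, approval, issuance, expiry) is easy to state and easy to get wrong in the expiry step. This added example (a toy in-memory broker, not the article's or any vendor's implementation) shows the mechanics that make JIT a control rather than a label: a reason is mandatory, the TTL is capped, the requester cannot approve their own request, and expiry is evaluated inside the access decision itself, so access stops at the deadline even if no cleanup job ever ran. It also implements the "repeated reissuance" check from the key questions above, flagging identity/resource pairs that are issued so often that temporary access has become standing access. The policy values and the scenario are hypothetical.

```python
"""Added example: a just-in-time access broker with enforced expiry.

Toy in-memory broker (not the article's or any vendor's implementation).
Policy numbers and the scenario are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_TTL = timedelta(hours=4)          # hypothetical cap on any single issuance
STANDING_WINDOW = timedelta(days=30)  # hypothetical lookback for repeat issuance
STANDING_THRESHOLD = 3                # hypothetical: this many issuances in the window = de facto standing access


@dataclass
class JitGrant:
    identity: str
    resource: str
    reason: str                 # request context, retained as approval evidence
    ttl: timedelta
    requested_at: datetime
    approved_by: str | None = None
    issued_at: datetime | None = None
    expires_at: datetime | None = None
    revoked_at: datetime | None = None


class JitBroker:
    def __init__(self) -> None:
        self.grants: list[JitGrant] = []

    def request(self, identity: str, resource: str, reason: str, ttl: timedelta, now: datetime) -> JitGrant:
        if not reason.strip():
            raise ValueError("request must carry a reason")
        if ttl > MAX_TTL:
            raise ValueError(f"ttl {ttl} exceeds policy cap {MAX_TTL}")
        g = JitGrant(identity, resource, reason, ttl, now)
        self.grants.append(g)
        return g

    def approve(self, grant: JitGrant, approver: str, now: datetime) -> None:
        if approver == grant.identity:
            raise PermissionError("requester cannot approve their own access")
        grant.approved_by = approver
        grant.issued_at = now
        grant.expires_at = now + grant.ttl      # fixed at issuance; extension means a new request

    def revoke(self, grant: JitGrant, now: datetime) -> None:
        grant.revoked_at = now                  # early revocation when the task ends before expiry

    def is_effective(self, identity: str, resource: str, now: datetime) -> bool:
        """Access decision: expiry is checked here, at decision time, so it holds even if no cleanup job ran."""
        return any(
            g.identity == identity and g.resource == resource
            and g.issued_at is not None and g.issued_at <= now < g.expires_at
            and g.revoked_at is None
            for g in self.grants
        )

    def standing_in_disguise(self, now: datetime) -> dict[tuple[str, str], int]:
        """(identity, resource) pairs issued so often that 'temporary' access is really standing access."""
        counts: dict[tuple[str, str], int] = {}
        for g in self.grants:
            if g.issued_at is not None and now - STANDING_WINDOW <= g.issued_at <= now:
                key = (g.identity, g.resource)
                counts[key] = counts.get(key, 0) + 1
        return {k: n for k, n in counts.items() if n >= STANDING_THRESHOLD}


def run_scenario() -> dict:
    """Constructed walk-through; returns the observable outcomes for inspection."""
    t0 = datetime(2024, 7, 1, 9, 0, tzinfo=timezone.utc)
    h = timedelta(hours=1)
    b = JitBroker()
    out = {}

    g = b.request("bob", "prod-db:admin", "INC-1234 restore dropped table", 2 * h, t0)
    out["effective_before_approval"] = b.is_effective("bob", "prod-db:admin", t0)
    try:
        b.approve(g, "bob", t0)
        out["self_approval_rejected"] = False
    except PermissionError:
        out["self_approval_rejected"] = True
    b.approve(g, "alice", t0)
    out["effective_during_window"] = b.is_effective("bob", "prod-db:admin", t0 + h)
    out["effective_after_expiry"] = b.is_effective("bob", "prod-db:admin", t0 + 2 * h)

    try:
        b.request("bob", "prod-db:admin", "needs a whole day", timedelta(hours=24), t0)
        out["ttl_cap_enforced"] = False
    except ValueError:
        out["ttl_cap_enforced"] = True

    # Same identity, same resource, issued again and again: the label says temporary, the pattern says standing.
    for day in (3, 10, 17):
        t = t0 + timedelta(days=day)
        b.approve(b.request("bob", "prod-db:admin", f"INC-{1300 + day} hotfix", 2 * h, t), "alice", t)
    out["standing_in_disguise"] = b.standing_in_disguise(t0 + timedelta(days=20))
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The design point is in is_effective: a broker that relies on a scheduled job to delete expired grants has a window between deadline and cleanup in which access still works, which is exactly the "reminder, not a control" failure. Evaluating expiry at decision time removes that window; the cleanup job is then housekeeping. The standing_in_disguise output (four issuances of the same privilege to the same identity in three weeks) is the evidence to take back to the access owner: either the need is persistent and should be granted, scoped and reviewed as such, or the task has not really ended.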
NHI Mgmt Group analysis
Continuous identity governance is now a security requirement, not a compliance convenience. The article is right to separate identity management from audit cadence because point-in-time review was designed for evidence collection, not active defence. That assumption fails when privilege can be abused between reviews, especially in environments where identities, entitlements, and workloads change daily. The implication is that identity programmes must be judged by exposure window, not audit completion.
Over-provisioning is the central identity risk because it creates invisible excess privilege at scale. Birthright access turns identity governance into a guessing exercise, because the original grant is based on role expectation rather than observed use. That is a governance failure, not just an operational oversight. Practitioners should treat unused access as latent attack surface, especially where service accounts, shared entitlements, or inherited permissions are involved.
Time-bound access should be viewed as a control pattern for shrinking standing privilege, not as a standalone answer. JIT helps only when the full issuance lifecycle is governed, including request context, approval evidence, expiry enforcement, and post-use revocation. Without that chain, temporary access can still become repeated de facto standing privilege. The practitioner conclusion is simple: measure whether access truly disappears when the task ends.
Identity blast radius: the real metric is not how much access exists, but how much unnecessary access can be exploited before anyone notices. That concept captures the article’s core warning better than a generic least-privilege slogan. Continuous monitoring, usage validation, and fast entitlement removal are the controls that matter because they reduce the amount of exposed privilege available to an attacker or an insider. IAM teams should therefore manage identity by reachable impact, not by review completion.
Lifecycle governance must be continuous across human, NHI, and automated access. The same basic problem appears whenever an identity can keep privileges longer than its business need. Whether the actor is a person, a service account, or an automation flow, the governance failure is stale authority that outlives purpose. Practitioners should align lifecycle controls to actual use duration, not to organisational habit.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- For a broader control lens, see NHI Lifecycle Management Guide for how visibility, rotation, and offboarding fit into one lifecycle.
What this signals
The governance signal here is that identity programmes need to move from scheduled assurance to continuous control if they want to reduce exposure windows. When access state changes faster than certification cadence, the programme is measuring paperwork rather than security.
Identity blast radius: the practical challenge is to find and remove unnecessary privilege before it becomes exploitable. Teams that can connect usage telemetry to entitlement decisions will have a much clearer view of where risk is actually accumulating, and that evidence is what the least-privilege outcomes in the NIST Cybersecurity Framework 2.0 expect a programme to be able to show.
The reader takeaway is to align access governance with lifecycle reality. Review cycles, JIT issuance, and revocation workflows should be treated as one system, not separate tasks, and the NIST SP 800-207 Zero Trust Architecture model remains relevant because it assumes continuous verification rather than static trust.
For practitioners
- Replace calendar-based reviews with continuous entitlement monitoring. Track privileged access changes between UAR cycles and alert when access remains unused, excessive, or newly risky. This is especially important where quarterly certification would otherwise hide exposure for months.
- Validate access against actual system usage. Compare granted entitlements with observed activity to identify birthright access and permissions that exist only because of role assumptions. Remove access that has no documented operational need.
- Time-box high-risk access with enforced expiry. Use just-in-time access for sensitive resources so privileges are issued for a specific task and revoked automatically when the task ends. Make expiry a hard control, not a reminder.
- Create an identity security council with ownership for drift reduction. Assign clear business and security accountability for over-provisioning, privileged access, and lifecycle exceptions. Governance needs an owner who can approve removal decisions and track follow-through.
Key takeaways
- Identity governance built around quarterly or yearly reviews leaves exposure gaps that can persist long enough to matter.
- Over-provisioned access and birthright permissions are the main drivers of unnecessary identity blast radius.
- Continuous monitoring, time-bound access, and enforced expiry are the controls that turn identity management into active defence.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (was PR.AC-4 in CSF 1.1) | Access permissions, entitlements, and authorizations must be managed, enforced, and reviewed under least privilege, not carried as stale entitlement snapshots. |
| NIST Zero Trust (SP 800-207) | Tenets of Zero Trust (Sec. 2.1): per-session, dynamically enforced authorization | Zero Trust requires continuous verification instead of periodic trust checks. |
| OWASP Non-Human Identity Top 10 (2025) | NHI1 Improper Offboarding; NHI5 Overprivileged NHI | NHI lifecycle controls address over-privilege and stale credentials across machine access. |
Apply NHI lifecycle governance to detect, review, and remove unnecessary access on an ongoing basis.
Key terms
- Continuous identity governance: A security operating model that checks access continuously instead of only at audit time. It uses usage telemetry, entitlement monitoring, and risk signals to identify privilege drift while it is still actionable, rather than after the next scheduled review.
- Over-provisioning: The condition where an identity has more access than it actually needs to do its work. In practice, this creates unnecessary blast radius, increases misuse potential, and makes access reviews look compliant even when the live environment is carrying excess privilege.
- Just-in-time access: A temporary access pattern that grants privilege only when a specific task requires it and removes that privilege when the task ends. It is most effective when request, approval, issuance, and expiry are enforced as one lifecycle, not treated as separate steps.
- Identity blast radius: The amount of damage that can result when excessive or stale identity privileges are abused. The concept focuses practitioners on the reachable impact of unnecessary access, which is more useful than counting entitlements alone.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by Opal Security: If It’s Not Continuous, It’s Not Secure: Reimagining Identity Management. Read the original.
Published by the NHIMG editorial team on 2024-07-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org