By NHI Mgmt Group Editorial TeamPublished 2026-03-31Domain: Governance & RiskSource: OpenIAM

TL;DR: Microsoft Entra provides strong enforcement for authentication, conditional access, PIM, and lifecycle provisioning, but OpenIAM’s analysis argues that enterprise governance still breaks across SaaS, ERP, legacy systems, and federated domains where access must be validated continuously. The real gap is not platform control, but governance scope.


At a glance

What this is: This is an analysis of where Microsoft Entra’s native identity controls stop short of enterprise-wide governance, especially across hybrid and multi-system environments.

Why it matters: It matters because IAM teams often mistake strong platform enforcement for complete governance, leaving cross-system entitlements, audit evidence, and access reviews outside the real control boundary.

👉 Read OpenIAM's analysis of Entra enterprise identity governance gaps


Context

Enterprise identity governance fails when access is managed only inside one control plane but reviewed as if it existed everywhere. In Entra-first environments, that mismatch becomes visible across SaaS, ERP, legacy systems, and federated domains, where entitlement ownership and validation are split across tools and teams.

The practical problem is not whether Entra can enforce access decisions. It can. The problem is whether the governance model tracks where access actually lives, how it changes, and how evidence is collected across platforms rather than inside a single directory.


Key questions

Q: How should security teams govern access across Entra and non-Microsoft systems?

A: They should treat Entra as one enforcement layer, not the full governance model. The governing question is whether every entitlement, owner, and remediation path is visible across SaaS, ERP, legacy, and federated systems. If not, access reviews and audit evidence will be incomplete even when Entra controls are strong.

Q: Why do access reviews fail in hybrid identity environments?

A: Access reviews fail when the review scope is narrower than the actual entitlement surface. In hybrid environments, roles and permissions are distributed across multiple systems with different ownership models, so a platform-only review becomes a snapshot rather than a real validation of continuing access.

Q: What is the difference between IAM enforcement and identity governance?

A: IAM enforcement decides whether access is allowed at the point of request. Identity governance decides whether that access should still exist over time, across systems, business roles, and changing risk conditions. One applies control. The other proves that control remains appropriate.

Q: Who is accountable when revocation is incomplete across systems?

A: Accountability sits with the governance owners who define scope, ownership, and validation requirements across the full identity landscape. If revocation succeeds in Entra but access remains elsewhere, the failure is not just technical. It is a governance design gap that leaves residual privilege in place.


Technical breakdown

Enforcement versus governance in Entra-first architectures

Enforcement answers whether an identity can get access at a point in time. Governance answers whether that access should still exist after roles, risk, and business context change. Entra is strong at applying policies, MFA, conditional access, and privileged elevation within its scope. That does not automatically create enterprise governance, because governance requires continuous validation across systems that Entra does not own. When the control plane and the access landscape diverge, security teams get a false sense of completeness.

Practical implication: map which access decisions are enforced in Entra and which entitlements require cross-system governance outside it.

Why hybrid identity creates access review blind spots

Hybrid identity environments mix Active Directory, Entra, SaaS platforms, ERP systems, and legacy IAM models. Each system stores entitlements differently, names roles differently, and exposes different evidence for reviewers. Access reviews then degrade into snapshot-based admin tasks if they only cover the identities and roles visible in one platform. The problem is not that reviews exist. The problem is that the review boundary is narrower than the access boundary, so reviewers cannot validate the full entitlement picture.

Practical implication: design access reviews around entitlements and business roles across systems, not just around platform-native user lists.

Cross-system entitlement drift and fragmented ownership

When access spans multiple systems, ownership fragments. A role may be approved in one platform, inherited in another, and never retired in a third. That creates entitlement drift, where the same user or workload accumulates inconsistent access states across tools. Entra can enforce lifecycle events inside its own domain, but enterprise governance has to reconcile the complete path of access. Without that reconciliation, remediation can be partial even when the underlying policy looks correct.

Practical implication: assign explicit owners for cross-system entitlements and verify that revocation removes access everywhere it was granted.


NHI Mgmt Group analysis

Governance breaks between systems, not inside them. Entra can enforce access decisions with discipline, but the article correctly identifies the failure point as the boundary between platforms. That boundary is where ownership fragments, reviewer context weakens, and entitlement state becomes inconsistent. Practitioners should treat cross-system governance as the primary control problem, not directory enforcement.

Access review cadence is not the same as access validation. A review control that only sees platform-native roles cannot validate access across SaaS, ERP, and legacy environments. The result is completion-driven governance that records activity without proving control. Security teams need to measure whether review scope matches the real entitlement surface, not whether the workflow finished.

Platform-boundary thinking creates a false sense of compliance. Audit readiness requires evidence that access remains appropriate across the enterprise, not just in Microsoft-managed services. That means ownership, remediation, and attestation must all be traceable across hybrid systems. If governance stops at the platform edge, compliance reporting can look complete while risk remains distributed.

Entra-first strategies succeed only when governance is architecture-aware. The article’s central lesson is that identity risk follows business relationships, not product boundaries. Organizations that align governance scope to systems instead of risk will continue to miss over-entitlement, stale access, and incomplete revocation. Practitioners should redefine governance coverage around where access exists, not where the directory ends.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to the 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
  • For broader lifecycle context, see NHI Lifecycle Management Guide for how entitlement sprawl, rotation, and offboarding should be governed across environments.

What this signals

Identity governance scope is becoming the differentiator. Entra-first programmes will keep underperforming if they measure success by directory coverage instead of enterprise entitlement coverage. The practical shift is toward governance models that reconcile access across SaaS, ERP, legacy, and federated systems before they are asked to prove compliance.

Cross-system entitlement drift is now a board-level governance signal. When access persists in one platform after removal in another, the organisation has not just a tooling problem but an evidence problem. That is why hybrid identity programmes need explicit controls for ownership, validation, and revocation across the whole access landscape.

Access review quality will matter more than review volume. A larger attestation cadence does not improve governance if reviewers cannot see the full entitlement picture. Teams should prioritise cross-system visibility and remediation proof over simply increasing the number of reviews completed.


For practitioners

  • Define the real governance boundary Inventory every system where entitlements exist, then separate Entra-enforced access from access that depends on other directories, SaaS platforms, ERP, or legacy IAM. Use that map to identify where governance currently ends before risk does.
  • Rebuild access reviews around entitlement scope Move reviews away from role lists alone and require reviewers to see fine-grained entitlements, inheritance paths, and business ownership across systems. A review should validate the access state, not just acknowledge that a workflow ran.
  • Verify revocation across all control planes Test whether deprovisioning in one platform actually removes access in every dependent system, including federated apps and legacy integrations. Treat incomplete revocation as a governance failure, not a provisioning nuisance.
  • Align governance evidence to audit expectations Build evidence packs that show current access states across the whole environment, not just within Entra. Link attestation, remediation, and ownership records so auditors can follow the full entitlement lifecycle.

Key takeaways

  • Entra can enforce access effectively, but enterprise governance still fails when identities, entitlements, and evidence are split across systems.
  • Hybrid environments turn access reviews into incomplete snapshots unless reviewers can validate fine-grained entitlements beyond the directory boundary.
  • Security teams should measure governance by cross-system visibility and verified revocation, not by how fully one platform is deployed.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Cross-system access management is central to the article's governance gap.
NIST Zero Trust (SP 800-207)Continuous verification is required when access spans multiple environments.
NIST SP 800-63Federation and identity assurance matter where Entra connects to other domains.

Verify federation trust, entitlement ownership, and lifecycle controls across identity domains.


Key terms

  • Identity Governance: Identity governance is the process of ensuring access remains appropriate over time, across systems, and against business need. It goes beyond initial permissioning by validating ownership, review, remediation, and audit evidence as environments change.
  • Access Review: An access review is a formal validation of whether an identity should keep its permissions. In hybrid environments, it must cover the full entitlement surface, not just what one directory or platform can see, or it becomes administrative rather than risk-based.
  • Entitlement Drift: Entitlement drift is the gradual divergence between intended access and actual access across systems. It happens when permissions are inherited, duplicated, or removed inconsistently, leaving identities with access states that no longer match business intent or governance records.
  • Enforcement Layer: An enforcement layer is the system that applies access decisions at the point of use. It can block or allow access accurately while still failing to prove whether access should continue elsewhere, which is why enforcement alone is not governance.

What's in the full article

OpenIAM's full article covers the operational detail this post intentionally leaves for the source:

  • A more detailed breakdown of where Entra-native access reviews lose context in hybrid environments.
  • Specific examples of platform-boundary gaps across SaaS, ERP, and legacy identity systems.
  • Guidance on aligning governance scope with business risk rather than directory structure.
  • The article's own FAQ framing for Entra-first environments and enterprise-wide governance.

👉 OpenIAM's full article covers the Entra access review limitations and hybrid governance blind spots in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-31.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org