By NHI Mgmt Group Editorial Team
Published 2025-10-02
Domain: Governance & Risk
Source: Opal Security

TL;DR: Many teams conflate authentication with authorization and overpay for a full IdP migration when the real gap is access governance, according to Opal Security. For startups and fast-growing SaaS organisations, the practical question is whether composable identity controls can deliver least privilege, auditability, and lifecycle governance without added migration drag.


At a glance

What this is: This is Opal Security’s argument that many organisations can keep Google Workspace as their IdP while adding governance controls for authorization, JIT access, and lifecycle reviews.

Why it matters: It matters because identity programmes often waste effort on IdP replacement when the sharper control gap is access governance across human, NHI, and AI agent identities.



Context

Identity programmes often fail when teams treat authentication and authorization as the same problem. Authentication proves who signed in; authorization decides what that identity can access, when it can access it, and for how long. In practice, the governance gap is usually in the second half of the model, not in the login flow.

For many startups, a full IdP migration adds operational risk without fixing the underlying access-control problem. The more useful question is whether the existing identity stack can support least privilege, audit trails, JIT access, and lifecycle governance across human users, service accounts, and AI agents.

That framing is especially relevant when organisations are trying to reduce standing privilege and improve accountability without rebuilding every login path. A composable model can be the right fit, but only if governance decisions are truly policy-driven and consistently enforced.


Key questions

Q: How should security teams separate IdP functions from access governance?

A: Treat the IdP as the authentication layer and the governance stack as the authorization layer. The IdP proves identity, while governance decides access scope, duration, and approval conditions. That separation keeps teams from overestimating control because a user can sign in successfully while still having excessive or stale access.

Q: When does JIT access create more work than security value?

A: JIT access loses value when approvals are slow, exceptions become permanent, or revocation is manual. In those cases, the organisation keeps the complexity of temporary access without the blast-radius reduction. The right test is whether access actually disappears at task end and whether exceptions are auditable.

Q: How do organisations know whether composable identity governance is working?

A: Look for evidence that access decisions are tied to real lifecycle events, approvals are recorded, and entitlement drift declines over time. If reviews are still manual, exceptions are common, or expired access persists, the stack is not governing identity. Governance maturity shows up in lower persistence, not more tooling.

Q: What is the difference between authentication and authorization in identity security?

A: Authentication answers whether an identity is who it claims to be. Authorization answers what that identity can do, on which resources, for how long, and under what policy. Many identity failures start when teams solve login well but leave access decisions weak, inconsistent, or poorly evidenced.


Technical breakdown

Authentication and authorization are different control layers

An identity provider establishes whether a user or system can authenticate, but it does not by itself govern entitlement scope, approval logic, or access duration. That distinction matters because many organisations buy more IdP functionality when the real deficiency is governance. Authorization needs policy, review, and auditability across the access lifecycle, especially when identity subjects are service accounts or AI agents as well as humans. When teams collapse the two layers, they overestimate control maturity and underinvest in access governance.

Practical implication: map authentication and authorization to separate control owners and separate success criteria.

JIT access reduces standing privilege but only if approvals and revocation are enforced

Just-in-time access changes the default from persistent entitlement to task-scoped privilege. The control value comes from shortening the exposure window and ensuring access disappears when the task ends. But JIT is not a label; it is an operating model. If approvals are bypassed, revocation is delayed, or access is granted too broadly, the blast-radius benefit collapses and the programme still behaves like standing access with extra steps.

Practical implication: verify that JIT access is actually time-bound, approval-backed, and revoked automatically.
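The operating model above (grant inert until approved, time-bound, revoked automatically, every step evidenced) is easiest to reason about as code. The following is an added illustration, not code from Opal Security or from the original post; the policy ceiling, identity names and ticket reference are constructed values, and the broker is a hypothetical in-memory stand-in for whatever approval and access system a team actually runs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Policy ceiling for any single grant (assumed value for this example).
MAX_GRANT_DURATION = timedelta(hours=4)


@dataclass
class JitGrant:
    grant_id: str
    subject: str            # human, service account or AI agent identity
    resource: str
    duration: timedelta
    justification: str      # ticket reference; a constructed placeholder here
    approver: Optional[str] = None
    approved_at: Optional[datetime] = None
    revoked_at: Optional[datetime] = None

    @property
    def expires_at(self) -> Optional[datetime]:
        return None if self.approved_at is None else self.approved_at + self.duration

    def is_active(self, now: datetime) -> bool:
        # Active only after approval, before expiry, and while not revoked.
        if self.approved_at is None or self.revoked_at is not None:
            return False
        return now < self.expires_at


class JitBroker:
    """Grants are inert until approved, expire on their own, and leave evidence."""

    def __init__(self) -> None:
        self.grants: Dict[str, JitGrant] = {}
        self.audit: List[dict] = []   # append-only evidence trail

    def request(self, grant_id, subject, resource, duration, justification, now) -> JitGrant:
        if duration > MAX_GRANT_DURATION:
            raise ValueError("requested duration exceeds policy ceiling")
        grant = JitGrant(grant_id, subject, resource, duration, justification)
        self.grants[grant_id] = grant
        self._log(now, "requested", grant)
        return grant

    def approve(self, grant_id: str, approver: str, now: datetime) -> JitGrant:
        grant = self.grants[grant_id]
        if approver == grant.subject:
            raise ValueError("self-approval is not permitted")
        grant.approver, grant.approved_at = approver, now
        self._log(now, "approved", grant)
        return grant

    def check_access(self, grant_id: str, now: datetime) -> bool:
        grant = self.grants[grant_id]
        allowed = grant.is_active(now)
        self._log(now, "allowed" if allowed else "denied", grant)
        return allowed

    def sweep_expired(self, now: datetime) -> List[str]:
        """Automatic revocation: close every approved grant whose window has passed."""
        revoked = []
        for grant in self.grants.values():
            if grant.revoked_at is None and grant.approved_at is not None and now >= grant.expires_at:
                grant.revoked_at = now
                self._log(now, "auto-revoked", grant)
                revoked.append(grant.grant_id)
        return revoked

    def _log(self, now: datetime, event: str, grant: JitGrant) -> None:
        self.audit.append({"at": now.isoformat(), "event": event, "grant": grant.grant_id,
                           "subject": grant.subject, "resource": grant.resource,
                           "approver": grant.approver, "expires_at": grant.expires_at})


def run_scenario() -> dict:
    """Constructed walk-through: request, approve, use, expire, sweep, deny."""
    broker = JitBroker()
    t0 = datetime(2025, 10, 2, 9, 0, tzinfo=timezone.utc)
    broker.request("g-1", "deploy-bot", "prod-db", timedelta(hours=2), "TICKET-placeholder", t0)
    before_approval = broker.check_access("g-1", t0)
    broker.approve("g-1", "alice", t0 + timedelta(minutes=5))
    during = broker.check_access("g-1", t0 + timedelta(hours=1))
    swept = broker.sweep_expired(t0 + timedelta(hours=3))
    after = broker.check_access("g-1", t0 + timedelta(hours=3))
    return {"before_approval": before_approval, "during": during, "swept": swept,
            "after": after, "events": [e["event"] for e in broker.audit]}


def policy_rejections() -> List[str]:
    """The two policy checks firing: over-long duration and self-approval."""
    broker = JitBroker()
    t0 = datetime(2025, 10, 2, 9, 0, tzinfo=timezone.utc)
    rejected = []
    try:
        broker.request("g-2", "svc", "prod-db", timedelta(hours=8), "TICKET-placeholder", t0)
    except ValueError as err:
        rejected.append(str(err))
    broker.request("g-3", "bob", "prod-db", timedelta(hours=1), "TICKET-placeholder", t0)
    try:
        broker.approve("g-3", "bob", t0)
    except ValueError as err:
        rejected.append(str(err))
    return rejected
```

The point of the design is that there is no code path to "active" that skips approval, no grant without an expiry once approved, and the sweep rather than a human closes the window. The audit list is the evidence path the post asks for: every allow, deny and revocation is recorded with the approver and expiry attached, so a reviewer can answer who approved what, for how long, and whether access actually disappeared.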

Composable identity stacks depend on lifecycle governance, not platform consolidation

A composable stack separates IdP, authorization, ticketing, HR triggers, and audit evidence so each layer can do one job well. That architecture can work cleanly when entitlements are driven by real lifecycle events such as joiner, mover, or leaver changes. The weakness is coordination: if lifecycle signals are stale, reviews are manual, or policy exceptions accumulate, the stack still produces drift. Composability is a governance choice as much as a technical one.

Practical implication: connect HR, ticketing, and access review processes before treating the stack as mature.


NHI Mgmt Group analysis

Authentication is not the governance problem; authorization is. The article is right to separate sign-in from access decisioning because most identity failures occur after the user has authenticated. That separation matters equally for human users, NHI credentials, and AI agents that must be constrained after initial trust is established. The practitioner lesson is to stop using IdP capability as a proxy for governance maturity.

Composable identity architectures are becoming the default operating model for fast-moving organisations. The pressure is not just cost avoidance; it is control placement. Teams increasingly want to preserve a working IdP while adding policy, review, and lifecycle enforcement around it, which aligns with modern NIST CSF and zero trust thinking. The implication is that platform consolidation is no longer the only path to governance.

Zero standing privilege is the real differentiator, not a new login experience. The article’s strongest point is that migration pain often distracts from the security outcome teams actually want, which is to reduce persistent access. JIT access, if enforced correctly, is a governance pattern that applies across humans, service accounts, and autonomous workflows. Practitioners should measure access duration and entitlement persistence, not the elegance of the sign-in flow.

Access governance will keep converging across human and machine identities. The post gestures at a broader reality: the same approval, audit, and lifecycle logic is increasingly being asked to cover employees, workloads, and AI systems. That convergence is where identity programmes either become coherent or fragment into special cases. The implication is that IAM, IGA, and NHI teams need shared policy language, not separate control myths.

Composability creates accountability only when policy decisions remain explainable. A modular stack can hide as much as it reveals if organizations cannot trace who approved what, under which policy, and for how long. That is a governance problem, not a UI problem. The practitioner takeaway is to demand clear evidence paths across the full authorization lifecycle.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
  • That scale makes lifecycle governance and access decisioning central to identity programmes, which is why practitioners should also review Ultimate Guide to NHIs for the control model behind the risk.

What this signals

Composable governance is becoming the practical answer to identity sprawl. Teams do not need a single monolithic platform to improve control, but they do need a consistent policy layer that spans human accounts, service accounts, and AI-driven access requests. The programme signal is clear: if access decisions cannot be traced end to end, the identity stack is still fragmented. For practitioners aligning to baseline control expectations, NIST Cybersecurity Framework 2.0 remains a useful anchor for govern, identify, protect, detect, respond, and recover.

Standing privilege is the control debt that keeps accumulating across identities. Even when a team keeps its existing IdP, unmanaged entitlement duration can quietly recreate the same exposure that a migration was supposed to eliminate. The point is not platform replacement; it is reducing the time access stays valid after the business need has ended. That is the operational gap most identity programmes still under-measure.

The identity stack is moving toward policy-driven orchestration rather than platform consolidation. If that shift is managed well, teams can improve auditability without forcing users through disruptive login changes. If it is managed badly, the organisation ends up with more components but no better control, which is why lifecycle evidence and access telemetry need to be treated as first-class governance signals.


For practitioners

  • Separate IdP and governance ownership: Assign authentication controls to the IdP team and authorization controls to the governance team, then define clear handoffs for approvals, revocation, and evidence capture. This prevents platform capability from being mistaken for access governance maturity.
  • Validate JIT access against real expiry behavior: Test whether temporary access actually expires automatically, whether approvals are recorded, and whether emergency exceptions are removed after use. Review the blast radius of any exception path, not just the normal workflow.
  • Connect lifecycle signals to entitlement changes: Tie HR events, service desk requests, and role changes to access policy so movers and leavers trigger entitlement updates without manual cleanup. Treat stale lifecycle data as an access-control defect, not an administrative delay.
  • Track privilege persistence as a governance metric: Measure how many accounts retain access after the task, project, or employment condition that justified them has ended. Persistent access is the signal that governance is lagging behind the operating model.
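Two of the points above, lifecycle-driven entitlement changes (also the subject of the composable-stack section earlier) and privilege persistence as a metric, can be demonstrated together. The following is an added example, not code from the post or from Opal Security: the role-to-entitlement map, the identities and the dates are constructed, and the HR roster is modelled as a plain set so that a late leaver signal shows up in the metric as the access-control defect the post says it is.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Assumed role-to-entitlement mapping (constructed for this example).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "finance": {"ledger:read", "ledger:write"},
    "contractor-engineer": {"repo:read"},
}


@dataclass
class Entitlement:
    identity: str
    permission: str
    source: str                      # "role" or "exception"
    justified_until: Optional[date]  # None: justified for as long as the role is held


class EntitlementStore:
    """Entitlements driven by joiner/mover/leaver events rather than manual cleanup."""

    def __init__(self) -> None:
        self.roles: Dict[str, str] = {}
        self.entitlements: List[Entitlement] = []

    def apply_event(self, event: dict) -> None:
        kind, ident = event["type"], event["identity"]
        if kind in ("joiner", "mover"):
            self.roles[ident] = event["role"]
            self._sync_role(ident)
        elif kind == "leaver":
            self.roles.pop(ident, None)
            # A leaver loses everything, role-derived and exception alike.
            self.entitlements = [e for e in self.entitlements if e.identity != ident]
        elif kind == "exception":
            self.entitlements.append(
                Entitlement(ident, event["permission"], "exception", event["expires"]))
        else:
            raise ValueError(f"unknown lifecycle event: {kind}")

    def _sync_role(self, ident: str) -> None:
        wanted = ROLE_ENTITLEMENTS[self.roles[ident]]
        # Drop role-derived permissions the new role does not carry (mover cleanup)...
        self.entitlements = [
            e for e in self.entitlements
            if not (e.identity == ident and e.source == "role" and e.permission not in wanted)]
        held = {e.permission for e in self.entitlements
                if e.identity == ident and e.source == "role"}
        # ...and add the ones it does. Exception grants are deliberately left alone:
        # that is exactly where drift accumulates if nobody measures it.
        for perm in sorted(wanted - held):
            self.entitlements.append(Entitlement(ident, perm, "role", None))

    def held(self, ident: str) -> Set[str]:
        return {e.permission for e in self.entitlements if e.identity == ident}


def persistent_entitlements(store: EntitlementStore, hr_active: Set[str],
                            today: date) -> List[Entitlement]:
    """Entitlements whose justifying condition has ended: expired exceptions, or
    any access still held by an identity the HR system no longer lists as active."""
    stale = []
    for e in store.entitlements:
        if e.identity not in hr_active:
            stale.append(e)
        elif e.justified_until is not None and e.justified_until < today:
            stale.append(e)
    return stale


def run_scenario() -> dict:
    store = EntitlementStore()
    events = [  # constructed sample lifecycle feed
        {"type": "joiner", "identity": "alice", "role": "engineer"},
        {"type": "joiner", "identity": "carol", "role": "contractor-engineer"},
        {"type": "exception", "identity": "alice", "permission": "prod-db:admin",
         "expires": date(2025, 1, 12)},
        {"type": "mover", "identity": "alice", "role": "finance"},
    ]
    for ev in events:
        store.apply_event(ev)
    today = date(2025, 1, 30)
    # HR already knows carol has left, but the leaver event has not reached the store.
    hr_active = {"alice"}
    before = persistent_entitlements(store, hr_active, today)
    store.apply_event({"type": "leaver", "identity": "carol"})
    after = persistent_entitlements(store, hr_active, today)
    return {"alice_held": store.held("alice"),
            "persistent_before_leaver": len(before),
            "persistent_after_leaver": len(after),
            "remaining_stale": [(e.identity, e.permission) for e in after]}
```

In the scenario the mover event cleans up alice's engineer permissions on its own, which is the behaviour the "connect lifecycle signals" point asks for. The metric still reports two persistent entitlements: carol's access survives until the leaver signal arrives, and alice's expired exception survives the move because nothing in the lifecycle logic owns it. Processing the leaver event removes the first; the second only goes away when exception expiry is enforced as well, which is the kind of finding the persistence metric exists to surface.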

Key takeaways

  • Many organisations are solving the wrong identity problem when they focus on IdP migration instead of access governance.
  • JIT access only improves security when approvals, expiry, and revocation behave as designed across the full lifecycle.
  • Composable identity stacks work when policy, lifecycle events, and audit evidence stay tightly connected.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
NIST CSF 2.0                    | PR.AC-4             | The article centers on managing access rights and privilege duration.
NIST Zero Trust (SP 800-207)    | PR.AC-1             | Composable governance depends on continuous verification before access is granted.
OWASP Non-Human Identity Top 10 | NHI-03              | The post discusses standing privileges and access lifecycle control for non-human identities.

Apply NHI-03 controls to reduce standing access and require explicit lifecycle revocation.


Key terms

  • Authentication: Authentication is the process of proving that an identity is who or what it claims to be. In identity programmes it answers the login question, but it does not decide whether the subject should receive a specific permission or how long that permission should last.
  • Authorization: Authorization is the control layer that decides what an authenticated identity may access, under what conditions, and for how long. It is where policy, approvals, lifecycle events, and evidence collection turn identity from a login event into governed access.
  • Just-in-time access: Just-in-time access is a privilege model that grants access only when a task requires it and removes it when the task ends. For humans, service accounts, and AI-driven workflows, the security value depends on automated expiry, recorded approval, and minimal exposure time.
  • Composable identity stack: A composable identity stack splits authentication, authorization, HR triggers, ticketing, and audit functions into separate components. The model can improve flexibility and speed, but only if policy and lifecycle signals stay connected enough to prevent entitlement drift.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Opal Security: Skip the IdP Migration: Scale Identity Security Without the Overhead. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-10-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org