TL;DR: NIS2, ENS and ISO 27001 increasingly demand demonstrable, continuous control over access, not just policy documentation or periodic reviews, according to Soffid. The governance gap is that many IAM programmes still certify access on a schedule while regulators and auditors expect evidence that permissions are current, justified and enforceable.
At a glance
What this is: This is an IAM compliance piece arguing that NIS2, ENS and ISO 27001 require continuous access control, not static documentation.
Why it matters: It matters because identity, governance and PAM teams need evidence that access decisions are current, auditable and tied to regulatory obligations across human and non-human identities.
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities , 46% confirmed, 26% suspected.
👉 Read Soffid’s article on IAM compliance for NIS2 and ENS
Context
Compliance-driven IAM has moved from periodic checking to continuous proof. In practice, that means organisations need to show who has access, why they have it, and whether that access is still justified across cloud, legacy and hybrid environments.
The article frames NIS2, ENS and ISO 27001 as drivers for this shift, with IAM and IGA acting as the control layer that can create auditable evidence. For most organisations, the gap is not policy intent but the ability to demonstrate ongoing access control at scale.
Key questions
Q: How should organisations prove continuous IAM compliance for NIS2 and ENS?
A: They should tie access approvals, recertification, revocation and logging to a single evidence model that can be reproduced on demand. The key is not documenting that controls exist, but proving they ran, captured the right decision history and resulted in current entitlements across all relevant systems.
Q: Why do periodic access reviews often fail compliance expectations?
A: Periodic reviews often fail because they certify stale data, not live access reality. If entitlement records are fragmented, delayed or incomplete, the review becomes a record-keeping exercise rather than a governance control that can prove least privilege and justified access at the time of inspection.
Q: What breaks when identity governance is disconnected from audit evidence?
A: The organisation loses the ability to show who approved access, when it changed and whether removal actually happened. That breaks accountability and makes compliance claims hard to defend, especially in hybrid environments where the same identity can exist across several control planes.
Q: Which frameworks make continuous access control more important?
A: NIS2, ENS and ISO 27001 all increase pressure to demonstrate that access decisions are controlled, traceable and current. In practice, that means IAM teams need evidence that policies are enforced continuously, not just checked during reviews or internal audits.
Technical breakdown
Why continuous access control matters for IAM compliance
Continuous access control means the organisation can verify entitlement, activity and policy alignment without waiting for a quarterly review or an audit event. In regulated environments, this matters because access is only defensible when it can be shown to remain appropriate over time. IAM, IGA and PAM become evidence-producing controls, not just administrative workflows. For NIS2, ENS and ISO 27001, that evidence is what turns a written policy into an operational control set that stands up in review.
Practical implication: treat access recertification, logging and entitlement checks as always-on controls rather than audit-period tasks.
How IGA supports regulatory evidence across hybrid environments
IGA automates joiner, mover and leaver processes, but its deeper value in compliance is consistency. When identities span SaaS, on-premises systems and cloud services, the same entitlement can appear in multiple control planes, which makes manual oversight unreliable. IGA helps normalise identity data, enforce approval paths and retain decision history. That matters for regulated organisations because auditors do not just ask whether a control exists, but whether it produces repeatable evidence across all environments where access is granted.
Practical implication: centralise identity governance so entitlement decisions and approval history are traceable across legacy, cloud and hybrid systems.
The role of recertification in proving least privilege
Recertification is the formal checkpoint that shows access is still needed, but it only works if the review cycle is tied to real risk and current business context. In many organisations, access reviews degrade into checklist exercises because the underlying entitlement data is incomplete or stale. For compliance, that weakens least privilege because the organisation can no longer prove that dormant, excessive or inherited access has been removed. The control is not the review alone, but the quality of the entitlement data and the enforcement that follows.
Practical implication: make recertification dependent on accurate entitlement data and enforce removal of unapproved access immediately after review.
NHI Mgmt Group analysis
Continuous control is the real compliance test, not policy possession. The article correctly shifts the discussion away from documentation and toward demonstrable control over access. That is the core compliance problem in modern IAM: regulators and auditors need evidence that permissions are current, justified and enforceable, not merely described in a policy pack. Practitioners should treat this as an operations problem, not a paperwork problem.
IAM compliance only becomes credible when governance, access and audit data are unified. The article points to a common failure mode in regulated environments, where identity data lives in disconnected systems and control evidence must be assembled after the fact. That breaks the continuity regulators expect under frameworks such as NIS2, ENS and ISO 27001. The practitioner conclusion is simple: fragmented identity records weaken every downstream compliance assertion.
Standard review cycles are too slow for modern entitlement drift. The article’s emphasis on continuous control reflects a broader shift in identity governance. Access changes faster than most organisations can certify it, especially in hybrid estates where permissions can be inherited, duplicated or left behind. That means the meaningful question is not whether a review exists, but whether the governance model can keep pace with the rate of change.
IAM compliance is converging with operational resilience. NIS2 and ENS do not just raise documentation expectations, they increase the pressure to prove that access can be governed during normal operations, not only during audit preparation. That changes the role of IAM teams: they are no longer supporting compliance from the side, they are providing the control evidence that makes resilience claims believable. Practitioners should plan for compliance and control assurance as one discipline, not two.
Identity risk becomes a regulatory issue as soon as access evidence cannot be reproduced. When organisations cannot explain who approved access, when it was last reviewed, or whether it was revoked after role change, compliance stops being a governance exercise and becomes an assurance gap. That gap is especially visible in environments with mixed legacy and cloud estates. The implication is that continuous identity evidence is now part of the compliance baseline.
From our research:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- 23.7% of organisations share secrets through insecure methods such as email or messaging applications, according to The 2024 Non-Human Identity Security Report.
- For a broader governance lens, Ultimate Guide to NHIs , Regulatory and Audit Perspectives explains how identity evidence maps to audit and compliance expectations.
What this signals
Identity governance teams should expect continuous control evidence to become a baseline requirement rather than an advanced capability. NIS2 and ENS are pushing organisations toward repeatable proof of access oversight, which means audit-ready identity data must be available throughout the year, not assembled in a scramble. The compliance programme that cannot produce live entitlement evidence will increasingly look incomplete.
Control fragmentation is now a compliance risk in its own right. When approvals, recertification and revocation evidence are spread across tools, teams cannot consistently answer simple auditor questions about access lineage. The practical response is to align IAM, IGA and PAM around one evidence model and one authoritative identity record.
88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to the 2024 Non-Human Identity Security Report. That gap matters because compliance programmes built for human access do not automatically translate to service accounts, tokens and workloads.
For practitioners
- Map continuous-control evidence to each regulatory obligation Identify which access, approval, logging and recertification records you must be able to reproduce for NIS2, ENS and ISO 27001. Build a control matrix that links each obligation to a specific IAM, IGA or PAM evidence source.
- Centralise entitlement history across hybrid systems Unify identity records from legacy, cloud and SaaS platforms so audit evidence can be assembled from one governed source of truth. Without this, reviews and certifications become manual reconstructions rather than reliable controls.
- Shorten review cycles where entitlement drift is fastest Use higher-frequency recertification for privileged, shared or fast-changing access paths, especially where users or service accounts move between systems. Pair each review with enforced removal, not just attestation.
- Use automation to preserve audit trails Automate evidence capture for approvals, changes, revocations and exceptions so audit readiness is built into the control process. The goal is to prevent compliance from depending on manual screenshots or after-the-fact exports.
Key takeaways
- The central issue is not whether organisations have IAM policies, but whether they can prove continuous control over access.
- Regulatory pressure from NIS2, ENS and ISO 27001 makes audit-ready identity evidence a core operational requirement, not a documentation task.
- Teams should unify identity governance, recertification and audit logging so access decisions remain current, traceable and enforceable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 and NIS2 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Continuous access control and review align with identity access governance. |
| NIST SP 800-53 Rev 5 | AC-2 | Account management underpins lifecycle control and auditability in regulated IAM. |
| ISO/IEC 27001:2022 | A.5.15 | Access control is central to demonstrating compliance and control continuity. |
| NIS2 | NIS2 drives the compliance and control-continuity requirements discussed in the article. |
Align identity evidence and access controls with NIS2 risk management and reporting obligations.
Key terms
- Continuous access control: Continuous access control is the practice of proving that access remains valid, justified and enforceable throughout its lifecycle. It goes beyond periodic review by tying approvals, entitlement data, logging and revocation together so security and audit teams can verify current state at any time.
- Identity governance and administration: Identity governance and administration is the control layer that manages joiner, mover and leaver processes, entitlement approvals and access certification. In regulated environments, it becomes the mechanism that turns identity policy into reproducible evidence for auditors and compliance teams.
- Recertification: Recertification is a formal access review in which an owner confirms whether an entitlement is still needed and appropriate. Its value depends on data quality and enforcement, because a review that cannot remove excess access or prove change history does not provide meaningful assurance.
- Compliance evidence: Compliance evidence is the record set used to demonstrate that a security control operated as intended. For IAM, this usually includes approvals, review outcomes, revocations, logs and exception handling, all of which must be current enough to satisfy audit and regulatory scrutiny.
What's in the full article
Soffid's full article covers the operational detail this post intentionally leaves for the source:
- How Soffid positions its IAM, IGA and PAM architecture for compliance-driven control continuity
- How automated recertification and audit exports are described for regulated environments
- How the platform maps to legacy, cloud and hybrid operating models without reimplementation
- How Soffid frames ENS certification and Common Criteria in its compliance narrative
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-03-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org