By NHI Mgmt Group Editorial Team | Published 2026-06-24 | Domain: Governance & Risk | Source: Nexis

TL;DR: IAM access models degrade as roles, exceptions, and entitlement data drift over time, turning reviews into compliance work instead of risk reduction, according to Nexis. The core problem is that authorization quality depends on sustained data governance, not a one-time design effort.


At a glance

What this is: This article argues that IAM is fundamentally a data quality problem, and that access structures degrade over time unless organisations govern the underlying identity, entitlement, and policy data continuously.

Why it matters: It matters because IAM, NHI, and autonomous access programmes all fail when the data behind decisions becomes stale, inconsistent, or incomplete, even if the platform itself is well designed.

By the numbers:

  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap (NHIMG, The State of Secrets in AppSec).



Context

IAM data quality is the condition of the identity, entitlement, role, and policy data that access decisions depend on. When that data is stale or inconsistent, access models drift away from the business reality they are meant to enforce, and the result is over-provisioning, conflicting rules, and review fatigue. For teams running IAM, NHI, and delegated machine access, the issue is not only whether a policy exists, but whether the data behind it is still trustworthy.

Nexis frames this as a long-term governance problem rather than a one-time design problem. That framing matches what many IAM programmes experience in practice: clean initial models, followed by accumulating exceptions, organisational change, and declining review quality. The important question is no longer how to build access control once, but how to preserve its accuracy as identities, entitlements, and business context keep changing.


Key questions

Q: How should organisations stop IAM roles from drifting out of date?

A: Organisations should treat role drift as a governance issue, not a periodic clean-up task. That means assigning owners, monitoring redundancy and conflicts, and reviewing whether each role still reflects a real business function. The most effective programmes track change continuously rather than waiting for annual recertification to expose problems.

Q: Why do access reviews often fail to reduce real risk?

A: Access reviews fail when reviewers lack enough context to judge whether access is still appropriate. In large environments, people approve inherited access, focus on obvious outliers, and miss structural problems such as redundant roles or stale entitlements. A review process only reduces risk when it measures decision quality, not just completion.

Q: What is the best signal that IAM controls are degrading?

A: The strongest signals are rising exceptions, repeated conflicts, growing redundancy, and increasing effort spent explaining access rather than governing it. When teams spend more time reconciling data than improving policy structure, the control system is drifting away from business reality and becoming less reliable.

Q: How should teams govern NHI access data alongside human IAM?

A: Teams should use the same data-quality discipline across humans and non-human identities, but with tighter lifecycle controls for machine identities. Service accounts, tokens, and workload identities need ownership, expiry tracking, and entitlement validation because their sprawl can outpace manual review. The NHI Lifecycle Management Guide is the right reference point for that work.


Technical breakdown

Why IAM policy quality decays over time

IAM policy quality decays because the inputs behind it change faster than the governance process that maintains it. Roles accumulate exceptions, organisational structures shift, and entitlement definitions lose alignment with actual job functions. The result is not a single broken control, but a slow mismatch between policy intent and operational reality. In mature environments, this shows up as redundant roles, conflicting rules, and access reviews that confirm inherited mistakes instead of correcting them. Data quality is the control plane beneath the control plane: if identity and entitlement data is wrong, authorization logic becomes unreliable no matter how sophisticated the platform is.

Practical implication: treat role and entitlement data as governed assets with ownership, quality checks, and drift monitoring.

How transaction logs improve access quality assessment

Transaction logs provide the process context that static IAM models usually miss. A role definition can look correct on paper while the logs show repeated exceptions, delayed removals, or inconsistent provisioning patterns. By analysing those events, teams can infer where access state has drifted and where policy structure no longer reflects actual business flows. This is especially useful when there is no perfect ground truth for correct access, which is common in large enterprises. The key insight is that quality assessment should combine structural metrics, such as redundancy and complexity, with behavioural evidence from how identities and access rights actually evolve.

Practical implication: use logs to validate whether access structures still match real business processes.

Why access reviews become compliance exercises

Access reviews often degrade because reviewers are asked to judge too much, too fast, with too little context. In that environment, approval bias is predictable, and the review process becomes a completion exercise rather than a meaningful control. The article's research points to a better model: decision quality needs measurement, contextual prompts, and support that helps reviewers notice risk patterns instead of simply ticking boxes. That aligns with broader governance practice across human IAM and NHI lifecycle management, where the control is only as strong as the quality of the review signal.

Practical implication: redesign review workflows to surface context and measure decision quality, not just completion rates.


Threat narrative

Attacker objective: The end state is broader and less accountable access than the organisation intended, with governance controls too degraded to prevent or explain it.

  1. Entry occurs when identity, entitlement, or policy data is created with gaps, stale attributes, or inconsistent role definitions that later shape access decisions.
  2. Escalation follows as exceptions, redundant roles, and weak review outcomes accumulate, giving users or service identities broader access than intended.
  3. Impact is reduced authorization reliability, with excessive privilege, governance noise, and operational disruption becoming persistent rather than exceptional.



NHI Mgmt Group analysis

IAM data quality is the hidden control surface of identity governance. The article is right to separate IAM effectiveness from tooling maturity, because access control outcomes depend on the freshness, consistency, and completeness of the underlying identity data. When role, entitlement, and policy data decay, the programme does not merely become harder to run; it becomes less trustworthy. For practitioners, that means governance has to treat data quality as an operational control, not an implementation detail.

Continuous governance matters more than initial model design. Static role engineering creates the illusion of order at go-live, but organisations, systems, and regulatory expectations keep changing after deployment. That is why exception creep and policy redundancy are not side effects; they are the predictable outcome of unmanaged drift. The practical conclusion is that effective IAM is measured by how well it survives change, not by how elegant it looks at launch.

Access reviews fail when the review subject is stale data instead of live risk. Reviews that rely on incomplete context produce compliance theatre, not assurance, because reviewers approve what they cannot validate. The named failure mode here is review-quality decay, where the control exists but the input signal is too poor to support a meaningful decision. Practitioners should treat review quality as a control objective in its own right.

Non-human identity programmes inherit the same data-quality problem, but at higher speed. Machine identities, service accounts, and automation accounts amplify the consequences of weak identity data because their lifecycle is faster and their sprawl is harder to observe manually. That makes lifecycle governance, entitlement hygiene, and attribute accuracy foundational across IAM and NHI programmes alike. The lesson is that identity governance collapses when the data model cannot keep pace with runtime reality.

Identity drift debt: the accumulation of stale identity, entitlement, and policy records creates a hidden liability that grows until access control becomes reactive. This is not just a maintenance issue; it is the mechanism by which good IAM designs lose fidelity over time. Once drift debt is large enough, teams spend more effort explaining exceptions than preventing them. Practitioners should manage drift as a measurable governance risk, not an inevitable background condition.

From our research:

  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
  • Our research also shows that the average estimated time to remediate a leaked secret is 27 days, even though 75% of organisations express strong confidence in their secrets management capabilities.
  • For teams extending IAM discipline into machine identity, the NHI Lifecycle Management Guide shows how ownership, expiry, and offboarding controls need to be kept current.

What this signals

Identity drift debt: the next IAM maturity problem is not policy design, it is the accumulated cost of stale identity data, redundant roles, and unresolved exceptions. Organisations that cannot quantify that debt will keep mistaking process activity for control effectiveness.

The practical signal for readers is that access governance needs to become more measurement-driven, especially where human and non-human identities intersect. If review cycles are approving stale access faster than teams can remove it, the programme is optimising compliance throughput rather than reducing exposure.

Machine identities make the same governance gap more visible because their lifecycle changes faster than manual oversight can follow. That is why NHI programmes should be judged on data freshness, ownership clarity, and lifecycle accuracy rather than on inventory counts alone.


For practitioners

  • Establish data owners for identity and entitlement records: Assign explicit ownership for role, attribute, and entitlement data so that stale records have a clear remediation path. Tie ownership to change management and require periodic quality checks on the inputs that drive access decisions.
  • Measure policy drift with structural quality indicators: Track redundancy, conflicts, complexity, and excessive access as recurring quality signals rather than one-off clean-up tasks. Use those indicators to prioritise which roles and entitlements need redesign before review cycles.
  • Use transaction logs to validate access state: Compare provisioning, movement, and removal events against the current authorization model to find mismatches that static review alone will miss. Logs should confirm whether the live environment still matches the intended policy.
  • Treat access reviews as decision-quality controls: Add context prompts, risk highlighting, and reviewer performance checks so reviews assess correctness, not just completion. For high-volume programmes, focus human review on high-risk exceptions and automate the low-risk baseline.
  • Extend the same governance model to NHI lifecycle data: Apply the same discipline to service accounts, tokens, and workload identities by tracking their attributes, owners, and expiry conditions. If the identity data is wrong, lifecycle controls will drift just as quickly as human IAM controls.
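The structural indicators, the log-versus-state comparison, and the NHI ownership and expiry checks described in the practitioner list above (and in the technical breakdown earlier) can all be computed from the same small data model. The following is an added example written for this page; it is not Nexis's research tooling, NHIMG's code, or any IAM product's API. Every role, entitlement, identity, SoD rule, and provisioning event in it is constructed sample data, and the "expected" state is simply a replay of grant and revoke events in timestamp order.

```python
"""Drift and quality checks over a small IAM/NHI entitlement model.
Added illustration for this page, not code from Nexis or NHIMG. Every role,
entitlement, identity, and log event below is constructed sample data."""
from collections import defaultdict
from datetime import datetime, timezone

ROLES = {  # role -> entitlements it grants (constructed)
    "finance_analyst": {"ledger:read", "reports:read"},
    "finance_reporting": {"reports:read", "ledger:read"},  # same grants as finance_analyst
    "ap_clerk": {"invoice:create", "ledger:read"},
    "ap_approver": {"invoice:approve", "ledger:read"},
    "ci_deployer": {"deploy:prod", "secrets:read"},
}
SOD_RULES = [("invoice:create", "invoice:approve")]  # entitlement pairs that must not coexist
IDENTITIES = {  # identity -> metadata; "nhi" entries carry an owner and an expiry
    "alice": {"type": "human", "owner": "alice"},
    "bob": {"type": "human", "owner": "bob"},
    "svc-ci-runner": {"type": "nhi", "owner": "platform-team", "expires": "2026-01-31T00:00:00+00:00"},
    "svc-legacy-etl": {"type": "nhi", "owner": None, "expires": "2025-12-01T00:00:00+00:00"},
}
ASSIGNMENTS = {  # live state as exported from the IAM system (constructed)
    "alice": {"finance_analyst"},
    "bob": {"ap_clerk", "ap_approver"},
    "svc-ci-runner": {"ci_deployer"},
    "svc-legacy-etl": {"ap_clerk"},
}
EVENTS = [  # provisioning transaction log: (timestamp, action, identity, role)
    ("2025-09-01T09:00:00+00:00", "grant", "alice", "finance_analyst"),
    ("2025-09-03T10:00:00+00:00", "grant", "bob", "ap_clerk"),
    ("2025-10-15T11:00:00+00:00", "grant", "bob", "ap_approver"),
    ("2025-11-01T12:00:00+00:00", "grant", "svc-ci-runner", "ci_deployer"),
    ("2025-11-20T08:30:00+00:00", "revoke", "bob", "ap_clerk"),  # revoke never reached live state
]

def redundant_roles(roles):
    """Groups of roles that grant exactly the same entitlement set."""
    by_grants = defaultdict(list)
    for role, ents in roles.items():
        by_grants[frozenset(ents)].append(role)
    return sorted(sorted(g) for g in by_grants.values() if len(g) > 1)

def effective_entitlements(identity, assignments, roles):
    """Union of everything the identity's assigned roles grant."""
    return set().union(*(roles[r] for r in assignments.get(identity, ())))

def sod_conflicts(assignments, roles, sod_rules):
    """Identities whose effective entitlements contain a forbidden pair."""
    hits = []
    for ident in sorted(assignments):
        ents = effective_entitlements(ident, assignments, roles)
        hits += [(ident, a, b) for a, b in sod_rules if a in ents and b in ents]
    return hits

def replay_log(events):
    """State the log says should exist: apply grants and revokes in timestamp order."""
    expected = defaultdict(set)
    for _ts, action, ident, role in sorted(events):
        if action == "grant":
            expected[ident].add(role)
        else:
            expected[ident].discard(role)
    return expected

def drift_from_logs(assignments, events):
    """Compare live assignments with the replayed log.
    stale_revoke: log revoked it but live state still holds it
    unlogged:     live state holds it and no grant event ever explained it
    missing:      log says granted but live state lacks it (out-of-band removal)"""
    expected = replay_log(events)
    ever_granted = {(e[2], e[3]) for e in events if e[1] == "grant"}
    findings = []
    for ident in set(assignments) | set(expected):
        live, exp = assignments.get(ident, set()), expected.get(ident, set())
        for role in live - exp:
            kind = "stale_revoke" if (ident, role) in ever_granted else "unlogged"
            findings.append((kind, ident, role))
        findings += [("missing", ident, role) for role in exp - live]
    return sorted(findings)

def nhi_hygiene(identities, now):
    """Non-human identities with no owner or with an expiry already in the past."""
    issues = []
    for ident, meta in identities.items():
        if meta["type"] != "nhi":
            continue
        if not meta.get("owner"):
            issues.append(("no_owner", ident))
        if meta.get("expires") and datetime.fromisoformat(meta["expires"]) < now:
            issues.append(("expired", ident))
    return sorted(issues)

if __name__ == "__main__":
    now = datetime(2026, 1, 15, tzinfo=timezone.utc)  # constructed "today"
    print("redundant roles:", redundant_roles(ROLES))
    print("SoD conflicts:  ", sod_conflicts(ASSIGNMENTS, ROLES, SOD_RULES))
    print("log drift:      ", drift_from_logs(ASSIGNMENTS, EVENTS))
    print("NHI hygiene:    ", nhi_hygiene(IDENTITIES, now))
```

Run as a script it prints the four finding lists; imported, the functions take a role catalogue, an assignment export, and a provisioning log in the same shape. The "unlogged" finding (a live assignment no grant event explains) is the case the article describes: access that exists without a decision trail, so reviewers can only approve or explain it rather than govern it. The "stale_revoke" case is the delayed-removal pattern the technical breakdown attributes to transaction logs, and the redundant-role and SoD outputs are the structural indicators that should feed role redesign before a review cycle starts.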

Key takeaways

  • IAM effectiveness depends on the quality of the identity and entitlement data underneath the platform, not just the platform itself.
  • Access reviews lose security value when reviewers are asked to validate stale or incomplete access data at scale.
  • Continuous governance, data ownership, and log-driven validation are the practical controls that keep IAM and NHI programmes aligned with reality.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet. Note that CSF 2.0 renamed the access-control subcategories from PR.AC to PR.AA, and SP 800-207 does not use CSF control identifiers; the references below use each document's own numbering.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-05 (access permissions, entitlements, and authorizations defined, managed, enforced, and reviewed; CSF 1.1 equivalent PR.AC-4) and PR.AA-01 (identities and credentials managed) | Access permissions drift when identity data quality degrades.
NIST Zero Trust (SP 800-207) | Section 2.1, tenets of Zero Trust (dynamic per-request authorization using collected identity and asset state) | Zero Trust depends on current, reliable identity attributes for each access decision.
OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI5:2025 Overprivileged NHI | Non-human identity lifecycle data needs ownership and current state tracking.

Apply NHI lifecycle controls to service accounts and tokens, including expiry, ownership, and offboarding.


Key terms

  • Identity drift debt: The accumulated gap between intended access policy and the messy reality of changing identities, roles, and entitlements. It grows when exceptions, stale data, and organisational change are left to build up, making access control less accurate and more expensive to maintain over time.
  • Authorization structure: The set of roles, policies, entitlements, and segregation-of-duties rules that determines who or what can access what. In practice, it is the operational shape of IAM decision-making, and it only works when the data underneath it is current and internally consistent.
  • Review quality: The degree to which access reviewers make accurate, risk-aware decisions rather than simply completing a recertification task. High review quality depends on contextual information, clear decision criteria, and enough signal to detect stale, excessive, or anomalous access.
  • Identity data quality: The freshness, completeness, consistency, and accuracy of the identity and entitlement data that IAM systems rely on. When identity data quality is weak, even well-designed access models produce unreliable outcomes because the control logic is only as good as its inputs.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Nexis: IAM Data Quality in Identity and Access Management: From Research to Practice. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org