TL;DR: IAM programmes still struggle with orphaned accounts, static permission models, and slow recertification cycles, while one CSS Insurance case study cited by Nexis shows role-based governance reducing recertification from five months to eight weeks. The lesson is that governance velocity now matters as much as governance coverage, especially where identities and entitlements keep changing.
At a glance
What this is: This Nexis issue highlights IAM hygiene, recertification, SaaS versus on-premises deployment, and integrated governance workflows, with a CSS Insurance case study showing faster role-based access reviews.
Why it matters: It matters because IAM teams need to decide how to reduce orphaned access, speed recertification, and align governance controls across human, NHI, and workload identity programmes.
By the numbers:
- As one of Switzerland’s largest health and accident insurers, CSS managed over 3,300 roles in its IAM landscape.
👉 Read Nexis's July 2025 issue on IAM hygiene, governance, and deployment choices
Context
IAM governance breaks down when role models drift, entitlements accumulate, and recertification becomes a quarterly burden instead of a continuous control. In practice, that means teams spend more time chasing approvals than proving that access is still justified, especially in environments with heterogeneous target systems and a growing number of exceptions.
The topic is relevant to identity programmes because the same governance discipline now has to span human users, service accounts, and other non-human identities. When review cycles are slow or static, they do not just create audit friction. They leave access changes unexamined long enough for privilege creep, orphaned accounts, and hidden risk to become the default state.
Key questions
Q: How should IAM teams reduce recertification backlogs without weakening governance?
A: They should reduce campaign scope, improve entitlement data quality, and remove roles that no longer match real access patterns. The goal is not just faster approvals. It is making each review cycle precise enough that certifiers can make a current, defensible decision about access.
Q: Why do static role models create governance problems in IAM programmes?
A: Static role models create problems when they stop reflecting how people and systems actually use access. As exceptions accumulate, reviews become harder to interpret and audit evidence becomes weaker. A role model should simplify governance, not force teams to manually reconcile outdated access structures.
Q: How do organisations know if their access review process is actually working?
A: They should look for shorter campaign duration, fewer unresolved exceptions, cleaner ownership data, and a smaller volume of stale entitlements after each cycle. If reviews take months or leave many items unreviewed, the process is signalling backlog rather than control strength.
Q: What should security teams do when IAM governance spans human and machine identities?
A: They should apply the same lifecycle discipline to both populations while preserving identity-specific review logic. That means ownership, offboarding, recertification, and entitlement scope must be defined consistently, even if the workflow steps differ between people and non-human identities.
Technical breakdown
Why static role models slow down IAM governance
Static role models work when access patterns are stable, but they become brittle as organisations add applications, exceptions, and cross-functional work. A role model should translate business function into repeatable entitlement bundles, yet in many environments roles accumulate edge cases until they no longer reflect real work. That gap forces recertification teams to review individual entitlements manually, which is where governance slows down. The technical problem is not only scale. It is model drift, where the catalog of roles no longer matches the actual shape of access in the enterprise.
Practical implication: reassess role design before trying to accelerate certification cycles.
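One way to make role drift measurable before a certification cycle starts, as an added example that is not code from the Nexis issue or from NHIMG: compare each role's intended entitlement bundle with what its members actually hold, and rank roles by the share of members who deviate. The roles, users and entitlement names are constructed sample data.

```python
# Added example (not from the Nexis issue or NHIMG): measures role model drift
# by comparing each role's intended entitlement bundle with the entitlements its
# members actually hold. All roles, users and entitlements are constructed.
from collections import defaultdict

# Role catalog: role -> intended entitlement bundle (constructed sample data)
ROLE_CATALOG = {
    "claims-handler": {"claims:read", "claims:write", "mail:send"},
    "finance-analyst": {"ledger:read", "reports:export"},
}

# Actual state: user -> (assigned role, entitlements reported by target systems)
ASSIGNMENTS = {
    "u001": ("claims-handler", {"claims:read", "claims:write", "mail:send"}),
    "u002": ("claims-handler", {"claims:read", "claims:write", "mail:send", "ledger:read"}),
    "u003": ("claims-handler", {"claims:read", "mail:send", "hr:read"}),
    "u004": ("finance-analyst", {"ledger:read", "reports:export", "ledger:write"}),
    "u005": ("finance-analyst", {"ledger:read"}),
}

def role_drift(catalog, assignments):
    """Per role: share of members whose actual access differs from the bundle,
    the entitlements granted outside the bundle (exceptions), and bundle
    entitlements that some member does not hold (possibly stale in the model)."""
    members, deviating = defaultdict(int), defaultdict(int)
    extras, missing = defaultdict(set), defaultdict(set)
    for role, actual in assignments.values():
        bundle = catalog.get(role, set())  # unknown role: every entitlement is an exception
        members[role] += 1
        if actual != bundle:
            deviating[role] += 1
            extras[role] |= actual - bundle
            missing[role] |= bundle - actual
    return {
        role: {
            "members": members[role],
            "drift_ratio": round(deviating[role] / members[role], 2) if members[role] else 0.0,
            "exceptions": sorted(extras[role]),
            "unused_bundle": sorted(missing[role]),
        }
        for role in set(catalog) | set(members)
    }

def roles_needing_redesign(report, threshold=0.5):
    """Roles where at least `threshold` of members deviate: redesign these first."""
    return sorted(r for r, s in report.items() if s["drift_ratio"] >= threshold)

if __name__ == "__main__":
    rep = role_drift(ROLE_CATALOG, ASSIGNMENTS)
    print(rep, roles_needing_redesign(rep))
```

A role whose drift ratio stays high after exceptions are reconciled is a candidate for redesign rather than for a faster review campaign.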
How recertification backlogs emerge in heterogeneous target systems
Heterogeneous target systems make access governance harder because entitlements, ownership metadata, and application semantics differ from one system to the next. If the IAM layer cannot map those systems cleanly into a common review model, certification campaigns become a data reconciliation exercise instead of a control. Backlogs then grow when approvers cannot understand what they are reviewing, or when the workflow has to wait for manual interpretation of access records. The real technical constraint is not just workflow capacity. It is the quality and normalisation of entitlement data across connected systems.
Practical implication: normalise entitlement data and ownership metadata before expanding campaign scope.
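The normalisation step described above, as an added example (not code from the Nexis issue or from NHIMG): records from a directory, a SaaS console and a database grant table are mapped onto one entitlement model, and items with no accountable owner are held out of the active review population. The three source shapes, the "-R"/"-RW" group suffix convention and every record are constructed assumptions.

```python
# Added example (not the Nexis issue's or NHIMG's code): normalises entitlement
# records from three heterogeneous target systems into one review model and keeps
# ownerless items out of the active review population. Source shapes and the
# "-R"/"-RW" group suffix convention are assumed; all records are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Entitlement:
    system: str
    subject: str            # account identifier as reported by the source system
    resource: str
    action: str
    owner: Optional[str]    # accountable owner; None means ownership is unresolved

# Constructed source records, each in its system's native shape
AD_GROUPS = [  # directory: (account, group, group owner)
    ("jdoe", "FIN-LEDGER-RW", "finance-appowner"),
    ("svc-batch", "FIN-LEDGER-RW", None),
]
SAAS_ROLES = [  # SaaS console export
    {"user": "jdoe@example.test", "role": "Reports Exporter", "managed_by": "bi-team"},
]
DB_GRANTS = [  # database grant table: (grantee, privilege, object, owner)
    ("app_claims", "SELECT", "claims.policies", "claims-dba"),
    ("app_claims", "UPDATE", "claims.policies", None),
]
GROUP_MODES = {"R": ["read"], "RW": ["read", "write"]}  # assumed naming convention

def normalise():
    """Map each source's native fields onto the common Entitlement model."""
    out = []
    for account, group, owner in AD_GROUPS:
        resource, mode = group.rsplit("-", 1)
        for action in GROUP_MODES.get(mode, [mode.lower()]):
            out.append(Entitlement("ad", account, resource, action, owner))
    for rec in SAAS_ROLES:
        subject = rec["user"].split("@")[0]
        out.append(Entitlement("saas", subject, rec["role"], "member", rec["managed_by"]))
    for grantee, priv, obj, owner in DB_GRANTS:
        out.append(Entitlement("db", grantee, obj, priv.lower(), owner))
    return out

def review_population(entitlements):
    """Items with an accountable owner go to certifiers; the rest are blocked
    until ownership is resolved, so reviewers never certify unexplained access."""
    ready = [e for e in entitlements if e.owner]
    return ready, [e for e in entitlements if not e.owner]

if __name__ == "__main__":
    print([len(p) for p in review_population(normalise())])
```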
SaaS versus on-premises in identity governance architecture
SaaS and on-premises deployments shift the operational burden differently. SaaS reduces infrastructure upkeep and speeds updates, while on-premises can offer more control over integration boundaries and local compliance constraints. For identity governance, the question is not which model is universally better. It is whether the organisation can sustain review cadence, integration coverage, and control evidence in the deployment model it chooses. If deployment choice is made without considering governance operations, teams often inherit a tooling model that is easy to buy but hard to run.
Practical implication: choose deployment architecture based on governance operations, not procurement convenience.
NHI Mgmt Group analysis
IAM governance fails when role models become a substitute for live access intelligence. The CSS example shows what happens when organisations try to govern a dynamic environment with a static entitlement structure. A role model can improve transparency, but only if it stays aligned with actual access patterns and system semantics. Practitioners should treat role drift as a governance defect, not just a maintenance issue.
Recertification backlog is a control failure, not a scheduling inconvenience. When campaigns stretch across months, the review process stops being a meaningful check on current access and becomes a historical audit of old state. That is why cycle time matters: the longer the campaign, the more likely the evidence is stale before certification completes. Practitioners should view backlog reduction as a core governance objective, not an administrative optimisation.
Identity governance across human and non-human identities needs the same lifecycle discipline, not separate exceptions. The post is a reminder that access review, entitlement ownership, and offboarding logic are lifecycle controls that apply across human users, service accounts, and other machine identities. If those populations are governed through different cadences or standards, organisations create inconsistent trust boundaries. Practitioners should unify lifecycle governance where the access model is shared.
Explainable automation only helps when the underlying entitlement model is already trustworthy. Faster recertification from AI or rules-based assistance is useful when it reduces reviewer effort without obscuring why access exists. But automation cannot fix poor role taxonomy, missing ownership, or unresolved access drift. The practical conclusion is that governance acceleration depends on data quality first, automation second.
Role model drift: The lasting governance problem here is not just too many roles, but roles that no longer describe how access is actually used across connected systems. That breaks auditability, slows certification, and widens the gap between policy and practice. Practitioners should treat role drift as a foundational control issue rather than a reporting nuisance.
From our research:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- That is why practitioners should also study the NHI Lifecycle Management Guide before scaling access reviews into machine identity populations.
What this signals
Role governance is becoming the pressure point in broader identity operations. As organisations add more connected systems, the IAM programme can no longer rely on annual clean-up exercises to preserve control quality. The operational signal is simple: if role definitions, ownership, and evidence trails do not stay current, review cadence becomes a reporting exercise rather than a governance mechanism.
Identity lifecycle discipline now has to span humans and non-human identities together. That is especially true where entitlement review and offboarding happen in different systems or at different speeds. The management implication is that access governance will increasingly be judged by how well it handles shared lifecycle logic across populations, not by how many certifications it can complete.
Role drift is the named concept that matters here: the moment a role model no longer reflects real entitlement use, every downstream review becomes slower and less reliable. Practitioners should pair governance reporting with access evidence and lifecycle controls from resources like the Ultimate Guide to NHIs and NIST Cybersecurity Framework 2.0.
For practitioners
- Rebuild role models around actual access usage: Map high-churn entitlements back to business functions and remove role fragments that exist only to satisfy historical exceptions. Use live entitlement evidence from connected systems before the next certification cycle starts.
- Shorten certification scope before shortening certification windows: Reduce the number of entitlements per campaign by splitting high-risk application sets, stale permissions, and low-value access into separate review tracks. Smaller scopes improve reviewer accuracy and cut backlog faster than workflow tuning alone.
- Normalise ownership for every connected system: Require an accountable owner, a review cadence, and a revocation path for each application and entitlement source. If ownership is ambiguous, the entitlement should not remain in the active review population.
- Treat deployment choice as a governance decision: Evaluate whether SaaS or on-premises better supports integration coverage, evidence retention, and control cadence in your environment. The right deployment model is the one that can sustain review quality at scale.
Key takeaways
- IAM governance weakens when role models lag behind real access patterns and force reviewers to interpret stale entitlement structures.
- The CSS case study shows that reducing recertification from months to weeks is possible when access is modelled and reviewed more cleanly.
- Practitioners should treat recertification speed, role drift, and lifecycle consistency as core governance metrics, not back-office admin details.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access permissions and approvals are central to recertification and role governance. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle and rotation discipline for non-human access aligns with the article's governance theme. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust requires continuous verification of access, not slow retrospective review cycles. |
Apply AC-4 to reduce standing access and align certification with continuously verified permissions.
Key terms
- Role model drift: Role model drift occurs when a permission model no longer reflects how access is actually used across applications and target systems. Over time, exceptions, one-off entitlements, and changed business functions make the model harder to trust, which slows certification and weakens audit evidence.
- Recertification campaign: A recertification campaign is a structured review cycle where managers, application owners, or approvers validate that existing access is still justified. In practice, campaign quality depends on current ownership data, clear entitlement meaning, and a scope small enough for reviewers to make accurate decisions.
- Entitlement normalisation: Entitlement normalisation is the process of translating different access structures from multiple systems into a common governance model. It allows identity teams to compare, review, and certify access consistently, but it only works when source data is accurate and ownership is maintained.
- Identity lifecycle discipline: Identity lifecycle discipline is the set of governance controls that manage access from creation through change and removal. It applies to human accounts, service accounts, and other non-human identities, but the review cadence and evidence requirements must match the actor type being governed.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Nexis: NEXIS Impulse, July 8, 2025. Read the original.
Published by the NHIMG editorial team on 2025-07-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org