TL;DR: Fortune 500 IAM leaders say fragmented identity data, manual certification work, and services-heavy deployments are overwhelming programmes and leaving controls partially implemented, according to Hydden. The deeper problem is that governance models still assume clean, centralised identity data and sustainable manual oversight, even as AI and regulatory pressure increase.
At a glance
What this is: Hydden argues that fragmented identity data, manual IAM operations, and services dependency are now the main reasons enterprise identity programmes underperform.
Why it matters: For IAM teams, the issue is not just tooling sprawl but governance failure across NHI, autonomous, and human identity workflows that rely on the same broken data and review assumptions.
Context
Modern IAM programmes break down when identity data is scattered across multiple systems with different schemas, update cycles, and ownership models. That fragmentation makes it difficult to know which record is authoritative, and it slows every downstream control that depends on accurate identity state, from access reviews to provisioning and attestation.
The article frames this as a governance problem as much as an operational one. When teams still rely on manual exports, spreadsheet reconciliation, and services-led implementation work, identity oversight becomes fragile across human users, service accounts, and emerging agentic systems that all depend on trustworthy identity data.
As AI adoption expands, the pressure on identity foundations increases rather than decreases. Continuous discovery and lifecycle governance become central because the programme can no longer assume that access state, inventory state, or control state will stay stable long enough for manual processes to catch up.
Key questions
Q: Where do IAM programmes fail when identity data is fragmented across many systems?
A: They fail where review, provisioning, and audit decisions depend on inconsistent identity state. If different systems hold different attributes or refresh on different schedules, the programme cannot trust its own evidence. That creates manual reconciliation, delayed remediation, and incomplete access control decisions, especially when teams rely on spreadsheets to bridge the gaps.
Q: When should organisations stop treating manual IAM work as acceptable?
A: They should stop when manual work becomes the default mechanism for validating entitlements, reconciling records, or approving access. At that point, the programme is compensating for broken data and weak ownership rather than operating controls. Persistent manual effort is a sign that automation will keep failing until the identity model is cleaned up.
Q: What do security teams get wrong about IAM platform consolidation?
A: They often assume more catalog breadth means better governance. In practice, overlapping modules can increase integration burden, dilute ownership, and preserve partial implementations. A larger platform stack does not fix fragmented identity data or unclear accountability, so teams should evaluate control reliability, not vendor breadth.
Q: How do you know if an IAM control is actually sustainable?
A: A control is sustainable only if the internal team can operate, update, and recover it without depending on external specialists for routine changes. If configuration knowledge lives mainly with consultants, the control is fragile. Sustainability shows up in repeatable ownership, not in the size of the deployment project.
Technical breakdown
Why fragmented identity data breaks IAM governance
Identity data fragmentation means the same subject can exist in multiple stores with different attributes, ownership, and refresh schedules. In practice, Active Directory, HRIS, cloud control planes, SaaS applications, and PAM/IGA tools often disagree about entitlements or even whether an identity still exists. That makes authoritative reporting difficult and weakens recertification, provisioning, and audit evidence. The core issue is not simply duplication. It is that governance decisions are being made from inconsistent state, which turns every downstream control into a reconciliation exercise instead of a trust decision.
Practical implication: establish a single authoritative identity data model before expecting certification or provisioning controls to scale.
Why manual access reviews keep reappearing in mature IAM programmes
Manual IAM work persists when organisations automate the workflow but not the underlying data quality or ownership model. Spreadsheet exports, email approvals, and contractor-driven certification campaigns are symptoms of a deeper dependency: each system still needs human reconciliation because the programme lacks clean identity state and reliable control boundaries. That creates a loop where automation fails to stick, because every exception creates more manual handling, and every manual cycle produces more inconsistency. The result is not just inefficiency. It is governance latency, where access decisions arrive after the risk has already moved on.
Practical implication: measure how much of certification and provisioning still depends on manual reconciliation, not just workflow tooling.
How professional services dependency distorts identity platform outcomes
When deployment and configuration require continuous external services, the identity platform becomes operationally dependent on specialists rather than embedded programme capability. That changes incentives: complexity is preserved because complexity sustains implementation revenue, while customers inherit brittle systems that are hard to tune, expand, or replace. From a governance perspective, this is a hidden control risk. A control that cannot be maintained by the owning team is not really in control. The article is describing a structural failure mode where the programme purchases capability but not sustainable operating capacity.
Practical implication: evaluate whether each IAM control can be owned, changed, and recovered by the internal team without external intervention.
Threat narrative
Attacker objective: The objective is to exploit inconsistent identity state and delayed governance so access remains broader or longer-lived than the programme intended.
- entry: identity data enters multiple disconnected systems with different schemas and refresh cycles, creating inconsistent trust inputs across the programme.
- escalation: manual processes and partially implemented controls allow stale entitlements, unresolved exceptions, and incomplete reviews to persist.
- impact: attackers and internal risk conditions both benefit from delayed decisions, weak evidence, and control gaps that remain invisible until audit or incident response.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- LiteLLM PyPI package breach — LiteLLM PyPI supply chain attack, credentials stolen from users.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity fragmentation is now a control problem, not a data-quality nuisance. When identity state is split across directory services, HR systems, clouds, and SaaS platforms, every review, attestation, and provisioning decision starts from disagreement. That means the programme is governing access against conflicting evidence instead of a single source of truth. The implication is straightforward: identity governance cannot be mature while identity data remains operationally fragmented.
Manual IAM work is a symptom of governance debt that automation alone will not erase. Exporting reviews to spreadsheets and routing provisioning through email are not just process inefficiencies. They reveal that the programme has not normalised identity data or ownership strongly enough to support reliable automation. Teams should treat persistent manual work as evidence that the control model is unstable, not merely under-resourced.
Professional services dependency creates a hidden availability risk for identity controls. If critical IAM and PAM functions only work when external specialists are actively tuning them, then the organisation does not truly own those controls. That matters because identity systems are not static assets; they must absorb joins, moves, leaves, exceptions, and audits continuously. Practitioners should view services dependence as a signal that control sustainability has been outsourced.
Identity data visibility is becoming the foundation for AI-era governance. The more organisations rely on human oversight for access reviews and control validation, the more brittle those processes become as agentic and machine identities increase. Clean inventory, lifecycle discipline, and continuous discovery are no longer back-office hygiene. They are the precondition for governing access at the pace modern systems demand.
Platform consolidation has not removed complexity from IAM; it has redistributed it. Large vendors can accumulate overlapping capabilities without eliminating the operational burden that comes from partial implementation and disconnected modules. That leaves practitioners with more catalogue breadth but not necessarily better governance outcomes. The field should judge IAM maturity by control reliability and operability, not by the size of the platform stack.
From our research:
- Only 44% of developers are reported to follow security best practices for secrets management, according to The State of Secrets in AppSec.
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases.
- For related lifecycle governance guidance, see NHI Lifecycle Management Guide and 52 NHI Breaches Analysis.
What this signals
Identity data debt will shape the next phase of IAM modernisation. Teams that cannot reconcile identity sources quickly will keep paying for manual certification, support contracts, and exception handling. The practical signal is that governance maturity will be measured less by platform adoption and more by how quickly the organisation can answer who has access, where that answer comes from, and how often it drifts.
Fragmentation is becoming a lifecycle problem as much as a tooling problem. Once identities span HR, directory, cloud, SaaS, and legacy estates, joiner-mover-leaver processes depend on consistent propagation across systems. Practitioners should expect more pressure to centralise identity inventory and lifecycle evidence, particularly where access review and recertification are still operationally manual.
Teams should expect AI adoption to expose weak identity foundations faster than traditional audits do. If machine and agentic workloads inherit the same broken data model, the programme will accumulate risk faster than review cycles can absorb it. That makes continuous discovery and lifecycle visibility a prerequisite for AI-era identity governance, not an optional enhancement.
For practitioners
- Map the authoritative identity record: Document which system owns each identity attribute, entitlement, and status field across HRIS, directory, cloud, SaaS, and PAM sources. Then remove duplicate decision points where different systems can contradict the same identity state.
- Measure manual reconciliation effort: Track how many certification, provisioning, and audit tasks still rely on spreadsheet exports, email approvals, or contractor cleanup. Use that baseline to identify which controls are failing because data quality is unresolved.
- Test control ownership without external services: Ask whether the internal team can run, modify, and recover the IAM control without a consultant on call. If the answer is no, treat the control as operationally fragile and redesign the support model.
- Prioritise continuous discovery across identity stores: Continuously inventory identities and entitlements across directories, clouds, SaaS applications, and legacy systems so governance decisions are based on current state rather than periodic exports.
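The fragmentation described in the technical breakdown, and the first and fourth practitioner steps above, come down to one operation: join every downstream store back to the record you have declared authoritative and report where they disagree. The script below is an added example written for this page, not code from Hydden or from NHI Mgmt Group. Its four exports (an HRIS feed, an Active Directory dump, a cloud IAM listing, and a SaaS seat list) are constructed, the join key `employee_id` and the deliberately mismatched attribute names (`employeeID`, `emp_id`) are assumptions, and HRIS is assumed to be authoritative for employment status. It classifies each disagreement as stale access (HRIS says terminated, the store still grants access), an orphan (the store has an account HRIS has never heard of), or an unmapped account (no join key, so no owner can be resolved, the typical non-human identity gap), and it computes how many days each stale entitlement has outlived the termination date, which is the governance latency the article warns about.

```python
"""Reconcile identity state across fragmented stores and surface governance lag.

Added example, not code from the Hydden article or from NHI Mgmt Group.
All four exports below are constructed; the attribute names differ on
purpose to mimic real schema drift. HRIS is treated as the authoritative
source for employment status; every other store is checked against it.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed HRIS feed: authoritative for status and termination date.
HRIS = [
    {"employee_id": "E1001", "status": "active", "term_date": None},
    {"employee_id": "E1002", "status": "terminated", "term_date": "2026-01-15"},
    {"employee_id": "E1003", "status": "terminated", "term_date": "2025-11-30"},
]
# Constructed Active Directory export: different key name, enabled flag, groups.
AD = [
    {"employeeID": "E1001", "enabled": True, "groups": ["Finance-Users"]},
    {"employeeID": "E1002", "enabled": True, "groups": ["Finance-Users", "Domain Admins"]},
    {"employeeID": "E1003", "enabled": False, "groups": []},
    {"employeeID": "E9999", "enabled": True, "groups": ["Contractors"]},  # no HRIS record
]
# Constructed cloud IAM listing: yet another key name; one service account
# carries no owner mapping at all (a typical non-human identity gap).
CLOUD_IAM = [
    {"emp_id": "E1001", "state": "ACTIVE", "roles": ["Viewer"]},
    {"emp_id": "E1003", "state": "ACTIVE", "roles": ["Owner"]},
    {"emp_id": None, "user": "svc-deploy", "state": "ACTIVE", "roles": ["Editor"]},
]
# Constructed SaaS export: seat assignment only, no lifecycle state of its own.
SAAS = [
    {"employee_id": "E1002", "seat": "admin"},
]


@dataclass
class Finding:
    employee_id: Optional[str]
    system: str
    kind: str                       # "stale_access", "orphan" or "unmapped"
    detail: str
    lag_days: Optional[int] = None  # days since HRIS termination, for stale_access


def reconcile(hris, ad, cloud, saas, today: date) -> list[Finding]:
    """Compare every downstream store against the HRIS status record.

    stale_access: HRIS says terminated but the store still grants access.
    orphan:       the store has an active account HRIS has never heard of.
    unmapped:     the account has no join key, so no owner can be resolved.
    """
    by_id = {r["employee_id"]: r for r in hris}
    findings: list[Finding] = []

    def check(system: str, key: str, record: dict, has_access: bool, detail: str) -> None:
        emp = record.get(key)
        if emp is None:
            findings.append(Finding(None, system, "unmapped", detail))
            return
        hr = by_id.get(emp)
        if hr is None:
            if has_access:
                findings.append(Finding(emp, system, "orphan", detail))
            return
        if hr["status"] == "terminated" and has_access:
            lag = (today - date.fromisoformat(hr["term_date"])).days
            findings.append(Finding(emp, system, "stale_access", detail, lag))

    for r in ad:
        check("AD", "employeeID", r, r["enabled"], f"enabled; groups={r['groups']}")
    for r in cloud:
        check("CLOUD_IAM", "emp_id", r, r["state"] == "ACTIVE", f"roles={r['roles']}")
    for r in saas:
        check("SAAS", "employee_id", r, True, f"seat={r['seat']}")
    return findings


def build_report(today_iso: str = "2026-02-18") -> dict:
    """Counts per finding kind plus the worst governance latency observed."""
    findings = reconcile(HRIS, AD, CLOUD_IAM, SAAS, date.fromisoformat(today_iso))
    lags = [f.lag_days for f in findings if f.lag_days is not None]
    return {
        "counts": dict(Counter(f.kind for f in findings)),
        "max_lag_days": max(lags, default=0),
        "findings": findings,
    }


if __name__ == "__main__":
    report = build_report()
    for f in report["findings"]:
        lag = f" ({f.lag_days} days after termination)" if f.lag_days is not None else ""
        print(f"{f.kind:12} {f.system:10} {f.employee_id or '-':6} {f.detail}{lag}")
    print("summary:", report["counts"], "max lag:", report["max_lag_days"])
```

Run as a script it lists each disagreement with its owning system; the point of the design is that every decision reads employment status from the one declared authority rather than from whichever export is newest, so adding a fifth store is a matter of another `check()` call with that store's own key name. The `unmapped` class is the one to watch in real estates: an account with no resolvable owner can never be certified, only discovered.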
Key takeaways
- Fragmented identity data is undermining IAM governance because access decisions are being made from inconsistent state.
- Manual reviews, spreadsheet workflows, and consultant-dependent deployments are evidence that identity controls are not yet operationally sustainable.
- Teams should focus on authoritative identity data, continuous discovery, and internal control ownership before adding more IAM tooling.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI5:2025 Overprivileged NHI | Identities that persist in downstream stores after HRIS or ownership records say they should be gone, and entitlements that are never reconciled, are the fragmentation and lifecycle failures described above. |
| NIST CSF 2.0 | PR.AA-01; PR.AA-05 | Managing identities and credentials (PR.AA-01) and defining, enforcing and reviewing access permissions under least privilege (PR.AA-05) both presuppose a consistent, authoritative identity record to review against. |
| NIST Zero Trust (SP 800-207) | Sec. 2.1, Tenets of Zero Trust (per-session, least-privilege access under dynamic policy) | Per-request access decisions are only as trustworthy as the identity and entitlement state fed to the policy engine; fragmented or stale state undermines the tenets directly. |
Inventory all identity sources and reconcile ownership so governance decisions use a single authoritative record.
Key terms
- Identity Data Fragmentation: Identity data fragmentation is the condition where the same person, service account, or workload exists across multiple systems with different attributes, timestamps, or ownership. It makes governance decisions harder because no single source can be trusted without reconciliation. In mature programmes, fragmentation is a control risk, not just an administrative inconvenience.
- Manual Governance Loop: A manual governance loop is a recurring identity process that depends on spreadsheet exports, email approvals, or human reconciliation to keep access records usable. It often appears when automation sits on top of inconsistent identity data. The loop creates latency, increases error rates, and hides the real source of control failure.
- Services Dependency: Services dependency is the condition where an identity control can only be deployed, tuned, or recovered with continuous outside assistance. It signals that the organisation owns software licences but not the operating capability. In practice, it weakens resilience because control sustainability depends on specialist availability rather than internal competence.
- Authoritative Identity Record: An authoritative identity record is the system or data model that other controls treat as the primary source for identity attributes, status, and entitlements. It is not simply the largest database. It is the record that governance processes rely on when they need to decide who or what should have access right now.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Hydden: the case for a new foundation in identity management. Read the original.
Published by the NHIMG editorial team on 2026-02-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org