TL;DR: Identity governance and administration tools often handle requests and deprovisioning, but audit still finds spreadsheet exports, weak evidence trails, and rubber-stamped reviews because control decisions are not anchored in business risk, according to SafePaaS. The gap is not provisioning volume but whether IGA behaves as an independent control layer for compliance.
At a glance
What this is: The article argues that identity governance and administration often improves workflow but still fails to give auditors the evidence, risk context, and control independence they need.
Why it matters: For IAM and NHI practitioners, this matters because governance that cannot prove who approved access, why it was approved, and under which policy will keep producing audit friction.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
👉 Read SafePaaS's analysis of identity governance and administration for audit
Context
Identity governance and administration is supposed to answer who has access, why they have it, and whether that access still fits policy. In practice, many enterprises treat IGA as a workflow system while audit teams still need an evidence layer that proves decisions across ERP and other in-scope applications. That gap matters for NHI governance too, because service accounts, bots, and AI agents often sit outside the same review discipline as human identities.
The article uses SOX and ITGC (Sarbanes-Oxley and IT general controls) as the lens, which is the right one for understanding where traditional IGA deployments drift into formality. When access reviews are reduced to spreadsheets and approvals are detached from business risk, the control is administratively complete but operationally weak. For practitioners, this is a familiar failure pattern rather than an edge case.
If you need a broader reference point for the control objectives that should shape this work, the Ultimate Guide to NHIs is useful for framing visibility, lifecycle, and over-privilege as governance problems rather than tool problems.
Key questions
Q: How should security teams make IGA evidence audit-ready?
A: Security teams should make evidence audit-ready by ensuring every approval, review, exception, and compensating control is stored in the governance layer with time stamps and policy context. Auditors should not need ERP exports, spreadsheets, or email threads to reconstruct the decision. If evidence cannot be produced directly, the control is incomplete.
Q: Why do access reviews often fail to reduce audit findings?
A: Access reviews fail when they certify large entitlement lists without risk context. Reviewers cannot reasonably judge hundreds of low- and high-risk items the same way, so they either rubber-stamp or over-revoke. Reviews work only when scope, business process impact, and SoD risk determine what gets attention first.
Q: What breaks when non-human identities are left out of governance?
A: When non-human identities are left out, ownership becomes unclear, credentials stay active too long, and audit cannot verify who approved the access or why it still exists. That creates a blind spot for service accounts, bots, and AI agents that often hold powerful permissions but rarely get the same lifecycle scrutiny as people.
Q: What should organisations do when IGA controls are strong but audits still fail?
A: Organisations should test whether their IGA platform is only moving work or actually controlling risk. If evidence is scattered, risk context is missing, and lifecycle ownership is informal, then the control layer is too thin. The right response is to strengthen governance, not just add more workflow steps.
Technical breakdown
Why traditional IGA workflows fail as an evidence layer
Identity governance and administration systems are often built to move access through request, approval, certification, and removal. That workflow is useful, but it does not automatically create audit-grade evidence. The technical failure is that the platform records activity while the organisation still depends on other systems, spreadsheets, and emails to explain business context, segregation of duties, and compensating controls. Once evidence is split across tools, the IGA platform becomes a provisioning hub rather than a control layer. In NHI environments, this weakness is amplified because service accounts and automation identities often bypass the same approval paths as people.
Practical implication: Treat evidence capture as a control requirement, not an afterthought, and verify that approvals, policy context, and exceptions are retained in one system of record.
How policy context changes access decisions
A functional governance model does more than map roles to entitlements. It ties access to business processes such as order-to-cash or record-to-report and evaluates whether a request creates conflicts, elevated transaction rights, or separation-of-duties violations. The key technical distinction is between identity data and policy data. Identity data says who the user is, while policy data says what that identity may do in a specific process state. Without that second layer, approvers see role names but not operational risk. The same problem appears with NHI access, where technical permissions can obscure what a service account or agent can actually execute.
Practical implication: Embed process and SoD context into approval workflows so reviewers judge operational risk, not just job title or department.
What audit-ready lifecycle governance looks like for NHIs
Audit-ready lifecycle governance requires every access event to be traceable from creation to review to removal. For NHIs, that means owners, purpose, expiry, rotation, and revocation must be explicit rather than implied. A platform should be able to show when an identity was created, which policy allowed it, what controls were attached, and when evidence was produced. This is the same lifecycle logic that many organisations apply to humans, but it becomes stricter for machines because automation can spread credentials quickly and silently. The control goal is not just visibility. It is durable accountability across the identity lifecycle.
Practical implication: Require named ownership, expiry, and review evidence for every non-human identity before it is allowed into production.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
IGA has become an operational layer in many enterprises, but audit needs a control layer. The distinction matters because workflow completion is not the same as governance effectiveness. If approvals, reviews, and deprovisioning do not produce independent evidence with policy context, the organisation is still reconstructing control after the fact. Practitioners should treat that as a design flaw, not an audit inconvenience.
Identity evidence is now a cross-domain problem, and NHI growth makes it harder to ignore. Human access reviews already strain teams, but machine identities multiply the evidence burden because owners, purposes, and lifecycle events are often inconsistent or missing. Call it ephemeral evidence debt: the longer an identity exists without durable ownership and policy traces, the harder it becomes to prove that access was justified. Audit teams should expect this pattern to widen as automation expands.
Risk-aware review is the real differentiator between administration and governance. If every entitlement is treated as equal, reviewers are forced into mechanical certification rather than judgment. That is why high-risk access, sensitive processes, and NHI entitlements should be separated from routine access in both workflow and reporting. Practitioners should redesign review scope around impact, not volume.
NHI governance cannot remain a side conversation inside traditional IGA programmes. Service accounts, bots, and AI agents are now part of the same control environment as human users, but they often lack the review cadence and evidence expectations that audit requires. That creates a blind spot that will keep surfacing as compliance exceptions unless teams explicitly extend governance to non-human identities. Security leaders should make that extension a formal control objective.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- A separate finding in the same research shows that only 20% of organisations have formal processes for offboarding and revoking API keys, which explains why lifecycle gaps persist.
- For the governance layer behind those failures, see NHI Lifecycle Management Guide for practical lifecycle controls that close ownership and revocation gaps.
What this signals
Ephemeral control without durable evidence is the next governance trap. As more access decisions move into automation, teams will need proofs that survive beyond the request workflow itself. That means designing for retrievability, ownership, and policy traceability from the start, not retrofitting them during audit.
The broader signal for practitioners is that IGA and NHI governance are converging around the same control question: can you prove why an identity exists and why it still needs access? Teams that answer that well will reduce rework during audit, while teams that rely on exports and manual reconciliation will keep paying a time tax.
With 90% of IT leaders already saying that properly managing NHIs is essential for a successful zero-trust implementation, the identity programme is being judged on more than access requests. Security leaders should align IGA, NHI lifecycle management, and evidence retention to one policy model, then validate it against NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10.
For practitioners
- Implement process-based access policies: Map high-risk entitlements to business processes such as record-to-report, procure-to-pay, and production changes so approvers can see SoD and impact context before granting access.
- Centralise audit evidence in the governance layer: Require approvals, policy context, exceptions, and compensating controls to be stored and retrievable from the governance system rather than reconstructed from ERP exports and email chains.
- Segment reviews by risk and identity type: Separate routine access from high-impact roles, and give service accounts, bots, and AI agents their own review criteria, owners, and expiry rules.
- Enforce lifecycle controls for non-human identities: Tie each non-human identity to a named owner, a stated purpose, a review cadence, and a removal trigger so audit can test accountability end to end.
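The four steps above, and the policy-context and NHI lifecycle sections earlier in the technical breakdown, describe one decision path: check the request against process-based SoD policy, segment it by risk and identity type, refuse non-human identities that lack lifecycle controls, and keep the decision as a single evidence record. The following Python sketch is an added example of that path, written for this page; it is not SafePaaS's or NHIMG's code. The conflict pairs, entitlement names, identities, rotation and review windows, and the `ACCESS-POLICY-7` policy reference are all constructed for illustration.

```python
# Added example (not SafePaaS or NHIMG code). All policy data, entitlement names,
# identities and the policy identifier below are constructed for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed SoD policy: (business process, entitlement A, entitlement B) that
# one identity must not hold together.
SOD_CONFLICTS = {
    ("procure-to-pay", "vendor_create", "payment_approve"),
    ("record-to-report", "journal_post", "journal_approve"),
    ("production-change", "change_approve", "deploy_prod"),
}
HIGH_RISK = {"vendor_create", "payment_approve", "journal_approve", "deploy_prod"}
POLICY_ID = "ACCESS-POLICY-7"  # hypothetical policy reference recorded with every decision

@dataclass
class Identity:
    name: str
    kind: str                          # "human" or "nhi"
    entitlements: set
    owner: Optional[str] = None
    purpose: Optional[str] = None
    expires: Optional[date] = None
    last_rotated: Optional[date] = None
    last_reviewed: Optional[date] = None

@dataclass
class Request:
    identity: Identity
    process: str
    entitlement: str
    approver: str
    justification: str

def sod_conflicts(process, held, requested):
    """Entitlements already held that conflict with `requested` inside `process`."""
    conflicts = set()
    for proc, a, b in SOD_CONFLICTS:
        if proc == process and requested == a and b in held:
            conflicts.add(b)
        if proc == process and requested == b and a in held:
            conflicts.add(a)
    return conflicts

def review_tier(identity, entitlement):
    """Segment reviews: high-impact entitlements first, then NHIs, then routine access."""
    if entitlement in HIGH_RISK:
        return "high-risk"
    return "nhi" if identity.kind == "nhi" else "routine"

def lifecycle_gaps(identity, today, rotation_days=90, review_days=90):
    """Owner, purpose, expiry, rotation and review evidence an NHI needs before production."""
    if identity.kind != "nhi":
        return []
    gaps = []
    if not identity.owner:
        gaps.append("no named owner")
    if not identity.purpose:
        gaps.append("no stated purpose")
    if identity.expires is None:
        gaps.append("no expiry")
    elif identity.expires < today:
        gaps.append("expired")
    if identity.last_rotated is None or (today - identity.last_rotated).days > rotation_days:
        gaps.append("credential not rotated within %d days" % rotation_days)
    if identity.last_reviewed is None or (today - identity.last_reviewed).days > review_days:
        gaps.append("no review evidence within %d days" % review_days)
    return gaps

def evaluate(req, today):
    """Decide the request and return the evidence record the governance layer keeps."""
    conflicts = sod_conflicts(req.process, req.identity.entitlements, req.entitlement)
    gaps = lifecycle_gaps(req.identity, today)
    if gaps:
        decision = "blocked"          # lifecycle gaps are closed before access, not after
    elif conflicts:
        decision = "needs-exception"  # SoD conflict: approve only with a compensating control
    else:
        decision = "approved"
    return {"identity": req.identity.name, "kind": req.identity.kind,
            "process": req.process, "entitlement": req.entitlement,
            "review_tier": review_tier(req.identity, req.entitlement),
            "policy": POLICY_ID, "approver": req.approver, "justification": req.justification,
            "sod_conflicts": sorted(conflicts), "lifecycle_gaps": gaps,
            "decision": decision, "decided_on": today.isoformat()}

def demo():
    """Three constructed requests: an SoD conflict, an NHI with lifecycle gaps, a clean grant."""
    today = date(2026, 5, 13)
    clerk = Identity("a.patel", "human", {"vendor_create"})
    bot = Identity("svc-ap-bot", "nhi", {"payment_run"}, purpose="batch payments",
                   expires=date(2026, 12, 31), last_rotated=date(2026, 1, 2),
                   last_reviewed=date(2026, 4, 1))
    analyst = Identity("b.kim", "human", set())
    requests = [Request(clerk, "procure-to-pay", "payment_approve", "j.lee", "month-end cover"),
                Request(bot, "procure-to-pay", "payment_approve", "j.lee", "automate approvals"),
                Request(analyst, "record-to-report", "report_view", "j.lee", "read-only reporting")]
    return [evaluate(r, today) for r in requests]

if __name__ == "__main__":
    for record in demo():
        print(record["identity"], record["decision"], record["sod_conflicts"], record["lifecycle_gaps"])
```

The point of the shape is that the record returned by `evaluate` is the evidence: approver, justification, policy reference, SoD result, lifecycle state and decision are written once, at decision time, so an auditor reads them from the governance layer rather than reconstructing them from ERP exports and email. The NHI with no named owner and a stale credential is blocked before it reaches production rather than certified and chased later, and the SoD conflict is surfaced to the approver as an exception that needs a documented compensating control instead of being hidden behind a role name.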
Key takeaways
- IGA that only moves access requests is not enough when audit needs proof of business context, ownership, and policy enforcement.
- Non-human identities widen the control gap because they often have excess privilege, weak lifecycle discipline, and inconsistent evidence trails.
- Practitioners should treat evidence, lifecycle ownership, and risk-based review as core governance functions, not as audit-season cleanup.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI5:2025 Overprivileged NHI | The article focuses on weak lifecycle control and excess access. |
| NIST CSF 2.0 | PR.AA-05 (access permissions, entitlements, and authorizations are defined in policy, managed, enforced, and reviewed, incorporating least privilege and separation of duties) | The post centres on access approvals, review, and evidence retention. |
| NIST Zero Trust (SP 800-207) | Section 2.1, tenets of zero trust | Zero Trust requires continuous verification, not spreadsheet-based certification. |
Map sensitive access to PR.AA-05 (the CSF 2.0 successor to the CSF 1.1 subcategory PR.AC-4) and verify every approval has traceable evidence.
Key terms
- Identity Governance and Administration: Identity Governance and Administration is the control layer that defines, approves, reviews, and removes access across systems. In practice, it should connect policy to lifecycle events and produce evidence that access decisions were justified, time bound, and traceable for audit and security review.
- Segregation of Duties: Segregation of Duties is the principle that no single identity should be able to complete conflicting actions that create fraud or control risk. In identity programmes, it is enforced through policy checks, review rules, and compensating controls when business needs make perfect separation impossible.
- Non-Human Identity: A Non-Human Identity is any machine, service, or autonomous software identity that can authenticate and act inside an environment. These identities include service accounts, API keys, tokens, certificates, bots, and AI agents, and they need ownership, lifecycle control, and review just like human access.
- Audit-Ready Evidence: Audit-ready evidence is access proof that can be retrieved directly from the control system without manual reconstruction. It should show who approved access, what policy they used, when the decision occurred, and whether any exceptions or compensating controls were applied.
Deepen your knowledge
Identity governance and administration for audit is covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are extending governance from human users to service accounts, bots, and AI agents, it is worth exploring.
This post draws on content published by SafePaaS: Internal Audit and CISOs rarely complain about a lack of systems. Read the original.
Published by the NHIMG editorial team on 2026-05-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org