TL;DR: Identity governance is shifting to continuous, automated, policy-driven operations, with a median of 98% of access requests automated, 21,000 identities governed per organisation, and 90% of review tasks completed in under five days, according to ConductorOne data. Periodic access review models cannot keep pace once software, not people, becomes the primary execution layer.
At a glance
What this is: This blog argues that identity governance is moving from periodic human review to continuous automation, with ConductorOne's data showing most access activity is now handled by policy and workflow.
Why it matters: IAM teams must adapt governance for NHI, autonomous, and human identities alike because access decisions are increasingly machine-paced, exception-driven, and operationally embedded.
By the numbers:
- At the median, ~98% of access requests were automated.
- At the median, 90% of access review tasks were completed in under five days.
👉 Read ConductorOne's blog on identity governance at AI speed
Context
Identity governance is the discipline of deciding who or what can access which systems, and under what conditions. In this post, the primary issue is not new tooling but the shift from periodic, human-led review to continuous, policy-driven governance at machine speed.
The article's core claim is that older review cadences break down when applications, access changes, service accounts, and AI agents all move faster than quarterly or annual governance cycles. That matters for NHI, because software identities now dominate execution in many environments, but it also changes how human access review is operated.
ConductorOne frames this as an operating-model change, not a compliance-only update. The typical organisation now has to govern far more identities, more frequently, and with less tolerance for manual bottlenecks than legacy identity programmes were built to handle.
Key questions
Q: How should security teams govern access when automation handles most requests?
A: Security teams should treat automation as the default execution path and build policy around exception handling, risk thresholds, and enforcement hooks. Human review should focus on sensitive access, ambiguous cases, and control failures that policy cannot resolve. The key is to design governance for decision volume, not reviewer availability.
Q: Why do periodic access reviews break down in software-first environments?
A: Periodic reviews assume access changes slowly enough for humans to inspect it on a fixed schedule. In software-first environments, entitlements, service accounts, and automation identities change continuously, so review campaigns become stale before they finish. Governance has to move closer to the change event if it is to remain effective.
Q: What do organisations get wrong about automating identity governance?
A: They often automate the workflow without hardening the policy. That scales inconsistency, because the system will grant or certify access according to whatever rules exist, even if those rules are incomplete or too permissive. The real work is policy design, not simply workflow acceleration.
Q: How do you know if identity governance automation is actually working?
A: Look for fast exception closure, low manual rework, and clean enforcement across provisioning and revocation, not just a high automation rate. If approvals are automated but exceptions linger or access remains after revocation, the programme is moving faster without improving control.
Technical breakdown
Automated access requests and policy-driven governance
Automation shifts access governance from ticket handling to policy evaluation. Instead of a human approving each request, the system checks rules, entitlements, risk signals, and workflow conditions before deciding whether access can be granted. That changes governance from a serial review process into a control plane that operates continuously. The practical impact is that policy quality, exception logic, and enforcement integration become more important than reviewer throughput. If the rules are weak, automation scales the weakness just as effectively as it scales efficiency.
Practical implication: map request classes to explicit policy paths, then test exception handling before expanding automation.
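As an added illustration (not ConductorOne's or NHIMG's code), here is a minimal policy-path router in Python that applies the approach above: request classes map to explicit paths, unmapped entitlements and high-risk signals fall through to exception handling, and two of the "is it working" metrics from the key questions (automation rate, grants still active past their expiry) are computed. The sensitivity tiers, subject kinds, risk thresholds and TTLs are constructed placeholders, not values from the article.

```python
"""Policy-path router for access requests (added example; constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical sensitivity tiers; a real catalogue would supply these.
SENSITIVITY = {"read:reports": "low", "write:billing": "high", "admin:prod": "critical"}

# Explicit policy path per tier: which subject kinds may be auto-granted,
# and how long an automated grant lives before it must be recertified.
POLICY = {
    "low":      {"auto_kinds": {"employee", "service"}, "ttl": timedelta(days=90)},
    "high":     {"auto_kinds": {"employee"},            "ttl": timedelta(days=7)},
    "critical": {"auto_kinds": set(),                   "ttl": timedelta(hours=4)},
}

@dataclass
class Request:
    subject: str
    kind: str         # "employee", "service" or "agent" (constructed classes)
    entitlement: str
    risk_score: int   # 0-100 from upstream risk signals (constructed)

def route(req: Request, now: datetime) -> dict:
    """Decide the policy path: auto-grant, route to human review, or deny."""
    tier = SENSITIVITY.get(req.entitlement)
    if tier is None:
        # Unknown entitlement: never auto-grant; force a human decision.
        return {"path": "review", "reason": "unmapped entitlement"}
    if req.risk_score >= 80:
        return {"path": "deny", "reason": "risk above threshold"}
    rule = POLICY[tier]
    if req.kind in rule["auto_kinds"] and req.risk_score < 50:
        # Automated grants are always time-bound so the review is continuous.
        return {"path": "auto", "expires": now + rule["ttl"]}
    return {"path": "review", "reason": f"{tier} entitlement for {req.kind}"}

def automation_rate(decisions: list) -> float:
    """Share of decisions resolved without a human; the headline metric."""
    auto = sum(1 for d in decisions if d["path"] == "auto")
    return auto / len(decisions) if decisions else 0.0

def overdue(grants: list, now: datetime) -> list:
    """Subjects whose grant expired but still shows active in the target system:
    the 'access remains after revocation' failure that a high rate can hide."""
    return [g["subject"] for g in grants if g["active"] and g["expires"] <= now]
```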
Continuous access reviews in high-volume identity environments
Modern review programmes fail when they still assume humans can meaningfully inspect every entitlement on a fixed cadence. Once organisations reach thousands or millions of review decisions, the review campaign becomes an orchestration problem, not a manual audit task. Automation compresses the review cycle by pre-populating evidence, routing only exceptions, and enforcing outcomes in line with provisioning systems. This does not remove governance. It changes its timing and artifact model. Reviews become continuous signals from the system rather than discrete events managed by calendar.
Practical implication: redesign review workflows around exception volume, evidence quality, and enforcement speed rather than campaign completion alone.
Why identity governance becomes the control plane in software-first environments
When software identities, service accounts, and AI-driven automation outnumber humans in execution, identity governance becomes the mechanism that controls business operations, not just user access. The control plane is the layer where policy, provisioning, approvals, and revocation are coordinated across SaaS, cloud, and infrastructure. In that model, governance determines both access and operational continuity. If identity controls are fragmented, the organisation gets inconsistent enforcement and delayed revocation. If they are embedded, governance can keep pace with machine-speed change.
Practical implication: unify lifecycle, provisioning, and review telemetry so governance can act as an operating control rather than a retrospective report.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity governance is no longer an episodic review function; it is becoming the execution layer for access decisions. The post's strongest signal is that automation is now absorbing the bulk of routine governance work, which means the old quarterly model is structurally late. For practitioners, this reframes identity governance from a compliance calendar into a continuous policy system.
Continuous review cadence: A governance model designed for human-paced certification assumes access persists long enough to be inspected on schedule. That assumption fails when automation resolves most access decisions immediately and at scale, before a reviewer ever sees a queue item. The implication is not simply more automation, but a redefinition of what can be governed through human review at all.
The rise of software-first identity populations makes NHI governance inseparable from enterprise identity strategy. The article's data points to environments where service accounts and automation dominate operational identity volume, which means access governance can no longer be designed around employee-centric assumptions. A programme that treats non-human access as a side category will miss the control plane where actual execution occurs.
Policy quality is now the primary governance variable, because automation magnifies both control and error. When 98% of requests are automated, the policy layer becomes the place where least privilege is either enforced or overextended. That makes entitlement design, exception handling, and lifecycle linkage the real governance battleground for IAM teams.
AI-speed governance will validate only the programmes that can separate oversight from execution. Human teams should not try to preserve manual approval as the default control for machine-paced environments. The field is moving toward embedded governance, where humans own judgment and policy while systems handle repeatable enforcement. Practitioners should treat this as a redesign of the operating model, not a tooling preference.
From our research:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- Treat governance as lifecycle control, not just access approval, and use the NHI Lifecycle Management Guide to align provisioning, rotation, and offboarding with enforcement.
What this signals
Policy-first governance will become the baseline for identity teams that operate at machine speed. The immediate programme implication is that review cadence, provisioning logic, and exception routing must be designed together, because separate tooling layers cannot keep up with continuous access change. For organisations governing mixed human and non-human populations, the winning model is the one that reduces manual decision points without weakening accountability.
Identity sprawl now forces teams to treat non-human access as operational infrastructure. With 97% of NHIs carrying excessive privileges according to the Ultimate Guide to NHIs, the margin for improvisation is already gone. Practitioners should expect governance programmes to move toward centralised policy control, stronger entitlement hygiene, and tighter lifecycle enforcement across service accounts and automation identities.
Continuous governance only works when the audit trail is built into execution. That aligns with the NIST Cybersecurity Framework 2.0 emphasis on protect, detect, and recover functions, but the practical shift is broader: teams need evidence that can be generated as work happens, not assembled after the fact. The programme signal is clear: if governance cannot prove itself in the flow of work, it will be treated as overhead.
For practitioners
- Redesign access workflows around policy enforcement: Classify requests into policy-driven paths, then reserve human review for exceptions, sensitive entitlements, and regulatory triggers. Measure whether approvals are still happening because policy cannot decide, or because teams have not yet encoded the rule set cleanly.
- Rebuild review campaigns as continuous exception workflows: Use automated evidence collection, reminder logic, and enforcement hooks so access reviews become a live control, not a quarterly scramble. Track exception volume and closure speed separately from campaign completion so you can see where human effort is still the bottleneck.
- Govern NHI and human access through one operating model: Bring service accounts, automation identities, and employee access into the same governance inventory so lifecycle, recertification, and revocation are not fragmented by actor type. The objective is to see where machine-driven execution already exceeds human review cadence.
- Instrument governance as a control plane, not a report: Connect provisioning, approval, revocation, and audit telemetry so policy outcomes can be enforced and verified in the flow of work. That gives security teams visibility into whether governance is shaping execution or simply recording it after the fact.
Key takeaways
- Identity governance is shifting from periodic human review to continuous policy enforcement because software now executes most routine access work.
- Automation at scale changes the governance problem, since policy design and exception handling matter more than manual approval throughput.
- IAM teams should rebuild governance around lifecycle control, auditable enforcement, and mixed human and non-human identity populations.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Automation-heavy governance depends on controlling NHI lifecycle and revocation. |
| NIST CSF 2.0 | PR.AC-4 | Policy-driven access decisions align with least-privilege access management. |
| NIST Zero Trust (SP 800-207) | PR.AC | Continuous verification fits the article's shift from periodic review to embedded governance. |
Use zero trust access principles to make every entitlement decision conditional and continuously evaluated.
Key terms
- Identity governance: Identity governance is the control discipline that determines who or what should have access, under what conditions, and for how long. In modern environments it spans employees, service accounts, automation, and AI-driven actors, with policy, review, and revocation all tied to execution rather than calendar-based oversight.
- Access review automation: Access review automation is the use of workflow, policy, and evidence collection to reduce manual certification work. It does not remove governance. It changes the operating model so reviewers focus on exceptions, risk, and accountability instead of reading every entitlement one by one.
- Control plane: A control plane is the governance layer that coordinates policy, provisioning, revocation, and audit across systems. In identity security, it becomes the place where access decisions are enforced in real time, rather than documented after the fact in a separate reporting process.
- Non-human identity: A non-human identity is any machine-issued or software-run identity such as a service account, API key, token, certificate, workload identity, bot, or AI agent. These identities execute at machine speed and require lifecycle and access controls that are different from, but aligned with, human IAM.
Deepen your knowledge
Identity governance at AI speed is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are redesigning governance for automation-heavy environments, this is a practical place to start.
This post draws on content published by ConductorOne: What Identity Governance Looks Like When Automation Does the Work. Read the original.
Published by the NHIMG editorial team on 2026-02-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org