By NHI Mgmt Group Editorial Team
Published 2026-06-24
Domain: Governance & Risk
Source: Zluri

TL;DR: Governance value depends less on workflow polish than on how much of the identity surface a platform can actually discover and control, including shadow apps, NHIs, and lifecycle events, according to Zluri. The real issue is that access review and JIT controls fail when the governed perimeter is narrower than the environment.


At a glance

What this is: A vendor comparison argues that identity governance breaks down when discovery, review, and lifecycle controls stop at an integration boundary.

Why it matters: IAM teams need to judge platforms by governed coverage across human and non-human identities, not by request UX alone.

👉 Read Zluri’s comparison of identity governance coverage against Lumos


Context

Identity governance fails when the system of record does not match the actual identity surface. In this comparison, the real issue is not which interface is cleaner, but whether the platform can discover, review, and offboard every human and non-human identity that has access to enterprise systems.

That gap matters because access requests, access reviews, JIT, and lifecycle controls are only as strong as the estate they can see. Once shadow apps, OAuth-connected tools, service accounts, and AI agents sit outside the governed perimeter, the programme becomes partial by design.


Key questions

Q: How should security teams evaluate identity governance platforms that rely on integration libraries?

A: Teams should test whether the platform can discover, certify, and revoke access beyond its connector catalogue. If shadow apps, OAuth connections, service accounts, or AI-driven access paths sit outside scope, the platform is governing a subset of the estate rather than the estate itself. Coverage is the control.

Q: Why do incomplete identity inventories weaken access reviews and offboarding?

A: Because certifications and leaver workflows only work on identities the programme can see. When access exists outside the inventory, reviewers cannot attest to it and offboarding cannot remove it. That leaves lingering access in shadow systems, which creates audit risk and preserves opportunities for misuse.

Q: What do security teams get wrong about just-in-time access in mixed environments?

A: They assume JIT is a single control when it is really a boundary-dependent control. If temporary access works only in the main app catalogue, then every system outside that catalogue still relies on manual handling. The result is uneven privilege reduction and weak revocation assurance.

Q: Who is accountable when non-human identities remain outside lifecycle governance?

A: Accountability sits with the identity and platform owners who allow non-human access to bypass the same joiner, mover, and leaver processes used for people. If service accounts, tokens, and OAuth grants are excluded, compliance evidence is incomplete and ownership is effectively diffused across teams.


Technical breakdown

Why integration-library discovery creates governance blind spots

A single integration library is a bounded discovery model. It can only govern applications and identities that have connectors, while leaving direct SaaS sign-ups, OAuth-connected tools, browser extensions, API tokens, and other shadow assets outside visibility. That matters because discovery is not just inventory. It determines what can be certified, what can be revoked, and what can be proved to auditors. If discovery is partial, every downstream control inherits that limitation. The result is a governance perimeter that looks complete in dashboards but is incomplete in practice.

Practical implication: treat discovery coverage as a control requirement, not an implementation detail.

How access reviews fail when the governed surface is incomplete

Access reviews are point-in-time certifications, so they depend on the review scope matching actual access. If the platform only certifies what it can see, then unconnected applications, NHI credentials, and shadow access never enter the attestation workflow. That creates a false sense of compliance: reviewers complete their tasks, but the organisation still retains unreviewed access outside the catalogue. In identity governance terms, the issue is not review cadence. It is review perimeter. A narrow perimeter turns certifications into partial evidence rather than complete control.

Practical implication: verify that every access path, including NHI access, is in certification scope.

Why JIT access is only as strong as its enforcement boundary

Just-in-time access reduces standing privilege only when the grant and revoke actions are enforced across the full environment. If the platform applies JIT inside a limited app catalogue, requests for out-of-library systems fall back to email, chat, or tickets, which breaks time-bound enforcement. That creates a split governance model: controlled access in one zone, unmanaged temporary privilege in another. For security teams, the technical question is not whether JIT exists. It is whether the revocation event is authoritative everywhere access can be created.

Practical implication: confirm that JIT revocation works across all governed systems, not just the easy ones.


Threat narrative

Attacker objective: exploit unmanaged identity paths that the governance programme cannot see, review, or revoke.

  1. Entry occurs through identities and applications that sit outside the platform's discovery boundary, including shadow IT, OAuth-connected tools, and unmanaged non-human credentials.
  2. Escalation happens when those unseen identities retain access after offboarding, lack certification coverage, or bypass time-bound control workflows.
  3. Impact follows when over-privileged or forgotten access persists long enough to enable unauthorized data access, audit failure, or lateral movement.

  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Governance that stops at a connector boundary is not full identity governance. The article’s core premise is that visibility determines control, and that premise is correct. If a platform cannot discover shadow apps, OAuth-connected tools, service accounts, and AI agents, then access requests and certifications are only partial governance artifacts. The practitioner conclusion is simple: coverage, not interface polish, is the real evaluation criterion.

Discovery-first governance is the named concept this comparison exposes. The useful term here is governance perimeter, meaning the set of identities and applications a programme can actually observe, review, and revoke. Once that perimeter narrows to an integration library, the organisation starts certifying a subset of access and calling it control. The implication is that identity governance must be judged by observable estate coverage, not by the number of workflows it exposes.

NHI governance fails when service accounts and API tokens are treated as an add-on rather than part of the core identity surface. The comparison correctly acknowledges that non-human identities now occupy a large share of enterprise access, but the deeper point is lifecycle symmetry. If humans are offboarded while API keys, OAuth grants, and service accounts remain outside the same process, the programme is inconsistent by design. Practitioners should read that as a lifecycle governance flaw, not a feature gap.

Access review cadence cannot compensate for an incomplete review perimeter. Review frequency matters only after scope is right. A quarterly certification process that excludes shadow IT and unmanaged NHI credentials still leaves material access untouched for months. The practitioner takeaway is that evidence of governance maturity should start with perimeter completeness, then move to cadence and remediation quality.

Just-in-time access is only meaningful when revocation is authoritative across the whole estate. If temporary access becomes email or ticket-based outside the governed catalogue, standing privilege simply reappears under a different label. That is not least privilege; it is fragmented privilege management. The right question for teams is whether JIT applies to every identity type and every system that matters.

From our research:

What this signals

Governance perimeter will become the more useful evaluation lens for identity programmes than feature checklists. When the platform cannot see an identity, it cannot certify, revoke, or explain it, and that gap will continue to matter more than workflow polish.

The teams most exposed are the ones that have already mixed SaaS sprawl, OAuth-connected apps, and non-human identities into one environment. For them, the next buying decision is not about request UX; it is about whether the tool can govern the full identity surface with evidence.

Because 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, the practical signal is clear: discovery maturity is now a prerequisite for lifecycle control, not a separate hygiene task.


For practitioners

  • Map the governed identity perimeter: Inventory every access path that sits outside the platform’s direct connector model, including shadow SaaS, OAuth-linked tools, API keys, service accounts, and AI-driven automations.
  • Test offboarding against the real access footprint: Validate whether leaver workflows revoke access beyond the HRMS and IdP boundary, including third-party apps, non-human credentials, and app ownership records.
  • Re-scope access certifications to include non-human identities: Require evidence that service accounts, tokens, certificates, and OAuth grants enter the same review cycle as human entitlements and are remediated on the same timetable.
  • Verify time-bound enforcement outside the main catalog: Check whether temporary access can be created and revoked in legacy systems, niche apps, and non-standard SaaS without reverting to manual ticket handling.
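The four steps above, together with the Technical breakdown sections on discovery blind spots, review perimeter and JIT enforcement, reduce to one reconciliation: compare the systems the platform reaches through its connectors with every access path actually observed, then check leavers, certification scope and JIT expiry against that wider set. The Python below is an editorial example added to this post; it is not code from Zluri, Lumos or NHI Mgmt Group. Every identity, system name, owner, timestamp and grant in it is constructed sample data, and the "governed systems" set stands in for whatever connector catalogue a real platform exposes.

```python
"""Governance-perimeter gap analysis over a constructed identity inventory.

Reconciles the set of systems a governance platform reaches through its
connectors with every access path actually observed (IdP assignments, OAuth
consents, service accounts, AI agents, JIT grants), then runs the four checks
from the practitioner list. All identities, systems and timestamps are
constructed sample data, not taken from any real environment or product.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Identity:
    id: str
    kind: str             # "human" or "nhi"
    owner: str            # accountable human principal
    systems: frozenset    # systems this identity can currently reach


@dataclass(frozen=True)
class JitGrant:
    identity: str
    system: str
    expires_at: datetime
    revoked: bool         # True only if the revoke event actually executed


# Systems the platform governs through its connector catalogue (constructed).
GOVERNED_SYSTEMS = frozenset({"okta", "workday", "github", "salesforce"})

# Observed access paths, including ones outside the catalogue (constructed).
# bob has already been removed from the IdP-connected apps by the leaver
# workflow, but a shadow SaaS sign-up and an OAuth bot he owns remain.
OBSERVED = [
    Identity("alice", "human", "alice", frozenset({"okta", "github", "salesforce"})),
    Identity("bob", "human", "bob", frozenset({"notion-shadow"})),
    Identity("svc-ci-deploy", "nhi", "alice", frozenset({"github", "aws-prod"})),
    Identity("oauth-calendar-bot", "nhi", "bob", frozenset({"gsuite-oauth"})),
    Identity("ai-agent-support", "nhi", "carol", frozenset({"salesforce", "zendesk"})),
]

LEAVERS = frozenset({"bob"})                              # from HR (constructed)
CERTIFIED = frozenset({"alice", "bob", "svc-ci-deploy"})  # last review cycle
NOW = datetime(2026, 6, 24, 12, 0, tzinfo=timezone.utc)
JIT_GRANTS = [
    JitGrant("alice", "github", datetime(2026, 6, 24, 10, 0, tzinfo=timezone.utc), revoked=True),
    # Out-of-catalogue system: granted via a ticket, so nothing revoked it.
    JitGrant("alice", "aws-prod", datetime(2026, 6, 23, 18, 0, tzinfo=timezone.utc), revoked=False),
    JitGrant("svc-ci-deploy", "github", datetime(2026, 6, 25, 0, 0, tzinfo=timezone.utc), revoked=False),
]


def ungoverned_access(identities, governed=GOVERNED_SYSTEMS):
    """Step 1: per identity, the systems that sit outside the connector perimeter."""
    return {i.id: sorted(i.systems - governed) for i in identities if i.systems - governed}


def lingering_leaver_access(identities, leavers):
    """Step 2: identities (human or NHI) still holding access although their owner has left."""
    return sorted(i.id for i in identities if i.owner in leavers and i.systems)


def outside_certification(identities, certified):
    """Step 3: identities that never entered the last review cycle."""
    return sorted(i.id for i in identities if i.id not in certified)


def expired_but_standing(grants, now):
    """Step 4: JIT grants past expiry with no revoke event, i.e. standing privilege."""
    return sorted((g.identity, g.system) for g in grants if g.expires_at <= now and not g.revoked)


def coverage_ratio(identities, governed=GOVERNED_SYSTEMS):
    """Share of observed (identity, system) pairs the platform can actually govern."""
    pairs = [(i.id, s) for i in identities for s in i.systems]
    inside = sum(1 for _, s in pairs if s in governed)
    return inside / len(pairs) if pairs else 0.0


def gap_report(identities=OBSERVED, grants=JIT_GRANTS, now=NOW):
    """Combine the four checks into one evidence record for the review."""
    return {
        "coverage_ratio": coverage_ratio(identities),
        "ungoverned_access": ungoverned_access(identities),
        "lingering_leaver_access": lingering_leaver_access(identities, LEAVERS),
        "outside_certification": outside_certification(identities, CERTIFIED),
        "expired_jit_grants": expired_but_standing(grants, now),
    }


if __name__ == "__main__":
    for key, value in gap_report().items():
        print(f"{key}: {value}")
```

On the sample data the platform governs only 5 of 9 observed identity-to-system pairs, the leaver still holds a shadow SaaS login and an OAuth bot, two NHIs never entered certification, and the one JIT grant into an out-of-catalogue system is past expiry with no revoke event. Each finding maps to one of the checks in the list, which is the point: the report is evidence of perimeter completeness first, and only after that does cadence or request UX matter.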

Key takeaways

  • The central risk in this comparison is not weak UX, but a governance perimeter that ends before the real identity surface does.
  • The evidence points to a familiar pattern: once discovery is partial, access reviews, JIT, and offboarding all become partial too.
  • Teams should choose platforms based on whether they can observe, certify, and revoke every identity type in scope, including NHIs and shadow access.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-03              | Discovery gaps and unmanaged secrets are central to the article's governance critique.
NIST CSF 2.0                     | PR.AC-4             | Access rights management depends on complete scope, not partial catalogue coverage.
NIST Zero Trust (SP 800-207)     | PR.AC-1             | Zero Trust requires continuous verification across the full identity surface.

Map all non-human identities and verify they are inventoried before any certification or offboarding workflow.


Key terms

  • Governance Perimeter: The set of identities, applications, and entitlements a programme can actually observe and control. In practice, it is the boundary between what can be reviewed, revoked, and evidenced and what remains outside the governance workflow, regardless of whether it is sanctioned or shadow.
  • Non-Human Identity: A machine or software identity that authenticates and acts on behalf of a workload, integration, or automated process. This includes service accounts, API keys, tokens, certificates, OAuth grants, and AI agents when they are operating as identities rather than as people.
  • Access Review Perimeter: The exact scope of identities and permissions that enter a certification cycle. A narrow perimeter can produce audit-ready paperwork while still leaving material access untouched, so the control is only as strong as the completeness of its scope.
  • Just-In-Time Access: A provisioning pattern where elevated access is granted only when needed and removed automatically after use. Its security value depends on authoritative revocation and coverage across every system where temporary privilege can be created.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri (Security & Compliance): "Zluri vs. Lumos: An In-Depth Comparison". Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org