TL;DR: Most IGA programmes still govern the 30% to 40% of applications they can see while the 60% to 70% shadow layer remains outside reviews, provisioning, and audit evidence, according to Zluri's analysis. The governance problem is not weak policy design, but incomplete discovery that leaves access truth fragmented across systems and teams.
At a glance
What this is: This is a visibility-first identity governance guide, and its key finding is that most companies govern only the applications they can already see.
Why it matters: It matters because IAM, NHI, and autonomous governance all fail when discovery is incomplete, leaving reviews, offboarding, and evidence only partly aligned to reality.
By the numbers:
- 60-70% of applications are shadow apps that IT doesn't even know about.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- Only 5.7% of organisations have full visibility into their service accounts.
Context
Identity governance is the discipline of proving who has access to what, why they have it, and whether that access is still justified. This article argues that most IGA failures start before policy, review, or certification, because the programme does not have complete visibility across the application and identity surface.
For IAM teams, the core issue is not that controls are absent. The issue is that identity providers, access reviews, and lifecycle workflows only cover the slice of the environment that has been federated or formally onboarded. Once shadow applications, unfederated access, and duplicate identities enter the picture, governance becomes partial by design.
Key questions
Q: What breaks when identity governance starts before visibility?
A: Access reviews, provisioning, and audit reporting all become partial controls when the organisation cannot see its full application and identity surface. The programme may appear mature inside the IdP, but the unseen estate still carries live access, stale entitlements, and orphaned accounts. That is how partial governance turns into a material weakness.
Q: When should organisations prioritise discovery over access reviews?
A: Discovery should come first whenever the team cannot confidently map all applications, identities, and entitlements in scope. If the review population is incomplete, certification becomes a documentation exercise instead of a control. Prioritise discovery before the next major audit, offboarding cleanup, or recertification cycle.
Q: How do you know if identity governance is actually working?
A: You know governance is working when the team can explain coverage, prove offboarding across connected and unconnected systems, and show that review outcomes match the real access surface. If the IdP says one thing and application logs say another, governance is still only partially effective.
Q: What is the difference between IdP administration and identity governance?
A: IdP administration handles login, provisioning, and basic group management for connected apps. Identity governance determines whether access is still appropriate, whether it has been reviewed, and whether it has been revoked everywhere it exists. Administration can create and remove accounts. Governance proves that access remains justified across the full estate.
Technical breakdown
Why visibility is the foundation of identity governance
Identity governance depends on complete inventory before it can assign policy, recertify access, or prove compliance. If an organisation cannot identify every application, account, and entitlement, then reviews only certify the known subset. That creates a structural gap between documented governance and actual access. Visibility is therefore not a reporting feature. It is the control plane that makes certification, least privilege, and offboarding meaningful across the full estate, including unmanaged applications and duplicated identities.
Practical implication: build discovery and inventory coverage before scaling access reviews or certification cycles.
Why identity providers do not equal governance
An identity provider handles authentication and basic administration for connected systems, but it does not inherently discover shadow IT, manage entitlements inside applications, or prove that access has been removed everywhere. That distinction matters because many organisations mistake SSO coverage for governance coverage. Once an application is not federated, the IdP becomes blind to lifecycle changes, role drift, and lingering access. Governance has to extend beyond the login layer into the application and entitlement layer.
Practical implication: treat IdP data as one input to governance, not as the complete access record.
How access debt accumulates in federated and unfederated estates
Access debt is the accumulation of old entitlements, duplicate identities, and unrevoked accounts after role changes, promotions, and offboarding. In federated environments it grows through role creep. In unfederated systems it persists because no control plane is watching. The result is a split reality: the governance team certifies one identity surface while the business continues to use another. That is why audits surface material weaknesses even when review workflows appear complete.
Practical implication: map identity debt across both connected and unmanaged applications before the next review cycle.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Sisense breach — unauthorised GitLab access led to exfiltration of access tokens, API keys and certificates.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Visibility-first governance is the real prerequisite for IGA maturity. The article is right to call out that access review quality is limited by discovery quality. When the programme only sees the federated portion of the environment, certification becomes a false measure of control. Practitioners should treat coverage as the first governance outcome, because incomplete visibility invalidates everything that follows.
Shadow applications create a governance blind spot that looks like compliance until an audit tests it. The post shows how teams can certify the accounts in their IdP while a much larger access population remains outside the review boundary. That is not a tooling problem in the narrow sense. It is a programme design problem, and it usually shows up as evidence gaps, orphaned access, and inconsistent offboarding.
Identity debt is the right named concept for the problem this article exposes. Old identities, duplicate usernames, stale entitlements, and unreconciled access records accumulate when governance starts after provisioning instead of before discovery. The practical conclusion is that every review cycle should begin with coverage validation, or the team will keep certifying a partial truth.
NHI governance inherits the same visibility failure, but at a higher scale. The article's logic maps directly onto service accounts, API keys, and tokens, where discovery is often weaker than for human identities. If an organisation cannot see the full NHI estate, it cannot offboard, rotate, or certify with confidence. Practitioners should assume the blind spot grows as machine identity sprawl increases.
Autonomous identity programmes will fail even faster if they copy this model. Governance that assumes a stable, visible, human-paced identity surface breaks once actors can change behaviour, access paths, or execution timing faster than the review process can observe. The lesson for agentic AI is not just more automation. It is that discovery, lineage, and lifecycle evidence have to exist before autonomy is allowed to scale.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- For the next step, review the lifecycle lens in NHI Lifecycle Management Guide to see how discovery gaps turn into offboarding failures.
What this signals
Identity coverage is now a governance metric, not an implementation detail. When teams can only see part of the estate, every downstream control inherits that blind spot. The operational question is no longer whether access reviews exist, but whether they are certifying the right population across both federated and shadow systems.
The same visibility gap now appears in NHI programmes, where service accounts, API keys, and tokens often outnumber human identities and remain less observable. That makes discovery, lineage, and ownership mapping the first practical step before rotation or offboarding can be trusted. For a broader baseline, the Ultimate Guide to NHIs remains the clearest reference point.
Identity debt: once access sprawl is visible, the programme can quantify how much old access, duplicate identity state, and stale entitlement data must be retired. That is the point at which governance moves from reporting activity to reducing residual risk, and the control objective becomes coverage completeness rather than review volume.
For practitioners
- Baseline identity coverage across every application: Inventory connected, shadow, and team-managed applications before expanding access governance. Compare IdP data with application logs, procurement records, and data-flow evidence so you know the real review boundary, not just the federated one.
- Rebuild access reviews around complete scope: Do not certify only the users visible in your IdP. Include unfederated applications, duplicate identities, and non-standard usernames so that review outcomes reflect actual access rather than a partial directory export.
- Close the lifecycle gap for offboarding and role change: Link HR events, manager approvals, and application-level revocation so that promotion, transfer, and termination workflows reach both connected systems and the long tail of unmanaged tools.
- Measure governance by coverage, not activity: Track the percentage of total applications and entitlements under continuous governance, not the number of reviews completed. A high review count is meaningless if the programme only sees a fraction of the access surface.
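The reconciliation that the technical breakdown describes (IdP data versus what the applications themselves report) and that the four practitioner steps above ask for, written out as an added example; this is not code from the original post or from Zluri's guide. It assumes three constructed data sets (an IdP assignment export, a per-application account inventory gathered from application logs or admin APIs, and an HR status feed) plus an alias map that the IAM team maintains for non-standard usernames. All function names and sample values are assumptions.

```python
"""Reconcile identity sources to expose the governance blind spot.

Added example, not Zluri's or NHIMG's code. Every data set below is constructed.
"""
from __future__ import annotations

from collections import defaultdict

# --- Constructed sample data ---------------------------------------------------

# Federated assignments the IdP knows about: (application, username).
IDP_ASSIGNMENTS = {
    ("salesforce", "alice.smith"),
    ("salesforce", "bob.jones"),
    ("github", "alice.smith"),
    ("github", "carol.wu"),
}

# Accounts reported by the applications themselves (logs / admin API exports).
# Includes local non-SSO accounts and one app the IdP has never seen.
APP_ACCOUNTS = {
    "salesforce": {"alice.smith", "bob.jones", "bjones-admin"},  # bjones-admin: duplicate identity
    "github": {"alice.smith", "carol.wu", "dave.kim"},           # dave.kim: local, unfederated account
    "notion": {"alice.smith", "dave.kim"},                       # notion: shadow application
}

# HR feed keyed by canonical person id (assumption: one id per employee).
HR_STATUS = {
    "alice.smith": "active",
    "bob.jones": "active",
    "carol.wu": "active",
    "dave.kim": "terminated",
}

# Non-standard usernames mapped back to the person who owns them (assumed IAM-maintained).
USERNAME_ALIASES = {"bjones-admin": "bob.jones"}


def canonical(username: str, aliases: dict[str, str] = USERNAME_ALIASES) -> str:
    """Resolve a non-standard username to its canonical person id."""
    return aliases.get(username, username)


def all_app_accounts(app_accounts: dict[str, set[str]] = APP_ACCOUNTS) -> set[tuple[str, str]]:
    """Flatten the application-side inventory into (app, username) pairs."""
    return {(app, user) for app, users in app_accounts.items() for user in users}


def shadow_apps(idp=IDP_ASSIGNMENTS, app_accounts=APP_ACCOUNTS) -> set[str]:
    """Applications that hold accounts but have no IdP assignment at all."""
    federated = {app for app, _ in idp}
    return set(app_accounts) - federated


def ungoverned_accounts(idp=IDP_ASSIGNMENTS, app_accounts=APP_ACCOUNTS) -> set[tuple[str, str]]:
    """Accounts that exist in an application but were never assigned through the IdP."""
    return all_app_accounts(app_accounts) - idp


def stale_idp_assignments(idp=IDP_ASSIGNMENTS, app_accounts=APP_ACCOUNTS) -> set[tuple[str, str]]:
    """Drift in the other direction: the IdP claims access that the application no longer has."""
    return idp - all_app_accounts(app_accounts)


def duplicate_identities(app_accounts=APP_ACCOUNTS, aliases=USERNAME_ALIASES) -> list[tuple[str, str, str]]:
    """(app, duplicate username, canonical person) where one person holds several accounts in one app."""
    dupes = []
    for app, users in app_accounts.items():
        by_person: dict[str, set[str]] = defaultdict(set)
        for user in users:
            by_person[canonical(user, aliases)].add(user)
        for person, names in by_person.items():
            if len(names) > 1:
                dupes.extend((app, name, person) for name in sorted(names - {person}))
    return sorted(dupes)


def orphaned_accounts(app_accounts=APP_ACCOUNTS, hr=HR_STATUS, aliases=USERNAME_ALIASES) -> list[tuple[str, str]]:
    """Accounts whose owner is terminated or unknown to HR: offboarding never reached them."""
    return sorted(
        (app, user)
        for app, user in all_app_accounts(app_accounts)
        if hr.get(canonical(user, aliases)) != "active"
    )


def coverage(idp=IDP_ASSIGNMENTS, app_accounts=APP_ACCOUNTS) -> dict[str, float]:
    """Share of applications and of accounts actually under IdP governance."""
    accounts = all_app_accounts(app_accounts)
    federated_apps = set(app_accounts) - shadow_apps(idp, app_accounts)
    return {
        "apps": len(federated_apps) / len(app_accounts),
        "accounts": len(accounts & idp) / len(accounts),
    }


if __name__ == "__main__":
    print("shadow apps:        ", sorted(shadow_apps()))
    print("ungoverned accounts:", sorted(ungoverned_accounts()))
    print("stale IdP entries:  ", sorted(stale_idp_assignments()))
    print("duplicate identities:", duplicate_identities())
    print("orphaned accounts:  ", orphaned_accounts())
    print("coverage:           ", coverage())
```

Run as-is, the report shows the IdP certifying 4 of 8 real accounts and 2 of 3 applications, one terminated person still holding two accounts, and one admin alias that a directory export would treat as a separate user. The `coverage` figures are the "percentage under continuous governance" metric from the last step, and they are what a review cycle should validate before any certification is signed off.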
Key takeaways
- Identity governance fails when the organisation cannot see the full access surface it is trying to certify.
- The scale problem is structural, with shadow applications and duplicate identities making review evidence incomplete even when workflows appear mature.
- Practitioners should measure coverage first, then use that discovery baseline to drive reviews, offboarding, and entitlement cleanup.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.AM | Asset and identity inventory are central to the visibility gap described here. |
| NIST Zero Trust (SP 800-207) | PR.AC | Zero Trust access decisions depend on accurate identity and application visibility. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Unmanaged secrets and service accounts mirror the article's shadow access problem. |
Map all applications and identities into a single inventory before certifying access reviews.
Key terms
- Identity Governance: Identity governance is the discipline of proving that access is appropriate, reviewed, and still justified across the full environment. It goes beyond creating accounts or enabling login. The practical test is whether the organisation can show complete coverage, decision evidence, and revocation across every system that matters.
- Shadow Application: A shadow application is a business tool or service used outside formal IT visibility, procurement, or federation controls. These systems often hold real access and sensitive data, but they do not appear fully in identity reports. That makes them a common source of blind spots in reviews, offboarding, and audit evidence.
- Identity Debt: Identity debt is the accumulation of stale accounts, duplicate identities, excess permissions, and incomplete revocation over time. It grows when lifecycle events outpace governance controls or when teams only manage the portion of the estate they can easily see. The result is risk that looks documented but remains active.
- Access Visibility: Access visibility is the ability to see who has access to what across the full identity surface, including connected and unmanaged systems. It is the prerequisite for meaningful certification, least privilege, and offboarding. Without it, governance reports describe only part of the environment and can mislead auditors and operators alike.
Deepen your knowledge
Identity visibility and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are dealing with shadow applications, offboarding gaps, or duplicate identity state, it is worth exploring.
This post draws on content published by Zluri: Security & Compliance Identity Governance and Administration - A Visibility-First Guide. Read the original.
Published by the NHIMG editorial team on 2026-03-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org