By NHI Mgmt Group Editorial TeamPublished 2026-04-27Domain: Governance & RiskSource: OpenIAM

TL;DR: Identity governance for Entra works well inside Microsoft’s ecosystem, but it leaves applications, IAM systems, and access paths outside that scope inconsistent or invisible, according to OpenIAM. The real issue is not Entra coverage, but the structural failure of platform-bounded governance in multi-system enterprise estates.


At a glance

What this is: OpenIAM argues that Entra-centric identity governance creates a false sense of centralized control because governance stops at platform boundaries.

Why it matters: This matters because IAM teams need governance that spans human identities, NHI estates, and autonomous systems, not just the platform with the deepest native integrations.

👉 Read OpenIAM’s analysis of identity governance for Entra and enterprise fragmentation


Context

Identity governance for Entra is not failing because Microsoft Entra lacks governance features. It fails when enterprises confuse platform coverage with enterprise-wide governance, leaving SaaS apps, legacy systems, partner access, and workloads outside the control plane.

In practice, that means certifications, access reviews, and lifecycle workflows can look complete inside one system while the broader identity estate remains fragmented. For teams running multi-platform IAM, the problem is the governance model, not the directory alone.


Key questions

Q: How should security teams govern identity access across Entra and other platforms?

A: Use Entra as one control source, but evaluate identity governance at the enterprise layer. Security teams should correlate entitlements, certifications, and lifecycle events across SaaS apps, legacy systems, and other IAM platforms so the review process reflects the full access state, not only what Entra can see.

Q: Why do Entra-centric governance models create blind spots in large enterprises?

A: They create blind spots because many applications, vendors, and local access paths sit outside Entra’s native governance scope. When policy, certification, and revocation only operate inside one platform, every external system becomes a potential unmanaged access path.

Q: How do teams know whether identity governance is actually working across systems?

A: Look for consistent certification coverage, revocation timing, and policy enforcement across all identity systems, not just the primary directory. If access reviews, offboarding, or entitlement changes differ materially by platform, governance is fragmented even if the main dashboard looks complete.

Q: Who is accountable when access remains unmanaged outside Entra?

A: Accountability should sit with the enterprise identity governance function, not the directory owner alone. When access is provisioned or reviewed outside the primary platform, the organisation still owns the risk, and governance teams must define how those systems are brought under one policy model.


Technical breakdown

Why platform-bounded governance creates blind spots

A platform-bounded governance model assumes that the system holding identity data can also govern the whole enterprise. That works only where identity, policy, and enforcement all live inside the same boundary. In mixed estates, Entra can certify and review what it knows about, but it cannot automatically govern adjacent SaaS apps, legacy IAM stacks, or local admin paths that never enter its workflow. The technical failure is not a missing feature. It is a broken control boundary, where visibility, policy, and remediation do not travel together across systems.

Practical implication: Treat Entra as one governance source, not the governance source for the whole estate.

How inconsistent policy enforcement emerges across identity systems

Different identity systems use different data models, entitlement structures, and enforcement logic. A privilege that is tightly reviewed in Entra may be handled by a separate access model in another application, with different approval paths, different certification cadence, and different revocation mechanics. That creates policy drift across the enterprise, even when each individual system appears well controlled. The issue is structural: governance rules cannot remain uniform if each system interprets identity and access independently. Central policy only works if the enforcement layer can evaluate all relevant systems against the same logic.

Practical implication: Map where policy decisions diverge by platform, then close the gap with a governance layer above individual systems.

Why cross-system access risk is invisible to single-platform reviews

Single-platform reviews miss entitlement combinations that only become risky when viewed across systems. A user may look properly certified in Entra while holding separate access in a SaaS app, a legacy system, or a business-managed tenant that changes the actual risk profile. This is a classic governance aggregation problem. Risk does not always sit inside one system. It often appears at the edges, where access is provisioned locally, reviewed inconsistently, or never linked back to enterprise policy. Without cross-system correlation, the organisation sees completeness where there is only partial coverage.

Practical implication: Correlate access across platforms before certification so reviewers see the actual risk state, not the Entra-only view.



NHI Mgmt Group analysis

Identity governance cannot be centralized if the identity estate is not centralized. Entra-centric governance creates the impression that one control plane can govern every identity path, but enterprise environments are multi-system by design. Applications, vendor access, legacy platforms, and decentralised provisioning all break that assumption. The implication is not to add more reviews inside Entra, but to stop treating one platform boundary as an enterprise governance boundary.

Platform-native governance is always partial governance. Access reviews, entitlement management, and lifecycle workflows are only as complete as the systems they can actually see and enforce. That makes the model operationally convenient but structurally incomplete, especially where business units, shadow IT, or external applications manage access outside the platform. Practitioners should recognise the control gap as architectural, not procedural.

Cross-system governance requires a control layer above identity platforms. The article’s core point is that centralized identity infrastructure does not guarantee centralized governance. That aligns with NIST Cybersecurity Framework 2.0 and the general principle of evaluating protect and detect functions across the full asset and identity estate, not just the directory. The practitioner takeaway is to govern across systems, not inside one product boundary.

Fragmentation becomes the default failure mode when governance follows the system of record. When identity review, policy logic, and enforcement all depend on the same platform, every non-integrated system becomes a blind spot. That is the named governance failure this article exposes: platform-bounded control. Teams should treat any single-directory model as a partial view and build for federated governance from the start.

From our research:

  • The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, including 46% confirmed and 26% suspected.
  • For broader lifecycle context, NHI Lifecycle Management Guide shows why provisioning, rotation, and offboarding must be governed beyond a single platform.

What this signals

Platform-centric governance will keep failing wherever identity estates stay multi-system. The practical lesson for security teams is to stop equating directory dominance with governance completeness. The more enterprises mix Entra, SaaS-native access, legacy systems, and external tenants, the more they need a unified policy layer that can evaluate risk across systems rather than inside one platform.

Identity fragmentation is increasingly a lifecycle problem, not just an access problem. When provisioning, certification, and deprovisioning occur in different systems, governance drift becomes inevitable. For teams modernising IAM, the next planning question is whether they can trace every identity decision across platforms, including the ones Entra does not own.

More than 1 in 5 of their non-human identities are insufficiently secured. That figure matters here because the same control-bounded thinking that fragments human governance also leaves service accounts, tokens, and workload identities outside coherent oversight. Entra coverage alone will not close the gap if machine identities are governed in separate silos.


For practitioners

  • Inventory every identity system that affects access decisions Build a complete map of Entra, other IAM platforms, SaaS-native directories, legacy systems, partner access, and business-managed applications. Governance gaps usually begin where an application or access path was never brought into the review process.
  • Separate visibility from governance authority Use Entra for its native controls, but do not assume its dashboards equal enterprise coverage. Establish a governance layer that can ingest access data from multiple platforms and apply one policy model across them.
  • Reconcile access across systems before certification When running access reviews, correlate entitlements from Entra with external applications and downstream identity systems so reviewers see the full access picture. Cross-system access combinations are where risk often hides.
  • Standardize revocation and lifecycle triggers Define offboarding, role change, and entitlement removal triggers that apply across platforms, not just inside Entra. If revocation depends on each system’s local process, governance will remain fragmented.

Key takeaways

  • Entra-centric governance creates a false sense of completeness when the real identity estate spans multiple systems.
  • The scale of the risk is architectural, because access risk accumulates wherever policy, certification, and enforcement do not follow the same boundary.
  • The practical response is to govern above the platform layer so reviews, revocation, and policy apply consistently across all identity systems.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Cross-system access governance depends on consistent control over identity permissions.
NIST Zero Trust (SP 800-207)Zero Trust requires continuous evaluation across boundaries, not just inside one directory.
OWASP Non-Human Identity Top 10NHI-01Fragmented governance leaves machine identities and secrets outside consistent oversight.

Extend governance to non-human identities and ensure lifecycle controls cover all identity sources.


Key terms

  • Entra-centric governance: A governance model that uses Microsoft Entra as the primary control point for certifications, lifecycle workflows, and access policy decisions. It works inside the platform’s own boundaries, but becomes incomplete when other systems manage identities, entitlements, or reviews outside that scope.
  • Governance fragmentation: The condition where identity policy, reviews, and enforcement differ across systems instead of following one consistent enterprise model. Fragmentation usually appears when applications, business units, or legacy platforms run access processes outside the main governance layer.
  • Cross-system access visibility: The ability to see and evaluate entitlements across multiple identity systems at once. It matters because risk often emerges from combined access, not from any single system viewed in isolation, and because certification without correlation can miss the real exposure.

What's in the full article

OpenIAM's full article covers the operational detail this post intentionally leaves for the source:

  • The full Entra governance breakdown across applications, legacy systems, and decentralised provisioning paths
  • The specific ways access reviews and entitlement management differ when identity systems do not share a common governance layer
  • The enterprise control model OpenIAM proposes for moving governance above individual platforms
  • The article’s FAQ examples on fragmented governance, inconsistent enforcement, and multi-system oversight

👉 OpenIAM’s full article explains where Entra-centric governance stops and how enterprise-wide control can extend beyond it

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or identity programme maturity, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org