TL;DR: Identity governance failures still begin with misused or stolen credentials, and IBM says over 80% of breaches involve them, which is why identity governance now has to move beyond account administration into continuous review, policy enforcement, and auditable revocation. The old assumption that access stays valid long enough for periodic review is breaking under cloud sprawl and rapid role changes.
At a glance
What this is: This is an analysis of why identity governance frameworks are becoming the control point for access risk, with the key finding that static governance cannot keep up with cloud-scale identity sprawl.
Why it matters: It matters because IAM, NHI, and autonomous identity programmes all fail when access is granted faster than it is reviewed, retired, and proven compliant.
By the numbers:
- Over 80% of incidents involve misused or stolen credentials.
- 83% of breaches involve misuse of access rights.
- Only 5.7% of organisations have full visibility into their service accounts.
👉 Read SecurEnds' guide to building an identity governance framework
Context
An identity governance framework is the rule set that decides who gets access, why they get it, and when it should be removed. The core problem is not account creation; it is access persistence after the business need has changed. In cloud and hybrid environments, that gap becomes harder to see because entitlements spread across applications, roles, contractors, and service accounts.
For IAM and IGA teams, the practical question is no longer whether access can be granted. It is whether access can still be justified, audited, and revoked at the same speed that the business changes. That is why identity governance has become the control layer that connects lifecycle management, access reviews, compliance evidence, and least privilege across human and non-human identities.
Key questions
Q: How should security teams build an effective identity governance framework?
A: Start with authoritative identity sources, then define who approves access, how often it is reviewed, and what must trigger removal. The framework should connect lifecycle events, certification workflows, and audit evidence so access is not just granted but continuously justified. The objective is measurable reduction in standing privilege, not more process for its own sake.
Q: Why do identity governance frameworks matter more as organisations move to cloud and hybrid IT?
A: Cloud and hybrid environments multiply identities, entitlements, and ownership handoffs faster than manual controls can track them. That increases privilege creep, orphaned access, and review fatigue. Governance matters because it creates a consistent decision model for access across apps, teams, and identity types, including service accounts and contractors.
Q: What do teams get wrong about access reviews?
A: They often treat completion as success, even when reviewers lack enough context to make a real decision. A review is only effective if it changes entitlements, catches stale access, and leaves a usable audit trail. Otherwise, the process records activity without reducing risk.
Q: Who is accountable when access is not revoked on time?
A: Accountability should sit with the business owner of the access, the system owner that enforces it, and the governance team that defines the rules. If those roles are unclear, stale permissions survive role changes and offboarding. Frameworks such as the NIST Cybersecurity Framework 2.0, whose Govern function makes roles, responsibilities, and authorities an explicit outcome, can help assign governance responsibility more clearly.
Technical breakdown
Identity lifecycle management in cloud and hybrid environments
Identity lifecycle management covers how identities are created, changed, recertified, and removed across the full access journey. In modern estates, the hard part is not provisioning. It is keeping deprovisioning and entitlement updates aligned with role changes, project exits, and contractor offboarding. When those transitions lag, orphaned access and privilege creep appear even when the original grant was valid. Governance fails when the lifecycle process exists in policy but not in execution.
Practical implication: tie joiner-mover-leaver workflows to authoritative sources so access changes automatically when job context changes.
Access reviews, certifications, and audit evidence
Access reviews are the proof mechanism in identity governance. They ask whether a user still needs a role, permission, or exception, and they create evidence that can be traced later by auditors. The weakness is that quarterly or semiannual review cycles assume access persists long enough to be meaningfully examined. In fast-moving environments, outdated entitlements can survive multiple review windows, especially when review decisions are based on incomplete role context or stale ownership data.
Practical implication: enrich certification workflows with application ownership, last-use signals, and business context before reviewers approve anything.
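As an added example that is not part of the SecurEnds article or this post, the following Python script shows what "tie joiner-mover-leaver workflows to authoritative sources" and "enrich certification workflows with ownership and last-use signals" look like as a reconciliation run. It takes a constructed HR feed for humans, a constructed NHI registry for service accounts, an application ownership table, and an entitlement inventory, and sorts every entitlement into revoke, certify, escalate, or keep with the reason a reviewer would need. The field names, the 90-day dormancy window, and the sample identities are assumptions for illustration, not a real IGA product's schema. The `review_outcome` helper scores a certification cycle by entitlements changed rather than items closed, which is the measurement the "For practitioners" section asks for.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed sample data for this example. The field names, the split between an
# HR feed (humans) and an NHI registry (service accounts), and the 90-day dormancy
# window are assumptions, not a real IGA product's schema or defaults.

@dataclass
class Record:                  # one row from an authoritative source
    status: str                # "active" or "terminated"
    department: str            # current team (person) or owning team (service account)
    contract_end: Optional[date] = None

@dataclass
class Entitlement:
    user_id: str
    app: str
    role: str
    dept_at_grant: str         # department recorded when the access was approved
    last_used: Optional[date]  # last-use signal from application or IdP logs
    identity_type: str = "human"

HR = {
    "alice": Record("active", "finance"),
    "bob":   Record("active", "engineering"),                          # moved from finance
    "carol": Record("terminated", "finance"),
    "dave":  Record("active", "sales", contract_end=date(2025, 9, 30)),
}
NHI_REGISTRY = {"svc-etl": Record("active", "data"), "svc-report": Record("active", "data")}
APP_OWNERS = {"erp": "fin-owner", "crm": "crm-owner", "vpn": "it-owner"}  # "legacy-ftp" has no owner

INVENTORY = [
    Entitlement("alice", "erp", "ap-clerk", "finance", date(2025, 10, 20)),
    Entitlement("bob", "erp", "ap-approver", "finance", date(2025, 6, 1)),
    Entitlement("carol", "erp", "ap-clerk", "finance", date(2025, 8, 15)),
    Entitlement("dave", "crm", "admin", "sales", date(2025, 10, 25)),
    Entitlement("eve", "vpn", "user", "it", date(2025, 10, 28)),             # absent from HR
    Entitlement("svc-etl", "legacy-ftp", "reader", "data", date(2025, 10, 29), "service"),
    Entitlement("svc-report", "erp", "reader", "data", None, "service"),    # never used
]

DORMANT_AFTER = timedelta(days=90)
TODAY = date(2025, 10, 30)

def classify(ent: Entitlement, today: date):
    """Decide what one entitlement needs: revoke, certify, escalate or keep, with the reason."""
    source = NHI_REGISTRY if ent.identity_type == "service" else HR
    rec = source.get(ent.user_id)
    if rec is None:
        return "revoke", "orphan: identity absent from authoritative source"
    if rec.status != "active":
        return "revoke", "leaver: status is %s" % rec.status
    if rec.contract_end and rec.contract_end < today:
        return "revoke", "leaver: contract ended %s" % rec.contract_end
    if ent.app not in APP_OWNERS:
        return "escalate", "no application owner: nobody can certify this access"
    if rec.department != ent.dept_at_grant:
        return "certify", "mover: granted for %s, now in %s" % (ent.dept_at_grant, rec.department)
    if ent.last_used is None or today - ent.last_used > DORMANT_AFTER:
        return "certify", "dormant: no recorded use in the last %d days" % DORMANT_AFTER.days
    return "keep", "active identity, unchanged context, recent use"

def reconcile(inventory: List[Entitlement], today: date) -> Dict[str, list]:
    """Build the revoke / certify / escalate / keep queues for one JML reconciliation run."""
    queues = {"revoke": [], "certify": [], "escalate": [], "keep": []}
    for ent in inventory:
        decision, reason = classify(ent, today)
        queues[decision].append((ent.user_id, ent.app, ent.role, reason))
    return queues

def review_outcome(decisions: List[str]) -> Dict[str, float]:
    """Score a certification cycle by what it changed, not by how many items it closed."""
    total = len(decisions)
    changed = sum(1 for d in decisions if d in ("removed", "reduced"))
    return {"items": total, "changed": changed,
            "change_rate": round(changed / total, 2) if total else 0.0}

if __name__ == "__main__":
    for queue, items in reconcile(INVENTORY, TODAY).items():
        for item in items:
            print(queue, item)
    print(review_outcome(["removed", "justified", "justified", "reduced"]))
```

The order of checks matters: leaver and orphan conditions force revocation before any reviewer is consulted, a missing owner is escalated rather than silently rubber-stamped, and only then do mover and dormancy signals create certification items that carry their context with them.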
Zero Trust and policy enforcement for identity governance
Zero Trust changes identity governance from a one-time gate to a continuous verification model. Instead of trusting access because it was once approved, the framework assumes every request and entitlement must remain justified. That matters because identity governance is not only about who can log in. It is about whether the permission remains defensible after the environment, device, or business purpose changes. Policy enforcement becomes the bridge between access control and governance evidence.
Practical implication: align governance policy with Zero Trust controls so access stays conditional on current context, not historic approval.
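The following Python example is added here and is not code from SecurEnds or this post. It shows a minimal policy decision point of the kind SP 800-207 describes: each request is evaluated against the governance state of the entitlement (certified recently, not revoked) and the live context (device posture, authentication freshness, a risk signal), and every decision produces an evidence record an auditor can replay. The grant and context fields, the 90-day certification age, the 8-hour MFA window and the 0-100 risk scale are assumptions for illustration, not any vendor's policy model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed example. The grant fields, the request-context signals, the 90-day
# certification age, the 8-hour MFA freshness window and the 0-100 risk scale are
# assumptions for illustration, not any particular IdP's policy model.

@dataclass
class Grant:                    # governance state for one entitlement
    subject: str
    resource: str
    action: str
    last_certified: datetime    # when an owner last re-justified this access
    revoked: bool = False

@dataclass
class Context:                  # what is known at request time
    subject: str
    resource: str
    action: str
    device_compliant: bool
    mfa_age: timedelta          # time since the last strong authentication
    risk_score: int             # 0-100 signal from IdP/EDR (assumed scale)

CERT_MAX_AGE = timedelta(days=90)
MFA_MAX_AGE = timedelta(hours=8)
RISK_DENY, RISK_STEP_UP = 80, 50

def find_grant(grants: List[Grant], ctx: Context) -> Optional[Grant]:
    for g in grants:
        if (g.subject, g.resource, g.action) == (ctx.subject, ctx.resource, ctx.action):
            return g
    return None

def decide(grants: List[Grant], ctx: Context, now: datetime):
    """Policy decision point: returns 'allow', 'step_up' or 'deny' plus an evidence record.
    The historic approval is one input; governance state and live context must also pass."""
    grant = find_grant(grants, ctx)
    reasons = []
    if grant is None or grant.revoked:
        reasons.append("no current entitlement")
    elif now - grant.last_certified > CERT_MAX_AGE:
        reasons.append("certification older than %d days" % CERT_MAX_AGE.days)
    if not ctx.device_compliant:
        reasons.append("device not compliant")
    if ctx.risk_score >= RISK_DENY:
        reasons.append("risk score %d at or above deny threshold" % ctx.risk_score)
    if reasons:
        decision = "deny"
    elif ctx.mfa_age > MFA_MAX_AGE or ctx.risk_score >= RISK_STEP_UP:
        decision, reasons = "step_up", ["fresh authentication required before access"]
    else:
        decision, reasons = "allow", ["entitlement certified and context within policy"]
    # Evidence record: the inputs and rule state an auditor can replay later.
    evidence = {
        "at": now.isoformat(), "subject": ctx.subject, "resource": ctx.resource,
        "action": ctx.action, "decision": decision, "reasons": reasons,
        "last_certified": grant.last_certified.isoformat() if grant else None,
        "device_compliant": ctx.device_compliant, "risk_score": ctx.risk_score,
    }
    return decision, evidence

NOW = datetime(2025, 10, 30, 9, 0, tzinfo=timezone.utc)
GRANTS = [
    Grant("alice", "erp", "approve-payment", NOW - timedelta(days=30)),
    Grant("bob", "erp", "approve-payment", NOW - timedelta(days=200)),  # never recertified
    Grant("carol", "erp", "approve-payment", NOW - timedelta(days=10), revoked=True),
]
REQUESTS = [
    Context("alice", "erp", "approve-payment", True, timedelta(hours=1), 10),   # allow
    Context("alice", "erp", "approve-payment", True, timedelta(hours=12), 10),  # step_up: stale MFA
    Context("alice", "erp", "approve-payment", False, timedelta(hours=1), 10),  # deny: device
    Context("bob", "erp", "approve-payment", True, timedelta(hours=1), 10),     # deny: stale certification
    Context("carol", "erp", "approve-payment", True, timedelta(hours=1), 10),   # deny: revoked
    Context("alice", "erp", "approve-payment", True, timedelta(hours=1), 85),   # deny: high risk
]

if __name__ == "__main__":
    for req in REQUESTS:
        decision, evidence = decide(GRANTS, req, NOW)
        print(decision, evidence["subject"], evidence["reasons"])
```

Note that bob's request is denied even though his approval was never withdrawn: once certification lapses, the grant stops being a valid input, which is the point of making access conditional on current governance state rather than on the original approval.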
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Salt Typhoon US telecoms breach — the Salt Typhoon APT used stolen credentials and a Cisco CVE to breach US telecoms.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity governance is no longer a back-office control; it is the operating system for access risk. The article gets one thing right: access control alone does not answer whether access should remain in place. As organisations spread across SaaS, cloud, and service accounts, the governance layer has to decide when access expires, not just when it begins. Practitioners should treat governance as the control plane that makes entitlement decisions provable.
Standing entitlement persistence is the failure mode this topic exposes. The governance model assumed that access would be reviewed before it drifted too far from its original purpose. That assumption breaks when teams, contractors, and applications change faster than certification cycles can keep up. The implication is that identity governance cannot rely on periodic review as the primary safety net.
Access review fatigue is now a control-quality issue, not an administrative inconvenience. When reviewers are overwhelmed, they approve by pattern rather than by evidence. That turns certification into paperwork, which weakens audit value and leaves privilege creep untouched. Practitioners should measure whether reviews are actually changing entitlements, not just closing tickets.
Lifecycle without revocation is not governance; it is inventory. The article points to creation and review, but the governance gap is in retirement. If offboarding, role change, and exception cleanup do not happen consistently, identity programmes simply document access that should no longer exist. Security teams should judge the programme by how quickly it removes invalid access, not by how many accounts it can enumerate.
Automation changes identity governance from episodic to continuous, but only if ownership is real. Automated provisioning and certification can reduce delay, yet automation without accountable approvers just scales bad decisions. That means governance maturity depends on clear policy ownership, evidence quality, and exception handling that can survive audit scrutiny. Practitioners should align automation with explicit decision authority.
From our research:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows why entitlement governance breaks down before teams notice it.
- For a deeper view of lifecycle and audit controls, Ultimate Guide to NHIs: Regulatory and Audit Perspectives maps the evidence teams need to prove control.
What this signals
Identity governance is moving from periodic certification to continuous entitlement hygiene. In environments where access changes faster than review cycles, teams need policy logic that can react to lifecycle events, not just quarterly approvals. The practical signal is clear: if access cannot be explained, attributed, and revoked quickly, it is already out of control.
Standing privilege is becoming the real governance metric. The more access persists after the business need changes, the less meaningful the access model becomes. That is why the shift to Zero Trust and lifecycle-driven governance is not a maturity exercise; it is a response to control decay.
With 71% of NHIs not rotated within recommended time frames, the same review and offboarding weaknesses that affect human identities are now visible in machine access too. Teams should prepare for governance programmes that treat human, non-human, and eventually autonomous access through the same entitlement discipline.
For practitioners
- Map every identity lifecycle trigger to an authoritative source. Connect HR, contractor systems, and application ownership data so access changes when joiner, mover, and leaver events occur. This prevents entitlement drift from becoming the normal operating state.
- Measure certification outcomes, not review completion. Track how many entitlements are removed, reduced, or justified after each review cycle. If reviews only close tickets, the programme is producing evidence without changing risk.
- Prioritise offboarding and exception cleanup first. Focus on the accounts most likely to outlive their business purpose, including contractors, shared admin roles, and dormant privileged access. These are the fastest paths to privilege creep.
- Align governance rules with Zero Trust policy. Make access conditional on current context and policy state rather than historic approval alone. Use the same policy logic across human and non-human identities where the risk model overlaps.
Key takeaways
- Identity governance fails when access outlives the business reason for granting it.
- The scale of the problem is visible in breach data, review fatigue, and persistent privileged access.
- Teams need lifecycle-linked governance that measures entitlement removal, not just review completion.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01, PR.AA-05 | Identities and credentials must be managed, and access permissions defined, enforced, reviewed and revoked under least privilege. (PR.AC-1 was the CSF 1.1 subcategory; CSF 2.0 moved it to PR.AA.) |
| NIST Zero Trust (SP 800-207) | Sections 2.1 (tenets) and 3 (policy decision and enforcement points) | Zero Trust evaluates every request against dynamic policy and current state, not a historic approval. |
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding, NHI5:2025 Overprivileged NHI, NHI7:2025 Long-Lived Secrets | Offboarding, entitlement and credential lifecycle failures are central to NHI governance risk. |
Use Zero Trust policy enforcement to keep access conditional on current context and business need.
Key terms
- Identity Governance Framework: An identity governance framework is the policy and operating structure that decides who gets access, why they receive it, and when it should be removed. It connects approvals, reviews, lifecycle events, and audit evidence so access remains defensible as the environment changes.
- Access Certification: Access certification is the process of reviewing whether an identity still needs the permissions it holds. In practice, it is only useful when reviewers have enough context to revoke stale access, not just approve it. Otherwise, the process records activity without materially reducing risk.
- Privilege Creep: Privilege creep is the gradual accumulation of access that is no longer justified by current job duties or system use. It usually appears after role changes, project moves, and poor offboarding, and it becomes especially dangerous when governance cycles are too slow to catch it.
- Standing Privilege: Standing privilege is access that remains continuously available instead of being granted only when needed. It is a governance problem because persistent permissions increase blast radius, make audit evidence harder to trust, and often survive long after the original need has ended.
Deepen your knowledge
Identity lifecycle management and access review design are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your governance programme is struggling with privilege creep or offboarding gaps, it is a practical place to start.
This post draws on content published by SecurEnds: Why Organizations Need a Strong Identity Governance Framework. Read the original.
Published by the NHIMG editorial team on 2025-10-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org