TL;DR: A Q&A with Rita Gurevich on The Last Watchdog argues that many organisations still cannot answer basic questions about who has access to what, despite broad investment in PAM and IGA tools. The result is an accountability gap that lets outdated permissions and forgotten accounts accumulate, showing why identity governance is now foundational to Zero Trust.
At a glance
What this is: This Q&A argues that identity governance has become the control plane for modern security because most organisations still lack clear visibility into access ownership and entitlement sprawl.
Why it matters: It matters because IAM, PAM, and NHI programmes all fail in the same place when nobody can prove who has access, who approved it, or who is responsible for revocation.
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected.
👉 Read SPHERE Technology Solutions' Q&A on identity governance and Zero Trust
Context
Identity governance is the discipline that answers a simple question: who has access to what, and who is accountable for keeping that access accurate over time. In this Q&A, the core problem is not lack of tooling but lack of operational clarity across PAM, IGA, and broader access ownership.
That matters because Zero Trust depends on continuous visibility and decision-making at the identity layer. When organisations cannot explain inherited privileges, stale permissions, or orphaned accounts, they cannot enforce least privilege in a way that survives day-to-day operational drift.
Key questions
Q: How should security teams reduce identity governance gaps in privileged access programmes?
A: Start by making ownership explicit for every privileged entitlement, including break-glass accounts and delegated admin paths. Then reconcile PAM and IGA records against live system use so stale access can be removed, not just reported. The goal is not more documentation, but a clean answer to who can do what and why.
Q: Why do identity governance gaps weaken Zero Trust programmes?
A: Zero Trust depends on continuous verification, but verification is only as good as the identity data behind it. If entitlements are stale, orphaned, or poorly attributed, policy enforcement becomes guesswork. Governance gaps therefore undermine the trust decisions Zero Trust is supposed to make.
Q: What do security teams get wrong about PAM and IGA coverage?
A: They often assume the tools themselves close the loop on access accountability. In practice, PAM can protect a session and IGA can review a record, yet neither guarantees that ownership is assigned, access is current, or revocation will happen cleanly. Coverage is not control completion.
Q: Who is accountable when forgotten access and stale privileges create exposure?
A: Accountability should sit with the business owner of the entitlement and the operational team responsible for revocation and review. If no one can name those roles, the control is already failing. Frameworks such as the NIST Cybersecurity Framework 2.0 expect clear governance, not ambiguous stewardship.
Technical breakdown
Why PAM and IGA still leave visibility gaps
PAM and IGA address parts of the access problem, but they often fail when entitlement data is incomplete, stale, or disconnected from real operational ownership. Privileged access tools can broker high-risk sessions, while governance tools can review entitlements, yet neither automatically resolves the question of whether every account, role, and admin path is still valid in practice. The gap widens when teams manage humans, service accounts, and delegated access in separate processes. Practical implication: treat entitlement completeness and ownership attribution as control objectives, not reporting outputs.
Practical implication: require a defensible owner for every privileged entitlement and reconcile it against actual system use.
Identity governance as the control plane for zero trust
Zero Trust is not just a network design or a policy slogan. It depends on identity signals that are current enough to support continuous verification, access minimisation, and removal of unnecessary privilege. If identity records are wrong, trust decisions become transactional guesswork instead of ongoing risk decisions. That is why identity governance sits underneath the rest of the architecture: it supplies the authoritative view of who or what should have access at a given moment. Practical implication: wire governance outputs into enforcement points, not just audits.
Practical implication: connect governance findings to enforcement so stale access is removed, not only reported.
Access accountability fails when ownership is implied instead of assigned
A recurring failure mode in mature environments is assumed accountability. Teams believe someone owns an account, a privilege, or a service credential, but the operational record says otherwise. That creates a slow-burn exposure pattern where orphaned access, duplicated admin rights, and poorly explained exceptions accumulate outside review cycles. In identity security, ambiguity is itself a control failure because it prevents timely revocation and clean escalation. Practical implication: standardise ownership, approvers, and revocation responsibility across all identity types.
Practical implication: make ownership explicit for each identity and entitlement, including break-glass and non-human access.
Threat narrative
Attacker objective: The attacker aims to exploit invisible or poorly governed access so they can move through systems without triggering timely review or revocation.
- Entry occurs through long-lived identity sprawl, where access exists beyond current business need and remains hard to inventory.
- Escalation follows when stale permissions, forgotten accounts, or unauthorized admin rights expand the number of reachable systems and privileges.
- Impact comes from unobserved access paths that increase breach likelihood, delay containment, and undermine Zero Trust enforcement.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- BeyondTrust API key breach — compromised BeyondTrust API key led to unauthorized SaaS access.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity governance is no longer a back-office control; it is the authority layer for enterprise access. When organisations cannot answer who has access to what, every downstream security decision becomes less reliable. PAM can reduce session risk and IGA can review entitlements, but neither helps if ownership is unclear or records are stale. The practical conclusion is that governance accuracy now determines whether access controls actually mean anything.
Access accountability is the named failure mode this discussion exposes. The article describes a world where outdated permissions and forgotten accounts quietly accumulate because no one can prove responsibility end to end. That is not just a tooling problem; it is a governance assumption that access can be traced, assigned, and removed on schedule. When that assumption fails, Zero Trust becomes difficult to enforce because the identity layer is already compromised by ambiguity.
Zero Trust only works when identity data is current enough to drive enforcement. Acohido’s framing is useful because it places identity governance beneath the architecture rather than beside it. Continuous verification depends on clean entitlement data, clean ownership, and clean revocation paths. If those inputs are weak, the rest of the model degrades into policy theatre. Practitioners should treat governance freshness as a Zero Trust prerequisite, not a reporting metric.
Human access and non-human access fail in the same place when accountability is vague. Forgotten admin rights for employees and unmanaged credentials for service accounts both create silent exposure because nobody owns the cleanup. That makes cross-domain governance more important than tool silos. The field needs programmes that reconcile human IAM, PAM, and NHI oversight through one accountability model, or access drift will keep outrunning review cycles.
Identity blast radius: this topic is really about how far one bad entitlement can travel before anyone notices. Once ownership is weak and privilege records are stale, a single access mistake can persist across systems, teams, and business processes. That changes identity governance from an administrative function into a containment discipline. Practitioners should measure how quickly they can prove, explain, and remove risky access before it compounds into operational exposure.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
- For the governance model behind this risk, see Ultimate Guide to NHIs - Lifecycle Processes for Managing NHIs, which details provisioning, rotation, and offboarding discipline.
What this signals
Identity governance is becoming a programme-level dependency, not just an audit capability. When access ownership is unclear, the gap shows up first in review cycles, then in containment speed, and finally in board-level confidence. Teams should expect sharper scrutiny of entitlement provenance, revocation latency, and who can prove that access decisions are still current.
72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities. That level of exposure suggests governance drift is already a mainstream operating condition, not an edge case.
Access accountability will increasingly be measured as a control outcome. If a team cannot tie each privileged path to an owner, a reason, and a revocation path, identity governance will be treated as incomplete regardless of tooling spend.
For practitioners
- Audit entitlement ownership across all privileged paths: Map every admin role, break-glass account, and delegated access path to a named business owner and a technical custodian. Remove any privilege that cannot be justified or traced to a current operational requirement.
- Reconcile PAM and IGA data with live system state: Compare governance records with actual active accounts, token use, and service access to find drift between policy and reality. Prioritise stale access that survives beyond role changes, project end dates, or vendor offboarding.
- Tie Zero Trust enforcement to governance freshness: Use current entitlement reviews, revocation timestamps, and access exceptions as inputs to enforcement decisions rather than audit outputs. If the data is stale, treat the trust decision as untrusted until it is verified.
- Extend accountability controls to non-human identities: Apply the same ownership, review, and revocation discipline to service accounts, API keys, and machine credentials that you apply to human privileged access. Hidden non-human access is often where accountability breaks first.
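The reconciliation the four steps above describe, as an added example that is not part of the original article or of SPHERE's tooling: governance (IGA/PAM) records are compared against live account state to surface ownerless entitlements, stale and never-used access, records with no live account behind them, and orphaned live access with no governance record. The record layouts, the 90-day staleness threshold and the sample data are constructed assumptions.

```python
"""Reconcile IGA/PAM governance records against live system state.

Added example; record formats, the 90-day threshold and all sample
data are constructed assumptions, not the article's or any vendor's.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 8, 4, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)

# Constructed governance records: what IGA/PAM believes exists and who owns it.
GOVERNANCE = [
    {"id": "svc-backup", "kind": "non-human", "owner": "platform-team", "revoker": "iam-ops"},
    {"id": "adm-alice", "kind": "human", "owner": "", "revoker": "iam-ops"},   # no owner
    {"id": "bg-root", "kind": "break-glass", "owner": "sec-lead", "revoker": "sec-lead"},
    {"id": "adm-bob", "kind": "human", "owner": "finance", "revoker": "iam-ops"},  # not live
]

# Constructed live state: accounts/tokens actually present, with last-use time.
LIVE = {
    "svc-backup": NOW - timedelta(days=5),
    "adm-alice": NOW - timedelta(days=120),   # used, but not within the window
    "bg-root": None,                          # never used: expected for break-glass
    "api-legacy": NOW - timedelta(days=2),    # live access with no governance record
}


def reconcile(governance, live, now=NOW, stale_after=STALE_AFTER):
    """Return drift findings keyed by account id; accounts with no drift are omitted."""
    findings = {}
    governed = {g["id"]: g for g in governance}
    for acct, record in governed.items():
        issues = []
        if not record["owner"]:
            issues.append("no-owner")        # nobody accountable for the entitlement
        if not record["revoker"]:
            issues.append("no-revoker")      # nobody accountable for removing it
        if acct not in live:
            issues.append("not-live")        # governance record without a real account
        else:
            last = live[acct]
            if last is None and record["kind"] != "break-glass":
                issues.append("never-used")  # provisioned but never exercised
            elif last is not None and now - last > stale_after:
                issues.append("stale")       # exists beyond current operational need
        if issues:
            findings[acct] = issues
    for acct in live:
        if acct not in governed:
            findings[acct] = ["orphan"]      # live access that governance cannot see
    return findings
```

Feeding the findings into enforcement, rather than only into an audit report, is the point of the third step: an account with any finding is one whose trust decision should be treated as unverified until the record is corrected.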
Key takeaways
- Identity governance now determines whether PAM, IGA, and Zero Trust controls are actually enforceable.
- The core risk is not just excess access, but unclear accountability for who owns, approves, and removes it.
- Practitioners should treat entitlement freshness and ownership attribution as operational controls, not reporting exercises.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity governance gaps directly affect who can access what and why. |
| NIST Zero Trust (SP 800-207) | | Zero Trust depends on continuous, current identity assertions. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Unmanaged non-human access and weak lifecycle controls drive hidden exposure. |
Map privileged access ownership to PR.AC-1 and verify each entitlement has a current accountable owner.
Key terms
- Identity Governance: Identity governance is the set of processes that keeps access assignments accurate, reviewable, and defensible over time. It covers who approved access, who owns it, and when it should be removed, across human and non-human identities alike.
- Access Accountability: Access accountability is the ability to identify who is responsible for granting, reviewing, and revoking an entitlement. In mature programmes it is more than documentation, because every privileged path should map to a named owner and a clear revocation path.
- Identity Blast Radius: Identity blast radius is the amount of damage a single weak entitlement can create before it is discovered and removed. It reflects how far privilege can move through systems, teams, and workloads when governance data is stale or ownership is unclear.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by SPHERE Technology Solutions: a Q&A on identity governance and the limits of current access control visibility. Read the original.
Published by the NHIMG editorial team on 2025-08-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org