By NHI Mgmt Group Editorial Team | Published 2024-12-18 | Domain: Best Practices | Source: Okta

TL;DR: Identity-related vulnerabilities are linked to over 77% of breaches, while 25% of SaaS services remain underutilized and therefore harder to monitor, according to Okta. That combination points to a governance problem, not just an access problem: central visibility, least privilege, and lifecycle controls now determine whether identity sprawl becomes exposure.


At a glance

What this is: This is a vendor guide arguing that unified identity governance reduces breach exposure by closing visibility, privilege, and lifecycle gaps across SaaS and infrastructure access.

Why it matters: It matters because IAM and NHI teams are often managing more identities and service access than they can accurately see, review, or retire.

By the numbers: Identity-related vulnerabilities are linked to over 77% of breaches, and 25% of SaaS services remain underutilized and therefore harder to monitor, according to Okta.


Context

Identity governance is the discipline of controlling who or what gets access, for how long, and under what conditions. In practice, that includes human users, service accounts, API tokens, and other non-human identity (NHI) forms that accumulate over time in SaaS and infrastructure environments. When visibility is incomplete, access review becomes a paper exercise and least privilege is impossible to enforce consistently.

The article frames identity governance as a way to reduce breach exposure by removing orphan and inactive accounts, tightening privileged access, and improving approval workflows. That starting point is typical for enterprise IAM programmes, but it becomes more urgent when teams are also managing machine identities and cloud access paths that outgrow manual review.


Key questions

Q: How should security teams implement identity governance in SaaS-heavy environments?

A: Start with a complete inventory of users, service accounts, integrations, and privileged entitlements across all major applications. Then enforce ownership, periodic review, and automatic deprovisioning when accounts become unused or unassigned. The goal is to make access changes traceable and reversible before stale privileges become a security issue.

Q: Why do orphan accounts create so much risk?

A: Orphan accounts matter because they preserve valid access paths after the original business owner is gone. Attackers favour these accounts because they often escape review, rotate less often, and sit outside normal operational attention. In practice, they turn lifecycle failure into persistent exposure.

Q: What is the difference between least privilege and access review?

A: Least privilege is the design principle that limits access to what is required, while access review is the governance activity that checks whether current access still matches that principle. You need both. One sets the target state, the other detects entitlement drift and exception creep.

Q: Should organisations prioritise access governance before expanding automation?

A: Yes, because automation increases the speed at which access can be created, inherited, and forgotten. If governance is weak first, automation simply scales unmanaged privilege. Organisations should define ownership, review cadence, and revocation rules before allowing more automated provisioning.


Technical breakdown

Why identity sprawl turns governance into a control-plane problem

Identity sprawl happens when accounts, entitlements, tokens, and approvals grow faster than the organisation can inventory them. The security issue is not just volume, but drift: access is created for a business need, then left in place after the need changes. In SaaS-heavy environments, this creates orphan accounts, stale privileges, and untracked access paths that bypass normal review cycles. For NHI governance, the same pattern appears in service accounts and automation credentials, where ownership is often unclear and offboarding is inconsistent.

Practical implication: Practitioners need a continuous inventory of identities and entitlements, not periodic spreadsheets.

Least privilege and approval workflows in identity governance

Least privilege means each identity receives only the access needed for a defined task or role. In governance terms, that requires policy, approvals, and periodic review, not just role assignment at onboarding. The weak point is accumulation: broad roles, inherited permissions, and exception handling often make access wider than intended. Automated approvals help only if they are paired with policy constraints, entitlement baselines, and clear ownership for exceptions.

Practical implication: Teams should set entitlement baselines and require time-bound access for anything beyond standard roles.

Orphan and inactive accounts as hidden attack surface

Orphan accounts are identities with no active owner, while inactive accounts are still valid but no longer used for business purposes. Both are dangerous because they preserve authentication paths that attackers can exploit without needing to create new access. In NHI environments, these often include dormant service accounts, old keys, and stale integrations that survive application changes. Governance tooling is effective only when it can connect identity state to ownership and lifecycle status.

Practical implication: Security teams should tie deprovisioning to application, HR, and platform lifecycle events.


NHI Mgmt Group analysis

Identity governance is now the control layer that determines whether access sprawl becomes security debt. The article’s core message is that visibility, privilege reduction, and lifecycle cleanup matter because modern environments produce too many identities for manual oversight. That is especially true once NHIs are included, since service accounts and tokens often outlive the teams that created them. Practitioners should treat governance as an always-on control plane, not a quarterly review.

Least privilege fails when organisations treat access design as a one-time event. Role design, approval routing, and exception handling all need continuous reassessment as applications, teams, and automation patterns change. Without that, entitlement creep turns standard access into de facto standing privilege. The practical conclusion is simple: governance must be tied to change, not calendar.

Orphan accounts are a lifecycle failure, not just a cleanup task. They reveal gaps in ownership, deprovisioning, and integration hygiene across the identity stack. In NHI programmes, the same failure shows up when secrets and service accounts are left active after pipelines, vendors, or workloads are retired. Practitioners should manage identity retirement with the same discipline as identity creation.

Identity governance and NHI governance are converging around the same operating model. Human and non-human access both require inventory, policy, review, and revocation. The difference is speed and scale: NHIs change faster and are more likely to be embedded in automation. The field should stop treating them as separate problems and build one lifecycle model with different enforcement rules.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • That confidence gap is why teams should align identity governance with the Ultimate Guide to NHIs and ownership-driven lifecycle controls.

What this signals

Access governance is becoming a lifecycle discipline, not an application administration task. As identities spread across SaaS, infrastructure, and automation, teams need one operating model that can inventory, review, and retire access at the same pace as business change. That means linking identity governance to change management, application ownership, and revocation workflows instead of relying on periodic audits.

Identity sprawl will keep exposing the gap between policy and practice. A programme can define least privilege on paper and still accumulate stale access through exceptions, inherited roles, and dormant accounts. The practical response is to track drift continuously and to use governance reporting to show whether access is tightening or widening over time.

With 1 in 4 organisations already investing in dedicated NHI security capabilities, according to The State of Non-Human Identity Security, the market is moving toward unified human and machine identity governance. Practitioners should prepare for tools and processes that treat service accounts, tokens, and SaaS delegations as first-class identities rather than edge cases.


For practitioners

  • Inventory every identity type continuously: Build a single inventory that includes human users, service accounts, API keys, tokens, certificates, and delegated SaaS access. Reconcile that inventory against application owners and business systems so orphaned access is visible before it becomes a finding.
  • Enforce least privilege with time-bound exceptions: Require approvals for elevated access, but make exceptions expire automatically and trigger review. Use role baselines and entitlement thresholds so broad access is treated as an exception, not a default.
  • Tie deprovisioning to lifecycle events: Connect identity retirement to application shutdown, employee departure, vendor offboarding, and pipeline teardown. That closes the gap where dormant access survives after the business reason for it has disappeared.
  • Report on access drift, not just access count: Track how many identities exist, how many are inactive, and how many exceed policy by scope or duration. Governance reports should show whether access is getting tighter over time, not just larger or smaller.
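As an added illustration of the four practitioner steps above, and of the orphan and inactive account checks in the technical breakdown, the following Python script is not code from Okta or from the NHI Mgmt Group. It runs ownership reconciliation, inactivity detection, expired-exception detection and a drift summary over a constructed inventory; the identity names, the owner list, the 90-day inactivity threshold and the `assess`/`drift_report` function names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample inventory (not real data): identities of several types,
# each with an accountable owner, a last-use date and any time-bound elevated grants.
@dataclass
class Identity:
    name: str
    kind: str                 # "human", "service_account" or "api_token"
    owner: str                # accountable person; "" when nobody is assigned
    last_used: date
    elevated: list = field(default_factory=list)   # (role, expiry_date) pairs

ACTIVE_OWNERS = {"alice", "bob"}   # from the HR/IdP feed; "carol" has departed
TODAY = date(2024, 12, 18)
INACTIVE_AFTER = timedelta(days=90)  # assumed policy threshold

INVENTORY = [
    Identity("alice", "human", "alice", date(2024, 12, 17), [("admin", date(2025, 1, 5))]),
    Identity("ci-deploy-sa", "service_account", "carol", date(2024, 12, 10)),
    Identity("legacy-export-token", "api_token", "bob", date(2024, 6, 1), [("db_admin", date(2024, 9, 1))]),
    Identity("vendor-sync", "service_account", "", date(2024, 12, 1)),
]

def assess(identities, active_owners, today, inactive_after):
    """Map each identity to its governance findings; one identity may carry several."""
    findings = {}
    for ident in identities:
        issues = []
        if ident.owner not in active_owners:        # unassigned, or owner has left
            issues.append("orphan")
        if today - ident.last_used > inactive_after:  # still valid but no longer used
            issues.append("inactive")
        for role, expiry in ident.elevated:
            if expiry < today:                       # exception outlived its approved window
                issues.append(f"expired_exception:{role}")
        if issues:
            findings[ident.name] = issues
    return findings

def drift_report(identities, findings):
    """Counts a drift report needs: total, orphan, inactive and out-of-policy exceptions."""
    return {
        "total": len(identities),
        "orphan": sum("orphan" in f for f in findings.values()),
        "inactive": sum("inactive" in f for f in findings.values()),
        "expired_exceptions": sum(any(i.startswith("expired_exception") for i in f) for f in findings.values()),
    }

if __name__ == "__main__":
    found = assess(INVENTORY, ACTIVE_OWNERS, TODAY, INACTIVE_AFTER)
    for name, issues in found.items():
        print(f"{name}: {', '.join(issues)}")
    print(drift_report(INVENTORY, found))
```

Running the report on successive snapshots of the same inventory shows whether the orphan, inactive and expired-exception counts are falling or rising, which is the drift signal the bullet above asks for.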

Key takeaways

  • Identity governance reduces risk only when it is treated as a continuous control, not a periodic review.
  • Orphan accounts, inactive accounts, and broad entitlements are symptoms of the same lifecycle failure.
  • IAM teams should govern NHIs with the same ownership, review, and revocation discipline used for human identities.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Rotation and stale access issues sit behind many governance failures.
NIST CSF 2.0 | PR.AC-4 | Least privilege and approval workflows map directly to access control governance.
NIST Zero Trust (SP 800-207) | | Zero Trust requires continuous verification of identity and access context.

Review NHI rotation and retirement controls whenever access is not actively in use.


Key terms

  • Identity Governance: Identity governance is the set of policies, workflows, and controls used to decide who or what can access resources, for how long, and under what conditions. It covers review, approval, revocation, and ownership so access can be audited and corrected as the environment changes.
  • Orphan Account: An orphan account is an identity that still has valid access but no longer has an active owner responsible for it. These accounts are risky because they survive organisational change, often evade review, and can preserve an attack path long after the original business need has disappeared.
  • Least Privilege: Least privilege is the principle that an identity should have only the minimum access required to perform its assigned function. In practice, it means role design, exception handling, and review processes must keep permissions narrow over time, not just at the moment they are granted.

Deepen your knowledge

Identity governance, lifecycle review, and least privilege are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are extending governance into service accounts and automation, it is a useful next step.

This post draws on content published by Okta: Top five ways identity governance helps prevent security incidents. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2024-12-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org