By NHI Mgmt Group Editorial Team
Published 2025-11-28
Domain: Governance & Risk
Source: Gathid

TL;DR: Most organisations sit between light IGA and full IGA, with hybrid identity sprawl, manual reviews, and identity debt outpacing quarterly governance cycles, according to Gathid. Continuous, graph-based observability is emerging as the practical bridge between deployment speed and audit-ready control.


At a glance

What this is: This analysis argues that identity governance is stuck between light and full IGA, and that the real gap is the gray zone where manual processes cannot keep up with changing access.

Why it matters: It matters because IAM teams must govern human, machine, and workload access continuously, not only after a heavyweight platform rollout is complete.

By the numbers:

👉 Read Gathid's analysis of why binary IGA models fail in real environments


Context

Identity governance is the discipline of knowing who and what has access, why that access exists, and when it should be removed. The problem in most enterprises is not the absence of tools, but the mismatch between governance cadence and identity change across cloud apps, on-prem systems, OT, and disconnected records.

The article frames a common IAM mistake: treating governance as a binary choice between lightweight controls and heavyweight platforms. In practice, access drift accumulates in the middle, where human reviews, spreadsheets, and delayed workflows cannot keep up with daily changes in roles, systems, and entitlements.

For teams managing human identity, Non-Human Identity, and workload access together, this is a lifecycle problem as much as a tooling problem. The most relevant benchmark is whether the programme can detect and act on identity drift continuously, not whether a platform can eventually be deployed.


Key questions

Q: How should teams govern access when they are stuck between light and full IGA?

A: Teams should govern the identities that change fastest first, then expand coverage based on risk rather than platform completeness. The practical goal is daily visibility into stale access, privilege creep, and SoD conflicts across the systems that matter most. That approach reduces identity debt while larger IGA decisions are still in progress.

Q: Why does identity debt become harder to control in hybrid environments?

A: Identity debt grows because access changes faster than manual review cycles can clear it, especially when cloud, OT, legacy, and disconnected sources each hold part of the truth. Hybrid estates create more handoffs, more stale entitlements, and more places for risky access to survive unnoticed.

Q: What breaks when governance relies only on quarterly access reviews?

A: Quarterly reviews miss the day-to-day drift that accumulates between certification cycles. By the time the review happens, the access graph may already have changed, so the programme validates yesterday’s state rather than today’s risk. That makes certification useful for assurance, but weak as a primary control.

Q: How can security teams decide whether they need a full IGA rollout?

A: Teams should decide based on the complexity of their identity estate, not on whether a platform sounds more complete. If they manage multiple authoritative sources, disconnected systems, or significant privileged access, they need stronger continuous governance regardless of rollout timing. A bridge layer can reduce risk while the long-term architecture is planned.


Technical breakdown

Why the light IGA versus full IGA model breaks down

The light versus full IGA model assumes identity environments can be cleanly sorted into simple or complex deployments. That breaks in hybrid estates where cloud apps, on-prem systems, disconnected HR sources, OT, and physical access all coexist. Light IGA can provide provisioning and reviews, but it often lacks the depth for SoD analysis and cross-domain visibility. Full IGA can deliver deeper control, but it typically depends on long implementation cycles and mature data models that many organisations do not have.

Practical implication: assess governance by current identity complexity, not by whether a platform class looks simpler or more complete.

Identity debt and why it compounds in hybrid estates

Identity debt is the accumulation of stale, excessive, or unmanaged access over time. It grows when access decisions are made faster than they are reviewed, especially in environments where systems change frequently and authoritative data is fragmented. Once identity debt forms, quarterly recertification can only sample the problem, not remove it. The result is privilege creep, inherited access, and unresolved segregation-of-duties conflicts across systems that do not share a single governance model.

Practical implication: treat identity debt as an operational backlog that needs daily reduction, not an annual audit issue.

Governance intelligence layers and continuous visibility

A governance intelligence layer sits above existing identity tools and creates a unified view of accounts, roles, access paths, and policy violations. The value is not replacement, but correlation. By building a digital twin or knowledge graph of identity relationships, teams can surface drift, simulate role changes, and identify violations without waiting for a full IGA rebuild. This matters most where governance must span multiple authoritative sources and mixed identity types, including service accounts and workload identities.

Practical implication: add an observability layer where legacy, cloud, and non-human identities cannot be governed consistently through one platform.


Threat narrative

Attacker objective: exploit stale or overbroad access that governance teams have not fully reconciled, increasing the chance of unauthorised use or lateral movement.

  1. Entry occurs through unmanaged identity sprawl, where access is granted across cloud apps, on-prem systems, and disconnected sources without a single control point.
  2. Escalation follows when privilege creep, stale entitlements, and unresolved segregation-of-duties conflicts accumulate faster than manual reviews can remove them.
  3. Impact is governance failure: auditors and operators lose confidence in access decisions, and risky permissions persist long enough to become material exposure.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity governance in the gray zone is a control problem, not a platform problem. The article is right to reject a binary model, because most enterprises do not live in a clean Light IGA or Full IGA state. They live in a mixed environment where entitlement sprawl, disconnected records, and delayed reviews create governance gaps that no single deployment wave can erase. The practitioner conclusion is that governance maturity must be measured by continuity of control, not by product category.

Identity debt is the real operational failure mode behind the gray zone. Stale entitlements, excessive privilege, and unresolved SoD conflicts do not appear suddenly. They accumulate when identity change is faster than governance resolution, especially across cloud, OT, and legacy estates. That makes identity debt a discipline issue for IAM and IGA leaders, not just a visibility issue. The practitioner conclusion is to treat unresolved access as a rolling liability.

Continuous governance beats episodic certification because identity change is continuous. Quarterly access reviews assume stable entitlements and stable systems, but modern estates do not stay still long enough for that assumption to hold. This is where continuous observability, digital twins, and graph-based correlation add value: they turn access from a point-in-time exercise into a daily control surface. The practitioner conclusion is to govern the rate of change, not just the state at review time.

Greenfield platform thinking is the wrong benchmark for most identity programmes. The article captures a hard truth: many teams are not choosing between ideal tools, they are choosing between partial control now and delayed control later. That means the better question is what can raise assurance across existing systems without waiting for a multi-year replacement. The practitioner conclusion is to prioritise bridge controls that improve coverage immediately.

Governance intelligence layers sharpen the boundary between visibility and enforcement. A digital twin can expose drift, simulate roles, and reveal access paths, but it does not by itself remove risky entitlements. That distinction matters because many programmes confuse observability with control. The practitioner conclusion is to use graph-based visibility to drive action, not to declare governance complete.

From our research:

What this signals

Identity governance is moving from certification cycles to continuous observation. The gray zone described in the article is where most programmes fail in practice, because access changes faster than governance workflows can close the loop. With 97% of NHIs carrying excessive privileges according to the Ultimate Guide to NHIs, the same drift problem increasingly applies to machine identities as well.

Governance intelligence will become a bridge control, not a destination. Teams that already rely on quarterly reviews need a way to see identity drift before the next certification window, especially where cloud, legacy, and workload identities overlap. That is why continuous visibility and graph-based correlation are becoming operational necessities, not architecture preferences.

Identity debt is now a board-relevant risk signal. The more fragmented the identity estate, the less reliable point-in-time attestation becomes, and the more likely risky access remains in place long enough to matter. Practitioners should expect governance conversations to shift toward measurable reduction in unresolved access, not just tool coverage.


For practitioners

  • Map the gray zone explicitly: Classify systems by governance maturity, not by whether they sit in a cloud or full-suite category. Identify where manual reviews, spreadsheets, and disconnected sources are carrying production decisions.
  • Measure identity debt as a backlog: Track stale access, unresolved SoD conflicts, orphaned accounts, and delayed review completion as open governance work. Use the backlog to prioritise remediation by risk and business criticality.
  • Add continuous visibility before platform replacement: Overlay a governance intelligence layer that correlates people, accounts, roles, and entitlements across mixed estates. Use it to expose drift daily while longer-term IGA decisions are still in flight.
  • Focus review effort on high-change identities: Prioritise identities that change frequently, span multiple authoritative sources, or carry privileged access. These accounts create the fastest-growing governance gaps and the highest audit exposure.
  • Use digital twin outputs to drive remediation: Translate simulated role and access findings into revocation, reclassification, or policy correction work. Do not treat the visibility layer as the end state of governance.
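The "Technical breakdown" above describes a governance intelligence layer that correlates accounts, roles and access paths into a graph and uses it to surface stale access, orphaned accounts and SoD conflicts, and the practitioner list asks for identity debt to be tracked as a risk-ordered backlog and for digital-twin simulations to drive remediation. The following Python example, added here and not code from the article, Gathid or NHI Mgmt Group, shows a minimal version of both ideas on a constructed hybrid estate. All identities, accounts, entitlements, role names, the 90-day staleness threshold, the scoring weights and the function names are hypothetical assumptions chosen for illustration.

```python
from datetime import date, timedelta

# Constructed sample estate (hypothetical data, not from the article or Gathid):
# an HR feed is authoritative for people, a workload registry for service identities,
# and accounts live in a cloud IdP, an ERP system and an OT historian.
TODAY = date(2025, 11, 28)
STALE_AFTER = timedelta(days=90)   # assumption: unused for 90+ days counts as stale

# identity_id -> (type, status) as reported by the authoritative sources
IDENTITIES = {
    "alice": ("human", "active"),
    "bob": ("human", "terminated"),    # left the company, but an account survives below
    "carol": ("human", "active"),
    "svc-billing": ("workload", "active"),
}
# account_id -> (system, owner identity, or None when no source can resolve the owner)
ACCOUNTS = {
    "alice@cloud": ("cloud-idp", "alice"),
    "alice@erp": ("erp", "alice"),
    "bob@erp": ("erp", "bob"),
    "carol@erp": ("erp", "carol"),
    "svc-billing@cloud": ("cloud-idp", "svc-billing"),
    "legacy-admin": ("ot-historian", None),
}
# role -> entitlements; access that arrives through a role is inherited access
ROLES = {
    "ap-clerk": {"erp:create-vendor"},
    "ap-approver": {"erp:approve-payment"},
    "cloud-admin": {"cloud:iam-admin"},
}
# account_id -> (direct entitlements, role memberships, last successful use)
GRANTS = {
    "alice@cloud": (set(), {"cloud-admin"}, date(2025, 6, 1)),
    "alice@erp": ({"erp:approve-payment"}, {"ap-clerk"}, date(2025, 11, 20)),
    "bob@erp": ({"erp:read-ledger"}, set(), date(2025, 4, 2)),
    "carol@erp": (set(), {"ap-clerk"}, date(2025, 11, 25)),
    "svc-billing@cloud": ({"cloud:iam-admin"}, set(), date(2025, 11, 27)),
    "legacy-admin": ({"ot:historian-admin"}, set(), date(2024, 12, 1)),
}
# segregation-of-duties policy: no single identity may hold both halves of a pair
SOD_PAIRS = [("erp:create-vendor", "erp:approve-payment")]
PRIVILEGED = {"cloud:iam-admin", "ot:historian-admin"}


def effective_entitlements(account_id):
    """Resolve direct and role-inherited entitlements; the value is the access path."""
    direct, roles, _ = GRANTS[account_id]
    paths = {e: "direct" for e in direct}
    for role in roles:
        for e in ROLES[role]:
            paths.setdefault(e, "role:" + role)
    return paths

def identity_access():
    """Correlate accounts back to identities: identity -> {entitlement: (account, path)}."""
    graph = {}
    for acct, (_, owner) in ACCOUNTS.items():
        if owner is None:
            continue                      # unowned accounts surface as orphans instead
        for ent, path in effective_entitlements(acct).items():
            graph.setdefault(owner, {})[ent] = (acct, path)
    return graph

def find_orphaned_accounts():
    """Accounts whose owner is unknown or no longer active in any authoritative source."""
    out = []
    for acct, (_, owner) in ACCOUNTS.items():
        if owner is None:
            out.append((acct, "no resolvable owner"))
        elif IDENTITIES[owner][1] != "active":
            out.append((acct, "owner %s is %s" % (owner, IDENTITIES[owner][1])))
    return out

def find_stale_access(today=TODAY):
    """Entitlements on accounts that have not been used within STALE_AFTER."""
    out = []
    for acct, (_, _, last_used) in GRANTS.items():
        idle = (today - last_used).days
        if idle > STALE_AFTER.days:
            out.extend((acct, ent, idle) for ent in effective_entitlements(acct))
    return out

def find_sod_conflicts():
    """Identities holding both halves of an SoD pair via any account or role."""
    out = []
    for ident, ents in identity_access().items():
        for a, b in SOD_PAIRS:
            if a in ents and b in ents:
                out.append((ident, a, ents[a], b, ents[b]))
    return out

def simulate_role_grant(account_id, role):
    """What-if check before approval: which new SoD conflicts would this role create?"""
    saved = GRANTS[account_id]
    before = {(c[0], c[1], c[3]) for c in find_sod_conflicts()}
    GRANTS[account_id] = (saved[0], saved[1] | {role}, saved[2])
    try:
        after = {(c[0], c[1], c[3]) for c in find_sod_conflicts()}
    finally:
        GRANTS[account_id] = saved        # the twin never mutates real state
    return sorted(after - before)

def identity_debt_backlog():
    """Flatten findings into one risk-ordered work queue (higher score first)."""
    items = []
    for acct, reason in find_orphaned_accounts():
        items.append((3 + bool(PRIVILEGED & set(effective_entitlements(acct))), "orphaned", acct, reason))
    for ident, a, (_, pa), b, (_, pb) in find_sod_conflicts():
        items.append((3, "sod-conflict", ident, "%s via %s and %s via %s" % (a, pa, b, pb)))
    for acct, ent, idle in find_stale_access():
        items.append((1 + (ent in PRIVILEGED), "stale", acct, "%s unused for %d days" % (ent, idle)))
    return sorted(items, key=lambda item: -item[0])

if __name__ == "__main__":
    for score, kind, subject, detail in identity_debt_backlog():
        print(score, kind, subject, detail)
    print("what-if carol@erp += ap-approver:", simulate_role_grant("carol@erp", "ap-approver"))
```

Running the script lists the backlog with the unowned privileged OT account first, then the account of a terminated user, alice's SoD conflict (one half held directly, the other inherited through a role, which is exactly the cross-path case manual reviews tend to miss), and the stale entitlements last. The what-if call shows the digital-twin idea from the text: granting carol the approver role is flagged as a conflict before any change is made, and the simulated state is rolled back so visibility never becomes an unintended write.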

Key takeaways

  • The article’s core argument is that identity governance fails when teams are forced to choose between shallow speed and slow completeness.
  • The real risk is identity debt, which compounds across hybrid estates and makes manual review cycles structurally too slow.
  • Continuous observability can bridge the gap, but practitioners still need remediation workflows that actually remove risky access.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
NIST CSF 2.0                    | PR.AC-4             | Access permissions must stay current across changing identity states.
NIST Zero Trust (SP 800-207)    |                     | Continuous verification is required when access changes daily across mixed estates.
OWASP Non-Human Identity Top 10 | NHI-03              | Stale machine access and excessive privilege are central to the article's gray-zone risk.

Map recurring access drift to PR.AC-4 and tighten review cadence for high-change identities.


Key terms

  • Identity debt: Identity debt is the buildup of unmanaged, excessive, outdated, or orphaned access across an organisation. It forms when governance cannot keep pace with change, and it becomes harder to remove as systems, roles, and approvals spread across multiple platforms and owners.
  • Light IGA: Light IGA is a streamlined identity governance approach focused on fast deployment, basic provisioning, and routine access reviews. It is useful when identity environments are relatively simple, but it often lacks the depth needed for complex SoD enforcement, hybrid visibility, and mature lifecycle control.
  • Full IGA: Full IGA is a comprehensive identity governance model that aims to manage entitlements, workflows, segregation of duties, and richer analytics across a complex enterprise. It is typically better suited to large and diverse environments, but it usually requires extensive integration and longer delivery cycles.
  • Governance intelligence layer: A governance intelligence layer is an independent observability capability placed above existing identity tools to correlate accounts, roles, access paths, and policy violations. It does not replace core IAM or IGA systems. Its purpose is to improve visibility, simulate change, and accelerate governance decisions.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Gathid: Identity governance in the gray zone and the case for continuous control. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-11-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org