By NHI Mgmt Group Editorial Team | Published 2023-10-19 | Domain: Governance & Risk | Source: 1Kosmos

TL;DR: Identity governance is meant to align access with role, risk, and regulation, but the article shows how lifecycle management, access reviews, and RBAC are being stretched by expanding ecosystems, stricter compliance, and more complex offboarding, according to 1Kosmos. The real test is whether governance can keep pace with identity sprawl before orphaned access becomes operational debt.


At a glance

What this is: This is a primer on identity governance that argues access, lifecycle, and compliance controls need to be managed as a single programme.

Why it matters: It matters because IAM teams must govern human access, machine access, and lifecycle processes together if they want to reduce audit friction, privilege creep, and exposure.



Context

Identity governance is the discipline of deciding who or what should have access, for how long, and under what policy. In practice, it is the control layer that keeps access aligned to role change, offboarding, and compliance obligations as environments expand.

The article frames identity governance as more than audit preparation. For IAM, IGA, and security teams, the central problem is keeping entitlements accurate as business change speeds up and access decisions spread across humans, machines, and shared workflows.


Key questions

Q: How should organisations implement identity governance without creating process overload?

A: Start by anchoring governance to lifecycle events, role models, and risk tiers. The aim is not more approvals, but fewer ambiguous entitlements. High-risk identities need stronger review and revocation controls, while low-risk access can use lighter-weight processes. That keeps governance effective without turning it into manual bottleneck work.

Q: Why do access reviews often fail to improve identity governance?

A: Access reviews fail when teams treat completion as success. If reviewers only confirm that an entitlement exists, rather than whether it should exist, the programme becomes a reporting exercise. Effective reviews remove unnecessary access, surface role drift, and trigger follow-up on exceptions that no longer match business need.

Q: What breaks when identity lifecycle management is too slow?

A: When lifecycle management lags behind business change, access outlives the event that justified it. That creates orphaned accounts, stale privileges, and audit evidence that no longer reflects current reality. The result is avoidable exposure and more work for security, operations, and compliance teams.

Q: Who should own identity governance across security and compliance teams?

A: Identity governance needs shared ownership because it sits between HR, IAM, security operations, audit, and the business. Security can run the controls, but business owners must confirm role intent and managers must validate access need. Without that split of responsibility, governance becomes either disconnected or overly centralised.


Technical breakdown

Identity lifecycle management as the control plane for access

Identity lifecycle management covers provisioning, changes in role, and deprovisioning. It is the part of governance that keeps identities aligned with business state instead of leaving access to drift. When lifecycle steps are weak, organisations create orphaned accounts, outdated entitlements, and review evidence that no longer matches reality. The article correctly treats lifecycle as the backbone of governance rather than a side process because every later control depends on it being accurate.

Practical implication: tie joiner, mover, and leaver events directly to entitlement updates and revocation workflows.

RBAC and access reviews are governance controls, not admin tasks

Role-based access control groups permissions by job function, while access reviews test whether those permissions still belong. Used together, they reduce entitlement sprawl and create evidence for audit and policy enforcement. The failure mode is treating roles as static and reviews as paperwork, which allows exceptions to harden into normal access. In mature programmes, RBAC defines expected access and review cycles validate whether reality still matches that definition.

Practical implication: define role models from business functions and recertify them against actual access patterns on a fixed schedule.

Policy and risk management define the boundaries of identity governance

Policy and risk management turn identity governance from a catalogue of controls into a decision framework. Policies decide which access patterns are acceptable, while risk management determines where exceptions, compensating controls, or extra scrutiny are needed. This matters because not all identities carry the same exposure. Privileged users, third parties, and service-linked identities need different governance depth than low-risk, low-impact accounts.

Practical implication: segment governance by risk tier so high-impact identities receive stronger review, approval, and monitoring controls.


NHI Mgmt Group analysis

Identity governance fails when lifecycle processes lag identity change. The article is right to centre provisioning and deprovisioning because governance breaks when access outlives the business event that justified it. Orphaned access, stale roles, and delayed revocation are not side effects; they are the normal operating condition of weak lifecycle control. The practitioner conclusion is simple: governance is only as current as the last lifecycle event it accurately processed.

Role-based access control is useful only when roles stay close to reality. RBAC is often sold as simplification, but simplification becomes risk when roles accumulate exceptions faster than they are cleaned up. The article’s emphasis on aligning access with job responsibilities reflects the core governance problem, which is role drift. The practitioner conclusion is that role engineering and recertification must be treated as ongoing control work, not one-time design.

Access review programmes often measure activity instead of entitlement truth. The article’s discussion of periodic audits points to a common failure mode in governance programmes: reviewers confirm that a review happened, not that access was actually justified. That turns certification into a compliance ritual. The practitioner conclusion is to judge review quality by removal of unnecessary access, not by completion rates alone.

Identity governance is now a cross-domain control problem, not an IAM-only one. The article spans compliance, operational efficiency, onboarding, offboarding, and policy enforcement because governance sits between HR, security, operations, and audit. That breadth is the point. The practitioner conclusion is that identity governance programmes need shared ownership and common decision criteria across functions, or they will fragment into disconnected controls.

Named concept: entitlement drift. The article describes how access changes over time while policies and job roles fail to keep up. That gap is entitlement drift, the slow mismatch between what an identity can do and what it should do. The practitioner conclusion is to treat drift as a governance signal, not an isolated permissions issue.

From our research:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to the Ultimate Guide to NHIs.
  • 97% of NHIs carry excessive privileges, increasing the risk of unauthorised access and broadening the attack surface.
  • For lifecycle and offboarding depth, see the NHI Lifecycle Management Guide, which maps provisioning, rotation, and revocation to governance outcomes.

What this signals

Entitlement drift: identity governance programmes should now be judged by how quickly they remove obsolete access, not by how many certifications they complete. The practical risk is that every delayed mover or leaver event widens the gap between policy and reality, especially where third-party access and shared accounts are involved.

A governance model built only around annual reviews will miss the pace of modern business change. Teams need lifecycle automation, risk-based segmentation, and manager accountability so access decisions stay tied to current work, not historic assumptions.

For practitioners, the signal is clear: identity governance is becoming an operational control, not an audit wrapper. Programmes that cannot prove timely revocation, clean role design, and defensible exception handling will keep absorbing risk instead of reducing it.


For practitioners

  • Rebuild lifecycle triggers around business events: connect provisioning, role change, and deprovisioning to HR and contractor status changes so access is updated when the identity changes, not at the next review cycle.
  • Use role engineering to shrink entitlement drift: map job functions to a small number of durable roles, then remove local exceptions that have accumulated through project work, temporary access, or informal approvals.
  • Measure access review outcomes by removals, not completion: track how many entitlements were revoked, narrowed, or re-scoped during recertification so the programme shows actual governance effect rather than administrative activity.
  • Separate high-risk identities into stricter governance paths: apply stronger approval, monitoring, and evidence requirements to privileged users, third parties, and service-linked accounts instead of running every identity through the same process.
  • Document policy exceptions with expiry conditions: require every exception to carry an owner, a reason, and a removal date so temporary access does not become permanent by default.
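The lifecycle triggers, role model, risk-tiered revocation SLA, exception expiry and removal-based metrics described in the technical breakdown and in the checklist above, combined in one added Python example. This is not code from 1Kosmos or NHI Mgmt Group: the role model, the per-tier SLA values, the identities, lifecycle events, target-system exports and exceptions are all constructed for illustration, and the finding kinds (orphan, leaver, drift) are names chosen here.

```python
# Added example (not 1Kosmos or NHIMG code): JML entitlement reconciliation. All data is constructed.
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Role model: business function -> durable entitlements (assumed sample roles).
ROLE_MODEL = {
    "payroll-analyst": {"hr-app:read", "payroll:run"},
    "sre": {"prod:ssh", "ci:deploy", "vault:read"},
    "contractor-qa": {"test-env:login"},
}
# Risk tier -> days a leaver's access may survive before revocation is overdue (assumed SLAs).
REVOKE_SLA_DAYS = {"high": 1, "standard": 7}

@dataclass
class Identity:
    uid: str
    role: Optional[str]             # current business function; None once they have left
    tier: str                       # "high" or "standard"
    left_on: Optional[date] = None  # set by the leaver event

def apply_event(identities: dict, event: dict) -> None:
    """Fold one HR/contractor lifecycle event into identity state."""
    kind, uid = event["kind"], event["uid"]
    if kind == "joiner":
        identities[uid] = Identity(uid, event["role"], event["tier"])
    elif kind == "mover":
        identities[uid].role = event["role"]    # the old role's grants are now drift
    elif kind == "leaver":
        identities[uid].role = None
        identities[uid].left_on = event["date"]
    else:
        raise ValueError(f"unknown lifecycle event {kind!r}")

def expected_entitlements(ident: Identity, exceptions: list, today: date) -> set:
    """Role entitlements plus exceptions that carry owner, reason and an unexpired removal date."""
    expected = set(ROLE_MODEL.get(ident.role, set())) if ident.role else set()
    for ex in exceptions:
        if ex["uid"] != ident.uid:
            continue
        documented = all(ex.get(k) for k in ("owner", "reason", "expires"))
        if documented and today <= ex["expires"]:   # undocumented or expired: grants nothing
            expected.add(ex["entitlement"])
    return expected

def reconcile(identities: dict, actual: dict, exceptions: list, today: date) -> list:
    """Compare grants exported from target systems with expected access; one finding per issue."""
    findings = []
    for uid, grants in actual.items():
        ident = identities.get(uid)
        if ident is None:                           # account with no governing identity
            findings.append({"uid": uid, "kind": "orphan", "revoke": set(grants)})
            continue
        revoke = set(grants) - expected_entitlements(ident, exceptions, today)
        if ident.left_on is not None:               # leaver: everything left is overdue work
            age = (today - ident.left_on).days
            findings.append({"uid": uid, "kind": "leaver", "revoke": revoke,
                             "sla_breached": age > REVOKE_SLA_DAYS[ident.tier]})
        elif revoke:                                # active identity with entitlement drift
            findings.append({"uid": uid, "kind": "drift", "revoke": revoke})
    return findings

def removal_metrics(findings: list) -> dict:
    """Judge the run by what it removes, not by how many identities it processed."""
    return {
        "entitlements_to_revoke": sum(len(f["revoke"]) for f in findings),
        "orphaned_accounts": sum(f["kind"] == "orphan" for f in findings),
        "leaver_sla_breaches": sum(f.get("sla_breached", False) for f in findings),
    }

def demo_findings(today: date = date(2024, 3, 20)) -> list:
    """Run the constructed scenario: a mover, a contractor leaver, an orphan and two exceptions."""
    identities: dict = {}
    events = [
        {"kind": "joiner", "uid": "alice", "role": "payroll-analyst", "tier": "high"},
        {"kind": "joiner", "uid": "bob", "role": "sre", "tier": "high"},
        {"kind": "joiner", "uid": "carol", "role": "contractor-qa", "tier": "standard"},
        {"kind": "mover", "uid": "bob", "role": "payroll-analyst"},
        {"kind": "leaver", "uid": "carol", "date": date(2024, 3, 10)},
    ]
    for ev in events:
        apply_event(identities, ev)
    exceptions = [
        {"uid": "alice", "entitlement": "ci:deploy", "owner": "it-ops",
         "reason": "Q1 release support", "expires": date(2024, 3, 31)},
        {"uid": "bob", "entitlement": "prod:ssh", "owner": "platform-lead",
         "reason": "break-glass"},                  # no removal date, so it grants nothing
    ]
    actual = {                                      # grants as reported by target systems
        "alice": {"hr-app:read", "payroll:run", "ci:deploy"},
        "bob": {"prod:ssh", "ci:deploy", "vault:read", "hr-app:read", "payroll:run"},
        "carol": {"test-env:login"},
        "dave": {"vault:read"},                     # account with no HR record at all
    }
    return reconcile(identities, actual, exceptions, today)

if __name__ == "__main__":
    print(*demo_findings(), removal_metrics(demo_findings()), sep="\n")
```

On the constructed data the run reports bob's old SRE grants as drift after his mover event, carol's contractor access as a leaver past the standard-tier SLA, and dave as an orphaned account; alice's ci:deploy is accepted only while her documented exception is unexpired, and bob's undated prod:ssh exception authorises nothing, which is the "expires by default" behaviour the checklist asks for. The run is scored by removal_metrics, that is by entitlements to revoke and SLA breaches, not by identities processed.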

Key takeaways

  • Identity governance breaks down when access, role, and lifecycle changes are not kept in sync.
  • The scale of the problem is already visible in third-party exposure, privilege sprawl, and weak offboarding discipline.
  • Teams should measure governance by entitlement removal, role accuracy, and revocation speed rather than review completion alone.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identities Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-207 (Zero Trust Architecture) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-01, PR.AA-05 | Identities and credentials are managed by the organisation (PR.AA-01); access permissions and entitlements are defined in policy, managed, enforced and reviewed under least privilege and separation of duties (PR.AA-05). The older identifier PR.AC-4 is a CSF 1.1 subcategory, not a CSF 2.0 or SP 800-207 reference.
NIST SP 800-207 (Zero Trust Architecture) | Tenets of zero trust (Section 2.1) | Least-privilege, per-session access that is dynamically evaluated before it is granted is central to governance.
OWASP Non-Human Identities Top 10 (2025) | NHI1:2025 Improper Offboarding; NHI7:2025 Long-Lived Secrets | Offboarding and rotation failures are common NHI governance weaknesses.
OWASP Non-Human Identities Top 10 (2025) | NHI5:2025 Overprivileged NHI | Excessive NHI privileges are the machine-identity form of entitlement drift.

Map lifecycle and access governance to identity assurance and review controls, then remove stale entitlements.


Key terms

  • Identity Governance: Identity governance is the set of policies and operating controls used to decide who or what should have access, why that access exists, and when it must be removed. It turns identity management into a governed lifecycle with auditability, accountability, and risk control.
  • Entitlement Drift: Entitlement drift is the gap that appears when an identity’s actual permissions no longer match the role, task, or business need that originally justified them. It grows through exceptions, delayed reviews, and incomplete offboarding, and it is one of the clearest signs of weak governance.
  • Access Review: An access review is a formal check that confirms whether an identity still needs the permissions it has been granted. Done well, it removes stale access and documents accountability. Done badly, it becomes a compliance exercise that records activity without reducing exposure.
  • Identity Lifecycle Management: Identity lifecycle management is the process of provisioning, changing, and removing access as the identity’s role or relationship to the organisation changes. It is the operational backbone of governance because every delayed lifecycle event increases the chance of excess or orphaned access.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by 1Kosmos: identity governance, lifecycle management, and access control best practices. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2023-10-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org