TL;DR: Modern identity governance failures are less about missing visibility than about poor data, fragmented context, and slow action across identity systems, according to RSA Security. The implication is that governance programmes now need cleaner entitlement data, faster decisioning, and tighter lifecycle control to stay effective.
At a glance
What this is: This is RSA Security’s view that identity governance breaks less from lack of visibility than from bad data and weak actionability.
Why it matters: For IAM teams, the message is that governance quality now depends on data hygiene, decision speed, and lifecycle execution across human and non-human identities.
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 5.7% of organisations have full visibility into their service accounts.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
👉 Read RSA Security's analysis of why identity governance breaks in modern environments
Context
Identity governance is the discipline of deciding who or what should have access, proving that decision is still valid, and removing access when it is no longer needed. RSA Security’s framing is that the core failure in modern programmes is not a lack of dashboards, but weak data quality and poor actionability across entitlements, lifecycle events, and access reviews.
That matters because identity programmes now span human users, service accounts, secrets, and increasingly automated or agentic access patterns. When the underlying identity data is incomplete, stale, or inconsistent, recertification becomes paperwork instead of control, and lifecycle governance turns reactive rather than preventive.
Key questions
Q: How should security teams fix identity governance when the data is unreliable?
A: Start with the inventory layer, not the review layer. Identity governance only works when entitlements, owners, and system relationships are accurate enough to support decisions. Clean the source data, remove duplicates, and reconcile ownership before automating recertification or lifecycle actions. Otherwise, the programme will keep producing decisions on top of broken records.
Q: Why do access reviews often fail to reduce real risk?
A: Access reviews fail when they produce evidence but do not drive closure. If decisions are not converted quickly into revocation or restriction, risk remains in place and the review becomes a compliance artefact. The control only works when remediation is measured and owned, not when completion alone is treated as success.
Q: What do teams get wrong about non-human identity lifecycle management?
A: They often apply human lifecycle thinking to machine credentials. Service accounts, API keys, and tokens need ownership, purpose, expiry, and offboarding tied to the service they support. If the identity can outlive the workload or vendor relationship, it has become an unmanaged persistence risk.
Q: Who should own the cleanup after a risky entitlement is found?
A: The business or technical owner accountable for the application, workload, or data path should own cleanup. Identity teams can orchestrate the process, but they cannot substitute for accountable ownership. Without a named owner, risky access tends to remain open because nobody has authority to approve removal.
Technical breakdown
Why identity governance fails when the data model is incomplete
Identity governance depends on accurate relationships between identities, entitlements, owners, systems, and business context. If that graph is broken, the programme cannot tell which access is excessive, which account is orphaned, or which reviewer is accountable. In practice, the weak point is often not the workflow engine but the source data feeding it. That makes governance quality a data integration problem as much as a policy problem, especially in environments where cloud, SaaS, and NHI inventories are fragmented.
Practical implication: inventory identity sources and entitlement ownership before expanding certification or lifecycle automation.
Why access reviews stall when action is decoupled from review
Access reviews only reduce risk when a decision can be turned into removal, revocation, or restriction quickly. In many programmes, review decisions sit in queues, depend on manual routing, or lack authoritative owners, so the control produces evidence but not change. That creates a compliance-shaped process with limited security value. For NHIs and service accounts, the problem is sharper because stale access often persists longer and is harder to justify than human access.
Practical implication: measure time-to-remediate after certification, not just completion rate.
How lifecycle governance changes when identities are not human
Lifecycle governance for non-human identities is not a human joiner-mover-leaver problem with different labels. Service accounts, API keys, and tokens need ownership, expiry logic, offboarding, and periodic validation tied to the systems they support. Without that, privilege accumulates and identities outlive the service relationships that created them. The same governance structure also matters for autonomous access patterns if they exist, because unmanaged machine identities become long-lived control gaps.
Practical implication: bind every non-human identity to an owner, purpose, expiry, and revocation path.
Threat narrative
Attacker objective: The objective is to turn governance gaps into durable access that can be used for data exposure, lateral movement, or operational disruption.
- Entry occurs when attackers or internal risk conditions exploit stale, overbroad, or poorly governed identity data to find usable access paths.
- Escalation follows when excessive privileges, orphaned accounts, or delayed revocation let that access expand beyond its intended scope.
- Impact is realised when the compromised identity can reach sensitive systems, data, or downstream services without a timely governance response.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity governance is becoming a data integrity problem before it is a workflow problem. RSA Security’s framing reflects a wider shift in enterprise identity: if the entitlement graph is wrong, no amount of review cadence can restore control. Clean source data is now the prerequisite for meaningful governance, because bad ownership, stale entitlements, and missing context make every downstream decision weaker. Practitioners should treat identity data quality as a control surface, not an operational afterthought.
Visibility without actionability is the new governance failure mode. Programmes can produce reports, dashboards, and certification evidence while leaving the risky access untouched. That creates the illusion of control without actual reduction in exposure. The discipline now needs tighter handoff from review to remediation, with accountable ownership and measurable closure, or governance becomes a compliance exercise rather than a security function.
Non-human identity governance exposes the limits of human-designed lifecycle processes. Service accounts, API keys, and tokens do not age out on a human schedule, and they rarely self-describe their purpose or owner. That means lifecycle models built around employee events miss the real persistence problem. The implication is that identity governance must be re-centred on the asset and service relationship, not just the person relationship.
Access reviews have a time-value problem that modern estates can no longer ignore. The longer a decision sits between identification and revocation, the less meaningful the review becomes. In hybrid estates with cloud sprawl and machine identities, delay is itself a control failure because access can remain exploitable after the reviewer has signed off. Practitioners should treat remediation latency as a first-class governance metric.
Identity governance is collapsing because organisations still separate compliance evidence from operational closure. Many programmes can show that a review happened, but not that the risky entitlement disappeared. That gap matters most where third-party access, NHIs, and privileged pathways overlap. The field needs governance models that prove action, not just decision, if identity controls are going to reduce actual exposure.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- A related finding shows that only 5.7% of organisations have full visibility into their service accounts, which means most governance teams are operating with an incomplete identity picture.
- For lifecycle and remediation depth, see Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs for the operational controls that turn identity data into action.
What this signals
Identity data quality is becoming the deciding factor in governance maturity. When entitlement ownership is unclear, recertification and provisioning processes cannot produce trustworthy outcomes. That is why teams should expect identity programmes to shift from periodic review campaigns toward continuous reconciliation of identity records, ownership, and revocation state.
Only 20% of organisations have formal processes for offboarding and revoking API keys, according to Ultimate Guide to NHIs, which means lifecycle discipline remains a structural gap. RSA Security’s emphasis on actionability fits that reality: many teams can list access, but far fewer can reliably remove it. The next maturity step is not another dashboard, but a closure workflow that proves revocation happened.
Access review programmes should be rethought as closure systems, not report generators. If an entitlement review does not trigger a measurable remediation path, the control is only documenting risk. Teams that align governance with operational closure will be better prepared for environments where human, machine, and service access coexist.
For practitioners
- Rebuild the entitlement inventory from authoritative sources: Map each application, cloud platform, and directory source to a single entitlement record with owner, business purpose, and system-of-record status. Remove duplicate and stale records before expanding access reviews or lifecycle automation.
- Track review-to-remediation latency as a control metric: Measure how long it takes to turn a recertification decision into revocation, restriction, or re-approval. If closure takes longer than the risk window for the access type, the review process is not providing real protection.
- Assign explicit ownership to every non-human identity: Require a named owner for service accounts, API keys, tokens, and certificates, plus an expiry or rotation path. If no owner can be identified, classify the identity as unmanaged and remove or quarantine it.
- Tie lifecycle controls to service relationships: Link provisioning, recertification, and offboarding to the application or workload that depends on the identity. When the service is retired, decommission the associated credentials and access paths at the same time.
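The four practitioner steps above, and the Technical breakdown's points on entitlement data quality, unmanaged NHIs and time-to-remediate, as one worked example. This is an added illustration, not code from RSA Security or NHI Mgmt Group; the inventory rows, identity names and review decisions are constructed sample data, and the 24-hour risk window is an assumed threshold.

```python
from datetime import datetime

# Constructed sample inventory (not real data): the same service account appears in two
# sources with different completeness, a CI token has no owner, and one row is a human.
RAW_RECORDS = [
    {"source": "aws", "identity": "svc-billing", "entitlement": "s3:GetObject@billing",
     "kind": "nhi", "owner": "payments-team", "expires": "2026-06-30"},
    {"source": "cmdb", "identity": "svc-billing", "entitlement": "s3:GetObject@billing",
     "kind": "nhi", "owner": None, "expires": None},
    {"source": "github", "identity": "ci-deploy-token", "entitlement": "repo:write@infra",
     "kind": "nhi", "owner": None, "expires": None},
    {"source": "ad", "identity": "jdoe", "entitlement": "group:finance-admins",
     "kind": "human", "owner": "hr-system", "expires": None},
]

def reconcile(records):
    """Collapse per-source rows into one record per (identity, entitlement), keeping the
    first non-empty owner/expiry seen and remembering which sources contributed."""
    merged = {}
    for r in records:
        key = (r["identity"], r["entitlement"])
        m = merged.setdefault(key, {"identity": r["identity"], "entitlement": r["entitlement"],
                                    "kind": r["kind"], "owner": None, "expires": None, "sources": []})
        m["owner"] = m["owner"] or r["owner"]
        m["expires"] = m["expires"] or r["expires"]
        m["sources"].append(r["source"])
    return list(merged.values())

def unmanaged_nhis(merged):
    """An NHI with no named owner or no expiry/rotation path is unmanaged: it should be
    quarantined or removed, not recertified on top of a broken record."""
    return sorted(m["identity"] for m in merged
                  if m["kind"] == "nhi" and not (m["owner"] and m["expires"]))

# Constructed review decisions: closed_at is None while revocation is still pending.
DECISIONS = [
    {"identity": "svc-billing", "action": "revoke",
     "decided_at": "2026-03-01T09:00", "closed_at": "2026-03-01T15:00"},
    {"identity": "ci-deploy-token", "action": "revoke",
     "decided_at": "2026-03-01T09:00", "closed_at": None},
]

def remediation_latency(decisions, now, risk_window_hours=24):
    """Per identity: (hours from decision to closure, or to `now` if still open;
    window breached?; still open?). Open items count against the window, not as done."""
    fmt = "%Y-%m-%dT%H:%M"
    out = {}
    for d in decisions:
        start = datetime.strptime(d["decided_at"], fmt)
        end = datetime.strptime(d["closed_at"] or now, fmt)
        hours = (end - start).total_seconds() / 3600
        out[d["identity"]] = (round(hours, 1), hours > risk_window_hours, d["closed_at"] is None)
    return out
```

Running the three functions over the sample data collapses the duplicated service account into one owned record, flags the ownerless CI token as unmanaged, and reports the pending revocation as a 48-hour breach of the window rather than a completed review.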
Key takeaways
- The central problem is no longer just visibility. It is whether identity data is accurate enough to support real governance decisions.
- Governance fails when reviews generate evidence but do not reliably remove risky access, especially for non-human identities.
- Teams should prioritise ownership, closure, and lifecycle linkage so identity controls produce actual risk reduction instead of compliance artefacts.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Identity data quality and ownership failures underpin NHI governance gaps. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege and access management depend on accurate entitlements. |
| NIST Zero Trust (SP 800-207) | N/A | Zero trust depends on continuous verification of identity and entitlement state. |
Use zero trust principles to shorten trust duration and reduce reliance on stale access.
Key terms
- Identity Governance: Identity governance is the discipline of controlling who or what has access, proving that access remains appropriate, and removing it when it is no longer justified. It spans human users, service accounts, secrets, and automated identities, so the quality of the underlying data determines whether the control works in practice.
- Non-Human Identity: A non-human identity is a machine-usable credential or account such as a service account, API key, token, certificate, or workload identity. It must be owned, scoped, and retired like any other identity asset, because long-lived machine credentials can persist well beyond the service relationship they were created for.
- Access Review: An access review is a periodic decision process used to validate whether a person or non-human identity still needs a permission. It only creates security value when the decision is followed by timely remediation, because a review that does not lead to removal or restriction simply records the risk.
- Lifecycle Offboarding: Lifecycle offboarding is the process of revoking access and retiring identities when the associated user, service, vendor, or workload is no longer active. For non-human identities, offboarding must be tied to the service relationship, not just to human employment events, or credentials will outlive their purpose.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance maturity, it is worth exploring.
This post draws on content published by RSA Security: You Don’t Have an IGA Problem. You Have a Data Problem. Read the original.
Published by the NHIMG editorial team on 2026-04-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org