TL;DR: Identity governance is most exposed where permissions, roles, and identities change faster than review cycles can keep up, and Soffid’s analysis argues automation and standardisation are needed to maintain compliance, reduce over-privilege, and prevent unauthorised access across hybrid estates. The governance problem is not missing controls but stale controls that cannot track thousands of moving identities.
At a glance
What this is: This is a vendor analysis of identity governance risks and the case for automating account, credential, and access-review processes across human and non-human identities.
Why it matters: It matters because IAM teams need governance that keeps pace with changing entitlements, or they inherit over-privilege, audit failure, and access paths that are no longer defensible.
👉 Read Soffid's analysis of identity governance risks and lifecycle automation
Context
Identity governance is the discipline of deciding who or what can access which systems, data, and actions, then continuously verifying that those permissions still make sense. The challenge is not simply defining access once, but keeping it current when users, roles, suppliers, and machine accounts change faster than manual review cycles.
Soffid’s article frames that problem as a governance and lifecycle issue across human and non-human identities, especially in hybrid environments where on-premise, cloud, and SaaS access all need the same policy discipline. That is a typical enterprise problem, not an edge case, and it becomes more acute as identity sprawl grows.
For practitioners, the key question is whether access governance is still being treated as a periodic control exercise or as a live operating model. Once identity volume and change velocity exceed manual oversight, stale entitlements become the control failure, not the exception.
Key questions
Q: How should security teams govern access changes across hybrid identity environments?
A: They should treat provisioning, review, and revocation as one lifecycle control loop rather than separate tasks. The practical goal is to keep permissions aligned with current business need across cloud, SaaS, and on-premise systems. If identity state cannot be updated quickly enough, stale access becomes the real control gap.
Q: Why do access reviews fail when identities change frequently?
A: Access reviews fail when the review cycle is slower than the rate of role and entitlement change. By the time the certifier sees the permission set, it may already be outdated, which means the process validates history instead of current need. That is why review must be tied to live lifecycle data.
Q: What breaks when identity governance is handled manually at scale?
A: Manual governance breaks because account creation, modification, and revocation cannot keep pace with thousands of identities across multiple environments. The result is inconsistent policy enforcement, delayed offboarding, and privilege drift. At scale, manual review becomes an administrative record, not an effective security control.
Q: Who is accountable when access remains active after a role or relationship ends?
A: Accountability sits with the business owner and the identity governance process that failed to revoke access on time. In practice, auditors will look for evidence that lifecycle ownership, approval, and deprovisioning were defined and executed. If they were not, the organisation inherits the risk and the compliance finding.
Technical breakdown
Why dynamic access environments break manual identity governance
Identity governance depends on knowing three things at once: who the identity is, what it can do, and whether that access is still justified. In dynamic estates, those answers drift as roles change, suppliers rotate, projects end, and new applications appear. The result is not usually a total lack of controls, but controls that age out faster than they are reviewed. That is why governance maturity is less about policy wording and more about whether entitlement state can be maintained in near real time across platforms and identity types.
Practical implication: move governance from periodic validation to continuous entitlement state management across all connected systems.
How role-based access control and lifecycle automation work together
RBAC reduces decision complexity by grouping permissions into roles, but it does not solve lifecycle drift on its own. When role assignment, account creation, modification, and deprovisioning are automated, access can be kept aligned with current job function or business relationship instead of historical assignment. The important distinction is that automation here is governance automation, not autonomous decision-making. It standardises repeatable identity administration so that policy can be enforced consistently across internal employees, contractors, suppliers, and service identities.
Practical implication: tie RBAC to automated joiner-mover-leaver workflows so role changes and offboarding actually remove access.
Why access review and credential provisioning must be treated as the same control loop
Access reviews and credential provisioning are often run as separate processes, but they are two halves of the same governance loop. Provisioning creates the entitlement, and review confirms whether it still belongs there. If those functions are disconnected, organisations end up certifying stale access while new access is being issued elsewhere. The strongest governance programmes treat review, re-provisioning, and revocation as one operating model, backed by policy and evidence for auditability.
Practical implication: design one lifecycle workflow that can provision, recertify, and revoke access without separate manual handoffs.
Threat narrative
Attacker objective: The attacker aims to reuse legitimate access to move through the environment and reach sensitive data or systems without triggering immediate challenge.
- entry: legitimate credentials or permissions become the attacker’s entry point when access is no longer tightly aligned with current need.
- escalation: over-privileged or stale entitlements allow movement from a normal user context into broader systems, data, or administrative functions.
- impact: unauthorised access to company data and assets continues because governance did not remove or detect the outdated permission state in time.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity governance breaks first at the point where review cycles lag identity change. The problem in modern IAM is rarely an absence of policy, but a mismatch between how fast entitlements change and how slowly they are certified. That mismatch is what creates stale access, audit noise, and hidden privilege paths. Practitioners should treat review cadence as a control boundary, not a compliance routine.
Automation is the only practical way to keep lifecycle governance aligned with hybrid identity sprawl. When organisations manage thousands of human and non-human identities across cloud, on-premise, and SaaS, manual administration becomes a loss-making control model. Standardising creation, modification, and revocation is the difference between governance that scales and governance that merely documents risk. Practitioners should measure whether lifecycle actions are executed at machine speed, not whether policy exists on paper.
Role-based access control is necessary but incomplete without revocation discipline. RBAC can limit access design, yet it does not remove access that has outlived its business purpose. That is why lifecycle offboarding, access revocation, and recertification must be treated as one control family. Practitioners should assume every role assignment is temporary unless the business can prove otherwise.
Identity governance maturity is increasingly a cross-domain issue, not a human-only IAM problem. The same lifecycle discipline now has to cover employees, contractors, suppliers, and service identities, because each can become a persistent access path if unmanaged. This broadens the control conversation from account administration to identity lifecycle assurance across the estate. Practitioners should align governance operating models to identity type, not just to application ownership.
From our research:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, including 46% confirmed and 26% suspected.
- For the lifecycle angle, see Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs, which explains how provisioning, rotation, and offboarding need to work together.
What this signals
Lifecycle governance is becoming the pressure point in IAM programmes. When access changes faster than review cycles, organisations do not just accumulate risk, they also lose confidence in their own entitlement records. That is why lifecycle evidence, not policy language, will increasingly determine whether governance is operational or performative. See the Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs for the operational baseline.
Access governance now has to scale across identity type, not just application tier. Human users, suppliers, and service identities all create different drift patterns, but the underlying control question is the same: does access still match current need? The more heterogeneous the estate, the more important it becomes to centralise entitlement evidence and automate revocation triggers.
More than 1 in 5 of their non-human identities are insufficiently secured. That figure, from The 2024 ESG Report: Managing Non-Human Identities, is a reminder that identity sprawl is already outpacing many programmes' ability to keep control state current.
For practitioners
- Map access to lifecycle ownership Assign a named owner for every account, role, and entitlement so provisioning, review, and revocation have a single accountable control point across on-premise and cloud systems.
- Automate joiner-mover-leaver workflows Use standard workflows to create, modify, and delete identities and permissions so access changes happen with business events instead of ad hoc tickets.
- Align recertification with entitlement drift Shorten review cycles for high-risk roles and ensure re-provisioning, removal, and approval evidence are captured in the same governance record.
- Segment governance by identity type Separate human, supplier, and non-human identity treatment in policy and reporting so each lifecycle path can be measured against its own risk profile.
Key takeaways
- Identity governance fails fastest when access review cannot keep up with constant entitlement change.
- The article’s core evidence is that hybrid environments now require automated lifecycle control, not just policy definition.
- Practitioners should connect provisioning, recertification, and revocation into one operating model if they want governance to remain credible.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The article centres on lifecycle drift and stale access across non-human identities. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege and access management are the core governance themes here. |
| NIST SP 800-53 Rev 5 | AC-2 | Account management directly covers provisioning, modification, and removal of access. |
| NIST Zero Trust (SP 800-207) | Continuous verification aligns with the article’s emphasis on dynamic access governance. | |
| CIS Controls v8 | CIS-5 , Account Management | Account management is the practical control family behind the article’s governance model. |
Implement CIS-5 to inventory accounts, review access, and remove stale permissions on a defined cadence.
Key terms
- Identity Governance: Identity governance is the set of policies and operating controls that decide who or what should have access, then keep that access aligned with current need. It covers approval, review, certification, and revocation across human and non-human identities, with evidence strong enough for audit and compliance.
- Lifecycle Management: Lifecycle management is the process of creating, changing, reviewing, and removing identity access as business conditions change. In practice, it is the mechanism that prevents permissions from becoming stale, especially when identities move roles, leave relationships, or stop needing access.
- Role-Based Access Control: Role-based access control assigns permissions through predefined roles rather than one-off grants. It simplifies administration, but it only remains safe when role assignment and removal are tightly managed through lifecycle processes and reviewed against actual business need.
- Access Recertification: Access recertification is the periodic validation that an identity’s permissions are still justified. It is only effective when the underlying entitlement data is current, because certifying outdated access creates a false sense of control instead of reducing risk.
What's in the full article
Soffid's full post covers the operational detail this post intentionally leaves for the source:
- Automation logic for account creation, modification, and deletion across identity estates.
- How role-based access policy is mapped to tasks and functions inside the platform.
- The article’s own view of lifecycle maturity and operational efficiency gains.
- Examples of how the vendor positions identity governance in relation to compliance requirements.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
Published by the NHIMG editorial team on 2025-12-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org