By NHI Mgmt Group Editorial Team
Published 2025-10-22
Domain: Governance & Risk
Source: Omada Identity

TL;DR: As cloud, remote work and AI-driven systems dissolve the network perimeter, identity governance becomes the control plane for security by unifying access visibility, automating lifecycle management and surfacing risky entitlements, according to Omada Identity. The core failure is not just lack of control, but the assumption that access can still be managed at human speed in machine-speed environments.


At a glance

What this is: This is an identity governance analysis arguing that IGA has become the control plane for security because it reveals who has access, what they can reach and where entitlement risk is accumulating.

Why it matters: It matters because IAM, NHI and autonomous programme owners need a governance layer that can see blast radius, deprovision stale access and manage machine-speed identity sprawl before attackers exploit it.




Context

Identity governance matters because the old perimeter model no longer matches how access works. Once cloud services, SaaS, remote work and AI-driven workflows spread identity across many systems, security teams lose a single place to answer who has access to what and how far a compromised identity can move.

The article argues that IGA is the missing control plane for that new reality. In practice, that means closing orphaned accounts, exposing entitlement creep, and giving incident responders enough identity context to understand blast radius before a breach becomes a prolonged containment exercise.


Key questions

Q: What breaks when identity governance is missing in hybrid environments?

A: Without identity governance, access becomes fragmented across cloud, SaaS, directories and workloads, so no one can reliably answer who has access to what or how far a compromised identity can reach. That creates hidden entitlement creep, orphaned accounts and larger blast radius during incidents. The result is slower response and more attacker dwell time.

Q: Why do service accounts and contractors increase lateral movement risk?

A: Service accounts and contractors often keep active privileges after the original business need has passed, which means attackers can inherit broad access from a single compromised credential. In hybrid environments, that access may span multiple platforms and applications, turning one stale identity into a path for lateral movement and data exposure.

Q: How do security teams know if entitlement reviews are actually working?

A: Effective entitlement reviews should reduce the number of unnecessary access rights, surface risky combinations and shrink the reach of high-value identities over time. If reviews keep finding the same stale permissions or cannot show revocation across connected systems, the programme is producing reports rather than control.

Q: Who is accountable when orphaned access causes a breach?

A: Accountability usually sits with the identity governance, application and system owners who failed to ensure access was removed when business need ended. In regulated environments, audit teams will expect evidence that certifications, deprovisioning and ownership mapping were operating across the full identity lifecycle, not just in one system.


Technical breakdown

Why identity governance becomes the control plane

Identity governance and administration centralises identity data from HR systems, directories, cloud platforms and SaaS applications so security teams can see entitlements in one place. The technical shift is from isolated identity stores to a unified governance layer that can correlate access, ownership and lifecycle state. That correlation is what makes access certification, deprovisioning and risk scoring operational instead of manual. Without it, every identity system becomes a blind spot and every entitlement review becomes a spreadsheet exercise.

Practical implication: Map all identity sources into one governance plane before trying to reduce access risk.

How blast radius is calculated from identity relationships

Blast radius is the set of systems, data stores and privileged functions an identity can reach if it is compromised. IGA can estimate that radius by linking accounts to roles, roles to entitlements, and entitlements to applications and resources. That matters because the security problem is not just whether credentials exist, but how much control those credentials unlock across hybrid environments. Identity analytics adds continuous risk scoring so high-impact accounts surface before an incident forces the analysis.

Practical implication: Use identity relationship mapping to prioritise the accounts whose compromise would spread fastest.

Machine identities and lifecycle automation at scale

Machine identities such as service accounts, API keys, OAuth tokens and workload certificates do not wait for annual reviews. They are created, used and retired at software speed, so governance has to track provisioning, rotation and deprovisioning continuously. The article’s core mechanism is lifecycle automation: new identities are granted policy-based access, and removed identities are revoked everywhere they exist. This is where manual governance fails, because stale machine access persists long after its original business purpose ends.

Practical implication: Automate machine identity provisioning, rotation and offboarding as a single governance workflow.
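The two mechanisms above, blast radius derived from account -> role -> entitlement -> resource links and lifecycle checks for orphaned or unrotated identities, as an added illustration that is not code from Omada Identity or the original article; all role, entitlement, resource and account data is constructed, and the 90-day rotation window is an assumed policy value:

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Constructed sample data: roles -> entitlements and entitlements -> resources.
ROLE_ENTITLEMENTS = {
    "contractor-dev": {"repo:read", "ci:deploy"},
    "finance-analyst": {"erp:read"},
    "platform-admin": {"ci:deploy", "cloud:admin", "db:write"},
}
ENTITLEMENT_RESOURCES = {
    "repo:read": {"git"},
    "ci:deploy": {"ci", "prod-cluster"},
    "erp:read": {"erp"},
    "cloud:admin": {"prod-cluster", "object-store", "kms"},
    "db:write": {"customer-db"},
}

@dataclass
class Identity:
    name: str
    kind: str                  # "human" or "machine"
    roles: set
    owner_active: bool         # False once the owner or business need is gone
    last_rotated: "date | None" = None  # only tracked for machine secrets
def blast_radius(identity):
    """Resources reachable by walking account -> roles -> entitlements -> resources."""
    ents = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in identity.roles))
    return set().union(*(ENTITLEMENT_RESOURCES.get(e, set()) for e in ents))

def rank_by_reach(identities):
    # Widest reach first: these are the accounts to certify and contain first.
    return sorted(identities, key=lambda i: len(blast_radius(i)), reverse=True)

def lifecycle_findings(identities, today, max_secret_age=timedelta(days=90)):
    """Flag orphaned accounts (revoke everywhere) and machine secrets past rotation."""
    findings = []
    for i in identities:
        if not i.owner_active:
            findings.append((i.name, "orphaned: revoke everywhere"))
        if i.kind == "machine" and i.last_rotated and today - i.last_rotated > max_secret_age:
            findings.append((i.name, "stale secret: rotate"))
    return findings

# Constructed identities: a leaver's contractor account and an admin-level deployer.
TODAY = date(2025, 10, 22)
SAMPLE = [
    Identity("ex-contractor-bob", "human", {"contractor-dev"}, False),
    Identity("svc-deployer", "machine", {"platform-admin"}, True, date(2025, 1, 10)),
    Identity("svc-report", "machine", {"finance-analyst"}, True, date(2025, 9, 30)),
]
```

Running `rank_by_reach(SAMPLE)` puts the deployer service account first because its roles unlock five resources, while `lifecycle_findings(SAMPLE, TODAY)` returns the orphaned contractor account and the unrotated deployer secret as the two items needing action.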


Threat narrative

Attacker objective: The objective is to turn legitimate, still-active identity permissions into broad operational reach that accelerates lateral movement and increases the blast radius of the compromise.

  1. Entry occurs when an attacker uses an orphaned contractor account or another compromised identity that still has active credentials.
  2. Escalation follows as that identity inherits accumulated entitlements, including elevated access across cloud, SaaS and on-premises systems.
  3. Impact comes when the attacker uses that broad access to move laterally, modify configurations, exfiltrate data or deploy ransomware at scale.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • Snowflake breach — compromised Ticketmaster, Santander and others via cloud credential abuse.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity governance is now the practical control plane for identity security. The article is right that perimeter controls cannot answer entitlement, ownership or reach questions once access is distributed across cloud, SaaS and machine identities. What matters for the field is that governance has shifted from compliance support to operational security control. Practitioners should treat IGA as the layer that makes identity attack surface measurable.

Entitlement creep is not a process nuisance; it is accumulated attack surface. When users, contractors and service accounts keep old access after role changes, the result is not just excess permission but hidden pathways for compromise. That is why lifecycle governance, access certification and identity analytics belong in the same control conversation. Security teams should assume every unreviewed entitlement expands lateral movement options.

Blast radius is the metric that matters once identity becomes the perimeter. The field still overweights whether an account exists and underweights what that account can touch across systems. This article correctly reframes the problem around reach, not inventory. Practitioners should organise governance, monitoring and incident response around the identities whose compromise would expose the most business-critical resources.

Shadow AI and machine identities create a governance class that many IAM programmes still treat as exceptional. That is no longer tenable when AI tools, APIs and workloads create identities faster than human review cycles can absorb. The implication is not simply more tooling. It is a governance model that treats machine-created access as a first-class identity population with its own lifecycle, certification and risk logic.

Visibility without lifecycle enforcement is incomplete security. The article stresses that seeing access is only the first step. In practice, a governance programme that cannot revoke, rotate and recertify across systems still leaves stale credentials in place for attackers to use. Practitioners should judge IGA by how quickly it can remove risk, not just how well it can display it.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
  • For a broader breach lens, 52 NHI Breaches Analysis shows how stale access and weak lifecycle controls repeatedly translate into real compromise.

What this signals

Identity attack surface is now a governance problem before it is a detection problem: if access is distributed across directories, SaaS, cloud and machine identities, teams need a control plane that can certify and revoke at the same speed that access is granted. The security model changes from perimeter defence to entitlement management, and that change should influence roadmap priorities immediately.

Entitlement creep has become a measurable security debt. Once accounts accumulate access across role changes, the programme is no longer just carrying excess permission; it is carrying hidden lateral movement potential. Teams that still measure success only by the number of certifications completed are likely missing the harder question of whether risk actually went down.

Machine identities need lifecycle rules that match software velocity: service accounts, API keys and workload credentials are created and retired faster than human governance cycles can handle. The practical response is to align access reviews, rotation triggers and offboarding workflows to the systems these identities actually touch, not to annual compliance rhythms.


For practitioners

  • Map identity sources into a single governance view: Aggregate HR, directory, cloud and SaaS identity data so access, ownership and lifecycle state are visible in one control plane. Use that view to identify orphaned accounts, duplicate entitlements and unmanaged service identities before they become incident work.
  • Prioritise blast-radius reduction for high-reach accounts: Rank identities by the number of systems, applications and data sets they can reach, then review the accounts whose compromise would spread fastest. Focus first on elevated service accounts, contractor accounts and cross-environment access.
  • Automate deprovisioning across all connected systems: Trigger revocation across directories, SaaS, cloud platforms and downstream applications when a user, contractor or workload loses business need. The control only works if access removal is propagated everywhere, not just in the primary directory.
  • Certify machine identities on a shorter operational cadence: Treat service accounts, API keys and workload certificates as governed identities that need recurring review of scope, ownership and necessity. Tie certification to the systems they actually touch, not to a generic annual access review cycle.

Key takeaways

  • Identity governance has moved from administrative hygiene to core security control because it reveals who can reach what across a distributed environment.
  • The main risk is accumulated entitlement, where old access and unmanaged identities widen the blast radius long before an incident is detected.
  • Practitioners need governance that can certify, rotate and revoke access across all connected systems, including machine identities, in near real time.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle gaps and stale access map directly to NHI credential rotation and deprovisioning.
NIST CSF 2.0 | PR.AC-1 | Identity governance centralises access visibility and entitlement control.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Blast-radius reduction aligns with zero trust least-privilege access.

Review machine identity lifecycles and revoke access wherever accounts or secrets outlive their business need.


Key terms

  • Identity governance and administration: Identity governance and administration is the control layer that records, reviews and removes access across an organisation’s identity estate. It connects identity data from multiple systems so teams can certify entitlements, enforce lifecycle changes and reduce hidden privilege across human and non-human identities.
  • Blast radius: Blast radius is the amount of access, data and operational reach an identity has if it is compromised. In identity programmes, it is a practical way to measure how badly one stolen account, token or workload credential could affect cloud, SaaS and on-premises systems.
  • Entitlement creep: Entitlement creep is the gradual accumulation of access rights as people, contractors or systems change roles over time. The problem is not the move itself, but the failure to remove old permissions, which leaves hidden privilege in place and expands lateral movement options.
  • Machine identity: A machine identity is a non-human identity used by software, workloads, services, bots or automated processes to authenticate and access resources. These identities often rely on secrets, certificates or tokens and need the same lifecycle discipline as human access, but at software speed.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or identity governance in your organisation, it is worth exploring.

This post draws on content published by Omada Identity: As Identity Becomes the New Security Perimeter, IGA Becomes Essential. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-10-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org