By NHI Mgmt Group Editorial Team
Published 2025-09-04
Domain: Governance & Risk
Source: Omada Identity

TL;DR: Identity governance is framed as the control plane that keeps zero trust practical, with the article citing $10.5T in predicted global cybercrime costs in 2025 and warning that manual reviews, permission creep, and delayed offboarding leave access excessive and unverified. The governance problem is no longer whether to add more controls, but whether identity processes can keep pace with business and attack speed.


At a glance

What this is: This is an identity governance analysis arguing that modern IGA is what makes zero trust operational by keeping access current, least-privileged, and auditable.

Why it matters: It matters because IAM teams have to govern human, non-human, and automated access with controls that prevent stale permissions from expanding breach impact.

By the numbers:

👉 Read Omada Identity's analysis of why modern IGA matters for zero trust


Context

Identity governance is the set of processes that decides who or what should have access, how that access changes, and when it must be removed. In this article, the central problem is not identity as a login event but identity as the real-time control point that either contains or expands breach impact across human users, service accounts, and automated processes.

The weakness the article identifies is familiar: manual reviews, ticket-driven provisioning, and delayed offboarding do not keep up with the speed of modern environments. Once access becomes stale or excessive, zero trust becomes a policy slogan rather than an enforceable operating model.


Key questions

Q: How should security teams modernize access reviews in zero trust programmes?

A: They should move from broad, calendar-based approvals to evidence-based reviews that focus on actual usage, role fit, and exception handling. Access reviews work best when they are tied to lifecycle events such as role changes and offboarding, and when reviewers see context that explains why an entitlement exists. The goal is fewer rubber-stamp approvals and faster removal of stale access.

Q: Why does permission creep increase breach impact?

A: Permission creep increases breach impact because compromised identities often retain access from previous roles or projects, giving attackers more paths than the current job actually requires. That wider entitlement set expands the blast radius of compromise and makes containment harder. Security teams should treat stale access as a direct contributor to incident severity, not just an audit issue.

Q: What do organisations get wrong about AI-assisted identity governance?

A: The common mistake is assuming AI can replace accountable decision-making. AI is useful for ranking risk, spotting anomalies, and reducing review fatigue, but it does not own policy exceptions or privileged approvals. Governance fails when automation is allowed to create decisions without clear ownership, so human accountability must remain attached to the highest-risk access changes.

Q: Who is accountable when stale access causes a security incident?

A: Accountability sits with the business owner, access approver, and governance team that allowed outdated entitlements to persist. Zero trust does not remove responsibility. It makes ownership more visible by requiring continuous verification and explicit justification for access. Organisations should be able to trace who approved, who reviewed, and who failed to revoke the access in time.


Technical breakdown

Why manual access reviews fail at enterprise scale

Traditional access certification depends on managers reviewing large entitlement lists with limited context. At scale, that produces rubber-stamp approvals, missed privilege creep, and slow remediation of role changes. The governance issue is not simply review frequency. It is that the decision model assumes humans can reliably validate thousands of permissions from static snapshots, even though access patterns now change across SaaS, cloud, and automated workflows. Modern IGA replaces that brittle model with evidence-based review support, entitlement intelligence, and lifecycle automation so access can be verified against current job need.

Practical implication: measure whether access reviews are identifying and removing stale entitlements, not just completing on schedule.

How permission creep expands the blast radius of compromise

Permission creep occurs when identities accumulate access that is no longer justified by current responsibilities. In practice, that means a compromised account can inherit the authority of multiple past roles, turning one identity event into broad lateral reach. The article ties this directly to zero trust because least privilege only works when entitlements are continuously right-sized. Without automated entitlement cleanup, excess access becomes an attack multiplier, especially where identities span finance, procurement, cloud workloads, and third-party tooling.

Practical implication: tie entitlement drift detection to role changes, because stale access is what magnifies breach impact.
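The two practical implications above (measure whether reviews actually remove stale entitlements, and tie drift detection to role changes) can be made concrete. The following is an added example, not code from the article or from Omada Identity: a small Python assessment that, for each identity (human or service account alike), compares its grants against a role baseline, separates entitlements that drifted outside the current role (including ones inherited from a prior role) from baseline entitlements that are merely dormant, counts how much of the identity's blast radius is excess, and measures a review by how many drifted entitlements it removed. The role baselines, identity names, entitlement names and dates are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Grant:
    entitlement: str
    granted_under_role: str    # role the identity held when this grant was approved
    last_used: Optional[date]  # None means no use was ever observed
    sensitive: bool = False    # sensitive grants count toward blast radius


@dataclass
class Identity:
    name: str
    kind: str                  # "human", "service" or "workload": all are assessed identically
    current_role: str
    grants: List[Grant]


# Hypothetical role baselines (what the current job actually needs), constructed for this example.
ROLE_BASELINE = {
    "finance-analyst": {"erp:read", "reports:read"},
    "finance-manager": {"erp:read", "erp:approve-payments", "reports:read"},
    "ci-runner": {"repo:read", "artifacts:write"},
}
DORMANT_AFTER = timedelta(days=90)   # a baseline grant unused this long is flagged as dormant


def assess(identity: Identity, today: date) -> dict:
    """Classify each grant as in-baseline, drifted (outside the current role's baseline)
    or dormant, and compute how much of the identity's blast radius is excess."""
    baseline = ROLE_BASELINE.get(identity.current_role, set())
    drift: List[Tuple[str, str]] = []
    dormant: List[str] = []
    blast_radius = excess = 0
    for g in identity.grants:
        unused = g.last_used is None or today - g.last_used > DORMANT_AFTER
        if g.sensitive:
            blast_radius += 1
        if g.entitlement not in baseline:
            if g.granted_under_role != identity.current_role:
                origin = "inherited from prior role " + g.granted_under_role
            else:
                origin = "granted outside baseline"
            drift.append((g.entitlement, origin + (", unused" if unused else "")))
            if g.sensitive:
                excess += 1
        elif unused:
            dormant.append(g.entitlement)
    return {"identity": identity.name, "drift": drift, "dormant": dormant,
            "blast_radius": blast_radius, "excess_blast_radius": excess}


def review_effectiveness(assessments: List[dict], post_review_grants: dict) -> float:
    """Share of drifted entitlements that a review actually removed, which is the
    outcome metric rather than whether the campaign completed on schedule."""
    flagged = removed = 0
    for a in assessments:
        still_held = post_review_grants.get(a["identity"], set())
        for ent, _ in a["drift"]:
            flagged += 1
            if ent not in still_held:
                removed += 1
    return removed / flagged if flagged else 1.0


# Constructed sample identities (not real accounts); TODAY is fixed so results are reproducible.
TODAY = date(2025, 9, 4)
SAMPLE = [
    Identity("alice", "human", "finance-manager", [
        Grant("erp:read", "finance-analyst", date(2025, 9, 1)),
        Grant("reports:read", "finance-analyst", None),
        Grant("erp:approve-payments", "finance-manager", date(2025, 8, 30), sensitive=True),
        Grant("procurement:create-vendor", "procurement-temp", date(2025, 2, 10), sensitive=True),
    ]),
    Identity("build-bot", "service", "ci-runner", [
        Grant("repo:read", "ci-runner", date(2025, 9, 3)),
        Grant("artifacts:write", "ci-runner", date(2025, 9, 3)),
        Grant("prod-deploy:write", "ci-runner", date(2024, 11, 20), sensitive=True),
    ]),
]


def run_sample() -> Tuple[List[dict], float]:
    assessments = [assess(i, TODAY) for i in SAMPLE]
    # Simulated post-review state: build-bot's drifted grant was revoked, alice's was not.
    after = {
        "alice": {"erp:read", "reports:read", "erp:approve-payments", "procurement:create-vendor"},
        "build-bot": {"repo:read", "artifacts:write"},
    }
    return assessments, review_effectiveness(assessments, after)


if __name__ == "__main__":
    results, rate = run_sample()
    for r in results:
        print(r)
    print(f"drifted entitlements removed by review: {rate:.0%}")
```

In the sample, alice still carries a sensitive procurement entitlement from a temporary prior role, so half her blast radius is excess; the service account build-bot holds an unused production deploy right that its runner role never needed, which is exactly the non-human case the article says must be governed like a user. The review that cleared build-bot but rubber-stamped alice scores 50%, not "complete".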

Why AI-assisted governance changes the operating model

AI in IGA is presented as a decision accelerator, not a substitute for accountability. It can analyze usage patterns, compare peers, and flag anomalies faster than manual review cycles, which helps governance keep pace with business. The architectural shift is from periodic certainty to continuous triage. That matters because zero trust depends on ongoing verification, and evidence-based recommendations are more useful than raw entitlement lists when the environment includes human users, contractors, and automated processes with overlapping access paths.

Practical implication: use AI to prioritize high-risk access decisions, while keeping policy exceptions and privileged changes under human ownership.
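The operating model described above (machine-generated prioritisation with ownership retained by named humans) can be sketched without any machine learning. This is an added example and not code from the article or from Omada Identity: a deterministic peer-comparison heuristic in Python that stands in for the ranking an AI-assisted IGA product would produce. It computes, per role, how common each entitlement is among peers, scores rare entitlements as outliers (weighted higher when privileged), refuses to draw conclusions from peer groups too small to compare, and routes every privileged finding to a named owner for a decision rather than acting on it. The identities, roles, entitlements, owners and thresholds are constructed for the example.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample (hypothetical identities, roles and entitlements, not from the article).
IDENTITIES: Dict[str, Tuple[str, set]] = {
    "alice": ("finance-analyst", {"erp:read", "reports:read"}),
    "bob": ("finance-analyst", {"erp:read", "reports:read", "erp:approve-payments"}),
    "carol": ("finance-analyst", {"erp:read", "reports:read"}),
    "dave": ("finance-analyst", {"erp:read", "hr:read"}),
    "svc-payroll": ("payroll-batch", {"erp:read", "payroll:run"}),
}
PRIVILEGED = {"erp:approve-payments", "payroll:run"}
# Named accountable owner per privileged entitlement (hypothetical). The script may rank these
# findings but never decides them: a privileged exception is always routed to its owner.
OWNERS = {"erp:approve-payments": "finance-controller", "payroll:run": "payroll-lead"}
RARE_THRESHOLD = 0.25    # held by a quarter of peers or fewer counts as an outlier
MIN_PEERS = 3            # smaller peer groups give no meaningful baseline
PRIVILEGED_WEIGHT = 3.0  # privileged outliers rise to the top of the queue


def peer_prevalence(identities) -> Tuple[Dict[str, Dict[str, float]], Dict[str, int]]:
    """Per role: fraction of members holding each entitlement, plus the group size."""
    by_role: Dict[str, List[set]] = defaultdict(list)
    for role, ents in identities.values():
        by_role[role].append(ents)
    prevalence = {}
    for role, members in by_role.items():
        counts = Counter(e for ents in members for e in ents)
        prevalence[role] = {e: c / len(members) for e, c in counts.items()}
    return prevalence, {role: len(m) for role, m in by_role.items()}


def finding(identity: str, ent: str, prevalence: Optional[float], score: float, action: str) -> dict:
    return {"identity": identity, "entitlement": ent, "peer_prevalence": prevalence,
            "score": round(score, 2), "action": action}


def triage(identities) -> List[dict]:
    """Rank entitlements that look anomalous against the identity's peers. The output is a
    prioritised queue for human reviewers, not a list of automatic revocations."""
    prevalence, group_size = peer_prevalence(identities)
    findings = []
    for name, (role, ents) in identities.items():
        for e in ents:
            priv = e in PRIVILEGED
            if group_size[role] < MIN_PEERS:
                # No peer baseline: a privileged grant still goes to its owner; anything else
                # waits for a review against the role definition instead of a statistical guess.
                if priv:
                    findings.append(finding(name, e, None, PRIVILEGED_WEIGHT,
                                            f"route to {OWNERS[e]} for decision (no peer baseline)"))
                continue
            p = prevalence[role][e]
            if p <= RARE_THRESHOLD:
                score = (1 - p) * (PRIVILEGED_WEIGHT if priv else 1.0)
                action = f"route to {OWNERS[e]} for decision" if priv else "queue for manager review"
                findings.append(finding(name, e, p, score, action))
    findings.sort(key=lambda f: (-f["score"], f["identity"]))
    return findings


if __name__ == "__main__":
    for f in triage(IDENTITIES):
        print(f)
```

On the sample, bob's payment-approval right is held by only one of four analysts and is routed to the finance controller; dave's HR read access is equally rare but unprivileged, so it queues for an ordinary manager review; and the payroll service account, which has no peers at all, is not silently skipped but sent to its owner with the reason stated. The design point is that the score orders the queue while the action field always names a person for anything privileged.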


NHI Mgmt Group analysis

Modern identity governance is the operational layer that makes zero trust real. Zero trust depends on explicit verification and minimum necessary access, but those principles collapse if entitlements stay stale after role changes or offboarding. The article is right to frame IGA as the control plane because access governance is where policy becomes enforceable across human, non-human, and automated identities. Practitioners should treat lifecycle enforcement as the mechanism that turns zero trust from architecture into practice.

Permission creep is not just excess access; it is breach amplification. When identities keep permissions that no longer match current responsibilities, compromise of a single account can expose multiple functions and data sets. That is why blast radius is the right measure of governance quality, not only access approval speed. The article correctly links entitlement drift to incident severity, which makes continuous rightsizing a core security objective rather than an administrative cleanup task.

AI-assisted governance changes the scale of decision support, not the need for accountability. Human reviewers cannot reliably process enterprise entitlement volume without evidence, context, and prioritization. AI can surface anomalies, cluster access patterns, and reduce review fatigue, but the approval responsibility still belongs to accountable owners. The implication is clear: programmes that automate review without preserving ownership will accelerate noise, not governance.

Identity governance now sits at the junction of human IAM, NHI control, and automation oversight. The article shows that access no longer lives only in employee directories, because service accounts, cloud workloads, and automated processes are part of the same entitlement landscape. That widens the governance problem beyond classic joiner-mover-leaver workflows. Practitioners should align review, provisioning, and offboarding across all actor types instead of managing each in isolation.

Continuous governance matters more than periodic certification in dynamic environments. Quarterly or annual review campaigns cannot reliably track the pace of cloud change, contractor churn, or application sprawl. The governance assumption that access remains stable long enough to be reviewed is weaker every year. Practitioners should interpret this as a signal to move from snapshot-based compliance toward continuous entitlement validation and exception handling.

From our research:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which shows how weak lifecycle governance remains in many environments.
  • For lifecycle depth, see Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, for the governance patterns that keep access current.

What this signals

Identity governance will increasingly be judged by how well it handles non-human and automated access, not just employee access. The same lifecycle discipline that cleans up human joiner-mover-leaver events now has to govern service accounts, workload identities, and automated processes. When access changes faster than review cycles, continuous entitlement validation becomes the programme signal that matters.

The biggest operational shift is moving from periodic certification to exception-driven governance. That means prioritising high-risk access paths, privileged changes, and stale entitlements before they become audit findings or breach enablers. Teams that still rely on manual reconciliation will struggle to keep pace with cloud sprawl and application churn.

Identity blast radius: the amount of damage a compromised identity can cause depends on how much unnecessary access it still carries. If you can reduce unused privileges and shorten the time between role change and entitlement removal, you reduce both incident severity and compliance exposure.


For practitioners

  • Replace snapshot reviews with evidence-based certification: prioritize entitlements by actual use, peer comparison, and role relevance so managers review meaningful exceptions instead of bulk approval queues.
  • Automate entitlement removal at role change and offboarding: connect HR, IAM, and IGA workflows so access is reduced or revoked as soon as job responsibility changes, rather than after a later reconciliation cycle.
  • Right-size permissions to reduce breach blast radius: map high-value accounts and remove inherited privileges that are not required for current work, especially where access spans cloud, SaaS, and privileged functions.
  • Use AI to triage review volume, not to replace ownership: apply machine-generated recommendations to surface anomalies and prioritize exceptions, but keep policy changes and privileged approvals with named accountable reviewers.

Key takeaways

  • Identity governance is the mechanism that makes zero trust enforceable, because it keeps entitlements current, minimal, and reviewable.
  • Excess access does more than violate policy; it increases the blast radius of any identity compromise across human, non-human, and automated accounts.
  • AI can help teams process access at scale, but governance still depends on accountable owners making and reviewing high-risk decisions.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC | Identity governance controls who gets access and when it changes across the enterprise.
NIST Zero Trust (SP 800-207) | | The article is built around zero trust principles of verification and least privilege.
OWASP Non-Human Identity Top 10 | | The post covers NHI access paths, service accounts, and lifecycle governance concerns.

Extend governance controls to non-human identities so service accounts and automated access are reviewed like users.


Key terms

  • Identity Governance And Administration: Identity Governance and Administration is the discipline that defines, reviews, and removes access across an organisation. It connects provisioning, certification, and offboarding so permissions stay aligned with business need rather than lingering after roles change.
  • Blast Radius: Blast radius is the amount of damage a compromised identity can cause once access is abused. In identity programmes, it is reduced by removing stale permissions, tightening privilege scope, and ensuring access is revoked as soon as it is no longer needed.
  • Permission Creep: Permission creep is the gradual accumulation of access that is no longer justified by current duties. It often appears after promotions, project changes, or long-lived accounts, and it turns otherwise ordinary identities into broader security risks than their owners realise.
  • Access Certification: Access certification is the review process where an owner confirms whether a user or account should keep existing permissions. Its value depends on context, current usage, and timely remediation; otherwise it becomes a paperwork exercise that preserves unnecessary access.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.

This post draws on content published by Omada Identity: IGA Cybersecurity Explained: Why Identity Governance Matters Now. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org