By NHI Mgmt Group Editorial Team
Published 2026-06-24
Domain: Governance & Risk
Source: Abnormal AI

TL;DR: Legacy IGA models were built to prove that access was reviewed, not to determine whether it still makes sense in real time; as estates exceed 100 applications and service accounts outnumber humans, continuous access intelligence becomes the meaningful control, according to Abnormal AI. The old evidence-first model no longer matches how lateral movers, permission drift, and blended governance-posture programmes actually create risk.


At a glance

What this is: This is an analysis of why traditional identity governance is giving way to continuous access intelligence and posture-driven control.

Why it matters: It matters because IAM teams need one operating model that covers human, NHI, and lifecycle risk instead of treating access reviews as a quarterly audit exercise.



Context

Identity governance is the discipline of deciding whether access still makes sense, not just whether someone once approved it. This article argues that the old IGA model was built to collect evidence for audits, while modern environments need continuous access intelligence across human users, service accounts, and entitlement drift.

The primary IAM problem is not joiners or leavers. It is movers, overgrown application estates, and permissions that persist after roles change. For teams trying to move beyond quarterly certification, the practical starting point is the gap between recorded approval and effective access, which is why the NHI Lifecycle Management Guide is relevant here.


Key questions

Q: How should security teams move from access reviews to continuous identity governance?

A: Start by measuring effective permissions rather than only confirmed approvals. Continuous identity governance ties review results to real entitlement state, unused access, and drift since the last cycle, so teams can remediate as part of the same workflow instead of waiting for the next certification campaign.

Q: Why do movers create more identity governance risk than joiners and leavers?

A: Movers accumulate permissions across roles, teams, and inherited groups, while joiners and leavers usually follow clearer lifecycle checkpoints. If governance only focuses on onboarding and offboarding, it misses the point where stale access quietly builds up and becomes difficult to unwind later.

Q: What breaks when access reviews are not tied to remediation?

A: They become evidence for auditors rather than a control that reduces risk. Without remediation, the same excessive entitlements can pass review repeatedly, giving teams proof that governance happened while leaving the underlying exposure untouched.

Q: Who should own identity posture when human and machine identities are both in scope?

A: Ownership should sit with the programme that can see and act on the effective access state across both classes of identity. Human IAM, NHI governance, and security operations need a shared remediation model, otherwise machine identities stay outside the review cycle and risk persists.


Technical breakdown

Why evidence-based IGA stalled

Traditional identity governance was built around attestation, exportable reports, and proof of review. That model can demonstrate that a manager or app owner signed off, but it cannot determine whether the access is still appropriate at the moment of use. As environments expanded, the weakness became obvious: quarterly campaigns do not track entitlement drift, peer-group anomalies, or unused permissions between reviews. The result is governance that satisfies audit timing but misses operational risk. Practical implication: treat access review as one control in a broader continuous governance loop, not as the governance programme itself.

Practical implication: Move from periodic certification to continuous evaluation of effective permissions and drift.

How lateral movers break the joiner-mover-leaver model

The article’s strongest point is that movers, not just joiners and leavers, now define the governance failure mode. When employees change roles, permissions accumulate across teams, tools, and inherited groups, and the resulting access set is rarely reassembled from first principles. Service accounts make the problem harder because they often outnumber human identities and sit outside the attention span of classic access reviews. In that setting, recertification alone becomes descriptive rather than corrective. Practical implication: design governance around role change and entitlement combination risk, not only onboarding and offboarding events.

Practical implication: Build lifecycle controls that re-evaluate access whenever roles, ownership, or application context changes.

Why identity governance and posture are converging

The post describes a move from separate governance and security workstreams toward one continuous programme. That convergence makes sense because posture data answers the operational question that old IGA never could: what is the effective permission state right now, and how far has it drifted from intent? Controls such as last-used activity, peer comparison, and effective entitlement visibility make remediation actionable instead of ceremonial. This is not a replacement for audit evidence. It is the layer that turns evidence into control. Practical implication: align governance, security, and audit teams on one living entitlement picture.

Practical implication: Unify posture telemetry and governance workflows so remediation follows evidence quickly.


NHI Mgmt Group analysis

Evidence-first IGA was designed for audit proof, not control fidelity. The old model could answer whether a review happened, but it was never designed to answer whether the access was still justified. That assumption held in smaller estates with clearer role boundaries, but it collapses once permission drift becomes the dominant risk signal. The implication is that governance programmes built only around attestations are structurally incomplete.

Movers are the governance gap that most access programmes still under-handle. Joiners and leavers fit the classic lifecycle story, but movers create the hardest-to-see accumulation of entitlements across applications, groups, and inherited roles. When no process exists to recalculate access at the point of change, organisations keep certifying stale entitlements instead of correcting them. The implication is that lifecycle governance must centre role change, not just onboarding and offboarding.

Persistent visibility into effective permissions is the named control gap this article exposes. The article’s core concept is that identity posture becomes the only meaningful way to see whether access is still appropriate between quarterly cycles. Effective permission visibility, unused access, and cohort drift are the signals that evidence-based governance misses. The implication is that teams should treat identity posture as the operational layer beneath governance, not as a separate programme.

Service account sprawl turns governance from a human process into a mixed identity problem. When service accounts outnumber human identities, the assumptions behind manager-driven review break down because no person naturally owns the access lifecycle end to end. This is where human IAM processes stop scaling cleanly and NHI governance becomes unavoidable. The implication is that access governance now has to cover machine identities with the same seriousness as employee access.

Identity governance and posture are converging because audit cadence no longer matches attack cadence. Quarterly certification can still produce evidence, but it does not keep pace with entitlement drift, lateral movement, or the speed of infrastructure change. Organisations that separate governance from security end up with proof on one side and risk on the other. The implication is that the programme model itself has to move toward continuous, shared control ownership.

From our research:

What this signals

Persistent permission drift is becoming the control signal that matters more than certification completion. As identity estates spread across human and non-human accounts, the programme question shifts from whether access was reviewed to whether the access state is still defensible. Teams that can connect review findings to remediation will outpace teams that still treat access reviews as a quarterly artefact.

Identity posture is now the operational layer under governance. That means access intelligence, entitlement use, and ownership clarity need to sit alongside lifecycle controls in the same operating model. For practitioners, the practical test is whether they can explain effective access at any moment, not just after a review cycle closes.

Service account sprawl will keep pushing IAM teams toward cross-domain governance. The broader the estate, the more the programme has to connect human IAM, NHI lifecycle, and audit evidence through one remediation path. The NIST Cybersecurity Framework 2.0 is a useful anchor for aligning identify, protect, detect, and respond activities around that model.


For practitioners

  • Map governance to effective access, not just approved access. Track whether permissions are actually in use, how they compare to peer cohorts, and whether they changed since the last review. Use that inventory to drive remediation instead of treating certification as the end state.
  • Prioritise movers in lifecycle control design. Trigger re-evaluation when role, team, application ownership, or group membership changes. Movers should force a fresh access decision because they are where entitlement accumulation starts.
  • Extend governance coverage to service accounts and other non-human identities. Assign ownership, review cadence, and remediation paths for machine identities that sit outside traditional HR-driven lifecycle workflows. Treat them as governed identities, not as technical leftovers.
  • Connect certification outputs to remediation workflows. Do not stop at attestations. Feed review findings into access removal, role cleanup, and exception tracking so the next review starts from a corrected baseline.
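The technical breakdown above and the four practitioner points describe the same loop: resolve effective permissions (including inherited group access), compare them with what was certified, check whether they are used and whether peers hold them, and force a fresh decision for movers and for unowned service accounts. The following is an added example, not code from the article or from Abnormal AI, that runs one such pass over a small constructed estate. The group model, identities, entitlement names, dates, the 90-day staleness window and the 34% peer threshold are all assumptions chosen for illustration.

```python
"""
Added example (not the article's or Abnormal AI's code): one pass of continuous
access intelligence over a constructed identity estate. It resolves effective
permissions through nested groups, then flags drift since the last certification,
unused entitlements, peer-cohort outliers, movers whose role changed after the
last review, and service accounts with no owner. All data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Set

# Constructed group model: a group grants entitlements directly and may nest
# other groups, so membership (and therefore access) is inherited transitively.
GROUPS = {
    "eng-all":    {"grants": {"wiki:read", "ci:read"},    "nests": set()},
    "platform":   {"grants": {"k8s:deploy", "ci:admin"},  "nests": {"eng-all"}},
    "finance":    {"grants": {"erp:read", "erp:approve"}, "nests": set()},
    "sa-runtime": {"grants": {"k8s:deploy"},              "nests": set()},
}

@dataclass
class Identity:
    name: str
    kind: str                      # "human" or "service" (non-human identity)
    role: str
    groups: Set[str]
    direct: Set[str] = field(default_factory=set)
    owner: Optional[str] = None
    certified_role: Optional[str] = None              # role recorded at last certification
    certified_perms: Set[str] = field(default_factory=set)
    last_used: Dict[str, date] = field(default_factory=dict)  # entitlement -> last use

def effective_permissions(identity: Identity, groups=GROUPS) -> Set[str]:
    """Direct grants plus everything reachable through nested group membership."""
    perms = set(identity.direct)
    seen, stack = set(), list(identity.groups)
    while stack:
        g = stack.pop()
        if g in seen or g not in groups:
            continue
        seen.add(g)
        perms |= groups[g]["grants"]
        stack.extend(groups[g]["nests"])
    return perms

def peer_outliers(identity, cohort, groups=GROUPS, threshold=0.34) -> Set[str]:
    """Entitlements this identity holds that fewer than `threshold` of same-role peers hold."""
    peers = [p for p in cohort if p.role == identity.role and p.name != identity.name]
    if not peers:
        return set()
    peer_perms = [effective_permissions(p, groups) for p in peers]
    return {perm for perm in effective_permissions(identity, groups)
            if sum(perm in pp for pp in peer_perms) / len(peers) < threshold}

def assess(identity, cohort, today, stale_days=90, groups=GROUPS) -> dict:
    """Compare effective access against the certified baseline, usage and peers."""
    effective = effective_permissions(identity, groups)
    findings = {
        "effective": effective,
        # gained since the last review: the certification evidence is already stale
        "drift": effective - identity.certified_perms,
        # held but not exercised within the window: candidate for removal
        "unused": {p for p in effective
                   if (today - identity.last_used.get(p, date.min)).days > stale_days},
        "peer_outliers": peer_outliers(identity, cohort, groups),
        # a mover: the role changed after certification, so decide access afresh
        "mover": identity.certified_role is not None
                 and identity.role != identity.certified_role,
        # a service account nobody owns sits outside manager-driven review
        "unowned_nhi": identity.kind == "service" and identity.owner is None,
    }
    needs_review = findings["mover"] or findings["drift"] or findings["unowned_nhi"]
    findings["action"] = "re-evaluate" if needs_review else "ok"
    return findings

# Constructed estate: two platform engineers, one mover who kept finance access,
# and an unowned service account.
TODAY = date(2026, 6, 24)
RECENT = date(2026, 6, 20)
PLATFORM_PERMS = {"wiki:read", "ci:read", "k8s:deploy", "ci:admin"}
ALICE = Identity("alice", "human", "platform-eng", {"platform"}, certified_role="platform-eng",
                 certified_perms=set(PLATFORM_PERMS), last_used={p: RECENT for p in PLATFORM_PERMS})
CAROL = Identity("carol", "human", "platform-eng", {"platform"}, certified_role="platform-eng",
                 certified_perms=set(PLATFORM_PERMS), last_used={p: RECENT for p in PLATFORM_PERMS})
BOB = Identity("bob", "human", "platform-eng", {"platform", "finance"},
               certified_role="finance-analyst",            # moved teams after last review
               certified_perms={"erp:read", "erp:approve"},
               last_used={**{p: RECENT for p in PLATFORM_PERMS}, "erp:approve": date(2025, 11, 1)})
DEPLOY_BOT = Identity("deploy-bot", "service", "ci-runner", {"sa-runtime"},
                      certified_role="ci-runner", certified_perms={"k8s:deploy"},
                      last_used={"k8s:deploy": date(2026, 6, 23)})
COHORT = [ALICE, CAROL, BOB, DEPLOY_BOT]

if __name__ == "__main__":
    for ident in COHORT:
        f = assess(ident, COHORT, TODAY)
        print(f"{ident.name:11} action={f['action']:11} mover={f['mover']!s:5} "
              f"drift={sorted(f['drift'])} unused={sorted(f['unused'])} "
              f"peer_outliers={sorted(f['peer_outliers'])} unowned_nhi={f['unowned_nhi']}")
```

Run as a script, the pass marks alice and carol as "ok", bob as a mover who gained four platform entitlements and still holds two unused finance ones that none of his peers have, and deploy-bot as needing review purely because no owner is recorded. The design point is that the "action" field is derived from the live entitlement state, not from whether a reviewer signed off, which is the shift the article describes; in a real programme the findings would feed the remediation workflow rather than a print loop.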

Key takeaways

  • Traditional IGA still proves that access was reviewed, but it often fails to prove that access still makes sense.
  • Mover-driven drift and expanding service-account estates are what turn governance from an audit activity into a live risk issue.
  • Teams that connect continuous entitlement visibility to remediation will get more value from identity governance than teams that rely on quarterly certification alone.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | Access review and entitlement control are central to the article's governance gap.
OWASP Non-Human Identity Top 10 | NHI-03 | Service account sprawl and weak lifecycle control fit the NHI rotation and governance problem.
NIST SP 800-63 | | The article touches lifecycle and assurance patterns that transfer from human identity governance.

Map effective access to PR.AC-4 and remediate drift before the next certification cycle.


Key terms

  • Identity posture: Identity posture is the current security state of identities, entitlements, and access relationships. It focuses on effective permissions, drift, ownership, and usage rather than only whether a review or approval exists. In practice, it turns governance from a periodic record into a live control signal.
  • Effective permissions: Effective permissions are the access rights an identity can actually use, including inherited, grouped, and conditionally granted entitlements. They can differ from what policy or documentation says on paper. Security teams care about them because risk is created by usable access, not by nominal entitlements alone.
  • Identity governance: Identity governance is the discipline of deciding whether access should continue to exist, who owns it, and how exceptions are managed over time. It spans certification, lifecycle controls, remediation, and audit evidence. The modern version has to account for both human and non-human identities.
  • Mover: A mover is an identity whose role, team, application ownership, or operating context has changed. Movers are a governance hotspot because permissions often accumulate during transitions and are not re-evaluated from scratch. In mature programmes, movers trigger more control logic than joiners or leavers.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Abnormal AI: Identity governance is shifting from audit evidence to live control. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org