By NHI Mgmt Group Editorial TeamPublished 2025-07-07Domain: Governance & RiskSource: Orchid Security

TL;DR: Identity governance and administration projects still take 42 months on average and remain incomplete despite $3 billion spent on technology last year, according to Gartner cited in Orchid Security’s post. The deeper problem is structural: complexity now exceeds what manual IAM operations can reliably govern, so identity programmes need better intelligence, not just more tooling.


At a glance

What this is: This is a vendor-authored perspective on why identity governance remains fragmented and why LLM-driven intelligence is being positioned as the missing layer.

Why it matters: It matters because IAM, NHI, and autonomous identity programmes all fail when governance cannot keep pace with scale, complexity, and lifecycle sprawl.

By the numbers:

  • The average identity governance and administration project takes 42 months and remains incomplete.

👉 Read Orchid Security's perspective on why identity governance remains fragmented


Context

Identity governance becomes fragmented when the programme cannot keep a consistent picture of who or what has access, why that access exists, and when it should be removed. In practice, that shows up as long implementation cycles, partial coverage, and governance work that never quite catches up with application change, compliance demands, or identity sprawl.

Orchid Security’s post argues that this fragmentation is no longer just a people problem or a tooling problem. The core issue is that IAM environments have become too complex for static process design alone, which is why the post frames LLMs as a way to process identity complexity at scale rather than as a replacement for governance discipline.


Key questions

Q: How should security teams reduce fragmentation in identity governance programmes?

A: Start by defining one governance operating model for lifecycle, access review, and evidence collection across all major identity types. Then measure where the model breaks across applications, process owners, and control handoffs. Fragmentation is usually a visibility and accountability problem before it is a tooling problem.

Q: When do LLMs help identity governance, and when do they not?

A: LLMs help when the task is interpretation, summarisation, correlation, or triage across complex identity data. They do not replace ownership, approval authority, or policy enforcement. If the problem requires a human to remain accountable for access decisions, the model should assist governance rather than make governance decisions.

Q: What do teams get wrong about identity governance and administration projects?

A: They often treat IGA as a software rollout instead of an operating-model redesign. That leads to incomplete coverage, poor evidence quality, and long programme timelines. The better question is whether the programme can produce reliable decisions about access and lifecycle state at enterprise scale.

Q: How can organisations tell whether identity governance is actually working?

A: Look for complete coverage of key applications, consistent evidence for access decisions, and short paths from detected exceptions to remediation. If certifications exist but do not change entitlement state, or if lifecycle actions remain manual and delayed, governance is only partially functioning.


Technical breakdown

Why identity governance projects stall in complex estates

Identity governance and administration breaks down when discovery, policy mapping, and certification all rely on slow manual interpretation. The larger the application estate, the more identity states drift between review cycles, and the more exceptions accumulate outside clean governance workflows. That creates an incomplete operating model rather than a clean implementation failure. The article’s point is that complexity is now a first-order constraint, not a nuisance variable. Practical implication: teams should treat incomplete coverage as a structural risk signal, not a temporary deployment issue.

Practical implication: measure governance completeness across applications and identities, not just project milestones.

Where LLMs fit in identity governance operations

Large language models can help interpret identity-related context across policies, applications, access patterns, and control descriptions faster than humans can do at scale. That does not make them the authority on access decisions. It makes them a processing layer that can reduce the time spent reconciling unstructured identity information into governance workflows. In an environment with overlapping systems and inconsistent documentation, that distinction matters. Practical implication: use LLMs to accelerate analysis and triage, but keep control ownership and approval logic in the IAM programme.

Practical implication: use LLMs for interpretation and summarisation, not autonomous access approval.

Why fragmented identity tooling creates governance debt

Fragmentation happens when no single operating model can connect lifecycle, access review, entitlement design, and compliance evidence across the full identity stack. The result is governance debt, meaning unresolved identity decisions that persist across audits, migrations, and application changes. That debt grows when teams add products without fixing the underlying process model. Practical implication: map where identity evidence is produced, where it is consumed, and where it disappears between systems before adding new tooling.

Practical implication: identify where evidence is lost between systems before expanding the stack.


NHI Mgmt Group analysis

Fragmentation, not lack of tools, is the real identity governance failure mode. The post’s strongest argument is that the market is fragmented because no consensus operating model exists for solving identity governance at enterprise scale. That is a governance problem, not a procurement problem. When access, application context, and compliance evidence are distributed across too many systems, the programme cannot keep a stable control picture. The practitioner implication is to assess whether your identity stack produces decision-ready evidence or only more inventory.

Identity governance and administration remains a long-cycle discipline because the control surface is wider than the project model. The cited 42-month average shows how long it takes organisations to move from intent to incomplete reality. That suggests many programmes are being planned as software deployments when they should be managed as operating-model redesigns. The practitioner implication is to scope governance work around lifecycle and control outcomes, not implementation tasks.

LLMs introduce a processing advantage, but they do not remove governance accountability. Orchid Security’s thesis is that humans cannot easily cut through identity complexity, so machine intelligence becomes useful for interpretation and scale. That is credible as an operating assumption, but it does not change who owns entitlements, approvals, and evidence quality. The practitioner implication is to separate analytical augmentation from control authority.

Identity governance debt is accumulating faster than most programmes can retire it. Every new application, access path, and compliance demand adds to the backlog of unresolved identity decisions. The more fragmented the environment, the more the backlog turns into structural risk rather than administrative overhead. The practitioner implication is to treat unresolved identity state as a measurable debt class, not an IT hygiene issue.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
  • For a broader control baseline, read 52 NHI Breaches Analysis for recurring failure patterns across identity-led incidents.

What this signals

Fragmentation is becoming the default state of identity programmes. As application estates expand and governance tooling multiplies, teams need a control model that can reconcile evidence across systems rather than merely add another dashboard. The practical signal is to prioritise data consistency and lifecycle ownership before expanding platform scope.

Identity governance debt is the hidden constraint in most programmes. In our research, only 5.7% of organisations have full visibility into their service accounts, which means most teams are operating with partial control pictures already. That visibility gap is the kind of debt that LLMs can help surface, but not eliminate.

The next phase of identity work will reward programmes that can translate complexity into decision-quality evidence. Teams that pair policy design with structured analysis, and that anchor their model in resources like the Ultimate Guide to NHIs, will be better placed to govern human, machine, and emerging AI identity estates.


For practitioners

  • Measure governance completeness across the identity estate Track how many applications, service accounts, and access paths are actually covered by certification, lifecycle, and evidence workflows. If coverage is incomplete, the programme is not mature enough for accurate audit or risk decisions.
  • Map where identity evidence breaks between systems Document where entitlement data is created, transformed, and lost across IAM, IGA, PAM, and downstream operational tools. Focus on the handoffs where approvals and recertification evidence stop being trustworthy.
  • Use LLMs for interpretation, not approval authority Apply machine intelligence to summarise policy context, cluster access anomalies, and reduce manual triage time. Keep access decisions, entitlement ownership, and remediation sign-off with accountable teams.
  • Reframe identity governance as operating-model work Treat the programme as a control-design and evidence problem, not only a tool deployment. Align business processes, data quality, and lifecycle ownership before adding another platform layer.

Key takeaways

  • Identity governance fails when the operating model cannot keep up with application and compliance complexity.
  • The cited 42-month project cycle shows that many IGA programmes are still incomplete even after major investment.
  • Teams should use LLMs to improve analysis and evidence handling, but not to replace control ownership or approval authority.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0GV.RM-01Identity governance fragmentation is a risk-management and operating-model issue.
NIST Zero Trust (SP 800-207)PR.AC-1The post's control challenge is aligning access decisions with consistent identity context.
OWASP Non-Human Identity Top 10NHI-01The article touches identity sprawl and incomplete visibility across non-human identities.

Define identity governance risk ownership and track incomplete coverage as a recurring enterprise risk.


Key terms

  • Identity governance and administration: Identity governance and administration is the set of processes used to define, review, certify, and revoke access across an organisation. It combines policy, access evidence, lifecycle controls, and accountability so that identity state can be governed at scale rather than managed informally.
  • Governance debt: Governance debt is the accumulation of unresolved identity decisions, incomplete control coverage, and stale evidence across systems. It behaves like technical debt, but the cost shows up in audit friction, delayed remediation, and weak confidence in who or what still has access.
  • Identity evidence: Identity evidence is the collection of records that prove an access decision, lifecycle event, or control action happened as intended. In mature programmes, evidence is structured, traceable, and usable by both operations and audit teams, not buried in disconnected tools or spreadsheets.
  • Control surface: The control surface is the full set of identities, applications, entitlements, and processes that a governance programme must manage. When the control surface grows faster than the operating model, visibility drops and access decisions become harder to verify consistently.

What's in the full article

Orchid Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • The vendor's explanation of how its LLM approach is intended to process identity complexity across large estates.
  • The specific market argument for why fragmented IAM and IGA environments need a new intelligence layer.
  • The customer-facing framing around scaling identity governance through partners and delivery teams.
  • The broader business narrative behind the company's position in the identity market.

👉 Orchid Security's full post expands on the market thesis and the author’s career context behind it.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance maturity, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-07-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org