TL;DR: Identity governance is the discipline of proving access remains appropriate, not just that joiner-mover-leaver workflows executed correctly, according to AlertEnterprise. The practical break point is certification, separation of duties, and attestation across both digital and physical access, where governance evidence often lags behind automation and review outcomes are not visible.
At a glance
What this is: This is an explainer on identity governance, with the key finding that lifecycle automation is not the same as proving access is still appropriate.
Why it matters: It matters because IAM, IGA, PAM, and physical access teams all need continuous review and evidence, not just provisioning and revocation workflows.
By the numbers:
- 40 percent of executives lack visibility into access, nto access revocation outcomes.
👉 Read AlertEnterprise's explanation of identity governance, certification, and attestation
Context
Identity governance is the ongoing proof that access is still appropriate, not simply the automation that grants or removes it. In practice, many programmes stop at joiner-mover-leaver execution and never close the loop on whether access remains justified across digital entitlements and physical entry points.
That gap matters because certification, separation of duties, and attestation are the controls that convert identity administration into governed identity management. For teams responsible for IGA, PAM, and physical access, the question is whether the organisation can prove access decisions, not just execute them.
Key questions
Q: How should organisations govern access beyond lifecycle automation?
A: They should separate workflow execution from governance proof. Lifecycle automation can provision or revoke access, but governance must certify that access is still appropriate, enforce separation of duties, and preserve audit evidence. The practical test is whether the organisation can prove who approved access, what changed, and whether the change actually took effect.
Q: Why do access reviews matter if joiner-mover-leaver workflows already work?
A: Because automated workflows only confirm that a lifecycle event triggered the right action. Access reviews verify that the remaining entitlement is still justified for the current role, risk, and policy. Without reviews, stale access, toxic combinations, and exceptions can persist even when the underlying provisioning process is functioning correctly.
Q: What breaks when physical access is not included in identity governance?
A: Governance becomes incomplete because the organisation can no longer prove who can enter sensitive spaces or whether that access conflicts with digital privileges. Badge systems may enforce entry, but they do not provide certification, attestation, or SoD control unless they are integrated into a broader governance model.
Q: How do teams know whether access governance is actually working?
A: They should be able to show timely certification completion, documented remediation, verified revocation outcomes, and an audit trail that can answer access questions without manual reconstruction. If evidence comes from multiple disconnected systems and cannot be produced quickly, the governance control is weak even if automation is in place.
Technical breakdown
Access certification is evidence, not a workflow
Access certification, also called review or attestation, is the periodic validation that existing access still matches role, business need, and policy. The control is only useful if the organisation can show who reviewed what, what was approved or removed, and whether the revocation actually occurred. In practice, certification is less about task completion and more about trustable evidence. Without that evidence, a review campaign becomes an administrative ritual instead of a governance control.
Practical implication: ensure certification results are traceable end to end, including proof that removals executed after approval.
Separation of duties must span digital and physical access
Separation of duties prevents one identity from holding combinations of access that create fraud, conflict of interest, or operational risk. The article’s key insight is that SoD does not stop at application permissions. If a person can approve a sensitive action and also carry the physical access to the restricted area where that action is executed, the control gap persists across domains. Governance breaks when the policy model only sees one side of the entitlement picture.
Practical implication: evaluate SoD rules across badge access, application access, and operational authority together.
Attestation fails when evidence is fragmented
Attestation is the durable audit record for access changes, approvals, denials, exceptions, and policy decisions. A governance programme can only answer auditor questions quickly if the evidence is generated in one control plane instead of reconstructed from tickets, badge logs, and emails. The article highlights a common architectural failure: PACS enforces entry, but it does not govern access decisions. That leaves physical access as a disconnected evidence problem.
Practical implication: unify audit trails so governance evidence is created continuously, not assembled after the fact.
NHI Mgmt Group analysis
Identity governance is the proof layer of IAM, not a synonym for lifecycle automation. Joiner-mover-leaver workflows answer whether access changed correctly. Governance answers whether the resulting access is still appropriate, justified, and reviewable. That distinction matters because organisations often measure identity maturity by provisioning speed when they should be measuring decision quality and evidence integrity. Practitioners should treat governance as the control that validates entitlement legitimacy, not the mechanism that moves it.
Physical access becomes a governance blind spot when the model stops at the badge reader. Digital IGA platforms have matured around certification and attestation, but the same discipline is often missing for facilities, secure zones, and operational spaces. The governance assumption that access evidence lives in one identity system fails when a separate PACS owns the real-world entry record. Practitioners should treat disconnected physical access as an incomplete identity model, not an edge case.
Separation of duties is a cross-domain control, not an application-only rule. The article correctly shows that toxic combinations can span systems, facilities, and operational responsibility. A person who can both authorise access and use it is a risk regardless of whether the entitlement is digital or physical. That means SoD design must reflect the full execution path, not just the permission matrix inside one platform. Practitioners should map SoD around business actions, not product silos.
Continuous attestation is the difference between governance and retrospective forensics. If the audit trail is reconstructed after the fact, the programme is recording history rather than controlling access. The operational standard should be that every approval, denial, exception, and revocation is captured as part of the governance process itself. Practitioners should judge identity maturity by whether they can answer auditor questions immediately, not whether they can eventually assemble the answer.
PIAM extends identity governance into the places where IGA stops. The real market signal here is that physical access management is being pulled into the same governance conversation as digital identity. That does not replace IGA or PAM. It means identity programmes increasingly need one evidence model for entitlements, approvals, and revocations across both cyber and physical domains. Practitioners should expect governance scope to keep widening, not narrowing.
From our research:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
- For a broader operating model view, see Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs for lifecycle discipline across non-human access.
What this signals
Identity governance programmes are being forced to prove value in evidence quality, not just in workflow completion. The practical shift is toward continuous certification and revocation verification, because boards and auditors care less about whether a ticket moved than whether entitlement risk actually came down.
Evidence fragmentation: when badge systems, IGA platforms, and ticketing tools each hold part of the story, the organisation loses a single accountable record of access. That problem is now familiar in digital identity and becomes more acute when physical access is added to the programme.
With only 44% of organisations already managing AI agents through policy, the industry is normalising governance gaps before those gaps are closed. Identity teams should expect the same pressure to extend policy, certification, and attestation across every identity type, not just human users.
For practitioners
- Separate automation from governance reporting Track joiner-mover-leaver completion separately from certification outcomes, revocation verification, and auditor-ready evidence so leaders can see whether access was only changed or actually governed.
- Extend SoD policy to physical access paths Review combinations that cross badge access, application authority, and operational approval rights, then flag toxic combinations that no single system can see on its own.
- Unify attestation evidence sources Pull approvals, denials, exceptions, revocations, and badge history into one governed record so audit questions do not depend on email trails and spreadsheet reconstruction.
- Measure revocation closure, not ticket closure Validate that revoked access is actually removed across connected systems and that the result is visible in governance reporting before the case is closed.
Key takeaways
- Identity governance is about proving access is still appropriate, not merely automating lifecycle changes.
- Certification, separation of duties, and attestation are the controls that make access review meaningful across digital and physical domains.
- If the organisation cannot verify revocation outcomes and preserve evidence in one place, it has automation without governance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access reviews and entitlement validation map directly to managed access permissions. |
| NIST SP 800-53 Rev 5 | AC-2 | Access account management supports certification and revocation governance. |
| ISO/IEC 27001:2022 | A.5.15 | Access control policy is central to governance over digital and physical entitlements. |
| CIS Controls v8 | CIS-5 , Account Management | Account management controls support entitlement reviews and revocation tracking. |
Align access governance policy with A.5.15 and extend it across systems and facilities.
Key terms
- Identity Governance: The discipline of proving that access is appropriate, justified, and reviewable over time. It sits above provisioning and deprovisioning workflows, focusing on certification, separation of duties, and attestable evidence rather than just whether a technical change occurred.
- Access Certification: A formal review process that validates whether an identity should keep its existing access rights. It checks current role, business need, and policy alignment, and it is only effective when removals are confirmed and recorded as part of the control, not after the fact.
- Separation of Duties: A control that prevents one identity from holding conflicting powers that could enable fraud, abuse, or unreviewed action. In mature governance programmes, it applies across applications, approvals, and physical access paths, not only inside a single system.
- Attestation: The auditable proof that access decisions, exceptions, approvals, and revocations were made and captured correctly. It is the evidence layer of governance, allowing auditors and security teams to reconstruct decisions without relying on emails, spreadsheets, or manual memory.
What's in the full article
AlertEnterprise's full blog covers the operational detail this post intentionally leaves for the source:
- The article's full explanation of how certification differs from lifecycle automation in day-to-day identity operations.
- The physical-access governance examples that show how badge systems, PACS, and IGA controls should intersect.
- The implementation framing for PIAM as a layer above enforcement systems, not a replacement for identity governance.
- The source's product-specific discussion of automated certification, attestation reporting, and cross-domain policy handling.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-05-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org