TL;DR: Identity governance that stops at audit evidence can still miss active abuse, because quarterly reviews, manual workflows, and disconnected controls do not see real-time access risk, according to RSA Security. Compliance remains necessary, but risk-aware governance is the operating model that closes the gap between certification and security.
At a glance
What this is: This is RSA Security’s argument that identity governance must move from compliance-led review cycles to continuous, risk-aware control.
Why it matters: It matters because IAM, NHI, and human identity teams all need governance that detects and prioritises risk in real time, not just after the fact.
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.
Context
Identity governance is the discipline of proving and controlling who or what has access, and whether that access still makes sense. The problem in this article is that many programmes still treat governance as a compliance exercise, even though identity governance now needs to handle continuously changing risk across human users, service accounts, and machine access.
That gap matters because static access reviews and manual certification cycles are not designed to detect abuse while it is happening. RSA Security is arguing that governance has to become context-aware, with risk signals feeding decisions before access becomes an incident.
For teams looking to ground that shift in an NHI programme, the operational baseline is clear in the Ultimate Guide to NHIs and the Top 10 NHI Issues, which frame visibility, lifecycle control, and least privilege as ongoing controls rather than audit artefacts.
Key questions
Q: How should organisations make identity governance risk aware?
A: They should combine periodic certification with live risk inputs such as role change, device posture, location, and anomalous behaviour. The goal is to decide whether access is still appropriate in the current context, not merely whether it was once approved. Risk-aware governance should prioritise the most sensitive entitlements first and route violations into immediate remediation.
Q: Why do quarterly access reviews miss identity risk?
A: Quarterly reviews miss risk because entitlement abuse can happen and finish long before the next certification cycle. A clean audit trail only proves that someone reviewed access later. It does not show whether the access was safe during the interval when an attacker or insider could use it.
Q: What do security teams get wrong about compliance-driven governance?
A: They often assume that a successful audit means access control is working. In reality, compliance evidence is backward-looking and may ignore real-time privilege misuse, toxic combinations, or context shifts. Governance is only effective when it reduces exposure while access is active, not when it documents it after the fact.
Q: Who should own identity governance when access risk changes quickly?
A: Ownership should sit with the identity, security, and risk functions together, because fast-moving access decisions need policy, telemetry, and operational context. Governance cannot be a pure audit function if it is expected to stop abuse in time. It must be treated as a security control with clear accountability.
Technical breakdown
Why compliance-led access reviews miss active risk
Traditional identity governance centres on periodic access certification, usually tied to audit cycles. That model proves that a control existed at a point in time, but it does not evaluate whether access was risky during the interval between reviews. When entitlements are granted, changed, or abused between quarterly checks, the governance record can remain clean while the environment is already exposed. This is why manual review programmes often trail operational reality. Risk-aware governance adds context such as role change, device posture, location, and anomalous behaviour so that the decision to keep or remove access reflects current conditions, not stale evidence.
Practical implication: move high-risk entitlements out of fixed review cadences and into context-driven certification queues.
How identity security posture management changes the control model
Identity security posture management, or ISPM, treats identity state as something to monitor continuously rather than certify occasionally. In practice, that means mapping access across cloud apps, infrastructure, and legacy systems, then evaluating it against risk signals and policy violations in near real time. The architectural shift is important because governance stops being a records function and becomes a control plane for access risk. ISPM does not replace governance outcomes such as attestation or least privilege. Instead, it gives those outcomes live inputs, so toxic combinations and separation-of-duties violations can be surfaced before they become audit findings or security incidents.
Practical implication: integrate posture signals into governance workflows so violations are found before the next review cycle.
Why contextual signals matter for privilege decisions
Contextual governance uses signals such as location, device, time of access, and behavioural patterns to decide whether access still fits the situation. That matters because the same entitlement can be low risk in one context and high risk in another. A user moving roles, using unusual infrastructure, or attempting access at an abnormal time may not be malicious, but the context is strong enough to justify intervention. The core technical point is that governance decisions are no longer binary entitle or deny choices. They become conditional decisions informed by telemetry, policy, and the operational sensitivity of the resource being accessed.
Practical implication: feed behavioural and contextual telemetry into recertification so decisions reflect real operating conditions.
Threat narrative
Attacker objective: The objective is to keep access alive long enough to exploit it before governance catches up.
- Entry occurred when an employee changed roles and inherited access to a critical system without an immediate governance reset.
- Escalation followed when that standing access remained available long enough for the user to exfiltrate data before the next quarterly review.
- Impact was delayed detection and unauthorised data removal, showing that compliance evidence did not stop operational abuse.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Compliance-only governance is a backward-looking control model. Passing an audit proves that access was reviewed, not that it was safe when it mattered. Quarterly certification and manual attestation can easily miss abuse that occurs between review points, which means the programme is measuring evidence quality rather than risk exposure. The practitioner conclusion is that governance must be judged by live risk reduction, not audit completeness.
Identity security posture management is the missing operational layer between entitlement and certification. ISPM matters because it connects inventory, posture, policy, and risk signals before the review cycle closes. That makes governance less about document collection and more about intervention timing. Practitioners should treat posture visibility as the control that decides which access deserves attention first.
Risk-aware governance is a control strategy, not a reporting enhancement. The article is right that toxic combinations, separation-of-duties violations, and behavioural anomalies need to be surfaced immediately, because waiting for a scheduled review means the threat has already matured. This is where identity governance intersects with broader NIST CSF risk management and access control expectations. The practitioner implication is simple: if governance cannot see current risk, it cannot govern current access.
Access reviews designed for stable entitlement lifecycles fail when roles, context, and behaviour change faster than the cadence. That design assumes access states stay stable long enough to be reviewed. It fails when access becomes operationally dynamic and the governance record lags the real decision environment. The implication is that teams must rethink what a review is meant to prove: accountability after the fact, or prevention before abuse.
Risk-aware identity governance creates a common control language across human, NHI, and autonomous access. The same governance problem appears whenever access can change faster than human review cycles can react. For NHI and machine identity, that means secret and token state must be tied to posture and lifecycle. For human identity, it means role change and contextual risk must drive recertification. The practitioner conclusion is to unify governance logic across actor types, rather than run separate review philosophies.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- For teams building the control layer behind this risk lens, 52 NHI Breaches Analysis shows how governance gaps become breach patterns in practice.
What this signals
Identity governance is shifting from evidence collection to live risk control. That shift matters because quarterly review logic cannot keep pace with modern entitlement change, especially where cloud access, third-party OAuth connections, and service credentials move faster than certification cycles. For programmes that still separate governance from telemetry, the result is predictable delay between risk emergence and control action.
With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, the governance gap is already structural. That number shows why access review alone is not enough when delegated access is distributed across platforms and partners. Teams should align their governance model with a broader posture and lifecycle view, then anchor it to the 52 NHI Breaches Analysis for pattern recognition.
Risk-aware governance will increasingly be judged by whether it can act before abuse is operationalised. That means practitioners should expect closer coupling between identity telemetry, policy enforcement, and lifecycle reset points, especially in environments with heavy NHI and cloud app dependency. The next maturity step is not more review volume, but better decision timing.
For practitioners
- Prioritise access reviews by risk, not calendar date: Replace blanket quarterly certifications with queues ordered by role sensitivity, recent privilege change, and anomalous use. High-impact systems should move first, so reviewers spend time where a missed entitlement creates the largest exposure.
- Feed live posture signals into governance workflows: Use device, location, time-of-access, and behavioural signals to decide whether entitlements remain appropriate. This makes access review a live control decision instead of a retrospective checkbox.
- Map toxic combinations before auditors find them: Continuously flag separation-of-duties conflicts and privileged role overlaps, then route them to remediation before the next certification cycle. This shortens the time between violation and action.
- Tie lifecycle events to immediate governance resets: When a user changes roles, starts a new project, or inherits elevated access, force an immediate reassessment of standing entitlements. The goal is to prevent old access assumptions from surviving new business context.
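The following is an added example, not code from RSA Security or NHIMG, showing the control logic described in the technical breakdown and the four practitioner points above: a certification queue ordered by entitlement sensitivity and live context (role change, anomalous behaviour, device posture, separation-of-duties conflicts) rather than by review date. The entitlement names, sensitivity weights, SoD policy, and identities are all constructed sample data.

```python
from dataclasses import dataclass
# Constructed policy: pairs of entitlements that break separation of duties, and a
# sensitivity weight per entitlement. Both are illustrative, not from the article.
SOD_CONFLICTS = {frozenset({"ap_create_vendor", "ap_approve_payment"}),
                 frozenset({"deploy_prod", "approve_change"})}
SENSITIVITY = {"ap_create_vendor": 3, "ap_approve_payment": 4, "deploy_prod": 4,
               "approve_change": 3, "read_wiki": 1, "prod_db_admin": 5}

@dataclass
class Identity:
    name: str
    kind: str                        # "human" or "nhi"
    entitlements: set
    role_changed: bool = False       # lifecycle event since last certification
    anomalous_access: bool = False   # behavioural signal from telemetry
    device_noncompliant: bool = False
    days_since_review: int = 0

def toxic_pairs(ents):
    """Separation-of-duties conflicts present in one entitlement set."""
    return [c for c in SOD_CONFLICTS if c <= ents]

def risk_score(ident):
    """Resource sensitivity plus live context; calendar age is only a tiebreaker."""
    score = max((SENSITIVITY.get(e, 2) for e in ident.entitlements), default=0)
    if ident.role_changed: score += 5        # inherited access must be re-justified now
    if ident.anomalous_access: score += 4
    if ident.device_noncompliant: score += 2
    if ident.days_since_review > 90: score += 1
    return score + 3 * len(toxic_pairs(ident.entitlements))

def build_review_queue(identities):
    """Certification queue ordered by risk, each entry carrying its reasons."""
    queue = []
    for ident in identities:
        reasons = ["role change: immediate reset"] if ident.role_changed else []
        reasons += ["toxic combination: " + " + ".join(sorted(p))
                    for p in toxic_pairs(ident.entitlements)]
        if ident.anomalous_access: reasons.append("anomalous access")
        if ident.device_noncompliant: reasons.append("device posture")
        queue.append((risk_score(ident), ident.name, reasons))
    return sorted(queue, key=lambda t: (-t[0], t[1]))

# Constructed identities: an SoD conflict, a role change, an anomalous NHI, a stale low-risk user.
SAMPLE = [Identity("alice", "human", {"ap_create_vendor", "ap_approve_payment"}),
          Identity("bob", "human", {"prod_db_admin"}, role_changed=True),
          Identity("ci-deployer", "nhi", {"deploy_prod"}, anomalous_access=True),
          Identity("carol", "human", {"read_wiki"}, days_since_review=120)]

def sample_queue():
    return build_review_queue(SAMPLE)
```

The stale but low-risk account lands last even though it is the only one overdue by the calendar, while the role change and the anomalous machine identity go to the front of the queue.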
Key takeaways
- Identity governance that only proves compliance can still miss active abuse, because the control is backward-looking rather than risk-aware.
- Real-time posture, behavioural context, and lifecycle events are what turn governance into a security control instead of a records function.
- Practitioners should shift review effort toward high-risk access, toxic combinations, and immediate reassessment after role or context changes.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Identity governance must reflect least privilege and access validation. |
| NIST CSF 2.0 | ID.RA-1 | The article centers on identifying identity risk before abuse occurs. |
| NIST Zero Trust (SP 800-207) | 4.2 | Context-aware access decisions align with continuous verification principles. |
Map certification workflows to PR.AC-4 and require risk-based review for sensitive access.
Key terms
- Identity Security Posture Management: Identity security posture management is the practice of continuously assessing identity risk across users, machines, and access paths. It turns governance from a periodic review activity into an ongoing control layer that surfaces toxic combinations, weak entitlements, and context-driven exposure before they become incidents.
- Risk-Aware Governance: Risk-aware governance is an identity control approach that uses live context to decide whether access should remain in place. Instead of relying only on scheduled certifications, it weighs factors such as role change, behaviour, device posture, and resource sensitivity to keep decisions current.
- Access Certification: Access certification is the formal review and attestation of who or what has access to systems and data. In mature programmes it supports accountability, but by itself it is a retrospective control that cannot guarantee the access was safe during the period before review.
- Toxic Combination: A toxic combination is a set of entitlements or roles that together create unacceptable risk, often because they break separation-of-duties rules. These conflicts are especially dangerous when they remain hidden between review cycles and are not surfaced by identity telemetry or policy checks.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
This post draws on content published by RSA Security: Identity Governance & Administration Compliance Isn’t Security: Why Identity Governance Needs a Risk Lens. Read the original.
Published by the NHIMG editorial team on 2025-10-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org