By NHI Mgmt Group Editorial TeamPublished 2026-06-16Domain: Best PracticesSource: Clear Skye

TL;DR: Identity governance often fails because teams cannot quickly explain why access exists, what changed, or which relationships produced it, according to Clear Skye. The core problem is not execution speed but the ability to see, trace, and defend access decisions at scale.


At a glance

What this is: This is a Clear Skye perspective on why identity governance is becoming a visibility and explanation problem, not an automation problem.

Why it matters: It matters because IAM, IGA, and PAM teams need decisions that can be traced across human identity, service accounts, and emerging AI-driven processes without losing auditability or trust.

By the numbers:

👉 Read Clear Skye's analysis of why identity governance needs understanding, not more automation


Context

Identity governance works only when teams can explain access, not just enforce it. In practice, that means understanding why a person, service account, or workload has access, what created the entitlement, and what changed over time. When those relationships are scattered across systems, governance becomes a reconstruction exercise instead of a control.

Clear Skye is arguing that the real constraint is comprehension. That framing matters for IAM, IGA, and PAM programmes because the same evidence problem shows up in access reviews, certifications, incident response, and lifecycle decisions. The challenge is broader than one product category and increasingly applies across human identities, NHIs, and AI-driven workflows.


Key questions

Q: How should identity teams handle access reviews when evidence is scattered across multiple systems?

A: Start by treating evidence correlation as part of the control, not a side task. Bring approvals, role inheritance, lifecycle events, and entitlement changes into one review context so certifiers can explain why access exists before they approve or revoke it. If reviewers still need manual reconstruction, the programme is measuring activity, not understanding.

Q: Why do identity governance programmes struggle even when automation is already in place?

A: Automation speeds up workflow, but it does not create understanding. If the programme cannot show why access was granted, what changed, and which relationships still justify it, the control remains fragile. Governance fails when decisions are executable but not explainable, especially in audits and incident response.

Q: What breaks when access decisions cannot be explained later?

A: Auditability breaks first, followed by trust in the governance process. Reviewers may approve entitlements they do not understand, incident teams may waste time reconstructing history, and compliance teams may be unable to defend exceptions. The root issue is an evidence gap, not a workflow gap.

Q: Who is accountable when AI helps surface identity decisions but humans still approve them?

A: The human approver remains accountable for the decision, while the programme owner is accountable for the quality of the evidence and the boundaries placed around AI assistance. AI can assist with correlation and explanation, but it should not become the final authority over access.


Technical breakdown

Why identity governance becomes a knowledge graph problem

Identity governance depends on correlating entitlements, approvals, group membership, role inheritance, and change history. When those signals live in separate systems, teams cannot answer basic questions quickly enough for audit or incident response. A knowledge graph approach is useful because it preserves relationships, not just records. That matters when access is indirect, inherited, or shaped by multiple policy layers. The technical issue is not whether data exists, but whether it is connected well enough to reconstruct the decision path. Practical implication: map the evidence chain behind every high-risk entitlement before you rely on it in certification or investigation workflows.

Practical implication: map the evidence chain behind every high-risk entitlement before you rely on it in certification or investigation workflows.

Read-only AI and why human-in-the-loop still matters

Read-only AI in identity governance is best understood as decision support, not decision authority. It can summarise evidence, surface anomalies, and link related access paths, but it does not remove the need for human accountability. That distinction matters because access decisions affect compliance and operational risk, and every answer must be explainable later. If the AI cannot show its reasoning inputs, it becomes another opaque layer in an already opaque process. Practical implication: constrain AI to evidence assembly and explanation generation, then require human review for approvals, exceptions, and remediation.

Practical implication: constrain AI to evidence assembly and explanation generation, then require human review for approvals, exceptions, and remediation.

Platform-native governance and the control plane question

Platform-native identity governance reduces context loss by keeping governance, service management, security operations, and lifecycle signals closer together. That does not magically fix bad entitlement design, but it lowers the odds that teams are reconstructing truth from disconnected exports. The architectural question is where the control plane lives and how much context it can see at decision time. If the platform cannot see lifecycle events, role changes, and incident signals together, it cannot explain access with confidence. Practical implication: evaluate whether your governance stack can use native operational context rather than relying on after-the-fact synchronisation.

Practical implication: evaluate whether your governance stack can use native operational context rather than relying on after-the-fact synchronisation.


NHI Mgmt Group analysis

Identity governance has become a clarity problem before it is an automation problem. The governing issue is not whether teams can trigger workflows, but whether they can explain the access decision itself. When approvals, entitlements, and change history are scattered, the programme loses its ability to defend access under audit or incident pressure. The practitioner conclusion is that governance maturity now depends on reconstructable truth, not process volume.

Access decisions that cannot be traced are not truly governable. Clear Skye's framing is useful because it separates speed from assurance. Faster workflows still fail if teams cannot see which roles, approvals, and relationships produced an entitlement. That is a control problem at the evidence layer, not a user-interface problem. Practitioners should treat explainability as a control requirement, not a reporting feature.

Identity governance now spans people, NHIs, and AI-driven processes in the same operating model. The article rightly notes that identity no longer means employees alone. Once service accounts, machine identities, and AI-assisted processes enter the picture, the evidence burden grows and the cost of uncertainty rises. The implication for IAM leaders is that lifecycle, access review, and audit processes must operate across actor types without losing context.

Clarity is the named concept this article points to, and it is the real control objective. Clear Skye is effectively arguing that governance programmes fail when they optimise for action and underinvest in understanding. That premise aligns with NIST Cybersecurity Framework 2.0's emphasis on governance and risk visibility, and with any serious identity programme that needs to justify privilege. The practitioner conclusion is to build systems that preserve the why, not just the what.

Platform-native context reduces reconstruction work, but it does not eliminate governance design flaws. Running governance closer to operational data can improve evidence quality and shorten investigations. It does not fix over-entitlement, poor role design, or weak lifecycle controls. The field-level takeaway is that architecture can improve confidence, but policy and ownership still determine whether access remains defensible.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • Another finding from our research shows that 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
  • For a deeper lifecycle lens, see Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs, which connects visibility, rotation, and offboarding.

What this signals

Clarity debt: when identity programmes cannot explain why access exists, they accumulate review debt that no amount of workflow automation can remove. The practical signal is simple: if a reviewer needs three systems to validate one entitlement, the control plane is already too fragmented.

The next maturity jump in IGA will come from systems that preserve relationship context at the point of decision, not from more approval routing. That aligns with the NIST Cybersecurity Framework 2.0 emphasis on governance and visibility, and it is increasingly relevant as service accounts and machine identities expand the review surface.

Teams should expect AI to be judged less on novelty and more on whether it reduces reconstruction work without obscuring accountability. The programmes that win will be the ones that can turn scattered identity evidence into a defensible answer fast, especially when lifecycle events and access changes arrive together.


For practitioners

  • Inventory the evidence chain behind high-risk access Document which approvals, group memberships, inherited roles, and lifecycle events explain each privileged entitlement before the next access review cycle. Use this to spot where reviewers are being asked to certify access they cannot actually understand.
  • Separate evidence assembly from approval authority Allow AI and automation to gather relationships, changes, and policy context, but keep the final decision with a named reviewer who can explain the outcome later. This keeps the process auditable and avoids opaque recommendations becoming de facto approvals.
  • Unify lifecycle and governance signals Bring joiner, mover, leaver events, entitlement changes, and incident context into the same operational view so access can be traced without manual reconstruction. This is especially useful where service accounts and AI-assisted processes share the same control plane.
  • Test whether your reviews can answer why access exists Run a sample certification and require the reviewer to explain the origin of each entitlement, not just confirm it looks reasonable. If the answer depends on exporting data from multiple systems, the governance model is still too fragmented.

Key takeaways

  • Identity governance fails when teams cannot explain access, not when they cannot trigger workflows.
  • The evidence problem now spans people, service accounts, and AI-assisted processes, which raises the bar for auditability.
  • Programmes should optimise for reconstructable truth, because understanding is the control that makes decisions defensible.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0GV.RM-01The article centres on governance visibility and defensible identity decisions.
NIST Zero Trust (SP 800-207)PR.AC-4Access should be continuously justified with context, not just granted once.
OWASP Non-Human Identity Top 10NHI-07Service account visibility and lifecycle context are directly relevant to identity governance.

Track non-human identities as first-class assets and review their entitlement lineage regularly.


Key terms

  • Identity governance: Identity governance is the discipline of controlling, reviewing, and proving who or what has access and why. It covers approvals, certifications, lifecycle events, and audit evidence across human identities, non-human identities, and increasingly AI-assisted processes.
  • Entitlement lineage: Entitlement lineage is the chain of roles, group memberships, approvals, inheritance, and lifecycle events that explains how access was created. It is the evidence path practitioners need when they must defend a privilege, investigate an anomaly, or remove access confidently.
  • Read-only intelligence: Read-only intelligence is AI used to assemble, summarise, and explain identity evidence without changing access decisions directly. It can improve visibility and speed, but the control value comes from preserving human accountability and keeping the output auditable.
  • Clarity debt: Clarity debt is the growing operational cost of not being able to explain access quickly. It appears when teams rely on disconnected systems, manual reconstruction, and incomplete context, turning routine governance tasks into time-consuming investigations.

What's in the full article

Clear Skye's full article covers the operational detail this post intentionally leaves for the source:

  • How Clear View AI is positioned inside the ServiceNow platform and where it sits in the identity workflow.
  • The specific identity governance use cases the vendor says the feature supports, including review and investigation workflows.
  • How the vendor describes read-only intelligence, transparency, and human-in-the-loop operation in practice.
  • The product framing behind Clear Skye IGA 5.4 and the surrounding AI capability set.

👉 Clear Skye's full post covers the Clear View AI framing, platform-native context, and governance implications.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance maturity, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org