TL;DR: Identity governance is the control layer that helps security teams answer who has access, why they have it, and whether it should still exist across cloud, on-premises, and third-party environments, according to RSA Security. Without it, access drift, orphaned entitlements, and audit gaps grow faster than manual review cycles can contain them.
At a glance
What this is: This is RSA Security’s identity governance explainer, arguing that governance is the control layer that turns access visibility, lifecycle discipline, and review evidence into enforceable access decisions.
Why it matters: It matters because IAM only proves who signed in, while IGA determines whether access is still justified, which is the difference between basic authentication and real entitlement control across NHI, autonomous, and human programmes.
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Context
Identity governance is the discipline that keeps access tied to purpose, ownership, and time. In hybrid estates, the problem is not signing users in. It is proving that access remains appropriate after roles change, applications proliferate, and exceptions start to behave like permanent entitlements.
RSA Security’s argument is really about the gap between authentication and governance. IAM answers who the user is at the door. IGA answers what they can still reach inside the environment, which is the control question that matters once cloud, SaaS, and data centre access overlap.
For teams managing NHIs, agentic AI, and human identities together, the lesson is the same: access visibility without lifecycle enforcement produces compliance theatre, not control. NHIMG’s lifecycle guidance in the Ultimate Guide to NHIs is useful context when governance has to extend beyond people.
Key questions
Q: How should security teams implement identity governance alongside IAM?
A: Security teams should treat IAM as the control that proves identity and IGA as the control that proves access is still justified. The practical model is simple: authenticate at the edge, govern entitlements after sign-in, and require review, approval, and remediation for high-risk access. Without that split, organisations confuse login assurance with access control.
Q: Why do access reviews fail to reduce risk in many organisations?
A: Access reviews fail when they produce documentation instead of entitlement change. If reviewers approve, revoke, or adjust access but the downstream systems do not enforce those decisions, the review becomes a compliance artefact. Reviews only reduce risk when they are scoped to meaningful access, owned by accountable approvers, and verified after remediation.
Q: What breaks when joiner, mover, and leaver processes are not automated?
A: When lifecycle workflows are manual, access changes lag behind job changes and terminations. That leaves orphaned accounts, stale entitlements, and unowned access in place long after the business need has ended. The result is avoidable breach impact, slower investigations, and weaker audit evidence.
Q: Who is accountable when access is over-provisioned across cloud and on-premises systems?
A: Accountability should sit with the business owner for the access decision, the application owner for the control, and the identity team for the workflow. Frameworks such as the NIST Cybersecurity Framework 2.0 help map that responsibility to governance, but the organisation still has to prove who approved what and why.
Technical breakdown
IAM verifies identity, IGA governs access after sign-in
IAM and IGA solve different problems. IAM confirms that a user or workload is who they claim to be, usually through authentication and federation. IGA starts after admission and tracks whether the resulting entitlements are still appropriate, approved, and reviewable across SaaS, cloud, and on-premises systems. That distinction matters because a valid login does not make access justified. When governance is weak, access accumulates through role changes, project exceptions, and unmanaged application onboarding, creating a control gap that authentication alone cannot close.
Practical implication: map authentication controls and entitlement governance to separate control owners so sign-in assurance is not mistaken for access assurance.
Least privilege fails when access drift becomes normal
Least privilege is not a static policy statement. It is the ongoing discipline of keeping access limited to what the role, task, and risk profile still justify. In real environments, drift happens when temporary exceptions become permanent, roles expand without recertification, and toxic combinations of access are never re-evaluated. This is why role-based access, policy-based exceptions, and access certification have to operate together. Without that loop, the programme can claim least privilege while the actual entitlement set keeps expanding underneath it.
Practical implication: build recurring review and exception expiry into entitlement governance so access drift cannot settle into the baseline.
Joiner, mover, and leaver workflows are the lifecycle control plane
Identity lifecycle governance is the mechanism that keeps access aligned with employment status, role changes, and offboarding events. Joiner, mover, and leaver processes should trigger requests, approvals, provisioning, deprovisioning, and evidence capture across all connected systems. When those workflows fail, orphaned accounts, stale entitlements, and unowned access remain available long after the business reason has disappeared. That creates both security exposure and audit weakness, because the organisation can no longer prove that access was removed when it should have been.
Practical implication: tie provisioning and deprovisioning to authoritative lifecycle events, not manual tickets or periodic clean-up projects.
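The two mechanisms above, exception expiry with recertification and lifecycle-driven deprovisioning, can be expressed as a small check over an entitlement inventory. The following is an added example, not code from RSA Security or NHIMG. It assumes an HR feed is the authoritative source of joiner, mover and leaver events (represented here as hypothetical dicts such as `{"type": "leaver", "identity": "bob"}`), that every entitlement record carries the business role it was granted for, an approver and an optional expiry, and that access left over after a role change is placed into a time-bound recertification window rather than kept indefinitely. The identities and entitlements are constructed sample data.

```python
"""Access-drift detection and joiner/mover/leaver handling (added example).

Assumptions: the HR feed is authoritative for lifecycle events; exceptions
must carry an expiry; residual old-role access after a mover event becomes
a time-bound exception pending recertification.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Identity:
    ident: str
    status: str            # "active" or "terminated"
    role: str              # current business role from the HR feed
    kind: str = "human"    # or "service", "agent" for non-human identities


@dataclass(frozen=True)
class Entitlement:
    identity: str
    resource: str
    role_scope: str        # business role this access was granted for
    approver: str          # accountable owner of the decision ("" = unowned)
    expires: Optional[date] = None
    exception: bool = False   # non-standard access that must expire


def find_drift(identities, entitlements, today):
    """Classify entitlements that no longer match purpose, owner or time."""
    by_id = {i.ident: i for i in identities}
    findings = {"orphaned": [], "expired_exception": [],
                "mover_residual": [], "unowned": []}
    for e in entitlements:
        holder = by_id.get(e.identity)
        if holder is None or holder.status == "terminated":
            findings["orphaned"].append(e)        # leaver still holds access
            continue
        if e.exception and (e.expires is None or e.expires < today):
            findings["expired_exception"].append(e)
        if e.role_scope != holder.role and not e.exception:
            findings["mover_residual"].append(e)  # old-role access never recertified
        if not e.approver:
            findings["unowned"].append(e)
    return findings


def apply_lifecycle_event(identities, entitlements, event, today, grace_days=30):
    """Apply one joiner/mover/leaver event and return (identities, entitlements,
    evidence). Evidence records every change so revocation can be proven later."""
    kind, who = event["type"], event["identity"]
    evidence = []
    if kind == "joiner":
        identities = identities + [Identity(who, "active", event["role"], event.get("kind", "human"))]
        evidence.append({"event": kind, "identity": who, "date": today, "action": "identity created"})
        return identities, entitlements, evidence
    if who not in {i.ident for i in identities}:
        raise KeyError(f"HR feed references unknown identity: {who}")
    if kind == "leaver":
        identities = [replace(i, status="terminated") if i.ident == who else i for i in identities]
        kept = []
        for e in entitlements:
            if e.identity == who:   # every entitlement of a leaver is revoked and logged
                evidence.append({"event": kind, "identity": who, "resource": e.resource,
                                 "date": today, "action": "revoked"})
            else:
                kept.append(e)
        return identities, kept, evidence
    if kind == "mover":
        new_role = event["role"]
        identities = [replace(i, role=new_role) if i.ident == who else i for i in identities]
        updated = []
        for e in entitlements:
            if e.identity == who and e.role_scope != new_role and not e.exception:
                # Old-role access becomes a time-bound exception pending recertification.
                e = replace(e, exception=True, expires=today + timedelta(days=grace_days))
                evidence.append({"event": kind, "identity": who, "resource": e.resource,
                                 "date": today, "action": f"recertify by {e.expires.isoformat()}"})
            updated.append(e)
        return identities, updated, evidence
    raise ValueError(f"unsupported lifecycle event type: {kind}")


# Constructed sample data (no real identities or systems).
TODAY = date(2026, 3, 12)
SAMPLE_IDENTITIES = [
    Identity("alice", "active", "analyst"),
    Identity("bob", "active", "engineer"),
    Identity("carol", "terminated", "analyst"),
    Identity("svc-backup", "active", "batch", kind="service"),
]
SAMPLE_ENTITLEMENTS = [
    Entitlement("alice", "prod-db:read", "analyst", "dba-lead", date(2025, 12, 1), exception=True),
    Entitlement("alice", "ticketing:user", "analyst", "analyst-mgr"),
    Entitlement("bob", "helpdesk:admin", "support", "support-mgr"),   # granted in a previous role
    Entitlement("carol", "vpn:access", "analyst", "analyst-mgr"),      # carol has left
    Entitlement("svc-backup", "s3:backup-bucket:write", "batch", ""),  # no accountable approver
]

if __name__ == "__main__":
    for category, items in find_drift(SAMPLE_IDENTITIES, SAMPLE_ENTITLEMENTS, TODAY).items():
        print(category, [f"{e.identity}:{e.resource}" for e in items])
    _, remaining, evidence = apply_lifecycle_event(
        SAMPLE_IDENTITIES, SAMPLE_ENTITLEMENTS, {"type": "leaver", "identity": "bob"}, TODAY)
    print(len(remaining), "entitlements remain;", evidence)
```

The point of the design is that a mover event never silently keeps old-role access: it converts it into an exception with a deadline, so the same `find_drift` pass that catches orphaned leaver accounts will surface it as an expired exception if nobody recertifies it inside the grace window.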
NHI Mgmt Group analysis
Identity governance is the control layer that decides whether access still deserves to exist. Authentication proves identity at entry, but governance is what keeps entitlements tied to business purpose, risk, and ownership after sign-in. In hybrid environments, that separation is the difference between a login event and an enforceable access decision. The practitioner implication is that IGA must be measured by remediation outcomes, not by review activity volume.
Access drift is the hidden failure mode that turns mature IAM into weak governance. Users change roles, applications spread, and exceptions quietly harden into standing entitlements. That is not only a visibility problem; it is a lifecycle failure that leaves least privilege as a claim rather than a state. The practitioner implication is to treat drift as a control defect, not an administrative nuisance.
Lifecycle governance matters because access outlives the event that justified it. Joiner, mover, and leaver processes are supposed to end privilege when the business need ends. When they stall, orphaned access becomes the default inheritance pattern inside the programme. The practitioner implication is to make lifecycle offboarding and revalidation operational dependencies, not periodic clean-up tasks.
Data access governance and business role management are the missing links between entitlement and consequence. IGA is not only about listing who has access; it is about understanding which access touches sensitive data, privileged actions, and toxic combinations. That is where role design, access certification, and remediation become meaningful together. The practitioner implication is to align entitlement decisions to business roles and data sensitivity, not directory structure.
Least privilege only works when the programme can continuously prove it. The article correctly frames least privilege as ongoing discipline, not a one-time policy. That means the real governance question is whether the organisation can keep proving necessity after provisioning, not whether access was justified at day one. The practitioner implication is to design for continuous evidence, because stale entitlement evidence is operationally equivalent to no evidence at all.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing that remediation often lags the discovery window, according to the Ultimate Guide to NHIs.
- For a broader control lens, see Ultimate Guide to NHIs - Lifecycle Processes for Managing NHIs for how access change, revocation, and offboarding should work together.
What this signals
Access governance is becoming the practical test of IAM maturity. The organisations that can prove entitlement change, not just identity verification, will have the clearest path to reducing access sprawl across cloud and SaaS. NHIMG’s own lifecycle guidance remains relevant here because lifecycle discipline is what turns review outcomes into actual control.
Entitlement evidence now matters as much as entitlement design. When governance programmes cannot show who reviewed access, what changed, and whether revocation actually happened, they lose both security value and audit credibility. That is why the access review process has to be measurable end to end, not treated as a paper exercise.
Only 5.7% of organisations have full visibility into their service accounts, a reminder that unmanaged non-human access often mirrors the same governance weaknesses seen in human IAM. Teams should expect the boundary between human and machine entitlement governance to blur further as cloud, automation, and delegated access continue to converge.
For practitioners
- Separate authentication from governance ownership: Assign sign-in assurance to IAM and entitlement review to IGA, then measure each control independently across SaaS, cloud, and on-premises systems.
- Expire exceptions with the same discipline as approvals: Make every non-standard entitlement time-bound, owner-approved, and automatically revalidated before it becomes a permanent exception.
- Automate joiner, mover, and leaver triggers: Connect lifecycle events to provisioning and deprovisioning so access changes happen when roles change, not after a manual clean-up cycle.
- Review toxic access combinations first: Prioritise entitlements that combine privileged actions, sensitive data reach, or conflicting duties, then remove them before broad review campaigns.
- Use audit evidence as a remediation check: Track whether review decisions actually resulted in revocation, adjustment, or confirmation, and reject programmes that only document the review.
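The last two practitioner points, and the earlier answer on why access reviews fail when decisions are not enforced, come down to two checks: compare each review decision with what the target systems actually hold after remediation, and rank toxic entitlement combinations ahead of broad campaigns. The following is an added example, not code from RSA Security or NHIMG. It assumes review decisions are exported as dicts with `identity`, `entitlement`, `decision` (one of `revoke`, `adjust`, `retain`), `reviewer` and, for adjustments, `replacement`; that the live state is a post-remediation snapshot of `(identity, entitlement)` pairs pulled from the target systems rather than from the review tool; and that toxic combinations are declared as explicit entitlement pairs (`TOXIC_PAIRS` is a constructed rule set, not a standard). All data is constructed.

```python
"""Verify that access-review decisions were enforced, and rank toxic
entitlement combinations for review first (added example).

Assumptions: decisions are {identity, entitlement, decision, reviewer[, replacement]};
live_state is a post-remediation (identity, entitlement) snapshot from the
target systems; TOXIC_PAIRS is a constructed rule set.
"""
from collections import defaultdict

TOXIC_PAIRS = [
    ({"payments:create", "payments:approve"}, "self-approval of payments"),
    ({"prod-db:write", "audit-log:delete"}, "change data and erase the trail"),
    ({"iam:create-user", "iam:assign-admin"}, "mint privileged identities"),
]


def verify_review_enforcement(decisions, live_state):
    """Compare every review decision with what the target systems actually hold.
    A revoke or adjust still present in the snapshot is unenforced; a retain needs
    no remediation. Decisions reviewed by the access holder are flagged separately
    because they lack an accountable approver."""
    live = set(live_state)
    result = {"enforced": [], "unenforced": [], "self_reviewed": []}
    for d in decisions:
        key = (d["identity"], d["entitlement"])
        if d["decision"] == "revoke":
            ok = key not in live
        elif d["decision"] == "adjust":
            ok = key not in live and (d["identity"], d["replacement"]) in live
        elif d["decision"] == "retain":
            ok = True
        else:
            raise ValueError(f"unknown decision: {d['decision']}")
        result["enforced" if ok else "unenforced"].append(d)
        if d["reviewer"] == d["identity"]:
            result["self_reviewed"].append(d)
    result["enforcement_rate"] = len(result["enforced"]) / len(decisions) if decisions else 1.0
    return result


def toxic_combinations(live_state, rules=TOXIC_PAIRS):
    """Return identities holding every entitlement of a toxic pair, sorted so the
    list can be worked top-down before a broad certification campaign."""
    held = defaultdict(set)
    for ident, ent in live_state:
        held[ident].add(ent)
    hits = [{"identity": ident, "entitlements": sorted(pair), "risk": why}
            for ident, ents in held.items()
            for pair, why in rules if pair <= ents]
    return sorted(hits, key=lambda h: (h["identity"], h["entitlements"]))


# Constructed sample data (no real identities or systems).
LIVE_AFTER_REMEDIATION = [
    ("alice", "prod-db:read"),          # review said revoke; still present
    ("bob", "helpdesk:user"),           # adjusted down from helpdesk:admin
    ("dave", "payments:create"),
    ("dave", "payments:approve"),       # toxic pair, and dave reviewed himself
    ("erin", "iam:create-user"),
    ("svc-etl", "prod-db:write"),
    ("svc-etl", "audit-log:delete"),    # non-human identity holding a toxic pair
]
REVIEW_DECISIONS = [
    {"identity": "alice", "entitlement": "prod-db:read", "decision": "revoke", "reviewer": "dba-lead"},
    {"identity": "bob", "entitlement": "helpdesk:admin", "decision": "adjust",
     "replacement": "helpdesk:user", "reviewer": "support-mgr"},
    {"identity": "dave", "entitlement": "payments:approve", "decision": "retain", "reviewer": "dave"},
    {"identity": "erin", "entitlement": "iam:create-user", "decision": "retain", "reviewer": "sec-lead"},
]

if __name__ == "__main__":
    report = verify_review_enforcement(REVIEW_DECISIONS, LIVE_AFTER_REMEDIATION)
    print(f"enforcement rate {report['enforcement_rate']:.0%}; unenforced:",
          [(d["identity"], d["entitlement"]) for d in report["unenforced"]])
    print("self-reviewed:", [d["identity"] for d in report["self_reviewed"]])
    for hit in toxic_combinations(LIVE_AFTER_REMEDIATION):
        print(hit)
```

The snapshot must come from the systems that grant access, not from the review tool's own record of the decision; otherwise the check only confirms that the review was documented, which is the failure mode the article describes. The toxic-pair rules are deliberately explicit rather than inferred so that each pair has a named risk an approver can be held to.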
Key takeaways
- Identity governance is the control layer that turns access visibility into enforceable access decisions.
- Access drift, stale entitlements, and weak lifecycle workflows are the real failure modes behind many governance gaps.
- Programmes should measure remediation and offboarding outcomes, because reviews without enforced change do not reduce risk.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Least-privilege and authorised access are central to the article's governance focus. |
| NIST Zero Trust (SP 800-207) | AC-1 | Continuous verification fits the article's emphasis on access visibility beyond sign-in. |
| NIST SP 800-63 | | Identity proofing and authentication underpin the sign-in side of the governance split. |
Map entitlement approval and review to PR.AC-4 and verify that access stays constrained over time.
Key terms
- Identity Governance And Administration: Identity Governance and Administration is the control discipline that decides who should have access, why they have it, and whether it should still exist. It combines review, approval, lifecycle enforcement, and evidence so access becomes measurable rather than assumed.
- Access Drift: Access drift is the gradual accumulation of permissions beyond what the current role, task, or risk level justifies. It happens when exceptions become permanent, role changes are not fully reflected, or reviewers fail to remove stale entitlements.
- Joiner, Mover, And Leaver Process: The joiner, mover, and leaver process is the lifecycle workflow that aligns access with onboarding, role changes, and exit events. In practice, it should trigger provisioning, updates, deprovisioning, and evidence capture across systems before access becomes orphaned or excessive.
- Least Privilege: Least privilege means an identity has only the access needed to perform a task, for only as long as it is needed. In governance terms, it is an ongoing state to be proven through review and remediation, not a one-time policy declaration.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by RSA Security: Identity Governance Questions Every Security Team Should Ask. Read the original.
Published by the NHIMG editorial team on 2026-03-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org