TL;DR: Identity governance fails when organisations rely on ad hoc processes, spreadsheets, and partial automation that cannot keep pace with access changes, according to Axiad. Manual remediation, weak provisioning oversight, and poor cross-system coordination leave users over-privileged and make compliance harder to sustain.
At a glance
What this is: Axiad’s post argues that identity governance and administration still breaks down because manual workflows, fragmented systems, and incomplete provisioning oversight leave access decisions inconsistent and risky.
Why it matters: That matters because IAM teams have to govern humans, workloads, and emerging autonomous actors with the same lifecycle discipline, and weak governance in one area quickly becomes a broader identity risk.
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.
👉 Read Axiad's blog on current identity governance and administration challenges
Context
Identity governance and administration is the control layer that decides who or what should have access, what that access should look like, and when it should be removed. The problem in Axiad’s post is not the existence of IAM tools, but the operational drift that appears when governance is handled through ad hoc decisions, spreadsheets, and loosely connected scripts.
That pattern matters because access excess is rarely created all at once. It accumulates through unmanaged approvals, inherited permissions, weak offboarding, and poor visibility across systems. In practice, the same governance failure can affect human users, service accounts, and AI-adjacent workflows whenever lifecycle controls are treated as optional instead of continuous.
The article’s starting point is typical rather than exceptional. Most enterprises have the tools for identity control, but many still lack the discipline and integration needed to make governance reliable at scale.
Key questions
Q: What breaks when identity governance relies on spreadsheets and email approvals?
A: Access decisions lose traceability, version control, and reliable ownership. Spreadsheets can document entitlement data, but they cannot enforce review timing, prove revocation, or keep pace with cross-system change. The result is stale access, slow remediation, and weak audit evidence across the identity lifecycle.
Q: Why do inherited permissions create so much identity risk?
A: Inherited permissions are risky because they transfer trust from one identity to another without proving that the new subject needs the same access. That is how privilege creep starts. In cloud, SaaS, and internal platforms, cloned entitlements often outlive the original business case and become standing exposure.
Q: How can security teams tell whether identity governance is working?
A: Look for evidence that approvals, recertifications, and removals are happening through a single authoritative process with clear owners and timestamps. If teams still need manual reconciliation to answer who has access, governance is not working. Reliable programmes can show current entitlement state without spreadsheet recovery.
Q: Who is accountable when access is left active after a role change or departure?
A: Accountability should sit with the identity owner, the application owner, and the business approver chain that failed to remove or revalidate access. Governance frameworks such as NIST Cybersecurity Framework 2.0 and internal access review processes assume responsibility is explicit. If it is not, risk persists after the person leaves.
Technical breakdown
Why spreadsheet-based IGA fails at enterprise scale
Spreadsheets can document access, but they cannot govern identity lifecycle reliably. Once data is copied out of authoritative systems, every approval, recertification, and remediation step becomes vulnerable to version drift, stale entries, and inconsistent ownership. The result is not just administrative friction. It is a loss of traceability across who approved access, when it changed, and whether removal actually occurred. In larger environments, this becomes especially dangerous because access decisions span multiple business units and platforms that do not share a common control plane.
Practical implication: replace spreadsheet governance with system-of-record workflows that preserve provenance, ownership, and revocation state.
Provisioning oversight and privilege inheritance
Provisioning failures often begin with good intent. Teams grant new access by cloning an existing account or reusing a prior role, then fail to re-evaluate whether the inherited permissions fit the new user or task. Over time, that creates privilege creep, where access survives long after the business need has changed. The same pattern appears when offboarding is incomplete: accounts remain active, approvals are not reversed, and dormant access becomes an attack path. Governance breaks when entitlement inheritance is treated as efficiency rather than a risk signal.
Practical implication: review clone-based onboarding, inherited roles, and account closure paths for every identity class.
Cross-system coordination and adaptive governance
Identity governance only works when policy, inventory, and certification data can move across systems fast enough to reflect real organisational change. Without that coordination, teams cannot accurately answer basic questions such as who has access to what, which access is still justified, or which changes require immediate review. Axiad’s point about an adaptive governance system is really about timing and coherence. Governance must react as roles, contracts, and business conditions shift, otherwise review cycles arrive after risk has already accumulated.
Practical implication: connect identity sources, application owners, and review workflows so access changes are reflected in near real time.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Manual identity governance is a control failure, not just an efficiency problem. When access decisions move into spreadsheets and email chains, accountability becomes fragmented and revocation becomes uncertain. That is not a tooling inconvenience; it is a governance collapse that weakens evidence, ownership, and auditability across the identity lifecycle. Practitioners should treat manual governance as an exposed control plane, not an acceptable fallback.
Privilege inheritance is where governance debt becomes breach exposure. The article describes a familiar failure mode: access is copied from an existing account, then preserved because no one revalidates the downstream entitlement set. That pattern turns provisioning into privilege amplification, especially when offboarding is incomplete or approvals are issued without context. The implication is that access lineage must be visible enough for teams to challenge inherited trust before it becomes standing risk.
Adaptive governance is the minimum viable response to multi-system identity sprawl. The central challenge is not lack of policy, but the inability to keep policy synchronized across business units, applications, and identity states. A governance programme that cannot react to changes in near real time will always certify stale access after the fact. Practitioners should view coordination latency as a first-order identity risk.
Identity governance now has to span human, machine, and autonomous actors with one lifecycle logic. Axiad’s article is written around human access management, but the deeper lesson carries into NHI and agentic programmes: if the lifecycle process cannot track issuance, inheritance, and removal cleanly, the actor type does not matter. The discipline is the same, and the failure mode is the same. Practitioners should build governance once, then adapt it by actor class rather than by silo.
Compliance culture only works when ownership is operational, not aspirational. The article correctly places culture alongside process because governance fails when business units treat it as someone else’s job. That is especially true in distributed environments where no single team can see every approval or revocation event. Practitioners should measure whether control ownership is explicit enough to survive organisational change.
From our research:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- The 52 NHI Breaches Analysis shows how access sprawl, credential persistence, and weak offboarding turn governance gaps into real incidents.
What this signals
Privilege inheritance debt: governance programmes that allow access cloning and weak offboarding accumulate risk faster than review cycles can clear it. The practical signal is simple: if entitlement provenance is unclear, certification outcomes will be unreliable no matter how polished the workflow looks.
With 72% of organisations reporting or suspecting an NHI breach in our research, the broader lesson is that identity control fails first at the seams between systems. Teams should expect the same seam risk to show up in human access, workload credentials, and agent oversight unless lifecycle ownership is explicit.
For programmes that still rely on periodic review alone, the next step is to connect identity inventory, approval history, and revocation evidence into a single control view. The fastest way to reduce exposure is not more review volume, but less ambiguity about who can still act.
For practitioners
- Replace ad hoc tracking with system-owned governance workflows: Move access approvals, recertifications, and removals into authoritative identity workflows so the source of truth is the same place decisions are made and evidenced. This reduces version drift and makes revocation auditable.
- Review privilege inheritance at onboarding: Audit clone-based account creation, role templates, and delegated approvals to find where excess permissions are being passed forward by default. Require explicit justification when inherited access exceeds the target job or function.
- Tighten offboarding and account closure checks: Verify that leaver, contractor-end, and role-change processes actually disable access, revoke linked permissions, and close dormant accounts across connected systems. Incomplete offboarding is one of the clearest governance gaps in the article.
- Map identity ownership across business units: Assign named owners for every critical entitlement set, application, and certification queue so remediation does not disappear into shared responsibility. Governance breaks fastest where no one can prove who must act.
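The checks in the Technical breakdown and the practitioner list above (inherited access beyond the role baseline, leavers and orphans still holding entitlements, entitlements with no named owner, and approvals older than the review cycle) can be run as one reconciliation pass over an export from the identity system of record. The script below is an added illustration, not code from Axiad or NHIMG; the inventory, role baselines, HR feed and the 180-day review cycle are constructed sample data.

```python
from datetime import date

# Constructed sample data: what a role should hold, the HR/contract feed
# (identity -> (role, status)), and the entitlement export to reconcile.
ROLE_BASELINE = {
    "analyst": {"crm:read", "wiki:edit"},
    "finance-admin": {"crm:read", "erp:post-journal", "erp:approve-payment"},
}
HR_FEED = {
    "alice": ("analyst", "active"),
    "bob": ("finance-admin", "active"),
    "carol": ("analyst", "left"),          # leaver whose access was never closed
    "svc-report": ("analyst", "active"),   # non-human identity, same lifecycle rules
}
ENTITLEMENTS = [
    # (identity, entitlement, named owner, date of last approval)
    ("alice", "crm:read", "crm-team", date(2025, 8, 1)),
    ("alice", "erp:approve-payment", "", date(2025, 6, 2)),   # cloned from bob at onboarding
    ("bob", "erp:approve-payment", "finance", date(2025, 7, 15)),
    ("carol", "wiki:edit", "wiki-team", date(2024, 11, 9)),
    ("svc-report", "crm:read", "data-eng", date(2024, 1, 5)),  # never recertified
    ("svc-legacy", "erp:post-journal", "", date(2024, 5, 1)),  # not in HR feed at all
]
AS_OF = date(2025, 9, 16)  # constructed "today" for the review run


def find_governance_gaps(entitlements, hr_feed, role_baseline, today, max_age_days=180):
    """Classify every entitlement into the governance gaps the article describes."""
    gaps = {"offboarding": [], "inherited_excess": [], "no_owner": [], "stale_approval": []}
    for identity, ent, owner, approved in entitlements:
        role, status = hr_feed.get(identity, (None, "unknown"))
        # Leavers and identities unknown to HR: access should already be gone,
        # so any remaining entitlement is an offboarding/orphan finding.
        if status != "active":
            gaps["offboarding"].append((identity, ent))
            continue
        # Access outside the target role's baseline is the privilege-inheritance signal.
        if ent not in role_baseline.get(role, set()):
            gaps["inherited_excess"].append((identity, ent, role))
        # No named owner means nobody can prove who must act on remediation.
        if not owner:
            gaps["no_owner"].append((identity, ent))
        # An approval older than the review cycle has not been recertified.
        if (today - approved).days > max_age_days:
            gaps["stale_approval"].append((identity, ent, approved.isoformat()))
    return gaps


if __name__ == "__main__":
    for kind, items in find_governance_gaps(ENTITLEMENTS, HR_FEED, ROLE_BASELINE, AS_OF).items():
        print(f"{kind}: {items}")
```

Each finding carries the identity and entitlement so it can be routed to the owner named in the inventory, or flagged as unowned when that field is empty.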
Key takeaways
- Identity governance breaks when access decisions depend on spreadsheets, email chains, and manual reconciliation.
- Privilege inheritance and incomplete offboarding are the most visible pathways from governance weakness to standing risk.
- Practitioners need authoritative workflows, clear ownership, and near-real-time coordination across systems to keep access decisions current.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity governance depends on approved, managed access assignments. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Zero Trust requires continuous verification instead of static trust in access state. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Offboarding and credential lifecycle failures mirror NHI persistence risks. |
Design governance so access is revalidated as conditions change, not only at review time.
Key terms
- Identity Governance And Administration: Identity governance and administration is the discipline for deciding who or what should have access, proving that access is appropriate, and removing it when the business need ends. It combines policy, review, and remediation so access can be controlled across applications, data, and lifecycle events.
- Privilege Inheritance: Privilege inheritance is the transfer of access from one identity or role to another, usually through cloning, templates, or reused approval paths. It is efficient, but it becomes risky when inherited permissions are not revalidated against the new subject's actual need, especially during onboarding and role change.
- Access Recertification: Access recertification is the periodic review of existing entitlements to confirm they are still needed and correctly assigned. In practice, it only works when the review reflects current system state, has a clear owner, and can trigger removal without manual reconstruction of the access history.
- Offboarding: Offboarding is the process of removing access when an employee, contractor, or service relationship ends. In identity governance, it is not just account disablement. It also includes revoking linked permissions, closing inherited access paths, and confirming that no dormant entitlement remains active.
Deepen your knowledge
Identity governance, privilege inheritance, and offboarding discipline are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is wrestling with the same lifecycle and coordination problems, it is worth exploring.
This post draws on content published by Axiad: 5 Current Challenges of Identity Governance and Administration. Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org