By NHI Mgmt Group Editorial Team | Published 2025-09-16 | Domain: Governance & Risk | Source: Axiad

TL;DR: Identity governance and administration still breaks down where organisations rely on ad hoc processes, spreadsheets, partial automation, and weak provisioning oversight, leaving access reviews, revocation, and compliance tracking inconsistent, according to Axiad. Manual governance assumes identities stay visible and stable long enough to manage, but that assumption fails in modern enterprise environments.


At a glance

What this is: This is Axiad's analysis of why identity governance and administration remains hard, with manual processes and weak provisioning oversight creating persistent access risk.

Why it matters: It matters because IAM teams still need reliable governance for people, applications, and privileged access across hybrid environments, not just better tooling claims.

👉 Read Axiad's analysis of the current challenges in identity governance and administration


Context

Identity governance and administration is the control layer that tells an organisation who has access, why they have it, and when it should be removed. In Axiad's framing, the problem is not the absence of IAM in principle, but the persistence of ad hoc workflows, spreadsheets, and partial automation that leave access decisions fragmented.

For IAM practitioners, the challenge is that access sprawl is not only a provisioning issue. It is also a governance issue, because permissions inherited from existing users, stale accounts, and weak cross-system coordination can outlive the business need they were supposed to support.


Key questions

Q: What breaks when identity governance still relies on spreadsheets?

A: The review process stops being authoritative. Spreadsheets fragment identity data, delay remediation, and make it hard to prove who approved what, which means the organisation may complete a review without actually changing any risky access.

Q: Why do inherited access approvals create governance risk?

A: Because copied access often carries hidden excess privilege into the new account. If approvers do not inspect the source entitlement set, they can reproduce over-privilege at scale and normalise access that was never justified for the new role.

Q: How can security teams tell whether IGA automation is working?

A: Look for a closed loop from discovery to decision to revocation. If the system can only generate reports or route approvals but does not change entitlements and capture evidence, it is reducing effort, not reducing risk.

Q: Who is accountable when stale accounts remain active after role changes?

A: Accountability sits with the identity governance owner, the business approver, and the system owner that failed to enforce lifecycle offboarding. In practice, frameworks expect shared responsibility, but the control failure is usually the absence of a clear revocation owner.


Technical breakdown

Why spreadsheets and ad hoc workflows fail for IGA

When identity governance depends on spreadsheets and email handoffs, the control plane becomes a documentation exercise rather than an enforcement system. Data may be collected from multiple systems, but it is rarely normalised fast enough to support timely certification, remediation, or exception handling. That creates blind spots between the systems that hold access and the people who are supposed to govern it. The result is not just slower reporting. It is governance that cannot reliably answer who has access to what across the estate.

Practical implication: replace spreadsheet-driven review cycles with a single governance workflow tied to authoritative identity and entitlement data.

How provisioning oversights create inherited privilege

Provisioning errors often begin with role copying, manager approvals, or inherited access from existing accounts. If the source identity already carries excess privilege, that excess spreads to new users and is then normalised as acceptable access. The same problem appears at offboarding, where accounts remain active because inventory data is stale or handoffs are incomplete. In practice, provisioning without lifecycle oversight turns access into a chain of inherited decisions rather than a controlled entitlement model.

Practical implication: validate source entitlements before cloning access and make revocation dependent on lifecycle state, not manual follow-up.

Why partial automation is not governance automation

Some organisations automate fragments of IGA, such as data processing or remediation scripts, but still leave critical decision points dependent on humans. That creates a false sense of control because the process looks modern while key notifications, exceptions, or evidence trails are missing. True governance needs integrated data flows, policy logic, and oversight that can detect change and route it for action without relying on someone to notice a spreadsheet problem. Partial automation reduces effort, but it does not close the governance gap by itself.

Practical implication: test whether automation covers the full certification-to-remediation path, not just the easiest reporting steps.


Threat narrative

Attacker objective: The attacker aims to exploit unmanaged access paths and stale entitlements to reach high-value systems or sensitive information.

  1. Entry begins when governance is handled through ad hoc processes, spreadsheets, or incomplete automation that leave identity data fragmented across systems.
  2. Escalation occurs when excess access is copied from existing users, approvals are granted without full context, or dormant accounts stay active after role change or departure.
  3. Impact follows when attackers or insiders exploit unmanaged or over-privileged accounts to reach sensitive systems or privileged data, or when the same gaps surface as compliance failures.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity governance fails first as a coordination problem, not a tooling problem. Axiad's article shows that fragmented ownership, inconsistent data, and manual handoffs are what keep IGA from becoming reliable at scale. The governance model breaks when no one system can answer who has access, why it exists, and whether it should still be there. Practitioners should treat cross-system coordination as the primary control gap, not a reporting inconvenience.

Inherited privilege is the hidden failure mode in weak provisioning processes. When access is granted by copying from another identity or by manager approval without entitlement context, excess privilege gets reproduced as normal. That is how standing access becomes organisationally invisible. The practitioner takeaway is that provisioning governance must inspect the source of access, not just the destination account.

Manual certification creates the illusion of control while leaving revocation unresolved. If reviews depend on people assembling data by hand, the programme can produce paperwork without producing risk reduction. The control failure is the delay and inconsistency between discovery, decision, and removal. Teams should measure whether certification outcomes actually change entitlement state, not whether a review was completed.

Compliance culture is a governance control, not a soft management concern. The article correctly frames weak top-down reinforcement as one reason identity governance remains inconsistent. Policies do not enforce themselves, and local business priorities will override them when leadership does not insist on shared standards. Practitioners should treat culture as an operational dependency for IGA effectiveness.

Adaptive governance is the only durable response to identity change velocity. The article's most useful signal is its emphasis on systems that can respond to role changes in real time. That maps directly to modern IAM reality, where access state changes faster than traditional review cadences. The practitioner implication is that governance must be designed for continuous change, not periodic cleanup.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly one identity failure can cascade into repeated exposure.
  • For a broader breach lens, review 52 NHI Breaches Analysis to see how governance gaps, not just isolated mistakes, repeat across environments.

What this signals

Identity governance will be judged by revocation speed, not review volume. If entitlements can be documented but not removed promptly, the programme is producing audit artefacts rather than risk reduction. Teams should watch for the gap between approval, certification, and enforced state change, because that gap is where governance fails in practice.

Adaptive IGA has to become the baseline for mixed human and machine estates. The same governance model cannot rely on quarterly human review cadences when access moves continuously across users, applications, and service identities. Practitioners should align governance with continuous state change, not with legacy review calendars.

Lifecycle discipline is the control theme that will matter most next. Offboarding, recertification, and entitlement hygiene are no longer separate operational tasks. They are the mechanism that keeps identity sprawl from turning into access debt, especially when business units keep expanding their application footprint.


For practitioners

  • Replace spreadsheet-based governance workflows: Consolidate access reviews, remediation tracking, and evidence capture into one governed workflow so reviewers act on current entitlement data rather than emailed exports.
  • Validate source entitlements before copying access: Block role cloning unless the source identity has already been reviewed for excess privilege and the copied set is approved against the new job function.
  • Tie revocation to lifecycle events: Make access removal automatic when employment, contract, or role status changes, and use stale-account reporting to catch anything the workflow misses.
  • Test whether automation closes the full loop: Check that each automated path covers detection, decision, remediation, and evidence, not just data extraction or alert generation.
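One way to implement the source-entitlement check and lifecycle-driven revocation described above, as an added example and not code from Axiad or NHI Mgmt Group: a small Python policy guard that blocks cloning from an unreviewed identity, strips inherited entitlements outside the target role's baseline, records an evidence entry for each decision, and derives revocations from lifecycle state. The role names, entitlement strings, and 90-day thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample baselines: hypothetical role names and entitlement strings.
ROLE_BASELINES = {
    "finance-analyst": {"erp:read", "reports:read"},
    "finance-manager": {"erp:read", "erp:approve", "reports:read"},
}

@dataclass
class Identity:
    user_id: str
    role: str
    entitlements: set
    status: str          # "active", "role-changed" or "leaver"
    last_reviewed: date  # None when the identity has never been certified
    last_login: date

def clone_access(source: Identity, target_role: str, today: date, review_max_age: int = 90) -> dict:
    """Role-copy guard: block unreviewed sources, filter to the target baseline, record evidence."""
    if source.last_reviewed is None or (today - source.last_reviewed).days > review_max_age:
        return {"decision": "blocked", "granted": set(), "dropped": set(),
                "reason": f"source {source.user_id} not reviewed within {review_max_age} days"}
    baseline = ROLE_BASELINES[target_role]
    return {"decision": "approved",
            "granted": source.entitlements & baseline,
            "dropped": source.entitlements - baseline,   # inherited excess that would have been cloned
            "reason": f"copied from {source.user_id}, filtered against {target_role} baseline"}

def lifecycle_actions(identities: list, today: date, stale_days: int = 90) -> list:
    """Derive revocations from lifecycle state, not manual follow-up; flag stale active accounts."""
    actions = []
    for ident in identities:
        if ident.status == "leaver":
            actions.append((ident.user_id, "revoke-all", sorted(ident.entitlements)))
        elif ident.status == "role-changed":
            excess = ident.entitlements - ROLE_BASELINES[ident.role]
            if excess:
                actions.append((ident.user_id, "revoke-excess", sorted(excess)))
        elif (today - ident.last_login).days > stale_days:
            actions.append((ident.user_id, "flag-stale", sorted(ident.entitlements)))
    return actions

if __name__ == "__main__":
    today = date(2025, 9, 16)
    manager = Identity("u100", "finance-manager", {"erp:read", "erp:approve", "reports:read", "hr:read"},
                       "active", date(2025, 8, 1), date(2025, 9, 15))
    print(clone_access(manager, "finance-analyst", today))  # drops erp:approve and hr:read
    leaver = Identity("u200", "finance-analyst", {"erp:read"}, "leaver", None, date(2025, 9, 1))
    print(lifecycle_actions([manager, leaver], today))
```

The returned records are the evidence trail the article says partial automation usually lacks: each grant or revocation carries the reason it was made.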

Key takeaways

  • Axiad's core argument is that identity governance still fails when access decisions are fragmented across manual workflows and incomplete automation.
  • The practical risk is inherited and stale privilege, which can survive provisioning, approvals, and even offboarding when lifecycle oversight is weak.
  • IAM teams should measure whether governance changes entitlement state, not whether it merely produces evidence for the audit trail.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework / Control reference / Relevance:

  • NIST CSF 2.0, PR.AC-1: Access control depends on knowing and governing who has access.
  • NIST CSF 2.0, PR.AC-4: Least privilege is central to the article's governance failures.
  • NIST CSF 2.0, PR.IP-3: The article focuses on formalised, repeatable governance processes.

Convert manual governance steps into documented, repeatable lifecycle workflows with ownership.


Key terms

  • Identity Governance and Administration: Identity governance and administration is the set of policies, workflows, and controls that determine who has access to what, why they have it, and when it should be removed. It is the operating model that turns identity data into enforced entitlement decisions across the business.
  • Provisioning Oversight: Provisioning oversight is the control function that checks access is granted for the right reason, to the right account, at the right level. It also covers how access is reviewed, inherited, and revoked so that new entitlements do not silently inherit old mistakes.
  • Lifecycle Offboarding: Lifecycle offboarding is the process of removing access when a person, contractor, or workload no longer needs it. In identity governance, it is the point where stale privilege must be closed down cleanly, because leaving accounts active creates avoidable exposure.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Axiad: 5 Current Challenges of Identity Governance and Administration. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org