By NHI Mgmt Group Editorial Team
Published 2026-03-12
Domain: Best Practices
Source: Zluri

TL;DR: IGA tools only improve security when they combine real-time visibility, automated provisioning and deprovisioning, self-service requests, access certification, and audit reporting, according to Zluri. The deeper issue is that access governance fails when entitlements are scattered across SaaS, shadow IT, and service accounts faster than human review can keep up.


At a glance

What this is: This is a practitioner guide to the core features of identity governance and administration tools, with a strong emphasis on visibility, automation, self-service, certification, and reporting.

Why it matters: It matters because IAM programmes need governance controls that work across human accounts, service accounts, and emerging autonomous systems without relying on spreadsheets or manual review.

👉 Read Zluri's article on the key features of identity governance and administration tools


Context

Identity governance and administration only works when teams can see every entitlement, decide who should have it, and remove it on time. In practice, spreadsheets, fragmented SaaS data, and manual approvals create blind spots that undermine both access control and audit readiness across human identities and non-human identities.

That gap is widening as SaaS sprawl, shadow IT, and service-account access outgrow human review cycles. For IAM teams, the question is no longer whether an IGA platform can automate workflow, but whether it can maintain reliable lifecycle governance across multiple identity types and produce defensible evidence for compliance reviews.


Key questions

Q: How should security teams implement IGA for both human and non-human identities?

A: Teams should start with unified discovery, then connect onboarding, move, offboarding, and certification workflows to the same entitlement record. The goal is not just faster approvals. It is consistent lifecycle governance that removes standing access, reduces orphaned accounts, and keeps human and service-account permissions aligned with current business need.

Q: Why do spreadsheets fail as an access governance control?

A: Spreadsheets fail because they are static, manually maintained, and usually incomplete by the time review starts. They cannot reliably reflect real-time SaaS changes, unmanaged apps, or service-account dependencies, so reviewers end up certifying an outdated picture of access rather than the actual entitlement state.

Q: What do organisations get wrong about access certification?

A: They treat certification as a paperwork exercise instead of a control decision. If the underlying data is stale, reviewers can approve the wrong access or miss risky permissions entirely. Effective certification depends on live entitlement records, clear ownership, and a process that removes rejected access promptly.

Q: Who should be accountable for service-account access in IGA programmes?

A: Service-account access should be owned by the business or technical team that depends on the account, with governance enforced by IAM and security teams. That accountability matters because non-human identities often outlive the people who created them, which makes ownership, review, and offboarding essential to limiting lingering risk.


Technical breakdown

Comprehensive access visibility across SaaS and service accounts

Access visibility is the foundation of identity governance because you cannot certify, revoke, or rationalise access you cannot see. Modern IGA tools ingest identity and application data from directories, SSO, HR systems, direct app integrations, and related sources to build a current view of who or what can reach each system. The important mechanism is correlation: the tool has to link an account to an identity, an app, and a permission set, then distinguish managed, unmanaged, and shadow usage. Without that mapping, governance becomes inference instead of control.

Practical implication: centralise discovery so entitlement reviews start from a complete access inventory, not a partial spreadsheet.
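The correlation step described above, as an added example that is not code from Zluri or NHI Mgmt Group. It joins four constructed feeds (HR, SSO/directory, a service-account register and direct app connectors) into one entitlement record per account and assigns each record a governance state: managed, shadow (app outside the catalogue), orphaned (person terminated), unlinked (the app knows the account, nothing else does) or unowned NHI. All names, apps and permissions are invented for illustration.

```python
"""Correlating identity feeds into a single entitlement inventory.

Added example, not code from Zluri or NHI Mgmt Group. Every feed below is
constructed for illustration; a real deployment would pull these from the
HR system, IdP/SSO, the service-account register and direct app connectors.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed HR feed: the authoritative list of people and their status.
HR_FEED = {
    "alice": {"status": "active", "dept": "finance"},
    "bob": {"status": "terminated", "dept": "engineering"},
}

# Constructed SSO/directory feed: which account belongs to which identity.
SSO_FEED = {
    "alice@corp.example": "alice",
    "bob@corp.example": "bob",
}

# Constructed service-account register: known NHIs and their accountable owner.
SERVICE_ACCOUNTS = {
    "svc-billing": {"owner": None},           # nobody owns it: a governance gap
    "svc-backup": {"owner": "platform-team"},
}

# Constructed direct app integrations: what each application itself reports.
APP_FEED = [
    {"app": "crm", "account": "alice@corp.example", "perms": ["read", "export"]},
    {"app": "crm", "account": "bob@corp.example", "perms": ["read"]},
    {"app": "crm", "account": "svc-billing", "perms": ["admin"]},
    {"app": "storage", "account": "svc-backup", "perms": ["write"]},
    {"app": "ghost-notes", "account": "alice@corp.example", "perms": ["write"]},
    {"app": "crm", "account": "contractor-7", "perms": ["read"]},
]

# Sanctioned application catalogue; anything else is shadow usage.
MANAGED_APPS = {"crm", "storage"}


@dataclass(frozen=True)
class Entitlement:
    account: str
    app: str
    perms: tuple
    identity: Optional[str]   # person or owning team, None if nothing links to it
    kind: str                 # "human" or "service"
    state: str                # managed | shadow | orphaned | unlinked | unowned-nhi


def classify(app_row):
    """Link one app-reported account to an identity and decide its governance state."""
    account, app = app_row["account"], app_row["app"]
    perms = tuple(app_row["perms"])
    if account in SERVICE_ACCOUNTS:
        owner = SERVICE_ACCOUNTS[account]["owner"]
        if app not in MANAGED_APPS:
            state = "shadow"
        else:
            state = "managed" if owner else "unowned-nhi"
        return Entitlement(account, app, perms, owner, "service", state)
    identity = SSO_FEED.get(account)
    if app not in MANAGED_APPS:
        state = "shadow"          # app outside the catalogue: cannot be certified yet
    elif identity is None:
        state = "unlinked"        # app knows the account, directory and HR do not
    elif HR_FEED.get(identity, {}).get("status") != "active":
        state = "orphaned"        # the person is gone, the access is not
    else:
        state = "managed"
    return Entitlement(account, app, perms, identity, "human", state)


def build_inventory(app_feed=APP_FEED):
    """One entitlement record per app-reported account, ready for review."""
    return [classify(row) for row in app_feed]


def summarise(inventory):
    """Counts per state: the starting point for a review, not the review itself."""
    counts = {}
    for ent in inventory:
        counts[ent.state] = counts.get(ent.state, 0) + 1
    return counts


if __name__ == "__main__":
    for ent in build_inventory():
        print(f"{ent.state:12} {ent.kind:8} {ent.account:22} {ent.app:12} {','.join(ent.perms)}")
    print(summarise(build_inventory()))
```

The ordering of the checks is the design decision: an account in an unsanctioned app is flagged as shadow before anything else, because no identity link makes that access certifiable until the app is brought into the catalogue; only then does the code ask whether the account maps to a live person or an owned service account.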

Automated provisioning, deprovisioning, and lifecycle workflows

IGA automation is about consistently translating identity events into access changes. Onboarding, role change, and offboarding workflows reduce the delay between a business event and the corresponding access action, which limits privilege creep and orphaned accounts. In mature setups, the workflow engine applies rules, captures approvals, and records the resulting state change in a usable audit trail. The technical risk is not automation itself but ungoverned exceptions, where manual overrides or inconsistent workflows recreate the very drift the platform is meant to remove.

Practical implication: standardise joiner-mover-leaver workflows and treat every exception as a tracked governance event.

Access certification, reporting, and audit evidence

Access certification turns raw entitlement data into an explicit governance decision. Reviewers approve, reject, or adjust access based on role, sensitivity, and business need, while reporting functions preserve evidence that the decision occurred. The reporting layer matters because it supports both operational oversight and audit defence, especially where multiple systems and reviewers are involved. Certification is strongest when it is tied to real system data rather than a static list, because stale source data produces false confidence and weak recertification outcomes.

Practical implication: build certification around live entitlement data and retain evidence that links each decision to a specific access record.
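The lifecycle and certification mechanics from the two sections above, as one added example that is not code from Zluri or NHI Mgmt Group. A small workflow engine turns joiner, mover and leaver events into grants and revokes, keeps manual exceptions as time-boxed governance events rather than silent overrides, writes every change to an audit trail with both the business-event time and the execution time, and runs a certification pass against the live grant set so that a decision about access that no longer exists is reported as stale instead of being quietly accepted. It also computes the two metrics this post recommends, revoke lag after a leaver event and exceptions still unresolved after a review. The role model, identities, reviewer names and timestamps are all constructed.

```python
"""Joiner-mover-leaver engine with audit trail, time-boxed exceptions and
certification against live entitlement state.

Added example, not code from Zluri or NHI Mgmt Group. The role model,
identities, reviewer names and timestamps are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median

# Constructed role model: role -> set of (app, permission) the role entitles.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {("erp", "read"), ("erp", "export")},
    "finance-admin": {("erp", "read"), ("erp", "export"), ("erp", "admin")},
    "engineer": {("repo", "write")},
}


@dataclass
class AccessState:
    grants: dict = field(default_factory=dict)      # identity -> {(app, perm)}
    audit: list = field(default_factory=list)       # one entry per state change
    exceptions: list = field(default_factory=list)  # manual overrides, each with an expiry


def desired_access(roles):
    """Target entitlement set implied by the identity's current roles."""
    target = set()
    for role in roles:
        target |= ROLE_ENTITLEMENTS[role]
    return target


def active_exceptions(state, ident, now):
    """Exceptions still inside their time box survive a mover, never a leaver."""
    return {(e["app"], e["perm"]) for e in state.exceptions
            if e["identity"] == ident and e["expires_at"] > now}


def record(state, action, ident, app, perm, cause, event_at, executed_at, **extra):
    """Evidence ties each change to the access record, its cause and both timestamps."""
    state.audit.append({"action": action, "identity": ident, "app": app, "perm": perm,
                        "cause": cause, "event_at": event_at, "executed_at": executed_at, **extra})


def apply_event(state, event, executed_at):
    """event = {"type": joiner|mover|leaver, "identity", "roles": [...], "at": datetime}."""
    ident = event["identity"]
    current = state.grants.get(ident, set())
    if event["type"] == "leaver":
        target = set()                      # offboarding removes role access and exceptions
    else:
        target = desired_access(event["roles"]) | active_exceptions(state, ident, executed_at)
    for app, perm in sorted(target - current):
        record(state, "grant", ident, app, perm, event["type"], event["at"], executed_at)
    for app, perm in sorted(current - target):
        record(state, "revoke", ident, app, perm, event["type"], event["at"], executed_at)
    state.grants[ident] = target
    return {"granted": sorted(target - current), "revoked": sorted(current - target)}


def grant_exception(state, ident, app, perm, approver, granted_at, ttl_days=30):
    """Out-of-role access is allowed only as a tracked, expiring governance event."""
    state.grants.setdefault(ident, set()).add((app, perm))
    state.exceptions.append({"identity": ident, "app": app, "perm": perm, "approver": approver,
                             "expires_at": granted_at + timedelta(days=ttl_days)})
    record(state, "grant", ident, app, perm, "exception", granted_at, granted_at, approver=approver)


def unresolved_exceptions(state, now):
    """Exceptions past expiry whose access is still in place."""
    return [e for e in state.exceptions if e["expires_at"] <= now
            and (e["app"], e["perm"]) in state.grants.get(e["identity"], set())]


def certify(state, reviewer, decisions, now):
    """decisions = {(identity, app, perm): "approve"|"reject"}, judged against live grants.
    A decision about access that no longer exists is counted as stale: the signature
    of reviewing an export instead of the live entitlement record."""
    outcome = {"approved": 0, "revoked": 0, "stale": 0}
    for (ident, app, perm), decision in decisions.items():
        if (app, perm) not in state.grants.get(ident, set()):
            outcome["stale"] += 1
            continue
        if decision == "reject":
            state.grants[ident].discard((app, perm))   # rejected access leaves immediately
            record(state, "revoke", ident, app, perm, "certification", now, now, reviewer=reviewer)
            outcome["revoked"] += 1
        else:
            record(state, "approve", ident, app, perm, "certification", now, now, reviewer=reviewer)
            outcome["approved"] += 1
    return outcome


def median_revoke_lag_hours(state, cause):
    """Remediation speed: hours between the business event and the actual revoke."""
    lags = [(a["executed_at"] - a["event_at"]).total_seconds() / 3600
            for a in state.audit if a["action"] == "revoke" and a["cause"] == cause]
    return median(lags) if lags else None


def demo_time(days, hours=0):
    """Constructed clock: day 0 is 2026-03-01 09:00."""
    return datetime(2026, 3, 1, 9) + timedelta(days=days, hours=hours)


def run_demo():
    """Constructed lifecycle: two people, one exception, one promotion, one late leaver, one review."""
    st = AccessState()
    apply_event(st, {"type": "joiner", "identity": "alice", "roles": ["finance-analyst"], "at": demo_time(0)}, demo_time(0))
    apply_event(st, {"type": "joiner", "identity": "bob", "roles": ["engineer"], "at": demo_time(0)}, demo_time(0))
    grant_exception(st, "alice", "repo", "write", "eng-lead", demo_time(5))             # expires day 35
    apply_event(st, {"type": "mover", "identity": "alice", "roles": ["finance-admin"], "at": demo_time(10)}, demo_time(10, 2))
    apply_event(st, {"type": "leaver", "identity": "bob", "roles": [], "at": demo_time(20)}, demo_time(23))  # 72 h late
    decisions = {("alice", "erp", "admin"): "reject",
                 ("alice", "erp", "read"): "approve",
                 ("bob", "repo", "write"): "reject"}   # bob already offboarded: stale decision
    return st, certify(st, "finance-lead", decisions, demo_time(40))


if __name__ == "__main__":
    state, outcome = run_demo()
    print("certification:", outcome)
    print("median leaver revoke lag (h):", median_revoke_lag_hours(state, "leaver"))
    print("unresolved exceptions at day 40:", unresolved_exceptions(state, demo_time(40)))
```

Two design choices carry the governance point. The mover path recomputes access from roles plus still-valid exceptions, so a promotion neither silently drops an approved exception nor lets it outlive its expiry, while the leaver path clears everything. And the reporting functions never count completed reviews: they report revokes, their lag, and expired exceptions still in place, which is the "access actually removed" measure rather than workflow volume.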


  • Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity governance fails first at visibility, not at approval. The core problem in many IGA deployments is that teams cannot govern what they cannot map across SaaS, directories, and service accounts. Spreadsheets and fragmented discovery create a false sense of control because the review process starts after the inventory is already incomplete. The practitioner conclusion is that visibility quality is a governance control, not a reporting feature.

Automated lifecycle workflows matter because manual access handling does not scale with identity sprawl. As joiner-mover-leaver events multiply across employees, contractors, and machine identities, the lag between business change and entitlement change becomes the real risk surface. That lag is where privilege creep, orphaned access, and audit exceptions accumulate. The practitioner conclusion is that lifecycle orchestration must be measured by remediation speed, not just workflow volume.

Access certification only works when the underlying identity record is trustworthy. Review campaigns built on stale application data can certify the wrong access state and leave residual permissions untouched. This is especially visible when service accounts are included in broad governance programmes that were designed around human review patterns. The practitioner conclusion is that review quality depends on entitlement accuracy before reviewer engagement.

NHI blast radius is the named concept that matters here. Once service accounts, API keys, and other non-human identities are managed alongside human accounts, the issue becomes how far a single entitlement can move laterally if it is never revoked or is over-scoped. IGA tools that stop at user lifecycle miss the larger governance problem. The practitioner conclusion is to evaluate whether the programme reduces entitlement blast radius across all identity types.

Human IAM and NHI governance are converging around the same control failure. Whether the subject is an employee, contractor, or service account, the recurring problem is standing access that persists beyond its intended purpose. The difference is that non-human identities often escape recertification discipline because they are embedded in workflows and integrations rather than visible to users. The practitioner conclusion is to govern access by function and lifecycle state, not by identity label.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% reporting only partial visibility, according to The State of Non-Human Identity Security.
  • A separate finding from the same research shows that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for human identities.
  • For broader lifecycle context, the NHI Lifecycle Management Guide shows how provisioning, rotation, and offboarding shape the risk surface this post is addressing.

What this signals

NHI blast radius: When service accounts and OAuth-connected identities sit outside the same governance loop as employees, the issue is not just visibility. It is how far stale access can propagate before anyone notices, especially when review cycles were designed for human pacing rather than machine-scale change.

The practical signal for programme owners is to stop measuring governance by the number of completed reviews and start measuring how much access was actually removed. That aligns IGA with operational risk reduction and gives security teams a more defensible way to prioritise service accounts, unmanaged SaaS, and shadow IT exposure.

For teams building out lifecycle controls, the relevant benchmark is whether entitlement data is rich enough to support trustworthy review. The Ultimate Guide to NHIs is useful for aligning discovery, Zero Trust thinking, and lifecycle governance across identity types.


For practitioners

  • Build a complete entitlement inventory first: Correlate directory, SSO, HR, direct app, and service-account data before you start certifying access. If your catalogue cannot identify unmanaged and shadow applications, the rest of the programme will certify incomplete reality.
  • Standardise joiner-mover-leaver workflows: Map onboarding, role changes, and offboarding to explicit access actions for employees, contractors, and service accounts. Use the same workflow discipline to remove lingering permissions as you use to grant initial access.
  • Make certification evidence-driven: Require reviewers to approve or reject access against live entitlement records, not exported spreadsheets. Preserve each decision with the relevant application, role, and reviewer context so audits can trace the rationale.
  • Treat service accounts as governed identities: Include service accounts in review, ownership, and deprovisioning processes instead of leaving them outside user-centric IGA workflows. That reduces orphaned access and narrows the potential blast radius of stale credentials.
  • Measure remediation speed, not workflow volume: Track how quickly access is removed after a mover or leaver event and how many exceptions remain unresolved after each review cycle. Those metrics show whether governance is changing actual risk.

Key takeaways

  • IGA tools reduce risk only when they can see the full identity surface, including unmanaged SaaS and service accounts.
  • Automation matters because lifecycle delays create privilege creep, orphaned access, and weak audit evidence.
  • The strongest governance programmes treat certification as a live entitlement decision, not a spreadsheet exercise.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Discovery and inventory are central to this article's access visibility theme.
NIST CSF 2.0 | PR.AC-4 | Access permissions governance maps directly to least-privilege and entitlement review.
NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero Trust requires continuous verification of access across human and machine identities.

Inventory all NHIs and entitlements before certification, then keep the inventory continuously updated.


Key terms

  • Identity Governance and Administration: Identity Governance and Administration is the control layer that defines who or what should have access, who approves it, and how that access is reviewed over time. In practice, it combines lifecycle workflows, certification, and audit evidence so access decisions are repeatable and defensible.
  • Access Certification: Access certification is the process of reviewing existing permissions and confirming whether they still match business need. The value is not the review itself but the resulting decision record, especially when it removes stale access and proves governance for auditors and security teams.
  • Shadow IT: Shadow IT is software or cloud usage that operates outside formal governance and often escapes identity and access oversight. For identity teams, it creates a blind spot because entitlements can exist without being inventoried, reviewed, or tied to an accountable owner.
  • Service Account: A service account is a non-human identity used by systems, applications, or automated workflows to authenticate and act. Because it is not tied to a person, ownership and lifecycle control must be explicit or the account can persist long after the original use case has changed.

Deepen your knowledge

Identity governance, lifecycle automation, and certification discipline are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building control coverage across human and non-human identities, it is worth exploring.

This post draws on content published by Zluri: 6 Key Features of Identity Governance & Administration Tools. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org