TL;DR: Large enterprises can have strong identity policies on paper yet still leave major systems outside IGA and PAM coverage because legacy platforms, undocumented permissions, and service-account sprawl do not map cleanly to modern connectors, according to Hydden. The practical lesson is that identity governance fails when data extraction and lifecycle visibility stop at the edge of the infrastructure estate.
At a glance
What this is: This is an analysis of why identity hygiene breaks down in large enterprises when legacy systems, service-account sprawl, and fragmented identity data outgrow modern IAM tooling.
Why it matters: It matters because IAM, PAM, and IGA programmes can look compliant while leaving critical access outside governance, especially across NHI estates and inherited infrastructure.
👉 Read Hydden's analysis of why identity basics fail at enterprise scale
Context
Identity hygiene is only as strong as the systems it can actually see and govern. In large enterprises, policy often promises least privilege, access reviews, and complete visibility, but legacy applications, proprietary data stores, and orphaned service accounts sit outside the reach of modern IGA and PAM workflows.
That gap is not theoretical. When identity data lives in mainframes, custom ERP tables, old scripts, and non-standard applications, governance becomes manual, delayed, and error-prone. The result is an identity programme that looks mature in policy language but remains incomplete in operational coverage.
Key questions
Q: What breaks when legacy systems cannot be covered by modern IGA and PAM tools?
A: Access governance becomes partial even when policy is strong. If a critical system cannot be discovered, normalised, and reviewed through the identity stack, the organisation falls back to spreadsheets, manual attestations, and assumed ownership. That creates blind spots in privileged access, especially where local accounts and custom tables sit outside standard connectors.
Q: Why do service accounts create more risk than many teams expect?
A: Service accounts often carry privileged access, are poorly owned, and persist long after the original purpose has ended. In large enterprises they can outnumber human users by a wide margin, which makes them a structural governance issue rather than an edge case. The risk rises when passwords never rotate and the accounts are invisible to PAM.
Q: How can security teams tell whether identity drift is becoming a control failure?
A: Look for a growing delay between unauthorised changes and formal review, especially on systems that still depend on manual extracts. If access changes faster than your certification cycle can observe them, the programme is recording compliance after the fact rather than controlling privilege in real time.
Q: How should IAM leaders respond when a large part of the estate sits outside automated governance?
A: They should prioritise data coverage over tool expansion. The right first move is to identify which systems cannot be ingested, which identities have no owner, and which privileged accounts do not rotate. Once those gaps are visible, governance can be redesigned around actual estate conditions instead of vendor assumptions.
Technical breakdown
Why modern IGA and PAM connectors fail on legacy identity estates
Modern IGA and PAM platforms are usually built around clean integration patterns such as REST, SCIM, LDAP, and SaaS APIs. Legacy estates rarely expose access data that neatly. Mainframes, AS/400 environments, and custom enterprise applications often store entitlement state in local profiles or undocumented tables, which makes discovery and normalisation difficult. That means access governance does not fail because the policy is absent. It fails because the system of record cannot be reliably ingested into the governance layer.
Practical implication: inventory which critical systems cannot be normalised into your identity stack before you treat access review results as complete.
How service-account sprawl creates invisible privileged access
Service accounts are non-human identities, but they are frequently treated as implementation detail rather than governed identities. In mature enterprises they can outnumber human users by an order of magnitude, and many are embedded in scripts, retired projects, and admin workflows no one owns. If those accounts never rotate and are not onboarded into PAM, they become invisible privileged paths. The technical problem is not just excess count. It is unmanaged persistence across applications, scripts, and infrastructure layers.
Practical implication: build a discovery process that maps service accounts to business ownership, privilege level, and rotation state across every environment.
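The discovery step above, and the normalisation problem from the connector paragraph before it, as an added example (this is illustrative code written for this page, not Hydden's or NHIMG's tooling). It takes constructed extracts from three sources that no standard connector covers end to end: an AD export, local accounts enumerated on a non-domain host, and hits from a secrets scan over job scripts. It merges them into one record per credential and flags the four kinds of governance debt the text describes: no owner, privileged but not in PAM, credential never or long since rotated, and secret hard-coded in a script. The field names, the 90-day rotation threshold, the fixed clock, and the convention of recording an owner as "owner: team" in the AD description attribute are all assumptions for the example.

```python
"""Service-account discovery and classification (added example; all data constructed)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2026, 2, 18, tzinfo=timezone.utc)   # fixed clock so the run is reproducible
MAX_ROTATION_AGE = timedelta(days=90)               # assumed rotation policy

# Constructed extracts. In practice these come from an LDAP/AD export, host
# enumeration (e.g. /etc/passwd and /etc/shadow ages) and a secrets scanner.
AD_EXTRACT = [
    {"sAMAccountName": "svc-backup", "pwdLastSet": "2024-05-02", "adminCount": 1,
     "description": "owner: dba-team"},
    {"sAMAccountName": "svc-legacy-erp", "pwdLastSet": "2019-11-30", "adminCount": 1,
     "description": ""},
]
LOCAL_ACCOUNTS = [
    {"host": "mainframe-gw", "user": "batchops", "uid": 0, "last_pw_change": None},
]
SCRIPT_SECRETS = [
    {"path": "/opt/jobs/nightly.sh", "account": "svc-legacy-erp"},
]
PAM_VAULT = {"svc-backup"}                                # accounts actually onboarded into PAM
CMDB_OWNERS = {"batchops@mainframe-gw": "ops-platform"}   # ownership recorded outside the directory


@dataclass
class NHIRecord:
    name: str
    source: str
    owner: Optional[str]
    privileged: bool
    last_rotated: Optional[datetime]   # None means never rotated or unknown; treated as overdue
    pam_enrolled: bool
    hardcoded_in: list = field(default_factory=list)
    flags: list = field(default_factory=list)


def _date(value):
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def _owner_from_description(desc):
    # AD has no owner attribute; the example assumes the convention "owner: <team>" in description.
    desc = (desc or "").strip()
    if desc.lower().startswith("owner:"):
        return desc[len("owner:"):].strip() or None
    return None


def normalise(ad_extract, local_accounts, script_secrets, pam_vault, cmdb_owners):
    """Merge heterogeneous extracts into one NHIRecord per credential."""
    records = {}
    for row in ad_extract:
        name = row["sAMAccountName"]
        records[name] = NHIRecord(
            name=name, source="ad",
            owner=_owner_from_description(row.get("description")) or cmdb_owners.get(name),
            privileged=bool(row.get("adminCount")),   # adminCount=1: member of a protected admin group
            last_rotated=_date(row.get("pwdLastSet")),
            pam_enrolled=name in pam_vault)
    for row in local_accounts:
        name = f"{row['user']}@{row['host']}"         # a local credential is a distinct identity per host
        records[name] = NHIRecord(
            name=name, source="local",
            owner=cmdb_owners.get(name),
            privileged=row.get("uid") == 0,
            last_rotated=_date(row.get("last_pw_change")),
            pam_enrolled=name in pam_vault)
    for hit in script_secrets:
        rec = records.get(hit["account"])
        if rec is None:   # a secret for an account no directory knows about is still an NHI
            rec = records[hit["account"]] = NHIRecord(hit["account"], "script-only", None, False, None, False)
        rec.hardcoded_in.append(hit["path"])
    return records


def classify(records):
    """Attach the governance-debt flags described in the text."""
    for rec in records.values():
        flags = []
        if rec.owner is None:
            flags.append("unowned")
        if rec.privileged and not rec.pam_enrolled:
            flags.append("privileged_outside_pam")
        if rec.last_rotated is None or NOW - rec.last_rotated > MAX_ROTATION_AGE:
            flags.append("rotation_overdue")
        if rec.hardcoded_in:
            flags.append("hardcoded_secret")
        rec.flags = flags
    return records


def governance_debt(records):
    """Flagged accounts, worst first: most gaps, then privileged before unprivileged."""
    flagged = [r for r in records.values() if r.flags]
    flagged.sort(key=lambda r: (-len(r.flags), not r.privileged, r.name))
    return [(r.name, r.flags) for r in flagged]


if __name__ == "__main__":
    debt = governance_debt(classify(normalise(AD_EXTRACT, LOCAL_ACCOUNTS, SCRIPT_SECRETS,
                                              PAM_VAULT, CMDB_OWNERS)))
    for name, flags in debt:
        print(f"{name:24} {', '.join(flags)}")
```

The point of keying local accounts as user@host is that "batchops" on one host and "batchops" on another are different credentials with different rotation state; collapsing them by name is exactly how spreadsheet-era inventories lose privileged local accounts. Note also that the account with a password in a script is the same one that is unowned and outside PAM, which is the usual shape of the debt rather than a coincidence.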
Why point-in-time access reviews miss identity drift
Point-in-time reviews assume access state is relatively stable between audit cycles. In practice, enterprise infrastructure changes continuously, especially where legacy systems and manual spreadsheets still sit in the governance loop. Identity drift is the window between an unauthorised change and the next formal review, and that window can be long enough to matter operationally. The failure is architectural: governance is scheduled while infrastructure is continuous. Continuous observation is therefore not a luxury; it is the only way to narrow the gap between policy and reality.
Practical implication: supplement quarterly certification with continuous detection on high-risk systems that remain outside automated connector coverage.
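The continuous detection the paragraph calls for, as an added example written for this page rather than taken from Hydden or NHIMG. It compares the entitlement set attested at the last quarterly review against today's manual export from a legacy system, drops changes that went through the formal approval process, and dates every remaining change from the system's own audit trail. A change with no audit record at all is dated from the last certification, the worst case, because that is the earliest it could have happened; this is the failure mode for systems that only exist as manual extracts. The entitlement names, the audit-line format, the 90-day cycle and the fixed clock are assumptions for the example.

```python
"""Identity-drift detection for a system outside connector coverage (added example; constructed data)."""
import math
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 2, 18, 12, 0, tzinfo=timezone.utc)    # fixed clock so the run is reproducible
LAST_CERTIFIED = datetime(2025, 12, 1, tzinfo=timezone.utc)  # date the last review completed
CERT_CYCLE = timedelta(days=90)                              # assumed quarterly cadence

# Entitlements attested at the last review, as (identity, entitlement). Constructed.
BASELINE = {
    ("svc-legacy-erp", "ERP_ADMIN"),
    ("jsmith", "ERP_READ"),
    ("batchops", "MAINFRAME_OPER"),
}
# Today's manual export of the system's local entitlement table. Constructed.
CURRENT = {
    ("svc-legacy-erp", "ERP_ADMIN"),
    ("svc-legacy-erp", "DB_OWNER"),
    ("jsmith", "ERP_READ"),
    ("jsmith", "ERP_ADMIN"),
    ("tmp-contractor", "MAINFRAME_OPER"),
}
# Changes that went through formal approval since LAST_CERTIFIED, as (identity, entitlement, action).
APPROVED = {("jsmith", "ERP_ADMIN", "grant")}
# The system's own audit trail in an assumed line format. Constructed; note that the
# DB_OWNER grant present in CURRENT never made it into the log at all.
AUDIT_LOG = """\
2025-12-20T03:14:00Z GRANT ERP_ADMIN TO jsmith BY admin01
2026-01-07T11:02:00Z GRANT MAINFRAME_OPER TO tmp-contractor BY batchops
2026-02-01T09:30:00Z REVOKE MAINFRAME_OPER FROM batchops BY admin01
"""
AUDIT_RE = re.compile(r"^(\S+) (GRANT|REVOKE) (\S+) (?:TO|FROM) (\S+) BY (\S+)$")


@dataclass
class Drift:
    identity: str
    entitlement: str
    action: str          # "grant" or "revoke"
    changed_at: datetime
    evidence: str        # "audit_log", or "none" when the change left no trace
    age_days: int        # full days the change has gone unreviewed


def parse_audit_log(text):
    """Map (identity, entitlement, action) to the time the change was logged."""
    events = {}
    for line in text.splitlines():
        m = AUDIT_RE.match(line.strip())
        if not m:
            continue      # tolerate noise lines; real extracts have plenty
        ts, verb, entitlement, identity, _actor = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events[(identity, entitlement, verb.lower())] = when
    return events


def detect_drift(baseline, current, audit_log, approved):
    """Unapproved changes since the baseline, longest-unreviewed first."""
    events = parse_audit_log(audit_log)
    changes = [(i, e, "grant") for (i, e) in current - baseline] \
            + [(i, e, "revoke") for (i, e) in baseline - current]
    findings = []
    for key in changes:
        if key in approved:
            continue      # went through the formal process: a change, but not drift
        when = events.get(key)
        # No audit record: assume it happened right after the last review (the worst case).
        changed_at = when if when is not None else LAST_CERTIFIED
        findings.append(Drift(key[0], key[1], key[2], changed_at,
                              "audit_log" if when is not None else "none",
                              (NOW - changed_at).days))
    findings.sort(key=lambda d: -d.age_days)
    return findings


def days_to_next_certification():
    """Whole days until the next scheduled review, rounded up."""
    return math.ceil((LAST_CERTIFIED + CERT_CYCLE - NOW) / timedelta(days=1))


if __name__ == "__main__":
    for d in detect_drift(BASELINE, CURRENT, AUDIT_LOG, APPROVED):
        print(f"{d.action:6} {d.entitlement:15} {d.identity:16} unreviewed {d.age_days:3}d  evidence={d.evidence}")
    print("next certification in", days_to_next_certification(), "days")
```

Run on the constructed data this reports an unlogged DB_OWNER grant to a service account that has sat unreviewed for 79 days, an unapproved MAINFRAME_OPER grant to a contractor at 42 days, and an unapproved revoke at 17 days, with the next certification still 11 days away. The revoke is listed deliberately: a removal nobody approved is evidence that access is being changed outside the process, even if the immediate effect is less privilege. Running this on every extract, rather than once a quarter, is what turns the certification record into a control.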
NHI Mgmt Group analysis
Legacy identity estates expose a governance gap, not just a tooling gap. The article shows that many programmes are blocked because identity data cannot be extracted cleanly from mainframes, custom SQL stores, and other non-standard systems. That means policy can be correct while enforcement is blind. The implication is that identity maturity is constrained by data accessibility, not by policy maturity alone.
Non-human identity sprawl is the real scale problem hiding inside enterprise basics. Service accounts often outnumber human identities by 10x in large organisations, and many are invisible to the tools meant to govern them. When those accounts are hard-coded or orphaned, PAM coverage becomes partial by design. Practitioners should treat NHI discovery and ownership mapping as a first-order governance problem.
Identity drift is what happens when governance operates slower than infrastructure changes. Quarterly reviews create a false sense of control when the environment changes daily. This is why compliance on paper can coexist with residual privilege in practice. The field needs to stop treating access review frequency as a proxy for control strength.
Identity data is the fuel line for the whole governance engine. IGA and PAM are only as effective as the data they can ingest, clean, and continuously refresh. In environments with legacy systems and hidden entitlements, the data layer becomes the limiting factor. The implication is that identity programmes should measure coverage of identity data pipelines, not just tool deployment.
Continuous observation is now a governance requirement, not an optimisation. A point-in-time model may work for SaaS-first estates, but it does not close the gap in environments that have accumulated fifty years of technology. The more inherited systems an enterprise carries, the more governance depends on persistent discovery rather than periodic certification. Practitioners should reframe identity operations as an always-on control plane.
From our research:
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- For the broader governance pattern, see the Ultimate Guide to NHIs, Key Challenges and Risks.
What this signals
The practical signal for enterprise teams is that identity maturity must be measured by coverage, not intention. When legacy estates, undocumented entitlements, and orphaned service accounts sit outside the data plane, IAM and PAM programmes will overstate control unless they track where governance stops working.
Identity data completeness: enterprises should treat ingestibility, ownership mapping, and refresh cadence as core operational metrics. If those measures are weak, access reviews become a reporting exercise rather than a control.
With 97% of NHIs carrying excessive privileges according to our Ultimate Guide to NHIs, the next maturity step is not more policy language but a cleaner bridge between infrastructure reality and governance tooling.
For practitioners
- Map every critical system that cannot be governed through standard connectors: create a coverage register for mainframes, custom ERP, legacy SQL stores, and any application that cannot be fully normalised into IGA or PAM. Track where access state remains manual so you can separate real governance from assumed coverage.
- Discover and classify service accounts as governed identities: inventory service accounts across scripts, infrastructure, and retired projects, then assign business owners, privilege tiers, and rotation expectations. Treat unowned accounts as outstanding governance debt, not technical noise.
- Replace quarterly-only reviews with continuous monitoring on high-risk estates: keep certification for formal control, but add ongoing detection for systems where access changes outside the review cycle. Focus first on platforms with manual exports, undocumented tables, and privileged local accounts.
- Measure identity data completeness before you measure programme maturity: report on how much of your critical estate is actually ingestible, mapped, and reviewable by the identity stack. Without that baseline, maturity scores can overstate control in the parts of the estate that matter most.
Key takeaways
- Large enterprises often have strong identity policy and weak enforcement because legacy systems cannot be governed cleanly by modern connectors.
- Service-account sprawl turns non-human identity into a scale problem, especially when accounts are unowned, non-rotating, and invisible to PAM.
- The decisive improvement is not more IAM language but better identity data coverage, continuous observation, and ownership mapping across the full estate.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 and the NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 (2025) | NHI1:2025 Improper Offboarding; NHI7:2025 Long-Lived Secrets | Offboarding and rotation gaps are central to the service-account problem described here. |
| NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | Access permissions and authorisations must be managed and reviewed under least privilege; the article shows that governance stays incomplete across legacy systems. |
| NIST SP 800-53 Rev. 5 | AC-6 Least Privilege | Least privilege fails when privileged access sits outside continuous governance. |
| NIST Zero Trust Architecture (SP 800-207) | Section 2.1, Tenets of Zero Trust (monitoring the posture of all assets and collecting current-state information to improve it) | Continuous observation of legacy estates, not periodic certification, is what the tenets require. |
Apply least-privilege review to privileged legacy access and verify it continuously, not quarterly.
Key terms
- Identity Drift: The period between an unauthorised access change and the point when governance processes detect it. In practice, drift is what happens when infrastructure changes faster than certification, logging, or review cycles can keep up, leaving a programme compliant on paper but stale operationally.
- Service Account: A non-human identity used by applications, scripts, systems, or infrastructure to perform automated work. Service accounts often carry privileged access and outlive the business purpose that created them, which makes ownership, rotation, and offboarding essential rather than optional.
- Identity Data Coverage: The share of an organisation’s systems, entitlements, and identities that can be discovered, normalised, and governed by the identity stack. Coverage is a practical measure of whether IAM and PAM tools can see the estate well enough to enforce policy, not just report it.
- Legacy Identity Estate: The collection of older systems, platforms, and access stores that predate modern identity standards and clean connector patterns. These environments often hold critical entitlements in local accounts or proprietary structures, making them hard to govern with off-the-shelf IAM and PAM tooling.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Hydden: Identity hygiene at scale breaks where legacy infrastructure outlives policy. Read the original.
Published by the NHIMG editorial team on 2026-02-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org