By NHI Mgmt Group Editorial Team
Published 2025-12-23
Domain: Governance & Risk
Source: Veza

TL;DR: Identity risk has shifted from a control problem to an enterprise exposure problem. Veza's 2026 State of Identity & Access report says dormant accounts, orphaned logins, machine identities, and entitlement sprawl are driving modern breaches across industries. That makes continuous effective-permission visibility the real governance requirement, not periodic access reviews.


At a glance

What this is: Veza's 2026 State of Identity & Access report argues that identity now functions as the enterprise control plane, with machine identities, entitlement sprawl, and stale access creating systemic risk.

Why it matters: For IAM and NHI practitioners, the report reinforces that governance must move from periodic review to continuous visibility over effective permissions across human and non-human identities.

By the numbers:

👉 Read Veza's 2026 State of Identity & Access report on identity risk and control gaps


Context

Identity is the control plane when access decisions, entitlement sprawl, and machine identities determine what can be reached, altered, or exfiltrated across the environment. In this report's framing, the NHI governance problem is not simply too many accounts. It is that identity creation now outpaces governance, leaving security teams to manage permissions that are persistent, distributed, and often disconnected from ownership.

That matters because NHIs do not follow human lifecycle assumptions. They are not reliably offboarded, they often sit outside HR-driven workflows, and they can hold high-value access with little day-to-day visibility. The article's starting point is typical of mature enterprise environments, where existing IAM controls remain in place even after the identity population has changed materially.



Key questions

Q: How should security teams govern machine identities that do not follow human lifecycle processes?

A: Treat machine identities as production assets with owners, expiry, and revocation requirements. Service accounts, API keys, tokens, and certificates need the same lifecycle discipline as human accounts, but the controls must be automated because manual offboarding does not scale. The goal is to remove unused access quickly and prove who is responsible for each credential.

Q: What is the difference between assigned roles and effective permissions?

A: Assigned roles describe what access should exist on paper. Effective permissions describe what an identity can actually do after inheritance, exceptions, nested groups, and resource-level policies are applied. For governance, effective permissions matter more because they reveal the real attack surface and the paths an attacker could use to move from low-value access to sensitive systems.

Q: When does entitlement sprawl become a security problem?

A: Entitlement sprawl becomes a security problem when permissions grow faster than the organisation can review, understand, and remove them. At that point, small access grants combine into hidden escalation paths, and the business loses confidence in who can reach critical data or infrastructure. The risk is operational as much as technical.

Q: Why do NHIs complicate zero trust architecture?

A: NHIs complicate zero trust because they often use long-lived credentials, lack strong ownership, and operate outside human offboarding workflows. Zero trust requires continuous verification, but machine identities can keep authenticating after their business purpose changes. That creates a gap between policy intent and runtime access unless lifecycle controls are enforced.


Technical breakdown

Why effective permissions matter more than assigned roles

The report's core technical point is that assigned roles are a poor proxy for actual risk. Effective permissions are the privileges an identity can truly exercise after policy inheritance, group nesting, and resource-level exceptions are applied. In large environments, this is where legacy IAM programs lose fidelity, because the answer to who can do what changes faster than review cycles can capture. For NHIs, the gap is sharper because service accounts, API keys, and AI agents can accumulate broad access without the same social controls that constrain humans.

Practical implication: inventory effective permissions, not just role assignments, before you decide where access remediation starts.
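The following is an added illustration of the inventory the paragraph describes; it is not code from the Veza report or from NHIMG. It models a small environment in which identities belong to groups, groups nest, roles are assigned to identities or to groups, and resource-level policies add exception grants or explicit denies. Every identity, group, role and resource name (svc-report, finance-admins, ledger-db and so on) is constructed sample data, and the "deny wins" rule is an assumption of the model rather than a property of any particular platform.

```python
"""Resolve effective permissions from role assignments.

Added illustration; this is not code from the Veza report or from NHIMG.
The model is deliberately small: identities belong to groups, groups can nest,
roles are assigned to identities or groups, and resource-level policies add
exception grants or explicit denies. All identity, group, role and resource
names are constructed sample data.
"""
from collections import deque

# group -> direct members (users, service accounts or other groups)
GROUP_MEMBERS = {
    "finance-all": ["finance-admins", "alice"],
    "finance-admins": ["bob", "svc-report"],   # svc-report is a service account
    "platform": ["svc-deploy"],
}

# principal (user, service account or group) -> assigned roles
ROLE_ASSIGNMENTS = {
    "finance-all": ["ledger-reader"],
    "finance-admins": ["ledger-writer"],
    "svc-deploy": ["cluster-admin"],
}

# role -> set of (resource, action)
ROLE_PERMISSIONS = {
    "ledger-reader": {("ledger-db", "read")},
    "ledger-writer": {("ledger-db", "read"), ("ledger-db", "write")},
    "cluster-admin": {("k8s-prod", "admin"), ("secrets-vault", "read")},
}

# resource -> policy layer applied after roles: exception grants and denies,
# each as (principal, action). An explicit deny wins over any grant (assumed rule).
RESOURCE_POLICIES = {
    "ledger-db": {"allow": set(), "deny": {("svc-report", "write")}},
    "secrets-vault": {"allow": {("svc-report", "read")}, "deny": set()},
}


def groups_of(principal):
    """Every group the principal belongs to, directly or through nesting."""
    parents = {}
    for group, members in GROUP_MEMBERS.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    seen, queue = set(), deque([principal])
    while queue:
        current = queue.popleft()
        for group in parents.get(current, ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def assigned_permissions(principal):
    """What the catalog says: permissions from roles assigned directly to the principal."""
    perms = set()
    for role in ROLE_ASSIGNMENTS.get(principal, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def effective_permissions(principal):
    """What the principal can actually do after group inheritance and resource policies."""
    perms = set()
    for holder in {principal} | groups_of(principal):
        perms |= assigned_permissions(holder)
    for resource, policy in RESOURCE_POLICIES.items():
        for who, action in policy["allow"]:
            if who == principal:
                perms.add((resource, action))
        for who, action in policy["deny"]:
            if who == principal:
                perms.discard((resource, action))
    return perms


def inventory():
    """Per-identity view of access that exists only through inheritance or exceptions."""
    principals = set()
    for members in GROUP_MEMBERS.values():
        principals.update(m for m in members if m not in GROUP_MEMBERS)
    principals.update(p for p in ROLE_ASSIGNMENTS if p not in GROUP_MEMBERS)
    return {
        p: sorted(effective_permissions(p) - assigned_permissions(p))
        for p in sorted(principals)
    }


if __name__ == "__main__":
    for identity, hidden in inventory().items():
        print(identity, "->", hidden)
```

In this sample, svc-report has no role assigned to it directly, so a catalog review shows nothing, yet it can read the ledger through a nested group and read the secrets vault through a resource-level exception. That difference between `assigned_permissions` and `effective_permissions` is the inventory the text says remediation should start from.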

How entitlement sprawl creates hidden escalation paths

Entitlement sprawl appears when permissions become too granular, too numerous, and too persistent for governance processes to manage as a coherent system. The risk is not only over-privilege. It is that small, forgotten entitlements combine into escalation paths that an attacker can chain. In practice, this means a dormant account, a stale token, and an overbroad resource policy can become a single path to sensitive systems. That is why entitlement analysis has to include relationship context, not just entitlement counts.

Practical implication: map transitive access paths across identities so you can remove escalation chains, not just individual permissions.
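An added example of the transitive mapping the paragraph calls for; it is not code from the Veza report or from NHIMG. It starts from an already-resolved table of effective permissions and a record of where each identity's long-lived credential is readable (a token in CI configuration, a key in a vault). The chaining rule it models is an assumption: if identity A can read a resource that stores identity B's credential, A can act as B. The identities, resources and credential locations (old-contractor, svc-ci, ci-runner and so on) are constructed sample data.

```python
"""Map transitive access paths to find escalation chains.

Added illustration; not code from the Veza report or from NHIMG. It takes an
already-resolved table of effective permissions plus a record of where each
identity's long-lived credential is readable. The rule modelled is simple and
assumed: if identity A can read a resource that stores identity B's credential,
A can act as B. All identities, resources and credential locations are
constructed sample data.
"""
from collections import Counter

# identity -> set of (resource, action) it can actually exercise
EFFECTIVE = {
    "old-contractor": {("wiki", "read"), ("ci-runner", "read")},  # dormant account
    "svc-ci": {("secrets-vault", "read"), ("build-artifacts", "write")},
    "svc-deploy": {("k8s-prod", "admin")},
    "alice": {("wiki", "read")},
}

# resource -> identities whose credential is stored (readably) on that resource
CREDENTIALS_STORED_ON = {
    "ci-runner": ["svc-ci"],
    "secrets-vault": ["svc-deploy"],
}

SENSITIVE_RESOURCES = {"k8s-prod", "secrets-vault"}
# actions that expose a resource's contents, and therefore any credential kept there
CONTENT_ACCESS = {"read", "write", "admin"}


def assumable_identities(identity):
    """Identities whose stored credentials `identity` can read with its effective access."""
    found = []
    for resource, action in sorted(EFFECTIVE.get(identity, ())):
        if action in CONTENT_ACCESS:
            found.extend(CREDENTIALS_STORED_ON.get(resource, []))
    return found


def escalation_paths(start, max_hops=6):
    """Every chain of identity hops from `start` that ends at a sensitive resource.

    Each path lists the identities traversed, then the final 'resource:action'.
    """
    paths = []

    def walk(identity, chain, visited):
        for resource, action in sorted(EFFECTIVE.get(identity, ())):
            if resource in SENSITIVE_RESOURCES:
                paths.append(chain + [f"{resource}:{action}"])
        if len(chain) > max_hops:
            return
        for nxt in assumable_identities(identity):
            if nxt not in visited:   # never revisit an identity on the same chain
                walk(nxt, chain + [nxt], visited | {nxt})

    walk(start, [start], {start})
    return paths


def choke_points(start):
    """How many chains from `start` pass through each intermediate identity.

    Rotating or scoping down the top entry breaks the most chains at once,
    which is the relationship view the text asks for rather than a raw count.
    """
    counts = Counter()
    for path in escalation_paths(start):
        counts.update(path[1:-1])   # drop the start identity and the final resource
    return counts


if __name__ == "__main__":
    for path in escalation_paths("old-contractor"):
        print(" -> ".join(path))
    print("choke points:", choke_points("old-contractor").most_common())
```

Here the dormant contractor account only has read access to a CI runner, which on its own looks harmless. Following the stored credentials, it reaches the secrets vault and then production cluster admin. Both chains pass through svc-ci, so moving that token out of the runner (or revoking the dormant account's read) removes the whole path rather than one entitlement.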

Machine identity governance in zero trust environments

Zero trust assumes continuous verification, but machine identities often operate with long-lived credentials and weak ownership metadata. That creates a mismatch between policy intent and runtime reality. A workload, bot, or AI agent may authenticate successfully even when the underlying credential is stale, over-scoped, or no longer tied to a current business purpose. The governance problem is therefore not authentication alone. It is proving that the credential, the workload, and the business use case still match at the moment access is exercised.

Practical implication: tie machine identities to explicit ownership, business purpose, and expiry so zero trust controls can actually enforce current context.
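The following added example shows what a runtime check of credential, workload and business purpose can look like; it is not code from the Veza report or from NHIMG, and it also illustrates the per-request revalidation mentioned later in the Standards & Framework Alignment section. It assumes a registry that records, for each machine identity, a named owner, the purpose the credential was issued for, the resources that purpose justifies, issue and expiry dates, and last use. The rotation and dormancy thresholds, and every identity, owner, resource and date, are constructed assumptions.

```python
"""Revalidate machine identity context at the moment access is exercised.

Added example; not code from the Veza report or from NHIMG. It assumes a
registry that records, per machine identity, a named owner, the business
purpose the credential was issued for, the resources that purpose justifies,
issue and expiry dates, and last use. Authentication is assumed to have
already succeeded; the check below is the separate question of whether the
credential, the workload and the business use case still match. Every
identity, owner, resource, threshold and date here is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_CREDENTIAL_AGE = timedelta(days=90)   # assumed rotation policy
DORMANCY_LIMIT = timedelta(days=30)       # assumed: unused longer than this needs re-approval


@dataclass
class MachineIdentity:
    name: str
    owner: Optional[str]          # named person or team; None means orphaned
    owner_active: bool            # False once the owner has left or the team is disbanded
    purpose: str
    allowed_resources: frozenset  # resources the stated purpose justifies
    issued: datetime
    expires: datetime
    last_used: Optional[datetime]


def evaluate(identity, resource, now):
    """Return (allowed, reasons) for `identity` touching `resource` at time `now`."""
    reasons = []
    if identity.owner is None or not identity.owner_active:
        reasons.append("no active owner")
    if now >= identity.expires:
        reasons.append("credential expired")
    if now - identity.issued > MAX_CREDENTIAL_AGE:
        reasons.append("credential overdue for rotation")
    last_seen = identity.last_used or identity.issued   # never-used counts from issue date
    if now - last_seen > DORMANCY_LIMIT:
        reasons.append("identity dormant; re-approval required")
    if resource not in identity.allowed_resources:
        reasons.append(f"resource {resource} outside stated purpose: {identity.purpose}")
    return (not reasons, reasons)


def standing_findings(registry, now):
    """Lifecycle findings for every identity, independent of any single request."""
    findings = {}
    for identity in registry.values():
        # probe a resource inside the stated purpose so only lifecycle issues surface
        probe = next(iter(identity.allowed_resources))
        _, reasons = evaluate(identity, probe, now)
        if reasons:
            findings[identity.name] = reasons
    return findings


# Constructed registry, evaluated against a fixed clock so results are stable.
NOW = datetime(2025, 12, 23, tzinfo=timezone.utc)
REGISTRY = {
    "svc-billing-export": MachineIdentity(
        name="svc-billing-export", owner="finance-platform", owner_active=True,
        purpose="nightly billing export", allowed_resources=frozenset({"billing-db"}),
        issued=NOW - timedelta(days=40), expires=NOW + timedelta(days=50),
        last_used=NOW - timedelta(days=1),
    ),
    "svc-legacy-sync": MachineIdentity(
        name="svc-legacy-sync", owner=None, owner_active=False,
        purpose="sync to retired CRM", allowed_resources=frozenset({"crm-api"}),
        issued=NOW - timedelta(days=400), expires=NOW + timedelta(days=200),
        last_used=NOW - timedelta(days=120),
    ),
}


if __name__ == "__main__":
    print(evaluate(REGISTRY["svc-billing-export"], "hr-db", NOW))
    print(standing_findings(REGISTRY, NOW))
```

The point of the second identity is that its credential is still valid and would authenticate for another 200 days, yet it fails on ownership, rotation age and dormancy at once. That is the gap the text describes between authentication success and a credential that still matches a current business purpose.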


Threat narrative

Attacker objective: convert unnoticed identity weakness into reliable access to high-value systems with minimal detection.

  1. Entry occurs through dormant accounts, orphaned logins, or machine identities with access that no one actively monitors.
  2. Escalation follows when entitlement sprawl exposes unexpected permissions that allow privilege chaining or lateral movement.
  3. Impact is achieved when attackers reach sensitive data, critical infrastructure, or business systems through effective permissions rather than obvious malware.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity has become the enterprise control plane, and that changes the governance model. The old assumption was that IAM supports the business after systems are built. The report shows the reverse is now true, because identity determines how infrastructure, applications, and automation are actually used. Practitioners should treat identity control as a live operational dependency, not a periodic compliance exercise.

Machine identities are now a first-class governance problem, not a niche infrastructure issue. Service accounts, API keys, and AI agents can hold concentrated access without human-style lifecycle checkpoints. That means discovery, ownership, and expiry need to be enforced as baseline controls. The field needs to stop treating NHI inventory as optional hygiene and start treating it as core attack-surface management.

Effective permission visibility is the real unit of control. Role catalogs and joiner-mover-leaver processes are necessary but insufficient when inheritance, exceptions, and cross-system entitlements define actual access. The governance gap is not a lack of policy language. It is the inability to see what permissions are operational right now. Practitioners should re-baseline on effective access before any audit or remediation programme.

Identity debt is becoming a measurable form of operational risk. Dormant accounts, orphaned logins, and stale credentials accumulate like technical debt, but they compound faster because they can be exploited immediately. The market is moving toward continuous authorization because enterprises can no longer afford point-in-time trust decisions. Teams that do not reduce identity debt will keep paying for it in incident response and audit friction.

Zero trust will remain incomplete until machine identity lifecycle is brought into scope. The report underscores a common failure mode: policies focus on users while automation runs on credentials that outlive the job they were created for. That creates trust gaps at runtime. The practical conclusion is straightforward. Zero trust programs need ownership, rotation, and offboarding discipline for every NHI, not just human identities.

From our research:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • For teams building a control baseline, the next step is to compare identity lifecycle maturity against Top 10 NHI Issues and close the gaps that create persistent access.

What this signals

Identity governance is moving from periodic review to continuous authorization. The practical shift for programmes is that access decisions must be validated against current context, not historical entitlement records. Teams that continue to rely on quarterly certification will miss the fastest-growing part of the attack surface, especially where machine identities and automation are involved.

With 97% of NHIs carrying excessive privileges, the governance problem is structural rather than accidental. That statistic from the Ultimate Guide to NHIs makes a clear point: privilege reduction cannot be a side project. Security programmes need ownership, expiry, and runtime enforcement baked into identity lifecycle operations.

Identity debt is now a board-level signal because it affects resilience, compliance, and incident cost at the same time. In practice, that means security leaders should align their NHI programme with NIST Cybersecurity Framework 2.0 and use continuous visibility to show whether access is shrinking or compounding.


For practitioners

  • Build an effective-permission inventory: Track the permissions identities can actually exercise after inheritance and policy layering. Use that view to identify high-risk paths, not just to count roles or accounts.
  • Assign ownership to every machine identity: Require a named owner, business purpose, and expiry for service accounts, API keys, tokens, and AI agents so unmanaged identities do not persist beyond their use case.
  • Shorten review cycles for privileged access: Move from annual or quarterly reviews to continuous or event-driven review for identities that can reach sensitive systems or automation pipelines.
  • Tie offboarding to identity lifecycle events: Make de-provisioning, rotation, and revocation part of workflow closure so dormant access does not survive staff changes, vendor exits, or application retirement.

Key takeaways

  • Identity risk is no longer a perimeter issue. It is the operating condition of the enterprise control plane.
  • Machine identities and entitlement sprawl create the kind of persistent exposure that legacy IAM processes were never designed to absorb.
  • The next governance step is continuous visibility into effective permissions, ownership, and lifecycle state across every identity type.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Rotation and lifecycle gaps are central to the report's NHI risk pattern.
NIST CSF 2.0 | PR.AC-4 | The report focuses on access permissions and effective control of who can do what.
NIST Zero Trust (SP 800-207) | | Continuous verification is required when machine identities retain long-lived access.

Apply zero trust checks to runtime access and revalidate machine identity context at each request.


Key terms

  • Effective Permissions: Effective permissions are the access rights an identity can actually exercise after role inheritance, group nesting, exceptions, and resource policies are applied. They are the practical measure of identity risk because they show the real attack surface, not just what the access catalog says should exist.
  • Identity Debt: Identity debt is the accumulation of dormant accounts, stale credentials, excessive privileges, and unmanaged access that teams have not removed. It behaves like technical debt in that it compounds over time, but it is more dangerous because it can be exploited immediately if an attacker finds it first.
  • Non-Human Identity: A non-human identity is a digital identity used by software rather than a person. It includes service accounts, API keys, tokens, certificates, workloads, bots, and AI agents. These identities often outnumber human accounts and require lifecycle controls, ownership, and rotation to remain governable.

Deepen your knowledge

Identity lifecycle control and machine identity governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are trying to close visibility and offboarding gaps in a similar environment, it is worth exploring.

This post draws on content published by Veza: 2026 State of Identity & Access analysis on identity as the new control plane. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org