Identity security and business continuity at Nationwide Building Society

At a glance

What this is: This is a brief customer story about how Nationwide Building Society ties identity security to business continuity and automates controls around critical applications.

Why it matters: It matters because identity controls now sit inside resilience, compliance, and access governance programmes, affecting NHI, autonomous, and human access paths alike.

👉 Read SailPoint’s customer story on identity security and business continuity at Nationwide Building Society

Context

Identity security is not just an access control problem. In this case, the core issue is how a large financial services organisation keeps critical applications governed while the business changes around them, and why manual control points become a continuity risk.

For IAM teams, the useful signal is that automation and compliance are being treated as operational resilience measures, not separate projects. That framing is relevant across human access, service accounts, and other non-human identities where continuity depends on predictable governance.

SailPoint’s customer example points to a familiar pattern in mature programmes: when access management becomes part of business continuity planning, the priority shifts from isolated control administration to repeatable governance over the most critical applications.

Key questions

Q: How should security teams include identity in business continuity planning?

A: They should treat identity as a recovery dependency, not just an administration task. That means defining which applications are continuity-critical, automating the control steps around them, and documenting how access is approved, reviewed, and revoked during disruption. Continuity plans should answer who can get in, under what authority, and how control is restored after the event.

Q: Why do manual identity processes create resilience risk?

A: Manual processes slow down access decisions, create inconsistency, and are the first thing to weaken when teams are under pressure. In a continuity scenario, that can leave critical systems either overexposed or inaccessible. Automated governance reduces that drift by making the access path repeatable and auditable even when operations are disrupted.

Q: When should organisations automate identity governance for critical systems?

A: They should automate it wherever a delay, error, or exception in access control would affect service continuity or compliance. The highest priority is usually the small set of applications that the business cannot operate without. Those systems need controls that remain stable when staffing, demand, or infrastructure conditions change.

Q: What is the difference between authentication resilience and identity governance?

A: Authentication resilience is about whether people can still sign in and reach essential systems during disruption. Identity governance is about whether the access granted is still appropriate, controlled, and reviewable. Mature programmes need both. A system can be easy to use and still be poorly governed, or tightly governed and still fail under operational stress.

Technical breakdown

Automated control enforcement for critical applications

The article describes an end-to-end automated approach for controlling access to the applications that matter most. In practice, this means moving from manual approval steps and ad hoc administration to governed workflows that can apply consistently as the business evolves. Automation here is less about speed and more about reducing the chance that critical entitlements drift outside policy when teams are busy or processes are fragmented. For security architects, the architectural question is whether the identity layer can still enforce control when operating conditions change quickly.

Practical implication: map the highest-risk applications first and remove any manual step that can delay or bypass access governance.

Seamless authentication as a continuity requirement

The story links identity security to seamless authentication, which matters because recovery and continuity fail if users cannot get to essential systems when needed. In a financial services setting, authentication has to support both protection and usability, especially where staff need dependable access to core services during disruption. Seamless does not mean weaker. It means the access path should be reliable, governed, and resilient enough to support the business without creating avoidable friction or control exceptions.

Practical implication: test whether authentication and access workflows still function during disruption, not only under normal operating conditions.

Identity governance as part of resilience planning

The strongest message in the article is that identity is being treated as part of the wider security strategy, not as a back-office support function. That matters because continuity planning often focuses on infrastructure and recovery while leaving access governance behind. When identity is not built into the resilience model, organisations can restore systems but still lack clear control over who can use them. The governance layer needs to survive change, outage, and operational pressure.

Practical implication: include identity controls, access review ownership, and emergency governance paths in continuity playbooks.

NHI Mgmt Group analysis

Identity security becomes a continuity control when business change is the constant. This article shows a familiar maturity shift: access management is no longer justified only by compliance or convenience, but by the need to keep critical services governable as the organisation changes. That is the right framing for modern IAM programmes, because brittle access processes become operational risk the moment business continuity is tested. The practitioner lesson is to treat identity governance as part of resilience design, not a separate administrative layer.

Automation is the control plane that prevents manual identity drift. The article points to automated end-to-end control as the mechanism that improves risk posture and compliance. In governance terms, that reduces dependency on manual actions that are slow, inconsistent, and easy to bypass under operational pressure. For identity teams, the point is not automation for its own sake, but the removal of friction where manual control cannot scale with business-critical access decisions.

Seamless authentication and strong control are not opposing goals. The Nationwide example reinforces a practical truth for regulated environments: user experience degrades when control is bolted on after the fact, but resilience also fails when access is made easy without governance. Identity programmes that align authentication, automation, and application criticality are better positioned to support both security and continuity. Practitioners should align identity design with business service tiers, not treat all applications the same.

Business continuity plans that omit identity governance leave a structural gap. This article assumes identity is already part of the broader security strategy, which is where mature programmes should land. Continuity planning that focuses on systems restoration without access governance still leaves uncertainty about who can reach what, when, and under which controls. The implication is straightforward: if identity is not in the continuity model, the organisation can recover infrastructure while still losing operational control.

Identity security for critical applications is now a governance benchmark, not a side project. The example signals that mature programmes are being measured by their ability to automate control, support compliance, and preserve access reliability for the applications that drive the business. That raises the bar for IAM teams, especially where privileged access, service accounts, and user access all intersect in the same operational estate. Practitioners should use this lens to prioritise the systems where identity failure would become a business failure.

From our research:

• 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
• Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.
• For a deeper governance baseline, review NHI Lifecycle Management Guide for provisioning, rotation, and offboarding controls.

What this signals

Identity governance is increasingly being evaluated as part of resilience architecture, not just access administration. That matters because continuity plans that exclude identity usually discover the gap only when a critical service needs emergency access. The practical next step is to make access ownership, review cadence, and emergency authority visible in the same programme that tracks recovery and uptime.

The broader market signal is that organisations are trying to automate away the most failure-prone parts of access control. In practice, that points toward tighter integration between IAM, privileged access, and business continuity planning, especially for regulated services where control failures become operational failures.

For teams building governance roadmaps, the lesson is to prioritise the applications where access failure would have the largest service impact. Identity blast radius: the portion of the business exposed when access control fails for a critical application. Once that is understood, control design becomes a resilience decision, not a tooling decision.

For practitioners

• Align identity controls to business continuity tiers Identify which applications and access paths must remain governable during disruption, then assign stronger approval, recovery, and oversight rules to those tiers. Use the continuity plan to decide where identity automation is mandatory rather than optional.
• Replace manual access steps in critical workflows Map the approval, provisioning, and exception steps that still depend on human handoffs, and remove the ones that create delay or inconsistency for essential systems. Keep the process deterministic so the control remains intact under pressure.
• Test authentication for disruption scenarios Verify that access workflows still support essential users and administrators during outage conditions, failover events, and recovery operations. The goal is to prove that control and availability can coexist when normal operating assumptions no longer hold.
• Include identity ownership in continuity runbooks Document who can approve emergency access, who can review it afterward, and how access is revoked when the incident ends. Make those decisions explicit before an outage rather than improvising them during recovery.

Key takeaways

• Nationwide’s example shows that identity governance is now part of continuity planning, not separate from it.
• Automating access control reduces manual drift and strengthens the reliability of critical applications.
• Teams should design emergency access, review, and revocation paths before disruption occurs, not during recovery.

Key terms

• Identity Governance: Identity governance is the discipline of deciding who or what should have access, who approves it, and how that access is reviewed and removed over time. It spans human users, service accounts, and other non-human identities, with policy, evidence, and accountability built into the process.
• Business Continuity: Business continuity is the capability to keep essential services operating through disruption and recover them afterward. In identity programmes, continuity depends on access control, authentication, and recovery governance remaining dependable when normal workflows are stressed or unavailable.
• Automated Control: An automated control is a policy or workflow that enforces access decisions without relying on manual intervention at each step. In identity security, automation reduces drift, improves consistency, and makes governance more resilient when volume, urgency, or staffing changes.
• Critical Application: A critical application is a system whose failure would materially affect business operations, regulatory obligations, or service delivery. For identity teams, these applications deserve the strongest access governance because an access error can quickly become an operational incident.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.

This post draws on content published by SailPoint: Identity Security and Business Continuity at Nationwide Building Society. Read the original.