By NHI Mgmt Group Editorial Team | Published 2025-12-10 | Domain: Governance & Risk | Source: SailPoint

TL;DR: SailPoint argues that, as organisations face remote work, compliance pressure, and shifting cyber risk, identity security must evolve continuously, and introduces Atlas, Data Access Security, Activity Insights, and MySailPoint to support that model. The key issue is not feature breadth but whether identity programmes can adapt without re-architecture as the environment changes.


At a glance

What this is: SailPoint frames identity security as an ongoing programme and positions its platform updates around adapting governance as business and threat conditions change.

Why it matters: IAM teams must keep human, NHI, and emerging autonomous access models aligned to changing operations without losing governance coverage.

👉 Read SailPoint's blog on continuous identity security and new platform capabilities


Context

Identity security is not a static control set. In this article, the underlying problem is programme drift: business change, remote work, regulatory pressure, and cyber risk all move faster than identity architectures that were designed for a fixed environment. For IAM teams, that means the question is not whether access can be granted, but whether governance can keep pace across human identities, non-human identities, and future autonomous access patterns.

The article uses SailPoint Navigate 2023 to argue for platforms that can evolve with the enterprise rather than force repeated re-architecture. That message lands in the identity governance conversation because the same structural pressure shows up in lifecycle management, access reviews, and privilege control wherever the identity subject changes faster than the control model. When identity programmes cannot absorb change, they accumulate blind spots and rework.


Key questions

Q: How should identity teams handle governance when the business keeps changing?

A: Identity teams should design governance around change, not around a fixed operating model. That means mapping business events to access impact, keeping policy reusable across applications, and ensuring certification, provisioning, and review processes can absorb new demands without being rebuilt each time the environment shifts.

Q: Why does unstructured data create identity governance risk?

A: Unstructured data creates risk when access is spread across repositories and shares without clear entitlement ownership or review. In that model, sensitive content can remain accessible long after the business need has passed, and the IAM programme loses visibility over who can reach it and why.

Q: How can security teams tell whether least privilege is still working?

A: Security teams should compare granted access with actual usage, then remove entitlements that no longer match real work patterns. If access review outcomes do not change over time, or if unused accounts and privileges keep appearing, least privilege is probably operating as a paperwork control rather than a living one.

Q: What should organisations look for in a flexible identity platform?

A: Organisations should look for a platform that can extend governance across lifecycle, access, and data use cases without forcing re-architecture. If adding a new workload or policy requires separate tooling and duplicate processes, the platform is not reducing identity complexity.


Technical breakdown

Why identity programmes break when the operating model changes

Identity security fails when controls are built as point solutions around a stable organisation chart, stable application set, and stable access model. In practice, remote work, M&A, cloud adoption, and compliance pressure alter who needs access, where they use it, and how often entitlements should be reviewed. If the identity platform cannot adapt without re-engineering, governance becomes slower than the business it is meant to protect. The technical issue is not only provisioning. It is the ability to keep policy, visibility, and lifecycle enforcement aligned as identity populations and application behaviour change.

Practical implication: assess whether your identity architecture can absorb new use cases without breaking review, certification, and policy workflows.

Data access security as an identity governance problem

Unstructured data becomes an identity problem when access is spread across repositories, shares, and applications without clear ownership or usage context. Data access security links discovery, classification, and entitlement governance so security teams can see who can reach sensitive content and whether that access is still justified. That matters because unstructured data often sits outside the clean role models used for structured systems. Without identity-linked governance, exposure remains hidden until audit, incident response, or insider misuse surfaces it.

Practical implication: connect data discovery and classification to access governance so sensitive content is reviewed as part of identity controls, not as a separate data exercise.
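The governance gap described above (sensitive content with no entitlement owner, no recent review, or grants with no stated justification) can be checked mechanically once discovery and classification output is joined to the entitlement inventory. The following is an added illustration for this page, not SailPoint's Data Access Security code; the inventory record layout, the 180-day review window, and the sample share paths are all assumptions constructed for the example.

```python
"""Governance-gap check over an unstructured data inventory.

Added example; not SailPoint code. The record layout (path, classification,
owner, last_review, grants), the 180-day review window and the sample shares
are assumptions chosen for the illustration.
"""
from datetime import date, timedelta

REVIEW_WINDOW_DAYS = 180                 # assumed review cadence for sensitive content
SENSITIVE = {"confidential", "restricted"}  # classifications that require ownership and review
AS_OF = date(2025, 12, 10)               # review date used by run_check()

# Constructed sample inventory: what discovery + classification + entitlement
# collection would hand to the governance process.
INVENTORY = [
    {"path": r"\\files\finance\board-packs", "classification": "confidential",
     "owner": None, "last_review": date(2025, 1, 15),
     "grants": [{"identity": "alice", "justification": "CFO office"},
                {"identity": "svc-backup", "justification": None}]},
    {"path": "sharepoint:/sites/eng/design-docs", "classification": "internal",
     "owner": "eng-lead", "last_review": date(2025, 11, 1),
     "grants": [{"identity": "bob", "justification": "team member"}]},
    {"path": "s3://hr-exports", "classification": "restricted",
     "owner": "hr-director", "last_review": date(2024, 9, 30),
     "grants": [{"identity": "svc-etl", "justification": "payroll load"}]},
]


def find_gaps(inventory, today, window_days=REVIEW_WINDOW_DAYS):
    """Return (path, finding) pairs for every governance gap in the inventory.

    Findings:
      no-owner            sensitive share with no accountable entitlement owner
      stale-review        sensitive share not reviewed within the window
      unjustified-grant:X grant to identity X with no recorded justification
    """
    cutoff = today - timedelta(days=window_days)
    findings = []
    for repo in inventory:
        sensitive = repo["classification"] in SENSITIVE
        if sensitive and repo["owner"] is None:
            findings.append((repo["path"], "no-owner"))
        if sensitive and repo["last_review"] < cutoff:
            findings.append((repo["path"], "stale-review"))
        for grant in repo["grants"]:
            if grant["justification"] is None:
                findings.append((repo["path"], f"unjustified-grant:{grant['identity']}"))
    return findings


def run_check(today=AS_OF):
    """Run the gap check over the constructed inventory."""
    return find_gaps(INVENTORY, today)


if __name__ == "__main__":
    for path, finding in run_check():
        print(f"{finding:30} {path}")
```

Feeding the same check into the access review cycle (rather than running it as a one-off data exercise) is what turns the finding list into an entitlement decision: each "unjustified-grant" becomes a certification item for the named owner, and each "no-owner" blocks certification until ownership is assigned.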

Activity insights and least privilege enforcement

Least privilege depends on knowing how access is actually used, not just what was granted. Activity insights provide usage context at the application level, which can reveal dormant entitlements, over-broad access, and licences that no longer reflect real work patterns. This is especially important in large enterprises where access decisions are often based on outdated assumptions about role fit. In identity governance terms, usage telemetry is a correction layer for entitlement models that drift over time.

Practical implication: use activity evidence to trim unused access and reduce privilege creep before the next certification cycle.


NHI Mgmt Group analysis

Identity security has become a change-management discipline, not just an access-control discipline. The article is really describing a world where business change outpaces static identity design. That matters because governance failures now emerge when identity processes cannot adapt to new work patterns, new applications, and new compliance demands quickly enough. Practitioners should treat programme adaptability as a core control objective, not an implementation detail.

Continuous identity governance is now the baseline expectation for modern enterprises. The platform framing in the article reflects a broader market shift toward identity control planes that can support multiple workloads without re-architecture. That is consistent with the way modern IAM, NHI, and lifecycle management are converging around shared governance functions. The practical conclusion is that identity teams need reusable policy, visibility, and review mechanisms that survive organisational change.

Unstructured data governance is increasingly part of the identity perimeter. When access to documents, files, and repositories is disconnected from identity policy, the organisation loses track of who can reach sensitive content and why. That is not a niche data problem. It is an identity governance gap that expands the attack surface and complicates audit readiness. Practitioners should fold data access into the same governance model as other entitlements.

Activity-based entitlement review is the missing feedback loop in many programmes. Access decisions degrade when they are made once and never reconciled against usage. The article’s emphasis on activity insight points to a broader requirement: governance teams need evidence of actual use to sustain least privilege at scale. Without that feedback loop, recertification becomes a paperwork exercise rather than a control.

Identity platforms are being judged on their ability to scale governance with the enterprise. The market is moving away from tools that solve one narrow identity problem and toward systems that can absorb new identities, new applications, and new policy demands together. Practitioners should evaluate whether their current architecture can extend into lifecycle, access, and data governance without creating separate control islands.

From our research:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to NHI Mgmt Group research.
  • For the broader control model, review the Ultimate Guide to NHIs and Regulatory and Audit Perspectives for the audit and governance angle.

What this signals

Identity control planes are becoming the deciding factor in whether programmes scale with the business. If your current architecture cannot absorb new applications, new compliance demands, and new identity types without rework, the problem is structural rather than procedural. The next programme maturity question is not whether you can add controls, but whether the control model can survive change without fragmentation.

Activity-based governance will matter more as privilege sprawl grows. The difference between granted access and used access is where many least-privilege programmes fail in practice. Teams that can turn usage evidence into entitlement decisions will reduce audit noise, shrink dormant access, and make recertification materially better than a checkbox exercise.

With 97% of NHIs carrying excessive privileges, according to the Ultimate Guide to NHIs, access models that do not generalise across human and machine identities will keep producing blind spots. That is why the next wave of identity governance is about one control plane that can span people, workloads, and emerging agentic systems without duplicating policy logic.


For practitioners

  • Map change events to identity control impact: Track remote work shifts, compliance changes, new applications, and organisational restructures against the identity processes they stress most. Use that mapping to identify where certification, provisioning, and policy workflows will slow down or lose coverage.
  • Tie data discovery to access governance: Bring unstructured data repositories into the same entitlement review cycle as applications. Classify sensitive content, assign ownership, and require access justification so hidden data exposure is not left outside the IAM programme.
  • Use activity evidence to clean up privilege creep: Compare granted access with actual application use and remove dormant or excessive entitlements before the next recertification cycle. Treat usage telemetry as a control signal, not just an optimisation metric.
  • Evaluate platform flexibility before the next expansion: Test whether your identity stack can absorb new identity populations and policy requirements without re-architecting. The key question is whether it can extend governance across access, lifecycle, and data without creating parallel processes.
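The granted-versus-used comparison that the "Activity insights and least privilege enforcement" section and the privilege-creep bullet above both describe reduces to a join between the entitlement inventory and usage telemetry, with a dormancy threshold applied per entitlement. The example below is added for this page and is not SailPoint's Activity Insights code; the CSV layouts, the 90-day threshold, the sample identities and entitlement names are constructed assumptions. It also shows one edge case the prose implies but does not spell out: a grant newer than the threshold is reported as "new-grant" rather than "never-used", so recently onboarded access is not removed before it has had a chance to be used.

```python
"""Reconcile granted entitlements against activity telemetry.

Added example; not SailPoint code. The CSV layouts, the 90-day dormancy
threshold and all identities/entitlements below are constructed assumptions.
"""
import csv
from datetime import datetime, timedelta
from io import StringIO

DORMANT_DAYS = 90                     # assumed dormancy threshold
AS_OF = datetime(2025, 12, 10)        # review date used by run_review()

# Constructed grant inventory: identity, identity_type (human/nhi), entitlement, granted_on
GRANTS_CSV = """identity,identity_type,entitlement,granted_on
alice,human,erp:ap-approver,2025-01-10
alice,human,erp:gl-admin,2025-02-01
svc-reports,nhi,erp:read-all,2024-06-15
svc-reports,nhi,erp:gl-admin,2024-06-15
carol,human,erp:ap-approver,2025-11-25
svc-legacy,nhi,erp:read-all,2023-03-01
"""

# Constructed usage telemetry: one row per observed use of an entitlement
USAGE_CSV = """timestamp,identity,entitlement
2025-12-01T09:14:00,alice,erp:ap-approver
2025-12-03T10:02:00,svc-reports,erp:read-all
2025-07-20T02:00:00,svc-reports,erp:gl-admin
2025-12-05T16:40:00,alice,erp:ap-approver
"""


def parse_csv(text):
    return list(csv.DictReader(StringIO(text)))


def last_use(usage_rows):
    """Map (identity, entitlement) -> most recent use timestamp."""
    seen = {}
    for row in usage_rows:
        key = (row["identity"], row["entitlement"])
        ts = datetime.fromisoformat(row["timestamp"])
        if key not in seen or ts > seen[key]:
            seen[key] = ts
    return seen


def reconcile(grants, usage_rows, now, dormant_days=DORMANT_DAYS):
    """Label every grant: active, dormant, never-used, or new-grant."""
    cutoff = now - timedelta(days=dormant_days)
    used = last_use(usage_rows)
    findings = []
    for g in grants:
        key = (g["identity"], g["entitlement"])
        granted_on = datetime.fromisoformat(g["granted_on"])
        if granted_on > cutoff:
            status = "new-grant"          # too recent to judge; do not remove yet
        elif key not in used:
            status = "never-used"
        elif used[key] < cutoff:
            status = "dormant"
        else:
            status = "active"
        findings.append({**g, "status": status,
                         "last_used": used.get(key).isoformat() if key in used else None})
    return findings


def removal_candidates(findings):
    """Entitlements to take into the next recertification as removals."""
    return [(f["identity"], f["entitlement"]) for f in findings
            if f["status"] in {"dormant", "never-used"}]


def inactive_identities(findings):
    """Identities whose every (non-new) grant is dormant or never used."""
    by_identity = {}
    for f in findings:
        by_identity.setdefault(f["identity"], []).append(f["status"])
    return sorted(i for i, statuses in by_identity.items()
                  if statuses and all(s in {"dormant", "never-used"} for s in statuses))


def run_review(now=AS_OF):
    return reconcile(parse_csv(GRANTS_CSV), parse_csv(USAGE_CSV), now)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f['status']:10} {f['identity_type']:5} {f['identity']:12} {f['entitlement']}")
    print("remove:", removal_candidates(run_review()))
    print("inactive identities:", inactive_identities(run_review()))
```

The identity_type column is carried through so the same report covers human and NHI grants in one pass; in the constructed data the never-used service account (svc-legacy) is exactly the kind of standing access that a role-based review would not surface, because its role fit has not changed, only its use has.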

Key takeaways

  • Identity security fails when governance cannot keep pace with business and technology change.
  • Usage evidence is essential for turning least privilege into a living control rather than a static approval record.
  • Flexible identity architectures are now a prerequisite for scaling lifecycle, access, and data governance together.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Identity governance and rotation are central to the article's NHI implications.
NIST CSF 2.0 | PR.AC-4 | Least privilege and entitlement review align with access management.
NIST Zero Trust (SP 800-207) | | The post's continuous verification theme fits zero trust governance.

Apply zero-trust principles so access decisions stay tied to current context, not legacy assumptions.


Key terms

  • Identity Security Programme: An identity security programme is the operating model that governs access, lifecycle, and entitlement review across people, machines, and applications. It combines policy, visibility, and enforcement so identity controls can change as the organisation changes.
  • Least Privilege: Least privilege is the practice of giving each identity only the access it needs for its current task. In mature programmes, that means entitlements are continuously compared with real usage so excessive permissions can be removed before they become routine risk.
  • Unstructured Data Governance: Unstructured data governance is the control of access to files, documents, and shared content that does not fit neatly into a traditional application model. It becomes an identity issue when entitlement ownership, classification, and review are missing or disconnected.
  • Activity Insight: Activity insight is the use of application and entitlement usage evidence to inform access decisions. It helps identity teams see whether granted permissions are actually being used and whether an entitlement should be kept, reduced, or removed.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by SailPoint: Identity Security: A continuous journey in the evolving digital landscape. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org