By NHI Mgmt Group Editorial Team
Published 2025-12-10
Domain: Governance & Risk
Source: SailPoint

TL;DR: Identity security is moving from back-end infrastructure to a business-facing control layer that affects compliance, efficiency, and secure access, according to SailPoint’s discussion with Salesforce and Keurig Dr Pepper leaders. The programme lesson is that identity work must be treated as an ongoing operating model, not a one-time project, because fragmented patterns create inconsistency and risk.


At a glance

What this is: SailPoint’s customer discussion shows identity security increasingly serving business enablement, compliance, and secure access rather than only back-end administration.

Why it matters: IAM, NHI, and human identity teams should read this as a signal that governance quality now shapes business velocity, user experience, and risk posture together.



Context

Identity security is no longer just a back-end control for access administration. In large enterprises, it now shapes compliance outcomes, user productivity, and the speed at which business systems can be safely changed.

That shift matters for IAM programmes because the same governance patterns now affect human users, service accounts, and machine access. When identity systems become inconsistent across applications, the result is not only operational friction but a weaker control model across the whole access estate.


Key questions

Q: How should organisations govern identity security as a business enabler?

A: Treat identity security as an operating control that supports productivity, auditability, and secure change. The practical goal is to standardise access patterns, reduce application-specific exceptions, and make governance measurable across human and non-human identities. That approach keeps business enablement and control design aligned instead of competing.

Q: Why do inconsistent identity integrations create governance risk?

A: Inconsistent integrations create governance risk because each application can end up with different provisioning, review, and revocation behaviours. Over time, that produces access drift, uneven audit evidence, and exceptions that are hard to manage. A standard pattern is safer than custom integration logic spread across the estate.

Q: How do non-human identities fit into zero trust programmes?

A: Non-human identities belong in zero trust because service accounts, machines, and tokens also make access decisions possible. They should be inventoried, scoped, monitored, and reviewed with the same discipline used for human access. Excluding them creates a gap that attackers can exploit through trusted pathways.

Q: What should security teams prioritise before scaling identity security?

A: Security teams should prioritise identity data quality, standard access patterns, and clear ownership for lifecycle decisions. If identity records are fragmented, every downstream control becomes harder to trust. A clean data layer and consistent governance model make scale possible without multiplying exceptions.


Technical breakdown

Why identity security becomes business infrastructure

Identity security becomes business infrastructure when it controls how work actually happens across applications, clouds, and internal systems. In practice, identity and access management is no longer confined to login events or periodic reviews. It influences whether users can do their jobs, whether approvals are defensible in audits, and whether access can be granted with enough precision to support change without creating sprawl. That is why organisations that treat identity as a discrete project tend to accumulate exceptions. The architectural issue is not just tooling coverage, but whether identity data, policy, and integration patterns are consistent enough to support scale.

Practical implication: align identity architecture with business workflow design, not only with access provisioning.

How inconsistent IGA patterns create long-term control debt

When teams migrate applications one by one and customise each integration differently, they create uneven identity governance patterns. That leads to a fragmented control surface where reviews, access rules, and lifecycle handling behave differently across systems that should be governed consistently. The article’s warning about a custom, application-by-application approach reflects a broader identity problem: control debt builds when policy intent is not standardised at the integration layer. This matters for both human and non-human identities, because the more exceptions a programme tolerates, the harder it becomes to prove access quality or scale governance.

Practical implication: standardise integration patterns early so access governance does not become bespoke by application.

Why zero trust and non-human identities belong in the same governance conversation

Zero trust is not only about user authentication. The article explicitly extends verification to non-human identities such as service accounts and machines, which is where many programmes still have blind spots. In identity terms, that means access decisions must assume no identity is trusted by default, regardless of whether the subject is a person or a workload. Continuous monitoring and response also matter because identity attacks often move through legitimate credentials rather than obvious perimeter failures. For practitioners, the technical lesson is that identity assurance, authentication strength, and runtime monitoring have to cover both human and machine actors.

Practical implication: include service accounts and machine identities in zero trust scope, not just human logins.


Threat narrative

Attacker objective: The attacker objective is to use trusted identity pathways to gain durable access, evade detection, and disrupt business operations or data control.

  1. Entry occurs when threat actors use legitimate identity paths rather than obvious perimeter exploits, which is why the article emphasises identity attacks as a major business risk.
  2. Escalation follows when access is excessive, inconsistently governed, or poorly monitored, allowing attackers to move through trusted accounts and systems.
  3. Impact comes from loss of control over access, auditability, and business operations, especially where identity systems are tied to cloud scale and productivity.

Related NHI breaches:

  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity security has become an operating model, not a project. The article is right to frame identity as something that now affects business enablement as much as compliance. That is the real shift for governance teams: access quality, workflow speed, and auditability are now intertwined. Practitioners should treat identity security as a continuing operating discipline rather than a discrete deployment exercise.

Frankenstein integration is the governance debt that weakens IGA programmes. The warning about custom per-application integration is more than an implementation caution. It describes how identity programmes drift into inconsistent policy enforcement, uneven lifecycle handling, and brittle review processes. The implication is that standardised identity patterns matter as much as policy intent, because bespoke integrations undermine governance at scale.

Non-human identities must be governed inside the same trust model as human users. The article’s inclusion of service accounts and machines inside zero trust is the right direction. Identity security fails when programmes separate human authentication from workload governance, because attackers do not respect those internal boundaries. Practitioners should assume that every identity type can become part of the same breach path.

Data-layer quality is the hidden dependency behind every identity programme. The Salesforce perspective in the article highlights a point many teams still underestimate: multiple identity systems without a clean data layer make policy consistency hard to achieve. That is not a tooling preference, it is a control problem. If the identity data model is fragmented, access decisions, recertification, and reporting all degrade together.

Trust is now a business control surface, not a messaging slogan. The strongest part of the discussion is the recognition that identity security enables customers, employees, and auditors to trust access decisions. That makes the governance burden broader than technical security alone. Practitioners should position identity as a shared control plane for business risk, operational efficiency, and user experience.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% only partial visibility, according to The State of Non-Human Identity Security.
  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • That visibility gap makes lifecycle control a first-order issue, so review the Ultimate Guide to NHIs for governance, rotation, and offboarding patterns.

What this signals

Identity security is now a programme design problem, not a tool deployment problem: teams that keep treating governance as a series of one-off application migrations will keep inheriting inconsistent controls and fragmented evidence. The better path is to define a common control model for humans, service accounts, and machine access before scale introduces irreversible drift.

The next maturity jump will come from identity data normalisation and policy consistency rather than from more custom integrations. When the same identity attributes, entitlement rules, and lifecycle states are reused across systems, access reviews become more reliable and business stakeholders can trust the outcome.

With 96% of organisations storing secrets outside secrets managers in vulnerable locations, per our Ultimate Guide to NHIs, identity security programmes will increasingly be judged on how well they reduce hidden access paths, not just on how well they manage login journeys.


For practitioners

  • Standardise IGA integration patterns early: Define a consistent identity pattern for onboarding, provisioning, certification, and deprovisioning before application migration begins. Avoid custom per-app exceptions unless the business case is explicit and reviewed.
  • Extend zero trust to service accounts and machines: Inventory non-human identities alongside human accounts and apply the same verification, access scoping, and monitoring expectations to each identity class.
  • Treat identity data quality as a control requirement: Map duplicate identity sources, reconcile conflicting attributes, and establish one authoritative data layer for access decisions and governance reporting.
  • Tie access governance to business workflows: Measure whether access approvals, recertification cycles, and exception handling are helping teams work faster without weakening control.
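As an added, constructed example (not SailPoint's, the article's, or NHI Mgmt Group's own code), the Python below does the data-layer work the practitioner list and the "control debt" section describe: it merges identity records from several sources into one authoritative layer, then reports the three governance failures this page names, namely conflicting attributes between sources, non-human identities with no recorded owner, and entitlements that drift outside the standard access pattern for a role. Source names, records, and the role-to-entitlement pattern are all hypothetical.

```python
from collections import defaultdict

# Constructed sample records from three hypothetical identity sources.
# "kind" is "human" or "nhi"; humans are keyed by email, workloads by account name.
RECORDS = [
    {"source": "hr",        "key": "a.lee@example.com", "kind": "human", "dept": "finance", "role": "analyst", "entitlements": set()},
    {"source": "directory", "key": "A.Lee@example.com", "kind": "human", "dept": "finance", "role": "analyst", "entitlements": {"erp-read", "erp-post-journal"}},
    {"source": "cloud",     "key": "a.lee@example.com", "kind": "human", "dept": "Finance", "role": "analyst", "entitlements": {"erp-read"}},
    {"source": "cloud",     "key": "svc-billing-export", "kind": "nhi", "owner": "a.lee@example.com", "role": "batch", "entitlements": {"erp-read"}},
    {"source": "directory", "key": "svc-legacy-sync",    "kind": "nhi", "owner": None,                "role": "batch", "entitlements": {"erp-read", "erp-admin"}},
]

# The standard access pattern: entitlements each role may hold under the common control model (hypothetical).
STANDARD_PATTERN = {"analyst": {"erp-read"}, "batch": {"erp-read"}}


def build_identity_layer(records):
    """Collapse per-source records into one authoritative entry per identity.
    Keys are normalised (lower-cased) so the same person or workload seen in
    several systems becomes a single entry; each attribute keeps the set of
    distinct values it was given, so disagreements stay visible rather than
    being silently overwritten by whichever source was loaded last."""
    layer = {}
    for rec in records:
        key = rec["key"].strip().lower()
        entry = layer.setdefault(key, {"kind": rec["kind"], "sources": set(),
                                       "attrs": defaultdict(set), "entitlements": set()})
        entry["sources"].add(rec["source"])
        entry["entitlements"] |= rec["entitlements"]
        for attr in ("dept", "role", "owner"):
            if attr in rec:
                entry["attrs"][attr].add(rec[attr])
    return layer


def assess(layer, standard=STANDARD_PATTERN):
    """Return (identity, finding_type, detail) tuples for: attribute conflicts
    between sources, non-human identities without an owner, and entitlements
    outside the standard pattern for the identity's role (access drift)."""
    findings = []
    for key, entry in layer.items():
        for attr, values in list(entry["attrs"].items()):
            if len(values) > 1:
                findings.append((key, "conflict", f"{attr}={sorted(map(str, values))}"))
        if entry["kind"] == "nhi" and not any(entry["attrs"]["owner"]):
            findings.append((key, "orphaned_nhi", "no owner recorded"))
        role = next(iter(entry["attrs"]["role"]), None)  # first value if role itself conflicts
        drift = entry["entitlements"] - standard.get(role, set())
        if drift:
            findings.append((key, "drift", ",".join(sorted(drift))))
    return findings
```

On the sample data the human record collapses to one entry with a department spelling conflict and one entitlement outside the analyst pattern, while the unowned legacy service account is flagged both as orphaned and as holding an admin entitlement its role does not allow.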

Key takeaways

  • Identity security now influences business enablement, compliance, and operational efficiency, so it has to be managed as a continuous programme.
  • Custom per-application identity integrations create long-term governance debt because they fragment policy, lifecycle handling, and audit evidence.
  • Practitioners should extend zero trust, data quality, and lifecycle discipline across both human and non-human identities.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Identity drift and inconsistent controls are central to the article.
NIST CSF 2.0 | PR.AC-4 | Access management and least privilege underpin the article's governance lessons.
NIST Zero Trust (SP 800-207) | AC-4 | The article explicitly connects identity security to zero trust and continuous verification.

Standardise NHI lifecycle controls and review rotation, revocation, and monitoring together.


Key terms

  • Identity Security Operating Model: The way an organisation runs identity as an ongoing control discipline rather than a one-time project. It covers policy, lifecycle, access decisions, data quality, and reporting across applications and identity types so business changes do not create unmanaged access drift.
  • Identity Data Layer: The authoritative set of identity attributes and relationships used to make access and governance decisions. When this layer is fragmented or inconsistent, provisioning, recertification, and audit evidence all become less reliable, especially in organisations with multiple identity systems.
  • Non-Human Identity: A non-human identity is any machine or workload credential used to authenticate and authorize system activity, such as service accounts, tokens, API keys, or certificates. These identities require lifecycle control, visibility, and least privilege because they can be trusted pathways into core systems.
  • Zero Trust For Identities: A security model that treats every identity as untrusted by default and requires verification, scoping, and monitoring before access is allowed. For non-human identities, the model extends beyond login events to include service accounts, machines, and delegated access paths.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by SailPoint: Keurig Dr Pepper and Salesforce discuss transforming their businesses with identity security. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org