By NHI Mgmt Group Editorial Team
Published 2025-12-10
Domain: Governance & Risk
Source: SailPoint

TL;DR: Working-from-anywhere exposed a dangerous gap between enabling access and securing it, because identity has become the modern enterprise perimeter and each identity can open hundreds or thousands of access points, according to SailPoint. The real risk is false confidence in authentication alone, because access that is not continuously governed becomes exposure.


At a glance

What this is: This is a SailPoint opinion piece arguing that identity security must move beyond access enablement to continuous control of every identity and access point.

Why it matters: It matters because IAM, NHI, and human identity programmes all fail when they treat access approval as equivalent to access security.



Context

Identity security is the discipline of deciding not only who or what gets access, but whether that access is necessary, appropriate, and still valid as conditions change. SailPoint’s core claim is that the enterprise perimeter has shifted to identity, so enabling access without governance creates a control gap across human users, contractors, partners, and software identities.

For IAM teams, the issue is not authentication alone. Strong login controls can coexist with overbroad privileges, stale entitlements, and role drift, which means the access model can look healthy while the governance model is already failing.


Key questions

Q: How should security teams balance access enablement and identity control?

A: Security teams should treat access enablement as a delivery function and identity control as a governance function. The key is to provision quickly, then continuously validate whether access remains necessary, role-appropriate, and policy-compliant. Without that second layer, identity security becomes an illusion of productivity rather than a control over exposure.

Q: Why do strong authentication controls not eliminate identity risk?

A: Strong authentication only proves that an identity can sign in. It does not prove the identity should keep the access it has, whether the privilege is excessive, or whether the entitlement is still relevant after a role change. Risk remains wherever access is persistent, overbroad, or never retired.

Q: What breaks when access reviews are disconnected from lifecycle events?

A: When reviews are disconnected from joiner, mover, and leaver events, organisations end up certifying access that no longer matches business need. That creates stale permissions, weak accountability, and delayed removal. The control fails because the review process is detached from the moment when access actually becomes wrong.

Q: Who should own identity security in a modern enterprise perimeter model?

A: Ownership should sit across IAM, IGA, PAM, and security architecture, because the perimeter now consists of identity relationships rather than network boundaries. Operations can provision access, but governance must define scope, review, and removal. The business cannot delegate accountability to authentication alone.


Technical breakdown

Why enablement without governance creates identity risk

Modern access programmes often optimise for speed of onboarding and application reach, but that optimisation can hide unresolved entitlement risk. If teams focus only on granting access, they lose the ability to answer basic governance questions about role fit, privilege scope, duration, and removal. Identity becomes the perimeter because every identity and every connected system becomes an exposure point when access is not reviewed, constrained, and retired with the same discipline used to provision it.

Practical implication: treat access approval as the start of governance, not the end of control.

How identity becomes the new perimeter in SaaS-heavy environments

As organisations adopt more SaaS and cloud services, the number of access points multiplies across people, applications, data, and shared resources. The perimeter is no longer a network boundary but a set of identity relationships that must be continuously managed. In that model, the question is not whether MFA exists, but whether each identity still needs the access it holds and whether policy can keep pace with changing roles.

Practical implication: map privilege by identity and service rather than assuming the network or SSO layer is enough.

Why access reviews fail when they are not tied to lifecycle change

Access review processes only work when they are tied to real lifecycle events such as role changes, project completion, contractor offboarding, or privilege escalation. If review is detached from change, organisations keep certifying stale access because the business context that justified it has already moved on. That is how enablement turns into accumulated exposure rather than controlled productivity.

Practical implication: connect recertification, role change, and offboarding into one lifecycle control loop.


NHI Mgmt Group analysis

Enablement without control is the core identity governance failure. The article is right to separate giving access from securing it, because those are different control problems with different failure modes. In practice, organisations often celebrate faster access provisioning while leaving privilege scope, approval quality, and removal discipline underdeveloped. The practitioner conclusion is simple: access velocity is not security.

The modern perimeter is now a policy problem, not a network problem. Once identity becomes the primary boundary, every person, contractor, partner, and software identity must be governed as an exposure surface. That changes the design task for IAM and IGA teams because the control objective is no longer just authentication, but entitlement integrity across the full access lifecycle. The practitioner implication is to treat identity policy as perimeter policy.

Standing access creates a false sense of security because the risk sits in what remains after the login succeeds. MFA can reduce account compromise risk, but it does not answer whether access is still required, least-privileged, or properly retired. This is the assumption many programmes make and then never test. The practitioner conclusion is to judge identity security by privileged state, not by successful sign-in.

Identity lifecycle governance is the missing bridge between workforce enablement and enterprise protection. The article’s strongest insight is that access decisions must be revisited whenever jobs, contracts, or system relationships change. Without that lifecycle bridge, organisations keep opening doors they never close. The practitioner implication is to unify joiner, mover, and leaver controls with entitlement governance.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • In the same research, 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks, which shows that access often fails after provisioning, not at login.
  • For a broader governance baseline, see Ultimate Guide to NHIs for how identity lifecycle controls connect provisioning, rotation, and offboarding.

What this signals

Identity enablement will keep outpacing governance unless teams design for removal as well as grant. The article reflects a pattern we still see across IAM and NHI programmes: access is easy to create, harder to constrain, and often slow to retire. That is why entitlement drift becomes a board-level exposure, not an admin inconvenience.

Identity perimeter thinking should push practitioners toward lifecycle control, not authentication theatre. Once every user, contractor, partner, and machine identity is part of the perimeter, the key question becomes whether governance can follow change fast enough. Teams that cannot trace and remove stale access will keep mistaking productivity for security.


For practitioners

  • Separate access approval from access governance: Require a second control step after initial provisioning to confirm role fit, privilege scope, and business need before access is treated as acceptable.
  • Tie every access review to a lifecycle trigger: Trigger recertification when a role changes, a contractor engagement ends, or a project closes, so stale access is not re-certified by default.
  • Inventory the identities that define your perimeter: Build a single view of employees, contractors, partners, and non-human identities so each access relationship can be evaluated against policy.
  • Measure removal as carefully as grant speed: Track how quickly unnecessary access is removed after role change or offboarding, because delayed removal is where enablement becomes exposure.
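As an added example (not SailPoint's or NHIMG's code), the lifecycle-triggered review and the removal-latency measurement described in the breakdown and the practitioner list above, run over a constructed grant log and lifecycle event log; the identities, entitlements, roles and dates are made up.

```python
from collections import namedtuple
from datetime import datetime
# role = the role held when access was granted; revoked stays None while live
Grant = namedtuple("Grant", "identity entitlement role granted revoked", defaults=[None])
# kind is "joiner", "mover" or "leaver"; new_role is set for joiner and mover
Event = namedtuple("Event", "identity kind at new_role", defaults=[None])

# Constructed sample data, not from the article: one mover and one leaver.
GRANTS = [
    Grant("alice", "repo-write", "engineer", datetime(2025, 1, 6)),
    Grant("alice", "ledger-read", "finance", datetime(2025, 6, 3)),
    Grant("bob", "vpn", "contractor", datetime(2025, 3, 3), datetime(2025, 9, 1, 10)),
    Grant("bob", "shared-drive", "contractor", datetime(2025, 3, 3)),
]
EVENTS = [
    Event("alice", "mover", datetime(2025, 6, 2), "finance"),
    Event("bob", "joiner", datetime(2025, 3, 3), "contractor"),
    Event("bob", "leaver", datetime(2025, 8, 29, 10)),
]

def latest_event(events):
    """Most recent lifecycle event per identity; input may be unordered."""
    latest = {}
    for e in sorted(events, key=lambda e: e.at):
        latest[e.identity] = e
    return latest

def review_queue(grants, events):
    """Live access whose context has moved on: a mover whose current role differs
    from the role the access was granted under, or a leaver who still holds access."""
    latest, queue = latest_event(events), []
    for g in grants:
        e = latest.get(g.identity)
        if g.revoked is not None or e is None:
            continue
        if e.kind == "leaver":
            queue.append((g.identity, g.entitlement, "leaver still holds access"))
        elif e.kind == "mover" and e.at > g.granted and e.new_role != g.role:
            queue.append((g.identity, g.entitlement, f"role changed {g.role} -> {e.new_role}"))
    return queue

def removal_latency_hours(grants, events):
    """Hours from a leaver event to revocation; None means the access is still live."""
    latest, out = latest_event(events), {}
    for g in grants:
        e = latest.get(g.identity)
        if e is None or e.kind != "leaver" or (g.revoked and g.revoked < e.at):
            continue
        out[(g.identity, g.entitlement)] = (
            None if g.revoked is None else (g.revoked - e.at).total_seconds() / 3600)
    return out
```

Access granted after a move under the new role (alice's ledger-read) is not queued, while access granted under the old role is; a None latency is the "door never closed" case the article warns about.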

Key takeaways

  • The article’s central warning is that enabling access without governing it creates a false sense of security.
  • The practical problem is not authentication alone, but stale or overbroad access that remains after business conditions change.
  • Identity security programmes need lifecycle-linked review and removal controls if they are to protect a modern enterprise perimeter.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework                    | Control / Reference | Relevance
NIST CSF 2.0                 | PR.AC-4             | Access permissions must be managed and limited across the identity perimeter.
NIST Zero Trust (SP 800-207) |                     | Identity is treated as the perimeter, which aligns with continuous verification.
NIST SP 800-63               |                     | Strong authentication can reduce sign-in risk, but it does not govern entitlement scope.

Use strong authentication as one layer, then govern privilege separately through lifecycle controls.


Key terms

  • Identity perimeter: The identity perimeter is the idea that enterprise security boundaries are defined by who or what has access, not by the network edge. It includes people, contractors, partners, service accounts, and other identities whose privileges must be governed continuously.
  • Access enablement: Access enablement is the process of giving an identity the permissions it needs to work. It solves productivity and onboarding, but on its own it does not prove those permissions are still appropriate, least-privileged, or properly retired after business conditions change.
  • Identity governance: Identity governance is the control discipline that decides whether access should exist, how long it should remain, and when it should be removed. It connects provisioning, review, recertification, and offboarding so that entitlement state stays aligned with business need.
  • Lifecycle control: Lifecycle control is the set of processes that keep identity decisions aligned with change across joiner, mover, and leaver events. It matters because access that is valid at creation can become risky or unnecessary as roles, contracts, and system relationships evolve.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by SailPoint: False Sense of Security. Read the original.
