By NHI Mgmt Group Editorial Team
Published 2026-06-27
Domain: Governance & Risk
Source: Zluri

TL;DR: Identity incidents often begin with legitimate access. Zluri argues that the real gap is full-lifecycle control across authentication, authorization, provisioning, reviews, and offboarding. Microsoft's figure of 600 million identity attacks per day, more than 99% of them password-based, shows the scale at the sign-in edge, but the governance assumption that access stays stable long enough for manual review is breaking under real operating conditions.


At a glance

What this is: A candid evaluation of identity security tools that says the core failure is not sign-in control but end-to-end lifecycle governance across human and non-human access.

Why it matters: IAM teams need to see where specialist tools stop, because unmanaged access changes, orphaned accounts, and incomplete offboarding create risk across human, NHI, and workload programmes.

By the numbers:

  • 600 million identity attacks per day, more than 99% of them password-based (Microsoft, as cited by Zluri).
  • Two-thirds of enterprises have suffered a successful attack resulting from compromised non-human identities (2024 ESG report, cited below).
👉 Read Zluri's evaluation of identity security solutions in 2026


Context

Identity security is the discipline that keeps access correct from the moment it is granted until the moment it should be removed. In this article, the primary gap is not authentication at the edge but lifecycle and governance failure: access is granted informally, role changes leave old permissions behind, and offboarding is incomplete for both human and non-human identities.

That is the right problem statement for SaaS-heavy environments, where the hidden risk is not one failed login but many small governance misses accumulating into standing access. The article frames the market around full-lifecycle control, which is the area where IAM, IGA, PAM, and NHI governance increasingly overlap.


Key questions

Q: What breaks when access reviews are not linked to deprovisioning?

A: Access reviews become an observation exercise instead of a control. Teams may detect stale or excessive access, but if the finding does not drive removal, the same entitlement remains live after the review. That creates a gap between governance evidence and actual reduction in risk, especially for app accounts and tokens that are easy to miss.

Q: Why do role changes often create more identity risk than new hires?

A: Role changes are where permission accumulation starts. A new hire usually begins with a constrained baseline, but a mover can inherit additional access while the old set stays active. If lifecycle logic does not remove previous entitlements at the same time it grants new ones, the identity quietly expands beyond its current job need.

Q: How do security teams know whether lifecycle governance is actually working?

A: Look for whether joiner, mover, and leaver actions are executed from the same control model and whether revocation happens without manual follow-up. If reviews find orphaned accounts, delayed offboarding, or unused access that survives beyond the business event, lifecycle governance is not closed-loop.

Q: What is the difference between access reviews and identity posture management?

A: Access reviews are scheduled checks that ask whether access is still correct at a point in time. Identity posture management is continuous monitoring that looks for drift, orphaned access, and policy violations as they happen. Together they work best when posture findings feed directly into removal or recertification workflows.


Technical breakdown

Why identity security breaks when lifecycle control is fragmented

Identity security only works when provisioning, review, and deprovisioning are part of one control path. If requests arrive through Slack, access changes happen in one system, and offboarding happens in another, the audit trail fragments and stale access persists. The article correctly treats this as a governance problem, not a perimeter problem. For non-human identities, the same fragmentation leaves API tokens, app accounts, and service access untouched long after the business reason for them has expired.

Practical implication: map every access path to one lifecycle owner and one revocation path, especially for app accounts and tokens.

How JIT access changes the authorization layer

Just-in-time access is a time-bound authorisation pattern, not a replacement for governance. It reduces standing privilege by provisioning access for a defined window and revoking it automatically at expiry. That matters when elevated access is required only for a task or incident response. But JIT only works if the underlying identity is still tracked, approved, and logged correctly. Without that, temporary access becomes another unmanaged entitlement with a shorter clock.

Practical implication: apply JIT only where approvals, expiry, and logging are enforced end to end, not as a standalone feature.
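The pattern above, as an added example that is not code from Zluri or NHIMG: a small just-in-time grant broker in which approval, a capped time window, expiry enforced at decision time, and an append-only audit record are all mandatory rather than optional. The broker, the four-hour ceiling, and the injectable clock are assumptions chosen for illustration; the sample request is constructed.

```python
"""Just-in-time grant broker with enforced approval, TTL cap, expiry and audit log.

Added example, not code from Zluri or NHIMG. The broker, the four-hour cap
and the injectable clock are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

MAX_TTL = timedelta(hours=4)   # assumed policy ceiling; no grant may outlive it


@dataclass
class JitGrant:
    subject: str
    entitlement: str
    approver: str
    justification: str
    issued_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None


class JitBroker:
    def __init__(self, clock: Callable[[], datetime]):
        self.clock = clock
        self.grants: List[JitGrant] = []
        self.audit: List[Tuple] = []   # append-only; every grant and revoke lands here

    def request(self, subject: str, entitlement: str, approver: str,
                justification: str, ttl: timedelta) -> JitGrant:
        if approver == subject:
            raise PermissionError("self-approval is not allowed")
        if not justification.strip():
            raise ValueError("a justification is required")
        ttl = min(ttl, MAX_TTL)          # cap the window; never trust the requested TTL
        now = self.clock()
        g = JitGrant(subject, entitlement, approver, justification, now, now + ttl)
        self.grants.append(g)
        self.audit.append(("grant", subject, entitlement, approver, now, g.expires_at))
        return g

    def is_authorized(self, subject: str, entitlement: str) -> bool:
        """Expiry is checked at decision time, not only when the sweeper runs."""
        now = self.clock()
        return any(
            g.subject == subject and g.entitlement == entitlement
            and g.revoked_at is None and g.expires_at > now
            for g in self.grants
        )

    def sweep(self) -> int:
        """Mark expired grants revoked and record it; returns the count revoked."""
        now = self.clock()
        revoked = 0
        for g in self.grants:
            if g.revoked_at is None and g.expires_at <= now:
                g.revoked_at = now
                self.audit.append(("revoke", g.subject, g.entitlement, "expiry", now))
                revoked += 1
        return revoked


class FakeClock:
    """Controllable clock so the expiry path can be exercised without waiting."""
    def __init__(self, start: datetime):
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, delta: timedelta) -> None:
        self.now += delta


def run_demo() -> Dict[str, object]:
    """Constructed scenario: an 8h request is capped to 4h, expires, is swept, logged."""
    clock = FakeClock(datetime(2026, 6, 27, 9, 0, tzinfo=timezone.utc))
    broker = JitBroker(clock)
    broker.request("alice", "aws:prod-admin", "bob", "INC-1234 database failover",
                   timedelta(hours=8))
    out: Dict[str, object] = {}
    g = broker.grants[0]
    out["ttl_capped_hours"] = (g.expires_at - g.issued_at) / timedelta(hours=1)
    out["active_now"] = broker.is_authorized("alice", "aws:prod-admin")
    clock.advance(timedelta(hours=5))
    out["active_after_expiry"] = broker.is_authorized("alice", "aws:prod-admin")
    out["swept"] = broker.sweep()
    out["audit_events"] = [e[0] for e in broker.audit]
    try:
        broker.request("alice", "aws:prod-admin", "alice", "emergency", timedelta(hours=1))
        out["self_approval_blocked"] = False
    except PermissionError:
        out["self_approval_blocked"] = True
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The point the text makes is visible in `is_authorized`: the authorization decision itself consults the expiry, so a missed sweep cannot silently turn a temporary grant into standing access; the sweep exists to write the revocation into the audit trail, which is the evidence reviewers later need.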

What identity posture management adds beyond periodic reviews

Identity Security Posture Management shifts detection from periodic review cycles to continuous monitoring of entitlement drift, orphaned access, and policy violations. That is important because risk usually accumulates between certification campaigns, not during them. Continuous posture monitoring catches the account that becomes over-privileged mid-quarter or the access that never gets cleaned up after a move. In practice, ISPM is the control layer that closes the gap between a scheduled review and a live environment.

Practical implication: use continuous posture monitoring to surface drift between review cycles, then feed those findings into revocation workflows.


Threat narrative

Attacker objective: The attacker aims to retain credentials that still authenticate after the business believes the identity has moved on or been removed.

  1. entry: A legitimate access request is granted informally, often outside a formal ticketing workflow, so the identity enters the environment with weak governance behind it.
  2. escalation: A later role change adds more access while the old access remains in place, creating permission accumulation and a broader blast radius.
  3. impact: Offboarding leaves some app accounts and tokens active, allowing continued authentication and, eventually, a suspicious sign-in from an unusual location.

Comparable NHI incidents:
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — an exposed database leaked more than 1M log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Full-lifecycle identity control, not point-in-time access control, is the real security boundary. This article is strongest when it argues that authentication alone does not solve identity risk. The failure mode is cumulative access drift across joiner, mover, and leaver events, which means governance must follow the identity across its whole lifecycle. For SaaS-heavy estates, that is the discipline that separates clean access from delayed incident response.

Permission accumulation is the governance debt that most programmes still undercount. The article describes a mover event that grants new access but leaves the old set in place, which is the classic lifecycle gap. That is not just a tooling issue, it is a control design issue that turns role changes into hidden privilege expansion. Practitioners should read this as evidence that access change is often more dangerous than initial provisioning.

Orphaned non-human access is the same governance failure in a different actor class. The article discusses app accounts and API tokens surviving offboarding, which is exactly why NHI lifecycle cannot be treated as a side topic. Service accounts, API keys, and tokens need the same offboarding logic as human identities, or accountability outlives ownership. The implication is straightforward: identity programmes that stop at users are already incomplete.

Identity Security Posture Management is becoming the control plane for drift, not the replacement for governance. Continuous detection matters because review cycles are too slow to catch mid-quarter entitlement changes and orphaned access. The field should treat ISPM as the system that finds what the lifecycle process missed, then passes it into governance workflows. Practitioners should align detection, certification, and revocation instead of treating them as separate programmes.

Identity blast radius is the right named concept for this market shift. The article shows that the decisive question is no longer whether access exists, but how far it can spread when lifecycle controls fail. That is why full-lifecycle governance, not isolated authentication, now defines identity security maturity. Teams should measure and reduce blast radius across human, NHI, and workload identities.

From our research:

  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
  • 46% of organisations in that same report said they had confirmed a breach of non-human identities, while 26% suspected one had occurred.
  • If lifecycle control is the control gap, the next step is the NHI Lifecycle Management Guide, which focuses on provisioning, rotation, and offboarding discipline.

What this signals

Permission accumulation will remain the most under-measured identity risk in SaaS-heavy environments. The article points to a familiar failure pattern where new access is granted but old access survives. Security teams should expect auditors and attackers to focus less on sign-in hardening and more on whether mover logic actually removes stale entitlements.

Lifecycle evidence will matter more in board and audit conversations than feature breadth. Access reviews, deprovisioning logs, and revocation evidence are becoming the proof points that identity governance is working. Teams that cannot show closed-loop removal will struggle to demonstrate control maturity, even if their authentication stack is strong.

From our research: Only about 1.5 in 10 organisations are highly confident in their ability to secure NHIs, which is why identity programmes need a named concept for drift across human and machine accounts: identity blast radius. The practical signal is simple: if offboarding or role-change cleanup is still manual, the programme is carrying hidden access debt.


For practitioners

  • Unify joiner-mover-leaver logic across all app accounts: Tie provisioning, role-change cleanup, and deprovisioning into one workflow so old access is removed when new access is added. Pay special attention to app accounts and API tokens, which often survive manual offboarding.
  • Replace manual access checks with event-driven revocation: Trigger revocation from HR and identity events rather than spreadsheet-based checklists, especially when contractors move projects or leave. Manual ownership breaks down fastest when the person responsible is unavailable.
  • Treat access reviews as evidence gathering, not remediation alone: Use review campaigns to surface privileged, orphaned, and unused access, then route the result into automated removal or approval workflows. Reviews that end in a spreadsheet do not close the loop.
  • Measure permission accumulation after role changes: Track how often movers receive new access while old entitlements remain active. That metric reveals whether lifecycle governance is actually removing stale permissions or simply adding more.
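The closed-loop reconciliation these four points describe (and the mover gap and orphaned-NHI problem discussed under "Technical breakdown" and "Key questions"), as an added example that is not code from Zluri or NHIMG: one pass diffs live entitlements against the state implied by HR status and role, so a mover's stale entitlements are revoked in the same run that grants the new ones, leavers are stripped, NHIs whose accountable owner has left are surfaced, and the per-identity accumulation metric falls out of the same diff. The role policy, identities, and grant records are constructed; a real run would pull them from the HRIS, the IdP, and each application's API.

```python
"""Closed-loop joiner-mover-leaver reconciliation with NHI ownership checks.

Added example, not code from Zluri or NHIMG. The role policy, identities
and entitlement records are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed role policy: the only entitlements a role is allowed to hold.
ROLE_POLICY: Dict[str, Set[str]] = {
    "engineer": {"github:write", "aws:dev-readonly"},
    "sre": {"github:write", "aws:prod-admin", "pagerduty:oncall"},
    "finance": {"netsuite:read"},
}


@dataclass
class Identity:
    id: str
    status: str             # "active" or "terminated" (from HR)
    role: Optional[str]     # current role; None once terminated


@dataclass
class Grant:
    subject: str            # human identity id, or NHI id
    entitlement: str
    kind: str               # "human" or "nhi"
    owner: Optional[str] = None   # NHIs only: the accountable human owner


@dataclass
class Actions:
    revoke: List[Tuple[str, str]] = field(default_factory=list)
    grant: List[Tuple[str, str]] = field(default_factory=list)
    orphaned_nhi: List[Tuple[str, str]] = field(default_factory=list)


def desired_for(person: Identity) -> Set[str]:
    """Leavers get nothing; everyone else gets exactly the current role's set."""
    if person.status != "active" or person.role is None:
        return set()
    return set(ROLE_POLICY.get(person.role, set()))


def _held_by_humans(grants: List[Grant]) -> Dict[str, Set[str]]:
    held: Dict[str, Set[str]] = {}
    for g in grants:
        if g.kind == "human":
            held.setdefault(g.subject, set()).add(g.entitlement)
    return held


def reconcile(identities: List[Identity], grants: List[Grant]) -> Actions:
    """Diff live entitlements against HR-derived desired state in one pass."""
    people = {i.id: i for i in identities}
    held = _held_by_humans(grants)
    actions = Actions()

    # NHIs are orphaned when their owner is unknown or no longer active.
    for g in grants:
        if g.kind == "nhi":
            owner = people.get(g.owner or "")
            if owner is None or owner.status != "active":
                actions.orphaned_nhi.append((g.subject, g.entitlement))

    # Both directions for every person: revoke stale, grant missing.
    for pid, person in people.items():
        current = held.get(pid, set())
        desired = desired_for(person)
        actions.revoke.extend((pid, e) for e in sorted(current - desired))
        actions.grant.extend((pid, e) for e in sorted(desired - current))

    # Human grants with no HR record at all have no owner: revoke them too.
    for pid, ents in held.items():
        if pid not in people:
            actions.revoke.extend((pid, e) for e in sorted(ents))
    return actions


def permission_accumulation(identities: List[Identity], grants: List[Grant]) -> Dict[str, int]:
    """Per active identity, count of held entitlements outside the current role."""
    held = _held_by_humans(grants)
    return {i.id: len(held.get(i.id, set()) - desired_for(i))
            for i in identities if i.status == "active"}


# Constructed sample: alice moved engineer -> sre, bob left, carol just joined.
IDENTITIES = [
    Identity("alice", "active", "sre"),
    Identity("bob", "terminated", None),
    Identity("carol", "active", "finance"),
]
GRANTS = [
    Grant("alice", "github:write", "human"),
    Grant("alice", "aws:dev-readonly", "human"),     # left over from engineer role
    Grant("alice", "aws:prod-admin", "human"),
    Grant("bob", "netsuite:read", "human"),          # survived offboarding
    Grant("svc-billing-export", "netsuite:api", "nhi", owner="bob"),   # orphaned token
    Grant("svc-ci-deploy", "aws:deploy", "nhi", owner="alice"),
]

if __name__ == "__main__":
    a = reconcile(IDENTITIES, GRANTS)
    print("revoke:", a.revoke)
    print("grant:", a.grant)
    print("orphaned NHIs:", a.orphaned_nhi)
    print("accumulation:", permission_accumulation(IDENTITIES, GRANTS))
```

Two design points carry the text's argument. Desired state is derived only from HR status and role, never from what is currently held, so nothing "grandfathers in"; and NHIs are reconciled by owner rather than by their own status, which is what makes a departed owner's token visible instead of quietly surviving the leaver event.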

Key takeaways

  • The article's central point is that identity security fails when lifecycle control is fragmented across requests, reviews, and offboarding.
  • The evidence aligns with a broader NHI problem, where compromised identities and incomplete revocation keep creating repeat exposure.
  • Practitioners should focus on closed-loop lifecycle governance, especially for movers, app accounts, and API tokens that outlive ownership.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                              | Control / Reference                                      | Relevance
OWASP Non-Human Identity Top 10 (2025) | NHI1 Improper Offboarding; NHI5 Overprivileged NHI; NHI7 Long-Lived Secrets | The article centres on offboarding, permission accumulation, and stale or long-lived NHI access.
NIST CSF 2.0                           | PR.AA-05 (access permissions and entitlements managed, enforced, reviewed, least privilege) | Access enforcement and review logic align with least-privilege control maintenance. (PR.AC-4 was the CSF 1.1 identifier.)
NIST Zero Trust (SP 800-207)           | Zero trust tenets on continuous verification; account lifecycle control is NIST SP 800-53 AC-2 (Account Management) | The post emphasises continuous verification and removal of stale access.

Apply zero-trust access governance to ensure entitlements are revalidated and removed when no longer needed.


Key terms

  • Identity Security Posture Management: Continuous monitoring of identity configuration, entitlement drift, and access anomalies across users, service accounts, and applications. It shifts identity control from periodic checks to ongoing detection and remediation, so risk is found when it appears rather than at the next review cycle.
  • Joiner-Mover-Leaver: The identity lifecycle process that provisions access for new joiners, updates access when people or workloads change role, and removes access when they depart. In mature programmes, it also governs non-human identities, because tokens, app accounts, and service access can outlive the business relationship.
  • Permission Accumulation: The gradual growth of access rights over time when new entitlements are added but old ones are not removed. It is a common governance failure in lifecycle management and creates hidden privilege expansion, especially where movers or project-based access changes are handled manually.
  • Identity Blast Radius: The amount of damage or reach an identity can create if governance fails. It reflects how far a compromised or over-privileged identity can move across systems, apps, and data. The concept applies to human, non-human, and autonomous identities when access is not tightly bounded.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: Security & Compliance Identity Security Solutions in 2026: A Candid Evaluation Guide for Security Leaders. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org