TL;DR: Fragmented identity tooling creates blind spots, weak audit evidence, and delayed incident response because access data, approvals, and logs live in separate systems, according to Cerbos’s discussion with 1Kosmos advisor Giao Nguyen. Continuous governance matters because IAM maturity is no longer about how many tools you have, but whether you can prove and enforce access decisions in real time.
At a glance
What this is: This is a Cerbos analysis of IAM sprawl, showing that fragmented identity tooling creates false confidence, audit friction, and security blind spots.
Why it matters: It matters because IAM teams across human, NHI, and autonomous-agent programmes need a single control view, traceable decisions, and continuous governance rather than periodic checkbox reviews.
By the numbers:
- 84% of companies suffered an identity-related breach in 2021.
👉 Read Cerbos's blog on continuous governance for fragmented IAM
Context
IAM sprawl happens when identity data, approvals, and policy enforcement are spread across too many systems to produce a reliable control picture. In practice, that means security teams can provision access but still struggle to explain who approved it, where it is used, or whether it was removed when it should have been.
The primary governance failure is not a lack of tooling. It is the absence of a trustworthy, continuously updated identity record that can support audits, incident response, and access decisions without manual reconciliation.
This is a classic identity operations problem in human IAM, and the same pattern shows up again in NHI programmes when service accounts, tokens, and cloud entitlements are managed in separate consoles with no shared oversight.
Key questions
Q: How should security teams reduce IAM sprawl without disrupting operations?
A: Start by inventorying every system that stores identity data, approvals, or entitlements, then identify which source is authoritative for each decision. Consolidate the most security-critical data first, such as privileged roles and production access, so teams can improve control visibility without redesigning the whole programme at once.
Q: Why do fragmented identity systems create audit and security risk?
A: Fragmented systems break the chain between access, approval, and evidence. When logs, policies, and entitlements live in separate places, teams cannot easily prove who approved a change, detect stale access quickly, or show that controls are working continuously rather than only at audit time.
Q: What do organisations get wrong about access reviews?
A: They often treat access reviews as proof of control maturity, when they are really only snapshots. If entitlements drift between review cycles, a clean quarterly review can still sit alongside unmanaged access, orphan accounts, and weak traceability for most of the year.
Q: Who should own continuous governance across IAM and NHI programmes?
A: Ownership should sit with identity governance and security leadership together, because the control problem spans data quality, policy enforcement, logging, and lifecycle management. That shared ownership becomes even more important as the same governance gaps begin to affect service accounts, tokens, and other NHIs.
Technical breakdown
Identity data silos and the false source of truth
Modern IAM environments often accumulate HR directories, AD, SSO, cloud IAM, and governance tools that each hold partial truth. A single user may be disabled in one place and still active in another, while approval history lives in tickets or email rather than in the control plane. The result is not just complexity, but a broken evidentiary chain. Without a consolidated identity record, teams cannot answer basic questions such as who approved access, which entitlements remain active, or whether a policy change actually propagated everywhere.
Practical implication: build an integrated identity inventory before you chase new policy features.
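The divergence described above can be made mechanical once the sources are inventoried. The following is an added example (not Cerbos's or NHIMG's code) that reconciles constructed HR, directory and cloud IAM records, treats HR as the authoritative source for employment status (itself an assumption), and emits one finding per break in the evidence chain. The identifiers (alice, svc-build, the group and role names) and the choice of which groups count as privileged are sample data invented for the illustration.

```python
"""Reconcile identity state across siloed sources and flag where it diverges.

Added example, not Cerbos's or NHIMG's code. The HR, directory (AD) and
cloud IAM records below are constructed sample data; in practice they come
from an HRIS export, an LDAP query and a cloud IAM listing. HR is treated as
authoritative for employment status, which is itself an assumption.
"""
from dataclasses import dataclass

# Group/role names that count as privileged (assumed for the example).
PRIVILEGED = frozenset({"prod-admins", "prod-admin"})

HR = {  # employment status and manager of record (the approver anchor)
    "alice": {"status": "active", "manager": "carol"},
    "bob":   {"status": "terminated", "manager": "carol"},
    "carol": {"status": "active", "manager": "dave"},
}
AD = {  # directory objects: enabled flag and group memberships
    "alice":     {"enabled": True, "groups": ["prod-admins", "staff"]},
    "bob":       {"enabled": True, "groups": ["staff"]},        # leaver still enabled
    "carol":     {"enabled": True, "groups": ["staff"]},
    "svc-build": {"enabled": True, "groups": ["prod-admins"]},  # no HR anchor
}
CLOUD = {  # cloud IAM role bindings keyed by principal
    "alice": ["viewer"],
    "bob":   ["prod-admin"],      # stale privileged binding for a leaver
    "erin":  ["billing-admin"],   # exists in no other source
}


@dataclass(frozen=True)
class Finding:
    user: str     # identity concerned
    kind: str     # divergence category
    detail: str   # explanation kept with the audit record


def reconcile(hr, ad, cloud, privileged=PRIVILEGED):
    """Return one Finding per break in the identity evidence chain."""
    findings = []
    for uid in sorted(set(hr) | set(ad) | set(cloud)):
        hr_rec, ad_rec, roles = hr.get(uid), ad.get(uid), cloud.get(uid, [])
        present_in = [s for s, v in (("AD", ad_rec), ("cloud", roles)) if v]
        if hr_rec is None:
            # No HR anchor: either an orphan human account or an NHI that needs
            # its own owner record, which a human-only HR feed cannot supply.
            findings.append(Finding(uid, "orphan", f"no HR record; present in {', '.join(present_in)}"))
            continue
        if hr_rec["status"] == "terminated":
            if ad_rec and ad_rec["enabled"]:
                findings.append(Finding(uid, "leaver-enabled", "terminated in HR but enabled in AD"))
            if roles:
                findings.append(Finding(uid, "leaver-entitled", f"terminated in HR but still bound to {sorted(roles)}"))
            continue
        if ad_rec is None:
            findings.append(Finding(uid, "missing-directory", "active in HR but has no AD object"))
        privs = ((set(ad_rec["groups"]) if ad_rec else set()) | set(roles)) & privileged
        if privs:
            # Privileged access must be traceable to an approver; the HR manager is
            # the minimum anchor when no ticket reference is available.
            findings.append(Finding(uid, "privileged", f"holds {sorted(privs)}; approver of record: {hr_rec['manager']}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR, AD, CLOUD):
        print(f"{f.user:<10} {f.kind:<18} {f.detail}")
```

Run against the sample data this yields five findings: alice's privileged group with its approver of record, two for bob (enabled in AD and still bound to a cloud role after termination), and two orphans (erin in cloud IAM, svc-build in AD) that no HR record can vouch for. The point is that none of these are visible from any single console; they only appear when the sources are joined on one key.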
Continuous governance vs periodic access reviews
Periodic reviews only prove that a process exists at a point in time. Continuous governance instead treats every access change, entitlement update, and policy decision as an event that must be evaluated and logged immediately. That matters because stale entitlements, orphaned accounts, and privileged access drift accumulate between review cycles. In NIST CSF terms, this shifts identity from a quarterly compliance activity into an ongoing protect and detect function. The mechanism is not the review itself, but the traceable, real-time state that the review depends on.
Practical implication: move critical identity domains to near-real-time logging and shorter review intervals.
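What "every access change as an event" looks like in practice, as an added example (not Cerbos's or NHIMG's code): each grant, revoke, leaver and login event is evaluated the moment it arrives and appended to an audit log with the verdict reached at that time, and a time-based checkpoint catches the things no single event can, namely leaver access that outlives its revocation SLA and entitlements nobody has used. The event schema, the 24-hour SLA, the 30-day dormancy window and the event stream itself are assumptions constructed for the illustration.

```python
"""Evaluate identity events as they arrive rather than at the next review.

Added example, not Cerbos's or NHIMG's code. The event schema, the 24-hour
revocation SLA and the 30-day dormancy window are assumptions for the
illustration, and the event stream is constructed sample data normalised
from what an IdP, directory, cloud IAM and ticketing system would emit.
"""
from datetime import datetime, timedelta

REVOCATION_SLA = timedelta(hours=24)   # assumed: leaver access gone within a day
DORMANCY_WINDOW = timedelta(days=30)   # assumed: entitlement unused for 30 days is dormant

EVENTS = [  # constructed, in arrival order
    {"ts": "2026-01-05T09:00:00", "type": "grant", "principal": "alice", "entitlement": "prod-admin", "approval": "CHG-1042"},
    {"ts": "2026-01-05T09:05:00", "type": "grant", "principal": "bob", "entitlement": "prod-admin", "approval": None},
    {"ts": "2026-01-06T10:00:00", "type": "login", "principal": "alice"},
    {"ts": "2026-01-20T17:00:00", "type": "leaver", "principal": "bob"},
    {"ts": "2026-01-23T08:00:00", "type": "revoke", "principal": "bob", "entitlement": "prod-admin", "approval": "CHG-1100"},
    {"ts": "2026-02-01T12:00:00", "type": "grant", "principal": "carol", "entitlement": "finance-ro", "approval": "CHG-1120"},
]


def _ts(value):
    return datetime.fromisoformat(value) if isinstance(value, str) else value


class GovernanceState:
    """Live identity state updated per event, plus an append-only decision log."""

    def __init__(self):
        self.entitlements = {}  # principal -> {entitlement: {"approval": ..., "granted": datetime}}
        self.leavers = {}       # principal -> leave timestamp
        self.last_login = {}    # principal -> last login timestamp
        self.audit_log = []     # one record per event, with what was raised at the time
        self.findings = []      # (principal, kind, entitlement)

    def apply(self, ev):
        """Evaluate a single event immediately and record the verdict."""
        ts, p, kind = _ts(ev["ts"]), ev["principal"], ev["type"]
        raised = []
        if kind == "grant":
            ent = ev["entitlement"]
            self.entitlements.setdefault(p, {})[ent] = {"approval": ev.get("approval"), "granted": ts}
            if not ev.get("approval"):
                raised.append((p, "grant-without-approval", ent))
            if p in self.leavers:
                raised.append((p, "grant-after-leave", ent))
        elif kind == "revoke":
            ent = ev["entitlement"]
            self.entitlements.get(p, {}).pop(ent, None)
            left = self.leavers.get(p)
            if left is not None and ts - left > REVOCATION_SLA:
                raised.append((p, "revocation-late", ent))
        elif kind == "leaver":
            self.leavers[p] = ts
        elif kind == "login":
            self.last_login[p] = ts
        else:
            raise ValueError(f"unknown event type {kind!r}")
        self.findings.extend(raised)
        self.audit_log.append({"ts": ts.isoformat(), "event": ev, "raised": [r[1] for r in raised]})
        return raised

    def checkpoint(self, now):
        """Time-based checks that no single event can trigger on its own."""
        now, raised = _ts(now), []
        for p, ents in self.entitlements.items():
            for ent, meta in ents.items():
                left = self.leavers.get(p)
                if left is not None and now - left > REVOCATION_SLA:
                    raised.append((p, "revocation-overdue", ent))
                last_activity = max(self.last_login.get(p, meta["granted"]), meta["granted"])
                if now - last_activity > DORMANCY_WINDOW:
                    raised.append((p, "dormant", ent))
        self.findings.extend(raised)
        return raised


def run(events, now):
    state = GovernanceState()
    for ev in events:
        state.apply(ev)
    state.checkpoint(now)
    return state


if __name__ == "__main__":
    for p, kind, ent in run(EVENTS, "2026-02-10T00:00:00").findings:
        print(f"{p:<8} {kind:<24} {ent}")
```

Against the sample stream the engine raises bob's unapproved grant at the moment it is observed, flags his revocation as late because it landed more than a day after the leaver event, and at the checkpoint reports alice's privileged entitlement as dormant. A quarterly review of the same data would show only the end state: bob has no access and alice is an approved admin, with the two control failures invisible.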
Policy as code and unified authorization layers
Policy as code externalises access rules so applications and infrastructure consult the same decision logic instead of each enforcing its own local interpretation. That creates consistency across environments and preserves a machine-readable record of why a decision was allowed or denied. For IAM teams, the technical value is less about automation speed and more about removing policy drift between systems. When rules are versioned, centrally enforced, and logged, auditors can trace an access decision back to a specific control statement rather than a human memory or spreadsheet.
Practical implication: centralise access rules and make every privileged decision traceable to policy logic.
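A minimal version of such a unified decision point, as an added example that is not Cerbos's engine or policy format: rules are plain data kept in version control, the engine computes a content hash of the policy in force, and every verdict is logged with the rule that produced it and that hash, so an auditor can walk from a logged decision back to a specific control statement. The rule schema, the rule and resource identifiers (prod-admin-ops, prod-db) and the sample principals are assumptions made for the illustration.

```python
"""A minimal policy-as-code decision point with a traceable decision log.

Added example, not Cerbos's engine or its policy format. The rule schema,
rule identifiers (such as "prod-admin-ops"), the resource name "prod-db"
and the sample principals are assumptions made for the illustration.
"""
import hashlib
import json
from dataclasses import dataclass, asdict

# Rules are data that lives in version control next to the code that enforces them.
POLICY = {
    "name": "production-access",
    "rules": [
        {"id": "prod-read-staff", "effect": "allow", "roles": ["staff"],
         "resource": "prod-db", "actions": ["read"]},
        {"id": "prod-admin-ops", "effect": "allow", "roles": ["sre"],
         "resource": "prod-db", "actions": ["read", "write", "drop"],
         "condition": {"attr": "change_ticket", "required": True}},
        {"id": "deny-contractor-write", "effect": "deny", "roles": ["contractor"],
         "resource": "prod-db", "actions": ["write", "drop"]},
    ],
}

# Constructed principals; roles and attributes would normally come from the IdP.
ALICE = {"id": "alice", "roles": ["staff"]}
BOB = {"id": "bob", "roles": ["sre"], "attrs": {"change_ticket": "CHG-7"}}
CAROL = {"id": "carol", "roles": ["contractor", "staff"]}


def policy_version(policy):
    """Content hash of the canonical policy; every decision record points at it."""
    canon = json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()[:12]


@dataclass(frozen=True)
class Decision:
    principal: str
    resource: str
    action: str
    effect: str          # "allow" or "deny"
    rule_id: str         # rule that produced the verdict, or "default-deny"
    policy_version: str  # hash of the policy that was in force


class PolicyDecisionPoint:
    """One engine that every application and pipeline consults."""

    def __init__(self, policy):
        self.policy = policy
        self.version = policy_version(policy)
        self.log = []  # append-only; in production this is shipped to the SIEM

    @staticmethod
    def _matches(rule, principal, resource, action):
        if rule["resource"] != resource or action not in rule["actions"]:
            return False
        if not set(rule["roles"]) & set(principal["roles"]):
            return False
        cond = rule.get("condition")
        if cond and cond.get("required") and not principal.get("attrs", {}).get(cond["attr"]):
            return False  # e.g. privileged operations require a change ticket
        return True

    def decide(self, principal, resource, action):
        allow_rule = deny_rule = None
        for rule in self.policy["rules"]:
            if not self._matches(rule, principal, resource, action):
                continue
            if rule["effect"] == "deny":
                deny_rule = rule["id"]  # an explicit deny always wins
                break
            allow_rule = allow_rule or rule["id"]
        if deny_rule:
            effect, rule_id = "deny", deny_rule
        elif allow_rule:
            effect, rule_id = "allow", allow_rule
        else:
            effect, rule_id = "deny", "default-deny"  # nothing matched: closed by default
        decision = Decision(principal["id"], resource, action, effect, rule_id, self.version)
        self.log.append(asdict(decision))
        return decision


if __name__ == "__main__":
    pdp = PolicyDecisionPoint(POLICY)
    for who, action in ((ALICE, "read"), (ALICE, "write"), (BOB, "drop"), (CAROL, "write")):
        d = pdp.decide(who, "prod-db", action)
        print(f"{d.principal:<6} {d.action:<6} {d.effect:<5} via {d.rule_id} @ {d.policy_version}")
```

Two properties carry the audit value. Changing any rule changes the policy hash, so a logged decision can be matched to the exact policy revision that produced it rather than to whatever is deployed today; and a privileged allow (bob's drop) records both the rule and the condition that had to hold (a change ticket on the principal), which is the "who approved it" link the page says fragmented tooling loses.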
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity sprawl is not primarily a tooling problem; it is a control coherence problem. When identity data is scattered across HR systems, directories, cloud consoles, and governance tools, organisations lose the ability to prove what is true at any given moment. That weakens both audit readiness and day-to-day security operations. The practical conclusion is that governance fails when truth is fragmented.
Continuous governance is the operating model that fragmented IAM has been pretending to be. Quarterly access reviews and annual audits do not compensate for stale entitlements, orphan accounts, or untracked approval paths that persist between checkpoints. This is why control maturity should be measured by continuous traceability, not tool count. Practitioners need to treat identity evidence as a live control surface.
Identity blast radius is the concept this article puts a name to. The more systems that hold inconsistent identity state, the larger the set of places where a bad entitlement, delayed removal, or weak approval can create exposure. That blast radius is visible in audits, incidents, and governance disputes alike. The practitioner takeaway is to reduce the number of places where identity truth can diverge.
Continuous governance should be understood as a lifecycle discipline, not a reporting feature. Access decisions, policy changes, and revocations all need to be part of one traceable chain across joiner, mover, and leaver events. When that chain breaks, organisations fall back to manual evidence collection and reactive remediation. The conclusion is simple: lifecycle control is the governance backbone, not an afterthought.
This pattern becomes more dangerous when the same fragmentation spreads into NHI governance. Service accounts, API keys, and cloud entitlements amplify the problem because they are often more numerous, less visible, and less consistently reviewed than human access. The field should read this as a warning that human IAM weaknesses become NHI failures quickly. Practitioners should unify governance before identity sprawl crosses actor types.
From our research:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- For a lifecycle view of how identity evidence and revocation should work in practice, see NHI Lifecycle Management Guide and apply the same discipline to service accounts and access reviews.
What this signals
Identity blast radius: when identity data is split across too many consoles, one bad entitlement can linger in multiple places long after the original change. That is the governance gap practitioners need to shrink first, because better reporting alone does not reduce exposure unless the underlying systems converge on the same state. For the standards side of the house, align the control model to NIST Cybersecurity Framework 2.0 and make traceability a continuous function, not an annual exercise.
The same fragmentation that creates audit pain in human IAM becomes far more dangerous once NHI estates start to scale. With only 15% of organisations (1.5 in 10) highly confident in securing NHIs, the market signal is that identity governance is shifting from periodic review to persistent control. Practitioners should expect pressure to unify human and machine identity evidence in the same operational view.
For teams planning their next governance increment, the next step is not another isolated console. It is a control layer that can express policy once, evaluate it everywhere, and preserve the evidence chain across directories, cloud roles, and privileged workflows. That is where lifecycle management, authorization, and compliance begin to converge in a way auditors can actually follow.
For practitioners
- Inventory every identity system and approval source: Map where identity data lives, which system is authoritative for each attribute, and where approvals are recorded. Include HR, directories, cloud IAM, ticketing, and governance tools so you can spot missing links in the evidence chain.
- Create a single traceable record for access changes: Tie every privileged change to an approval, ticket, policy reference, and timestamp so auditors and responders can reconstruct who changed what and why without manual spreadsheet work.
- Shift high-risk access into continuous monitoring: Start with production systems, finance data, and privileged admin roles, then add automated alerts for dormant accounts, unusual role grants, and policy violations across those domains.
- Codify access rules instead of scattering them across tools: Move repeated decisions such as expiry, approval routing, and privileged role assignment into policy-as-code so the same rule is enforced consistently across platforms.
Key takeaways
- IAM sprawl creates a control coherence problem, not just a tooling problem, because identity truth becomes fragmented across systems.
- Periodic audits can coexist with unmanaged access, so continuous governance is the only model that reliably closes the evidence gap.
- The practical response is to unify identity records, make access decisions traceable, and move critical entitlements into continuous monitoring.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (the CSF 1.1 identifier was PR.AC-4) | Access permissions and entitlements must be defined in policy, managed, enforced and reviewed, and remain traceable across fragmented IAM systems. |
| NIST Zero Trust (SP 800-207) | Tenets of Zero Trust (Section 2.1); policy decision point / policy enforcement point model | Zero Trust depends on current, verifiable identity state across systems; the policy decision point can only enforce what it can see. |
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI7:2025 Long-Lived Secrets | Lifecycle and rotation discipline will matter as fragmented governance spreads to NHI. |
Map identity approvals and entitlements to PR.AA-05 and verify changes are continuously logged.
Key terms
- Identity Sprawl: Identity sprawl is the uncontrolled spread of identity systems, directories, policy engines, and approval paths across an environment. It creates multiple partial versions of truth, making it difficult to know which access is active, who approved it, and whether revocation actually happened.
- Continuous Governance: Continuous governance is the practice of evaluating and recording identity decisions in real time rather than at periodic checkpoints. It keeps access, approvals, and policy state continuously traceable so audit evidence and operational enforcement stay aligned.
- Policy as Code: Policy as code means writing access rules in a machine-readable form that systems can evaluate consistently. In identity governance, it reduces drift between applications, preserves decision history, and gives teams a durable control reference instead of scattered local rules.
- Identity Blast Radius: Identity blast radius is the amount of exposure created when identity truth diverges across systems. The wider the divergence, the more places a stale entitlement, bad approval, or delayed revocation can cause security, compliance, or operational harm.
Deepen your knowledge
Identity sprawl and continuous governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a governance programme from a fragmented starting point, it is worth exploring.
This post draws on content published by Cerbos: Continuous governance for fragmented IAM and visibility blind spots. Read the original.
Published by the NHIMG editorial team on 2026-03-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org