By NHI Mgmt Group Editorial TeamPublished 2026-07-01Domain: Governance & RiskSource: StackBob

TL;DR: Most IGA programmes govern only 13% to 15% of the application estate, leaving the rest to manual handling, and StackBob estimates that a 1,000-person organisation can absorb $12.9M in five-year costs, with 91.7% tied to the governance gap rather than platform spend. The real issue is not licence cost, but the operational, audit, and productivity drag created when access sits outside lifecycle control.


At a glance

What this is: This analysis argues that the hidden cost of IGA is the unmanaged application estate, not the platform licence itself.

Why it matters: For IAM, IGA, and identity lifecycle teams, the finding reframes governance as a coverage problem because manual exceptions drive cost, delay, and audit exposure across human, NHI, and autonomous access patterns.

By the numbers:

👉 Read StackBob's analysis of the IGA governance gap cost model


Context

IGA programmes are often measured by platform deployment, but the more revealing metric is estate coverage. In practice, governance stops where connectors stop, and the remainder shifts to manual provisioning, scattered approvals, and inconsistent access review coverage. That creates an identity lifecycle gap, not just an operational inconvenience.

For enterprises, the gap matters because access governance is only as strong as the applications it can actually reach. The broader the mix of SCIM-less SaaS, legacy tools, custom apps, and shadow IT, the more likely lifecycle control becomes fragmented across helpdesk queues and local owners.

This is why IGA coverage should be treated as a programme design issue rather than a tooling statistic. The central question is not how many apps the platform manages, but how much of the identity estate still sits outside governed workflows.


Key questions

Q: What breaks when IGA does not cover the full application estate?

A: When IGA does not cover the full application estate, joiner, mover, leaver processes fall back to manual handling, access reviews become inconsistent, and audit evidence fragments across local owners and ticket queues. The result is slower fulfilment, higher remediation effort, and a governance model that looks complete on paper but not in practice.

Q: Why do ungoverned applications increase identity lifecycle cost so much?

A: Ungoverned applications increase identity lifecycle cost because every access change requires human intervention. That adds helpdesk time, approver overhead, delay, and remediation work, while also increasing the chance of stale access and failed audit evidence. The cost grows because the exception becomes the operating model instead of the edge case.

Q: How can security teams tell whether IGA coverage is actually working?

A: Security teams can tell IGA coverage is working when access changes flow through automated lifecycle events, certification evidence is consistent, and manual tickets drop for the applications in scope. If significant parts of the estate still depend on email, spreadsheets, or local admin action, governance is partial rather than effective.

Q: Who is accountable for applications that sit outside IGA governance?

A: Accountability should sit with the application owner, IAM leadership, and the control owner responsible for lifecycle evidence. If an application is excluded from governance, that exception still needs a named owner, documented rationale, and a remediation plan. Otherwise, the organisation is accepting unmanaged access as a permanent state.


Technical breakdown

Why IGA coverage gaps create hidden operating cost

IGA is meant to automate joiner, mover, leaver processes, entitlement reviews, and access certification across the application estate. When an application cannot be connected, those workflows do not disappear, they move into manual queues. That introduces labour cost, slower fulfilment, higher error rates, and inconsistent evidence for audit. The model in this article shows why platform cost is only one slice of the total. The rest comes from the labour required to maintain access outside the governed path. Practical implication: measure IGA success by the proportion of apps under automated lifecycle control, not by licence deployment alone.

Practical implication: quantify the cost of manual fulfilment for every ungoverned application and treat that as a governance debt line item.

How manual JML handling distorts identity lifecycle management

Joiner, mover, leaver processes are only effective when they execute consistently at scale. For ungoverned applications, each JML event becomes a ticket, a chase, or an exception handled by app owners and helpdesk staff. That creates delay and weakens the assurance that access was granted, changed, or removed at the right point in the lifecycle. The result is not just inefficiency. It is a control environment where evidence quality varies by application. Practical implication: map which applications still depend on manual JML handling and isolate them as lifecycle exceptions, not normal operations.

Practical implication: identify every application still using tickets for JML and track it as a control gap until automated workflow coverage exists.

Why the governance gap becomes an audit and access risk

Ungoverned applications are harder to certify, harder to prove, and more likely to generate findings because the access state is distributed across emails, spreadsheets, and local records. That weakens the audit trail and makes certification campaigns less reliable. It also creates a broader risk surface because access decisions are no longer tied to a single source of truth. The important point is that the governance gap is structural, not incidental. Practical implication: treat apps without lifecycle integration as separate audit populations with their own evidence and remediation paths.

Practical implication: build a distinct audit population for non-integrated apps and require evidence of ownership, access review, and offboarding completeness.


Threat narrative

Attacker objective: The objective is to exploit weak lifecycle control and unresolved access states to maintain unauthorized or delayed access inside the ungoverned application estate.

  1. Entry occurs when an application sits outside the IGA connector scope and access is created through manual fulfilment rather than governed workflow.
  2. Escalation happens as standing access, delayed removals, and ad hoc approvals accumulate across SCIM-less, API-less, or shadow applications.
  3. Impact appears as increased audit findings, delayed JML execution, and measurable productivity loss when users wait for access that should have been lifecycle-managed.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

IGA coverage gaps are a control-cost problem, not a tooling footnote. The article correctly shifts attention away from platform licence spend and toward the hidden cost of the applications that never enter governance. In identity programmes, the financial drag usually comes from what remains manual, not from what was bought. Practitioners should evaluate IGA as a coverage and operating model issue, not as a procurement line item.

Identity lifecycle governance fails when the estate is larger than the connector map. Joiner, mover, leaver processes can only work where the system of record reaches the system of enforcement. When it does not, access decisions fragment into tickets, local ownership, and delayed fulfilment. The implication is that lifecycle governance needs a full estate inventory, not just a successful implementation project.

Ungoverned applications create identity debt that compounds over time. Each manual exception adds latency, labour, and evidence weakness, which then drives more exceptions because the programme appears too expensive to extend. That is a self-reinforcing governance loop, not an isolated operational nuisance. Practitioners should treat uncaptured applications as accumulated identity debt, not as low-priority leftovers.

Coverage gaps affect human IAM, NHI, and autonomous systems through the same governance failure pattern. Whether the ungoverned object is a person, a service account, or an AI-driven workflow, the root issue is the same: access exists outside consistent lifecycle control. That means the programme design problem crosses actor types, and practitioners should stop assuming human-centric governance models are enough on their own.

Coverage gap economics will keep pushing IGA toward broader lifecycle orchestration. The market signal here is not simply demand for more automation. It is demand for governance that can absorb legacy apps, shadow estates, and non-standard access paths without turning every exception into a manual work queue. Practitioners should expect lifecycle orchestration, not connector count alone, to become the more relevant benchmark.

From our research:

What this signals

Coverage gap economics will push identity teams toward estate-wide lifecycle measurement. The practical signal is that programme success will be judged less by whether the core platform is live and more by how much of the application estate has been brought under repeatable control. The organisations that can tie manual effort to governed exceptions will be able to justify extension projects without relying on breach rhetoric.

The same governance logic now spans human access, NHI administration, and emerging autonomous workflows. As ungoverned apps accumulate, so does identity debt, and that debt eventually shows up as slower access delivery, weaker evidence, and more exceptions in every lifecycle process.

With more than 1 in 5 non-human identities judged insufficiently secured in our research, the issue is already a governance baseline rather than a special case, according to 2024 ESG Report: Managing Non-Human Identities. Teams should expect leadership to ask for coverage metrics, not just platform status updates.


For practitioners

  • Measure governance coverage by application estate, not deployment status. Build a complete inventory of applications, then classify each one by whether joiner, mover, leaver, certification, and offboarding workflows are actually enforced. Use the gap between total estate and governed estate as the core programme metric, because that gap drives manual effort and audit exposure. Create an explicit exception list for SCIM-less and API-less applications.
  • Quantify manual fulfilment cost for every ungoverned application. Track helpdesk time, approver time, delay impact, and remediation work for apps outside lifecycle automation. This turns hidden operating friction into a budgetable control gap and gives finance leaders a basis for prioritising extension projects. Separating labour cost from platform cost makes the governance gap visible.
  • Prioritise lifecycle extension where access delay is most expensive. Start with application groups that create the most JML tickets, the longest fulfilment queues, or the highest audit finding rates. Target those systems first because they deliver the clearest cost reduction and the fastest evidence improvement. Use the reduction in manual queue volume as the success measure, not just connector count.

Key takeaways

  • The real cost in IGA programmes is the unmanaged application estate, because manual governance consumes far more than licence spend.
  • When joiner, mover, leaver processes fall back to tickets and local owners, audit risk and productivity loss rise together.
  • The most defensible response is to measure coverage, quantify manual effort, and extend lifecycle control to the highest-friction applications first.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03The article centres on incomplete NHI lifecycle coverage and manual exception handling.
NIST CSF 2.0PR.AC-1Access provisioning and governance coverage align with managing who has access to what.
NIST Zero Trust (SP 800-207)AC-4Zero Trust requires consistent, policy-based access enforcement, which manual app handling undermines.

Map ungoverned applications to NHI-03 and close lifecycle gaps where access still depends on manual fulfilment.


Key terms

  • Identity governance coverage: The share of an organisation's application and identity estate that is actually under automated lifecycle control. Coverage is stronger than deployment status because it reflects whether joiner, mover, leaver, certification, and offboarding actions are consistently enforced across the real estate.
  • Ungoverned application: An application that sits outside the normal identity governance workflow and therefore relies on manual provisioning, ad hoc approvals, or local administration. These apps often create hidden cost, weaker evidence, and slower access because the lifecycle process is fragmented or absent.
  • Identity debt: The accumulated operational and governance cost created when identity controls do not reach the full estate. It grows through manual exceptions, delayed offboarding, inconsistent review evidence, and fragmented ownership, eventually making the programme more expensive to operate than its initial design suggested.

What's in the full article

StackBob's full article covers the operational detail this post intentionally leaves for the source:

  • The five-category cost model behind the $12.9M estimate, including professional services, licence, internal labour, audit findings, and access delays.
  • The working assumptions for a 1,000-person enterprise, including application counts, governed versus ungoverned coverage, and growth rates.
  • The calculation method for manual provisioning, audit remediation, and productivity loss, useful if you want to test the model against your own estate.
  • The cost comparison between extending governance to additional applications and leaving the manual queue in place.

👉 StackBob's full article breaks down the cost assumptions, manual effort, and access delay model in detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-07-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org