By NHI Mgmt Group Editorial Team
Published 2025-12-25
Domain: Governance & Risk
Source: Zluri

TL;DR: IGA is framed as a layered security control that strengthens MFA and SSO with provisioning, deprovisioning, segregation of duties, RBAC, and automated access reviews, according to Zluri. The deeper issue is that governance only works when lifecycle controls are consistently enforced across identities, systems, and entitlements.


At a glance

What this is: This is an analysis of identity governance and administration as a layered security control, with the key finding that IGA closes lifecycle, access, and compliance gaps that MFA and SSO do not.

Why it matters: It matters because IAM programmes that stop at authentication leave provisioning, recertification, and offboarding gaps open across human, NHI, and automated identity estates.

👉 Read Zluri's analysis of IGA in a layered security approach


Context

Identity governance and administration is the control layer that decides who or what should have access, when that access begins, when it ends, and who approves changes. In a layered security model, IGA fills the gap left by MFA and SSO, because authentication does not manage entitlement lifecycle, segregation of duties, or access recertification across SaaS and enterprise systems.

The article argues that access control fails when it is treated as a one-time login problem rather than a lifecycle problem. That is the right frame for human identity, but it also maps directly to service accounts, API access, and other non-human identities that need the same governance discipline. For a broader view of those controls, see the Ultimate Guide to NHIs and the NHI Lifecycle Management Guide.


Key questions

Q: How should security teams govern access beyond MFA and SSO?

A: Security teams should treat MFA and SSO as authentication controls, not governance controls. Access should be tied to role, lifecycle state, approval workflow, and recurring certification so permissions are removed when the business need ends. Without that layer, authenticated users can still retain stale, excessive, or conflicting access.

Q: Why do identity governance controls matter for non-human identities too?

A: Non-human identities can outlive the project, workload, or vendor relationship that created them. If service accounts, API keys, or SaaS connectors are not governed through the same lifecycle logic as human access, they become standing access paths with no clear owner, review cadence, or removal trigger.

Q: What breaks when access reviews are not connected to remediation?

A: Access reviews become paperwork if findings do not trigger revocation, approval changes, or ownership correction. The common failure is knowing an entitlement is excessive and leaving it in place. Effective review programmes close the loop by linking certification results to a real access change.

Q: What is the difference between authentication and identity governance?

A: Authentication confirms that an identity can log in, while identity governance decides whether that identity should have access at all, how much access it should keep, and when that access must be removed. The first is about entry, the second is about lifecycle and accountability.


Technical breakdown

MFA and SSO do not govern entitlement lifecycle

MFA and SSO answer a narrow question: can this identity authenticate and reach the portal? They do not decide whether the account should still exist, whether its access remains appropriate, or whether the identity has accumulated privileges over time. That is why they reduce login risk but do not solve access sprawl, over-provisioning, or stale entitlements. IGA extends the control plane from authentication into governance by tying access to role, department, and lifecycle state. In practice, that means login security and entitlement security are separate problems, even if they are often sold together.

Practical implication: treat MFA and SSO as entry controls and IGA as the system that governs entitlement creation, change, and removal.

Automated provisioning and deprovisioning reduce standing access drift

Provisioning and deprovisioning are the operational core of IGA. When joiner, mover, and leaver events are handled manually, entitlements linger, role changes are applied inconsistently, and offboarding becomes a race against shadow access. Automation reduces those delays by tying access changes to workflow, role data, and approval rules. The real security value is not speed alone, but consistency. That consistency matters because access that outlives the business need for it becomes standing privilege, regardless of whether the identity is human or non-human.

Practical implication: connect lifecycle triggers to access changes so stale permissions are removed as part of the normal operating process.
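The lifecycle logic described above (joiner, mover and leaver events driving grants and revocations, with NHIs losing access when their owner leaves or their expiry passes) and the review-to-remediation loop from the "access reviews" question earlier on the page, as an added worked example. This is illustrative code written for this post, not Zluri's or NHIMG's tooling; the role map, entitlement names, identities and dates are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed RBAC map (hypothetical entitlement names): job function -> entitlements.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"erp:invoice.create", "erp:vendor.read"},
    "ap_manager": {"erp:invoice.approve", "erp:vendor.read"},
    "ci_runner": {"repo:read", "artifact:push"},
}


@dataclass
class Identity:
    name: str
    kind: str                                       # "human" or "nhi"
    roles: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)  # what target systems currently grant
    owner: Optional[str] = None                     # NHIs must name a human owner
    expires: Optional[date] = None                  # optional hard expiry (typical for NHIs)


def expected_entitlements(identity):
    """Role-derived entitlements: the only access the identity should hold."""
    return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in identity.roles))


def reconcile(identity, today):
    """Diff actual against expected. Returns (grants, revokes).
    An NHI with no owner, or any identity past its expiry, is revoked entirely:
    nobody is left to justify the access, so it must not stand."""
    orphaned = identity.kind == "nhi" and identity.owner is None
    expired = identity.expires is not None and identity.expires < today
    if orphaned or expired:
        return set(), set(identity.entitlements)
    expected = expected_entitlements(identity)
    return expected - identity.entitlements, identity.entitlements - expected


def apply_event(directory, event, name, today, new_roles=()):
    """Joiner/mover/leaver handler. Mutates the directory and returns
    {identity_name: (grants, revokes)} for every identity whose access changed."""
    ident = directory[name]
    if event in ("joiner", "mover"):
        ident.roles = set(new_roles)
    elif event == "leaver":
        ident.roles = set()
        # A leaver's NHIs lose their owner; reconcile() then revokes them.
        for other in directory.values():
            if other.kind == "nhi" and other.owner == name:
                other.owner = None
    else:
        raise ValueError(f"unknown lifecycle event: {event}")
    changes = {}
    for member in directory.values():   # reconcile the whole estate, not just the mover
        grants, revokes = reconcile(member, today)
        if grants or revokes:
            member.entitlements = (member.entitlements | grants) - revokes
            changes[member.name] = (grants, revokes)
    return changes


def certify(identity, decisions, reviewer, today):
    """Access certification that closes the loop: every 'revoke' decision is
    enforced immediately, and every decision is kept as a dated record so the
    reason access was retained or removed can be defended later."""
    revoked = {e for e, d in decisions.items()
               if d == "revoke" and e in identity.entitlements}
    identity.entitlements -= revoked
    record = [{"identity": identity.name, "entitlement": e, "decision": d,
               "reviewer": reviewer, "date": today.isoformat()}
              for e, d in decisions.items()]
    return revoked, record
```

The design point is that `apply_event` never edits entitlements directly; it only changes lifecycle state (roles, owner) and then lets `reconcile` compute the diff for the whole estate. That is what makes the removal consistent rather than merely fast: the same rule runs on every event, and an NHI whose owner has left is handled by the same pass as the leaver's own account.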

Segregation of duties and RBAC turn policy into enforceable constraints

Segregation of duties prevents a single identity from combining conflicting actions, such as creating and approving the same transaction. RBAC makes that enforceable by mapping permissions to job functions rather than ad hoc exceptions. Together, they translate policy into predictable access patterns that auditors can test and operators can review. This matters because governance failures often begin when exceptions become the norm. In layered security terms, SoD and RBAC do not merely reduce risk; they define the boundaries that make compliance possible across systems and teams.

Practical implication: use SoD and RBAC to narrow who can both request and approve high-risk actions, then review exceptions on a recurring basis.
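The SoD and RBAC mechanics just described, as an added worked example (written for this post, not Zluri's or NHIMG's code): toxic combinations are declared as sets of entitlements, a preventive check runs when a role is requested, a runtime check keeps the requester and approver apart, and exceptions are time-bound and surfaced for review. Role names, entitlement names and the exception registry are constructed for the demonstration.

```python
from datetime import date

# Constructed role map (hypothetical entitlement names). No single role is toxic on
# its own; conflicts arise when roles are combined on one identity.
ROLES = {
    "ap_clerk": {"erp:invoice.create", "erp:vendor.read"},
    "ap_manager": {"erp:invoice.approve", "erp:vendor.read"},
    "iam_provisioner": {"iam:user.create"},
    "iam_entitlement_admin": {"iam:role.grant"},
}

# Each conflict is a set of entitlements that must never sit on one identity,
# because together they let it both initiate and approve the same action.
SOD_CONFLICTS = [
    frozenset({"erp:invoice.create", "erp:invoice.approve"}),
    frozenset({"iam:user.create", "iam:role.grant"}),
]


def effective_entitlements(roles):
    """RBAC: an identity's access is the union of its roles' entitlements."""
    return set().union(*(ROLES.get(r, set()) for r in roles))


def sod_violations(entitlements):
    """Detective check: which toxic combinations does this entitlement set contain?"""
    return [c for c in SOD_CONFLICTS if c <= entitlements]


def open_violations(roles, exceptions, today):
    """Violations not covered by a documented, unexpired exception.
    exceptions: {conflict: {"approved_by": str, "expires": date}}"""
    result = []
    for conflict in sod_violations(effective_entitlements(roles)):
        exc = exceptions.get(conflict)
        if exc is None or exc["expires"] < today:
            result.append(conflict)
    return result


def check_role_request(current_roles, requested_role, exceptions, today):
    """Preventive check at provisioning time: refuse the request if the new
    role would create an uncovered conflict. Returns (allowed, conflicts)."""
    conflicts = open_violations(set(current_roles) | {requested_role}, exceptions, today)
    return not conflicts, conflicts


def approval_allowed(requester, approver, approver_roles, approve_entitlement):
    """Runtime check on a workflow step: the approver must be a different identity
    and must actually hold the approval entitlement through a role."""
    if requester == approver:
        return False
    return approve_entitlement in effective_entitlements(approver_roles)


def exceptions_due(exceptions, today, window_days=30):
    """Recurring review: exceptions that expire inside the window (or already have),
    so the approver is asked again instead of the exception quietly becoming permanent."""
    return [c for c, e in exceptions.items() if (e["expires"] - today).days <= window_days]
```

Two of these checks belong in different layers: `check_role_request` sits in the provisioning workflow and stops the conflict from being created, while `approval_allowed` sits in the business application and stops an already-conflicted identity from exploiting it. Running both is what turns the policy into a constraint rather than a statement.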


  • Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

IGA is not a substitute for authentication; it is the governance layer that prevents access from becoming unowned. MFA and SSO can verify a session, but they cannot answer whether the entitlement behind that session still belongs there. That distinction matters across human accounts and non-human identities because the risk is not just compromise; it is lingering authority. Practitioners should treat lifecycle governance as the control that gives authentication meaning.

Standing privilege is the failure mode that layered security still allows when IGA is missing. The article correctly highlights automated revocation and recertification because access that remains after a role change or departure becomes an attack surface in its own right. This is especially visible in SaaS estates where manual offboarding lags behind business change. The practitioner conclusion is straightforward: if access does not end cleanly, the control model is already broken.

Access certification is the compliance proof point that separates policy from process. Organisations often claim least privilege, but without scheduled review and remediation, that claim cannot be defended. The security issue is not only excess access; it is the absence of a repeatable decision record showing why access was retained. That is why IGA belongs in both security and audit conversations, not just identity administration.

Non-human identities inherit the same lifecycle problem, but at higher speed and lower visibility. Service accounts, API tokens, and SaaS connectors can remain active long after the business reason for them has changed. The control gap is not identity type; it is lifecycle discipline. For teams running mixed estates, the governance model must cover humans and NHIs with the same joiner-mover-leaver logic; otherwise the layered approach stops at the visible user account.

Layered security only works when each layer has a distinct job and a clear handoff to the next. The article is strongest when it treats IGA as the bridge between authentication, authorization, and operational compliance. That is the right design principle for modern identity programmes because no single control can see every risk. Practitioners should use IGA to connect policy, access decisions, and evidence generation across the stack.

From our research:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which means governance gaps often begin outside the primary identity team.
  • That visibility problem sits alongside lifecycle control gaps covered in the NHI Lifecycle Management Guide, which is the right next step for teams trying to connect provisioning, rotation, and offboarding.

What this signals

Lifecycle governance is becoming the real control boundary. As organisations add more SaaS, automation, and machine access paths, the question is no longer whether authentication works, but whether access can be created, reviewed, and removed with enough fidelity to keep pace. Teams that still separate human IAM from NHI governance will miss the common lifecycle pattern that drives both.

The practical signal is that review cycles, approval workflows, and offboarding logic need to be designed as an operating system for access, not as an audit afterthought. If the lifecycle is manual, the security model will lag the business by design. For teams building that operating model, the 52 NHI Breaches Analysis is a useful way to see how control failures turn into real exposure.

Control sprawl is now a governance problem, not just a tooling problem. MFA, SSO, IGA, and NHI controls each solve a different part of the access chain, but the programme only works when the handoffs are explicit. Practitioners should watch for orphaned approvals, stale entitlements, and unmanaged connectors as the earliest signs that the layered model is failing.


For practitioners

  • Map lifecycle ownership for every identity class: Assign a named owner for joiner, mover, and leaver decisions across human accounts, service accounts, API tokens, and SaaS connectors. If no owner exists, the access path will eventually become orphaned.
  • Automate revocation where business need ends: Tie termination, role change, and application offboarding to access removal workflows so entitlements do not survive the event that justified them. Prioritise systems where manual ticketing still drives deprovisioning.
  • Separate authentication from entitlement review: Use MFA and SSO for access entry, then run scheduled access certification to confirm the account still needs its permissions. Treat the two controls as complementary, not interchangeable.
  • Enforce segregation of duties for high-risk workflows: Block the same identity from initiating and approving sensitive actions, especially in finance, admin, and SaaS provisioning paths. Where exceptions are unavoidable, require explicit time-bound approval and review.

Key takeaways

  • IGA closes the gap between authentication and access governance by managing provisioning, deprovisioning, recertification, and segregation of duties.
  • MFA and SSO reduce login risk, but without lifecycle controls they leave stale entitlements and standing privilege in place.
  • Practitioners should connect review, remediation, and offboarding so policy becomes an enforceable access process, not an audit statement.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
NIST CSF 2.0                     | PR.AC-4             | Access permissions must be governed beyond authentication in layered security.
OWASP Non-Human Identity Top 10  | NHI-03              | Lifecycle drift in non-human credentials mirrors the article's revocation gap.
NIST Zero Trust (SP 800-207)     |                     | Layered security depends on continuous verification, not one-time login trust.

Map entitlement governance to PR.AC-4 and verify access changes are enforced, not just approved.


Key terms

  • Identity Governance And Administration: Identity governance and administration is the discipline that decides who or what should have access, how that access is approved, and when it is removed. It connects policy, workflow, and evidence so access decisions are repeatable, auditable, and tied to business need rather than static entitlements.
  • Segregation Of Duties: Segregation of duties is a control that prevents one identity from carrying out conflicting tasks in the same process. It reduces fraud and error by splitting initiation, approval, and execution across different roles or identities, and it is as relevant to service accounts and workflows as it is to human users.
  • Access Certification: Access certification is a recurring review process that confirms whether an entitlement should remain in place. The control only works when review results can trigger removal, correction, or escalation, otherwise it becomes documentation without enforcement.
  • Standing Privilege: Standing privilege is access that remains active beyond the moment it is needed. It is a governance problem because persistent entitlements expand attack surface, weaken accountability, and make offboarding or remediation harder across both human and non-human identities.

Deepen your knowledge

IGA lifecycle governance and access certification are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are aligning human and non-human access controls under one governance model, it is worth exploring.

This post draws on content published by Zluri: Security & Compliance Role of IGA in a Layered Approach to Security. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org