TL;DR: Legacy IGA tools often reduce governance to tickets and audit evidence, while the real security question is whether a single compromised identity can be mapped and contained before lateral movement spreads, according to Linx Security. The governance test is no longer access review volume but blast-radius visibility and automated remediation speed.
At a glance
What this is: This is an analysis of how IGA solutions should be evaluated for security outcomes, with blast-radius visibility and automated remediation as the key finding.
Why it matters: It matters because IAM, NHI, and identity lifecycle teams need governance controls that reduce exploitability, not just generate review artifacts.
👉 Read Linx Security's IGA evaluation guide for blast-radius and lifecycle controls
Context
Identity governance and administration is supposed to answer a simple question: who has access to what, and what happens when that access changes or is abused? In practice, many IGA programmes still optimise for workflow completion and audit output rather than security containment, which leaves overprivileged identities as a lateral movement path.
The article argues that modern IGA should expose relationship context, entitlement risk, and revocation speed across human and non-human identities. That matters because the same governance pattern that fails for a former employee with lingering access also fails for service accounts, contractors, and principals with chained permissions.
Key questions
Q: What breaks when IGA only tracks assigned access instead of reachable access?
A: You lose sight of how far a compromised identity can move through nested roles, inherited permissions, and chained accounts. That means the governance view can look clean while the actual blast radius remains wide. Security teams should prioritize relationship-aware modelling that shows reachable systems, not just entitlement records.
Q: Why do revocation tickets create security risk in identity governance?
A: Because a ticket records intent, not containment. If the access remains active while the request waits in a queue, the identity still has usable privileges and the exposure window stays open. Teams should require verified execution, not just workflow completion, before treating revocation as effective.
Q: How do security teams know if an IGA platform is actually reducing blast radius?
A: Look for evidence that the platform can model indirect access paths, flag risky entitlements in context, and remove access through connected systems without manual handoffs. If it only produces reports or tickets, it is improving administration more than security. The control should shorten exposure, not document it.
Q: How should organisations govern non-human identities in the same lifecycle as users?
A: They should treat service accounts, tokens, and other non-human identities as first-class governed objects with provisioning, review, and revocation controls. The key difference is that these identities often persist longer than the people or systems that created them, so lifecycle drift can become a hidden attack path if it is not reviewed alongside human access.
Technical breakdown
Why blast radius is the real IGA security test
Blast radius is the amount of damage a compromised identity can reach through direct and inherited permissions. In flat or ticket-driven governance models, you can see that access exists, but not how far it extends across nested groups, service accounts, and application relationships. Graph-native models change this by traversing paths between identities, entitlements, and resources. That is a security problem, not a reporting problem, because attack containment depends on understanding exposure before compromise becomes movement across the environment.
Practical implication: choose governance tooling that can show reachable permissions and dependency paths, not just entitlement lists.
How revocation latency turns governance into exposure
IGA systems often create a review decision and then hand execution to a separate workflow queue. That separation creates a delay between policy intent and actual access removal, which is exactly where risk accumulates. If revocation is only a ticket, the identity remains effective until someone completes the change elsewhere. Mature governance closes that loop by verifying that the entitlement was actually removed and by preserving evidence that the action completed successfully.
Practical implication: measure revocation time as a security control, not an IT service metric.
Why AI-assisted review is only useful when it changes action
AI in IGA is valuable only when it improves reviewer judgment and accelerates the remediation path. If the platform can highlight why access is risky but still requires manual interpretation and separate execution, then the security gain is limited. The important distinction is between surfacing risk and enforcing change. Security-first governance ties the two together so a reviewer can see the reason, approve the decision, and verify the resulting removal without losing context.
Practical implication: evaluate whether AI features reduce decision friction and remediation lag, rather than just improving dashboard quality.
Threat narrative
Attacker objective: The attacker wants to turn one identity compromise into broad reach across systems and data by exploiting hidden access paths.
- Entry begins with an overprivileged or orphaned identity that still has valid access to one or more applications.
- Escalation occurs when that identity can traverse nested permissions, chained service accounts, or poorly modelled relationships to reach higher-value systems.
- Impact is expanded blast radius, where a single compromised account can move laterally until it reaches the assets the attacker wanted.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Blast-radius visibility is the security boundary that legacy IGA often cannot draw. Traditional governance tools can show whether access exists, but they frequently fail to show how far that access can propagate through nested roles, service accounts, and inherited relationships. That creates a structural blind spot because attackers do not need every permission, only the path that reaches the target. The implication is that IGA must be judged on reachable damage, not on ticket throughput.
Ticket-driven revocation creates a control gap between decision and containment. A revoked entitlement that still exists in downstream systems is not a governance decision, it is residual exposure. This is a failure of execution fidelity, where the policy outcome and the technical state diverge long enough to matter. Practitioners should treat revocation latency as a security defect that directly changes breach potential.
Graph-native identity modelling is the named concept that separates audit administration from security governance. A graph-native model is not just a visual layer, it is a way of representing identity relationships so risk can be traced through inherited access and chained dependencies. Without that model, organisations are forced to reason about accounts one by one instead of the damage paths those accounts open. The practitioner conclusion is simple: if the platform cannot model relationships, it cannot reliably reduce identity blast radius.
IGA maturity should now be measured by whether it changes containment outcomes for both human and non-human identities. The same governance failure pattern appears when former employees retain access and when service accounts keep permissions beyond their useful life. That means lifecycle control, access review, and remediation orchestration must be assessed as one programme, not separate admin tasks. The implication is that identity governance is only security-relevant when it can shorten the window between access drift and enforcement.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A separate finding from The 2024 ESG Report: Managing Non-Human Identities shows that 72% of organisations have experienced or suspect a breach of non-human identities.
- The next step is to connect visibility to action, using Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs to tighten review, revocation, and offboarding.
What this signals
Graph-native identity modelling will become a baseline expectation for programmes that need security, not just compliance. As more organisations connect human and non-human access paths, the old entitlement-list view will increasingly fail to explain exposure. The practical shift is toward relationship-aware governance that can show where blast radius starts and how far it reaches before a compromise spreads.
Revocation latency is emerging as a measurable governance risk. If policy decisions are not reflected in connected systems quickly enough, identity governance becomes an audit artifact rather than a containment mechanism. Teams should watch for workflows that create a decision but cannot prove removal.
With 85% of organisations lacking full visibility into OAuth-connected third parties, identity programmes are already operating with incomplete relationship data. That makes entitlement context and lifecycle enforcement the next control frontier, especially where service accounts and delegated access overlap.
For practitioners
- Audit reachable access, not just assigned access Map nested groups, inherited roles, and chained service-account permissions to identify where a single compromise can reach high-value systems. Use those paths to prioritise review and remediation.
- Measure revocation as a completed control Track the time between a revocation decision and verified removal in connected systems. If the access still works after the decision, the control has not actually completed.
- Test whether the platform can model relationship paths Validate that reviewers can see why an entitlement is dangerous without leaving the system and without manually stitching together evidence from other tools.
- Include non-human identities in the same lifecycle process Apply the same governance logic to service accounts, tokens, and other workload identities so access drift does not persist outside normal employee offboarding processes.
Key takeaways
- The core risk is not identity quantity, but hidden reach.
- The scale issue is governance latency, where revocation intent and technical removal diverge.
- The control that matters most is relationship-aware modelling that can prove blast-radius reduction.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Addresses NHI credential and access lifecycle weaknesses that widen blast radius. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access management aligns with the article's blast-radius focus. |
| NIST Zero Trust (SP 800-207) | PR.AC | Zero trust access decisions depend on continuously verified identity context. |
Apply zero trust to shorten trust duration and require verified access decisions before execution.
Key terms
- Blast Radius: Blast radius is the amount of damage a compromised identity can reach once abuse begins. In identity governance, it measures reachable systems, inherited access, and downstream dependencies, not just the permissions shown on a role sheet. Smaller blast radius means faster containment and less lateral movement.
- Graph-Native Identity Model: A graph-native identity model represents identities, entitlements, applications, and relationships as linked nodes and edges. This makes indirect access paths visible and helps practitioners see how privilege propagates across users, service accounts, and nested roles. It is especially valuable when the question is not who has access, but how far that access can go.
- Revocation Latency: Revocation latency is the time between deciding to remove access and the access actually disappearing from all connected systems. In identity governance, latency matters because a revoked entitlement that still works remains a live security exposure. Low latency strengthens containment and reduces the window for misuse.
- Non-Human Identity Lifecycle: Non-human identity lifecycle is the end-to-end management of service accounts, tokens, certificates, and similar machine identities from creation to retirement. It includes provisioning, review, rotation, offboarding, and validation that access no longer persists after the identity's purpose ends. Poor lifecycle control leaves hidden access behind.
What's in the full article
Linx Security's full blog post covers the operational detail this post intentionally leaves for the source:
- The 10-question evaluation framework with good and bad answer patterns for each IGA capability area
- The graph-native model discussion showing how relationship paths change entitlement analysis
- The operational overhead comparison for teams that need to understand implementation burden
- The AI-native remediation examples and connector considerations behind the platform's workflow design
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org