TL;DR: Service management is moving from reactive support to autonomous execution, with Gartner’s 2026 Agenda putting operational cost reduction at the top of CIO priorities and Gartner projecting that 75% of European enterprises will geopatriate by 2030, according to Efecte. The identity issue is not automation alone but governance for systems that act, trigger access, and cross policy boundaries faster than legacy IAM and review cycles can respond.
At a glance
What this is: This is an analyst view of how intelligent service management is changing operational control, with AI-driven execution, business-led workflows, and sovereignty pressures reshaping governance expectations.
Why it matters: It matters because IAM, IGA, PAM, and NHI programmes now have to govern faster, more distributed decision paths across people, services, and machine-driven workflows.
By the numbers:
- 2030, ner predicts that by 2030, 75% of European enterprises will "geopatriate," moving virtual workloads to regional or sovereign alternatives.
👉 Read Efecte's analysis of intelligent service management in 2026
Context
Intelligent service management is the move from ticket-driven support to systems that identify, route, and execute work with less human intervention. In identity terms, that changes who or what is making access-adjacent decisions, which makes governance more than a workflow issue. The first question for practitioners is no longer whether automation exists, but whether it stays inside the identity controls designed for human-paced approval and review.
The article is really about operational complexity meeting governance lag. As business functions begin orchestrating their own outcomes and AI becomes more execution-oriented, identity programmes have to decide how far delegated access, approvals, and accountability can stretch before they stop being governable. That is a familiar NHI problem dressed in service-management language.
Key questions
Q: How should security teams govern access when business units run their own workflows?
A: Treat business-led workflows as part of the identity control plane. Define which actions they can initiate, which entitlements they can touch, and what evidence is required before access changes become effective. Without that boundary, access decisions drift into shadow governance, especially when HR and finance tools are integrated into service orchestration.
Q: When does continuous control become more effective than periodic access review?
A: Continuous control becomes necessary when usage, spend, and entitlement changes happen faster than the review cycle can detect them. That is common in SaaS-heavy environments and delegated workflow models. If the evidence of use is event-driven, governance should be event-driven too, or stale access will survive between recertification windows.
Q: What breaks when employee experience is poor in identity-heavy workflows?
A: Poor experience encourages users and administrators to bypass formal IAM paths, which creates duplicate approvals, informal grants, and unmanaged exceptions. Over time, the organisation loses a clean audit trail and cannot reliably tell which access was intentional, temporary, or simply a workaround.
Q: Who is accountable when sovereignty requirements affect identity operations?
A: Accountability sits with the organisation that decides where identity administration, logging, and approval enforcement occur. If workloads are regionalised, the same principle applies to access governance. Teams should assign ownership for jurisdictional control points before the workload moves, not after the audit evidence is already fragmented.
Technical breakdown
From workflow automation to autonomous execution
Traditional automation follows predefined rules, but the article points to AI that executes tasks and identifies issues before escalation. That shift matters because the identity boundary moves from requesting action to initiating action. When a system can decide that work should happen and then trigger it, the governance question changes from approval routing to runtime authority. In practice, that means access, logging, and policy enforcement need to follow the execution path, not just the ticket path.
Practical implication: Map which service-management workflows now create or consume identity privileges at runtime.
Business-led workflows and delegated access approvals
The article describes HR and Finance orchestrating end-to-end outcomes, including onboarding and access approvals. That is not just process decentralisation. It creates a broader class of non-IT operators who can influence identity state through workflow tooling, SaaS integrations, and automated approvals. The technical risk is that access can be granted, modified, or deferred without a single clear owner of the resulting entitlement. Identity governance has to account for delegated initiation as well as delegated approval.
Practical implication: Define who can initiate identity changes, not only who can approve them.
Continuous control of the software estate
The article contrasts periodic license tracking with continuous control and real-time usage intelligence. Technically, that is the difference between snapshot governance and event-driven governance. In modern SaaS estates, access, spend, and usage shift too quickly for monthly reconciliation to catch drift in time. Continuous visibility is therefore a control-plane issue, not a reporting feature. Without it, organisations lose the ability to distinguish legitimate demand from dormant, over-permissioned, or shadow-managed access.
Practical implication: Tie software discovery, entitlement review, and usage telemetry into one continuous control loop.
Threat narrative
Attacker objective: The objective is to gain persistent operational influence through trusted workflows and distributed access decisions rather than through overt compromise.
- Entry occurs when business units and service-management tools are allowed to create low-touch workflows that connect directly to identity-dependent systems.
- Escalation happens when automated orchestration extends beyond suggestion into execution, letting processes trigger approvals, access changes, or operational actions without sufficient oversight.
- Impact follows when those delegated paths multiply shadow IT, weaken accountability, and create unmanaged access or spend across the software estate.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Intelligent service management is becoming an identity governance problem, not just an operations problem. Once AI systems begin executing tasks rather than recommending them, the control surface shifts from service desk efficiency to entitlement authority. That means identity teams inherit a broader set of runtime decisions that were previously bounded by human approval. Practitioners need to treat service management orchestration as part of the access governance perimeter.
Continuous control is the right model for software estate governance because periodic review is too slow for modern SaaS sprawl. The article’s emphasis on real-time usage and spend intelligence reflects a wider truth: snapshot controls cannot keep pace with distributed application ownership. The governance gap is not visibility in the abstract but decision latency between entitlement drift and remediation. Security teams should align software oversight with event-driven identity controls.
Geopatriation turns identity jurisdiction into an operational design issue. When workloads move to regional or sovereign alternatives, the identity model must account for where access is administered, logged, and audited. That affects trust boundaries, evidence retention, and cross-border service accounts just as much as it affects data residency. The implication is that identity governance now has to track control location as well as data location.
Experience-led service management will expose weak identity journeys faster than traditional compliance reviews. If the employee experience is poor, users and business teams will route around formal IAM paths to get work done. That creates unofficial access paths, duplicate approvals, and shadow workflows that undermine governance. Organisations should read EX as an early warning signal for policy drift across human and machine identity processes.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- For a deeper governance lens, the NHI Lifecycle Management Guide helps teams align provisioning, rotation, and offboarding to continuous control models.
What this signals
Identity teams should expect service-management platforms to become higher-risk control points as AI execution expands. The practical issue is not whether automation exists, but whether delegated actions are still visible to IAM, IGA, and PAM controls before they change production access. A useful concept here is workflow-originated privilege drift: when operational tools create entitlements faster than governance processes can certify them.
The governance signal is clear: organisations that still rely on periodic review will struggle to keep up with low-touch, business-led orchestration. A 97% excessive-privilege rate among NHIs shows how quickly unmanaged access accumulates once control loops lag the operational tempo, according to the Ultimate Guide to NHIs.
For programmes that are already modernising, the next step is to connect service-management telemetry to identity evidence, not just ITSM reporting. The NIST Cybersecurity Framework 2.0 provides the right language for doing that across identify, protect, detect, and respond functions.
For practitioners
- Classify workflow-triggered identity actions Inventory where service-management, HR, and finance workflows can create, modify, or approve access so those paths sit under explicit IAM and IGA oversight.
- Replace snapshot review with continuous entitlement monitoring Use real-time usage telemetry to identify dormant access, shadow-managed applications, and entitlement drift before the next recertification cycle.
- Define sovereignty-aware identity controls Document where approvals, logs, and administrative actions must occur for regional workloads so audit evidence remains usable across jurisdictional boundaries.
- Tighten delegated authority in low-touch workflows Limit who can initiate access-related actions in business-led processes and require explicit review for workflows that touch production entitlements.
Key takeaways
- Intelligent service management is changing who can initiate identity-relevant actions, which expands the governance perimeter beyond traditional IT support.
- Continuous control matters because workflow-led access and SaaS drift move faster than periodic recertification can reliably catch.
- Sovereignty, experience, and automation are converging into a single identity challenge, so practitioners should treat service orchestration as part of identity governance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | Service management telemetry and identity evidence map to governance and detection functions. | |
| NIST Zero Trust (SP 800-207) | Delegated workflows and sovereignty-aware operations fit continuous verification thinking. | |
| OWASP Non-Human Identity Top 10 | NHI-06 | Workflows that create or approve access can produce unmanaged non-human privileges. |
Treat identity-changing workflows as zero-trust policy points and verify them continuously.
Key terms
- Intelligent service management: Service management that uses automation and AI to classify, route, and execute operational work with less manual intervention. In identity terms, it can also create or modify access-related actions, which means governance must cover not only the ticket flow but the authority path behind the workflow.
- Workflow-originated privilege drift: Privilege drift created by business or service workflows that generate access faster than governance teams can review it. The entitlements may look legitimate because they came through approved systems, but over time they accumulate outside intended policy boundaries and become difficult to certify or remove cleanly.
- Continuous control: A governance model that uses ongoing telemetry and policy enforcement instead of periodic snapshots to manage access, usage, and risk. For identity teams, it means evidence is collected as activity happens, which is better suited to SaaS sprawl, delegated workflows, and fast-moving machine access.
What's in the full article
Efecte's full post covers the operational detail this post intentionally leaves for the source:
- The five-driver breakdown behind the 2026 service-management shift and how each driver changes operating assumptions
- The source article's examples of low-touch business workflows in HR and Finance and the service-management rationale behind them
- The vendor's discussion of geopolitical sovereignty pressures and why regional workload placement is becoming a planning input
- The article's framing of employee experience as a service-management priority and how that intersects with digital friction
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-02-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org