TL;DR: Internal controls are designed to prevent misuse, errors, fraud, and non-compliance through segregation, approval, documentation, verification, and monitoring, according to Pathlock's explanation of the control model. The same logic now has to be applied more explicitly to identity, because access, accountability, and review cycles break down when machine credentials and AI-driven execution move faster than traditional control points.
At a glance
What this is: This is a Pathlock explainer on internal controls, showing how control design, approval, verification, monitoring, and accountability work together.
Why it matters: It matters to IAM practitioners because the same control logic underpins NHI governance, autonomous access oversight, and human identity assurance.
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected.
👉 Read Pathlock's guide to internal control principles and governance
Context
Internal controls are the operating system of governance. They only work when accountability is clear, approvals are meaningful, records are complete, and monitoring can catch drift before it becomes loss. In identity programmes, the same discipline decides whether access is controlled as a governed process or treated as a loose technical setting.
That gap is easiest to see in NHI and access governance, where credentials, approvals, and audit trails often exist in separate tools but are expected to behave like one control system. When access is created faster than it is reviewed, or when responsibility is split across teams without a clean chain of ownership, the control model starts to fail in practice.
For identity teams, the lesson is not that internal controls are outdated. It is that identity has become one of the main places where classic control principles are either enforced well or silently degraded.
Key questions
Q: How should security teams apply internal control principles to identity governance?
A: They should treat identity as a governed control system, not a set of disconnected technical settings. Segregate approval from provisioning, keep complete evidence for each access decision, and verify that entitlements remain aligned to role and business purpose. That structure is what turns IAM into a control environment instead of a record of exceptions.
Q: Why do service accounts and other NHIs expose internal control weaknesses?
A: Because their access often persists outside normal human review cycles and can be reused by multiple systems or teams. If approvals, ownership, and revocation are not clearly documented, the organisation loses the ability to prove why the access still exists. That weakens both accountability and auditability.
Q: What breaks when access review and verification are not independent?
A: The same actor can approve access, use it, and later certify that it was appropriate, which removes the check and balance that internal controls are meant to create. Independent review is what catches stale or excessive privilege before it becomes a security or compliance issue.
Q: How do you know if identity controls are actually working?
A: Look for evidence that approvals, usage, and revocation are all traceable, and that exceptions are being detected before they become repeat findings. If reviews only confirm that paperwork exists, but do not show current entitlement accuracy or timely removal, the control is cosmetic rather than effective.
Technical breakdown
How segregation of duties maps to identity access controls
Segregation of duties prevents one actor from creating, approving, and reconciling the same transaction. In identity terms, that means the same person or system should not be able to provision access, approve it, and later certify it without independent review. This matters for service accounts, privileged access, and delegated admin paths, where a single control failure can conceal misuse for long periods. When the workflow collapses into one operator or one automation chain, auditability weakens and fraud detection becomes retrospective rather than preventive.
Practical implication: Separate entitlement administration, approval, and review across different roles and systems.
Why documentation and audit trails matter for access governance
Documentation is the evidence layer of internal control. For identity, that evidence includes who approved access, when it was granted, what it was used for, and when it was revoked or recertified. Without that record, teams cannot distinguish legitimate access from inherited privilege or stale entitlement. Audit trails are especially important for NHI and delegated service access because those identities often outlive the human workflow that created them. If the record is incomplete, governance becomes assumption-based instead of evidence-based.
Practical implication: Require entitlement, approval, and revocation records to be traceable in one reviewable trail.
How monitoring and continuous improvement change control effectiveness
Monitoring is the part of internal control that stops governance from becoming static. Access patterns change, business workflows change, and machine credentials are introduced, reused, or forgotten faster than annual review cycles can catch. In identity programmes, monitoring should show whether access remains aligned to role, whether privileged paths are being used as intended, and whether controls are still operating after process changes. This is where continuous improvement matters most: a control that was adequate last quarter can become ineffective after a platform shift or an automation rollout.
Practical implication: Track access drift and review control performance after every major workflow or system change.
NHI Mgmt Group analysis
Internal controls in identity fail when accountability is fragmented across tools and teams. Pathlock's control model is strongest when the same process owner can see authorization, documentation, verification, and monitoring as one system. In identity programmes, those responsibilities are often split between IAM, security, application owners, and operations, which makes failure harder to assign and slower to correct. The practitioner implication is that identity controls need a single accountability map, not just more policy language.
Audit trails are only useful when they capture the full identity lifecycle, not just the approval event. A logged approval does not prove that the access remained appropriate, was used within scope, or was removed at the right time. This is where NHI governance and lifecycle control become central, because machine identities and delegated access paths can persist long after the original business case has changed. The practitioner implication is to treat lifecycle evidence as part of control design, not as an afterthought.
Monitoring is the control that converts static compliance into operational assurance. Internal controls that are only reviewed at fixed intervals will miss the drift created by cloud change, automation, and credential sprawl. In identity security, the real question is whether the control still holds after a system or workflow changes, not whether it passed last quarter's review. The practitioner implication is to measure controls continuously against actual access behaviour.
Control environments break when access is treated as a technical entitlement instead of a governed asset. The COSO-style logic Pathlock describes assumes clear ownership, documented procedures, and independent verification. Identity teams that fail to apply that logic to service accounts, privileged sessions, and federated access leave the organisation with controls that look complete but do not constrain real risk. The practitioner implication is to govern access as a business control, not just an IAM configuration.
Identity governance now sits at the junction of financial-style control discipline and cyber-style risk management. The same mechanisms that prevent misstatement in finance, such as review, reconciliation, and independent verification, are increasingly what prevent privilege misuse in digital operations. That makes identity one of the few domains where internal control and cybersecurity are no longer separate conversations. The practitioner implication is to align IAM, audit, and security around the same control evidence.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to The 2024 ESG Report: Managing Non-Human Identities.
- For a deeper lifecycle lens, see NHI Lifecycle Management Guide, which explains how provisioning, review, and offboarding turn identity policy into operational control.
What this signals
Identity control maturity will increasingly be measured by evidence quality, not policy count. Organisations that cannot show clean approval, review, and revocation records will struggle to prove that controls are actually operating. That is especially true for NHI programmes, where one missing lifecycle record can invalidate the apparent strength of the whole control chain.
As machine identities spread, the control gap shifts from access grant to access proof. The programmes that keep pace will be the ones that can reconcile entitlement, use, and removal in one view, backed by independent verification and routine exception handling.
The internal control model remains viable, but only if identity teams stop treating access as a static configuration problem. The practical test is whether a control still constrains behaviour after a workflow, application, or automation change has occurred.
For practitioners
- Separate access creation from access approval: Ensure the team or system that provisions entitlements is not the same one that approves them or certifies them later. Where workflows are automated, preserve independent review for privileged and NHI paths.
- Extend audit trails across the full identity lifecycle: Record who requested access, who approved it, when it was used, when it was reviewed, and when it was removed. Treat revocation evidence as mandatory for service accounts and delegated access.
- Monitor access drift continuously: Track whether entitlements still match role, system purpose, and current business need after changes to applications, automation, or operating model. Use exceptions to trigger review, not just reporting.
- Build one accountability map for identity controls: Define which team owns approval, which owns verification, which owns monitoring, and which owns remediation for each identity type. Make the handoffs explicit so failures can be investigated and corrected quickly.
- Apply independent verification to privileged and machine access: Use a reviewer who was not involved in the original access grant to reconcile entitlements against actual use. Prioritise service accounts, API credentials, and admin roles where misuse can persist unnoticed.
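As an added illustration of the checks in this list, and of the segregation-of-duties, audit-trail and independent-verification points in the technical breakdown above, the following Python runs those rules over a constructed lifecycle audit trail. It is example code written for this post, not Pathlock's or NHIMG's tooling; the event names, actor names and finding codes are assumptions.

```python
from collections import defaultdict

# Constructed sample audit trail (not from the original post): one record per
# lifecycle event for an entitlement grant, in the order it was logged.
TRAIL = [
    # G1: human grant with distinct requester, approver, provisioner and reviewer.
    {"grant": "G1", "kind": "human", "event": "request",   "actor": "alice"},
    {"grant": "G1", "kind": "human", "event": "approve",   "actor": "bob"},
    {"grant": "G1", "kind": "human", "event": "provision", "actor": "iam-bot"},
    {"grant": "G1", "kind": "human", "event": "certify",   "actor": "carol"},
    {"grant": "G1", "kind": "human", "event": "revoke",    "actor": "iam-bot"},
    # G2: service account that one admin approved, provisioned and later certified.
    {"grant": "G2", "kind": "nhi", "event": "request",   "actor": "dave"},
    {"grant": "G2", "kind": "nhi", "event": "approve",   "actor": "dave"},
    {"grant": "G2", "kind": "nhi", "event": "provision", "actor": "dave"},
    {"grant": "G2", "kind": "nhi", "event": "certify",   "actor": "dave"},
    # G3: API credential provisioned with no approval record, never reviewed or revoked.
    {"grant": "G3", "kind": "nhi", "event": "request",   "actor": "erin"},
    {"grant": "G3", "kind": "nhi", "event": "provision", "actor": "iam-bot"},
]


def audit_trail(trail):
    """Return {grant_id: sorted finding codes}; an empty list means the grant is clean."""
    by_grant = defaultdict(list)
    for rec in trail:
        by_grant[rec["grant"]].append(rec)
    findings = {}
    for gid, events in by_grant.items():
        first = {}                      # event type -> position of its first occurrence
        actors = defaultdict(set)       # event type -> actors who performed it
        for i, e in enumerate(events):
            first.setdefault(e["event"], i)
            actors[e["event"]].add(e["actor"])
        found = set()
        # Segregation of duties: the approver must not also be the provisioner.
        if actors["approve"] & actors["provision"]:
            found.add("sod_violation")
        # Approval must exist and be logged before provisioning.
        if "provision" in first and first.get("approve", len(events)) > first["provision"]:
            found.add("missing_or_late_approval")
        # Independent verification: the certifier took no part in the original grant.
        involved = set().union(*(actors[s] for s in ("request", "approve", "provision")))
        if actors["certify"] & involved:
            found.add("non_independent_review")
        # Lifecycle evidence: NHI grants need certification and revocation records.
        if events[0]["kind"] == "nhi":
            found.update(f"nhi_missing_{s}" for s in ("certify", "revoke") if s not in first)
        findings[gid] = sorted(found)
    return findings
```

Each finding code maps to one of the practitioner checks above, so the same function can be pointed at an export from an IGA or ticketing system once its events are normalised to these four fields.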
Key takeaways
- Internal controls only work for identity when approval, evidence, and verification remain separate and independently reviewable.
- Most control failures in identity are lifecycle failures, because access outlives its original business justification.
- Teams should measure whether identity controls still constrain real behaviour after change, not whether they merely exist on paper.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-06 | The article maps directly to access governance, approval, and revocation for machine identities. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions management aligns with separation of duties and least-privilege controls. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Zero Trust depends on continuous verification and current authorization, which the article's control model reinforces. |
Map identity approvals to PR.AC-4 and verify that access is granted, reviewed, and removed independently.
Key terms
- Internal Control Environment: The control environment is the organisational foundation that determines whether policies are actually followed. It combines accountability, oversight, ethical expectations, and review discipline so that access decisions, transaction handling, and verification are managed as part of everyday operations rather than as occasional compliance exercises.
- Segregation Of Duties: Segregation of duties is the practice of splitting a critical process across multiple people or systems so no single actor can create, approve, and verify the same action. In identity governance, it reduces the chance that one operator can silently grant, misuse, and conceal excessive access.
- Audit Trail: An audit trail is the recorded sequence of events that shows who did what, when, and under what approval. For identity and access control, it is the evidence that turns a policy statement into a verifiable control, especially when reviewing privileged or machine access.
- Independent Verification: Independent verification is a check performed by someone who was not involved in the original action. In identity programmes, it means entitlement, usage, and revocation are reviewed by a separate party so that errors, drift, and misuse are more likely to be detected.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Pathlock: Definition of Internal Controls and the key principles behind them. Read the original.
Published by the NHIMG editorial team on 2025-12-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org