By NHI Mgmt Group Editorial Team
Published 2026-02-28
Domain: Governance & Risk
Source: Zluri

TL;DR: IT compliance audits check whether security controls, policies, and evidence align with laws and frameworks such as HIPAA, PCI-DSS, SOC 2, ISO, and GDPR, according to Zluri. The governance lesson is bigger than certification: audit readiness depends on provable access control, periodic review, and remediation discipline across human, workload, and service identities.


At a glance

What this is: A guide to IT compliance audits that explains how organisations validate security controls, evidence, and regulatory alignment across frameworks such as HIPAA, PCI-DSS, SOC 2, ISO 27001, and GDPR.

Why it matters: IAM, NHI, and human access programmes all fail audit when access, review, and remediation evidence cannot be produced on demand.



Context

IT compliance audits are formal checks that test whether identity, access, security, and evidence controls meet an external standard or internal policy. In practice, the audit challenge is not only proving that controls exist, but showing they work consistently across human accounts, non-human identities, and privileged access paths.

For IAM teams, the deeper issue is lifecycle governance. Access reviews, offboarding, rotation, and remediation have to produce defensible evidence, because an audit failure often exposes a control design problem long before it becomes a regulatory problem.


Key questions

Q: How should teams make IT compliance audits work across human and non-human identities?

A: Teams should use one governance model for all identity types, then vary the controls by subject. Human users need access review, strong authentication, and segregation of duties. Non-human identities need ownership, rotation, offboarding, and scope limits. The audit succeeds when each identity can be traced to a business purpose, an accountable owner, and a provable removal path.

Q: Why do compliance audits often expose NHI problems before they expose human IAM issues?

A: NHIs usually accumulate faster, are reviewed less often, and persist longer than human accounts. That makes dormant API keys, over-privileged service accounts, and unrotated secrets easier to miss until an auditor asks for evidence. In practice, NHI governance fails first because the lifecycle is weaker and the ownership trail is thinner.

Q: What should organisations do when audit evidence does not match actual access state?

A: They should treat the mismatch as a control failure, not a reporting problem. Reconcile entitlement data, re-run the review, revoke excess access, and verify the change in logs and governance records. If the access state cannot be reconciled quickly, the programme is not ready for audit and remains exposed operationally.

Q: Who is accountable when an audit finds unmanaged service accounts or secrets?

A: Accountability should sit with the system owner, the identity governance function, and the security team together, because unmanaged non-human identities cut across all three. The auditor will usually care less about who created the issue than whether the organisation can prove ownership, remediation, and ongoing control. That is the accountability chain to document.


Technical breakdown

How IT compliance audits test identity and access controls

A compliance audit compares actual control operation against a defined requirement, then asks for evidence that the control works over time. In identity programmes, that evidence usually includes access approvals, certification records, authentication logs, segregation of duties checks, and remediation actions. The important distinction is between having a policy and proving execution. For NHI and privileged access, auditors look for whether permissions are justified, time-bound, reviewed, and revocable. If the evidence trail is missing, the control is treated as ineffective even if the technology exists.

Practical implication: build audit evidence into access workflows, not as a last-minute reporting exercise.

Why compliance frameworks expose weak lifecycle governance

Frameworks such as HIPAA, PCI-DSS, SOC 2, ISO 27001, and GDPR all depend on repeatable governance, which means identity controls must be current, reviewable, and enforceable. That becomes difficult when access persists longer than the business need, when service accounts are not tracked, or when secrets are stored in code and configuration. The audit problem is therefore a lifecycle problem: access granted, access used, access reviewed, and access removed all need traceable ownership. Without that chain, compliance claims rest on assumptions rather than records.

Practical implication: map every privileged identity to an owner, a purpose, a review cadence, and a removal trigger.

Automated access reviews only help if remediation is real

Automated certification can reduce review effort, but automation alone does not satisfy compliance if it simply records approvals without changing access state. Effective programmes connect review outcomes to revocation, rotation, or reclassification. For NHIs, that means the audit evidence must show not just that access was checked, but that excess access was removed and secrets were rotated where needed. In an audit context, a review that does not change entitlement risk is only documentation, not control.

Practical implication: tie every certification outcome to an enforceable remediation action and log the result.


  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Compliance audits fail where identity governance is treated as documentation instead of control execution. The article correctly frames audits as a way to verify adherence, but the deeper lesson is that access governance only matters when entitlements, reviews, and revocation happen in the live environment. In identity terms, a clean policy without operational removal is not compliance. Practitioners should treat audit readiness as proof of control closure, not evidence collection alone.

Identity lifecycle drift is the real audit exposure in NHI-heavy environments. The most audit-relevant failure mode is not a missing policy statement, but an identity estate where secrets, API keys, and service accounts survive beyond their intended business purpose. That is why lifecycle frameworks matter as much as access design. The practical conclusion is that audit findings often reveal a governance system that cannot prove who owns each non-human identity, when it should be removed, and whether revocation actually occurred.

Scheduled certification without enforced remediation creates false assurance. The article highlights scheduled reviews and auto-remediation, but the discipline issue is whether review outcomes change access state. If excess privilege remains after certification, the audit signal is misleading and the control has not moved risk. Practitioners should read this as a warning that identity governance maturity is measured by closed-loop remediation, not review volume.

Framework alignment across human and non-human identities is now a single governance problem. HIPAA, PCI-DSS, SOC 2, ISO, and GDPR all expect demonstrable control over access to sensitive data, and that expectation no longer fits a human-only model. Organisations that separate user access review from service account governance create audit blind spots. Practitioners should unify review, ownership, and revocation across all identity types or accept fragmented compliance evidence.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why audit evidence often breaks at the ownership and scope layer.
  • That visibility gap is explored further in NHI Lifecycle Management Guide, which helps teams link review, rotation, and offboarding to provable control states.

What this signals

Identity audit readiness is becoming a lifecycle discipline, not a checklist exercise. When access review, revocation, and ownership are disconnected, the organisation can pass a policy review and still fail an evidence test. The next maturity step is closed-loop governance, where every review outcome produces a verifiable identity state change.

The strongest programmes will increasingly unify human IAM, privileged access, and NHI governance under the same control evidence model. That reduces audit fragmentation and helps teams prove not only who had access, but who removed it, when, and why.


For practitioners

  • Inventory every privileged identity and assign a named owner. Build a complete register of human admin accounts, service accounts, API keys, tokens, and certificates, then attach business purpose, system scope, and review cadence to each one. If an identity has no owner, it has no accountable lifecycle and will fail audit evidence tests.
  • Connect access reviews to actual entitlement changes. Do not let certification end at approval. Every review outcome should trigger revocation, rotation, scope reduction, or documented acceptance, with the resulting state visible in audit logs and governance reports.
  • Track secrets outside approved vaults as audit exceptions. Identify credentials stored in code, config files, CI/CD tools, and shared documents, then treat each location as a control exception until it is removed or formally justified. This closes one of the most common evidence gaps in compliance programmes.
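The closed-loop check that the three points above, the "Automated access reviews only help if remediation is real" section, and the evidence-mismatch question all describe, written out as an added example. This is not code from Zluri or NHI Mgmt Group; it assumes two exports with the field names shown (an assumption, not any vendor's schema): an identity inventory pulled from the live environment and a certification export from the review tool. Both datasets are constructed for the example. Each mismatch between what the reviewer decided and what the environment reports becomes a finding, and the programme only counts as audit-ready when the finding list is empty.

```python
# Added example for this article, not code from Zluri or NHI Mgmt Group. The two
# inputs below mirror what a review tool exports and what the live environment
# reports; their field names are assumptions, and both datasets are constructed.
from dataclasses import dataclass
from datetime import date, timedelta

AS_OF = date(2026, 2, 28)            # audit "as of" date (constructed)
DORMANT_AFTER = timedelta(days=90)   # active but unused this long -> dormant
MAX_SECRET_AGE = timedelta(days=90)  # rotation threshold for live secrets
APPROVED_STORES = {"vault"}          # any other location is an audit exception

# Constructed sample: what the live environment actually reports.
INVENTORY = [
    {"id": "svc-billing-export", "owner": "payments-team", "status": "active",
     "last_used": "2026-02-27", "secret_created": "2026-01-15", "secret_store": "vault",
     "permissions": {"s3:GetObject"}},
    {"id": "svc-legacy-etl", "owner": "data-platform", "status": "active",
     "last_used": "2025-09-01", "secret_created": "2025-06-01", "secret_store": "vault",
     "permissions": {"s3:GetObject", "s3:DeleteObject"}},
    {"id": "api-key-partner-sync", "owner": "integrations", "status": "active",
     "last_used": "2026-02-26", "secret_created": "2025-11-20", "secret_store": "vault",
     "permissions": {"orders:read"}},
    {"id": "ci-deploy-token", "owner": "", "status": "active",
     "last_used": "2026-02-28", "secret_created": "2026-02-01",
     "secret_store": "repo:.github/workflows/deploy.yml",
     "permissions": {"deploy:write", "iam:PassRole"}},
    {"id": "bot-slack-notify", "owner": "platform", "status": "active",
     "last_used": "2026-02-25", "secret_created": "2026-02-01", "secret_store": "vault",
     "permissions": {"chat:write"}},
    {"id": "svc-reports", "owner": "finance", "status": "disabled",
     "last_used": "2025-12-01", "secret_created": "2025-10-01", "secret_store": "vault",
     "permissions": {"reports:read"}},
]

# Constructed sample: what the reviewers decided, and when.
CERTIFICATIONS = [
    {"id": "svc-billing-export", "decision": "keep", "reviewed": "2026-02-20", "approved": {"s3:GetObject"}},
    {"id": "svc-legacy-etl", "decision": "revoke", "reviewed": "2026-02-10", "approved": set()},
    {"id": "api-key-partner-sync", "decision": "rotate", "reviewed": "2026-02-10", "approved": {"orders:read"}},
    {"id": "ci-deploy-token", "decision": "keep", "reviewed": "2026-02-20", "approved": {"deploy:write"}},
    {"id": "svc-reports", "decision": "revoke", "reviewed": "2026-01-15", "approved": set()},
]


@dataclass(frozen=True)
class Finding:
    identity: str
    code: str
    detail: str


def _d(s):
    return date.fromisoformat(s)


def reconcile(inventory, certifications, as_of=AS_OF):
    """Return one Finding per mismatch between the review record and the live state."""
    certs = {c["id"]: c for c in certifications}
    findings = []
    for ident in inventory:
        iid, active = ident["id"], ident["status"] == "active"
        cert = certs.get(iid)
        # Ownership is the first thing an auditor asks for.
        if not ident["owner"]:
            findings.append(Finding(iid, "NO_OWNER", "no accountable owner recorded"))
        if cert is None:
            if active:
                findings.append(Finding(iid, "NOT_CERTIFIED", "active identity has no review record"))
        else:
            reviewed, decision = _d(cert["reviewed"]), cert["decision"]
            # A revoke outcome is only evidence once the identity is actually gone.
            if decision == "revoke" and active:
                findings.append(Finding(iid, "REVOKE_NOT_ENFORCED", f"revoked {reviewed}, still active"))
            # A rotate outcome must show up as a secret newer than the review itself.
            if decision == "rotate" and _d(ident["secret_created"]) < reviewed:
                findings.append(Finding(iid, "ROTATE_NOT_ENFORCED",
                                        f"rotate decided {reviewed}, secret from {ident['secret_created']}"))
            # For retained identities, live permissions must not exceed the approved set.
            if decision in ("keep", "rotate"):
                excess = sorted(ident["permissions"] - cert["approved"])
                if excess:
                    findings.append(Finding(iid, "EXCESS_PERMISSIONS", "not approved: " + ", ".join(excess)))
        # Lifecycle drift checks apply to anything still live, reviewed or not.
        if active:
            if as_of - _d(ident["last_used"]) > DORMANT_AFTER:
                findings.append(Finding(iid, "DORMANT", f"last used {ident['last_used']}"))
            if as_of - _d(ident["secret_created"]) > MAX_SECRET_AGE:
                findings.append(Finding(iid, "SECRET_OVERDUE", f"secret created {ident['secret_created']}"))
            if ident["secret_store"] not in APPROVED_STORES:
                findings.append(Finding(iid, "SECRET_OUTSIDE_VAULT", f"stored in {ident['secret_store']}"))
    return findings


def summarize(findings):
    """Findings per code; an empty result is the only audit-ready state."""
    counts = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


def audit_ready(findings):
    return not findings


if __name__ == "__main__":
    found = reconcile(INVENTORY, CERTIFICATIONS)
    for f in found:
        print(f"{f.code:22} {f.identity:22} {f.detail}")
    print("audit-ready:", audit_ready(found), summarize(found))
```

Run as a script it prints one line per finding and then the per-code counts. On the constructed data the reviewed-but-not-removed service account, the approved rotation that never happened, the token with no owner and an extra permission stored in a workflow file, and the active token nobody reviewed all surface as separate codes, while the identity that was revoked and is actually disabled produces nothing. The 90-day thresholds and the approved-store set are policy choices and should be taken from the organisation's own standard rather than from this example.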

Key takeaways

  • IT compliance audits are really tests of whether identity controls work in the live environment, not just on paper.
  • The most common failure mode is lifecycle drift, especially where service accounts, API keys, and other NHIs outlive their business purpose.
  • Audit readiness improves when review, revocation, ownership, and logging are tied together as one closed-loop governance process.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet. Note that PR.AC-4 is a CSF 1.1 identifier; CSF 2.0 moved access control into the PR.AA category, where PR.AA-05 is the equivalent outcome.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-05 (CSF 1.1: PR.AC-4) | Access permissions and entitlements must be managed, enforced, and reviewed, which is exactly what audit-ready evidence has to show.
NIST Zero Trust (SP 800-207) | - | Continuous verification supports evidence-based access governance.
OWASP Non-Human Identity Top 10 | NHI1 Improper Offboarding; NHI7 Long-Lived Secrets | Offboarding and rotation failures in the NHI lifecycle directly affect audit compliance.

Apply the NHI1 and NHI7 controls to service accounts, tokens, and secrets with enforced removal or rotation.


Key terms

  • Compliance Audit: A compliance audit is an independent check that compares an organisation's real controls against legal, regulatory, or internal requirements. In identity security, it is less about policy language and more about whether access approvals, reviews, revocations, and evidence can be proven end to end.
  • Non-Human Identity: A non-human identity is a machine or software credential used by services, applications, workloads, bots, or agents to authenticate and access resources. These identities need ownership, scope control, rotation, and offboarding because they can persist and spread far beyond the original use case.
  • Access Certification: Access certification is the periodic review of who or what has access and whether that access is still justified. For NHIs, certification only has value if it leads to a real state change such as revocation, rotation, or scope reduction, rather than a record that access was merely approved.
  • Lifecycle Governance: Lifecycle governance is the discipline of managing identity from creation through review to removal. It applies to human users, service accounts, and autonomous systems, and the audit question is always the same: can the organisation show who owns the identity, why it exists, and how it is removed when no longer needed?

Deepen your knowledge

IT compliance audit evidence and NHI lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building audit-ready identity controls from a similar starting point, it is worth exploring.

This post draws on content published by Zluri: Security & Compliance IT Compliance Audit - A Comprehensive Guide in 2026. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org