By NHI Mgmt Group Editorial Team
Published 2025-12-24
Domain: Governance & Risk
Source: Zluri

TL;DR: IT teams in 2026 are still losing time and control to manual onboarding, legacy systems, weak password practices, outsourcing risk, and poor asset tracking, according to Zluri. The underlying problem is not staffing alone but identity process sprawl, where access, review, and reporting are spread across disconnected systems and workflows.


At a glance

What this is: This article argues that IT teams’ biggest 2026 problems cluster around manual processes, legacy systems, weak access controls, outsourcing risk, and poor asset governance.

Why it matters: It matters because the same operational gaps that slow IT work also weaken IAM, NHI, and lifecycle governance across employee, service account, and outsourced access models.

👉 Read Zluri's analysis of the seven biggest IT team challenges in 2026


Context

IT teams are still carrying too much manual identity and access work across onboarding, offboarding, app monitoring, and audit reporting. In practice, that means the governance burden is spread across spreadsheets, legacy systems, and disconnected tools instead of being managed as a single access lifecycle.

For IAM practitioners, the issue is not just productivity. Manual handoffs and weak process design create error-prone access decisions, delayed revocation, and poor visibility into who or what can reach critical systems, whether the subject is a person, a service account, or an outsourced identity.

The article’s core claim is that automation can reduce friction, but only if teams first understand where their current process model breaks. That is a typical enterprise pattern, not an edge case, and it is why lifecycle discipline matters as much as tool selection.


Key questions

Q: How should IT teams reduce manual onboarding and offboarding risk?

A: IT teams should move joiner, mover, and leaver events into one governed workflow tied to a single source of truth. That reduces revocation lag, avoids duplicate updates, and makes access changes auditable across HR, IT, and application systems. Manual exceptions should be tracked separately so the residual risk stays visible.

Q: Why do legacy systems create identity governance problems?

A: Legacy systems often cannot consume or emit identity changes cleanly, which forces manual reconciliation and weakens policy enforcement. The result is inconsistent access records, slower revocation, and more room for privilege creep. When this happens, the governance issue is the system boundary itself, not only the process around it.

Q: What do security teams get wrong about outsourcing and access control?

A: They often treat third-party access as a one-time approval instead of a lifecycle that includes expiry, review, and offboarding. That mistake leaves vendors or contractors with access longer than intended and makes accountability harder to prove during incidents or audits. Every outsourced identity needs a clear owner and revocation path.

Q: How do you know if identity process automation is actually working?

A: It is working when access changes happen faster than manual handoffs, audit reports match actual entitlement state, and password reset or exception volume falls over time. If automation still depends on routine rework, the organisation has only automated the queue, not the control.


Technical breakdown

Manual onboarding and offboarding create identity drift

When onboarding and offboarding depend on manual updates, access state quickly diverges from HR or system-of-record data. Identity drift means the access picture in one system no longer matches the actual employment or contractor status in another. That creates revocation lag, duplicated work, and mistakes that can persist across apps, directories, and downstream SaaS tools. The same pattern applies to service accounts and third-party users when lifecycle ownership is unclear. In IAM terms, this is a control problem, not just an operations problem. Manual processing cannot reliably keep pace with volume, role changes, or urgent deprovisioning needs.

Practical implication: map every joiner, mover, and leaver step to an owned workflow before automation is introduced.

Legacy systems break identity integration and access governance

Legacy systems often cannot exchange identity state cleanly with modern HR, directory, or SaaS platforms. That forces teams into partial integrations, custom exceptions, and manual reconciliation, all of which weaken policy enforcement. In identity governance, the main failure is not that legacy systems are old. It is that they create inconsistent access signals, so provisioning, review, and audit processes no longer operate from a trusted source of truth. When systems cannot express or consume lifecycle events reliably, controls become fragmented. This is why legacy infrastructure often becomes the hidden source of access exceptions and stale entitlements.

Practical implication: identify which legacy systems still require manual access reconciliation and place them under explicit exception handling.

Password sprawl is really a governance problem

Weak or reused passwords are only one symptom of broader identity sprawl. When teams spend time resetting passwords, managing shared credentials, and patching around weak authentication, they are compensating for a poor access model. The article’s mention of SSO and multifactor authentication points to a deeper issue: identity controls should reduce the number of places credentials need to exist. For human identity, that means fewer password-dependent paths. For machine and outsourced access, it means tighter control over shared secrets, hardcoded credentials, and unmanaged access paths. The governance failure is allowing identity friction to accumulate into operational risk.

Practical implication: reduce credential dependence where possible and treat password reset volume as a governance signal, not just a support metric.


Threat narrative

Attacker objective: reach systems or data through weakly governed access paths, then preserve that access long enough to cause operational or compliance damage.

  1. Entry begins when manual access processes, weak passwords, or outsourced handling create inconsistent access states that attackers or insiders can exploit.
  2. Escalation occurs when stale privileges, poor visibility, or unmanaged third-party access lets a subject move beyond the originally intended access boundary.
  3. Impact follows when access gaps lead to data exposure, delayed revocation, service disruption, or compliance failure across applications and asset records.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity process sprawl is the real failure mode behind IT team overload. The article frames the problem as too much manual work, but the deeper issue is that access, app inventory, and lifecycle events are being governed in separate lanes. That creates conflicting records, delayed decisions, and inconsistent enforcement across human, machine, and third-party identities. Practitioners should treat this as a governance architecture issue, not a staffing problem.

Manual onboarding and offboarding are the easiest place to lose control, because revocation is where errors become incidents. When access changes are handled by hand, the lag between source-of-truth change and entitlement removal becomes the exposure window. In NHI and human IAM alike, the control gap is lifecycle synchronization, not just workflow speed. The practitioner conclusion is to measure revocation completeness and lag as first-order governance outcomes.

Lifecycle blind spots in outsourced access: the article’s outsourcing section exposes a familiar assumption that third-party access can be managed as a one-time grant rather than a governed lifecycle. That assumption fails when vendors, contractors, or service providers retain access after the work changes or ends. The implication is that access reviews without offboarding evidence are incomplete, because accountability has already drifted away from the original approval.

Security tooling cannot compensate for weak identity ownership. Discovery, reporting, and automation help only when someone owns the underlying access model and the exceptions it generates. Otherwise, the organisation automates fragmentation instead of reducing it. The practical conclusion is that teams need named owners for onboarding, offboarding, exceptions, and access reconciliation across every identity class.

Modern IAM programmes should read this article as a warning about scale, not just efficiency. The same manual habits that slow IT teams also create the conditions for privilege creep, stale access, and audit failure. That makes process redesign a security requirement, not an optimisation project. Practitioners should align lifecycle controls with the systems that actually issue and revoke access.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows why identity inventory and entitlement control still lag operational reality.
  • Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, is the next step for teams that need to connect discovery, provisioning, rotation, and offboarding into one control model.

What this signals

Identity process sprawl: when onboarding, access review, reporting, and offboarding live in separate workflows, the programme becomes harder to govern than the technology it was meant to manage. Teams should expect more exceptions, slower remediation, and weaker audit evidence unless they collapse those workflows into a single lifecycle model.

With 71% of NHIs not rotated within recommended time frames, per the Ultimate Guide to NHIs, process maturity is now a security variable, not an administrative preference. IT leaders should watch for renewal, revocation, and review lag as leading indicators of exposure.

The practical signal for practitioners is whether access reporting can be trusted without manual correction. If inventory, entitlements, and offboarding records do not line up, the organisation is already running two identity systems at once, which is where audit and security failures usually begin.


For practitioners

  • Standardise joiner-mover-leaver workflows: Define one approved workflow for onboarding, role changes, and offboarding so that access updates happen from the same source of truth across HR, IT, and app owners.
  • Reconcile legacy systems to lifecycle controls: List every legacy platform that still requires manual access updates and assign exception ownership, review cadence, and compensating controls for each one.
  • Reduce password-dependent access paths: Use SSO and multifactor authentication where possible, then track password resets and shared credential use as indicators of identity process weakness.
  • Govern third-party access as a lifecycle: Require explicit approval, expiry, and offboarding evidence for outsourced users and vendor access, rather than treating access as a one-time grant.
  • Audit access reporting against actual entitlements: Compare reported users, apps, licenses, and privileged accounts against authoritative records so that audit outputs reflect real access state, not stale inventory.
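The reconciliation and revocation-lag measurement described in the technical breakdown and in the practitioner list above can be expressed as a small script. The following Python is an added example written for this summary; it is not code from Zluri's article or from NHI Mgmt Group. Every record, system name, subject and date in it is constructed, and the field layout (status, end date, expiry, role baseline) is an assumption about what an HR or CMDB export and a downstream entitlement export would carry. It flags four kinds of drift: accounts that are still enabled after termination (with the revocation lag in days), third-party access past its expiry date, roles beyond the subject's baseline, and orphan accounts with no source-of-truth record at all.

```python
"""Access reconciliation: compare an authoritative identity export (HR / CMDB)
with downstream entitlement exports to surface identity drift.
All data in this file is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class SourceRecord:
    """One row from the authoritative identity source (assumed layout)."""
    subject: str
    kind: str                    # "employee", "contractor" or "service"
    status: str                  # "active" or "terminated"
    owner: str                   # named owner for the identity
    ended: Optional[date] = None     # termination / contract end date
    expires: Optional[date] = None   # explicit expiry for third-party or service access
    baseline: frozenset = field(default_factory=frozenset)  # roles the subject should hold


@dataclass(frozen=True)
class Entitlement:
    """One row from a downstream system's access export (assumed layout)."""
    system: str
    subject: str
    roles: frozenset
    enabled: bool = True


AS_OF = date(2025, 12, 24)  # constructed reconciliation date

# Constructed source of truth
SOURCE = [
    SourceRecord("alice", "employee", "active", "it-ops", baseline=frozenset({"reader"})),
    SourceRecord("bob", "employee", "terminated", "it-ops", ended=date(2025, 11, 1)),
    SourceRecord("vendor-acme", "contractor", "active", "procurement",
                 expires=date(2025, 10, 15), baseline=frozenset({"reader"})),
    SourceRecord("svc-backup", "service", "active", "platform",
                 baseline=frozenset({"backup-operator"})),
]

# Constructed entitlement exports from two downstream systems
ENTITLEMENTS = [
    Entitlement("crm", "alice", frozenset({"reader"})),
    Entitlement("crm", "bob", frozenset({"reader"})),                   # stale: bob left 2025-11-01
    Entitlement("crm", "vendor-acme", frozenset({"reader", "admin"})),  # expired + privilege creep
    Entitlement("backup", "svc-backup", frozenset({"backup-operator"})),
    Entitlement("backup", "svc-legacy-sync", frozenset({"admin"})),     # orphan: no source record
]


def reconcile(source, entitlements, as_of):
    """Return (findings, metrics). Each finding is (kind, system, subject, detail)."""
    by_subject = {r.subject: r for r in source}
    findings = []
    lags = []  # days between termination and the reconciliation date, per stale account
    for e in entitlements:
        if not e.enabled:
            continue  # disabled accounts are not live access; nothing to reconcile
        rec = by_subject.get(e.subject)
        if rec is None:
            findings.append(("orphan", e.system, e.subject, "no source-of-truth record"))
            continue
        if rec.status == "terminated":
            # A terminated subject with an enabled account is the revocation gap itself.
            lag = (as_of - rec.ended).days if rec.ended else None
            if lag is not None:
                lags.append(lag)
            detail = f"terminated {lag} days ago, still enabled" if lag is not None \
                else "terminated (end date missing), still enabled"
            findings.append(("stale", e.system, e.subject, detail))
            continue
        if rec.expires is not None and rec.expires < as_of:
            days = (as_of - rec.expires).days
            findings.append(("expired", e.system, e.subject, f"access expired {days} days ago"))
        extra = e.roles - rec.baseline
        if extra:
            findings.append(("excess", e.system, e.subject,
                             "roles beyond baseline: " + ",".join(sorted(extra))))
    terminated = [r for r in source if r.status == "terminated"]
    still_enabled = {f[2] for f in findings if f[0] == "stale"}
    metrics = {
        # share of terminated subjects with no enabled downstream account left
        "revocation_completeness": (len(terminated) - len(still_enabled)) / len(terminated)
        if terminated else 1.0,
        "max_revocation_lag_days": max(lags, default=0),
    }
    return findings, metrics


if __name__ == "__main__":
    found, stats = reconcile(SOURCE, ENTITLEMENTS, AS_OF)
    for kind, system, subject, detail in found:
        print(f"{kind:8} {system:8} {subject:16} {detail}")
    print(stats)
```

The two metrics at the end are the ones the analysis section calls first-order governance outcomes: revocation completeness tells you whether offboarding actually removed access, and maximum revocation lag is the size of the exposure window. Running this against real exports rather than the constructed rows simply means replacing SOURCE and ENTITLEMENTS with parsed files; the orphan finding is the one most worth watching for service accounts, since it is exactly the case where no owner exists to approve or revoke anything.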

Key takeaways

  • The article’s real message is that manual identity operations create governance drift across onboarding, access management, and reporting.
  • Legacy systems, outsourcing, and weak password practices all become more dangerous when access records are fragmented and hard to reconcile.
  • IT teams need lifecycle ownership and source-of-truth discipline before automation can reduce risk instead of simply speeding up broken processes.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | The article centers on lifecycle weaknesses that leave access stale or over-privileged.
NIST CSF 2.0 | PR.AC-4 | Manual access processes weaken least-privilege enforcement and entitlement review.
NIST Zero Trust (SP 800-207) | AC-4 | Legacy and outsourced access issues show why continuous authorization matters.

Tie onboarding, rotation, and offboarding to NHI-03 so access state stays current across systems.


Key terms

  • Identity Drift: Identity drift is the gap between what a source system says an account should have and what downstream systems still allow. It usually appears when onboarding, role change, or offboarding is handled manually or inconsistently, leaving access longer than intended or removing it too late.
  • Lifecycle Governance: Lifecycle governance is the discipline of controlling access from joiner to mover to leaver across people, service accounts, and third parties. It focuses on ownership, review, revocation, and auditability so identity changes are reflected consistently across the environment.
  • Access Reconciliation: Access reconciliation is the process of comparing authoritative identity records with actual entitlements in systems and applications. It helps teams detect stale access, unauthorised privilege, and mismatches caused by manual updates, legacy integrations, or weak offboarding.
  • Identity Process Sprawl: Identity process sprawl is the condition where provisioning, review, reporting, and revocation are spread across disconnected tools and teams. It creates inconsistent control points, more exceptions, and weaker accountability because no single workflow governs the full access lifecycle.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: IT teams’ 7 biggest challenges encountered in 2026. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org