TL;DR: Legacy IGA tools and manual access reviews are giving way to unified, real-time governance because fragmented controls cannot keep pace with ERP, cloud, and regulatory change, according to SafePaaS and a 500-plus IT leader survey it cites. The structural shift is from retrospective compliance to continuous assurance, which changes audit, remediation, and executive accountability.
At a glance
What this is: This is an analysis of how enterprises are replacing legacy identity governance with unified, continuous assurance across ERP, cloud, and finance systems.
Why it matters: It matters because IAM, IGA, PAM, and audit teams need governance models that can keep pace with business change, not just certify access after the fact.
By the numbers:
- A 2025 State of Identity Governance Report, based on a survey of 500+ IT leaders, shows nearly 60% cite restrictive cost and complexity as a deficiency of legacy identity management.
- Only 5.7% of organisations have full visibility into their service accounts.
Context
Legacy identity governance breaks down when access changes faster than review cycles can absorb. In large ERP, cloud HR, procurement, and finance environments, teams inherit a governance problem that spreadsheet workflows and siloed IGA tools cannot resolve: they can record who had access, but they cannot continuously prove that access is still appropriate.
The central concept here is identity governance. In practice, that means moving from periodic certification to real-time assurance across human identities, service accounts, and the entitlements that connect business processes to financial and operational control.
Key questions
Q: How should organisations modernise identity governance in ERP and cloud environments?
A: They should replace periodic spreadsheet reviews with continuous controls that connect identity data, policy evaluation, remediation, and evidence capture in one workflow. The goal is not more review activity, but faster detection of bad access, cleaner audit proof, and less lag between business change and governance response. Prioritise high-risk ERP and finance systems first.
Q: Why do legacy IGA tools struggle with business change?
A: Legacy IGA tools struggle because they were built for discrete review cycles, not for environments where roles, vendors, and acquisitions constantly change access. They can record entitlement snapshots, but they cannot keep pace with live policy drift, so risk accumulates between review windows. That creates audit effort without timely assurance.
Q: What breaks when access reviews stay manual?
A: Manual reviews break when reviewers cannot validate current business context quickly enough to identify toxic access, orphaned accounts, or stale approvals. The result is not just inefficiency, but false confidence, because the certification may be completed after the access has already become inappropriate. The control exists on paper, not in practice.
Q: Who is accountable when continuous assurance fails?
A: Accountability sits with the owners of identity governance, the application teams controlling entitlements, and the audit function that relies on the evidence. If controls are fragmented, no single party can prove that access was reviewed, enforced, and remediated in time. The answer is a shared operating model with named control ownership.
Technical breakdown
Why manual access certification fails in ERP and SaaS governance
Manual access certification assumes entitlements are stable long enough for reviewers to validate them after the fact. In ERP and SaaS environments, roles shift with reorganisations, vendor onboarding, acquisitions, and process changes, so the review often captures a stale snapshot rather than live risk. When governance is spreadsheet-driven, the control is not only slow, it is structurally behind the environment it is meant to govern. That is why auditors see effort without assurance and why business change keeps outpacing review cadence.
Practical implication: replace spreadsheet certification with controls that evaluate access against current business context, not last quarter's entitlement list.
How unified IGA changes the control surface
Unified IGA collapses fragmented governance into a single operating view across identity, SoD, monitoring, and remediation. Instead of treating audit evidence, policy enforcement, and access review as separate tasks, the platform aligns them into one continuous workflow. That matters because control failures in ERP and finance systems are often cross-functional: a toxic access combination may be approved in one system and invisible in another. Continuous assurance only works when the same policy logic is visible at review, enforcement, and evidence time.
Practical implication: map SoD, access governance, and monitoring to one policy model so exceptions are detected and remediated in the same control plane.
Why continuous assurance matters more than annual compliance
Continuous assurance shifts governance from retrospective proof to live control. In the article's model, time-stamped evidence, automated remediation, and real-time alerts are what reduce audit friction and shorten closure cycles. The deeper change is not automation for its own sake, but the removal of lag between risk creation and risk detection. For organisations operating across ERP, ITSM, and cloud, that lag is where control gaps accumulate and where audit cost balloons.
Practical implication: measure governance by how quickly exceptions are detected and closed, not by how many certifications were completed.
Threat narrative
Attacker objective: The objective is to exploit governance lag so improper access can survive long enough to create financial, compliance, or operational damage.
- Entry occurs when business change such as a new role, vendor relationship, or acquisition creates fresh access paths that legacy governance cannot immediately reconcile.
- Escalation occurs when stale access, privileged role combinations, or orphaned entitlements remain in place long enough to broaden exposure across ERP and finance workflows.
- Impact occurs when a missed permission contributes to fraud, segregation-of-duties failure, regulatory findings, or costly audit remediation.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Codefinger AWS S3 ransomware attack — Codefinger used compromised AWS credentials to encrypt S3 buckets via SSE-C.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Legacy IGA is now a control-lag problem, not a reporting problem. The article describes a market shift away from spreadsheet-driven reviews toward continuous assurance, but the real issue is that periodic governance no longer matches how access changes in ERP and cloud systems. When business change creates new entitlements faster than reviewers can certify them, the control arrives after the risk. Practitioners should treat governance latency as a first-class risk metric.
Unified access governance is becoming the operating model for cross-domain control. ERP, ITSM, cloud, SoD, and remediation cannot be managed as separate islands if the business expects auditable trust. The point is not platform consolidation for its own sake, but the removal of blind spots between policy, evidence, and enforcement. The practitioner takeaway is to design governance around one policy fabric, not multiple disconnected control planes.
Continuous assurance changes the economics of audit. The article's strongest claim is that automation can cut audit effort and close findings faster, but the deeper lesson is that control evidence must be generated at the point of change. That moves governance from seasonal compliance work to always-on operational assurance. Boards and auditors should now expect exception closure speed, not review volume, as the relevant maturity signal.
Identity governance is expanding from access approval to risk choreography. The combination of real-time monitoring, embedded analytics, and automated remediation means governance is no longer just deciding who gets access. It is about spotting when access becomes toxic, when business events invalidate prior approvals, and when controls need to move faster than the transaction stream. Practitioners should align IAM, audit, and finance around the same risk language.
Control lag is the named concept this article exposes. Legacy identity governance was designed for discrete review cycles, but modern enterprise access changes continuously across roles, vendors, and acquisitions. That assumption fails when governance is asked to prove state after the environment has already changed. The implication is that review-based assurance alone cannot describe or contain current risk.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why governance programs that rely on periodic review keep missing live exposure.
- For the next step, see NHI Lifecycle Management Guide for how provisioning, rotation, and offboarding need to change when access must be continuously governed.
What this signals
Control lag will become the defining metric in identity governance programmes. Teams that still measure success by certification completion will miss the more important question of how long risky access remains live after business change. The governance conversation is shifting from periodic review to real-time closure, and that will reshape how auditors judge maturity.
Multi-system governance will matter more than point-in-time compliance evidence. As ERP, finance, and cloud controls converge, practitioners will need one operating model for policy enforcement, remediation, and attestation. The organisations that can prove consistent treatment across systems will reduce both audit cost and exception drift.
Access governance is becoming a lifecycle discipline, not a quarterly task. The practical shift is to connect HR, procurement, and M&A events directly to entitlement changes so stale access is removed at the source. That is the difference between an identity programme that reports on risk and one that actually constrains it.
For practitioners
- Replace spreadsheet access reviews with continuous certification: Move from periodic exports and manual attestations to live entitlement checks tied to current role, business unit, and system state. Focus first on ERP and finance applications where missed permissions create the highest audit and fraud exposure.
- Unify SoD, access policy, and remediation workflows: Create one control model for rule evaluation, exception handling, and evidence capture so toxic combinations are not approved in one system and discovered in another. Use the same policy logic across ERP, cloud HR, procurement, and finance platforms.
- Measure governance by closure speed, not review volume: Track how quickly exceptions are detected, triaged, and removed after a role change, vendor onboarding, or acquisition event. Audit teams need closure time, evidence quality, and exception recurrence rates, not just certification completion counts.
- Synchronise identity changes with business events: Hook governance triggers to HR, procurement, and M&A events so access is re-evaluated when the business changes, not after the next review cycle. This reduces the window where stale access can persist unnoticed.
- Prioritise high-risk applications first: Start with Oracle, SAP, Workday, and other systems where access mistakes can affect financial reporting, payments, or segregation of duties. Expand the model outward once control evidence is stable and repeatable.
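As an added example (not SafePaaS's product logic and not code from the original article), the script below shows mechanically what the "Technical breakdown" and the practitioner points above describe: one SoD policy evaluated across entitlements granted by different systems, orphaned access flagged when a termination event arrives, re-evaluation on every business event rather than at a review date, and a control-lag figure comparing event-driven detection with a quarterly review. Every identity, role name, system, date and event is constructed for illustration; the role pairs in SOD_POLICY are hypothetical, not a real ERP role catalogue.

```python
"""Event-driven SoD and orphaned-access evaluation with a control-lag metric.
Added example; all identities, systems, role names, policy pairs and events are constructed."""
from dataclasses import dataclass, field
from datetime import date

# Hypothetical toxic role combinations. A pair is toxic regardless of which system
# grants each role, which is exactly what a per-system review cannot see.
SOD_POLICY = {
    frozenset({"AP_VENDOR_MASTER_EDIT", "AP_PAYMENT_RELEASE"}),
    frozenset({"GL_JOURNAL_POST", "GL_JOURNAL_APPROVE"}),
}


@dataclass
class Identity:
    name: str
    status: str = "active"                      # "active" or "terminated"
    roles: dict = field(default_factory=dict)   # role -> granting system


def evaluate(identities):
    """Evaluate current state against policy. Returns sorted (identity, finding) tuples:
    cross-system SoD conflicts and orphaned (terminated but still entitled) accounts."""
    findings = []
    for ident in identities.values():
        held = set(ident.roles)
        if ident.status == "terminated" and held:
            findings.append((ident.name, "ORPHANED:" + ",".join(sorted(held))))
        for pair in SOD_POLICY:
            if pair <= held:
                systems = sorted({ident.roles[r] for r in pair})
                findings.append((ident.name, "SOD:" + "+".join(sorted(pair)) + "@" + "/".join(systems)))
    return sorted(findings)


def apply_event(identities, event):
    """Apply one business event (grant, revoke, terminate) to the entitlement state."""
    ident = identities.setdefault(event["identity"], Identity(event["identity"]))
    if event["kind"] == "grant":
        ident.roles[event["role"]] = event["system"]
    elif event["kind"] == "revoke":
        ident.roles.pop(event["role"], None)
    elif event["kind"] == "terminate":
        ident.status = "terminated"


def _record(finding, created, closed, review_dates):
    next_review = min((d for d in review_dates if d >= created), default=None)
    # A periodic review only detects an exposure that is still open on the review date;
    # anything created and closed between reviews never appears in its evidence.
    seen_by_review = next_review is not None and (closed is None or closed > next_review)
    return {
        "finding": finding, "created": created, "closed": closed,
        "continuous_lag_days": 0,   # re-evaluated at the event, so detection is immediate
        "periodic_lag_days": (next_review - created).days if seen_by_review else None,
    }


def control_lag(events, review_dates):
    """Replay events in order, re-evaluating policy after each one, and report for every
    exception when it was created, when it closed, and the detection lag under both models."""
    identities, open_findings, report = {}, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        apply_event(identities, ev)
        current = set(evaluate(identities))
        for f in current - set(open_findings):
            open_findings[f] = ev["ts"]
        for f in set(open_findings) - current:
            report.append(_record(f, open_findings.pop(f), ev["ts"], review_dates))
    for f, created in open_findings.items():
        report.append(_record(f, created, None, review_dates))
    return sorted(report, key=lambda r: (r["created"], r["finding"]))


def run_demo():
    """Constructed event stream: a reorg gives alice a cross-system toxic pair, and bob is
    terminated in HR while his ERP role lingers for nine days before offboarding catches up."""
    events = [
        {"ts": date(2025, 1, 5), "kind": "grant", "identity": "bob", "role": "GL_JOURNAL_POST", "system": "erp"},
        {"ts": date(2025, 1, 10), "kind": "grant", "identity": "alice", "role": "AP_VENDOR_MASTER_EDIT", "system": "procurement"},
        {"ts": date(2025, 2, 3), "kind": "grant", "identity": "alice", "role": "AP_PAYMENT_RELEASE", "system": "erp"},
        {"ts": date(2025, 2, 20), "kind": "terminate", "identity": "bob"},
        {"ts": date(2025, 3, 1), "kind": "revoke", "identity": "bob", "role": "GL_JOURNAL_POST"},
        {"ts": date(2025, 4, 5), "kind": "revoke", "identity": "alice", "role": "AP_PAYMENT_RELEASE"},
    ]
    quarterly_reviews = [date(2025, 3, 31), date(2025, 6, 30)]
    return control_lag(events, quarterly_reviews)


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

Run as written, the report shows alice's SoD conflict open for 56 days before the quarterly review would have seen it (versus immediate detection when the February grant is evaluated against policy), and bob's orphaned ERP role, which was live for nine days after termination, with no periodic lag at all because it was cleaned up before the review date and so never entered the review's evidence. That second case is the "control exists on paper, not in practice" failure the Key questions section describes.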
Key takeaways
- Legacy identity governance fails when access changes faster than review cycles can catch up.
- The evidence points to a structural shift toward continuous assurance, not just faster audits.
- Practitioners should focus on one policy model, live entitlement checks, and faster exception closure.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 sets the governance and control requirements practitioners need to meet; the table uses CSF 2.0 subcategory identifiers (the Identity Management, Authentication and Access Control category is PR.AA in 2.0, replacing PR.AC from CSF 1.1).
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | Identities and credentials for users, services and hardware are managed by the organisation; identity assurance and access governance are central to continuous control. |
| NIST CSF 2.0 | PR.AA-05 (CSF 1.1 PR.AC-4) | Access permissions and entitlements are defined in policy, managed, enforced and reviewed, incorporating least privilege and separation of duties; this drives the article's governance model. |
| NIST CSF 2.0 | GV.PO-01 | Cybersecurity risk management policy is established, communicated and enforced; the article emphasises formal governance policy across identity controls. |
Use PR.AA-01 to keep identities and credentials for users and service accounts under management, PR.AA-05 to define, enforce and review entitlements against least privilege and SoD in current business context, and GV.PO-01 to anchor both in a policy that is communicated and enforced rather than certified after the fact.
Key terms
- Identity Governance and Administration: Identity Governance and Administration is the discipline of deciding who should have access, proving that access is appropriate, and removing it when it is no longer justified. In practice, it combines approvals, certifications, SoD controls, evidence, and remediation across human and non-human identities.
- Continuous Assurance: Continuous assurance is a governance model where controls, evidence, and remediation operate continuously rather than at fixed review intervals. It matters because access risk changes with business events, so proof of control must be generated close to the moment of change, not after the fact.
- Segregation of Duties: Segregation of Duties is a control that prevents one identity from holding combinations of access that could enable fraud, abuse, or unreviewed changes. In enterprise systems, it is often the difference between approved business efficiency and hidden financial or operational risk.
- Control Lag: Control lag is the time gap between when a risky change occurs and when governance detects or corrects it. In identity programmes, longer lag means more exposure, weaker audit evidence, and more opportunities for stale or toxic access to persist undetected.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
This post draws on content published by SafePaaS: Enterprise governance is being transformed through modern identity access governance. Read the original.
Published by the NHIMG editorial team on 2025-11-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org