TL;DR: Light IGA can handle provisioning, deprovisioning, and access reviews for smaller cloud-native environments, but it breaks down when organisations face disconnected systems, toxic role overlaps, and visibility gaps across human and non-human identities, according to Gathid. The governance ceiling is not technical coverage alone; it is the assumption that connected systems and clean roles still describe the real environment.
At a glance
What this is: The article argues that Light IGA is useful for basic lifecycle governance, but insufficient when identity environments become hybrid, fragmented, and NHI-heavy.
Why it matters: It matters because IAM teams cannot rely on access reviews and provisioning alone when policy drift, legacy systems, and non-human identities create governance blind spots.
By the numbers:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, and organisations failing to scope AI access properly are 4.5x more likely to experience a security incident.
👉 Read Gathid's analysis of why Light IGA reaches its limits
Context
Light IGA is the version of identity governance that covers the basics: provisioning, deprovisioning, and access reviews. That is enough for some cloud-native organisations, but it assumes roles are clean, systems are connected, and access can be governed from a relatively tidy directory-centric model.
The problem is that modern identity estates are not tidy. Hybrid infrastructure, legacy applications, operational technology, mergers, re-organisations, and non-human identities all create drift that basic IGA cannot fully see or explain. That is why many teams need a broader governance layer that covers non-human identities and their lifecycle (see our Ultimate Guide to NHIs and NHI Lifecycle Management Guide), not just a lighter workflow engine.
Key questions
Q: What breaks when Light IGA is used in a fragmented identity estate?
A: Light IGA breaks down when access must be governed across disconnected systems, legacy applications, and non-human identities that do not fit clean directory models. In that environment it can still run reviews and approvals, but it cannot reliably prove that the live identity state matches policy. The result is partial governance, not full assurance.
Q: Why do non-human identities complicate identity governance?
A: Non-human identities complicate governance because they often live outside the systems and workflows that standard IAM tools were designed to cover. Service accounts, API keys, bots, and AI agents can accumulate access in cloud, operational, and custom platforms without a clear ownership trail. That makes lifecycle control and audit evidence harder to sustain.
Q: How do organisations know if access reviews are actually working?
A: Access reviews are working only if they reduce drift, remove stale access, and keep the live estate aligned with policy after approvals are complete. If review campaigns happen on schedule but disconnected systems, role sprawl, or orphaned non-human identities still exist, the programme is producing compliance activity without governance certainty.
Q: Who should own governance when human and machine identities overlap?
A: Ownership should sit with the identity governance function, but accountability must be shared with system owners and platform teams that control the source systems. When machine identities are involved, the control objective is the same as for humans, which is to ensure every account has a purpose, an owner, and a lifecycle endpoint.
Technical breakdown
Why Light IGA struggles with identity drift
Light IGA is built to manage the lifecycle of access in systems that can be described cleanly through directories, roles, and review campaigns. Identity drift appears when actual access diverges from the model because users accumulate exceptions, systems sit outside core integrations, or roles multiply faster than they can be rationalised. In those conditions, the governance layer can still issue reviews and approvals, but it cannot reliably prove that the live environment matches policy. The result is partial governance, where activity exists but assurance does not.
Practical implication: measure whether your governance tooling can detect drift across disconnected systems, not just run review campaigns.
Visibility gaps across non-human identities and hybrid systems
Non-human identities, including service accounts, API keys, bots, and AI agents, do not behave like employee identities. They are often distributed across cloud services, operational platforms, and custom applications, which means access can exist outside the scope of standard IGA connectors. When governance cannot correlate identity, privilege, and system ownership across those environments, it loses the ability to answer basic questions about why access exists and whether it should still exist. That is a visibility problem first, and a lifecycle problem second.
Practical implication: build an inventory that includes machine and agent identities alongside human accounts, then reconcile it against authoritative sources.
Toxic role combinations in fragmented environments
Toxic role combinations emerge when individually acceptable entitlements combine into a privilege pattern that no one intended. Light IGA often handles role assignment and recertification, but it does not always model the interaction effects between roles, inherited entitlements, and business exceptions across multiple platforms. In fragmented estates, that means the organisation may approve access in isolation while still creating an excessive effective privilege set. Governance becomes reactive instead of relational, which is exactly where hidden risk accumulates.
Practical implication: test for combined privilege exposure across systems, not only for isolated entitlements in a single application.
Threat narrative
Attacker objective: The objective is to exploit governance blind spots that let excessive or obsolete access persist undetected across human and machine identities.
- Entry occurs when governance is extended into a fragmented environment that still contains disconnected systems, legacy applications, and non-human identities outside the core model.
- Escalation occurs when access drift, toxic role overlaps, and stale entitlements accumulate faster than review campaigns can correct them.
- Impact appears when the organisation cannot confidently prove who has access, why they have it, or whether terminated or over-privileged identities have been fully removed.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Codefinger AWS S3 ransomware attack — Codefinger used compromised AWS credentials to encrypt S3 buckets via SSE-C.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Partial identity governance is a control state, not a governance outcome. Light IGA can prove that processes ran, but not that the environment is actually governed. When disconnected systems, legacy applications, and non-human identities sit outside the governance model, the organisation gets activity without assurance. The practitioner conclusion is simple: coverage metrics are not the same as governance maturity.
Daily visibility is now the minimum viable governance standard. Access review cadence was built for stable environments, but modern identity estates change continuously through SaaS growth, M&A, infrastructure churn, and AI adoption. A daily relational view is what turns identity data into governance evidence, because the problem is not only who was approved, but what changed after approval. Practitioners should treat daily correlation as a baseline control.
Identity governance must extend beyond human accounts to service accounts, bots, and AI agents. The article’s core warning is that human IAM assumptions collapse when machine identities become part of the operating model. NHI governance is no longer a specialist add-on, it is now part of core enterprise identity control. The practitioner conclusion is to govern all identity types through the same lifecycle discipline, while recognising their different access behaviours.
Light IGA fails where role models stop matching reality. The named concept here is governance gap by model drift: the organisation believes it is governing access, but the operating environment has already moved beyond the model. That gap widens in hybrid estates because access logic becomes fragmented across directories, applications, and operational platforms. Practitioners should assume that any role model that is not continuously validated will eventually become a compliance artefact rather than a control.
Board-level trust claims require proof across the full identity estate. Saying “we know who has access” only matters if the answer includes human, non-human, legacy, and federated accounts. The article shows that governance is increasingly a cross-domain integrity problem, not a workflow problem. Practitioners should align identity assurance with evidence that survives audit, incident response, and business change.
From our research:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- A separate finding from the same survey shows that 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems.
- For broader NHI lifecycle context on the gap between policy intent and operational control, see our NHI Lifecycle Management Guide.
What this signals
Governance teams should treat Light IGA as a front door, not the control plane. Once an estate includes disconnected applications, non-human identities, and rapidly changing access relationships, the real work moves to continuous correlation and exception detection. The practical question is no longer whether reviews exist, but whether the organisation can reconstruct access truth after business change.
Governance gap by model drift: the most dangerous identity risk is often not a missing policy, but a model that no longer matches the estate it is supposed to govern. That is why a daily identity graph matters in hybrid environments, especially when M&A and AI adoption keep changing the access topology. Practitioners should prepare for governance to become a continuous evidence function, not a periodic workflow.
With 70% of organisations granting AI systems more access than they would give a human employee performing the exact same job, the boundary between human IAM and NHI governance is already collapsing in practice, per The 2026 Infrastructure Identity Survey. Teams should expect future governance designs to validate relationships, not just entitlements.
For practitioners
- Map governance coverage against real identity complexity: Inventory which systems, account types, and identity relationships are actually visible to Light IGA, then compare that coverage with legacy applications, OT, SaaS, and AI-related identities that sit outside the model.
- Reconcile human and non-human identities in one control view: Build a single view that links users, service accounts, API keys, bots, and AI agents to their owning systems and business purpose, then flag identities that cannot be tied to an accountable owner.
- Test for privilege combinations across systems: Review whether separated entitlements become toxic when combined across finance, HR, OT, and cloud platforms, and validate the result against actual usage rather than theoretical role design.
- Move from annual review cycles to daily validation: Use a daily reconciliation process to detect access drift, terminated-user residue, and role sprawl before the next access certification campaign, especially in environments with frequent organisational change.
- Treat NHI lifecycle governance as part of core IAM: Extend ownership, offboarding, and re-certification discipline to service accounts and AI agents so that machine access is reviewed with the same seriousness as human access.
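The following Python script is an added example for this page, not Gathid's product logic or code from the original article. It works through the practitioner steps above (inventory, single control view, cross-system privilege combinations, daily validation) and the drift, visibility and toxic-role sections of the technical breakdown in one daily reconciliation pass: it takes a snapshot of what each system actually reports, compares it with what the IGA platform believes it approved, and returns four kinds of findings. All identities, systems, entitlements, owners and separation-of-duties rules are constructed sample data; in a real deployment the observed snapshot would come from connectors, cloud APIs or logs and the approved set from the governance platform.

```python
"""Daily reconciliation of observed access against the governed model.

Finds four classes of governance gap that review campaigns alone miss:
  1. drift               - live entitlements the model never approved
  2. terminated_residue  - access still held by identities that were offboarded
  3. orphaned_nhis       - machine identities with no accountable owner
  4. toxic_combinations  - individually approved entitlements that combine
                           into a separation-of-duties violation
"""
from collections import defaultdict

# Constructed daily snapshot: (identity, kind, system, entitlement).
# Hypothetical names; nothing here refers to a real organisation.
OBSERVED = [
    ("alice", "human", "erp", "ap.create_vendor"),
    ("alice", "human", "erp", "ap.approve_payment"),   # each approved alone, toxic together
    ("bob", "human", "hr", "payroll.read"),
    ("carol", "human", "cloud", "iam.admin"),          # carol was terminated last week
    ("svc-backup", "nhi", "cloud", "s3.full"),
    ("svc-backup", "nhi", "cloud", "kms.decrypt"),     # never approved: drift
    ("agent-triage", "nhi", "ticketing", "tickets.write"),
    ("legacy-batch", "nhi", "mainframe", "batch.run"), # no owner on record
]

# What the IGA platform believes it approved: (identity, system, entitlement).
APPROVED = {
    ("alice", "erp", "ap.create_vendor"),
    ("alice", "erp", "ap.approve_payment"),
    ("bob", "hr", "payroll.read"),
    ("svc-backup", "cloud", "s3.full"),
    ("agent-triage", "ticketing", "tickets.write"),
    ("legacy-batch", "mainframe", "batch.run"),
}

# Authoritative sources: the HR leaver feed and the NHI ownership register.
TERMINATED = {"carol"}
OWNERS = {"svc-backup": "platform-team", "agent-triage": "support-ops"}

# Constructed separation-of-duties rules. Each rule is a set of
# (system, entitlement) pairs that must never be held by one identity;
# the last rule spans two systems, which is where single-application
# review campaigns go blind.
TOXIC_PAIRS = [
    frozenset({("erp", "ap.create_vendor"), ("erp", "ap.approve_payment")}),
    frozenset({("cloud", "s3.full"), ("cloud", "kms.decrypt")}),
    frozenset({("hr", "payroll.edit"), ("erp", "ap.approve_payment")}),
]


def effective_access(observed):
    """Collapse the snapshot into identity -> set of (system, entitlement)."""
    access = defaultdict(set)
    for identity, _kind, system, entitlement in observed:
        access[identity].add((system, entitlement))
    return access


def drift(observed, approved):
    """Entitlements present in the live estate but absent from the model."""
    live = {(i, s, e) for i, _k, s, e in observed}
    return sorted(live - approved)


def terminated_residue(observed, terminated):
    """Any access still held by an identity the authoritative source says has left."""
    return sorted((i, s, e) for i, _k, s, e in observed if i in terminated)


def orphaned_nhis(observed, owners):
    """Machine identities that cannot be tied to an accountable owner."""
    nhis = {i for i, kind, _s, _e in observed if kind == "nhi"}
    return sorted(i for i in nhis if i not in owners)


def toxic_combinations(observed, toxic_pairs):
    """Identities whose effective cross-system access contains a full toxic set."""
    findings = []
    for identity, access in effective_access(observed).items():
        for rule in toxic_pairs:
            if rule <= access:
                findings.append((identity, tuple(sorted(rule))))
    return sorted(findings)


def reconcile(observed=OBSERVED, approved=APPROVED, terminated=TERMINATED,
              owners=OWNERS, toxic_pairs=TOXIC_PAIRS):
    """One daily pass; run it before, not instead of, the certification campaign."""
    return {
        "drift": drift(observed, approved),
        "terminated_residue": terminated_residue(observed, terminated),
        "orphaned_nhis": orphaned_nhis(observed, owners),
        "toxic_combinations": toxic_combinations(observed, toxic_pairs),
    }


if __name__ == "__main__":
    for finding, rows in reconcile().items():
        print(finding)
        for row in rows:
            print("   ", row)
```

Two design points follow from the article. Drift is computed as live minus approved, never the other way round: access that was approved but is no longer present is an operational question, while access that exists without approval is the assurance gap. And toxic combinations are evaluated on effective access across every system an identity touches, so alice is flagged even though each of her ERP entitlements passed review on its own.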
Key takeaways
- Light IGA is sufficient for basic lifecycle tasks, but it does not fully govern fragmented identity estates.
- Identity drift, toxic role overlap, and non-human identities expose the limits of directory-centric access control.
- Practitioners need continuous visibility and lifecycle accountability across human, machine, and legacy identities to produce real assurance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding; NHI7:2025 Long-Lived Secrets | Light IGA gaps often show up as missing offboarding, rotation and lifecycle control for machine identities. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions, entitlements and authorizations must be managed and reviewed against actual access across fragmented systems. |
| NIST Zero Trust (SP 800-207) | Tenets of Zero Trust (Section 2.1) | Dynamic, continuously evaluated authorization fits the article's push from periodic review to daily trust signals. |
Map non-human account ownership and offboarding to NHI1 and credential rotation to NHI7, then validate that every credential has a lifecycle owner.
Key terms
- Light IGA: A lighter identity governance model that focuses on core lifecycle tasks such as provisioning, deprovisioning, and access reviews. It is useful when systems are relatively clean and well-connected, but it often struggles to represent hybrid estates, disconnected applications, and non-human identities accurately enough for full assurance.
- Identity drift: The gap between the access model an organisation thinks it governs and the access state that actually exists in production. It appears when exceptions, stale entitlements, and system changes accumulate faster than governance processes can reconcile them, especially across mixed human and machine identity environments.
- Toxic role combination: A privilege pattern created when two or more individually acceptable roles combine into a level of access that was never intended. In practice, this is a modelling problem as much as an assignment problem, because the risk emerges from how entitlements interact across systems and business contexts.
- Non-human identity: An identity used by software rather than a person, such as a service account, API key, token, certificate, bot, workload, or AI agent. These identities need ownership, lifecycle control, and visibility because they often persist longer and operate more broadly than human access is expected to.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Gathid: Daily Trust, a smarter path to identity governance part three. Read the original.
Published by the NHIMG editorial team on 2025-09-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org