TL;DR: IGA buyers now expect adoption, operational speed, and user experience to carry as much weight as policy coverage. Lumos was named a Strong Performer in Gartner Peer Insights’ 2026 Voice of the Customer for IGA, with a 4.7 out of 5.0 rating, 96% willingness to recommend, and 51 verified reviews that point to faster access workflows and lower manual effort.
At a glance
What this is: Lumos’ first Gartner Peer Insights appearance in IGA highlights customer demand for faster, easier access governance with strong deployment and support outcomes.
Why it matters: For IAM teams, the lesson is that IGA success is increasingly measured by usable workflows, review completion, and operational lift across human, NHI, and emerging autonomous identity programmes.
By the numbers:
- Lumos earned a 4.7 out of 5.0 overall rating and a 96% willingness-to-recommend score based on 51 verified reviews.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
👉 Read Lumos’ perspective on its Gartner Peer Insights recognition for IGA
Context
IGA platforms are being judged less on policy intent and more on whether they actually reduce work, improve completion rates, and support day-to-day access decisions. In practice, that means access governance now has to serve administrators, reviewers, and end users at the same time, or adoption stalls.
Lumos’ customer feedback is a useful signal because it frames IGA as an operational programme, not a compliance artifact. That matters across human identity, NHI lifecycle control, and the emerging governance needs around agentic access, where review friction and manual overhead can quickly become control failures.
Key questions
Q: How should organisations make IGA workflows usable without weakening control?
A: Design access request and review flows around completion, not just policy intent. Shorten approval paths, pre-populate entitlement context, and remove manual steps that add no decision value. If reviewers and end users routinely abandon the process, the control is not operating as designed. Usability is a security requirement because incomplete workflows create unmanaged access outside the review cycle.
Q: Why do deployment and support outcomes matter in identity governance?
A: Because governance controls that are difficult to deploy or maintain often remain only partially in force. When rollout is inconsistent, reporting is incomplete and lifecycle actions lag behind business change. Deployment quality therefore affects whether the programme can actually enforce reviews, revocations, and accountability across the environment.
Q: How can IAM teams govern human, NHI, and autonomous access in one programme?
A: Use one lifecycle governance model, but apply different enforcement rules by actor type. Humans need attestation and access review, NHIs need ownership, rotation, and offboarding, and autonomous identities need scrutiny of runtime authority and delegation. One programme works best when the governance model is unified and the controls are actor-specific.
Q: What does high user satisfaction tell security leaders about IGA maturity?
A: It usually means the governance process is becoming usable enough to support repeatable operation. High satisfaction does not replace control validation, but it often correlates with higher completion rates, fewer workarounds, and better adoption across business units. That combination matters because access governance only works when people actually use it.
Technical breakdown
Why IGA platforms fail when access workflows are not operationally usable
IGA breaks down when approval and review flows create more friction than teams can absorb. If request paths are hard to navigate, reviewers delay decisions, and access decisions drift outside the governed process. That is not a UI problem only; it is a governance failure because policy exists on paper but not in practice. In mature programmes, the real test is whether access requests, certifications, and revocations can be completed consistently enough to support audit and least privilege. The best signal of control quality is completion rate, not policy volume.
Practical implication: measure access workflow completion and cycle time before adding more policy layers.
What deployment and support scores say about IGA control maturity
Deployment and support experience are often proxies for whether a governance programme can be operationalised. A platform that is difficult to deploy or support tends to leave access reviews partially implemented, reporting incomplete, and lifecycle actions delayed. In identity work, incomplete implementation is itself risk because the control exists only where the rollout succeeded. For IAM and IGA leads, the question is not whether a tool can claim coverage, but whether the control can be sustained across business units, SaaS sprawl, and changing entitlement structures.
Practical implication: treat deployment friction as a control risk, not just an implementation inconvenience.
IGA for human users, NHIs, and autonomous identities is converging
The governance model is moving toward a shared lifecycle discipline across human, machine, and autonomous identities, even though the execution patterns differ. Human access reviews still rely on attestation, NHI governance depends on ownership, rotation, and offboarding, and autonomous identities introduce runtime behaviour that can outpace review cadences. The common thread is accountability for entitlement creation, use, and removal. A programme that is easy for humans but brittle for machine identities will not scale; neither will one that ignores the operational reality of autonomous access paths.
Practical implication: design one lifecycle governance model with actor-specific controls instead of separate disconnected processes.
NHI Mgmt Group analysis
IGA buyers are rewarding controls that users can actually complete, not just controls that exist in policy. The reviewer themes in this article point to a mature market correction: access governance is no longer judged by entitlement catalogues alone. When access request and review steps are simpler for end users and reviewers, completion rates rise and compliance evidence becomes more reliable. Practitioners should read this as a shift from policy-centric IGA to execution-centric IGA.
Deployment and support experience are now governance indicators, not just service metrics. A platform that is hard to operationalise leaves gaps in review coverage, entitlement cleanup, and reporting continuity. That is especially relevant in mixed identity environments where humans, service accounts, and AI-driven access paths all need consistent oversight. The field should stop treating implementation quality as secondary; it is part of the control surface.
Identity governance is converging across human, NHI, and autonomous identity lifecycles. The same programme pressures are showing up in every actor class: reduce friction, prove accountability, and remove access on time. The governance challenge is no longer whether a team manages access, but whether it can do so at the pace identities now move. Practitioners should plan for one lifecycle model with actor-specific enforcement, not three disconnected ones.
Access governance value is shifting toward measurable business outcomes. Reviewers cited lower IT overhead, faster access, and better savings from removing idle access, which shows that identity governance is increasingly expected to produce operational efficiency as well as control. That changes how programmes justify investment: the question is no longer only whether access is compliant, but whether governance is helping the business move faster without expanding risk. Practitioners should align identity metrics to both control and productivity.
From our research:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- A broader lifecycle view is available in 52 NHI Breaches Analysis, which shows how delayed revocation and ownership gaps compound exposure across identity programmes.
What this signals
Identity governance is becoming an execution discipline. The Lumos review themes reinforce a market-wide shift: teams will be judged on whether access reviews, request flows, and revocations actually finish. For programmes that still rely on manual follow-up, the gap is no longer theoretical. The practical benchmark is whether review completion and entitlement cleanup can be sustained as the identity estate grows, especially as NHI lifecycle pressures keep rising.
Completion friction is the hidden failure mode in many governance programmes. When requests are easy to make but hard to finish, risk migrates outside the controlled workflow. That matters for both human access governance and non-human identities, where the cost of delay is often persistent entitlement exposure. The control question is no longer whether access is approved, but whether the approval process is fast enough to remain the real system of record.
Access governance now needs to absorb emerging autonomous identity behaviour without losing auditability. As agentic systems enter enterprise workflows, the same expectations around accountability, revocation, and oversight will be applied to identities that can act at runtime. The most resilient programmes will build one governance model that can extend from human access to machine identity and then to autonomous actors, while keeping review evidence and ownership clear.
For practitioners
- Measure access workflow completion rates Track how many access requests and reviews are completed on time, rejected, or abandoned. Low completion is a governance failure because the process is not usable enough to become the system of record.
- Treat deployment friction as control risk Record where implementation slows rollout, fragments reporting, or leaves certain business units outside the operating model. Controls that cannot be deployed consistently should not be counted as fully effective.
- Unify lifecycle governance across identity types Use one governance model for humans, service accounts, and AI-driven access, but enforce actor-specific rules for approval, ownership, review cadence, and offboarding.
- Prioritise revocation of idle and inactive access Build periodic removal into access operations so unused entitlements do not stay available simply because they were never challenged. Pair that with ownership checks for every entitlement class.
Key takeaways
- IGA is being judged on usability and completion, not only on policy design.
- Deployment and support quality now shape whether access controls are actually enforceable.
- Identity programmes should converge human, NHI, and autonomous lifecycle governance into one operating model.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | IGA review and revocation align directly to access control governance. |
| NIST Zero Trust (SP 800-207) | AC-6 | Least privilege depends on timely entitlement enforcement across access lifecycles. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle and revocation failures are central to non-human identity risk. |
Apply least-privilege enforcement to every identity type and verify entitlement removal after task completion.
Key terms
- Identity governance and administration: Identity governance and administration is the set of processes that define, approve, review, and remove access across an organisation. It turns policy into repeatable control by linking entitlements to ownership, lifecycle action, and evidence. In modern programmes, it must work for human users, non-human identities, and emerging autonomous actors.
- Access review: An access review is a periodic check that confirms whether an identity still needs its current entitlements. The control is only effective when reviewers can act on current information, the process is completed on time, and removal is enforceable. For non-human and autonomous identities, the review must account for faster change and clearer ownership.
- Lifecycle governance: Lifecycle governance is the discipline of managing identity from creation through use to removal. It includes onboarding, changes in access, certification, revocation, and offboarding, with different enforcement patterns for humans, NHIs, and autonomous systems. The goal is to keep entitlement state aligned with real operational need.
- Autonomous identity: An autonomous identity is a non-human identity that can make runtime decisions about actions, tools, and execution timing without human approval gates. That changes governance because entitlement scope can shift within a session, which means traditional review cadences may no longer capture meaningful evidence. It requires lifecycle controls that reflect behaviour, not just provisioning state.
What's in the full analysis
Lumos' full post covers the reviewer feedback and category placement this analysis intentionally leaves at a higher level:
- Verified review excerpts describing access request and review experience in day-to-day operations
- Category score breakdowns across product capabilities, sales, deployment, and support
- Customer themes around time-to-value, reduced IT overhead, and access workflow adoption
- How Lumos frames its own autonomous identity positioning in the context of the Gartner recognition
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-04-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org