By NHI Mgmt Group Editorial Team
Published 2026-01-30
Domain: Governance & Risk
Source: ConductorOne

TL;DR: Nearly 3,000 hours were saved in 2025 through policy, automation, and workflow improvements, according to ConductorOne’s January 2026 product updates on continuous, time-bound identity governance. The underlying shift is that static approvals and quarterly checkpoints no longer match how access is requested, reviewed, and revoked in modern environments.


At a glance

What this is: This is a product update about making identity governance more dynamic, self-service, and observable, with a key finding that modern programmes need continuous controls rather than static checkpoints.

Why it matters: It matters because IAM teams must govern humans, NHIs, and emerging autonomous workflows with the same operational discipline, or review, provisioning, and offboarding will keep lagging how work actually happens.

By the numbers: nearly 3,000 hours saved in 2025 through policy, automation, and workflow improvements, according to ConductorOne's January 2026 product updates.

👉 Read ConductorOne's January 2026 product updates on modern identity at scale


Context

Identity governance breaks down when it is treated as a set of periodic approvals instead of a continuous control plane. That gap is visible across access reviews, provisioning, automation, and workflow orchestration, where modern work now moves faster than quarterly governance cycles.

ConductorOne’s January updates are framed around a simple operational problem: how to make identity easier to use without turning convenience into unmanaged privilege. The primary issue for IAM teams is not whether workflows are automated, but whether they remain observable, policy-bound, and reversible across human access, NHI access, and any agent-driven access paths that may emerge.


Key questions

Q: How should security teams design self-service identity workflows without creating standing privilege?

A: Security teams should expose only repeatable, low-risk workflows through governed request paths, with structured forms, policy-based approvals, and auditable execution. The request experience can be simple, but the underlying entitlement model must stay narrow, time-bound, and reversible. If a workflow requires broad admin access to function, it is not self-service, it is delegated privilege.

Q: Why do access reviews fail when they become too manual at scale?

A: Access reviews fail when reviewer effort is high enough that people delay decisions, approve in batches without sufficient scrutiny, or ignore campaigns altogether. The result is not just slower governance, but weaker evidence quality and more stale access. Review design has to optimise for completion fidelity, not just formal compliance.

Q: How do organisations know whether identity operations are actually under control?

A: They know by tracking operational signals such as expiring grants, extension requests, submission timing, and workflow exceptions. If those measures show repeated delays, repeated extensions, or unexplained gaps in deprovisioning, the programme is managing paperwork rather than access. Control exists when exceptions are visible, attributable, and resolved quickly.

Q: What should IAM teams prioritise as identity programmes scale?

A: IAM teams should prioritise observability, reversibility, and policy enforcement over simply adding more workflows. Scale increases the chance that edge cases, fallback logic, and deprovisioning overlaps will create hidden risk. A mature programme can show who requested access, who approved it, when it expires, and how it is removed.


Technical breakdown

Requestable automations as governed service delivery

Requestable automations turn backend identity and IT workflows into user-facing services without granting standing administrative access. The control model is still governance first: structured forms collect required context, approvals enforce policy, and execution is recorded in a full audit trail. This matters because it separates the request channel from the privilege model. Users can ask for an outcome, while the system decides whether and how the workflow runs. The technical shift is from ad hoc scripting and ticket handoffs to policy-mediated orchestration that can be monitored and reviewed.

Practical implication: expose repeatable workflows through the access catalog only when approvals, logging, and rollback paths are already defined.

Batch access review submission and reviewer ergonomics

Batch submission changes access reviews from one-decision-at-a-time friction into a grouped workflow that still preserves reviewer accountability. Reviewers can assess multiple entitlements incrementally, then submit once the full context is visible. That reduces context switching, which is a real failure mode in large campaigns where reviewers make inconsistent choices or abandon reviews entirely. The added submission tracking also gives administrators a clearer audit record of who decided what and when, which improves evidence quality without changing the underlying review semantics.

Practical implication: use batch review mechanics to improve completion rates, but keep the entitlement model and approver evidence tied to each decision.

Access operations telemetry and workflow edge-case handling

The access operations dashboard enhancements point to a broader governance pattern: identity programmes need operational telemetry, not just policy definitions. Expiring grants, extension requests, response-time percentiles, and mapping-error debugging all help teams see where access processes slow down or drift outside intended behaviour. The edge-case fixes matter because governance failures often begin where workflows stall, accounts are deprovisioned mid-process, or fallback logic is unclear. Better observability makes those states detectable before they become permission debt or audit gaps.

Practical implication: measure workflow latency, extension rates, and deprovisioning exceptions as governance signals, not just operational noise.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity governance is becoming a service model, not a review calendar. The strongest signal in this update is not the individual feature set but the operating model behind it. Identity programmes that still rely on static checkpoints will keep missing the point because access is now requested, approved, extended, and revoked as part of live work. Practitioners should treat governance as an always-on service layer rather than a quarterly administrative event.

Review throughput is now a control quality issue, not just a usability issue. Batch submission, submission tracking, and clearer exports are all responses to a real governance constraint: reviewer friction changes decision quality. When access campaigns become too cumbersome, approvers defer, rubber-stamp, or disengage, and the organisation inherits stale entitlements. The implication is that access review design must be judged by completion fidelity and evidence quality, not by whether the workflow exists.

Observable identity operations are the new baseline for modern IAM. Expiring grants, extension requests, and response-time percentiles are useful because they expose how access really behaves once policy meets execution. Access drift hides inside governance workflows: if you cannot see where extensions accumulate or where deprovisioning creates gaps, you cannot claim control over the lifecycle. The practitioner conclusion is straightforward: programmes need operational telemetry before they can credibly claim maturity.

Self-service only reduces risk when the request path and the privilege path stay separated. Requestable automations are valuable only because they let teams serve common needs without converting every workflow into privileged human access. That separation matters across human IAM and NHI governance alike, because the control objective is the same: request convenience must not become standing authority. IAM teams should evaluate every self-service workflow by whether it narrows or widens entitlement exposure.

Governance programmes will increasingly be judged on reversibility. The more identity work becomes automated and self-service, the more important it is that actions can be traced, extended, and undone cleanly. That principle applies to human approvals today and to machine or agent-driven access tomorrow. Practitioners should expect auditability, rollback, and offboarding continuity to become the real maturity markers, not the number of workflows automated.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why lifecycle blind spots persist even in mature identity programmes.
  • That visibility gap is explored further in 52 NHI Breaches Analysis, where recurring access and offboarding failures show how privilege debt accumulates.

What this signals

Access drift in governance workflows: the more identity operations are made self-service, the more valuable it becomes to measure where requests, approvals, and extensions diverge from policy intent. Teams that cannot see those divergences will keep confusing activity with control.

The operational signal to watch is not whether the workflow exists but whether it can be completed, audited, and reversed without manual rescue. That is where identity maturity shows up in practice, especially once access reviews and deprovisioning begin to scale.

With 91.6% of secrets still valid five days after notification, per our Ultimate Guide to NHIs, the lesson for programmes modernising governance is clear: visibility without timely reversal is not control.


For practitioners

  • Map identity workflows to service boundaries: Identify which access requests, approvals, and revocations can be exposed as governed services without creating standing administrative privilege. Require structured input, policy checks, and auditable execution for each service before users can request it.
  • Treat access review friction as a governance defect: Measure completion rates, reviewer delay, and abandonment across campaigns. If reviewers need to switch contexts repeatedly, redesign the review batch size and evidence layout so decisions remain deliberate and attributable.
  • Instrument lifecycle exceptions as control failures: Track expiring grants, extension requests, deprovisioning overlaps, and mapping errors in the same dashboard. Use those signals to find where lifecycle processes break down before stale access becomes accepted state.
  • Separate request convenience from privilege expansion: Review every self-service workflow to ensure it does not quietly reintroduce admin access through back doors, fallbacks, or unbounded extensions. The safest workflows are the ones that reduce manual work without widening entitlement scope.

Key takeaways

  • Identity governance is moving from periodic approvals toward continuous, service-oriented control.
  • The scale signal is operational, not cosmetic: customer usage shows thousands of hours can be recovered when workflows are policy-bound and observable.
  • Teams should treat review friction, extension debt, and lifecycle exceptions as control signals that shape governance maturity.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-05 (access permissions, entitlements, and authorizations are defined in policy, managed, enforced, and reviewed) | Identity workflows, approvals, and access reviews map directly to this subcategory.
NIST Zero Trust (SP 800-207) | Section 2.1 tenets: per-session access, access determined by dynamic policy, authentication and authorization enforced dynamically before access | Continuous verification fits the post's focus on time-bound, policy-mediated governance.
OWASP Non-Human Identity Top 10 | NHI1 Improper Offboarding; NHI7 Long-Lived Secrets | Lifecycle visibility, deprovisioning gaps, and rotation gaps affect non-human credentials too.

Review workflow permissions and approval paths against PR.AA-05 so access is policy-bound, periodically reviewed, and auditable.


Key terms

  • Governed automation: A governed automation is a workflow that executes a task without giving the requester broad standing access. It uses policy checks, structured inputs, and audit records so the organisation can approve outcomes while keeping privilege narrow and traceable.
  • Access review batch submission: Access review batch submission lets reviewers assess multiple decisions incrementally and submit them together. The control value is not speed alone, but reduced context switching and better decision consistency in large campaigns where partial work would otherwise be abandoned or rubber-stamped.
  • Lifecycle exception: A lifecycle exception is any access state that falls outside the expected joiner, mover, or leaver flow, such as an extension, a deprovisioning overlap, or a mapping error. These exceptions often reveal where governance is losing visibility or failing to complete cleanup.
  • Access drift: Access drift is the gradual gap between intended permissions and actual entitlements over time. It appears when reviews are delayed, extensions accumulate, or deprovisioning does not fully remove access, leaving the programme with more privilege than policy intended.

Deepen your knowledge

Identity governance as a service layer is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are modernising reviews, provisioning, and offboarding in a similar operating model, it is worth exploring.

This post draws on content published by ConductorOne: January 2026 Product Updates: Modern Identity at Scale. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org