TL;DR: Cloud-first estates are stretching identity governance across AD, SaaS, and hybrid systems, while manual reviews, static entitlements, and siloed processes leave stale access and blind spots behind, according to RSA Security. The governance problem is no longer review volume alone, but whether access data, remediation, and auditability can keep pace with enterprise sprawl.
At a glance
What this is: RSA Security argues that cloud-first identity governance must move beyond manual, siloed access reviews to handle sprawling entitlements across hybrid and SaaS environments.
Why it matters: This matters because IAM, IGA, PAM, and lifecycle teams now have to govern access data and remediation across many systems without losing context, auditability, or speed.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
👉 Read RSA Security's analysis of modern identity governance for cloud-first enterprises
Context
Identity governance is the discipline of deciding who or what should have access, how that access is approved, and when it should be removed. In cloud-first enterprises, the problem is not just more identities, but more places where entitlement data can drift away from reality, especially across SaaS, hybrid infrastructure, and delegated access paths.
RSA Security’s argument is that traditional governance assumptions no longer hold when access changes faster than review cycles and when business users expect self-service without losing control. That is a familiar pressure point for IAM, IGA, and lifecycle teams, because the same access sprawl that creates human review fatigue also creates blind spots for non-human identities and workload access.
The article is typical of the current market conversation: organisations want faster approvals and better auditability, but they still rely on governance models designed for smaller, slower, more centralised environments.
Key questions
Q: How should security teams govern access in cloud-first identity environments?
A: Security teams should govern cloud-first access by normalizing entitlement data across directories, SaaS apps, and HR systems, then applying policy-driven certification and remediation against that unified view. The key is to connect review outcomes to actual enforcement so approvals, removals, and exceptions change the underlying access state instead of only generating audit records.
Q: Why do manual access reviews fail in hybrid IAM programmes?
A: Manual access reviews fail because reviewers receive fragmented snapshots, not a complete access story. In hybrid IAM programmes, entitlements change across many systems at different speeds, so stale exports, missing context, and reviewer fatigue all increase the chance of rubber-stamped approvals and lingering privilege.
Q: What breaks when entitlement drift is not remediated quickly?
A: When entitlement drift is not remediated quickly, policy violations remain active long enough to become real exposure, not just control exceptions. The organisation may still pass a review, but the access state on the ground has already drifted away from what the review approved, which weakens both security and audit confidence.
Q: Who is accountable when self-service access requests create excess privilege?
A: Accountability sits with the governance process owner, the application owner, and the access approver together, because self-service only works when policy checks, approval rules, and audit logs are aligned. If the workflow permits excess privilege, the issue is not user demand alone but weak control design and ownership.
Technical breakdown
Why manual access certifications break down in cloud estates
Manual certifications depend on reviewers understanding the business context behind each entitlement, but cloud-first environments fragment that context across many systems. When access is spread across AD, Entra ID, Okta, Workday, Salesforce, and GitHub, a reviewer sees snapshots rather than an access story. That makes rubber-stamping more likely and remediation less reliable. Modern governance therefore depends on normalized entitlement data, policy context, and workflow automation so review decisions can be made against current state rather than stale exports.
Practical implication: replace spreadsheet-driven review cycles with normalized entitlement data and policy-driven certification workflows.
How policy-driven remediation changes identity governance
Governance is not only about deciding whether access is acceptable. It is also about what happens after the decision, especially when policy violations, orphaned entitlements, or role changes create drift. Policy-driven remediation closes the loop by converting findings into removal, adjustment, or escalation actions rather than leaving them as audit evidence only. In practice, that means governance must be connected to the systems that actually enforce access, otherwise reviews become documentation exercises instead of control points.
Practical implication: connect governance findings to enforcement systems so risky entitlements are removed, not just reported.
Why self-service access still needs strong control boundaries
Self-service access requests work only when approval logic, policy checks, and audit trails are all aligned. The point is not to remove oversight, but to make approvals fast enough for the business while still preventing policy violations and privilege creep. In cloud-first estates, this matters because approval speed can create pressure to over-grant access unless the request path is tightly tied to role, department, and resource sensitivity. Without those boundaries, convenience becomes a control failure.
Practical implication: implement self-service only where approval rules, policy checks, and logging are enforced end to end.
Threat narrative
Attacker objective: The objective is not a single exploit but sustained access persistence through governance weakness, so over-privileged accounts remain available longer than they should.
- entry: access sprawl enters through many cloud, SaaS, and on-prem systems that each maintain their own entitlement model, creating blind spots for governance teams.
- escalation: stale access and role changes persist because manual certification cycles cannot keep pace with entitlement drift, so excessive permissions remain active.
- impact: reviewers approve access with incomplete context, which allows lingering privilege, weak auditability, and preventable exposure across the enterprise.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Manual certification was designed for smaller access surfaces. That assumption fails in cloud-first enterprises because entitlements now span too many systems, each with its own role model and rate of change. Reviewers no longer see a stable, reviewable snapshot of access, so certification quality degrades into administrative approval. The implication is that identity governance must be judged by how well it preserves context across systems, not by how many review tickets it closes.
Identity governance without remediation linkage is not governance; it is documentation. The article’s emphasis on automated remediation reflects a real discipline shift, because finding a policy violation is not the same as removing exposure. When entitlement drift is persistent, the control gap is the delay between detection and enforcement. Practitioners should treat closed-loop remediation as part of the control itself, not as an optional workflow enhancement.
Access requests and access reviews are converging on the same control problem. In borderless environments, the same policy data must support new access approval, periodic recertification, and offboarding decisions. That convergence means teams cannot keep treating request workflows, certification workflows, and revocation workflows as separate governance islands. The practical conclusion is that lifecycle design now matters as much as approval design.
Cloud-first governance exposes the identity blast radius concept. Once access is distributed across hybrid and SaaS platforms, the true risk is not a single entitlement but the cumulative scope created when review quality, logging, and enforcement diverge. This is why identity security programs need to evaluate blast radius at the governance layer, not only at the infrastructure layer. Practitioners should map which systems can still grant, retain, or revoke access without centralized visibility.
The market is moving toward governance as an operating layer, not a reporting layer. That shift is visible whenever vendors position automation, normalization, and audit logging as core governance capabilities rather than adjacent features. For practitioners, the discipline changes from proving access existed to proving access changed correctly. The real question is whether the governance stack can keep pace with the speed of the enterprise.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which shows how often privilege persists beyond its business need.
- For the broader lifecycle angle, see NHI Lifecycle Management Guide for how provisioning, rotation, and offboarding should be governed across machine identities.
What this signals
Identity governance is shifting from review cadence to control latency. In cloud-first programmes, the question is not whether a review happened, but how long stale access survived before it was removed. That makes remediation speed, entitlement normalization, and ownership clarity the practical measures that matter for security teams.
With only 5.7% of organisations reporting full visibility into their service accounts, per the Ultimate Guide to NHIs, the same blind-spot problem that affects human access reviews is now amplified across machine identities and shared service accounts.
Identity blast radius: when governance data, approval logic, and enforcement are not aligned, privilege accumulates across systems faster than most programmes can prove it was removed. Teams should expect future governance roadmaps to converge certification, offboarding, and remediation into a single operating layer, not separate processes.
For practitioners
- Standardize entitlement data across core platforms: Normalize access records from AD, cloud directories, SaaS applications, and HR systems before certification begins so reviewers are not comparing incompatible snapshots. Link the data model to role, department, and resource sensitivity so the same entitlement means the same thing everywhere it appears.
- Close the loop from review to enforcement: Make every approved exception, revoked entitlement, and remediation outcome land in the systems that actually enforce access. If a governance finding does not change the underlying permission state, treat that as a control gap rather than a successful review.
- Separate access request logic from access review logic: Use the same policy source for approvals, recertification, and offboarding, but do not let workflow convenience override lifecycle discipline. Requests can be self-service only when approval rules and audit logs remain tied to current policy and current ownership.
- Measure governance by stale access age: Track how long revoked, outdated, or role-inconsistent access remains active after a change event. That metric tells you more about governance quality than the number of certifications completed, because it captures the time window in which privilege drift still exists.
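The following is an added illustration, not code from RSA Security or NHIMG, of the normalization and closed-loop remediation described in the technical breakdown and of the stale-access-age metric from the list above. The AD, Okta, HR and policy records are constructed samples, and the `state` dictionary passed to `remediate` stands in for a real enforcement connector.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample exports; each source has its own field names and role model.
AD_GROUPS = [{"sam": "jdoe", "group": "Finance-Admins"},
             {"sam": "asmith", "group": "Eng-Prod-Deploy"}]
OKTA_APPS = [{"login": "jdoe@corp.example", "app": "Salesforce", "role": "Admin"},
             {"login": "asmith@corp.example", "app": "GitHub", "role": "Maintainer"},
             {"login": "svc-legacy@corp.example", "app": "GitHub", "role": "Admin"}]
# HR system of record: current department and date of the last role change.
HR = {"jdoe": {"dept": "Engineering", "changed": "2025-09-01"},
      "asmith": {"dept": "Engineering", "changed": "2025-03-15"}}
# Constructed policy: entitlements each department is approved to hold.
POLICY = {"Engineering": {"Eng-Prod-Deploy", "GitHub:Maintainer"},
          "Finance": {"Finance-Admins", "Salesforce:Admin"}}

@dataclass(frozen=True)
class Entitlement:
    user: str    # HR user key shared across every source
    source: str  # system that enforces this entitlement
    name: str    # canonical group name or "App:Role"

def normalize(ad, okta):
    """Flatten per-system records into one entitlement model keyed by HR user id."""
    ents = [Entitlement(r["sam"], "AD", r["group"]) for r in ad]
    return ents + [Entitlement(r["login"].split("@")[0], "Okta", f'{r["app"]}:{r["role"]}')
                   for r in okta]

def find_drift(ents, hr, policy, today):
    """Entitlements not approved for the user's current department, paired with days
    since the role change that made them stale (None = orphaned, no HR owner)."""
    findings = []
    for e in ents:
        rec = hr.get(e.user)
        if rec is None:
            findings.append((e, None))
        elif e.name not in policy.get(rec["dept"], set()):
            age = (date.fromisoformat(today) - date.fromisoformat(rec["changed"])).days
            findings.append((e, age))
    return findings

def remediate(findings, state):
    """Closed loop: revoke in the enforcing store, then verify the state changed."""
    for e, _ in findings:
        state[e.source].discard((e.user, e.name))
    return [(e.user, e.name, (e.user, e.name) not in state[e.source]) for e, _ in findings]

def stale_access_age(findings):
    """Governance metric: oldest still-active drifted entitlement, in days."""
    return max((age for _, age in findings if age is not None), default=0)
```

With the sample data, jdoe's old Finance entitlements show up as 49 days of drift after the move to Engineering, and the unowned `svc-legacy` account is flagged as orphaned rather than silently skipped.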
Key takeaways
- Cloud-first identity governance fails when reviewers cannot see a complete, current entitlement picture across all systems.
- The scale of the problem is exposure persistence, not just review volume, because stale access can remain active long after business changes occur.
- Practitioners need closed-loop remediation, normalized entitlement data, and shared lifecycle logic across request, review, and revocation workflows.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access approval and revocation are central to the article's governance model. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust requires continuous verification and least privilege across distributed access paths. |
| OWASP Non-Human Identity Top 10 | NHI-03 | The article's focus on rotation, stale access, and governance maps to NHI lifecycle risk. |
Tie certification outcomes to access enforcement and verify revocation actually changes entitlement state.
Key terms
- Identity Governance: Identity governance is the set of policies, workflows, and controls used to decide who or what gets access, how that access is approved, and when it is removed. In cloud-first environments, it must also keep entitlement data synchronized across many systems so decisions remain accurate and auditable.
- Entitlement Drift: Entitlement drift is the gap that appears when actual access no longer matches approved access because roles change, accounts linger, or manual processes fall behind. It is a control problem, not just an administrative inconvenience, because drift creates unreviewed exposure and weakens audit confidence.
- Closed-Loop Remediation: Closed-loop remediation means a governance finding automatically or operationally leads to a change in access state, not just a report or ticket. This matters because reviews without enforcement can document risk while leaving the underlying permission unchanged.
- Identity Blast Radius: Identity blast radius is the practical scope of harm that can follow from a single identity or entitlement failure. It grows when access is distributed across systems, governance data is stale, or revocation is slow, making one weak control propagate across many applications.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by RSA Security: Modern Identity Governance for the Cloud-First Enterprise. Read the original.
Published by the NHIMG editorial team on 2025-10-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org