By NHI Mgmt Group Editorial Team
Published 2025-09-17
Domain: Governance & Risk
Source: Zluri

TL;DR: Identity is now the control point for users, apps, and automation, yet, according to Zluri's article, many programmes still rely on manual provisioning, ticket-based approvals, and periodic access reviews that miss shadow SaaS and non-human identities. The core issue is not tooling volume but governance model drift: identity controls designed for slower human workflows no longer match how access is created, used, and abandoned.


At a glance

What this is: This is a practitioner-focused view of modern identity strategy, arguing that access governance must cover humans, contractors, SaaS, and non-human identities through automated, lifecycle-aware controls.

Why it matters: It matters because IAM teams cannot keep treating NHI and shadow SaaS as edge cases when identity has become the security control plane across human and machine access.

By the numbers:

👉 Read Zluri's article on modern identity strategy for secure access governance


Context

Modern identity strategy is the shift from periodic, human-centric access administration to continuous governance across every identity type in the stack. In the article's framing, the old model fails because access is now created through SaaS, cloud, automation, bots, and service accounts as often as through employee onboarding.

That matters for IAM programmes because the control boundary has moved. If governance only sees core apps, quarterly reviews, and manual ticket flows, it will miss the identities that most often carry standing access and hidden risk. The result is not just inefficiency but persistent exposure across human and non-human access paths.

For teams building this model, the practical question is no longer whether identity is important. The question is whether identity governance can keep pace with lifecycle events, shadow apps, and non-human entitlements without relying on audit-cycle cleanup.


Key questions

Q: How should security teams govern non-human identities in SaaS-heavy environments?

A: They should govern non-human identities with the same lifecycle discipline used for human access, but with stronger discovery and ownership controls. That means inventorying service accounts, API keys, and bot identities, assigning accountable owners, and tying revocation to system events rather than manual follow-up. The goal is to prevent invisible standing access from accumulating across tools.

Q: Why do quarterly access reviews fail to control access drift?

A: Quarterly reviews fail because they occur after drift has already accumulated and often lack enough context for accurate decisions. Reviewers see entitlements, but not always usage, ownership, or business need, so stale access gets approved again. Continuous, event-driven governance is more effective because it can remove or recertify access when the change happens.

Q: How can organisations reduce hidden risk in shadow SaaS and unmanaged entitlements?

A: They need discovery that goes beyond SSO coverage and maps in-app roles, direct logins, and unmanaged applications. Once those entitlements are visible, teams can assign ownership, right-size permissions, and revoke stale access before it becomes permanent risk. Visibility without entitlement mapping is only partial governance.

Q: What should IAM teams prioritise first in a modern identity strategy?

A: They should prioritise a unified identity foundation, then automate the highest-risk lifecycle events. If identity data remains fragmented across HR, directory, cloud, and SaaS systems, every downstream control will be inconsistent. Once the foundation is in place, offboarding, temporary access expiry, and entitlement discovery become much easier to govern.


Technical breakdown

Identity as the security control plane

A modern identity strategy treats identity as the authoritative layer for access decisions rather than as a directory or login service. That means context such as role, device, app entitlement, ownership, and usage must feed the decision, not just username and password. In practice, the control plane spans HRMS, directories, SaaS platforms, and machine identities, so governance fails if any one source is treated as complete. This is why point-in-time certification and manual approvals break down in distributed environments: they cannot model live access state well enough to enforce policy consistently.

Practical implication: Practitioners should unify identity data before trying to govern it, or every downstream access decision will remain partial.

Lifecycle automation for joiner, mover, leaver events

Lifecycle automation replaces ticket queues and human memory with policy-driven provisioning, re-certification, and revocation. In the article's model, onboarding, role change, and offboarding are not separate administrative tasks but triggers that should update access automatically. This matters because delay creates access drift: users keep privileges after a move or exit, and non-human identities often escape the same process entirely. Modern lifecycle design therefore needs event-driven rules, ownership, and expiry logic rather than ad hoc exceptions.

Practical implication: Security teams should bind access changes to source-of-truth events and remove any dependency on manual deprovisioning for high-risk accounts.
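The event-driven rules, ownership and expiry logic described above, as an added illustration in Python that is not Zluri's or NHIMG's code. The role policy, the event shapes, the identities and the timestamps are all constructed for the example; a real engine would consume HR and cloud-inventory events rather than an in-memory list, but the behaviour it shows is the one the section asks for: a role move revokes what the new role does not grant, temporary access expires on its own, and an offboarded owner leaves their bot flagged as orphaned rather than quietly still active.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed role policy: the standing entitlements each role may hold. Anything the
# new role does not grant is revoked on a move, which is what stops drift after role changes.
ROLE_POLICY: Dict[str, Set[str]] = {
    "engineer": {"github:read", "jira:user"},
    "support": {"jira:user", "zendesk:agent"},
}


@dataclass
class Identity:
    id: str
    kind: str                    # "human" or "nhi"
    role: Optional[str] = None   # humans only
    owner: Optional[str] = None  # NHIs: the accountable human identity
    active: bool = True
    entitlements: Set[str] = field(default_factory=set)
    temporary: Dict[str, datetime] = field(default_factory=dict)  # entitlement -> expiry
    flags: List[str] = field(default_factory=list)


class LifecycleEngine:
    """Applies joiner / mover / leaver / temporary-grant events and enforces expiry."""

    def __init__(self) -> None:
        self.identities: Dict[str, Identity] = {}
        self.audit: List[str] = []

    def handle(self, event: dict, now: datetime) -> None:
        getattr(self, "_on_" + event["type"])(event, now)

    def _on_joiner(self, ev: dict, now: datetime) -> None:
        ident = Identity(id=ev["id"], kind=ev.get("kind", "human"),
                         role=ev.get("role"), owner=ev.get("owner"))
        if ident.kind == "human":
            ident.entitlements = set(ROLE_POLICY.get(ident.role, set()))
        else:
            # An NHI gets exactly the scopes declared at creation and must name an owner.
            ident.entitlements = set(ev.get("scopes", ()))
            if not ident.owner:
                ident.flags.append("no accountable owner at creation")
        self.identities[ident.id] = ident
        self.audit.append(f"{now:%H:%M} joiner {ident.id} -> {sorted(ident.entitlements)}")

    def _on_mover(self, ev: dict, now: datetime) -> None:
        ident = self.identities[ev["id"]]
        standing = ROLE_POLICY[ev["role"]]
        temp = set(ident.temporary)  # unexpired temporary grants survive the move
        removed = ident.entitlements - standing - temp
        ident.entitlements = standing | temp
        ident.role = ev["role"]
        self.audit.append(f"{now:%H:%M} mover {ident.id} revoked {sorted(removed)}")

    def _on_leaver(self, ev: dict, now: datetime) -> None:
        ident = self.identities[ev["id"]]
        ident.active = False
        ident.entitlements.clear()
        ident.temporary.clear()
        self.audit.append(f"{now:%H:%M} leaver {ident.id} all access revoked")
        # NHIs owned by the leaver do not leave with them: flag them as orphaned
        # so ownership is reassigned instead of silently lost.
        for other in self.identities.values():
            if other.kind == "nhi" and other.active and other.owner == ident.id:
                other.flags.append(f"orphaned: owner {ident.id} offboarded")

    def _on_temp_grant(self, ev: dict, now: datetime) -> None:
        ident = self.identities[ev["id"]]
        ident.entitlements.add(ev["entitlement"])
        ident.temporary[ev["entitlement"]] = now + timedelta(hours=ev["ttl_hours"])
        self.audit.append(f"{now:%H:%M} temp {ident.id} +{ev['entitlement']} for {ev['ttl_hours']}h")

    def expire(self, now: datetime) -> List[Tuple[str, str]]:
        """Revoke every temporary grant whose expiry has passed; returns what was revoked."""
        revoked = []
        for ident in self.identities.values():
            for ent, expiry in list(ident.temporary.items()):
                if expiry <= now:
                    ident.entitlements.discard(ent)
                    del ident.temporary[ent]
                    revoked.append((ident.id, ent))
                    self.audit.append(f"{now:%H:%M} expired {ident.id} -{ent}")
        return revoked


def run_demo() -> LifecycleEngine:
    """Constructed event stream: joiner, owned bot, 4h break-glass grant, move, expiry, leaver."""
    t0 = datetime(2025, 9, 17, 9, 0)
    eng = LifecycleEngine()
    eng.handle({"type": "joiner", "id": "alice", "role": "engineer"}, t0)
    eng.handle({"type": "joiner", "id": "deploy-bot", "kind": "nhi",
                "owner": "alice", "scopes": ["github:write"]}, t0)
    eng.handle({"type": "temp_grant", "id": "alice",
                "entitlement": "aws:prod-admin", "ttl_hours": 4}, t0)
    eng.handle({"type": "mover", "id": "alice", "role": "support"}, t0 + timedelta(hours=2))
    eng.expire(t0 + timedelta(hours=5))
    eng.handle({"type": "leaver", "id": "alice"}, t0 + timedelta(days=30))
    return eng


if __name__ == "__main__":
    engine = run_demo()
    print("\n".join(engine.audit))
    print("deploy-bot flags:", engine.identities["deploy-bot"].flags)
```

The audit trail is the part a practitioner should care about: every revocation is tied to the event that caused it, so a review later can ask "why does this identity hold this?" and get an answer other than "someone raised a ticket".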

Shadow SaaS and non-human identity entitlement discovery

The article points to a common failure mode in SaaS-heavy estates: governance covers what sits behind SSO, but not the full set of apps, in-app roles, bots, keys, and service accounts. That gap matters because entitlement risk often lives inside the application, not just at the login layer. A complete model therefore has to discover unmanaged apps, map internal roles, and identify who or what owns each non-human identity. Without that visibility, least privilege is only theoretical and orphaned access becomes durable.

Practical implication: Teams should measure governance coverage by entitlement visibility, not by SSO coverage alone.
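One way to make that coverage measurement concrete, as an added Python example that is not Zluri's or NHIMG's code. The SSO catalogue, the discovered apps and the per-app entitlement export are all constructed inline, standing in for a real SSO provider, OAuth-grant or expense-based discovery, and application role exports. It reports the SSO-only coverage figure beside the entitlement-level one so the gap between them is visible, and lists each ungoverned entitlement with the reason it failed (unmanaged app, no owner, stale, never used):

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Entitlement:
    app: str
    principal: str             # user id, service account, bot, or API-key id
    kind: str                  # "human" or "nhi"
    role: str                  # the in-app role, which is where the risk actually sits
    owner: Optional[str]       # accountable human; None means orphaned
    last_used: Optional[date]  # None means no usage ever observed


# Constructed inventories (not real data): what the SSO provider knows about,
# what discovery signals show is actually in use, and the per-app role export.
TODAY = date(2025, 9, 17)
SSO_APPS: Set[str] = {"github", "jira", "slack", "notion"}
OBSERVED_APPS: Set[str] = {"github", "jira", "slack", "notion", "zapier"}
ENTITLEMENTS: List[Entitlement] = [
    Entitlement("github", "alice", "human", "admin", "alice", date(2025, 9, 15)),
    Entitlement("github", "ci-deploy-key", "nhi", "write", "bob", date(2025, 9, 16)),
    Entitlement("github", "legacy-release-bot", "nhi", "admin", None, date(2025, 2, 1)),
    Entitlement("github", "metrics-exporter-token", "nhi", "read", None, date(2025, 9, 1)),
    Entitlement("jira", "alice", "human", "member", "alice", date(2025, 9, 10)),
    Entitlement("slack", "standup-bot", "nhi", "app", "carol", date(2025, 9, 17)),
    Entitlement("notion", "alice", "human", "workspace-owner", "alice", date(2025, 9, 16)),
    Entitlement("zapier", "zapier-api-key", "nhi", "admin", None, None),
]


def coverage_report(sso: Set[str], observed: Set[str], entitlements: List[Entitlement],
                    today: date, stale_days: int = 90) -> Dict:
    """Compare app-level (SSO) coverage with entitlement-level governance.

    An entitlement counts as governed only if its app is under management, it has
    an accountable owner, and it has been used within stale_days. Everything else
    is returned as a finding carrying the reasons it failed."""
    findings = []
    governed = 0
    for e in entitlements:
        reasons = set()
        if e.app not in sso:
            reasons.add("unmanaged app")
        if e.owner is None:
            reasons.add("no owner")
        if e.last_used is None:
            reasons.add("never used")
        elif (today - e.last_used).days > stale_days:
            reasons.add("stale")
        if reasons:
            findings.append({"principal": e.principal, "app": e.app, "kind": e.kind,
                             "role": e.role, "reasons": sorted(reasons)})
        else:
            governed += 1
    return {
        "sso_coverage": round(len(sso & observed) / len(observed), 3),
        "entitlement_coverage": round(governed / len(entitlements), 3),
        "unmanaged_apps": sorted(observed - sso),
        "findings": findings,
    }


if __name__ == "__main__":
    report = coverage_report(SSO_APPS, OBSERVED_APPS, ENTITLEMENTS, TODAY)
    print(f"SSO coverage:         {report['sso_coverage']:.0%}")
    print(f"Entitlement coverage: {report['entitlement_coverage']:.0%}")
    print("Unmanaged apps:", report["unmanaged_apps"])
    for f in report["findings"]:
        print(f"  {f['app']}/{f['principal']} ({f['kind']}, {f['role']}): {', '.join(f['reasons'])}")
```

The two percentages are the point of the exercise: on the constructed data SSO coverage reads 80% while entitlement coverage is 62.5%, and every one of the three findings is a non-human identity, two of them holding admin roles, that a login-layer view would never list.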


NHI Mgmt Group analysis

Identity governance is no longer a human-user problem with a few machine exceptions. The article describes a control environment where SaaS, shadow IT, service accounts, bots, and contractors all participate in access creation and persistence. That changes the governance model itself because the identity layer must now account for who or what can hold standing access across multiple systems. The practitioner conclusion is that IAM and NHI programmes can no longer be run as separate visibility domains.

Manual provisioning and periodic access reviews were designed for slower, reviewable access states. That assumption fails when identity is created and consumed through event-driven automation, SaaS entitlements, and non-human workloads that change outside human audit cycles. The implication is not just more automation, but a redefinition of what counts as governable access in the first place.

Shadow SaaS and unmanaged non-human identities create identity blast radius that traditional IAM tooling does not see. The article correctly connects discovery, entitlement mapping, and lifecycle control because access risk now accumulates in the gaps between directories, SaaS admin layers, and ownership records. Practitioners should treat hidden entitlements as a governance defect, not a visibility nuisance.

Modern identity strategy is converging NHI governance, IAM, and compliance into one operating model. The article reflects the broader market shift: governance can no longer be a separate audit function when access decisions are made continuously. That is consistent with the Zero Trust direction of travel and with NHI guidance that puts identity ownership, scope, and lifecycle at the centre. The practitioner conclusion is that identity architecture, not just process, now determines auditability.

Access review fatigue is a signal that the control is mis-scoped, not merely overloaded. When reviewers lack context, they rubber-stamp access that should never have existed in the first place. The better governance question is whether entitlements were created, owned, and classified correctly before review ever began. Practitioners should treat review quality as an output of upstream identity hygiene.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
  • For a deeper control model: Review NHI Lifecycle Management Guide for provisioning, rotation, and offboarding practices that help close the visibility gap.

What this signals

Identity blast radius is now the right way to think about SaaS-heavy governance. When identities span HR, SaaS, cloud, and machine accounts, the practical risk is not a single bad entitlement but the number of places where stale access can persist undetected. Teams that cannot measure entitlement coverage across all three identity classes will continue to overestimate control maturity.

The governance signal is clear: quarterly certification alone no longer proves control effectiveness. Organisations need event-based lifecycle handling, entitlement discovery, and ownership assignment to keep pace with the way access is actually created and used.

With 97% of NHIs carrying excessive privileges, the case for treating service accounts and bots as first-class identities is no longer theoretical. The reader's programme should shift from app-by-app visibility to entitlement-by-entitlement accountability.


For practitioners

  • Unify identity sources before expanding governance: Connect HR, directory, SaaS, and cloud identity data into one governed view so access decisions reflect actual ownership and entitlement state, not just what one system can see.
  • Automate lifecycle triggers for moves and exits: Tie provisioning and revocation to joiner, mover, and leaver events, then add expiry logic for temporary access so manual tickets do not become the default control.
  • Discover non-human identities at the entitlement layer: Inventory service accounts, bots, API keys, and application roles inside SaaS tools, then assign owners and classify what each identity can actually do.
  • Measure review quality by context, not completion rate: Track whether reviewers receive usage, ownership, and sensitivity context before certification so access reviews stop functioning as rubber stamps.

Key takeaways

  • The article's central warning is that legacy IAM assumptions break once access spans humans, SaaS, and non-human identities.
  • The scale of the problem is visible in the data: only 5.7% of organisations have full visibility into service accounts.
  • The most effective response is a modern identity model built on unified discovery, lifecycle automation, and entitlement-level governance.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03              | Covers NHI rotation and lifecycle gaps discussed in the article.
NIST CSF 2.0                    | PR.AC-4             | Access permissions management fits the article's least-privilege and lifecycle emphasis.
NIST Zero Trust (SP 800-207)    | PR.AC-1             | The article frames identity as the control plane for continuous verification.

Map service accounts and API keys to NHI-03 and automate rotation and offboarding when ownership changes.


Key terms

  • Non-human identity: A non-human identity is any digital identity used by software, services, automation, or workloads instead of a person. It includes service accounts, API keys, tokens, certificates, bots, and AI agents when they operate with access privileges inside an environment.
  • Identity control plane: The identity control plane is the governance layer that determines who or what can access systems, data, and applications. In modern environments it must combine identity source data, entitlement context, ownership, and policy enforcement across human and non-human actors.
  • Access drift: Access drift is the gradual mismatch between intended access and actual access over time. It appears when role changes, unused entitlements, unmanaged accounts, or delayed offboarding allow privileges to persist beyond their legitimate business need.
  • Shadow SaaS: Shadow SaaS refers to software adopted or used outside formal IT and security oversight. It creates governance risk because access, entitlements, and ownership can exist outside the systems that identity teams typically monitor.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by Zluri: Access Management Modern Identity Strategy: Blueprint for Secure, Scalable Access. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org