TL;DR: State agencies aligning to NASCIO 2025 priorities are treating identity as the control plane for cybersecurity, AI, data access, and cloud modernization, according to SailPoint. The governance gap is no longer access management in isolation, but lifecycle control across employees, partners, machines, and cloud entitlements.
At a glance
What this is: This is SailPoint's analysis of how NASCIO 2025 priorities map to state identity security, with emphasis on lifecycle governance, overprovisioning, machine identities, and cloud access.
Why it matters: It matters because state identity programmes now have to govern human, machine, and cloud access together, or modernization will widen the attack surface rather than reduce it.
By the numbers:
- Only 44% of organizations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
👉 Read SailPoint's analysis of NASCIO 2025 identity priorities for state agencies
Context
State agencies modernizing digital services are running into the same problem in different forms: identity is the control layer that determines who, what, and which machine can reach sensitive data and systems. In state environments, that includes employees, partners, machine identities, and cloud infrastructure entitlements, which means access governance has to cover the full identity lifecycle, not just human logins.
SailPoint's framing follows a familiar public-sector pattern. Cybersecurity, AI, data governance, and cloud services all collapse into one practical question for identity teams: can access be granted, reviewed, and revoked quickly enough to keep modernization from expanding the attack surface?
For practitioners, the starting point is typical rather than exceptional. Most state identity programmes already have access controls and some lifecycle processes, but the article shows those controls are being asked to govern broader identity populations and cloud entitlements than they were originally designed to handle.
Key questions
Q: How should state agencies govern machine identities in cloud and RPA environments?
A: State agencies should govern machine identities the same way they govern human access, with ownership, purpose, lifecycle triggers, and removal paths. The critical difference is that machine identities often outlive the workflow that created them, so inventory and deprovisioning must be explicit rather than assumed.
Q: Why do overprovisioned identities increase risk in state modernization programmes?
A: Overprovisioned identities increase risk because one account can reach more systems, data sets, and cloud services than the current role requires. When credentials are stolen or left active after a change, that excess access widens the blast radius and makes containment slower and harder.
Q: What breaks when access review is not tied to lifecycle events?
A: Access review becomes a snapshot of stale reality. If reviews are not triggered by role changes, vendor changes, or service retirement, permissions remain in place after the need has ended, which leaves orphaned access and outdated cloud entitlements in production.
Q: Which identity controls matter most for zero trust in public-sector environments?
A: The controls that matter most are continuous access reduction, reliable revocation, and clear ownership for every identity type. Zero trust fails in practice when standing permissions remain broader than necessary, because the programme cannot contain the blast radius of compromised or stale access.
Technical breakdown
Identity lifecycle control in state agencies
Identity lifecycle control is the discipline of granting, adjusting, and removing access as roles, duties, and system relationships change. In state agencies, that includes employees, contractors, partners, machine identities, and cloud workloads. The issue is not whether access exists, but whether it can be changed fast enough to match organizational reality. When lifecycle governance is weak, orphaned accounts and stale permissions remain active long after their original need has passed, creating avoidable exposure across both internal systems and citizen-facing services.
Practical implication: map every identity type to an owner, lifecycle trigger, and revocation path before expanding modernization programmes.
Overprovisioned access and identity blast radius
Overprovisioned access means identities hold more permissions than they need for their current task. In practice, that increases the blast radius when credentials are stolen, misused, or simply left active after a job change. The article connects this directly to zero trust, where modifying and revoking access throughout the lifecycle is a core control principle. For state agencies, overprovisioning is especially dangerous because one identity often spans multiple systems, cloud services, and data sets, making one stale entitlement enough to create a broad compromise path.
Practical implication: review and shrink standing access before automating more onboarding, cloud migration, or third-party onboarding.
Machine identities in cloud and RPA environments
Machine identities are non-human identities used by automated processes, cloud services, and robotic process automation. They are often created to make systems run smoothly, but they become risky when left active without a clear owner or retirement process. The article notes that ungoverned non-human identities can become orphaned accounts, which expands the attack surface. In cloud infrastructure, the challenge grows because access is distributed across services and entitlements, making it easy for machine credentials to persist unnoticed after the workflow or integration changes.
Practical implication: treat machine accounts like governed identities, with creation standards, inventory, ownership, and deprovisioning controls.
Threat narrative
Attacker objective: The objective is to turn identity sprawl into unauthorized access to sensitive state data and infrastructure.
- Entry begins when an attacker or insider leverages overprovisioned access that was never narrowed after a role, project, or vendor relationship changed.
- Escalation occurs when stale permissions, orphaned machine identities, or broad cloud entitlements provide access beyond the identity's current business need.
- Impact follows when that excessive access is used to reach critical data, cloud resources, or administrative functions that should have been out of scope.
Breaches seen in the wild
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity governance is now the practical control layer for state modernization. The article shows that cybersecurity, AI, data management, and cloud services all depend on the same underlying access decisions. That is why public-sector programmes that treat identity as a back-office function keep missing the real risk boundary. The implication is straightforward: state agencies should organize security modernization around identity lifecycle governance, not around disconnected technology silos.
Overprovisioned access is the state sector's most common identity failure mode. The article links unauthorized access and access creep to the same root problem, which is that permissions outlive need. That failure pattern is not just a user issue, because the same overreach affects partners, machine identities, and cloud entitlements. Practitioners should read this as a blast-radius problem, not a convenience problem.
Orphaned machine identities are the hidden persistence layer in public-sector risk. Machine accounts used for AI and RPA can remain active after the process, integration, or owner changes, which means the account survives even when the business need does not. That is a governance gap, not a tooling issue. The implication is that state identity teams need lifecycle ownership for every non-human identity that can reach production systems.
Cloud infrastructure governance cannot be separated from core identity security. The article's cloud section makes clear that IaaS access is still identity access, even when it is mediated through a modern SaaS control plane. That means cloud modernization does not reduce the identity burden; it shifts where controls must operate. State agencies that do not extend lifecycle, review, and revocation into cloud entitlements will carry the same access risk into a new environment.
Identity blast radius should become a named control objective for state agencies. The combination of employees, third parties, machines, and cloud access means a single excess entitlement can create cross-domain exposure. This is where NIST Cybersecurity Framework 2.0 and zero trust align in practice: reduce privilege scope, shorten access duration, and make revocation reliable. Practitioners should measure whether modernization is shrinking or expanding identity blast radius.
From our research:
- Only 44% of organizations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- Organisations that describe themselves as confident in their AI deployment actually experience a 72% security incident rate, compared to 33% for those who remain cautious.
- For a broader view of identity governance across human and machine access, see the Ultimate Guide to NHIs.
What this signals
State agencies should expect identity programmes to be judged less on login coverage and more on whether they can prove continuous privilege reduction across people, partners, and machines. The governance challenge is no longer the volume of access grants; it is how quickly access can be narrowed when business context changes, especially in cloud and automation-heavy environments.
Identity blast radius: the real programme risk is not how many identities exist, but how many can still reach critical data after their original need has passed. That is why lifecycle revocation, entitlement cleanup, and machine account ownership have become core operating disciplines for state security teams.
With 70% of organisations already granting AI systems more access than human employees, the next wave of public-sector modernization will pressure state teams to distinguish between convenient automation and governable access. The operational signal to watch is whether identity review cycles can keep pace with new machine and AI-driven workflows.
For practitioners
- Inventory every non-human identity: Build a current inventory of machine accounts, service identities, and automation credentials across state systems, cloud services, and RPA tools. Assign ownership, business purpose, and retirement criteria so orphaned accounts can be removed instead of left active indefinitely.
- Re-score access after every role or service change: Trigger access reviews when employees move, partners rotate, or workflows change, then remove permissions that no longer match the current job or integration. Focus on broad cloud entitlements and shared accounts where stale privileges create the largest blast radius.
- Tie zero trust to lifecycle revocation: Use zero trust not as a network label but as a lifecycle control pattern, with explicit approval, revocation, and validation steps for each identity type. The goal is to make permission removal as routine as permission granting.
- Extend governance into cloud entitlements: Treat IaaS permissions as part of the same identity programme that governs applications and data. Reconcile cloud access to the same lifecycle triggers used for internal identities, especially for administrative roles and automation accounts.
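The four practitioner steps above amount to one review loop: hold an inventory with owner and purpose for every identity, re-score each identity's entitlements against what its current role or workflow still requires, and turn the gap into a revocation list while tracking blast radius before and after. The following is an added illustration written for this post, not code from SailPoint or from any agency; the identity records, the "system:permission" entitlement format, the role baselines, and the 90-day idle threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

@dataclass
class Identity:
    name: str
    kind: str                     # "human" or "machine"
    owner: Optional[str]          # None = nobody accountable (orphan candidate)
    purpose_active: bool          # does the role/workflow that justified it still exist?
    entitlements: FrozenSet[str]  # assumed "system:permission" strings
    last_used: date

def blast_radius(ents):
    """Distinct systems an identity can still reach (cross-domain exposure)."""
    return len({e.split(":")[0] for e in ents})

def lifecycle_review(inventory, baseline, today, idle_days=90):
    """Re-score each identity against current need; baseline maps name -> required entitlements."""
    report = {}
    for ident in inventory:
        required = baseline.get(ident.name, frozenset())
        revoke, flags = [], []
        if not ident.purpose_active:             # need ended: revoke everything
            flags.append("purpose retired")
            revoke = sorted(ident.entitlements)
        elif ident.entitlements - required:      # need shrank: revoke only the excess
            flags.append("overprovisioned")
            revoke = sorted(ident.entitlements - required)
        if ident.kind == "machine" and ident.owner is None:
            flags.append("orphaned: assign owner before retirement decision")
        if (today - ident.last_used).days > idle_days:
            flags.append(f"idle > {idle_days} days")
        report[ident.name] = {"revoke": revoke, "flags": flags,
                              "blast_radius_before": blast_radius(ident.entitlements),
                              "blast_radius_after": blast_radius(ident.entitlements - set(revoke))}
    return report

# Constructed sample inventory and role baselines (illustrative, not real agency data)
TODAY = date(2025, 12, 10)
INVENTORY = [
    Identity("j.doe", "human", "hr-lead", True, frozenset({"hris:read", "benefits:admin", "aws:iam-admin"}), date(2025, 12, 1)),
    Identity("rpa-payroll-bot", "machine", None, True, frozenset({"payroll:write", "hris:read"}), date(2025, 12, 9)),
    Identity("svc-legacy-etl", "machine", "data-team", False, frozenset({"dwh:admin", "s3:read"}), date(2025, 6, 1)),
]
BASELINE = {  # j.doe changed roles: aws:iam-admin is no longer part of the job
    "j.doe": frozenset({"hris:read", "benefits:admin"}),
    "rpa-payroll-bot": frozenset({"payroll:write", "hris:read"}),
}
```

Running `lifecycle_review(INVENTORY, BASELINE, TODAY)` produces a revocation list for the mover and the retired ETL account, flags the ownerless RPA bot for an owner rather than silently deleting it, and shows the blast radius shrinking from 3 systems to 2 for the mover and to 0 for the retired service account.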
Key takeaways
- State identity programmes now sit at the centre of cybersecurity, AI governance, cloud access, and data protection.
- Overprovisioned access and orphaned machine identities are the two patterns most likely to widen the attack surface during modernization.
- The practical response is lifecycle discipline: inventory, ownership, review triggers, and dependable revocation across all identity types.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | The article focuses on controlling access rights across changing identities. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Zero trust is explicitly tied to revoking and modifying access throughout the lifecycle. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Machine identities and orphaned accounts are central to the access governance problem. |
Use zero trust to enforce continuous verification and remove access that no longer fits current need.
Key terms
- Identity Lifecycle Governance: Identity lifecycle governance is the process of managing access from creation through change to removal. In practice it covers joiner-mover-leaver events, entitlement review, and offboarding for humans, partners, machine identities, and automation accounts so access does not survive its business need.
- Machine Identity: A machine identity is a non-human identity used by software, services, or automation to authenticate and access resources. These identities can be service accounts, API credentials, or cloud workload identities, and they require ownership, scope, and retirement controls just like human accounts.
- Identity Blast Radius: Identity blast radius is the amount of damage an account can cause when its access is misused or left active too long. The broader the permissions and the longer the lifecycle gap, the larger the blast radius across applications, data, and cloud infrastructure.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by SailPoint: Aligning your state identity program goals to key NASCIO 2025 priorities. Read the original.
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org