TL;DR: Identity governance is moving toward visibility, explainability, and zero-trust decision support, not just workflow automation, according to Nexis. Nexis says it was recognised by Gartner in the 2025 Hype Cycles for Digital Identity and Zero-Trust Technology, including Identity Visibility and Intelligence Platforms and AI for Access Administration, and it also cites 130+ enterprise customers and regulatory alignment across GDPR, NIS2, and DORA.
At a glance
What this is: Nexis says its inclusion in two Gartner Hype Cycles points to growing demand for identity visibility, intelligence, and AI-assisted access administration.
Why it matters: For IAM, NHI, and human identity programmes, the signal is that governance tools are being judged on visibility, policy clarity, and operational credibility across regulated environments.
By the numbers:
- Today, over 130 leading enterprises across banking, insurance, manufacturing and automotive trust Nexis to strengthen their security posture and governance strategies.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Context
Nexis's Gartner recognition sits inside a broader shift in identity governance: buyers are being pushed to prove visibility, explainability, and policy control, not just to automate approvals. In practical terms, that matters because identity programmes now span human users, service accounts, and AI-enabled access workflows, each with different governance failure modes.
For practitioners, the important question is not whether a vendor appears in a hype cycle, but what that placement suggests about market demand. Here the signal is that identity visibility, access intelligence, and zero-trust-aligned administration are becoming table stakes for organisations that need defensible governance across regulated and hybrid environments.
Key questions
Q: How should security teams evaluate identity platforms for governance coverage?
A: Security teams should evaluate whether the platform can connect identity inventory, entitlement usage, review evidence, and remediation in one workflow. If it only reports on access without changing access state, it improves visibility but not governance. The strongest test is whether a reviewer can trace an entitlement from owner to usage to removal without leaving the control plane.
Q: Why does identity visibility matter so much in zero-trust programmes?
A: Zero trust depends on knowing what an identity is allowed to do at the moment access is requested. If you cannot see service accounts, tokens, third parties, or delegated access clearly, policy enforcement becomes inconsistent and trust assumptions reappear through the back door. Visibility is what makes continuous verification operational.
Q: What do organisations get wrong about AI-assisted access administration?
A: They often treat AI as an efficiency layer and ignore the need for explainability, approval provenance, and challengeable decisions. In identity governance, speed without traceability creates audit risk and makes it harder to correct bad entitlements. AI should support policy decisions, not obscure how those decisions were made.
Q: How can IAM teams decide whether to modernise governance or keep current workflows?
A: Teams should modernise when current workflows cannot reliably connect entitlement ownership, usage, and revocation across human and non-human identities. If review outcomes do not flow into policy enforcement, the programme is generating paperwork rather than control. Modernisation should be judged by measurable closure of identity risk, not by feature count.
Technical breakdown
Identity visibility and intelligence platforms in practice
Identity visibility and intelligence platforms try to build a higher-fidelity picture of who or what has access, how that access is used, and where entitlements drift from policy. In NHI-heavy environments, that means service accounts, API keys, tokens, and third-party access paths can no longer sit outside the same governance view as human users. The technical value is not the dashboard itself, but the ability to correlate identities, privileges, and usage into evidence that can support review, remediation, and audit.
Practical implication: consolidate identity telemetry before you try to optimise policy, or you will automate blind spots instead of reducing them.
AI for access administration and explainable governance
AI-assisted access administration is only useful when it can explain why an entitlement exists, why it was approved, and what policy logic supported the decision. Without explainability, AI becomes a speed layer on top of weak governance rather than a control surface. In zero-trust programmes, that matters because access decisions must remain inspectable by security, audit, and compliance teams, especially where machine identities or delegated access paths create non-obvious privilege chains.
Practical implication: require decision provenance and policy traceability before allowing AI to influence access administration.
Zero trust changes the burden on identity administration
Zero Trust Architecture assumes no implicit trust in the request path, so identity administration has to become more context-aware and continuously verifiable. That shifts the technical burden from static grants toward ongoing entitlement validation, tighter access boundaries, and stronger linkage between identity state and resource access. For NHIs, this is particularly hard because credentials and service relationships often outlive the business process that created them.
Practical implication: tie identity administration to verification loops, not just provisioning events, especially where non-human access persists.
NHI Mgmt Group analysis
Identity visibility is becoming the market's real differentiator. Gartner-style recognition is less about prestige than about where the category is heading: tools are being evaluated on whether they can turn fragmented identity data into governance evidence. That matters because modern identity estates include humans, service accounts, and delegated machine access, all of which create different audit problems. Practitioners should read this as a signal that visibility is no longer a reporting feature, but the foundation for defensible identity control.
Identity intelligence is only valuable when it is operationalised. A platform can surface access relationships, but if those findings do not feed review, remediation, and policy enforcement, the programme still fails at governance. The same logic applies across IGA, PAM, and NHI oversight, where alerts without lifecycle action become noise. The implication is that teams should judge identity intelligence tools by whether they close the loop, not by how many entities they can display.
Explainable AI for access administration is a governance requirement, not a marketing claim. Once AI influences who gets access, the programme must be able to answer why a decision was made and how it can be challenged. That is especially relevant where delegated or machine identities create complex entitlement chains that humans cannot inspect manually at scale. Practitioners should treat explainability as part of the control, not as a nice-to-have interface detail.
Zero-trust-aligned identity administration is pulling governance closer to runtime. The article reflects a broader industry shift away from static approval models toward continuous verification and policy-backed access decisions. That shift affects human IAM, NHI governance, and emerging agentic access paths in the same direction, even if the controls differ. Practitioners should expect identity administration to become more evidence-driven, more contextual, and less tolerant of standing privilege.
Identity governance visibility debt: programmes that cannot connect identity data to real access decisions will keep producing reports without improving control. The article's value lies in showing that market recognition is increasingly tied to visibility and intelligence rather than workflow volume. That is a reminder that governance maturity is measured by traceability, not by the number of approved requests. Practitioners should use this to reset evaluation criteria for identity platforms.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- The NHI Lifecycle Management Guide shows why lifecycle processes for provisioning, rotation, and offboarding need to be tied to evidence, not just policy.
What this signals
Identity governance visibility debt: as identity programmes expand into NHIs and AI-assisted administration, the organisations that cannot correlate ownership, entitlement, and usage will keep finding gaps at audit time rather than at review time. The practical response is to move toward evidence-linked governance, not another reporting layer, and to anchor that work in the NIST Cybersecurity Framework 2.0.
The market signal here is that platforms will increasingly be judged on whether they can support policy enforcement as well as visibility. For practitioners, that means evaluating whether identity intelligence can drive change in entitlement state, especially where access spans service accounts and delegated machine use cases.
With 97% of NHIs carrying excessive privileges, the baseline problem is not one of isolated misconfiguration but of systemic over-entitlement. Teams should expect board, audit, and security stakeholders to ask for proof that governance loops actually reduce privilege rather than documenting it.
For practitioners
- Map identity visibility across all actor types: Inventory where human identities, service accounts, tokens, and delegated access paths are currently managed in separate tools. Then define a single evidence model for entitlement ownership, usage, and review so audit trails are consistent across IAM, PAM, and NHI workflows.
- Require explainability for access decisions: If AI assists access administration, require decision provenance, policy references, and reviewable rationale before deployment. Tie that evidence to access certification and exception handling so security and audit teams can challenge the outcome without reverse-engineering the model.
- Link visibility findings to remediation workflows: Do not let identity intelligence stop at dashboards. Wire findings into entitlement cleanup, offboarding, and privilege reduction tasks so the control loop ends with a changed access state, not a report.
- Reassess zero-trust controls for non-human access: Check whether your zero-trust implementation treats service accounts and AI-assisted access paths with the same verification standard as humans. The goal is to remove standing assumptions about trusted identity state and force access validation at the point of use.
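A minimal sketch of the single evidence model and the closed remediation loop described in the first and third items, added here as an illustration and not taken from Nexis or any product. The field names, the 90-day staleness threshold, and all sample identities and dates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Entitlement:
    identity: str      # who or what holds the access
    permission: str    # what the access allows
    granted: date

# Constructed sample data; every name and date below is illustrative.
INVENTORY = {  # identity -> (actor type, accountable owner or None)
    "alice": ("human", "alice"),
    "svc-billing": ("service_account", "team-payments"),
    "ci-token-7": ("token", None),
}
ENTITLEMENTS = [
    Entitlement("alice", "crm:read", date(2025, 1, 10)),
    Entitlement("svc-billing", "ledger:write", date(2024, 3, 1)),
    Entitlement("svc-billing", "ledger:admin", date(2024, 3, 1)),
    Entitlement("ci-token-7", "repo:write", date(2023, 6, 5)),
]
LAST_USED = {  # (identity, permission) -> last observed use
    ("alice", "crm:read"): date(2025, 10, 20),
    ("svc-billing", "ledger:write"): date(2025, 10, 29),
    ("ci-token-7", "repo:write"): date(2025, 10, 1),
}

def review(inventory, entitlements, last_used, today, stale_days=90):
    """Join owner, entitlement and usage into one evidence row per grant."""
    rows = []
    for e in entitlements:
        kind, owner = inventory.get(e.identity, ("unknown", None))
        used = last_used.get((e.identity, e.permission))
        idle = (today - (used or e.granted)).days
        if idle > stale_days:
            action = "revoke"          # never used, or unused past threshold
        elif owner is None:
            action = "assign_owner"    # in use, but nobody accountable
        else:
            action = "keep"
        rows.append({"identity": e.identity, "kind": kind, "owner": owner,
                     "permission": e.permission, "last_used": used,
                     "idle_days": idle, "action": action})
    return rows

def remediate(entitlements, evidence):
    """Close the loop: return the entitlement set with revoked grants removed."""
    revoked = {(r["identity"], r["permission"]) for r in evidence
               if r["action"] == "revoke"}
    return [e for e in entitlements if (e.identity, e.permission) not in revoked]
```

Human and non-human identities go through the same `review` function, so the evidence rows have one shape across actor types, and `remediate` produces a changed entitlement state instead of a report.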
Key takeaways
- Nexis's Gartner placement reflects a broader market shift toward identity visibility, intelligence, and explainable access administration.
- The governance challenge is not just seeing identities, but turning that visibility into review, remediation, and policy enforcement across human and non-human access.
- Practitioners should use this signal to reassess whether their identity programme can prove control, not merely produce reports.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Identity visibility and rotation gaps are central to the article's governance message. |
| NIST CSF 2.0 | PR.AC-4 | The article focuses on access administration and traceable privilege control. |
| NIST Zero Trust (SP 800-207) | | Zero-trust alignment is explicit in the source and central to the analysis. |
Map non-human identities to owner, purpose, and lifecycle state, then enforce rotation and review against NHI-03.
Key terms
- Identity Visibility: Identity visibility is the ability to discover, classify, and track identities, entitlements, and access paths across systems. In practice, it means knowing who or what has access, why that access exists, and whether the current state still matches policy or business need.
- Identity Intelligence Platform: An identity intelligence platform correlates identity data, entitlement relationships, and usage signals into a governance view. Its value is measured by whether it can support review, remediation, and audit evidence, not just by how many identities it can display.
- Explainable Access Administration: Explainable access administration means access decisions can be traced to a policy, a reason, and an accountable owner. This matters because AI-assisted or delegated administration can become opaque unless the programme preserves decision provenance and challengeability.
- Zero Trust Identity Administration: Zero trust identity administration applies continuous verification and least privilege to access decisions rather than relying on a trusted network or static approval state. For non-human access, it requires tighter linkage between identity state, purpose, and actual use.
This post draws on content published by Nexis: Analysts Nexis Recognized by Gartner in Two 2025 Hype Cycles. Read the original.
Published by the NHIMG editorial team on 2025-10-30.