TL;DR: Traditional IGA tools that rely on HR or directory syncs struggle in SaaS-heavy environments with contractors, bots, APIs, and service accounts, according to Zluri. The governance shift is toward a real-time system of record that correlates identity context, access, and usage before stale entitlements create audit and security gaps.
At a glance
What this is: This is an analysis of next-gen IGA as the system of record for identity, with the key finding that legacy, sync-based governance cannot keep pace with SaaS sprawl and non-human access.
Why it matters: It matters because IAM, IGA, PAM, and NHI teams need a unified source of truth to govern access accurately across human users, service accounts, bots, and APIs.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Context
Next-gen IGA is being positioned as the authoritative source for identity and access because the older model depends on delayed synchronisation from HR and directory systems. In SaaS-heavy environments, that delay creates stale access, missed revocations, and fragmented visibility across human and non-human identities.
The core governance problem is simple: if identity truth is split across multiple tools, access decisions are already behind reality. For IAM and NHI programmes, that means the control plane has to understand who or what has access, why it exists, and whether the entitlement is still justified.
This is not only an access review problem. It is a lifecycle problem spanning joiners, movers, leavers, service accounts, bots, and API access, which is why the NHI lifecycle model becomes relevant to IGA as soon as machine identities enter the environment.
Key questions
Q: How should security teams govern identity when access spans human and non-human accounts?
A: They should treat human users, contractors, service accounts, bots, and APIs as distinct governance subjects under one record model. The key is to preserve ownership, purpose, and lifecycle state for each identity type so reviews, revocation, and audit evidence reflect actual access rather than directory snapshots.
Q: Why do delayed sync cycles create governance risk in SaaS environments?
A: Delayed sync cycles let access drift between the moment it changes and the moment governance sees it. In SaaS estates, that means stale entitlements, missed revocations, and inaccurate certifications, especially when permissions are assigned directly inside apps rather than through the directory.
Q: What breaks when IGA cannot correlate identity fragments across systems?
A: Ownership becomes unclear, duplicate accounts persist, and auditors cannot reliably tell whether access is justified or removed. Once fragments are split across HR, directories, SaaS apps, and machine systems, the governance record stops being decision-ready and becomes a collection of partial truths.
Q: How do teams know whether next-gen IGA is actually improving governance?
A: Look for shorter revocation cycles, fewer orphaned accounts, and review evidence that ties access to current usage rather than static assignment. If the platform still depends on periodic batch updates, it is helping with inventory, but not yet functioning as the true system of record.
Technical breakdown
Why sync-based identity governance creates stale access
Traditional IGA usually waits for HR or directory updates before it can act, which means it governs from a lagging data set. In modern SaaS environments, that lag matters because access can change through app-native assignments, contractor churn, or manual provisioning outside the directory. The result is an identity model that looks clean on paper but diverges from actual entitlements in production. Once identity truth is fragmented, certifications become snapshots of old state rather than evidence of current access.
Practical implication: Treat delayed sync as a control gap and verify which entitlements are governed outside the HR and directory pipeline.
Identity graph correlation across human and non-human accounts
A usable system of record has to correlate identities across multiple sources, not merely import them. That includes employees, contractors, service accounts, bots, and API-driven access that may appear in different systems under different attributes. The technical challenge is reconciliation, where the platform normalises ownership, purpose, and entitlement history into one identity graph. Without that correlation, duplicate accounts and orphaned non-human identities persist, and no review process can reliably decide whether access is still legitimate.
Practical implication: Map every critical identity source to a single ownership model so duplicate and orphaned accounts can be governed consistently.
Usage-aware governance and real-time access decisions
Next-gen IGA is framed around signals, not schedules, so it can evaluate whether access is actually being used and whether current context still supports it. That moves governance beyond static role assignment into usage-aware decision-making. The practical difference is that dormant access, overbroad app permissions, and access granted directly inside SaaS tools can be detected sooner. In identity terms, the system of record is not just a registry; it is an operational control surface that supports timely revocation and audit evidence.
Practical implication: Use usage telemetry to shorten review cycles for high-risk access and to remove entitlements that no longer have a business basis.
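The correlation and usage checks described in the two subsections above, as an added example (not Zluri's or NHIMG's code): it reconciles constructed identity fragments from HR, a directory, a SaaS app and a machine-identity inventory into one record per identity, then flags the gaps a certification built from directory snapshots alone would miss. Every name, date and attribute key is a constructed assumption; the reference date is this page's publication date.

```python
"""Added example, not code from Zluri or NHIMG: a minimal identity-graph reconciler.
Correlates HR, directory, SaaS and machine-identity fragments into one record each, then
flags app-native grants, leavers with access, orphaned machine identities and dormancy."""
from datetime import date, timedelta

# Constructed fragments; every name and attribute below is an assumption for this example.
HR = {"ana@example.com": "active", "bo@example.com": "terminated"}
DIRECTORY = {"ana@example.com": ["crm-users"], "bo@example.com": ["crm-users"]}
GROUP_ROLES = {"crm-users": {"user"}}        # app roles a governed directory group should grant
SAAS_CRM = {                                 # entitlements as the app itself reports them
    "ana@example.com": {"roles": {"user", "admin"}, "last_used": date(2025, 9, 15)},
    "bo@example.com": {"roles": {"user"}, "last_used": date(2025, 5, 1)},
    "svc-export@crm": {"roles": {"admin"}, "last_used": date(2025, 2, 10)},
}
MACHINE = {"svc-export@crm": {"owner": None, "purpose": "nightly export"}}


def build_graph(hr=HR, directory=DIRECTORY, saas=SAAS_CRM, machine=MACHINE):
    """Merge every fragment into one record per identity, keyed by principal name."""
    graph = {}
    for name in set(hr) | set(directory) | set(saas) | set(machine):
        groups = directory.get(name, [])
        app = saas.get(name, {})
        graph[name] = {
            "hr_status": hr.get(name),                   # None: unknown to HR entirely
            # humans known to HR own their own account; machines need an explicit owner
            "owner": machine.get(name, {}).get("owner", name if name in hr else None),
            "expected_roles": set().union(*(GROUP_ROLES.get(g, set()) for g in groups)),
            "roles": app.get("roles", set()),
            "last_used": app.get("last_used"),
        }
    return graph


def find_gaps(graph, today=date(2025, 9, 17), dormant_days=90):
    """Return sorted (identity, issue) pairs a directory-snapshot certification would miss."""
    gaps = []
    for name, rec in graph.items():
        extra = rec["roles"] - rec["expected_roles"]   # granted in-app, not via a governed group
        if extra:
            gaps.append((name, "app_native_grant:" + ",".join(sorted(extra))))
        if rec["roles"] and rec["hr_status"] == "terminated":
            gaps.append((name, "leaver_still_has_access"))
        if rec["roles"] and rec["owner"] is None:
            gaps.append((name, "orphaned_no_owner"))
        if rec["last_used"] and today - rec["last_used"] > timedelta(days=dormant_days):
            gaps.append((name, "dormant"))
    return sorted(gaps)
```

Each flagged pair is a revocation or ownership decision the directory sync would never have surfaced, which is the gap the text attributes to sync-based governance.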
NHI Mgmt Group analysis
Next-gen IGA only works as a system of record if it replaces, rather than depends on, delayed authority. The traditional assumption is that HR and directory systems can notify governance tooling fast enough for access decisions to stay accurate. That assumption breaks in SaaS-heavy estates where entitlements are created, changed, and revoked outside the primary directory. The implication is that identity governance must be built around authoritative correlation, not passive sync.
The identity sprawl problem is not just scale; it is category expansion. Human users, contractors, service accounts, bots, and APIs all create separate governance obligations, but legacy IGA often treats them as if they were variations of the same thing. That flattens lifecycle differences and hides machine identity ownership gaps. For practitioners, the real issue is not just more identities. It is more identity types with different trust boundaries.
Identity lifecycle and access review are the same discipline across actors, but the evidence needed to govern them is not. A human mover event, a service account handoff, and a bot permission change all require different proof that access is still justified. When the platform becomes the system of record, it has to preserve that evidence across joiner, mover, leaver, and machine lifecycle states. The conclusion is that governance maturity now depends on whether the record can follow the actor, not just the app.
Visibility without correlation is an audit comfort blanket, not a governance control. Many platforms can show that an account exists, yet still fail to connect that account to ownership, usage, and removal history. That is where access recertification becomes performative. Practitioners should judge IGA by whether it can resolve identity fragments into a decision-ready record.
Identity blast radius is the new governance metric. The more disconnected the identity record, the more places an access change can be missed before it becomes a security event. In practice, the system of record has to shrink the blast radius of stale permissions across SaaS, cloud, and non-human identities. That is the standard next-gen IGA now has to meet.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- Another finding from our research shows that 97% of NHIs carry excessive privileges, which broadens attack surface even when governance appears in place.
- For a lifecycle view of the control problem, read Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, for the governance steps that keep identity records current.
What this signals
Identity sprawl now becomes a control-plane problem, not just a directory problem. When the governance layer cannot own the record, every downstream workflow inherits stale data, especially for service accounts and app-native access. The practical signal for teams is that the next IGA procurement decision should be judged by whether it can resolve identity truth across systems, not merely sync it.
Only 5.7% of organisations have full visibility into their service accounts, which tells you how far most programmes still are from a credible machine-identity record. That is why the governance discussion has to extend beyond certifications to lifecycle evidence and ownership traceability. For NHI programmes, the question is whether the system can explain why access exists before it decides whether to remove it.
Access review quality will increasingly depend on usage evidence, not periodic attestation. Teams that can link entitlement history to activity, role change, and removal trigger will be better positioned to defend their governance model in audit and incident review. That is the direction identity governance is moving, whether the platform label says IGA or not.
For practitioners
- Audit where identity truth actually lives: Inventory which systems create, modify, and revoke identity data for employees, contractors, service accounts, bots, and APIs. Identify every place where access can exist without being reflected in the governance platform, then assign ownership for closing those gaps.
- Correlate human and non-human identities into one record: Build a single ownership model that links account fragments across HR, directories, SaaS apps, and machine identity sources. Use that model to resolve duplicates, orphaned accounts, and unclear entitlement ownership before the next certification cycle.
- Replace schedule-only reviews with signal-driven governance: Use usage telemetry, role changes, and app-native permission events to trigger reviews and revocation workflows when access becomes stale. Prioritise high-risk service accounts and dormant SaaS permissions first.
- Define lifecycle evidence requirements by actor type: Specify what proof is required for humans, contractors, service accounts, and bots so access reviews do not treat all identities the same. Preserve the reason for access, the approver, and the removal trigger for each actor type.
- Measure governance against revocation speed: Track how quickly the platform can remove access after a mover, leaver, or machine usage change is detected. If revocation still depends on batch sync, the system of record claim is not yet real.
Key takeaways
- Legacy IGA breaks down when identity truth is fragmented across HR, directories, SaaS apps, and machine systems.
- The governance gap is not just visibility, but correlation, lifecycle evidence, and revocation speed across actor types.
- Next-gen IGA has to function as a decision-ready system of record or it remains a reporting layer with better branding.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Directly relevant to rotation, revocation, and stale non-human access. |
| NIST CSF 2.0 | PR.AC-1 | Identity governance depends on managing access by authorised users and processes. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Continuous verification is required when access changes outside batch sync cycles. |
Map machine and service-account governance to NHI-03 and verify revocation timing across all connected systems.
Key terms
- System of record: The authoritative source for a specific set of data or decisions. In identity governance, it must hold the current relationship between an identity, its entitlements, the reason those entitlements exist, and the evidence used to justify continuing access.
- Identity graph: A correlated view of identities and their relationships across systems. It links fragments from HR, directories, SaaS tools, and machine systems so governance can understand ownership, duplication, usage, and lifecycle state without relying on isolated records.
- Usage-aware governance: A governance model that uses actual activity as part of access decisions. Instead of certifying access only by role or schedule, it checks whether the entitlement is still being used, still justified, and still appropriate for the current context.
- Machine identity: A non-human identity used by software, workloads, bots, services, or APIs to authenticate and access resources. It requires lifecycle control, ownership, and revocation processes that are often different from human access governance, even when managed in the same platform.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: Access Management Next Gen IGA As A System of Record. Read the original.
Published by the NHIMG editorial team on 2025-09-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org