By NHI Mgmt Group Editorial Team
Published 2025-12-15
Domain: Announcements
Source: Omada Identity

TL;DR: Omada and adesso say their continued collaboration is aimed at improving identity governance, compliance, and operational efficiency for regulated organisations in the DACH region, while supporting sovereign control over access, auditability, and resilience, according to Omada Identity. The real lesson is that identity governance now sits at the centre of sovereignty programmes, cloud adoption, and AI readiness.


At a glance

What this is: Omada and adesso are extending a partnership focused on identity governance, compliance, and sovereign control over access in regulated DACH organisations.

Why it matters: For IAM practitioners, this reinforces that identity governance is now a core control plane for sovereignty, auditability, and access lifecycle discipline across human, machine, and emerging AI initiatives.

👉 Read Omada Identity's article on the adesso partnership and identity governance strategy


Context

Identity governance is the discipline that decides who or what gets access, when that access is granted, and how it is reviewed, revoked, and audited. In regulated environments, that is no longer just an IAM housekeeping function. It is the control layer that connects digital sovereignty, compliance, and operational resilience across human identities, service accounts, and machine access.

This partnership announcement points to a familiar market reality: organisations can buy tooling, but they still struggle to operationalise identity governance across business process, regulatory requirements, and technology estates. The article is less about a single product change than about the growing need for advisory depth, implementation discipline, and auditable identity processes in the DACH region.

For teams mapping this problem space, the relevant starting point is the broader NHI and governance model, not the partner brand. NHIMG’s own reference material on the Ultimate Guide to NHIs is a useful anchor for understanding why access sprawl, over-privilege, and weak lifecycle controls keep showing up in mature environments.


Key questions

Q: How should organisations govern access when sovereignty and compliance are both priorities?

A: They should treat identity governance as an evidence-producing control layer. That means every access decision needs ownership, justification, traceability, and revocation logic that can survive audit. Sovereignty requirements become practical only when the organisation can show who has access, why they have it, and when that access will be removed.

Q: Why do orphaned and over-privileged accounts remain such a persistent risk?

A: Because they are created by process drift, not just technical failure. When access is granted faster than ownership changes and revocation is delayed until someone notices, accounts outlive their business purpose. That creates hidden attack paths, weak accountability, and poor audit evidence across regulated environments.

Q: What should identity teams measure to know if lifecycle governance is working?

A: They should measure whether access is granted and removed on the correct business events, whether every entitlement has a current owner, and whether review findings are actually remediated. If revocation, ownership, and evidence are missing, lifecycle governance is only partially operating.

Q: How do identity governance programmes support digital sovereignty in practice?

A: By making access decisions transparent, reviewable, and enforceable across the full identity lifecycle. The practical test is whether the organisation can prove control over identities, demonstrate compliance, and remove access when the business need ends. Without that, sovereignty claims do not survive scrutiny.


Technical breakdown

Digital sovereignty and identity governance

Digital sovereignty in identity terms means keeping meaningful control over identity data, access decisions, and audit evidence inside the organisation’s operating and legal boundaries. That matters because identity governance is where policy becomes enforceable: who receives access, under what conditions, with what traceability, and with what revocation path. In regulated sectors, the same control plane has to support compliance evidence, separation of duties, and demonstrable accountability. The article reflects a common pattern in Europe: sovereignty programmes increasingly depend on governance processes that are consistent, documentable, and resilient across complex estates.

Practical implication: map sovereignty objectives to identity governance controls before adding more tools.

Why identity lifecycle discipline matters in regulated environments

The article repeatedly points to access being granted from day one and revoked on the last working day, which is lifecycle governance in practice. Lifecycle discipline is not just joiner-mover-leaver administration. It is the operating model that prevents orphaned access, stale entitlements, and privilege creep from becoming permanent conditions. In cloud and hybrid environments, poor lifecycle execution often becomes invisible until audit, incident response, or third-party offboarding forces a review. That is why governance programmes need both process ownership and evidence that access changes actually happen when business context changes.

Practical implication: treat access provisioning and revocation as measurable governance outcomes, not ticket workflow outputs.

Orphaned and over-privileged accounts as control failure patterns

The article’s reference to orphaned and over-privileged accounts aligns with the most common NHI failure patterns. Orphaned accounts persist after their business owner, project, or supplier relationship changes. Over-privileged accounts accumulate exceptions because teams optimise for delivery speed and defer entitlement cleanup. In practice, those two conditions create broad attack paths and weak auditability. For identity teams, the issue is not merely that access exists, but that access outlives the justification for it. That is why visibility, review cadence, and revocation logic must be tied to business events rather than static permission grants.

Practical implication: require ownership, expiry, and review evidence for every non-human entitlement.



NHI Mgmt Group analysis

Identity governance has become a sovereignty control, not just an IAM discipline. The article frames identity management as a prerequisite for digital sovereignty, and that framing is directionally correct. When access decisions determine whether organisations can prove control, compliance, and traceability, governance becomes part of national, sector, and enterprise resilience. Practitioners should stop treating IGA as an administrative layer and start treating it as an evidence-producing control plane.

The market is moving toward implementation-led governance, not tool-only procurement. The partnership emphasis on consulting depth, process alignment, and regulated-industry delivery reflects a broader truth: identity programmes fail when policy, operating model, and audit requirements are not engineered together. That is especially visible in public sector and KRITIS-style environments, where documentation and lifecycle evidence matter as much as technical enforcement. Practitioners should re-evaluate whether their governance model can survive real audit pressure.

Orphaned access and privilege creep remain the clearest failure modes in sovereign identity programmes. The article’s examples point to a governance assumption that access can be granted once and cleaned up later. That assumption fails when business change outpaces cleanup, especially across suppliers, contractors, and cloud estates. The implication is not just stronger review processes. It is a redesign of how access ownership, expiry, and revocation are tied to business events.

Digital sovereignty will increasingly be judged by identity lifecycle evidence. A sovereign strategy without demonstrable provisioning, revocation, and auditability is mostly branding. Identity teams will be asked to show who approved access, when it was removed, and whether the process worked across both internal and external users. Practitioners should expect governance maturity to become a board-level proxy for operational control.

Cross-domain identity governance now spans human users, service accounts, and emerging AI-driven workflows. The article is about classic IAM and IGA, but the control logic it describes is the same logic organisations will need for NHI and autonomous access paths. The discipline is consistent even when the actor changes. Practitioners should use this moment to unify lifecycle governance across all identity types instead of maintaining separate exceptions.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows why lifecycle evidence remains hard to produce at scale.
  • If you are mapping governance controls beyond the partner model discussed here, start with the NHI Lifecycle Management Guide and the Top 10 NHI Issues to tighten ownership and revocation discipline.

What this signals

Identity sovereignty will increasingly be judged by lifecycle evidence, not by platform breadth. Organisations that cannot show who owns access, when it was reviewed, and how revocation happens will struggle to prove control across regulated estates. The governance standard is moving toward auditable identity operations, not abstract policy statements.

The most useful next step for practitioners is to connect access governance to business events and supplier changes, then validate whether those events actually trigger revocation, review, and ownership updates. If not, the programme is still relying on manual cleanup and tribal knowledge.

With 79% of organisations having experienced secrets leaks, with 77% resulting in tangible damage, the broader message is that weak identity hygiene still converts directly into operational loss. The practical response is to align governance evidence with regulatory and audit perspectives before audit pressure arrives.


For practitioners

  • Tie access to business events: Require provisioning and revocation to follow joiner-mover-leaver events, supplier changes, and project end dates, with evidence that the entitlement was actually removed.
  • Inventory orphaned and over-privileged accounts: Run a focused review for accounts without an active owner, accounts with unused access, and accounts carrying permissions far beyond their current role.
  • Strengthen audit-ready lifecycle evidence: Store approval, ownership, review, and revocation artefacts in a way that can be produced quickly for regulators, internal audit, and incident response.
  • Use sovereignty requirements to reset governance scope: Align identity governance policy with regulated-sector expectations for traceability, documentation, and control over access decisions across internal and external identities.
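As an added illustration of the review these bullets describe (not code from the article, Omada or adesso), the Python below runs the orphaned, expired, unused, over-privileged and stale-review checks over a constructed entitlement inventory, and checks that a constructed leaver event actually produced a revocation artefact. All records, field names and look-back thresholds are assumptions.

```python
from datetime import date

# Constructed sample data (not from the article): review date, active owners, per-role permission baseline.
TODAY = date(2025, 12, 15)
ACTIVE_OWNERS = {"alice", "bob"}
ROLE_BASELINE = {"ci-deployer": {"deploy", "read"}, "report-reader": {"read"}}

# One record per non-human entitlement: owner, role, granted permissions, expiry, last use, last review.
INVENTORY = [
    {"id": "svc-build", "owner": "alice", "role": "ci-deployer", "perms": {"deploy", "read"},
     "expiry": date(2026, 3, 1), "last_used": date(2025, 12, 10), "last_review": date(2025, 11, 1)},
    {"id": "svc-legacy", "owner": "carol", "role": "report-reader", "perms": {"read", "admin"},
     "expiry": date(2025, 6, 30), "last_used": date(2025, 4, 2), "last_review": None},
]
# Constructed business events and revocation artefacts: carol's supplier contract ended in July,
# but the only recorded revocation is for an unrelated entitlement.
EVENTS = [{"type": "leaver", "subject": "carol", "date": date(2025, 7, 1)}]
REVOCATIONS = [{"id": "svc-old", "date": date(2025, 7, 2)}]

def review_entitlement(e, today=TODAY, active_owners=ACTIVE_OWNERS, baseline=ROLE_BASELINE,
                       unused_days=90, review_days=180):
    """Return the control-failure findings for one entitlement (an empty list means it passes)."""
    findings = []
    if e["owner"] not in active_owners:
        findings.append("orphaned")                  # no active business owner
    if e["expiry"] < today:
        findings.append("expired")                   # still present past its expiry date
    if (today - e["last_used"]).days > unused_days:
        findings.append("unused")                    # no activity inside the look-back window
    extra = e["perms"] - baseline.get(e["role"], set())
    if extra:
        findings.append("over-privileged:" + ",".join(sorted(extra)))  # beyond the role baseline
    if e["last_review"] is None or (today - e["last_review"]).days > review_days:
        findings.append("no-current-review")         # missing or stale review evidence
    return findings

def leaver_revocation_gaps(inventory=INVENTORY, events=EVENTS, revocations=REVOCATIONS):
    """Entitlements whose owner left but that have no revocation artefact dated on/after the event."""
    gaps = []
    for ev in (ev for ev in events if ev["type"] == "leaver"):
        for e in (e for e in inventory if e["owner"] == ev["subject"]):
            if not any(r["id"] == e["id"] and r["date"] >= ev["date"] for r in revocations):
                gaps.append(e["id"])
    return gaps

def run_review(inventory=INVENTORY):
    """Map entitlement id -> findings for every entitlement that fails at least one check."""
    return {e["id"]: f for e in inventory if (f := review_entitlement(e))}

if __name__ == "__main__":
    for eid, f in run_review().items():
        print(eid, f)
    print("leaver events without revocation evidence:", leaver_revocation_gaps())
```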

Key takeaways

  • Digital sovereignty depends on identity governance that can prove access decisions, not merely describe them.
  • Orphaned access and privilege creep remain the two clearest signs that lifecycle controls are not keeping pace with business change.
  • Practitioners should measure governance by ownership, revocation, and audit evidence, because that is where compliance and resilience meet.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Access permissions and identity control are central to the article's sovereignty framing.
NIST Zero Trust (SP 800-207) | - | Sovereign identity control aligns with continuous verification and reduced implicit trust.
OWASP Non-Human Identity Top 10 | NHI-03 | Orphaned and over-privileged non-human access is directly relevant to the article's risk language.

Review NHI entitlements for ownership, expiry, and over-privilege, then remove stale access.


Key terms

  • Identity Governance And Administration: Identity Governance and Administration is the set of policies, workflows, and controls that decide who or what gets access, who approves it, and how that access is reviewed and removed. In practice, it turns identity policy into evidence that can be audited, enforced, and reported.
  • Digital Sovereignty: Digital sovereignty is the ability to maintain meaningful control over digital systems, data, and access decisions within the organisation's legal and operational boundaries. In identity programmes, it depends on traceable governance, lifecycle discipline, and the ability to prove who has access and why.
  • Orphaned Account: An orphaned account is an identity that still exists but no longer has a valid owner, business purpose, or active oversight. These accounts are risky because they often retain access longer than intended, making them hard to audit and easy to abuse.
  • Privilege Creep: Privilege creep is the gradual accumulation of access rights beyond what an identity currently needs. It often happens when access is granted for a task or project and never fully cleaned up, leaving accounts with more power, broader exposure, and weaker accountability than intended.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Omada Identity: the continued adesso and Omada collaboration on identity management and digital sovereignty. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org