TL;DR: Easier access request configuration, full visibility into child assignment status for reviewers, and Docker-based Cloud Application Gateway deployment are among the additions in Omada Identity Cloud’s April 2026 release, according to Omada Identity. These changes tighten governance workflows, but they do not remove the need for disciplined lifecycle controls and review design.
At a glance
What this is: Omada Identity Cloud’s April 2026 release focuses on request, review, and gateway management improvements for identity governance teams.
Why it matters: These changes matter because access governance fails when requests are hard to configure, reviewers cannot see downstream assignment state, or operational deployment is fragmented across environments.
Context
Identity governance gets weaker when request flows are difficult to configure and reviewers cannot see the downstream effect of an approval. In practice, that creates blind spots in access certification, especially when child assignments and inherited entitlements sit outside the reviewer’s immediate view.
Omada Identity Cloud’s April 2026 release addresses operational friction in those two places and adds a deployment option for the Cloud Application Gateway. The relevant question for practitioners is not whether the release is feature-rich, but whether it reduces governance noise enough to make access decisions more accurate and auditable.
Key questions
Q: How should IAM teams improve access request governance without adding friction?
A: Start by simplifying the request model, not by adding more approval layers. Each request template should map to a specific entitlement set, an explicit approver path, and a clear business purpose. That reduces ambiguity, shortens manual handling, and makes the resulting approval decisions easier to audit and defend.
Q: Why does child assignment visibility matter in access reviews?
A: Because reviewers need to see the access that actually exists, not only the top-level role or group that produced it. Nested and inherited entitlements can create a much larger effective privilege footprint than the parent assignment suggests, which means incomplete visibility leads to weak certification decisions and poor audit evidence.
Q: What should teams check before using Docker-based deployment for identity infrastructure?
A: Teams should confirm who owns packaging, versioning, configuration review, and rollback procedures. A containerised deployment model can make rollout more consistent, but it still needs lifecycle control and secure configuration management. Without that, deployment convenience can turn into operational drift across environments.
Q: How do organisations know whether access removal workflows are actually working?
A: They should verify that removal requests revoke both direct and downstream access, and then confirm that reports and certifications show the final revoked state. If the workflow ends but child assignments remain visible, the process has not actually removed privilege, only modified one part of it.
How it works in practice
Access request configuration and approval routing
Access request configuration determines how entitlement paths, approval steps, and recipient groups are exposed to users and governable by administrators. In identity governance terms, the mechanism matters because poorly structured requests create shadow workflows, duplicate approvals, or overly broad request options that dilute least privilege. When request design is cleaner, the organisation can standardise how entitlements are presented without forcing every business unit into bespoke process handling.
Practical implication: review request templates, approver routing, and entitlement groupings so the request model matches the actual governance model.
Child assignment visibility in access reviews
Child assignment status refers to downstream or inherited access that exists because of a parent role, group, or entitlement chain. Reviewers need that visibility because certification decisions based only on the parent assignment can miss the actual privilege footprint. The technical issue is not just reporting detail, but whether the system exposes the full access graph in a way that supports meaningful attestation and removal decisions.
Practical implication: validate that reviewers can see inherited and nested access before relying on access certifications for audit evidence.
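The check described in this section, and in the access removal question above, can be modelled as a walk over the entitlement graph. This is an added example, not Omada Identity code or its data model; the entitlement names, the GRANTS hierarchy, and the function names are constructed for illustration.

```python
from collections import deque

# Constructed entitlement hierarchy: parent -> entitlements it grants.
GRANTS = {
    "role:finance-analyst": ["group:erp-readers", "group:reporting"],
    "group:reporting": ["perm:bi-export", "group:erp-readers"],
    "group:erp-readers": ["perm:erp-read"],
    "role:ap-clerk": ["perm:erp-read", "perm:invoice-post"],
}

def expand(entitlement, grants=GRANTS):
    """Return every child entitlement reachable from one parent (cycle-safe)."""
    seen, queue = set(), deque([entitlement])
    while queue:
        for child in grants.get(queue.popleft(), ()):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen

def effective_access(direct, grants=GRANTS):
    """Direct assignments plus everything they propagate into."""
    result = set(direct)
    for ent in direct:
        result |= expand(ent, grants)
    return result

def review_items(direct, grants=GRANTS):
    """What a reviewer should see: each parent with its child assignments."""
    return {ent: sorted(expand(ent, grants)) for ent in sorted(direct)}

def removal_report(direct, removed, provisioned_after, grants=GRANTS):
    """Check one removal: what should be revoked, and what was left behind."""
    remaining = set(direct) - {removed}
    still_justified = effective_access(remaining, grants)
    expected = effective_access(direct, grants) - still_justified
    residual = set(provisioned_after) - still_justified
    return {"expected_revoked": sorted(expected), "residual": sorted(residual)}

if __name__ == "__main__":
    direct = {"role:finance-analyst", "role:ap-clerk"}
    # Constructed target-system state: the workflow dropped only the parent role.
    after = {"role:ap-clerk", "perm:erp-read", "perm:invoice-post",
             "group:reporting", "perm:bi-export"}
    print(review_items(direct))
    print(removal_report(direct, "role:finance-analyst", after))
```

Note that perm:erp-read is not expected to be revoked here, because the remaining ap-clerk role still justifies it; only access with no surviving parent counts as residual.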
Docker-based deployment for the Cloud Application Gateway
Docker-based deployment changes how the Cloud Application Gateway is packaged, deployed, and centrally managed across environments. For identity teams, the technical value lies in deployment consistency, but the governance requirement remains the same: the gateway still needs controlled lifecycle management, version discipline, and clear operational ownership. Deployment convenience does not remove the need for secure configuration and maintenance boundaries.
Practical implication: treat the gateway as a governed service component, not just a deployment artifact, and assign clear ownership for its lifecycle.
NHI Mgmt Group analysis
Reviewer visibility is only meaningful when it includes downstream assignment state. Access certification breaks when reviewers can approve a parent entitlement without seeing what that approval actually propagates into. Omada’s focus on child assignment visibility points to a broader governance truth: attestation quality depends on the completeness of the privilege picture, not the volume of review activity. Practitioners should treat nested and inherited access as first-class review data, not secondary context.
Access request design is a control surface, not just a user experience concern. When request flows are hard to configure, teams compensate with manual workarounds, inconsistent approval paths, and entitlement sprawl. That weakens IAM governance because the request layer becomes detached from the actual access model. The practical conclusion is that request configuration quality directly affects how enforceable least privilege is across the programme.
Deployment flexibility does not reduce operational governance responsibility. Docker-based delivery for the Cloud Application Gateway may simplify rollout, but it also widens the need for controlled versioning, configuration review, and environment consistency. Identity programmes often underestimate this layer because they focus on access policy while treating supporting infrastructure as incidental. Practitioners should govern gateway deployment as part of the identity control plane.
Identity governance maturity is increasingly measured by visibility into process outcomes, not just control existence. The release reflects a market shift toward observable governance, where teams need to see request paths, review outcomes, and operational states in one place. That aligns with NIST CSF and Zero Trust thinking: access controls are only credible when they can be inspected, validated, and repeated. Practitioners should assess whether their tooling exposes governance evidence or merely enforces workflow.
From our research:
- 4.6% of all public GitHub repositories contain at least one hardcoded secret, according to The State of Secrets Sprawl 2025.
- 15% of commit authors have leaked at least one secret in their contribution history, according to The State of Secrets Sprawl 2025.
- For lifecycle control, see NHI Lifecycle Management Guide for provisioning, rotation, and offboarding discipline.
What this signals
Request governance is becoming an evidence problem as much as a workflow problem. Teams that cannot show why a request was approved, what it expanded into, and how it was later removed will struggle to defend access decisions in audit and recertification cycles. That is why visibility into child assignments matters as a governance signal, not just a UI enhancement.
Operational simplicity should not be confused with control reduction. Docker-based deployment may make the Cloud Application Gateway easier to roll out, but identity teams still need environment consistency, configuration review, and ownership clarity. The broader signal is that identity control planes are being judged on their ability to stay observable as they become more distributed.
For teams maturing their access governance model, the practical benchmark is whether request, review, and removal states are visible end to end. The Ultimate Guide to NHIs is a useful companion when lifecycle discipline and governance evidence need to be assessed together.
For practitioners
- Tighten request template design: Map each access request template to a single entitlement family, named approver path, and explicit approval condition so users cannot drift into broad or ambiguous requests.
- Audit nested assignment visibility: Confirm reviewers can see child assignments, inherited entitlements, and downstream role effects before you rely on certifications as audit evidence.
- Govern gateway deployment as a service: Assign ownership for packaging, version control, configuration review, and rollback handling for the Cloud Application Gateway so deployment changes do not bypass identity governance.
- Test access removal workflows end to end: Validate that access removal paths resolve parent and child assignments consistently, and that reporting reflects the final revoked state after the workflow completes.
Key takeaways
- The release is most relevant where identity governance breaks down at the handoff between request, review, and removal.
- Child assignment visibility matters because reviewers need the downstream privilege footprint, not just the parent entitlement.
- Practical value depends on whether teams convert these features into cleaner approvals, stronger certifications, and auditable removals.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | Access request and review improvements support identity assurance and access governance. |
| NIST Zero Trust (SP 800-207) | AC-2 | The release strengthens access lifecycle handling and decision visibility. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle control and revocation discipline are relevant to managed non-human access. |
Map request, approval, and removal flows to AC-2 and confirm access is continuously revalidated.
Key terms
- Child Assignment: An entitlement that exists because it is inherited or derived from another access object such as a role, group, or parent assignment. Reviewers need to see child assignments because the effective access footprint is often larger than the top-level item suggests, especially in complex governance models.
- Access Request Template: A predefined request structure that determines what users can ask for, who approves it, and what context is required. In mature IAM programmes, the template is a governance control, not just a convenience feature, because it shapes entitlement paths and prevents ambiguous approvals.
- Identity Control Plane: The operational layer where identity policy, workflows, approvals, and lifecycle state are enforced and observed. It includes the systems that translate governance decisions into access outcomes, which makes visibility, consistency, and auditability essential to its design.
This post draws on content published by Omada Identity: Omada Identity Cloud April 2026 Release. Read the original.
Published by the NHIMG editorial team on 2026-04-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org