TL;DR: Omada’s ownership change, backed by GRO and Kirk Kapital, frames identity governance as a platform category shaped by AI, machine identity, compliance, and cloud-native scale, while the company says customers typically see value in 90 days and cut helpdesk tickets by 60 percent. The market is now treating IGA as infrastructure for lifecycle control, not just access administration.
At a glance
What this is: Omada’s ownership change underscores how identity governance is being positioned as a cloud-native control layer for AI, machine identity, and compliance-heavy environments.
Why it matters: For IAM practitioners, this matters because IGA is moving closer to core security architecture, where lifecycle governance, access visibility, and operational scale now influence both risk and resilience.
By the numbers:
- Customers typically see value within 90 days, shorten deployment times by 80 percent, and reduce helpdesk tickets by 60 percent.
👉 Read Omada Identity’s ownership-change announcement and IGA strategy
Context
Identity governance is the control layer that determines who or what gets access, when that access should be granted, and how it is removed. In this announcement, the underlying issue is not ownership change by itself, but the continuing shift of IGA toward cloud-native administration, AI-assisted decisioning, and machine identity lifecycle control.
That matters because many identity programmes still treat governance as a back-office certification function rather than an operating model for modern digital estates. As environments become more hybrid and more automated, lifecycle governance becomes a security and resilience issue, not just an audit requirement.
Key questions
Q: How should organisations extend identity governance to machine identities?
A: Start by inventorying service accounts, API keys, tokens, and certificates under the same ownership model used for human accounts. Then apply lifecycle controls for provisioning, review, rotation, and offboarding so machine access is not left to ad hoc administration. Governance should be continuous, because machine identities often persist long after the use case that created them has changed.
Q: When does AI help identity governance, and when does it create new risk?
A: AI helps when it reduces review overload, prioritises anomalies, and speeds entitlement analysis. It creates risk when organisations treat its output as authority instead of decision support. The control boundary must stay clear: policy ownership, approval rights, and exception handling remain with accountable identity teams, not with the model generating recommendations.
Q: What breaks when machine identities are left outside IGA?
A: Governance becomes incomplete because the identities with the least visibility often retain the most persistent access. That creates hidden privilege, weak offboarding, and poor accountability when access needs to be explained to auditors or security teams. The result is a control gap, not just an administrative inconvenience, and it tends to grow over time.
Q: Who should own access governance in cloud-native environments?
A: Ownership should sit with the identity governance function, but it must be tightly aligned with cloud, application, and security teams. The key is to make policy enforcement consistent across environments while keeping business approval paths and remediation responsibilities clear. Without explicit ownership, governance becomes fragmented and exceptions become permanent.
Technical breakdown
Cloud-native IGA as an operating control layer
Cloud-native identity governance platforms centralise entitlement workflows, approvals, certifications, and lifecycle events across distributed applications. Multi-tenant delivery changes the operating model because configuration, policy enforcement, and workflow execution must scale without brittle custom code. The practical point is that modern IGA is less about one-off provisioning and more about repeatable control over joiner, mover, leaver, and access review processes across hybrid environments.
Practical implication: evaluate whether your IGA platform can enforce lifecycle controls consistently across cloud and on-premises systems.
AI-assisted identity governance and decision support
AI in IGA is most useful when it helps classify access, prioritise review queues, and surface anomalies in entitlement patterns. It does not replace governance authority, because the control decision still needs policy, accountability, and exception handling. In practice, AI becomes a decision-support layer for high-volume identity operations, especially where manual review cannot keep pace with the number of entitlements or the speed of organisational change.
Practical implication: treat AI features as review acceleration and pattern detection tools, not as a substitute for governance ownership.
Machine identity lifecycle and the next governance boundary
Machine identity management extends IGA beyond human users to service accounts, workloads, tokens, and API-driven access. The technical challenge is that machine identities often outlive their original use case, accumulate standing privileges, and remain poorly visible to governance teams. When the identity subject is not a person, lifecycle discipline matters even more because offboarding, rotation, and entitlement scoping are the real control points.
Practical implication: extend governance workflows to non-human accounts before machine identity sprawl becomes an unmanaged access layer.
NHI Mgmt Group analysis
IGA is becoming a frontline control plane, not a compliance backstop. The announcement reflects a broader market reality: identity governance now sits closer to operational security than traditional access administration. As cloud estates, AI-assisted workflows, and machine identities expand, certification alone is no longer the whole job. Practitioners should interpret IGA as a control plane for access risk, not just an audit support function.
Machine identity governance is now part of the core IGA mandate. The article’s emphasis on machine identity is not a side note, because service accounts and workload credentials increasingly carry the same business risk as human access, but with weaker lifecycle discipline. That moves governance from periodic review into continuous visibility, ownership, and lifecycle enforcement. Teams that keep machine identities outside the governance model are leaving a real control gap unaddressed.
Cloud-native delivery is changing what “effective governance” looks like. A cloud-native, multi-tenant IGA model lowers operational friction, but it also raises the bar for consistent policy enforcement across heterogeneous environments. The issue is not the deployment model alone, but whether governance can remain precise at scale. For identity leaders, the test is whether the platform can standardise policy without flattening the exceptions that real enterprises need.
Access governance is becoming a board-level resilience issue. The article connects identity governance to compliance, security, automation, and digital transformation, which is the right framing for the current market. Governance failures now have direct operational consequences because access errors can slow delivery, widen attack surfaces, and weaken audit posture at the same time. Practitioners should treat governance maturity as an enterprise resilience metric, not a back-office metric.
From our research:
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, according to The 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, even though 92% agree that governing AI agents is critical to enterprise security.
- Read the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, for the governance pattern that turns access scope into a lifecycle problem.
What this signals
With 70% of organisations granting AI systems more access than they would give a human employee performing the exact same job, the governance problem is no longer theoretical. Identity teams should expect pressure to widen policy scope from human accounts to machine and AI-driven access paths, especially where entitlement review is already stretched.
Access scope drift: when governance models track who approved access but not whether the actor type has changed, lifecycle control starts to fail silently. That matters for identity programmes because the next wave of risk will come from systems that are formally authenticated but only loosely governed.
For readers building an IGA roadmap, the practical question is how quickly governance can be extended into machine identity and AI-adjacent workflows without breaking operational throughput. The organisations that wait for a perfect model will end up normalising exceptions, which is usually how access control debt starts.
For practitioners
- Reassess governance scope beyond human users: Map which service accounts, API tokens, and workload identities are still governed outside your IGA programme, then fold them into the same ownership and review model.
- Validate lifecycle controls across hybrid environments: Test whether joiner, mover, leaver, and certification workflows behave consistently across SaaS, on-premises, and cloud applications without relying on manual exceptions.
- Separate AI assistance from governance authority: Use AI to prioritise reviews and detect entitlement anomalies, but keep approval, exception handling, and policy ownership with accountable identity teams.
- Measure governance outcomes, not just workflow volume: Track whether access recertifications reduce excess privilege, shorten remediation cycles, and improve visibility into who or what still has standing access.
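The following Python script is an added example, not Omada's product code and not NHIMG's own tooling. It runs the lifecycle controls named in the machine-identity Q&A above (ownership, provisioning, review, rotation, offboarding), the access scope drift check from "What this signals", and the outcome metrics from the last practitioner step, over a constructed inventory that holds human and non-human identities under one ownership model. The policy thresholds, entitlement names, owner names, and sample records are assumptions chosen for illustration.

```python
"""Lifecycle governance checks over a constructed identity inventory.

Added example (not Omada's or NHIMG's code): evaluates human and non-human
identities against the same ownership and lifecycle model and reports the
control gaps that certification-only governance tends to miss.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Assumed policy thresholds (constructed; tune to your own standard).
ROTATION_MAX_AGE = timedelta(days=90)   # credential age after which rotation is overdue
DORMANCY_LIMIT = timedelta(days=60)     # no authentication for this long -> dormant
RECERT_INTERVAL = timedelta(days=180)   # standing privilege must be re-reviewed within this window
PRIVILEGED_ENTITLEMENTS = {"admin", "secrets:read", "iam:write"}  # assumed names


@dataclass
class Identity:
    name: str
    actor_type: str                 # how it is used now: "human", "service", "workload", "ai_agent"
    approved_actor_type: str        # actor type recorded when access was approved
    owner: Optional[str]            # accountable person, or None if no owner recorded
    entitlements: List[str]
    credential_issued: date
    last_authenticated: Optional[date]
    last_recertified: Optional[date]


@dataclass
class Finding:
    identity: str
    control: str                    # which lifecycle control failed
    detail: str


def evaluate(ident: Identity, today: date, offboarded_owners: Set[str]) -> List[Finding]:
    """Apply each lifecycle control to one identity and return its control gaps."""
    gaps: List[Finding] = []
    # Ownership: every identity, human or not, needs an accountable owner who is still present.
    if ident.owner is None:
        gaps.append(Finding(ident.name, "ownership", "no accountable owner recorded"))
    elif ident.owner in offboarded_owners:
        gaps.append(Finding(ident.name, "ownership", f"owner {ident.owner} has left; identity is orphaned"))
    # Rotation: credential age measured against the rotation window.
    age = today - ident.credential_issued
    if age > ROTATION_MAX_AGE:
        gaps.append(Finding(ident.name, "rotation", f"credential is {age.days} days old"))
    # Offboarding: access that is never exercised should be removed rather than kept.
    if ident.last_authenticated is None or today - ident.last_authenticated > DORMANCY_LIMIT:
        gaps.append(Finding(ident.name, "offboarding", "dormant: no recent authentication"))
    # Review: standing privileged access must be recertified on schedule.
    privileged = PRIVILEGED_ENTITLEMENTS & set(ident.entitlements)
    if privileged and (ident.last_recertified is None or today - ident.last_recertified > RECERT_INTERVAL):
        gaps.append(Finding(ident.name, "review", f"standing privilege {sorted(privileged)} not recertified"))
    # Scope drift: approval tracked an actor type that no longer matches how the identity is used.
    if ident.actor_type != ident.approved_actor_type:
        gaps.append(Finding(ident.name, "scope_drift",
                            f"approved as {ident.approved_actor_type}, now used as {ident.actor_type}"))
    return gaps


def governance_metrics(inventory: List[Identity], findings: List[Finding]) -> Dict[str, float]:
    """Outcome metrics rather than workflow volume: what still carries ungoverned standing access."""
    total = len(inventory)
    flagged = {f.identity for f in findings}
    unrecertified = {f.identity for f in findings if f.control == "review"}
    return {
        "identities": total,
        "with_gaps": len(flagged),
        "privileged_unrecertified": len(unrecertified),
        "gap_rate_pct": round(100 * len(flagged) / total, 1) if total else 0.0,
    }


# Constructed sample inventory (illustrative, not real data).
TODAY = date(2026, 1, 6)
OFFBOARDED = {"j.doe"}
INVENTORY = [
    Identity("alice", "human", "human", "alice", ["reports:read"],
             date(2025, 12, 1), date(2026, 1, 5), date(2025, 10, 1)),
    Identity("svc-billing", "service", "service", "j.doe", ["admin"],
             date(2025, 3, 1), date(2026, 1, 4), None),
    Identity("ci-deployer", "workload", "workload", "ops-team", ["iam:write"],
             date(2025, 11, 15), None, date(2025, 9, 1)),
    Identity("ai-assistant", "ai_agent", "human", "platform", ["secrets:read"],
             date(2025, 12, 20), date(2026, 1, 6), date(2025, 12, 20)),
]


def run(inventory: List[Identity] = INVENTORY, today: date = TODAY,
        offboarded: Set[str] = OFFBOARDED) -> Tuple[List[Finding], Dict[str, float]]:
    """Evaluate the whole inventory and return (findings, outcome metrics)."""
    findings = [g for ident in inventory for g in evaluate(ident, today, offboarded)]
    return findings, governance_metrics(inventory, findings)


if __name__ == "__main__":
    found, metrics = run()
    for g in found:
        print(f"{g.identity:14} {g.control:12} {g.detail}")
    print(metrics)
```

The point of the single `evaluate` function is that the human user and the service account, workload, and AI agent are judged by the same controls; the orphaned service account with an unrecertified admin entitlement and the agent that was approved as a human user surface as control gaps, while the human user with a current owner and recent review produces none. The metrics report how many identities still have gaps and how many carry unrecertified standing privilege, which is the outcome measure rather than a count of review tasks completed.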
Key takeaways
- Identity governance is shifting from certification management to active control over human, machine, and AI-linked access.
- Cloud-native delivery makes scale easier, but it does not remove the need for explicit ownership, lifecycle control, and consistent policy enforcement.
- Practitioners should extend governance scope now, because machine identity and AI access patterns are already creating the next layer of access risk.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle and secret governance matter as machine identities expand into IGA. |
| NIST CSF 2.0 | PR.AC-4 | Identity governance directly supports least-privilege access management. |
| NIST Zero Trust (SP 800-207) | | Zero Trust depends on continuous verification of access decisions. |
Inventory non-human identities and enforce rotation, ownership, and offboarding controls across the lifecycle.
Key terms
- Identity Governance and Administration: Identity Governance and Administration is the discipline that controls how access is requested, approved, reviewed, and removed. It ties policy to identity lifecycle processes so organisations can reduce excess privilege, prove accountability, and keep access aligned to business need across human and machine identities.
- Machine Identity: A machine identity is a non-human identity used by software, workloads, services, or automation to authenticate and authorise access. It includes service accounts, tokens, certificates, and keys, and it requires lifecycle governance because its privileges can persist long after the original workload changes.
- Access Recertification: Access recertification is the periodic review of existing permissions to confirm they are still justified. In modern identity programmes, it must cover both human and non-human identities, because the risk is not only unused access but also access that remains approved without current ownership.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Omada Identity: its ownership change and identity governance strategy announcement. Read the original.
Published by the NHIMG editorial team on 2026-01-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org