By NHI Mgmt Group Editorial TeamPublished 2026-05-28Domain: Governance & RiskSource: Commvault

TL;DR: GDPR pressure, infrastructure as code, and API-driven access controls can support rapid growth without stalling delivery, according to Commvault and monday.com, while highlighting the limits of manual permission management and static governance. Security becomes scalable when access, auditing, and infrastructure are designed to move with the business.


At a glance

What this is: This is an operator-focused discussion of how data security, compliance, and automation were combined to support rapid growth without blocking delivery.

Why it matters: It matters because IAM, IGA, and security architects need governance models that can handle expanding access, audit pressure, and faster infrastructure changes without relying on manual control.

👉 Read Commvault's discussion of operationalizing data security at scale


Context

The core problem is not GDPR alone. It is the combination of regional compliance, fast-growing data access, and infrastructure timelines that outpace manual approval and review processes. When permissions expand faster than governance can keep up, visibility and accountability start to fragment.

In this context, data security is really an identity governance problem. Access to analytics platforms, data warehouses, and infrastructure must be managed as part of the lifecycle of users, roles, and service-driven processes, or the organisation ends up with permission sprawl and brittle audits.

For teams building modern data platforms, the question is no longer whether security can be added later. It is whether access control, auditability, and operational change can be treated as design constraints from the beginning.


Key questions

Q: How should teams scale data access controls without creating permission sprawl?

A: Use role-based access as a starting point, then tighten access through automation, logging, and recurring entitlement reviews. The goal is to make permissions reproducible and removable, not just easy to grant. When access is handled through structured identity workflows, teams can scale faster without losing sight of who can reach sensitive data.

Q: Why do infrastructure as code and IAM need to work together?

A: Because infrastructure changes and access changes usually happen together. If infrastructure is automated but permissions are handled manually, the result is inconsistency and audit gaps. Linking the two gives security teams a single change path for infrastructure, access, and evidence, which makes governance easier to sustain as environments grow.

Q: How do organisations know whether data access governance is actually working?

A: Look for evidence that permissions are current, logs are complete, and access reviews lead to real removals rather than paperwork. If teams cannot show who has access, why they have it, and whether that access changed with the environment, the programme is not operationalised. Working governance leaves an audit trail that is usable without heroic effort.

Q: What should compliance and security leaders do when growth outpaces manual controls?

A: Prioritise controls that scale automatically, especially policy-driven access, infrastructure as code, and continuous visibility. Manual control paths tend to collapse under growth because they depend on individual follow-up. Leaders should shift attention from isolated approvals to the repeatable identity and governance processes that keep access aligned with business change.


Technical breakdown

Why infrastructure as code changes data governance

Infrastructure as code turns access, roles, and environment setup into versioned configuration rather than manual tickets. That matters because governance becomes reproducible, reviewable, and faster to audit. Instead of treating each permission change as a one-off event, the organisation can track configuration drift and tie access decisions to the same deployment workflow as infrastructure changes. This is especially useful when data platforms need to scale quickly across regions or teams.

Practical implication: move repeatable access and environment changes into code so governance can be reviewed and tested like any other configuration.

How API-driven access control reduces permission sprawl

API-driven access control lets teams create, update, and revoke permissions programmatically. That reduces the chance that access accumulates in ad hoc ways across tickets, spreadsheets, or manual exceptions. The real value is not automation for its own sake, but consistency. When access is assigned through systems instead of memory, it is easier to trace who has what, why they have it, and when it should be removed. That is the difference between controlled growth and permission sprawl.

Practical implication: connect entitlement changes to identity workflows and APIs so revocation is as routine as provisioning.

Why visibility and fine-grained permissions matter for analytics teams

Analytics environments create a tension between data access and data minimisation. Teams need enough access to do their work, but broad access quickly makes audits harder and increases the risk of overexposure. Fine-grained permissions help align access with role and purpose, while visibility lets security teams verify that actual use matches intended scope. Without both, compliance becomes reactive and access reviews become box-ticking exercises rather than meaningful governance.

Practical implication: pair role-based access with detailed logging and periodic entitlement checks to keep analytics access aligned with business need.


NHI Mgmt Group analysis

Security at scale is an identity governance problem disguised as an infrastructure problem. When organisations grow fast, access to data, analytics, and tooling expands faster than manual review cycles can absorb. That makes permission governance the control plane for compliance, not a back-office task. The implication is that IAM and IGA teams need to treat data platform access as a lifecycle discipline, not a one-time setup.

Automation only improves governance when it is tied to clear entitlement models. Programmatic access changes remove ticket bottlenecks, but they also make bad policy more repeatable if the underlying roles are sloppy. The real lesson is that automation must encode the right access boundaries, not merely accelerate change. Practitioners should assume that speed without structure simply scales confusion.

Fine-grained access is the practical answer to permission sprawl. Broad roles may help teams move quickly at first, but they become brittle as data usage expands across functions. Once analytics, engineering, and compliance all depend on the same platforms, access needs to reflect purpose, not convenience. Security teams should expect access models to become more granular as data becomes more central to operations.

Operationalised security means the audit trail is part of the architecture. If controls are only visible at review time, they are already too late to support fast-moving environments. Logging, monitoring, and configuration history need to be designed into the platform so that compliance evidence is produced continuously. That is what makes security scale with the business rather than slowing it down.

Data residency and access governance now move together. Regional hosting alone does not satisfy the governance problem if users can still reach data without precise control and evidence. The market is moving toward programmes where location, access, and auditability are treated as one operating model. Practitioners should expect future data security discussions to focus less on storage location and more on controllable identity paths into data.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months.
  • For a broader view of lifecycle governance, see NHI Lifecycle Management Guide for the operational controls that make access changes auditable.

What this signals

The operational lesson for practitioners is that governance has to follow the change rate of the environment. If access, infrastructure, and compliance controls are still managed on separate timelines, the programme will keep producing exceptions that nobody can confidently reconcile.

Permission drift: when broad roles, manual updates, and incomplete logging accumulate faster than review cycles can clear them, the audit model stops reflecting reality. That is the point where data security becomes a reporting problem instead of a control problem.

With 1 in 4 organisations already investing in dedicated NHI security capabilities, per The State of Non-Human Identity Security, the market signal is clear: identity governance is moving closer to the data plane, not away from it.


For practitioners

  • Codify permissions as infrastructure Represent roles, access policies, and environment setup in version-controlled configuration so changes can be reviewed, tested, and rolled back consistently.
  • Tie access changes to identity workflows Connect provisioning and revocation to API-driven identity processes rather than relying on tickets, spreadsheets, or manual approvals for routine changes.
  • Reduce broad roles in analytics environments Review shared access patterns across data teams and replace catch-all permissions with tighter role definitions that reflect actual job functions.
  • Build continuous audit evidence into the platform Capture access logs, change history, and configuration drift automatically so audit preparation does not depend on manual evidence gathering.

Key takeaways

  • Fast-growing data platforms break manual governance first, not just manual operations.
  • Automation only improves security when access models, logging, and change control are aligned.
  • Practitioners should treat auditability, least privilege, and infrastructure as code as one operating model.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Role and permission control is central to the article's governance model.
NIST SP 800-53 Rev 5AC-6Least privilege directly matches the article's focus on fine-grained access and permission sprawl.
ISO/IEC 27001:2022A.5.15Access control policy is directly relevant to scalable governance over data environments.
GDPRArt.32The article centres on GDPR-driven security and auditable processing.

Apply Art.32 by ensuring access controls and logging support security of processing for data platforms.


Key terms

  • Permission Sprawl: Permission sprawl is the slow accumulation of access rights beyond what teams actually need. It happens when roles are added, copied, or expanded without strong lifecycle control, making it harder to know who can access sensitive data and why that access still exists.
  • Infrastructure as Code: Infrastructure as code is the practice of defining environments, permissions, and deployment settings in machine-readable configuration. In governance terms, it creates repeatable, reviewable change paths that support auditing, consistency, and faster recovery from drift.
  • Operationalised Security: Operationalised security means security controls are built into day-to-day workflows rather than added after the fact. It combines visibility, automation, and auditability so controls can keep pace with business change instead of becoming a bottleneck.

What's in the full article

Commvault's full discussion covers the operational detail this post intentionally leaves at the governance level:

  • How monday.com structured its European data warehouse and access model in practice
  • The implementation lessons behind standing up a compliant environment in under two weeks
  • Specific ways automation and API-driven controls replaced manual permission handling
  • The operational tradeoffs between analytics velocity, visibility, and auditability

👉 Commvault's full episode adds the implementation detail behind governance, automation, and rapid infrastructure change.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org