TL;DR: Pathlock Community London, held at The Stafford London on 09/10/2026, gathers customers and select prospects for strategic insights, product roadmap updates, customer success stories, and peer networking, according to Pathlock. For IAM and GRC teams, it is a chance to pressure-test governance priorities against real-world implementation experience.
At a glance
What this is: Pathlock's London customer event, focused on strategic insights, product updates, customer success stories, and governance, risk, and compliance (GRC) discussion.
Why it matters: Practitioner events often reveal how vendors are positioning control priorities, which helps IAM, PAM, and GRC teams compare roadmap claims against their own governance gaps.
By the numbers:
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
👉 Register for Pathlock Community London to hear the governance and roadmap discussion
Context
The real issue behind customer events like this is governance maturity, not the event agenda itself. In NHI and access management programmes, teams still struggle to connect roadmap promises to the practical work of controlling entitlement sprawl, offboarding, and privileged access across human and non-human identities.
Pathlock’s London session is framed around strategy, product direction, and customer experience, which makes it a useful marker for how the vendor wants to be understood by practitioners. For security leaders, the key question is whether the discussion helps clarify operational control gaps in IAM, PAM, and GRC, or simply rephrases them in product terms.
Key questions
Q: How should IAM teams use customer events to assess governance maturity?
A: Treat customer events as control signals, not promotional noise. The useful test is whether the discussion exposes how access review, privileged access, and lifecycle processes are actually enforced. If the event produces only vision language and no operational clues, it tells you more about positioning than governance maturity.
Q: What should security teams look for in governance and compliance product roadmaps?
A: Look for evidence that the roadmap addresses control ownership, lifecycle enforcement, and exception handling rather than just reporting. A mature roadmap should help teams answer who approves access, when it expires, and how revocation is verified. Without those answers, the programme remains descriptive instead of enforceable.
Q: Why do PAM and lifecycle processes need to be evaluated together?
A: Because privileged access is only safe when the lifecycle process removes it promptly and consistently. PAM can control elevation, but lifecycle governance decides whether that elevation persists beyond its business need. If those two functions are separated, standing privilege becomes an accepted operating state.
Q: What does standing access reveal about identity governance risk?
A: Standing access shows that entitlement cleanup is not keeping pace with business change. It creates audit blind spots, weakens least privilege, and makes it harder to prove that access was removed when the original need ended. In practice, it is often a signal of weak ownership rather than a single technical misconfiguration.
Background and context
Strategic governance sessions: what they usually surface
Customer events often surface the gap between governance theory and implementation reality. Strategic overviews tend to reveal how a vendor frames access review, privileged access, and compliance workflows across the identity lifecycle. For practitioners, the useful signal is whether those sessions map to concrete control ownership, evidence collection, and exception handling, or remain high-level messaging about vision and roadmap.
Practical implication: Use the strategic sessions to test whether your current control model has clear owners for access decisions, review evidence, and exception remediation.
Customer success stories and GRC controls
Customer success content is most valuable when it shows how governance controls behaved under real operational conditions. In practice, that means hearing how organisations handled recertification, privileged access, and audit evidence when business pressure, legacy systems, or mixed identity estates complicated the process. The strongest examples usually expose where policy design and day-to-day enforcement diverge.
Practical implication: Compare the customer examples against your own audit trail, review cadence, and exception handling process to see where controls are failing in practice.
PAM, access review, and lifecycle management across identities
Identity governance becomes difficult when the same control family must cover employees, service accounts, and privileged workflows. PAM governs high-risk access, but lifecycle processes decide whether that access is revoked, re-certified, or left to drift. For teams running mixed estates, the technical challenge is less about individual tools and more about keeping entitlement records, review triggers, and offboarding actions aligned.
Practical implication: Check whether your PAM and lifecycle workflows cover service identities as rigorously as human accounts, especially where access changes outside standard HR-driven processes.
NHI Mgmt Group analysis
Customer events are governance signals, not just marketing events. When a vendor gathers customers around roadmap, success stories, and strategic direction, practitioners should treat that as a window into which identity problems are most commercially active. The discussion usually reflects where the market thinks control gaps still exist across PAM, access review, and lifecycle governance. The implication is to compare those themes against your own control backlog, not your product shortlist.
Identity governance is still being sold as a programme, but operated as a set of disconnected controls. Customer success narratives often mask the hard part, which is aligning policy, entitlement data, review cadence, and revocation actions across human and non-human identities. That fragmentation is why many teams can describe their governance model but cannot prove consistent enforcement. The practical conclusion is that operating model cohesion matters more than feature depth.
Standing privilege is the quiet failure mode behind many governance conversations. Events like this frequently expose how often access remains in place long after its original business need has ended. That is not a tooling problem alone; it is a lifecycle accountability problem that spans IAM, PAM, and NHI governance. The practitioner takeaway is that access must be treated as time-bound evidence, not permanent entitlement.
Pathlock Community London should be read as a signal about market direction toward broader control consolidation. When product strategy, customer stories, and peer discussion sit in the same room, the category is usually moving toward bundled governance narratives rather than isolated point controls. That can help teams simplify evaluation, but it also risks obscuring which controls actually close the largest identity gaps. The implication is to preserve independent control assessment even when the market narrative becomes more integrated.
From our research:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means many governance teams are still certifying what they cannot reliably see.
- For a broader view of where the category is heading, see the Ultimate Guide to NHIs and The NHI Market for the market structure behind NHI control decisions.
What this signals
Entitlement drift becomes harder to ignore when governance teams cannot see the full identity estate. Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs. That means events focused on strategy and roadmap should be read through an operational lens: visibility, not messaging, is the limiting factor.
Lifecycle accountability is the pressure point for mixed identity programmes. When offboarding and revocation remain weak, human IAM and NHI governance start failing for the same reason: access outlives its business purpose. Teams should expect more vendor messaging around governance consolidation, but the programme risk still sits in the handoff between approval, enforcement, and removal.
For practitioners, the next question is not whether governance tools can report on access, but whether they can prove removal at the same pace business change occurs. That is where the difference between policy and enforcement becomes visible.
For practitioners
- Map the roadmap to control ownership: Use the strategic overview to identify which teams own access reviews, privileged access, entitlement cleanup, and exception approval. If no one can name the control owner for each step, the governance model is already weaker than the event language suggests.
- Pressure-test customer stories against your audit evidence: For every success story you hear, ask whether the same outcome would be visible in your logs, certification records, and remediation tickets. If the answer is no, the issue is not education but evidence quality.
- Check lifecycle coverage beyond human accounts: Review whether your joiner-mover-leaver process, recertification cadence, and offboarding steps explicitly cover service accounts, API keys, and privileged identities. Many programmes still protect employees better than the identities that actually power systems.
- Audit standing access before it becomes accepted drift: Look for permissions that persist across projects, teams, or vendor relationships without a fresh business justification. Standing access is often tolerated because it is familiar, not because it is safe.
Key takeaways
- The event is best read as a governance signal, because roadmap and customer-success content reveal where identity control gaps remain most commercially relevant.
- Our research shows that only 20% of organisations have formal offboarding and revocation processes for API keys, which underscores how weak lifecycle discipline remains.
- Practitioners should use the event to test control ownership, lifecycle coverage, and standing-access cleanup rather than accepting strategic language at face value.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access permissions and governance are central to the event's PAM and lifecycle focus. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | The event's governance themes align with continuous verification and least privilege. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle governance for service identities is relevant to the event's access and offboarding themes. |
Use zero trust principles to limit standing access and require revalidation for sensitive entitlements.
Key terms
- Identity Governance: Identity governance is the set of policies, processes, and controls used to decide who or what should have access, for how long, and under what approval model. In practice, it turns access into something that can be reviewed, revoked, and evidenced rather than assumed.
- Standing Privilege: Standing privilege is access that remains continuously available instead of being granted only when needed. It creates governance risk because it reduces the pressure to justify access at the moment of use and often survives long after the original business need has ended.
- Lifecycle Management: Lifecycle management is the governance discipline that tracks access from creation through review, change, and removal. For service accounts and other non-human identities, it matters because offboarding and revocation are often weaker than provisioning, allowing unnecessary access to linger.
Deepen your knowledge
Identity governance, PAM, and NHI lifecycle control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a governance programme from the same starting point, it is worth exploring.
This post draws on content published by Pathlock: Pathlock Community London customer quarterly event.
Published by the NHIMG editorial team on 2026-06-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org