TL;DR: Public sector cyberattacks now account for 34% of incidents in Spain, and 2025 activity rose 40% year over year, according to Soffid, as bot-driven scanning industrializes access exploitation and turns identity control into a service continuity issue. Compliance now depends on governance that can verify, recertify, and revoke without disrupting operations.
At a glance
What this is: This is a public-sector IAM and compliance analysis showing that identity control failures, not just perimeter weaknesses, are driving rising attack exposure and operational risk.
Why it matters: It matters because public-sector IAM teams must secure large, mixed identity populations, including non-human identities, while still preserving service availability and meeting NIS2 and GDPR obligations.
By the numbers:
- Cyberattacks on the public sector were 34% of the total in Spain in 2024.
- Public sector cyberattacks increased 40% in 2025 over the previous year.
👉 Read Soffid's analysis of public-sector digital identity compliance and cybersecurity
Context
Public sector digital identity management is the control layer that determines who and what can access government, health, education, and defence systems. In this article's framing, the core problem is not only attack volume but governance failure across millions of identities, including non-human entities, in environments that cannot afford access friction.
The article ties that governance gap to regulatory pressure, especially NIS2 and GDPR, where public bodies must strengthen risk analysis, incident response, oversight, and auditability. The operational tension is straightforward: access control must be strict enough to reduce abuse, but simple enough that essential services keep running.
Key questions
Q: How should public-sector teams govern non-human identities without slowing operations?
A: Public-sector teams should govern non-human identities with separate ownership, lifecycle controls, and review cadences rather than forcing them into human access workflows. The goal is to keep service accounts, tokens, and certificates visible and revocable while preserving service availability. That usually means automating approval, recertification, and logging around the identities that matter most.
Q: Why do non-human identities create more compliance risk in government environments?
A: Non-human identities create more compliance risk because they often hold persistent permissions, move faster than human review cycles, and are easier to forget during offboarding or system changes. In government environments, that becomes a compliance issue when auditors expect clear evidence of ownership, revocation, and oversight across the full identity estate.
Q: What breaks when identity reviews are built only for employee accounts?
A: What breaks is coverage. Service accounts, API keys, and other machine identities can retain access long after the operational need has ended, and those identities may never appear in standard employee recertification workflows. The result is privilege creep, poor auditability, and unnecessary exposure in systems that rely on delegated access.
Q: Who is accountable when public-sector identity controls fail under NIS2?
A: Accountability falls on the organisation that owns the service, the identity governance process, and the operational systems that expose access, not on a single tool or team. Under NIS2, public bodies must be able to show oversight, rapid response, and demonstrable control evidence across the identity lifecycle.
Technical breakdown
Why identity governance fails in public-sector environments
Public-sector IAM breaks down when identity sprawl grows faster than governance can track it. The article describes large populations of users with very different profiles, plus non-human entities that can include service accounts, tokens, and other machine identities. Without lifecycle visibility, permission reviews become incomplete, revocation becomes slow, and audit evidence becomes fragmented. In that situation, attackers do not need to defeat the whole environment. They only need one identity path that was never reviewed, never revoked, or never properly bounded.
Practical implication: map every identity population to an owner, lifecycle state, and review cadence before adding more access paths.
How NIS2, ENS, and auditability change identity controls
The article links public-sector identity management directly to regulatory compliance, especially the need to document controls, analyse risk, and respond quickly to incidents. That means IAM is no longer just an operational service. It becomes evidence-producing infrastructure. Recertification, access logging, and permission revocation must all be demonstrable, because regulators and auditors will expect proof that access is governed continuously rather than asserted at provisioning time.
Practical implication: treat identity evidence as a control output, not a by-product, and make reporting part of the operating model.
Why non-human identities raise the baseline for access governance
Non-human identities expand the attack surface because they often hold persistent privileges, interact at machine speed, and are harder to monitor through human-oriented processes. In public-sector environments, that matters because the same governance model cannot be assumed to fit both staff accounts and service identities. The technical issue is not simply volume. It is that non-human access frequently outlives the operational need that created it, especially in legacy and hybrid systems.
Practical implication: apply separate lifecycle, review, and revocation rules to service accounts, API keys, and certificates rather than folding them into human IAM workflows.
NHI Mgmt Group analysis
Identity governance, not perimeter hardening, is the decisive control plane in public sector security. The article makes clear that attackers are industrializing discovery through massive scans and then exploiting identity weaknesses once they find them. That means the real battle is over who can access what, under what conditions, and for how long. Public-sector programmes that still treat IAM as a back-office function are defending the wrong layer.
Non-human identity sprawl is now part of the public-sector compliance problem. Public administrations do not only manage employees and citizens, they also manage service accounts, integrations, and other machine identities that often escape normal review cycles. This is where NHI governance becomes essential: excessive privilege, weak offboarding, and poor visibility turn routine automation into persistent exposure. Practitioners should assume machine identities are part of the regulated surface, not an exception.
NIS2 forces identity governance to prove operability, not just policy intent. The article's emphasis on oversight, rapid response, and audit evidence reflects a broader shift in regulatory expectations. It is no longer enough to declare that access is controlled. Public-sector teams must show that access can be changed, revoked, and evidenced without interrupting service delivery. That makes lifecycle discipline a core resilience requirement, not an administrative task.
Operational simplicity and security are not competing goals when IAM is designed correctly. The article argues that public institutions need control without friction, and that is the right standard. Centralized identity management, automated recertification, and consistent logging reduce both attack opportunity and administrative burden when they are properly scoped. The practical conclusion is that simplified user experience should be built on stronger governance, not used as a reason to weaken it.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- That remediation gap is one reason the 52 NHI Breaches Analysis remains relevant when teams assess revocation latency and blast radius.
What this signals
Identity control in the public sector is moving from access administration to continuous governance. As attack volume rises and regulations demand evidence, teams should expect more pressure to prove who approved access, who reviewed it, and how quickly it can be revoked. The practical shift is toward control loops that are auditable by default, not stitched together after an incident.
Public-sector programmes will need separate handling for machine identities and delegated access paths. Service accounts and API-driven integrations are now part of the compliance surface, and the governance model must reflect that. With 96% of organisations storing secrets outside secrets managers in vulnerable locations, according to our Ultimate Guide to NHIs, identity hygiene is no longer a narrow technical concern; it is an operational resilience issue.
For practitioners
- Inventory every identity type that can access public-sector systems Build a single inventory that includes employees, contractors, service accounts, API keys, certificates, and integration identities. Assign each identity to an owner, purpose, and review cadence so that the access model reflects the real environment, not just the HR directory.
- Separate human and non-human access governance Do not run service accounts through the same review logic as staff accounts. Define distinct lifecycle controls for machine identities, including creation approval, permission recertification, and revocation triggers tied to system ownership and operational change.
- Make audit evidence automatic Generate logs, recertification records, and revocation evidence as part of normal IAM operations. Public-sector teams need proof of control for ENS, NIS2, and GDPR style oversight, and manual evidence gathering creates delay and inconsistency.
- Reduce standing access where operationally possible Replace permanent permissions with time-bound access where the task allows it, especially for administrative, third-party, and integration pathways. Focus first on identities that can reach sensitive data or system control planes.
Key takeaways
- Public-sector attacks are increasingly driven by identity weaknesses, especially where review and revocation lag behind access growth.
- The combination of regulatory pressure and operational continuity means IAM teams must prove control, not just describe policy.
- Non-human identities belong in the same governance conversation as staff accounts, because they now represent part of the regulated attack surface.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Identity permissions and access governance are central to the article's public-sector control model. |
| NIST SP 800-53 Rev 5 | IA-5 | Credential and authenticator management matters where public-sector identities require revocation and auditability. |
| NIST Zero Trust (SP 800-207) | Zero Trust assumptions fit the article's emphasis on continuous verification and access governance. | |
| ISO/IEC 27001:2022 | A.5.15 | Access control policy is directly relevant to public-sector governance and audit obligations. |
Design identity controls so access is verified continuously rather than trusted because it was provisioned once.
Key terms
- Digital Identity Governance: The discipline of controlling who and what can access systems, data, and services, then proving that control over time. In public-sector environments it must cover people, contractors, service accounts, and integrations while remaining compatible with service continuity and audit expectations.
- Non-human Identity: A non-human identity is a machine or software identity such as a service account, API key, token, or certificate. These identities often hold persistent access and are easy to overlook in human-centric review processes, which makes lifecycle ownership and revocation critical.
- Identity Recertification: Identity recertification is the periodic revalidation of whether access is still needed and still appropriate. For public-sector programmes, it is more than a compliance task, because it is one of the few ways to reduce privilege creep across both human and non-human identities.
- NIS2 Oversight: NIS2 oversight refers to the governance and accountability requirements organisations must demonstrate for cybersecurity risk management, incident response, and operational resilience. In identity programmes, it pushes access control toward traceable decisions, timely revocation, and evidence that controls actually work.
What's in the full article
Soffid's full article covers the operational detail this post intentionally leaves for the source:
- How its unified IAM, IGA, PAM, and risk management stack is positioned for public-sector environments.
- How the vendor describes automated recertification, incident logging, and reporting for compliance evidence.
- How the article frames compatibility with legacy systems and low-friction deployment in public institutions.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-02-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org