By NHI Mgmt Group Editorial Team
Published 2026-04-29
Domain: Breaches & Incidents
Source: Netwrix

TL;DR: A French public-sector identity governance project won two Cas d'Or 2026 awards for Cyber Governance and Risk Management and Public Sector after centralising identities, automating provisioning, and tightening auditability, according to Netwrix. The signal is that IGA is now a strategic control layer for complex identity populations, not a back-office admin task.


At a glance

What this is: This is a public-sector IGA case study showing how centralised identity governance, automated lifecycle controls, and auditable access can satisfy both operational and compliance pressure.

Why it matters: It matters because public-sector IAM teams are dealing with the same sprawl, lifecycle, and non-human identity pressures that now shape enterprise governance programmes across NHI, autonomous, and human estates.

By the numbers:

👉 Read Netwrix's analysis of the Cas d'Or public-sector identity governance win


Context

Identity governance in the public sector has to do more than tidy up directories. It has to keep access auditable across employees, contractors, temporary staff, technical accounts, and other non-human identities while also surviving budget scrutiny and regulatory change.

This case shows why identity governance and administration has moved from administration to control plane. When user populations are fragmented and systems are mixed across legacy and cloud, the programme that centralises entitlement decisions and lifecycle actions becomes the difference between manageable risk and permanent drift.

The same pressure is now visible across human IAM, NHI governance, and emerging autonomous systems. Public-sector identity teams are being forced to treat lifecycle control, access review, and privilege design as one discipline rather than separate operational chores.


Key questions

Q: How should public-sector teams govern identities across employees, contractors, and service accounts?

A: They should use one governed identity record, one lifecycle process, and one approval model wherever possible. Fragmented handling creates inconsistent access evidence and makes audits harder to defend. The goal is not to treat every identity the same in policy detail, but to make the control model consistent enough that review, revocation, and ownership are always traceable.

Q: Why does role modelling matter more than ad hoc access grants in regulated environments?

A: Role modelling reduces entitlement sprawl by tying access to business function instead of individual exceptions. That makes access easier to certify, easier to revoke, and easier to explain to auditors. In regulated organisations, the value is not just efficiency. It is the ability to prove that access decisions follow a repeatable policy rather than informal judgment.

Q: What breaks when joiner, mover, leaver processes are handled differently for technical accounts?

A: Governance breaks because access outlives the business condition that justified it. If human users are offboarded through workflow but service accounts are left to local administrators, the organisation loses control-plane consistency. That gap leads to stale privileges, weak accountability, and poor audit evidence across the identity estate.

Q: Who is accountable when access review and lifecycle ownership are split across teams?

A: Accountability usually becomes ambiguous, which is why access reviews drift into box-ticking. Ownership must sit with the business or system authority that can answer why access exists and when it should be removed. Frameworks such as the NIST Cybersecurity Framework 2.0 support that governance discipline by making accountability explicit across protect and govern activities.


Technical breakdown

Centralised identity repositories and why they change auditability

A central identity repository brings employees, contractors, service accounts, and other machine identities into one governance model. That matters because auditability depends on having a single entitlement record, not a scattered set of local system permissions and spreadsheet-owned exceptions. In IGA, the repository is the system of record for lifecycle state, role assignment, and approval traceability. It also reduces the control gap between who should have access and who actually does. For public-sector environments, the technical gain is not just visibility. It is the ability to prove governance across heterogeneous systems without rebuilding access logic in each one.

Practical implication: map every identity class to a governed source of truth before expanding policy coverage.

Joiner, mover, leaver automation in mixed identity estates

Joiner, mover, leaver workflows are the operational heart of identity governance. They translate HR, contractor, and system events into provisioning and deprovisioning actions, which prevents access from surviving after role changes or departures. In mixed estates, the same lifecycle logic must handle human users, technical accounts, and delegated access paths without depending on manual tickets. The technical challenge is consistency, because access risk emerges when one identity class is automated and another is still handled by exception. That is why lifecycle engines matter: they turn access changes into deterministic policy execution rather than human memory.

Practical implication: use lifecycle orchestration to remove stale access on the same event that changes role or status.

Business roles versus ad-hoc permissions

Business-role modelling groups access around job function rather than individual entitlements. This is the technical difference between scalable governance and permission sprawl. Instead of granting one-off rights system by system, the platform assigns a role with an auditable policy trail and then recalculates access when the person or account changes state. That approach is especially useful where public-sector structures are complex and user populations change often. It also improves recertification because reviewers evaluate a role and its business justification, not dozens of isolated permissions that no one can explain quickly.

Practical implication: replace discretionary grants with role models that can be certified, inherited, and revoked cleanly.
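The three controls in this breakdown (one governed record for every subject type, joiner/mover/leaver events executed as policy, and access derived from business roles) fit in a single small model. The engine below is an added illustration written for this page, not code from Netwrix or from the project the case study describes; the role catalogue, systems and identities in it are constructed. It shows why the same leaver path for employees, contractors and service accounts matters: a contractor's end date drives revocation automatically, a role change recalculates access instead of stacking grants, an entitlement outside the catalogue is refused, and a departing owner leaves a recorded ownership gap on the service accounts they owned.

```python
# Added example (not from Netwrix or the NHIMG post): a minimal IGA lifecycle
# engine where employees, contractors and service accounts share one record
# model, access is derived only from a business-role catalogue, and every
# lifecycle event leaves an audit entry. All names below are constructed.
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional


class SubjectType(Enum):
    EMPLOYEE = "employee"
    CONTRACTOR = "contractor"
    SERVICE_ACCOUNT = "service_account"


# Hypothetical role catalogue: role -> set of (system, permission).
# Access is granted only via a catalogue role, never as an ad hoc per-system
# grant, so reviewers certify roles rather than hundreds of permissions.
ROLE_CATALOG = {
    "payroll-clerk": {("hr-app", "read"), ("payroll", "submit")},
    "payroll-approver": {("hr-app", "read"), ("payroll", "approve")},
    "payroll-export-job": {("payroll", "export"), ("sftp", "write")},
}


@dataclass
class Identity:
    ident: str
    subject_type: SubjectType
    owner: str                           # accountable business/system owner
    roles: set = field(default_factory=set)
    end_date: Optional[date] = None      # contract or credential end, if any
    status: str = "active"


@dataclass
class AuditEvent:
    on: date
    ident: str
    action: str
    actor: str
    detail: str


class LifecycleEngine:
    """System of record for lifecycle state, role assignment and approvals."""

    def __init__(self, catalog):
        self.catalog = catalog
        self.identities = {}
        self.audit = []

    def _record(self, on, ident, action, actor, detail=""):
        self.audit.append(AuditEvent(on, ident, action, actor, detail))

    def _check_roles(self, roles):
        unknown = set(roles) - set(self.catalog)
        if unknown:  # discretionary grants are not representable at all
            raise ValueError(f"not in role catalogue: {sorted(unknown)}")

    def joiner(self, identity, approver, on):
        self._check_roles(identity.roles)
        self.identities[identity.ident] = identity
        self._record(on, identity.ident, "joiner", approver,
                     f"roles={sorted(identity.roles)}")

    def mover(self, ident, new_roles, approver, on):
        """Role change recalculates access; old entitlements do not linger."""
        self._check_roles(new_roles)
        identity = self.identities[ident]
        old = sorted(identity.roles)
        identity.roles = set(new_roles)
        self._record(on, ident, "mover", approver, f"{old} -> {sorted(new_roles)}")

    def leaver(self, ident, actor, on):
        """One deprovisioning path for every subject type."""
        identity = self.identities[ident]
        identity.status = "disabled"
        identity.roles = set()
        self._record(on, ident, "leaver", actor, "all roles revoked")
        # Ownership gap: active identities owned by the leaver need a new owner
        # before the next certification cycle, and the gap is put on record.
        for other in self.identities.values():
            if other.owner == ident and other.status == "active":
                self._record(on, other.ident, "owner-review", "lifecycle-engine",
                             f"owner {ident} left; reassign ownership")

    def expire(self, today):
        """Orchestration: a passed end date triggers the leaver path itself."""
        for identity in list(self.identities.values()):
            if identity.status == "active" and identity.end_date and identity.end_date < today:
                self.leaver(identity.ident, "lifecycle-engine", today)

    def effective_access(self, ident):
        identity = self.identities[ident]
        if identity.status != "active":
            return set()
        return set().union(*(self.catalog[r] for r in identity.roles))

    def evidence(self, ident):
        """Audit-ready trail for one identity: who did what, and when."""
        return [e for e in self.audit if e.ident == ident]


def demo():
    """Constructed sequence: a joiner, a contractor with an end date, a service
    account owned by the employee, a role move, an expiry run and a leaver."""
    eng = LifecycleEngine(ROLE_CATALOG)
    d0 = date(2026, 1, 5)
    eng.joiner(Identity("alice", SubjectType.EMPLOYEE, "hr-director", {"payroll-clerk"}), "hr-director", d0)
    eng.joiner(Identity("bob-ctr", SubjectType.CONTRACTOR, "alice", {"payroll-clerk"},
                        end_date=date(2026, 3, 31)), "alice", d0)
    eng.joiner(Identity("svc-payroll-export", SubjectType.SERVICE_ACCOUNT, "alice",
                        {"payroll-export-job"}), "platform-lead", d0)
    eng.mover("alice", {"payroll-approver"}, "hr-director", date(2026, 2, 1))
    eng.expire(date(2026, 4, 1))   # contractor end date has passed
    eng.leaver("alice", "hr-director", date(2026, 5, 1))
    return eng


def rejects_adhoc_grant():
    """True when a role outside the catalogue cannot be assigned."""
    eng = LifecycleEngine(ROLE_CATALOG)
    try:
        eng.joiner(Identity("dave", SubjectType.EMPLOYEE, "hr", {"domain-admin"}), "hr", date(2026, 1, 1))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    engine = demo()
    for event in engine.audit:
        print(event.on, event.ident, event.action, event.actor, event.detail)
```

The point to notice is where the controls live: the contractor loses access because the expiry run fed the same leaver function used for employees, the service account keeps its access after its owner leaves but now carries an "owner-review" entry that a certification cycle cannot miss, and `evidence()` reproduces the approval and revocation trail from one record rather than from per-system logs.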


NHI Mgmt Group analysis

Public-sector IGA succeeds when it turns identity from an administrative queue into a governed control surface. The award signal here is not about ceremony. It is about a class of organisations proving that centralised lifecycle control, role logic, and audit-ready reporting can keep pace with fragmented estates and strict oversight. For identity leaders, the lesson is that IGA earns budget when it reduces both operational friction and compliance exposure.

Lifecycle fragmentation is the governance gap this case helps expose. When contractors, staff, and technical accounts are handled through different processes, the programme cannot produce a reliable access picture. That creates a control plane problem, not just an administrative one. Public-sector teams should read this as evidence that lifecycle consistency is now a prerequisite for defensible governance.

Business-role modelling is becoming the default answer to entitlement sprawl in regulated environments. Ad hoc permissions do not scale when access requests, audits, and legal accountability all have to line up. Role-based governance does not remove complexity, but it makes complexity explainable. That is what turns IGA from a helpdesk workflow into a policy system.

Identity governance now has to absorb non-human identity growth as part of the same operating model. The article points to AI agents and automation as the next pressure point, which is directionally right. Public-sector IGA programmes that were designed around human joiner-mover-leaver flows will start to fail if they cannot govern service accounts and other non-human identities with the same lifecycle discipline. The implication is that identity architecture must be built for mixed estates from the outset.

The market signal is that public-sector buyers want control they can explain to auditors and operators at the same time. That is why implementation quality matters as much as platform capability. A modern IGA programme has to prove who has access, why they have it, and how it disappears when the business condition changes. Practitioners should treat explainability as a control objective, not a reporting feature.

From our research:

What this signals

Lifecycle consistency is becoming the real differentiator in identity governance programmes. Public-sector teams will increasingly be judged not by whether they own an IGA tool, but by whether the tool can prove that access changes follow business status changes across every identity class. The control objective is traceability first, automation second.

Access review without ownership clarity will keep producing weak governance outcomes. When managers, system owners, and IT operations all believe someone else is responsible for revocation, access persists longer than intended. That is why lifecycle ownership has to be designed before certification cycles scale up.

The next governance gap is mixed estates. As AI agents and service accounts multiply, teams will need the same policy logic for human users and non-human identities, which is why the lifecycle processes for managing NHIs matter as much as the access catalog itself.


For practitioners

  • Unify identity records across all subject types: Create a single governed inventory for employees, contractors, service accounts, and other non-human identities so access decisions are made from one source of truth.
  • Automate joiner, mover, leaver transitions: Tie provisioning and deprovisioning to authoritative status changes so role changes and exits remove access without waiting for manual tickets.
  • Replace ad hoc grants with business roles: Model access around business function and recertify those roles instead of reviewing hundreds of isolated permissions that no reviewer can explain quickly.
  • Treat compliance evidence as an operating requirement: Build reporting that can show entitlement state, approval history, and revocation events across mixed estates before audit season forces the issue.
  • Extend lifecycle discipline to non-human identities: Apply the same offboarding, review, and ownership logic to service accounts and automation identities that you already expect for human users.

Key takeaways

  • This case shows that IGA succeeds when it creates a single governable record for people, contractors, and technical accounts.
  • The value signal is not award language, but the operational proof that lifecycle automation and role modelling reduce audit friction and access drift.
  • Public-sector identity teams should now plan for mixed estates, where human IAM and NHI lifecycle discipline have to be governed under the same model.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Identity governance depends on controlled access provisioning and review.
NIST CSF 2.0 | GV.OV-01 | Public-sector IGA needs auditable oversight and accountability.
OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle and revocation discipline are central to reducing non-human identity risk.

Apply NHI-03 to service accounts and automation identities that still rely on persistent access.


Key terms

  • Identity Governance And Administration: Identity governance and administration is the discipline for controlling who has access, why that access exists, and when it must be removed. It combines policy, workflow, review, and evidence so access decisions are explainable across humans, service accounts, and other non-human identities.
  • Joiner, Mover, Leaver Lifecycle: The joiner, mover, leaver lifecycle is the process used to grant, adjust, and remove access as a person or account changes status. In mature governance programmes, it is the mechanism that prevents stale access, role drift, and ownership gaps across both human and machine identities.
  • Business Role Modelling: Business role modelling groups permissions by job function or operating need rather than by individual entitlements. It makes access easier to approve, recertify, and revoke because reviewers evaluate a role definition instead of a long list of unrelated system permissions.
  • Audit-Ready Reporting: Audit-ready reporting is evidence that shows who had access, who approved it, and when it changed or was removed. In identity governance, it is the proof layer that turns workflow into defensible control for auditors, operators, and risk owners.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by Netwrix: A double win at the Cas d'Or 2026: what identity governance success looks like in the public sector. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org