By NHI Mgmt Group Editorial Team
Published 2025-12-10
Domain: Governance & Risk
Source: SailPoint

TL;DR: Public sector identity management is shifting from perimeter assumptions to identity-first control as remote work expands, with police and local government leaders describing the need for a common blueprint, stronger joiner-leaver governance, and role-based certification, according to SailPoint. The real issue is not tooling alone but whether access, approval, and accountability can be made consistent across fragmented organisations.


At a glance

What this is: This is a public sector identity governance discussion showing that remote work and legacy estates are forcing organisations to move from perimeter security to identity-led access control.

Why it matters: It matters because IAM, IGA, and PAM teams must support consistent joiner-leaver governance, role-based access, and certification across fragmented public sector environments.

👉 Read SailPoint's blog on public sector identity transformation


Context

Public sector identity management is no longer a back-office control problem. When staff work remotely, the organisation has to prove who is accessing data, at what time, and for what purpose, because perimeter-based assumptions no longer hold. In practice, that shifts identity from an operational support function to the control plane for access, approval, and accountability.

The article reflects a common public sector reality: multiple organisations, legacy systems, and uneven governance create pressure for a shared access blueprint. That is not just an implementation challenge. It is an identity governance problem that touches human users, privileged access processes, and the growing need to standardise joiner, mover, and leaver controls across distributed services.


Key questions

Q: How should public sector organisations govern access when staff work remotely?

A: They should move access decisions to the identity layer and make them role-based, time-aware, and reviewable. Remote work weakens any model that depends on a trusted internal network, so organisations need clear approval paths, certification, and offboarding rules that keep access aligned to current duties and service need.

Q: Why do fragmented agencies struggle to standardise IAM controls?

A: Because each organisation often builds its own approval rules, role models, and governance habits, which makes a shared control baseline difficult. Without a common blueprint, identity decisions become inconsistent across agencies, and that creates gaps in accountability, auditability, and lifecycle management.

Q: What breaks when joiner and leaver processes are not defined upfront?

A: Access tends to become inconsistent, slow to revoke, and dependent on manual follow-up. That leaves people with entitlements that no longer match their role or tenure, which increases residual access and makes governance harder to prove during audits or investigations.

Q: Who should own role-based access certification in public sector IAM?

A: Business and service owners should own it, because they understand whether access still matches the job or service requirement. IAM teams can run the process, but they cannot replace the accountability needed to approve, reject, or remove entitlements with confidence.


Technical breakdown

Why perimeter security fails in distributed public sector access

Perimeter security assumes trusted internal networks and relatively stable access paths. Remote work breaks that model: users connect from outside the organisation, often across multiple services, so network location no longer says anything useful about whether a request should be allowed. The decision has to be made at the identity layer, which becomes the policy decision and enforcement point for authentication, authorisation, and auditability. The technical shift is from network trust to identity context, where access is evaluated on who the user is, what they need, whether the relationship is still active, and whether that entitlement still fits the role.

Practical implication: build access policy around identity context rather than network location or legacy perimeter assumptions.

Role-based access control and certification as governance mechanics

Role-based access control groups access by job function, while certification campaigns test whether those entitlements still make sense. In public sector environments, this matters because access often accumulates across teams, agencies, and shared services. Certification is not just a compliance exercise. It is the mechanism that exposes whether a role still reflects current duties, whether approvals are traceable, and whether dormant access is lingering after organisational change. Without that governance loop, RBAC becomes static entitlements with little operational oversight.

Practical implication: connect RBAC to recurring access certification so role sprawl and stale entitlements can be removed.

Joiner and leaver processes as the core identity lifecycle

Joiner and leaver controls define how identity is provisioned, changed, and removed over the lifecycle of employment or service. The article makes clear that this lifecycle must be designed upfront, not bolted on after rollout. That means mapping approval paths, defining baseline roles, and ensuring the right assets are reachable only while the relationship exists. Lifecycle governance is especially important in public sector bodies with frequent transfers and multiple departments, because inconsistent offboarding creates residual access that outlives the person or role that justified it.

Practical implication: formalise joiner-leaver workflows before rollout so offboarding and entitlement removal are not left to manual follow-up.
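The three mechanics above (identity-context decisions, RBAC tied to certification, and joiner/mover/leaver lifecycle control) fit together as one small model. The following is an added example written for this page, not code from SailPoint or from the article: a constructed role model maps job functions to justified entitlements; `authorise()` decides from role and tenure only, never from source network; `certification_items()` builds a campaign worklist of held entitlements that no current role justifies, routed to a named owner; and `reconcile()` turns the difference between desired and actual access into grant, revoke, flag and disable actions, including orphan accounts with no authoritative identity behind them. All people, roles, entitlements and owners are constructed sample data.

```python
"""Added example (not from the SailPoint article or NHI Mgmt Group): an
identity-first access model with role-based desired state, owner-routed
certification and joiner/mover/leaver reconciliation.
Every name, role, entitlement and person here is constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed role model: job function -> entitlements that function justifies.
ROLE_MODEL = {
    "custody_officer": {"custody_app:read", "custody_app:write", "email"},
    "records_clerk": {"records:read", "email"},
    "records_supervisor": {"records:read", "records:approve", "email"},
}
# Constructed ownership: the business owner accountable for certifying each entitlement.
ENTITLEMENT_OWNER = {
    "custody_app:read": "custody_owner", "custody_app:write": "custody_owner",
    "records:read": "records_owner", "records:approve": "records_owner",
    "email": "it_service_desk",
}

@dataclass(frozen=True)
class Person:
    user_id: str
    roles: frozenset[str]
    start: date
    end: Optional[date] = None  # None: relationship still active

@dataclass(frozen=True)
class Action:
    user_id: str
    op: str  # grant | revoke | flag | disable
    entitlement: str
    reason: str

def active(p: Person, today: date) -> bool:
    """Tenure footprint: access is justified only while the relationship exists."""
    return p.start <= today and (p.end is None or today < p.end)

def desired_access(p: Person, today: date) -> set[str]:
    """Entitlements the current roles justify; empty before start or after end."""
    if not active(p, today):
        return set()
    return set().union(*(ROLE_MODEL.get(r, set()) for r in p.roles))

def authorise(p: Person, entitlement: str, today: date) -> bool:
    """Identity-context decision: role + tenure. Source network is deliberately not an input."""
    return entitlement in desired_access(p, today)

def certification_items(people, current_access, today):
    """Campaign worklist: each held entitlement no current role justifies, routed to its owner."""
    items = []
    for p in people:
        if not active(p, today):
            continue  # leavers are handled by revocation, not by a review
        for e in sorted(current_access.get(p.user_id, set()) - desired_access(p, today)):
            items.append((p.user_id, e, ENTITLEMENT_OWNER.get(e, "unassigned")))
    return items

def reconcile(people, current_access, today, cert_decisions=None):
    """Diff desired vs actual access into actions. cert_decisions maps
    (user_id, entitlement) -> 'approved' for out-of-role access an owner certified."""
    cert_decisions = cert_decisions or {}
    actions, known = [], set()
    for p in people:
        known.add(p.user_id)
        desired = desired_access(p, today)
        actual = set(current_access.get(p.user_id, set()))
        for e in sorted(desired - actual):
            actions.append(Action(p.user_id, "grant", e, "joiner/mover: role entitlement missing"))
        for e in sorted(actual - desired):
            if not active(p, today):
                actions.append(Action(p.user_id, "revoke", e, "leaver: relationship ended"))
            elif cert_decisions.get((p.user_id, e)) == "approved":
                actions.append(Action(p.user_id, "flag", e, "out-of-role but certified; re-review next campaign"))
            else:
                actions.append(Action(p.user_id, "revoke", e, "out-of-role and not certified"))
        if not active(p, today) and actual:
            actions.append(Action(p.user_id, "disable", "*", "leaver: disable account"))
    for uid in sorted(set(current_access) - known):  # accounts with no authoritative identity
        for e in sorted(current_access[uid]):
            actions.append(Action(uid, "revoke", e, "orphan: no HR record"))
        actions.append(Action(uid, "disable", "*", "orphan: no HR record"))
    return actions

TODAY = date(2025, 12, 10)
SAMPLE_PEOPLE = [  # constructed HR feed
    Person("alice", frozenset({"custody_officer"}), date(2024, 1, 8)),
    Person("bob", frozenset({"records_supervisor"}), date(2022, 3, 1)),  # mover: custody -> records
    Person("carol", frozenset({"records_clerk"}), date(2023, 6, 5), end=date(2025, 11, 30)),  # leaver
]
SAMPLE_ACCESS = {  # constructed: what the target systems actually hold today
    "alice": {"custody_app:read", "custody_app:write", "email"},
    "bob": {"custody_app:read", "custody_app:write", "email"},  # old role's access never removed
    "carol": {"records:read", "email"},
    "svc_legacy_batch": {"records:read"},  # no HR record behind it
}

if __name__ == "__main__":
    for item in certification_items(SAMPLE_PEOPLE, SAMPLE_ACCESS, TODAY):
        print("certify:", item)
    decided = {("bob", "custody_app:read"): "approved"}  # owner keeps read access for handover
    for a in reconcile(SAMPLE_PEOPLE, SAMPLE_ACCESS, TODAY, decided):
        print(a.op, a.user_id, a.entitlement, "-", a.reason)
```

Run as-is, the block shows the mover (bob) gaining his new role's entitlements and losing the old department's, the leaver (carol) being revoked and disabled without anyone raising a ticket, and the orphan service account being caught because the HR feed, not the target system, is the authority. The certification worklist only contains out-of-role access and names an owner for each item, which is the accountability point the article stresses; an "approved" decision defers removal but keeps the item in the next campaign rather than silently absorbing it into the role.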


NHI Mgmt Group analysis

Identity is the control plane when the perimeter disappears: This article shows that public sector access can no longer rely on network location or organisational boundaries as the primary trust signal. When users work remotely, the decision point moves to identity, where authentication, purpose, and entitlement must be evaluated in real time. For IAM leaders, that means identity policy now carries the burden that perimeter security used to absorb.

Common blueprint is a governance requirement, not an architecture preference: The need for a baseline access model across 43 policing organisations is a governance problem as much as a technical one. Different local implementations create uneven approval standards, role definitions, and certification practices, which makes cross-organisation accountability difficult. The practitioner conclusion is straightforward: shared identity rules matter when multiple bodies depend on the same service outcomes.

Lifecycle control is the real test of identity maturity: Joiner and leaver management is where identity programmes either prove they are operational or reveal that they are mostly descriptive. The article makes clear that access must be defined, approved, and withdrawn against a known tenure footprint. That aligns directly with NIST CSF and OWASP-NHI lifecycle thinking. The implication is that lifecycle discipline, not feature depth, determines whether identity governance actually reduces risk.

Role-based certification only works when ownership is real: Certification campaigns build confidence only if role owners understand what they are signing off and can act on the result. In public sector settings, that requires business ownership, not just IAM tooling. This is where access governance often stalls: the technical workflow exists, but the decision-making authority is too diffuse. Practitioners should treat certification as an accountability mechanism, not a reporting function.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • That same governance gap is why the NHI Lifecycle Management Guide is the right next resource for teams formalising lifecycle control.

What this signals

Identity governance will keep absorbing work that used to sit behind the network boundary: As remote and hybrid access normalises, public sector programmes will be judged on whether identity decisions are consistent across departments, not just whether sign-in succeeds. The practical shift is toward shared rules for approval, certification, and offboarding, with fewer exceptions and less dependence on local process variation.

Lifecycle discipline is the difference between a functioning programme and a policy set: Organisations that cannot remove access cleanly will struggle to prove control over time. That is why the operational focus should move to joiner-leaver automation, authoritative role ownership, and recurring review cycles, rather than new labels on the same fragmented process.

For public sector identity teams, the next maturity jump is blueprint-driven governance: The question is no longer whether identity matters. It is whether multiple organisations can align on one access model without losing local accountability. That is where standards-based governance and lifecycle consistency matter most, especially when access is shared across services and departments.


For practitioners

  • Define a shared identity blueprint early: Map baseline access rules, approval paths, and role definitions before deploying new identity tooling across departments or agencies. Use that blueprint to reduce local variation in how joiners, leavers, and role changes are handled.
  • Tie role governance to recurring certification: Run access certification campaigns against named role owners so each entitlement has an accountable approver. Remove access that cannot be justified against current duties or service needs.
  • Automate joiner and leaver workflows: Create standard provisioning and revocation flows for staff moves, transfers, and departures so offboarding does not depend on manual cleanup. Make removal of access part of the lifecycle process, not a separate task.
  • Replace perimeter assumptions with identity context: Use identity as the policy layer for remote access decisions, especially where multiple organisations share services and data. Focus on who the user is, what they need, and whether the access still matches the role.

Key takeaways

  • Public sector identity management is moving from perimeter assumptions to identity-led control as remote work becomes normal.
  • A common access blueprint matters because fragmented organisations cannot sustain consistent approval, certification, and offboarding without it.
  • Lifecycle governance is the control that turns identity from a policy aspiration into an operational security model.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet. Two caveats when citing these: CSF 2.0 moved access-permission management from the 1.1 subcategory PR.AC-4 to PR.AA-05, and SP 800-207 defines no numbered controls (identifiers such as AC-4 belong to SP 800-53).

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1): access permissions, entitlements, and authorisations are defined in policy, managed, enforced, and reviewed | Public sector access governance depends on role-based authorisation and lifecycle control.
OWASP Non-Human Identity Top 10 (2025) | NHI1:2025 Improper Offboarding | Lifecycle and revocation gaps apply directly to non-human credential governance.
NIST Zero Trust Architecture (SP 800-207) | Section 2.1 tenets: per-session access decisions driven by dynamic policy, plus the policy decision point / policy enforcement point model | Remote work pushes access decisions toward continuous identity-based enforcement.

Map shared access rules to PR.AA-05 (PR.AC-4 if the organisation still reports against CSF 1.1) and verify that approvals, reviews, and revocations are consistently applied.


Key terms

  • Identity blueprint: A shared model for how access is approved, assigned, reviewed, and removed across an organisation or group of organisations. In public sector environments, it reduces variation between teams and helps make identity governance repeatable instead of locally improvised.
  • Role-based access control: A method of assigning permissions through defined roles rather than giving access one entitlement at a time. In practice, RBAC only works well when roles are maintained, reviewed, and linked to current duties, otherwise it turns into static access accumulation.
  • Joiner-leaver process: The set of lifecycle steps used to provision access when someone starts, changes role, or leaves. Strong joiner-leaver governance ensures access is created quickly, changes with the role, and is revoked promptly so residual privileges do not survive the relationship.
  • Access certification: A recurring review process where owners confirm whether existing access is still justified. It is a governance control, not just a compliance task, because it forces decisions about stale entitlements, role drift, and whether the current access model still matches reality.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by SailPoint: Identity Transformation in the Public Sector. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org