By NHI Mgmt Group Editorial Team
Published 2025-10-30
Domain: Governance & Risk
Source: SecurEnds

TL;DR: Remote and hybrid work have exposed the limits of spreadsheet-driven, quarterly IGA, because access changes faster than manual certification cycles can track, according to SecurEnds. Continuous governance now matters more than periodic clean-up, and the real challenge is keeping entitlements, offboarding, and audit evidence aligned with how people actually work.


At a glance

What this is: This is an analysis of why remote and hybrid work break legacy IGA assumptions and push identity governance toward automation, continuous monitoring, and cloud-connected controls.

Why it matters: It matters because IAM teams have to govern faster-moving access across human users, cloud apps, and distributed endpoints without losing compliance or visibility.

👉 Read SecurEnds' analysis of IGA for remote and hybrid work


Context

Remote and hybrid work changed identity governance because access is no longer created, used, and reviewed inside a controlled office network. In practice, every login can come from a different device, location, and application path, which makes static certification cycles too slow for the way employees actually work.

The governance problem is not just mobility. Shadow IT, silent permission growth, and delayed offboarding all expand the attack surface while audit expectations still demand least privilege and traceable approvals. That is why modern IGA has to connect to cloud systems, automate entitlement changes, and keep evidence current rather than retrospective.


Key questions

Q: How should security teams govern access in remote and hybrid work environments?

A: They should move from periodic certification to event-driven governance tied to role changes, app access, and offboarding. Remote work creates faster identity change than manual reviews can handle, so controls need direct integrations, automated entitlement updates, and continuous evidence capture to keep access aligned with current business need.

Q: Why do traditional IGA models break down in remote work?

A: They rely on static review cadences, slow approvals, and on-prem assumptions that no longer match how people access systems. When users move across locations, devices, and cloud apps, access changes faster than quarterly governance can react, which leaves stale entitlements, delayed removals, and audit gaps.

Q: What do teams get wrong about continuous compliance in identity governance?

A: They often treat compliance as reporting rather than control. In remote environments, the evidence must be created by the workflow itself, including approvals, removals, and exceptions, or the organisation ends up reconstructing access history after the fact instead of governing it in real time.

Q: Who is accountable when orphaned access appears after offboarding?

A: Accountability sits with the identity governance process owner, the HR-to-IT workflow owner, and the application owner if integrations fail to remove access. In practice, offboarding is only complete when the entitlement change is propagated across every connected system and recorded in the audit trail.


Technical breakdown

Why static access reviews fail in remote work

Traditional IGA was designed around predictable office-based workflows, where managers could review entitlements on a calendar and the application landscape changed slowly. Remote work breaks that cadence. Access decisions now have to keep pace with shifting roles, cloud apps, and distributed endpoints, which means quarterly certification often captures yesterday's reality instead of today's risk. The technical failure is not only delay, but also stale context. By the time an approver acts, the user's role, device, or app portfolio may already have changed.

Practical implication: replace coarse review cycles with event-driven review triggers tied to role change, app access, and privileged entitlement drift.

How cloud-native governance closes the connector gap

Cloud-native IGA uses APIs and direct integrations to manage access across SaaS and on-prem environments from a common control plane. That matters because legacy connectors often fail to reflect remote-work changes quickly enough, especially when HR, IAM, and application systems are distributed across different platforms. Cloud-first governance also reduces the delay between a business event and the identity action that should follow. Without that bridge, onboarding, offboarding, and policy enforcement drift apart and create orphaned access.

Practical implication: prioritise API-based integrations for HR, directory, and SaaS systems before expanding manual governance coverage.

Why continuous compliance is now part of identity control

Continuous compliance means the audit trail is built into the control path, not reconstructed after the fact. In remote environments, that matters because access changes happen too often for spreadsheet-based evidence gathering to remain reliable. Automated certification, real-time policy enforcement, and logged approval history turn governance into an always-on function. The technical point is simple: if the system cannot show who approved access, when it changed, and when it was removed, it cannot support modern audit expectations with confidence.

Practical implication: instrument access approvals, removals, and exceptions so audit evidence is generated as part of normal operations.
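As an added illustration (not code from SecurEnds or NHI Mgmt Group), the following Python model ties the three points above together: an HR leaver event triggers removal immediately, each connected system's response is written into the audit trail as it happens, and a broken connector surfaces as orphaned access plus a measurable convergence lag. The system names, connector delays and the user are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample: propagation delay per connected system; None models a broken integration.
CONNECTORS = {"idp": timedelta(minutes=1), "git": timedelta(minutes=5), "crm": None}

@dataclass
class Governance:
    entitlements: dict = field(default_factory=dict)  # user -> {system: role}
    audit: list = field(default_factory=list)         # evidence written by the workflow itself

    def grant(self, user, system, role, approver, at):
        self.entitlements.setdefault(user, {})[system] = role
        self.audit.append({"event": "grant", "user": user, "system": system,
                           "role": role, "approver": approver, "at": at})

    def on_hr_event(self, event):
        """Event-driven trigger: a leaver or mover event acts now, not at quarter end."""
        user, at = event["user"], event["at"]
        self.audit.append({"event": "hr_" + event["type"], "user": user, "at": at})
        if event["type"] == "leaver":
            for system in list(self.entitlements.get(user, {})):
                delay = CONNECTORS[system]
                if delay is not None:
                    del self.entitlements[user][system]
                # success or failure of each removal is evidence, recorded as it happens
                self.audit.append({"event": "remove", "user": user, "system": system,
                                   "ok": delay is not None, "at": at + (delay or timedelta())})
        elif event["type"] == "mover":
            # a role change opens a targeted review instead of waiting for the next campaign
            self.audit.append({"event": "review_opened", "user": user,
                               "reason": "role_change", "at": at})

    def orphaned_access(self):
        """Entitlements still present for users HR has reported as leavers."""
        gone = {e["user"] for e in self.audit if e["event"] == "hr_leaver"}
        return {u: dict(s) for u, s in self.entitlements.items() if u in gone and s}

    def convergence_lag_minutes(self, user):
        """Minutes from the HR leaver event to the last successful removal for that user."""
        hr = [e["at"] for e in self.audit if e["event"] == "hr_leaver" and e["user"] == user]
        done = [e["at"] for e in self.audit
                if e["event"] == "remove" and e["user"] == user and e["ok"]]
        return (max(done) - hr[0]).total_seconds() / 60 if hr and done else None

def run_sample():
    """Constructed scenario: one user, three systems, offboarded an hour after onboarding."""
    g = Governance()
    t0 = datetime(2025, 10, 30, 9, 0)
    for system, role in (("idp", "user"), ("git", "maintainer"), ("crm", "admin")):
        g.grant("alice", system, role, approver="bob", at=t0)
    g.on_hr_event({"type": "leaver", "user": "alice", "at": t0 + timedelta(hours=1)})
    return g
```

In the sample, the failed "crm" removal is what an event-driven process should alert on the same hour, whereas a quarterly campaign would find it months later.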


Threat narrative

Attacker objective: The objective is to exploit slow identity governance and overextended access paths to gain durable, hard-to-detect misuse opportunities.

  1. Entry occurs when employees sign in from home networks, airports, or hotel Wi-Fi, which increases exposure to unmanaged endpoints and weak local trust signals.
  2. Escalation follows when shadow IT, shared credentials, or lingering permissions expand access beyond what the original role justified.
  3. Impact is broader audit risk, orphaned accounts, and a larger window for misuse because governance cannot keep pace with identity change.

  • Cisco DevHub NHI breach: IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • Sisense breach: unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Remote-work IGA is no longer an access review problem; it is a control latency problem. The article's central point is that access changes faster than quarterly governance can observe, certify, and remove. That makes timing the failure mode, not merely manual effort. The practical conclusion is that identity programmes must be measured by how quickly they close the gap between business change and access change.

Stale certification windows are the core governance debt in hybrid work. Traditional review campaigns assume access remains stable long enough to be reviewed, but remote work produces a moving target across devices, apps, and job changes. That assumption is weak even in moderately dynamic enterprises. Practitioners should treat review lag as a first-class governance metric, not an administrative inconvenience.

Cloud connectivity is now a governance requirement, not an architectural preference. If HR, directory, and SaaS systems do not exchange identity state quickly, offboarding and entitlement correction will always trail reality. That creates orphaned access and audit exposure even when policy language looks strong on paper. Identity teams should judge governance platforms by their integration depth and event responsiveness.

Continuous compliance turns IGA from retrospective reporting into operational control. The article correctly points toward real-time enforcement and evidence capture because auditors now expect traceability to be built into the process. That does not replace policy design, but it changes what good governance looks like in practice. The implication for practitioners is that audit readiness must be engineered into access workflows, not assembled after the quarter closes.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, which shows how often governance expectations outpace operational behaviour.
  • That gap is why identity teams should pair access governance with the NHI Lifecycle Management Guide when they are tightening provisioning, rotation, and offboarding controls.

What this signals

Access review cadence will keep failing until identity teams measure change speed, not just policy coverage. Remote work turns governance into a timing problem, so the programme signal to watch is how quickly entitlements converge after HR, app, or role changes. Teams that still rely on slow certification rounds will keep discovering stale access after the fact instead of preventing it.

Identity lifecycle discipline now determines whether cloud governance stays credible. If offboarding, provisioning, and entitlement updates are not event-driven, the organisation will keep creating orphaned access even when the policy framework looks complete. That is where the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs becomes relevant, because lifecycle speed is the control plane that remote work stresses first.

Remote-work governance increasingly blends IAM, audit, and secrets handling into one operating model. The practical signal is whether the team can prove who had access, when it changed, and when it was removed without manual reconstruction. For programmes already dealing with distributed workforce access, pairing governance with the NIST Cybersecurity Framework 2.0 provides a cleaner way to anchor control ownership and evidence.


For practitioners

  • Shorten review cycles around identity change events: Tie access recertification to role changes, privileged assignments, and application additions so reviews reflect current entitlements instead of quarter-end snapshots.
  • Automate joiner-mover-leaver actions across cloud and on-prem systems: Use event-driven provisioning and deprovisioning so HR updates, role changes, and exits trigger immediate access correction in connected applications.
  • Prioritise high-risk access for continuous monitoring: Focus continuous checks on privileged users, shared accounts, and accounts with broad SaaS reach, because those identities create the highest governance drift.
  • Build audit evidence into the control path: Log approvals, exceptions, removals, and certification outcomes automatically so compliance teams can reconstruct access history without spreadsheet recovery.

Key takeaways

  • Remote and hybrid work expose the gap between slow identity governance processes and fast-moving access change.
  • Legacy quarterly review models create stale entitlements, orphaned accounts, and audit risk when users, apps, and roles move continuously.
  • Automated provisioning, continuous evidence capture, and cloud-connected controls are now the practical baseline for remote-work IGA.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework                       Control / Reference   Relevance
NIST CSF 2.0                    PR.AC-4               Remote work access needs continuous entitlement management and least privilege.
NIST Zero Trust (SP 800-207)    SC-7                  Hybrid work increases the need for continuous verification across distributed endpoints.
NIST SP 800-63                  (none listed)         Federated access and assurance matter when users sign in from many locations and devices.

Use federation-aware identity assurance controls to keep remote authentication aligned with risk.


Key terms

  • Identity Governance and Administration: Identity Governance and Administration is the set of processes and controls used to decide who should have access, who currently has it, and whether that access remains justified. In remote work, the discipline depends on timely integration, automated review, and accurate evidence rather than manual spreadsheet reconciliation.
  • Orphan Account: An orphan account is an identity that remains active after the person or system that should own it has changed or left. In hybrid environments, orphan accounts often appear when offboarding and entitlement removal do not propagate across connected cloud and on-prem systems quickly enough.
  • Continuous Compliance: Continuous compliance is the practice of building audit readiness into normal control operations instead of reconstructing evidence later. For identity programmes, it means approvals, removals, exceptions, and certifications are logged automatically so governance can be verified as events happen.
  • Access Sprawl: Access sprawl is the uncontrolled growth of entitlements across users, apps, and systems until the organisation can no longer explain why access exists. Remote work accelerates sprawl because more tools, more locations, and more temporary permissions expand the number of identities that must be governed.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by SecurEnds: IGA for remote work and hybrid work environments. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-10-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org