TL;DR: Fragmented identity stores, orphaned accounts, privilege creep, and weak lifecycle controls create persistent IAM risk across employees, contractors, service accounts, and digital agents, according to SafePaaS. Security-first identity and access management is now about closing operational gaps before compliance reporting can catch up.
At a glance
What this is: This is a vendor analysis of security-first identity and access management, arguing that fragmented identity stores and manual lifecycle processes are the main sources of enterprise risk.
Why it matters: It matters because IAM teams must govern human, non-human, and delegated access together, or persistent privilege and blind spots will remain across the programme.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
👉 Read SafePaaS's article on security-first identity access management
Context
Identity and access management breaks down when each platform creates its own account model, policy set, and review process. In that environment, security teams lose the ability to see who or what has access, why the access exists, and whether it still matches the business need. That is the primary identity and access management problem this article is trying to solve.
The article also reflects a broader governance reality: modern enterprises now manage people, contractors, service accounts, bots, and AI-driven access patterns through the same operational stack. If lifecycle controls, privilege checks, and audit evidence stay fragmented, the programme can look compliant while still leaving large gaps in access governance. For background on the non-human side of that problem, see the Ultimate Guide to NHIs.
Key questions
Q: How should security teams reduce privilege creep across human and non-human identities?
A: Start by tying access to authoritative lifecycle events, not manual tickets or periodic clean-up. Then enforce time-bound entitlements for privileged access, require recertification for exceptions, and revoke abandoned accounts promptly. The goal is to make standing access the exception, not the default, across employees, contractors, service accounts, and bots.
Q: Why do fragmented identity stores increase access risk?
A: Because no single team can reliably see which identities exist, what they can do, or whether the same access has been granted multiple times in different systems. Fragmentation creates duplicate records, inconsistent policy enforcement, and incomplete audit evidence, which makes both abuse and remediation easier for attackers and insiders.
Q: What breaks when lifecycle management is still mostly manual?
A: Manual lifecycle handling leaves access active after role changes, project exits, and departures, which creates orphaned accounts and stale privileges. It also slows down deprovisioning, weakens auditability, and increases the chance that old access paths remain usable long after they should have been removed.
Q: Who should own governance when people and service accounts share the same environment?
A: Accountability should sit with the identity governance function, but operational ownership must be split by actor type. Human access, non-human credentials, and privileged workflows all need different controls, yet they should roll up into one governance model so policy, evidence, and revocation are consistent.
Technical breakdown
Identity fragmentation across cloud, SaaS, and on-prem systems
Identity fragmentation happens when each system keeps its own identity store, entitlement logic, and approval trail. That creates duplicate identities, inconsistent policy enforcement, and review evidence that cannot be reconciled cleanly across environments. In practice, teams end up with multiple sources of truth for the same user or workload, which makes risk scoring and access certification unreliable. The technical issue is not just visibility loss. It is that governance controls cannot operate consistently when identity records are split across platforms.
Practical implication: Centralise identity sources and entitlement data before expanding review and certification workflows.
Lifecycle automation and just-in-time privilege controls
Manual onboarding, role changes, and offboarding create stale entitlements that persist after the business need has ended. Lifecycle automation reduces that delay by tying provisioning and deprovisioning to authoritative events, while just-in-time privilege limits how long high-risk access remains active. For non-human identities, the same logic matters even more because API keys, service accounts, and tokens often outlive the task they were created for. The goal is to shorten the standing access window and remove abandoned privileges before they become an attack path.
Practical implication: Move high-risk access to event-driven provisioning and short-lived privilege rather than periodic cleanup.
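The following is an added example, not SafePaaS or NHIMG code, showing the two controls this section describes over a small in-memory entitlement table: authoritative joiner/mover/leaver events drive provisioning and revocation (including revocation of non-human identities whose human owner has left), and privileged access is granted just-in-time with a ceiling on its lifetime. The identities, event payloads, the 8-hour JIT ceiling and the 90-day rotation window are all constructed assumptions.

```python
"""Event-driven lifecycle handling plus just-in-time privilege over a small
in-memory entitlement table. Added example, not SafePaaS or NHIMG code;
identities, events, ceilings and timestamps are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass
class Identity:
    name: str
    kind: str                       # "human", "service" or "bot"
    owner: Optional[str] = None     # accountable human for a non-human identity
    credential_issued: Optional[datetime] = None


@dataclass
class Grant:
    subject: str
    entitlement: str                # e.g. "prod-db:admin"
    expires_at: Optional[datetime]  # None means standing access
    reason: str


class EntitlementStore:
    JIT_MAX = timedelta(hours=8)       # assumed ceiling for time-bound privilege
    ROTATION_MAX = timedelta(days=90)  # assumed rotation window for NHI credentials

    def __init__(self) -> None:
        self.identities: Dict[str, Identity] = {}
        self.grants: List[Grant] = []
        self.audit: List[str] = []

    def add_identity(self, ident: Identity) -> None:
        self.identities[ident.name] = ident

    def active(self, subject: str) -> Set[str]:
        return {g.entitlement for g in self.grants if g.subject == subject}

    def grant(self, subject: str, entitlement: str, reason: str,
              now: datetime, ttl: Optional[timedelta] = None) -> Grant:
        """ttl=None creates standing access and is logged as STANDING so the
        exceptions stay visible; a JIT grant may not exceed JIT_MAX."""
        if ttl is not None and ttl > self.JIT_MAX:
            raise ValueError("JIT grant exceeds JIT_MAX; request an exception instead")
        expires = now + ttl if ttl else None
        g = Grant(subject, entitlement, expires, reason)
        self.grants.append(g)
        when = "until " + expires.isoformat() if expires else "STANDING"
        self.audit.append(f"{now.isoformat()} GRANT {subject} {entitlement} {when} ({reason})")
        return g

    def revoke(self, subject: str, now: datetime, why: str,
               keep: Optional[Set[str]] = None) -> int:
        """Revoke every grant for subject except those in keep; returns the count."""
        keep = keep or set()
        before = len(self.grants)
        self.grants = [g for g in self.grants
                       if not (g.subject == subject and g.entitlement not in keep)]
        removed = before - len(self.grants)
        if removed:
            self.audit.append(f"{now.isoformat()} REVOKE {subject} x{removed} ({why})")
        return removed

    def handle_event(self, event: dict, now: datetime) -> None:
        """Authoritative HR / vendor-management / workload events drive
        provisioning directly; there is no ticket queue in the loop."""
        subject = event["subject"]
        if event["type"] == "leaver":
            self.revoke(subject, now, "leaver event")
            # Non-human identities owned by the leaver are now orphaned: revoke them too.
            for ident in self.identities.values():
                if ident.owner == subject:
                    self.revoke(ident.name, now, f"owner {subject} left")
        elif event["type"] == "mover":
            new_role = set(event["role_entitlements"])
            self.revoke(subject, now, "mover event: old-role entitlements", keep=new_role)
            for ent in sorted(new_role - self.active(subject)):
                self.grant(subject, ent, "mover event: new-role provisioning", now)
        elif event["type"] == "joiner":
            for ent in event["role_entitlements"]:
                self.grant(subject, ent, "joiner event", now)

    def sweep(self, now: datetime) -> dict:
        """Expire JIT grants and report the standing access and stale NHI
        credentials that still need a decision."""
        expired = [g for g in self.grants if g.expires_at and g.expires_at <= now]
        for g in expired:
            self.grants.remove(g)
            self.audit.append(f"{now.isoformat()} EXPIRE {g.subject} {g.entitlement}")
        stale = sorted(i.name for i in self.identities.values()
                       if i.kind != "human" and i.credential_issued
                       and now - i.credential_issued > self.ROTATION_MAX)
        standing = sorted(f"{g.subject}:{g.entitlement}" for g in self.grants
                          if g.expires_at is None)
        return {"expired": len(expired), "standing": standing, "stale_credentials": stale}


def demo() -> dict:
    """Constructed scenario: one JIT grant, a mover, a leaver who owns a service
    account, and one NHI credential past its rotation window."""
    now = datetime(2025, 10, 7, 9, 0, tzinfo=timezone.utc)
    store = EntitlementStore()
    store.add_identity(Identity("alice", "human"))
    store.add_identity(Identity("bob", "human"))
    store.add_identity(Identity("svc-billing", "service", owner="alice",
                                credential_issued=now - timedelta(days=120)))
    store.add_identity(Identity("bot-deploy", "bot", owner="bob",
                                credential_issued=now - timedelta(days=10)))
    store.grant("alice", "prod-db:admin", "incident INC-0001 (constructed)", now,
                ttl=timedelta(hours=2))
    store.grant("bob", "billing:read", "role: AP clerk", now)
    store.grant("svc-billing", "billing:write", "workload identity", now)
    store.grant("bot-deploy", "deploy:write", "workload identity", now)
    store.handle_event({"type": "mover", "subject": "bob",
                        "role_entitlements": ["finance:read"]}, now)
    store.handle_event({"type": "leaver", "subject": "alice"}, now + timedelta(hours=1))
    report = store.sweep(now + timedelta(hours=3))
    return {"alice": store.active("alice"), "bob": store.active("bob"),
            "svc_billing": store.active("svc-billing"), "report": report,
            "audit": store.audit}


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

Running the scenario leaves alice and her service account with no entitlements, bob with only his new-role access, and a sweep report that lists the two remaining standing grants and the service credential that is past its rotation window; the audit trail records every grant, revocation and expiry with the event that caused it.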
Embedded governance, risk, and compliance in access decisions
Embedded GRC means access decisions, logging, and evidence collection happen inside the identity workflow rather than in a separate audit process. That matters because static reviews cannot reliably reconstruct who approved what, when policy exceptions were granted, or whether segregation-of-duties conflicts were present at the time of access. When governance is built into the workflow, reviewers can trace decisions to policy, entitlement, and business need without relying on spreadsheets and manual evidence gathering. This is the difference between audit readiness and audit scramble.
Practical implication: Require policy checks and evidence capture at the point of access request and approval.
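As an added example (not SafePaaS or NHIMG code), the block below runs the policy check at the point of approval and writes the evidence record in the same step: an approver-scope check, a self-approval check, a segregation-of-duties check against the subject's current grants, and a hash-chained evidence log that records the decision, the stated business need and any exception ticket. The SoD matrix, approver scopes, requests and ticket id are constructed assumptions.

```python
"""Policy check and evidence capture at the point of access approval.
Added example, not SafePaaS or NHIMG code; the SoD matrix, approver scopes,
requests and ticket identifiers are constructed for illustration."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed segregation-of-duties matrix: pairs one subject may not hold together.
SOD_CONFLICTS: Set[frozenset] = {
    frozenset({"vendor:create", "payment:approve"}),
    frozenset({"journal:post", "journal:approve"}),
}
# Constructed approver policy: which entitlement prefixes each approver may sign off.
APPROVER_SCOPE: Dict[str, Set[str]] = {
    "finance-lead": {"vendor:", "payment:", "journal:"},
    "platform-lead": {"prod-db:", "deploy:"},
}


@dataclass
class EvidenceLog:
    """Append-only decision records, each hashed over its content and the
    previous record's hash, so later edits to a stored decision are detectable."""
    records: List[dict] = field(default_factory=list)

    def append(self, record: dict) -> dict:
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = dict(record, prev_hash=prev)
        body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.records.append(body)
        return body

    def verify(self) -> bool:
        prev = "0" * 64
        for r in self.records:
            body = {k: v for k, v in r.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev_hash"] != prev or digest != r["hash"]:
                return False
            prev = r["hash"]
        return True


def sod_conflicts(held: Set[str], requested: str) -> List[str]:
    """Entitlements already held that conflict with the requested one."""
    return sorted(h for h in held if frozenset({h, requested}) in SOD_CONFLICTS)


def decide(request: dict, current_grants: Dict[str, Set[str]], log: EvidenceLog) -> dict:
    """Evaluate one request, record the decision with its evidence, and apply it."""
    subject, ent, approver = request["subject"], request["entitlement"], request["approver"]
    reasons = []
    if approver == subject:
        reasons.append("self-approval")
    if not any(ent.startswith(p) for p in APPROVER_SCOPE.get(approver, set())):
        reasons.append(f"approver {approver} not in scope for {ent}")
    conflicts = sod_conflicts(current_grants.get(subject, set()), ent)
    if conflicts and not request.get("exception_ticket"):
        reasons.append("sod conflict with " + ",".join(conflicts))
    decision = "approved" if not reasons else "denied"
    record = log.append({
        "ts": request["ts"], "subject": subject, "entitlement": ent, "approver": approver,
        "business_need": request["justification"], "sod_conflicts": conflicts,
        "exception_ticket": request.get("exception_ticket"),
        "decision": decision, "reasons": reasons,
    })
    if decision == "approved":
        current_grants.setdefault(subject, set()).add(ent)
    return record


def demo() -> dict:
    """Constructed requests: an SoD conflict without and with an exception ticket,
    a self-approval, and an approver acting outside their scope."""
    log = EvidenceLog()
    grants: Dict[str, Set[str]] = {"carol": {"vendor:create"}}
    base = {"ts": "2025-10-07T09:00:00Z", "justification": "covering AP manager leave"}
    requests = [
        dict(base, subject="carol", entitlement="payment:approve", approver="finance-lead"),
        dict(base, subject="carol", entitlement="payment:approve", approver="finance-lead",
             exception_ticket="EXC-0042 (constructed)"),
        dict(base, subject="dave", entitlement="prod-db:admin", approver="dave"),
        dict(base, subject="dave", entitlement="prod-db:admin", approver="finance-lead"),
    ]
    records = [decide(r, grants, log) for r in requests]
    # Editing a stored decision after the fact breaks the chain.
    tampered = EvidenceLog(records=[dict(r) for r in log.records])
    tampered.records[0]["decision"] = "approved"
    return {"decisions": [r["decision"] for r in records], "grants": grants,
            "chain_ok": log.verify(), "tamper_detected": not tampered.verify(),
            "records": records}


if __name__ == "__main__":
    for rec in demo()["records"]:
        print(rec["subject"], rec["entitlement"], rec["decision"], rec["reasons"])
```

The first request is denied because carol already holds a conflicting entitlement; the second is approved only because an exception ticket is attached, and the record keeps the conflict and the ticket together so a later reviewer sees the exception rather than a clean approval. The self-approval and out-of-scope requests are denied, and the log's verification fails as soon as any stored decision is altered.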
Threat narrative
Attacker objective: The objective is to reach persistent access that is hard to detect, hard to unwind, and useful for fraud, exfiltration, or operational disruption.
- Entry begins with identity fragmentation, where duplicated users, manual fixes, and inconsistent policies create untracked access paths across cloud, SaaS, and legacy systems.
- Escalation follows privilege creep and lifecycle mismanagement, as stale permissions and ghost accounts remain active long after role changes or departures.
- Impact comes when attackers or insiders exploit that residual access to move laterally, violate segregation of duties, or trigger compliance failures and data exposure.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity fragmentation is not a visibility issue alone. It is a governance failure that prevents one access model from spanning humans, contractors, and non-human identities. Once each platform maintains its own identity logic, policy drift becomes normal and access reviews become partial by design. The result is not just more admin work. It is a programme that cannot prove who had access across the full environment, which means practitioners must treat fragmentation as a control boundary problem, not an inventory problem.
Privilege creep and orphaned accounts are the clearest signal that identity lifecycle governance is lagging business change. The article is right to frame manual provisioning as a root cause, because access that outlives the role or the relationship becomes residual risk. That same lifecycle weakness applies to service accounts and API credentials, where no one remembers to revoke what still works. Practitioners should read this as evidence that lifecycle governance, not periodic clean-up, is the real control plane.
Embedded GRC is the named concept this topic points to: governance must be enforced inside the access workflow, not after the fact. Compliance evidence is only useful when it reflects the state of access at the moment it was granted or changed. If approvals, SoD checks, and audit trails live in separate tools or spreadsheets, the organisation inherits a false sense of control. The practitioner takeaway is to design governance as an active system of record, not a retrospective reporting exercise.
Security-first IAM increasingly has to govern digital actors alongside people, and the same lifecycle discipline applies across all of them. The article’s mention of bots and service accounts is a reminder that the access problem is no longer human-only, even when the business process still is. That means IAM, PAM, and lifecycle teams must coordinate around the actor type, because the entitlement failure mode changes with the subject. Practitioners should align policy, review, and revocation logic to the identity being governed.
Compliance gaps are downstream symptoms of weak operational control, not a separate problem to solve later. When evidence is fragmented, the organisation is usually also fragmented in provisioning, review, and exception handling. Frameworks such as the NIST Cybersecurity Framework 2.0 and the OWASP Non-Human Identity Top 10 both reinforce the same point: access governance must be continuous, not episodic. The practical conclusion is that auditability improves only after identity operations become consistent.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
- For the control patterns behind that gap, see Ultimate Guide to NHIs - Lifecycle Processes for Managing NHIs.
What this signals
Embedded governance, risk, and compliance is becoming the dividing line between visible identity control and paper compliance. When access decisions are made outside the workflow, the organisation inherits incomplete evidence and slower remediation. The practical signal is that identity teams should expect more scrutiny of proof at the point of access, not just during quarterly reviews.
Identity fragmentation will keep exposing programme gaps until service accounts, contractors, and users are governed through one operating model. The environment described in the article is already the norm in many enterprises, and it will become harder to manage as digital actors multiply. Teams should treat visibility into service accounts as a priority baseline, not a maturity milestone.
Security-first IAM now depends on lifecycle controls that can span human identity and NHI governance. If onboarding and offboarding stay manual, privilege creep and orphaned access will continue to outpace remediation. Practitioners should align access policy, review cadence, and revocation tooling around the identity subject rather than the application silo.
For practitioners
- Map every identity store to a single governance owner: Inventory cloud, SaaS, on-prem, and directory systems, then assign one accountable team for entitlement data quality, review cadence, and exception handling across them.
- Automate joiner-mover-leaver events for all actor types: Tie provisioning and deprovisioning to authoritative HR, vendor-management, and workload events so stale access is removed when the business relationship changes.
- Move privileged access to short-lived approvals: Use just-in-time access for elevated roles and high-risk administrative functions so standing privilege does not remain available between tasks.
- Make access certification evidence-native: Capture approvals, policy checks, and segregation-of-duties results inside the workflow so reviewers can see what happened without reconstructing it later.
- Close the orphaned account problem first: Prioritise dormant users, abandoned service accounts, and unmanaged third-party access because those identities often persist longest and create the easiest abuse path.
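The first and last items in the list above (one owner view across every identity store, and orphaned accounts first) are what the following added example implements. It is not SafePaaS or NHIMG code. Four constructed exports, each with its own record model, are normalised into one account list keyed by the person or accountable owner, checked against the HR and vendor registries as the authoritative sources, and reduced to a single per-person view plus a findings list of orphaned accounts, duplicate accounts, and third-party logins that no registry knows about. Every record, domain and store name is constructed.

```python
"""Reconcile fragmented identity stores into one view and flag orphaned,
duplicate and unmanaged third-party accounts. Added example, not SafePaaS or
NHIMG code; every registry, store, record and domain is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Authoritative sources (constructed): who should exist and in what state.
HR = {"alice@corp.example": "active", "bob@corp.example": "terminated",
      "carol@corp.example": "active"}
VENDORS = {"eve@vendor.example": "active", "mallory@vendor.example": "ended"}

# Per-platform identity stores (constructed). Each keeps its own record shape.
DIRECTORY = [
    {"sam": "alice", "email": "alice@corp.example", "type": "user"},
    {"sam": "alice.admin", "email": "Alice@Corp.Example", "type": "user"},  # same person, case differs
    {"sam": "bob", "email": "bob@corp.example", "type": "user"},           # terminated in HR
    {"sam": "svc-backup", "owner": "bob@corp.example", "type": "service"},  # owner terminated
    {"sam": "svc-etl", "owner": None, "type": "service"},                    # no owner recorded
]
CLOUD_IAM = [
    {"principal": "carol", "email": "carol@corp.example", "type": "user"},
    {"principal": "deploy-role", "owner": "carol@corp.example", "type": "service"},
    {"principal": "legacy-key", "owner": "dan@corp.example", "type": "service"},  # owner unknown
]
SAAS = [
    {"login": "alice@corp.example", "type": "user"},
    {"login": "eve@vendor.example", "type": "user"},
    {"login": "mallory@vendor.example", "type": "user"},  # contract ended
    {"login": "zed@mail.example", "type": "user"},        # in no registry at all
]


@dataclass
class Account:
    store: str
    account_id: str
    kind: str      # "user" or "service"
    person: str    # normalised email of the user, or of the accountable owner; "" if none


def normalise(store: str, rows: List[dict], id_key: str, person_key: str = "email") -> List[Account]:
    """Map one store's native records onto the shared Account shape."""
    out = []
    for r in rows:
        person = r.get(person_key) or r.get("owner") or ""
        out.append(Account(store, r[id_key], r["type"], person.strip().lower()))
    return out


def person_status(email: str) -> str:
    """Authoritative status from HR, then the vendor registry, else unknown."""
    return HR.get(email) or VENDORS.get(email) or "unknown"


def reconcile(accounts: List[Account]) -> dict:
    by_person: Dict[str, List[Account]] = defaultdict(list)
    findings = []
    for a in accounts:
        by_person[a.person].append(a)
        label = f"{a.store}/{a.account_id}"
        status = person_status(a.person)
        if not a.person:
            findings.append(("orphaned", label, "no accountable owner recorded"))
        elif status in ("terminated", "ended"):
            findings.append(("orphaned", label, f"{a.person} is {status}"))
        elif status == "unknown" and a.kind == "service":
            findings.append(("orphaned", label, f"owner {a.person} unknown to HR/vendor registry"))
        elif status == "unknown":
            findings.append(("unmanaged-third-party", label, f"{a.person} not in any registry"))
    # Duplicates: one person holding several user accounts in the same store.
    for person, accts in by_person.items():
        per_store: Dict[str, List[str]] = defaultdict(list)
        for a in accts:
            if a.kind == "user":
                per_store[a.store].append(a.account_id)
        for store, ids in per_store.items():
            if len(ids) > 1:
                findings.append(("duplicate", f"{store}/{'+'.join(ids)}",
                                 f"{person} has {len(ids)} accounts"))
    view = {p: sorted(f"{a.store}/{a.account_id}" for a in accts)
            for p, accts in by_person.items() if p}
    return {"findings": sorted(findings), "view": view}


def run() -> dict:
    accounts = (normalise("directory", DIRECTORY, "sam")
                + normalise("cloud", CLOUD_IAM, "principal")
                + normalise("saas", SAAS, "login", person_key="login"))
    return reconcile(accounts)


if __name__ == "__main__":
    for kind, label, why in run()["findings"]:
        print(f"{kind:22} {label:40} {why}")
```

The output puts the five orphaned accounts first in the remediation queue (a terminated user, his service account, an unowned service account, a cloud key whose owner no registry knows, and a vendor login past contract end), then the duplicate directory accounts for one person and the SaaS login that belongs to nobody in HR or vendor management. The per-person view is the single answer to "what does this identity hold across stores" that fragmented exports cannot give on their own.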
Key takeaways
- Fragmented identity stores turn access governance into a partial view of the enterprise, which is why duplicate accounts and inconsistent policies keep reappearing.
- Manual lifecycle management is the main reason stale privileges and orphaned accounts survive long enough to become security and compliance exposure.
- Practitioners should treat continuous governance inside the access workflow as the control that reduces both risk and audit pain.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle drift and orphaned access are core NHI control failures in this article. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions need to be managed and reviewed consistently across systems. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero trust depends on continuous verification of who or what should retain access. |
Review NHI provisioning and revocation paths, then shorten standing access wherever entitlement persists too long.
Key terms
- Identity Fragmentation: Identity fragmentation is the condition where different systems maintain separate account records, entitlement rules, and approval evidence for the same enterprise. It weakens governance because no single control plane can reliably answer who has access, why it exists, and whether it is still valid.
- Privilege Creep: Privilege creep is the gradual accumulation of access rights beyond what a role, task, or relationship requires. It usually emerges through role changes, temporary exceptions, and incomplete revocation, then becomes a durable attack surface unless lifecycle controls remove it.
- Orphaned Account: An orphaned account is an identity that remains active after the person, system, vendor, or workload that should own it has changed or disappeared. In practice, it is often the clearest sign that offboarding, revocation, or ownership tracking has failed.
- Embedded Governance: Embedded governance means policy checks, approvals, evidence capture, and exception handling happen inside the access workflow rather than in a separate audit process. It reduces manual reconstruction, improves accountability, and makes access decisions easier to verify later.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by SafePaaS: security-first identity and access management software for enterprise resilience. Read the original.
Published by the NHIMG editorial team on 2025-10-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org