By NHI Mgmt Group Editorial Team
Published 2025-09-05
Domain: Governance & Risk
Source: ConductorOne

TL;DR: Identity governance has shifted from audit support to direct risk control, with access reviews, just-in-time access, and owner-based entitlement governance now doing the security work once left to compliance processes, according to ConductorOne. The practical shift is clear: security-led IGA closes standing privilege and orphaned access gaps that checkbox controls leave behind.


At a glance

What this is: The post argues that identity governance must move from compliance-led checkbox activity to security-led risk reduction, with JIT access and access reviews used to reduce standing privilege and dormant access.

Why it matters: That matters because IAM teams now have to govern human, NHI, and agentic access decisions as security controls, not just audit artefacts.

Read ConductorOne's analysis of security vs compliance in identity governance.


Context

Security and compliance are related but not interchangeable. Compliance proves that controls exist and can be evidenced, while security is about reducing real access risk as identity moves across cloud, SaaS, and production environments. In identity governance, that difference matters because the same process can either satisfy an auditor or actually limit blast radius.

The article frames identity governance and administration as a security function that should validate ownership, remove dormant access, and prevent standing privilege. That is a useful shift for programmes that still treat access reviews as a quarterly paperwork exercise rather than a control surface spanning human identities, service accounts, and other non-human identities. For broader NHI governance context, see the Ultimate Guide to NHIs.


Key questions

Q: How should security teams turn access reviews into real risk reduction?

A: Security teams should use access reviews to remove dormant access, orphaned accounts, and privileges that no longer match the work being performed. The review should end with revocation or re-scoping, not just attestation. The goal is to reduce exposure, especially in production systems and high-risk applications where excessive access has immediate security impact.

Q: When does just-in-time access reduce risk more than it adds complexity?

A: JIT access reduces risk when the alternative is standing privilege for elevated or sensitive access. It is most effective when teams need time-bound, task-scoped access with clear approval, logging, and expiry. If the workflow becomes so slow that teams create exceptions, the control loses value and standing access returns through the back door.

Q: What do organisations get wrong about compliance-led identity governance?

A: They often mistake evidence of process for evidence of control effectiveness. A completed quarterly review can satisfy an auditor while leaving excess privilege, orphaned access, and stale ownership untouched. Mature governance proves that the access surface actually changed, not just that paperwork was completed.

Q: How do you know if identity governance is actually working?

A: Look for measurable reduction in standing privilege, faster removal of unnecessary access, and fewer entitlements without clear ownership. If access reviews produce findings but not removals, the programme is generating compliance evidence rather than lowering risk. Effective governance changes the identity surface, especially in production and privileged environments.


Technical breakdown

Why compliance-led identity governance creates weak control outcomes

Compliance-led IGA optimises for evidence, not necessarily for reduced exposure. Quarterly user access reviews, approvals, and ticket trails can show that a process exists, but they do not guarantee that excessive privilege is removed quickly or that access is scoped to actual operational need. In practice, this means dormant access, orphaned entitlements, and production access can remain in place long enough to become exploitable. Security-led governance changes the unit of value from audit completeness to risk reduction.

Practical implication: measure identity governance by privilege reduction and access removal speed, not by whether a review was completed.

How just-in-time access changes standing privilege

Just-in-time access replaces persistent entitlement with time-bound access granted for a specific task, duration, or context. That matters because standing privilege is what turns a one-time request into an ongoing exposure window. When JIT is paired with granular request workflows and contextual policy, teams can preserve auditability while making access expire by default. The control is not simply faster approval, but a narrower and more accountable authorization model that reduces the amount of privilege that exists outside active need.

Practical implication: use JIT for elevated and production access where persistent entitlements create unnecessary blast radius.

What owner-based entitlement review does that manual recertification misses

Owner-based entitlement review forces each access right to have a known accountable party, which is especially important for service accounts and orphaned identities. Manual recertification often confirms that a reviewer clicked approve, but does not ensure that every entitlement still has a real business owner or operational purpose. That gap matters because identity sprawl is often a lifecycle problem as much as a permissions problem. Governance fails when no one can reliably say why an access path still exists.

Practical implication: tie every entitlement to an accountable owner and remove anything that cannot be justified in operational terms.


  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • Snowflake breach — cloud credential abuse compromised Ticketmaster, Santander and others.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Compliance is the floor, not the control objective. This post correctly separates audit assurance from risk reduction, but the larger point is that identity governance fails when evidence becomes the end state. SOX, PCI, and ISO can define minimum proof requirements, yet they do not by themselves remove excessive privilege, dormant access, or inaccessible ownership chains. The practitioner conclusion is that the programme must be evaluated by exposure reduced, not paperwork completed.

Security-first IGA is now the only defensible posture for modern identity. Once identity controls sit at the centre of cloud and SaaS risk, quarterly certification alone is too slow to matter. The field should stop treating access reviews as a compliance ritual and start treating them as a continuous security control tied to real privilege decay. The practitioner conclusion is that governance cadence must be aligned to risk, not to the audit calendar.

Standing privilege is the operational failure mode this debate keeps exposing. Access that persists after the work is done creates the gap between compliance intent and security outcome. JIT, owner assignment, and production access review are not separate themes here; they are responses to the same underlying problem of privilege outliving need. The practitioner conclusion is that standing access should be the exception, not the programme default.

Identity governance now has to cover human and non-human access with the same discipline. The article focuses on IGA, but the same control logic applies across users, service accounts, API keys, and delegated access paths. If a programme cannot prove ownership and revocation discipline for non-human identities, it will not hold up as identity becomes more machine-driven. The practitioner conclusion is that IGA design must span all identity types, not just employees.

Access proof without access reduction is the wrong success metric. The governance model that satisfies an auditor while leaving excess privilege intact is not mature enough for current threat conditions. The right question is whether the control actually changed the access surface. The practitioner conclusion is to treat certification outcomes as a security signal, not a finish line.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • The governance implication is clear: privilege reduction and lifecycle controls must move together, which is why the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, is the right next reference point.

What this signals

Access-proof debt: identity programmes that optimise for attestation create a growing gap between what can be proven and what has actually been reduced. For teams managing production access, that gap matters more than the annual review itself, because exposure lives in the interval between certifications. Organisations should pair review cycles with revocation metrics and ownership cleanup.

The next governance shift is to treat human and non-human access as one control problem with different actors, not as separate operating models. As cloud estates and SaaS platforms accumulate service accounts, API keys, and delegated access paths, the same entitlement discipline that governs employees must extend to machine-issued access. Zero Trust thinking only holds when identity inventory and access expiry are both real.

For practitioners, the practical signal is whether your IGA programme can name an owner, justify access, and remove it without manual exception handling. If that sounds difficult, the problem is not policy language but entitlement sprawl and lifecycle weakness. Start by aligning with the NIST Cybersecurity Framework 2.0 govern and protect functions, then map the most error-prone access paths back to ownership.


For practitioners

  • Reframe access reviews as risk-removal exercises: use user access reviews to identify dormant accounts, unnecessary entitlements, and production access that no longer matches operational need. Require reviewers to remove, not just attest to, excess access where the business justification is weak or stale.
  • Convert elevated access to just-in-time access: apply JIT workflows to privileged and production access so entitlements exist only for the duration of a specific task. Pair the request with contextual policy such as location, sensitivity, and duration so the approval is both auditable and tightly bounded.
  • Assign accountable owners to every entitlement: inventory service accounts, orphaned accounts, and shared access paths, then map each one to a named business or system owner. If no accountable owner exists, treat the entitlement as a candidate for removal or reauthorization.
  • Measure governance by privilege reduction: track how quickly excess access is revoked after review, how much standing privilege remains in production, and how many entitlements survive without a valid purpose. Those metrics show whether IGA is reducing exposure or just generating evidence.
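As an added example (not code from this post or from ConductorOne), the metrics described in the Technical breakdown and in the practitioner steps above can be computed from an entitlement inventory: dormant and orphaned grants, standing privileged access in production, findings versus actual removals, and revocation latency. The inventory is constructed sample data; the record fields and the 90-day dormancy window are assumptions.

```python
from datetime import date
from statistics import median

# Constructed sample inventory (not real data), one record per entitlement. grant_type is
# "standing" or "jit"; owner is the accountable party or None; flagged/revoked are the dates
# a review marked the grant for removal and the date it was actually removed.
TODAY = date(2025, 9, 5)
INVENTORY = [
    {"id": "svc-deploy/prod-admin", "kind": "nhi", "env": "prod", "privileged": True, "grant_type": "jit",
     "owner": "platform-team", "last_used": date(2025, 9, 4), "flagged": None, "revoked": None},
    {"id": "alice/prod-db-admin", "kind": "human", "env": "prod", "privileged": True, "grant_type": "standing",
     "owner": "data-eng", "last_used": date(2025, 3, 1), "flagged": date(2025, 7, 1), "revoked": date(2025, 7, 3)},
    {"id": "ci-token-legacy/prod-write", "kind": "nhi", "env": "prod", "privileged": True, "grant_type": "standing",
     "owner": None, "last_used": None, "flagged": date(2025, 7, 1), "revoked": None},
    {"id": "bob/staging-read", "kind": "human", "env": "staging", "privileged": False, "grant_type": "standing",
     "owner": "qa", "last_used": date(2025, 8, 30), "flagged": None, "revoked": None},
    {"id": "api-key-reports/prod-read", "kind": "nhi", "env": "prod", "privileged": False, "grant_type": "standing",
     "owner": None, "last_used": date(2025, 1, 10), "flagged": None, "revoked": None},
]

def is_active(e):
    return e["revoked"] is None

def is_dormant(e, today=TODAY, days=90):  # never used, or unused beyond the assumed 90-day window
    return is_active(e) and (e["last_used"] is None or (today - e["last_used"]).days > days)

def is_orphaned(e):  # no accountable owner: the gap owner-based review exists to catch
    return is_active(e) and e["owner"] is None

def is_standing_privileged_prod(e):  # the exposure JIT is meant to remove
    return is_active(e) and e["grant_type"] == "standing" and e["privileged"] and e["env"] == "prod"

def governance_metrics(inventory, today=TODAY):
    """Privilege-reduction metrics: findings versus removals, and how fast removals happen."""
    active = [e for e in inventory if is_active(e)]
    flagged = [e for e in inventory if e["flagged"] is not None]
    removed = [e for e in flagged if e["revoked"] is not None]
    latency = [(e["revoked"] - e["flagged"]).days for e in removed]
    return {"active": len(active),
            "dormant": sum(is_dormant(e, today) for e in active),
            "orphaned": sum(is_orphaned(e) for e in active),
            "standing_privileged_prod": sum(is_standing_privileged_prod(e) for e in active),
            "findings": len(flagged), "removals": len(removed),
            "median_revocation_days": median(latency) if latency else None}

def removal_candidates(inventory, today=TODAY):
    """What a review should end with: live grants that are orphaned, dormant, or flagged but not revoked."""
    return sorted(e["id"] for e in inventory
                  if is_active(e) and (is_orphaned(e) or is_dormant(e, today) or e["flagged"] is not None))
```

On the sample data the review produced two findings but only one removal, and the unowned legacy CI token is still standing privileged access in production, which is exactly the findings-without-removals pattern the post warns about.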

Key takeaways

  • Compliance and security are different outcomes, and identity governance has to be judged by the one that removes risk.
  • Standing privilege and stale ownership are the recurring failure modes behind weak access governance.
  • The practical answer is not more paperwork, but tighter entitlement ownership, JIT access, and measurable privilege reduction.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework                     | Control / Reference | Relevance
NIST CSF 2.0                  | PR.AC-4             | Access permissions management maps directly to this post's privilege-reduction focus.
NIST Zero Trust (SP 800-207)  | SP 800-207          | Zero Trust requires continuous authorization, not quarterly proof of access.
NIST SP 800-63                | SP 800-63           | Federation and assurance logic informs identity proofing and accountable access.

Apply identity assurance principles where entitlement ownership must be clearly tied to an accountable subject.


Key terms

  • Identity Governance And Administration: Identity Governance and Administration is the control layer that manages access approvals, reviews, and revocation across a programme. In practice, it should prove who has access, why they have it, and whether that access still belongs there. Strong IGA reduces exposure, not just audit findings.
  • Just-In-Time Access: Just-in-time access is temporary privilege granted only when a task requires it and removed immediately after use. It reduces standing exposure by replacing always-on access with time-bound, task-scoped permissions. For non-human and privileged access, the benefit is smaller blast radius and clearer accountability.
  • Standing Privilege: Standing privilege is access that remains active beyond the moment it is needed. It is a common source of unnecessary exposure because unused credentials, elevated roles, and persistent entitlements increase the chance of misuse or compromise. Good governance aims to minimise how much privilege is left waiting to be abused.
  • Entitlement Ownership: Entitlement ownership is the assignment of a clear business or system owner to each access right. It is the difference between access that can be justified and access that survives by inertia. Without ownership, reviews become ceremonial and revocation becomes slow or impossible.

Deepen your knowledge

Identity governance, access reviews, and just-in-time privilege are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is trying to bridge compliance proof and real access reduction, it is a relevant next step.

This post draws on content published by ConductorOne: Security vs. Compliance: Bridging the Gap with C1. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org