By NHI Mgmt Group Editorial Team. Published 2025-08-26. Domain: Governance & Risk. Source: EmpowerID

TL;DR: Siemens' identity transformation shows how large-scale Zero Trust and automated provisioning can cut onboarding delays, reduce help desk load, and strengthen security at the same time, according to EmpowerID. The lesson is that identity modernisation is increasingly an operational accelerator, not just a defensive control layer.


At a glance

What this is: This is a case study about Siemens' identity transformation at very large enterprise scale, showing that automated identity controls can remove onboarding friction while improving security.

Why it matters: It matters because identity teams across NHI, autonomous, and human programmes are being asked to prove that access governance can improve speed, resilience, and control together.



Context

Siemens' example is really about identity governance at industrial scale. When an enterprise is managing hundreds of thousands of identities and millions of entitlement changes, manual provisioning, fragmented ownership, and slow approval chains stop being inconveniences and become operational risk.

The governance gap is not just speed. It is the mismatch between how identity is administered and how modern access environments actually behave, especially when multiple providers, service accounts, and workforce identities all need consistent lifecycle control. For background on the broader NHI operating model, see the Ultimate Guide to NHIs.

The article frames Zero Trust as the enabling model, but the practical lesson is broader: identity programmes can now be measured by whether they reduce friction without weakening control. That is the standard enterprises need to apply across human access, machine identities, and emerging autonomous workloads.


Key questions

Q: How should security teams prove identity modernisation is worth the investment?

A: Prove it with operational metrics as well as security metrics. Track onboarding time, ticket reduction, exception volume, and audit effort alongside access risk measures. If the programme only reports control outcomes, executives will see cost. If it also shows throughput and productivity gains, identity becomes part of business enablement.

Q: Why do large identity environments need automation before they can support Zero Trust?

A: Because Zero Trust depends on consistent, timely access decisions at scale. In environments with many identities and providers, manual provisioning creates delays, policy drift, and inconsistent exceptions. Automation turns identity governance into a repeatable operating model, which is the only way to reduce friction without losing control.

Q: What breaks when access governance is managed locally by each provider?

A: Governance breaks into fragments. Different teams apply different approval paths, entitlement names, and review cadences, which makes lifecycle control inconsistent and reporting unreliable. The result is slower onboarding, weaker visibility, and more effort spent reconciling access than governing it.

Q: What frameworks best align with identity modernisation at enterprise scale?

A: NIST Cybersecurity Framework 2.0 and NIST Zero Trust Architecture (SP 800-207) are the clearest anchors for this kind of programme because they connect access governance to risk management and continuous verification. Teams should use them to structure policy, reporting, and remediation around measurable identity outcomes.


Technical breakdown

Identity sprawl and provisioning drift at enterprise scale

Large enterprises often end up with fragmented identity ownership, where different teams manage access based on local needs rather than a shared governance model. The result is provisioning drift: inconsistent approvals, duplicate workflows, and delays that accumulate across workforce onboarding and service-provider access. At Siemens scale, even small inefficiencies multiply into millions of changes. The core technical issue is not just volume, but the lack of a unified entitlement model that can enforce consistent policy across directories, applications, and providers.

Practical implication: centralise entitlement governance so access decisions are policy-driven rather than provider-specific.

Zero Trust as an identity operations model

In this context, Zero Trust is not only a network security stance. It becomes an identity operations model that replaces standing access assumptions with continuous verification, scoped permissions, and automated lifecycle decisions. The technical value comes from reducing the time between joiner events, entitlement changes, and access availability while preserving control points for logging, review, and exception handling. This is why identity modernisation can improve both user experience and defensive posture when done correctly.

Practical implication: treat Zero Trust as an access orchestration pattern, not a perimeter slogan.

Self-service access and automation as control multipliers

Self-service provisioning reduces help desk dependency only when it is tied to strong policy enforcement. If the workflow is merely faster, it can scale bad approvals instead of good ones. The stronger model combines role-aware automation, approval logic for sensitive access, and continuous reporting so teams can see where requests are delayed, over-broad, or repeatedly remediated. That creates operational leverage without giving up governance visibility.

Practical implication: automate low-risk access paths first and preserve manual review for privileged or sensitive entitlements.


NHI Mgmt Group analysis

Identity modernisation now has to be judged as operational infrastructure, not overhead. Siemens' story shows that large identity programmes can reduce onboarding delay, lower ticket volume, and still improve control when access administration is unified. The important shift is conceptual: identity is no longer just a compliance layer sitting on top of operations, it is part of the operating model itself. Practitioners should treat provisioning latency and governance quality as one problem.

Strategic security investment only becomes defensible when it changes throughput. The article's strongest signal is that identity controls created measurable business acceleration, not just risk reduction. That matters because executive buyers rarely fund security on protection alone when the same programme can also be asked to support growth, productivity, and resilience. Practitioners should connect identity metrics to business cycle time, not just audit outcomes.

The named concept here is identity acceleration without governance loss. That is the condition Siemens appears to have achieved: faster access delivery without abandoning control objectives. The model is attractive because it reframes modernisation from a trade-off into an operating pattern, but only if access policy, automation, and reporting remain coupled. Practitioners should look for this pattern in every large-scale identity redesign.

Zero Trust is becoming the practical language for scaling identity governance across workforce and machine access. In complex environments, the value of Zero Trust is less about slogans and more about forcing continuous, contextual access decisions instead of static entitlement assumptions. That creates common ground between human IAM, NHI governance, and future autonomous access models. Practitioners should align architecture discussions around decision quality, not product category.

From our research:

  • 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
  • For the broader lifecycle lens, see NHI Lifecycle Management Guide for how provisioning, rotation, and offboarding change when identity sprawl becomes the operating norm.

What this signals

Identity programmes that only optimise for speed will miss the real shift. The Siemens pattern suggests that access governance is becoming an operational platform problem, where provisioning latency and policy quality are now measured together. As identity estates expand into service accounts, cloud entitlements, and eventually AI-driven access patterns, the programme that wins will be the one that can prove both control and throughput.

Identity acceleration without governance loss is the new programme benchmark. The strongest teams will use identity metrics to show that automation can remove friction without increasing standing privilege or entitlement drift. In practice, that means tying your internal reporting to Zero Trust outcomes and using the OWASP Non-Human Identity Top 10 where machine access is part of the same governance estate.

With 70% of organisations already granting AI systems more access than they would give a human employee, per the 2026 Infrastructure Identity Survey, the next phase of identity modernisation will be judged by whether programmes can scale trust decisions as quickly as they scale access. That is a direct test for IAM, IGA, and PAM teams, especially where machine identity and emerging autonomous access overlap.


For practitioners

  • Measure identity throughput alongside security controls: Track provisioning time, help desk ticket volume, and access exception rates together so identity modernisation is judged on both control and operating speed. Build this into quarterly programme reporting rather than leaving it as an IT-only metric.
  • Standardise entitlement policy across providers: Remove provider-by-provider access logic where possible and define a shared entitlement model for common joiner, mover, and leaver paths. This prevents local teams from re-creating the same governance process in different tools.
  • Automate low-risk access, keep privileged access gated: Use self-service only for predefined, low-risk access paths and retain approval steps for sensitive entitlements, admin roles, and exceptions. That keeps the efficiency gains while preserving control where the blast radius is highest.
  • Link identity reporting to Zero Trust objectives: Map access lifecycle metrics to Zero Trust outcomes such as reduced standing access, faster remediation, and better entitlement visibility. If the programme cannot show those links, it is likely automating friction rather than improving governance.
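The routing logic the Technical breakdown describes (one entitlement model across providers, self-service for low-risk paths, gated approval for privileged ones) and the four practitioner points above, combined into a single runnable example. This is added illustration code, not EmpowerID's product logic or Siemens' implementation: the provider names, entitlement identifiers, role mappings, tier time limits and the request log are constructed assumptions. Each request is mapped from its provider-local name onto a canonical entitlement with a risk tier; low-risk birthright access is self-served but still time-bound and recorded, sensitive and privileged access waits for a reviewer other than the requester, anything the unified model does not recognise is surfaced as an exception rather than granted silently, and a report function derives the throughput and control metrics (auto-approval rate, exception rate, median time to access, privileged grants, grants past expiry that have not been revoked) from the same decision records.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Optional
# Unified entitlement model (constructed for this example). Provider-local
# identifiers collapse onto one canonical entitlement and one risk tier, so
# policy is evaluated once regardless of which provider fulfils the grant.
CANONICAL = {
    ("okta", "grp-eng-repo-read"): ("eng.repo.read", "low"),
    ("aws", "arn:aws:iam::123456789012:role/BillingViewer"): ("finance.billing.read", "sensitive"),
    ("aws", "arn:aws:iam::123456789012:role/AdminAccess"): ("cloud.admin", "privileged"),
    ("ad", "CN=Domain Admins,CN=Users,DC=example,DC=com"): ("directory.admin", "privileged"),
}
# Role-aware birthright: canonical entitlements each workforce role may request.
ROLE_ALLOWS = {
    "engineer": {"eng.repo.read"},
    "finance": {"finance.billing.read"},
    "sre": {"eng.repo.read", "cloud.admin", "directory.admin"},
}
# Per-tier control: whether a reviewer is required and how long a grant may stand
# before it must be re-justified. The limits are assumptions, not Siemens' values.
TIER_POLICY = {
    "low": {"approval": False, "ttl": timedelta(days=90)},
    "sensitive": {"approval": True, "ttl": timedelta(days=30)},
    "privileged": {"approval": True, "ttl": timedelta(hours=8)},
}

@dataclass
class Request:
    rid: str
    subject: str
    role: str
    provider: str
    local_name: str
    submitted: datetime
    approver: Optional[str] = None      # reviewer who acted on a gated request
    decided: Optional[datetime] = None  # when that reviewer acted

@dataclass
class Decision:
    rid: str
    entitlement: Optional[str]
    tier: Optional[str]
    outcome: str                 # auto_approved | approved | pending_approval | denied
    reason: str
    expires: Optional[datetime]  # every grant is time-bound; None when nothing was granted
    latency_s: Optional[float]   # seconds from submission to access being available

def evaluate(req: Request, now: datetime) -> Decision:
    """Apply one policy to a request, whichever provider it targets."""
    key = (req.provider, req.local_name)
    if key not in CANONICAL:
        # Unknown to the unified model: never granted silently, reported as an exception.
        return Decision(req.rid, None, None, "denied", "unmapped entitlement", None, None)
    ent, tier = CANONICAL[key]
    if ent not in ROLE_ALLOWS.get(req.role, set()):
        return Decision(req.rid, ent, tier, "denied", f"role {req.role} may not hold {ent}", None, None)
    policy = TIER_POLICY[tier]
    if not policy["approval"]:
        # Low-risk self-service path: no ticket, but still time-bound and recorded.
        return Decision(req.rid, ent, tier, "auto_approved", "role birthright",
                        now + policy["ttl"], (now - req.submitted).total_seconds())
    if req.approver is None:
        return Decision(req.rid, ent, tier, "pending_approval", "awaiting reviewer", None, None)
    if req.approver == req.subject:
        return Decision(req.rid, ent, tier, "denied", "self-approval not allowed", None, None)
    decided = req.decided or now
    return Decision(req.rid, ent, tier, "approved", f"approved by {req.approver}",
                    decided + policy["ttl"], (decided - req.submitted).total_seconds())

def report(decisions: list, now: datetime) -> dict:
    """Throughput and control metrics from the same records. Assumes granted decisions
    are still present in the providers, so one past expiry is unrevoked standing access."""
    total = len(decisions)
    granted = [d for d in decisions if d.outcome in ("auto_approved", "approved")]
    return {
        "auto_approval_rate": round(sum(d.outcome == "auto_approved" for d in decisions) / total, 2),
        "pending": sum(d.outcome == "pending_approval" for d in decisions),
        "exception_rate": round(sum(d.outcome == "denied" for d in decisions) / total, 2),
        "median_time_to_access_s": median(d.latency_s for d in granted) if granted else None,
        "overdue_revocations": sum(d.expires < now for d in granted),
        "privileged_grants": sum(d.tier == "privileged" for d in granted),
    }

def run_example():
    now = datetime(2025, 8, 26, 12, 0, tzinfo=timezone.utc)
    m, h, d = timedelta(minutes=1), timedelta(hours=1), timedelta(days=1)
    admin = "arn:aws:iam::123456789012:role/AdminAccess"
    requests = [  # constructed request log: one request per path, plus one grant already expired
        Request("r1", "alice", "engineer", "okta", "grp-eng-repo-read", now - 5 * m),
        Request("r2", "bob", "sre", "aws", admin, now - h, approver="carol", decided=now - 30 * m),
        Request("r3", "dave", "finance", "aws", admin, now - 2 * h),
        Request("r4", "erin", "sre", "ad", "CN=Domain Admins,CN=Users,DC=example,DC=com", now - h),
        Request("r5", "frank", "finance", "aws", "arn:aws:iam::123456789012:role/BillingViewer",
                now - h, approver="frank", decided=now - 10 * m),
        Request("r6", "grace", "engineer", "okta", "grp-legacy-sap", now - 3 * h),
        Request("r7", "heidi", "sre", "aws", admin, now - 2 * d, approver="carol", decided=now - 2 * d + 10 * m),
    ]
    decisions = [evaluate(r, now) for r in requests]
    return decisions, report(decisions, now)
```

Calling run_example() returns the seven decision records and the metrics dictionary. With the constructed log the auto-approval rate is 0.14 and the exception rate 0.43 (the unmapped legacy entitlement, the role mismatch and the self-approval attempt), one privileged request is waiting on a reviewer, the median time to access is 600 seconds, and the expired privileged grant appears as an overdue revocation, the number a Zero Trust programme wants at zero. Reporting throughput (auto-approval rate, time to access) and control (exceptions, overdue revocations, privileged grants) from the same records is what lets a programme show speed and governance together rather than trading one for the other.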

Key takeaways

  • Siemens illustrates that identity governance can remove onboarding friction and improve security at the same time when access administration is unified.
  • The scale of the environment, with hundreds of thousands of identities and millions of monthly entitlement changes, shows why local, manual identity handling does not hold up.
  • Teams should measure identity modernisation by throughput, governance consistency, and reduction in standing access, not by security controls alone.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework, control or reference, and relevance:
  • NIST CSF 2.0, PR.AC-4 (the CSF 1.1 identifier; the equivalent outcome in CSF 2.0 is PR.AA-05): access management at Siemens scale depends on least privilege and controlled entitlement changes.
  • NIST Zero Trust (SP 800-207): the article frames Zero Trust as continuous verification for access at scale.
  • OWASP Non-Human Identity Top 10, NHI-03: the same operational patterns apply to service accounts and machine identities in large estates.

Apply NHI lifecycle controls to machine access paths so automation does not expand unmanaged privilege.


Key terms

  • Identity sprawl: Identity sprawl is the accumulation of too many accounts, entitlements, service providers, and ownership paths for a team to govern consistently. In practice, it creates duplicate approvals, uneven lifecycle handling, and weak visibility across human and machine access alike.
  • Provisioning drift: Provisioning drift is the gap that appears when access is created differently across teams, tools, or regions even though the underlying business need is the same. It leads to inconsistent policy enforcement, slower onboarding, and poor reconciliation during audits or access reviews.
  • Standing access: Standing access is persistent permission that remains available until someone removes it. In high-scale identity environments, it is one of the main reasons privilege accumulates unnoticed, because no one has to re-justify access at the moment it is used.
  • Zero Trust: Zero Trust is an identity and access model that requires continuous verification instead of assuming trust based on network location or prior access. For modern enterprises, it shifts the focus toward contextual, policy-driven decisions that can scale across workforce, service, and emerging autonomous identities.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by EmpowerID: The Siemens Discovery. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org