TL;DR: Solvency II compliance depends on traceable data, accountable governance, and defensible disclosures across capital calculations, supervision, and reporting, according to Collibra. The governance lesson is broader: regulated data programmes fail when lineage, ownership, and quality controls are treated as documentation instead of operational controls.
At a glance
What this is: This is a Collibra analysis of how Solvency II compliance rests on data lineage, governance workflows, and consistent disclosure controls.
Why it matters: It matters to IAM and governance teams because the same accountability, auditability, and policy-to-control traceability problems appear across NHI, autonomous, and human identity programmes.
By the numbers:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read Collibra's analysis of Solvency II compliance and data governance
Context
Solvency II is a data-governance problem as much as a regulatory one. Firms have to prove that the numbers in capital calculations, risk models, and public disclosures are traceable, accurate, and backed by clear accountability. When lineage, quality, and ownership are weak, compliance becomes difficult to defend even if the final report looks complete.
For identity and access teams, the parallel is familiar. Whether the subject is a human analyst, a service account feeding a reporting pipeline, or an autonomous system making runtime decisions, regulators and auditors care about who can change inputs, who approves those changes, and whether the resulting trail is reconstructible after the fact.
Key questions
Q: How should organisations prove that regulated reporting data is trustworthy?
A: They should treat lineage, approval history, and data quality rules as evidence controls, not administrative extras. The goal is to show where each figure came from, who changed it, and how exceptions were handled. If a report cannot be reconstructed from source to disclosure, trust in the control environment is weak.
Q: Why does governance workflow matter for compliance programmes?
A: Because policy alone cannot prove accountability. A workflow records who approved a change, who owned the asset, and what happened when a request was rejected or escalated. That record is what auditors and regulators look for when they test whether governance is operational or merely documented.
Q: What do security teams get wrong about data lineage and access control?
A: They often treat both as separate documentation tasks instead of as evidence of control. In practice, lineage and access history solve the same problem: reconstructing how an outcome happened. When that reconstruction is impossible, the organisation cannot defend either reporting integrity or privileged change management.
Q: How should teams respond when a control path cannot be reconstructed?
A: They should pause reliance on that control for regulated outputs, identify the missing evidence step, and close the gap before the next reporting cycle. If the organisation cannot explain the path from source to decision, the safest assumption is that the control is not yet auditable.
Technical breakdown
Data lineage as an audit control
Data lineage is the ability to trace a data element from source through every transformation to its final report or model. In regulated environments, that trace is not just for debugging. It is evidence that calculations are reproducible and that the organisation can answer a regulator’s challenge without relying on tribal knowledge. Lineage becomes most valuable when multiple systems, manual overrides, and downstream aggregations all touch the same figure.
Practical implication: map critical reporting fields to source systems and transformations before you need to defend them.
Governance workflows and accountability
Governance workflows turn policy into a controlled sequence of approvals, ownership assignments, and recorded changes. For Solvency II, the key issue is not whether policy exists, but whether changes to critical data assets are routed through accountable owners and leave a durable record. That matters because ORSA-style oversight depends on proving control, not merely claiming it. In identity terms, this is the same control pattern used to manage privileged access and lifecycle changes.
Practical implication: bind every high-value data asset to a named owner and an auditable change path.
Reporting consistency across business terms
A business glossary and reference data management reduce ambiguity in regulated reporting. The issue is less technical than semantic: if business terms, codes, and report labels drift across teams, the same metric can be interpreted differently at each handoff. That creates avoidable reporting risk because disclosures depend on stable meaning as much as on accurate numbers. This is a governance problem that also shows up in IAM, where inconsistent entitlements and role names undermine review quality.
Practical implication: standardise critical terms and codes before they propagate into reports and approvals.
NHI Mgmt Group analysis
Solvency II exposes a governance truth that identity teams already know: traceability matters only when it is operational. Collibra’s framing makes clear that compliance depends on being able to reconstruct how figures were produced, approved, and disclosed. That is the same governance expectation IAM teams face when they cannot explain who changed access, when, and under what authority. The practitioner conclusion is simple: if you cannot reconstruct the control path, you do not have a defensible control.
Data lineage is the reporting equivalent of access provenance. A regulator asking for the origin of an SFCR number is functionally similar to an auditor asking how an entitlement or secret reached a production system. Both questions test whether change history is preserved across systems, approvals, and exceptions. The broader lesson is that governance fails when provenance is treated as metadata instead of control evidence. Practitioners should treat lineage as a control surface, not a documentation layer.
Policy without workflow produces the same failure pattern in data governance that standing privilege produces in identity governance. Collibra’s emphasis on stewardship, approvals, and logged changes shows why written policy alone does not satisfy supervision requirements. If ownership can be asserted but not enforced, the control is ceremonial. The practitioner implication is to measure whether governance actions are executable and auditable, not whether the policy library is complete.
Solvency II also highlights the importance of semantic control, not just technical control. Business glossary management and reference data governance are reminders that consistent meaning is part of compliance. In identity programmes, the equivalent failure is inconsistent naming, role design, or entitlement classification across systems, which makes recertification and reporting unreliable. The field-level lesson is that governance maturity includes shared language, not just shared tooling. Practitioners should align semantics before they scale automation.
Named concept: audit-reconstructible governance. This post points to a broader requirement across regulated identity and data programmes: controls must be reconstructible after the fact, not merely active in the moment. That shifts the emphasis from policy declarations to evidence chains, from ownership claims to recorded decisions, and from process intent to verifiable outcomes. Practitioners should judge governance maturity by whether they can replay the control story end to end.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the same guide.
- Collibra’s emphasis on audit trails and accountability fits the control problem described in the Ultimate Guide to NHIs (Lifecycle Processes for Managing NHIs), where evidence and lifecycle discipline determine whether governance is real.
What this signals
Audit-reconstructible governance: regulated programmes will increasingly be judged on whether they can replay the full control path, not simply show that a policy existed. That pushes identity, data, and risk teams toward shared evidence models that connect approval, change, and disclosure. For practitioners, the practical signal is that undocumented exceptions will become harder to defend in both audits and internal reviews.
As reporting and access environments become more automated, the boundary between data governance and identity governance keeps narrowing. Teams that already struggle to explain lineage or ownership in one domain usually have the same gap in the other, which makes convergence work more urgent than cosmetic. The next programme milestone is not another dashboard, but a control story that survives scrutiny across systems.
The strongest signal in this topic is that governance maturity is moving from static policy libraries to verifiable operating evidence. Organisations that cannot show who changed what, when, and under which approval path will find both compliance and access review work slower, more manual, and less defensible. Practitioners should prepare for tighter demands on traceability and exception handling.
For practitioners
- Map critical data paths end to end: identify which source systems, transformations, manual overrides, and report outputs influence Solvency II calculations, then document the lineage for each critical field so auditors can reconstruct the number without ad hoc explanation.
- Assign named owners to regulated data assets: tie each high-value reporting dataset to a steward or owner who is accountable for approvals, exceptions, and issue resolution, and ensure that ownership is reflected in the workflow rather than only in policy documents.
- Standardise business terms and reference codes: create one controlled glossary for report terms, codes, and definitions so finance, risk, and IT teams use the same meaning when preparing disclosures and responding to audit questions.
- Test whether control evidence is replayable: run a challenge exercise where the team must explain a material figure or change from origin to disclosure, then fix any step that depends on memory, email, or undocumented approval.
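The replay test described above can be automated once lineage is recorded as data rather than as a diagram. The following is an added example written for this post; it is not Collibra's code and does not describe any real firm's pipeline. It assumes a simple provenance ledger (one record per transformation step, with inputs, owner, approver and a manual-override flag, all constructed here) and walks backwards from a disclosed figure to its sources, reporting every step where the evidence the post calls for is missing: an input with no lineage record, a step with no named owner, or a manual override with no recorded approval. The node names such as `sfcr.c0010` and `scr.total` are placeholders, not real template references.

```python
"""Replay the lineage of a disclosed figure from a provenance ledger.

Added example for this post; it is not Collibra's product or code. The
ledger layout, field names and the sample records are constructed for
illustration and do not describe any real firm's Solvency II pipeline.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LineageEvent:
    node: str                   # data element produced by this step
    inputs: Tuple[str, ...]     # upstream elements consumed by the step
    transform: str              # what the step did (load, calc, override, ...)
    owner: Optional[str]        # named steward accountable for the element
    approver: Optional[str]     # who approved the change, if anyone
    manual: bool = False        # True when the step is a manual override


# Constructed sample ledger: one record per transformation step (not real data).
# Three deliberate evidence gaps are planted: scr.total has no owner,
# bel.adjusted is a manual override with no approver, and market.curve is
# consumed but never recorded.
LEDGER: List[LineageEvent] = [
    LineageEvent("policy_admin.reserves", (), "source load", "ops-data", None),
    LineageEvent("claims.triangles", (), "source load", "actuarial", None),
    LineageEvent("bel.gross", ("policy_admin.reserves", "claims.triangles"),
                 "best estimate calculation", "actuarial", "head_actuary"),
    LineageEvent("bel.adjusted", ("bel.gross",), "manual override",
                 "actuarial", None, manual=True),
    LineageEvent("scr.total", ("bel.adjusted", "market.curve"),
                 "standard formula aggregation", None, "cro"),
    LineageEvent("sfcr.c0010", ("scr.total",), "disclosure template",
                 "finance", "cfo"),
]


def reconstruct(ledger, figure):
    """Walk from a disclosed figure back to its sources.

    Returns (path, gaps): path is the depth-first list of LineageEvents that
    explain the figure; gaps lists every step where control evidence (a
    recorded input, a named owner, an approval on a manual override) is
    missing. A shared input or a cycle is visited only once.
    """
    index: Dict[str, LineageEvent] = {e.node: e for e in ledger}
    path: List[LineageEvent] = []
    gaps: List[str] = []
    seen = set()

    def walk(node: str) -> None:
        if node in seen:
            return
        seen.add(node)
        event = index.get(node)
        if event is None:
            gaps.append(f"{node}: no lineage record (undocumented input)")
            return
        path.append(event)
        if event.owner is None:
            gaps.append(f"{node}: no named owner")
        if event.manual and event.approver is None:
            gaps.append(f"{node}: manual override without recorded approval")
        for parent in event.inputs:
            walk(parent)

    walk(figure)
    return path, gaps


def is_defensible(ledger, figure) -> bool:
    """True only when the full path replays with no evidence gap."""
    return not reconstruct(ledger, figure)[1]


def remediate(ledger, node, **changes):
    """Return a new ledger with one step's record corrected (e.g. owner added)."""
    return [replace(e, **changes) if e.node == node else e for e in ledger]


def render(path) -> str:
    """Human-readable control story, one line per step."""
    return "\n".join(
        f"{e.node} <- {', '.join(e.inputs) or 'SOURCE'} [{e.transform}; "
        f"owner={e.owner or '?'}; approver={e.approver or '?'}]"
        for e in path
    )


if __name__ == "__main__":
    path, gaps = reconstruct(LEDGER, "sfcr.c0010")
    print(render(path))
    print("gaps:", gaps or "none")
```

Run it as-is and the three planted gaps are reported; apply `remediate` to name an owner for `scr.total` and an approver for `bel.adjusted`, add a record for `market.curve`, and `is_defensible` flips to true. The point of the design is that the same walk answers both the regulator's question (where did this number come from?) and the auditor's (who changed it, under whose approval?), which is the convergence the post argues for.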
Key takeaways
- Solvency II compliance depends on proving how data was produced, changed, and disclosed, not just on producing a compliant-looking report.
- When lineage, stewardship, and terminology control are weak, governance becomes hard to defend even if individual calculations appear correct.
- Identity and data teams should measure whether control evidence can be replayed end to end, because that is where auditability is won or lost.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OV-01 | Governance oversight applies to auditable control paths and accountability. |
| NIST CSF 2.0 | PR.AA-05 (least privilege and separation of duties; PR.AC-4 in CSF 1.1) | Managed, reviewed access authorisations mirror the auditability problem described here. |
| NIST Zero Trust (SP 800-207) | Tenets of zero trust (per-request, least-privilege access decisions) | Every access decision is policy-driven and recorded, the same evidence expectation placed on changes to regulated data. |
| NIST SP 800-63 | Identity and authentication assurance levels (IAL/AAL) | Identity assurance principles matter where human approval and accountability are required. |
Use identity assurance principles to ensure approvers and owners are uniquely accountable for critical changes.
Key terms
- Data Lineage: Data lineage is the recorded path a data element follows from origin to final report or model output. In regulated environments, it provides evidence that calculations are reproducible, exceptions are traceable, and any material figure can be explained without relying on memory or undocumented handoffs.
- Governance Workflow: A governance workflow is the controlled sequence used to approve, record, and resolve changes to a governed asset. It turns policy into an auditable process by linking ownership, decision-making, and change history so that accountability can be verified after the fact.
- Reference Data Management: Reference data management is the discipline of controlling standard codes and shared values such as country, currency, or risk class identifiers. It prevents reporting drift by ensuring that every system and team uses the same approved terms, which is essential when disclosures must remain consistent across filings and reviews.
Deepen your knowledge
NHI governance, identity lifecycle management, and secrets management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by Collibra: Solvency II, solved: 3 ways Collibra builds lasting compliance. Read the original.
Published by the NHIMG editorial team on 2025-09-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org