TL;DR: Most IAM programs optimise provisioning workflows, but the real governance risk concentrates before onboarding, during role transitions, and after termination, according to Opnova. That means lifecycle alignment, not provisioning speed, is the control that determines whether identity access still matches business intent as environments scale.
At a glance
What this is: This analysis argues that enterprise IAM breaks down at lifecycle boundaries, not in provisioning itself, and that misalignment with business intent drives residual access risk.
Why it matters: For IAM, NHI, and human identity programmes, the lesson is the same: if lifecycle governance is weak, automation simply accelerates stale access, drift, and shadow exposure.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
👉 Read Opnova's analysis of the structural gaps in enterprise IAM
Context
Enterprise IAM is not usually weakened by account creation itself. The larger failure is that identity governance often starts too late, after trust decisions have already been made and before lifecycle alignment has been established. In practice, that leaves access control operating without enough business context to stay accurate over time.
This matters because the same lifecycle gaps affect service accounts, application accounts, and AI agents as much as human users. When access is granted, moved, or retired without consistent governance, automation preserves the mismatch instead of correcting it. That is why lifecycle discipline has become a control plane issue, not just an operational one.
Key questions
Q: How should security teams align IAM with the identity lifecycle?
A: Security teams should start by defining where trust is established, where access changes are approved, and where removal is verified. IAM becomes reliable when those decisions are tied to business intent and enforced across onboarding, role changes, and offboarding, including disconnected systems that do not sit neatly inside the central directory.
Q: Why do role changes create more identity risk than provisioning alone?
A: Role changes create risk because new access is usually granted faster than old access is removed. That leaves entitlement drift, separation-of-duties conflicts, and residual permissions that no longer match the current job, which expands the blast radius if the account is misused or compromised.
Q: What breaks when offboarding is only checked in the primary directory?
A: What breaks is containment. Accounts can remain active in third-party portals, legacy apps, and vendor-managed systems even after the directory account is disabled, leaving shadow access in places the IAM team may not monitor closely enough to detect or prove.
Q: How do organisations know whether automation is improving identity governance?
A: Automation is helping only if it reduces residual access, shortens revocation paths, and improves evidence that access matches business intent. If it merely speeds up account creation and access changes while leaving offboarding and review gaps intact, it is scaling the problem instead of solving it.
Technical breakdown
Trust establishment before identity creation
Identity governance begins before an account exists. The real decision is whether a person, contractor, vendor, service, or agent should enter the operating environment at all, and under what constraints. If eligibility, role scope, and risk classification are unclear at intake, provisioning becomes a mechanical follow-on to a weak trust decision. That gap is especially visible in federated and delegated access, where the technical system can create access faster than the business can validate whether it should exist. In NIST CSF terms, this is a governance and identity assurance problem, not a workflow problem.
Practical implication: define trust criteria at intake so account creation cannot outrun approval, scope, and risk classification.
Role transitions and entitlement drift
Role change is where entitlement drift accumulates. People, service owners, and dependent systems often gain access quickly during moves, but outdated permissions are removed slowly, if at all. Over time, the access set becomes larger than the current job or function requires, which weakens separation of duties and broadens the blast radius of compromise or misuse. For NHI and human IAM alike, transition governance is where entitlement history becomes control debt. The issue is not merely excess access, but access that no longer has a current business owner.
Practical implication: make role transitions a removal-first event so obsolete permissions are explicitly retired, not left to pile up.
Offboarding and shadow access persistence
Offboarding is the point where many IAM programs assume removal has succeeded once the directory account is disabled. That assumption fails in disconnected applications, third-party portals, and legacy systems where identity is not centrally federated. Access can persist outside monitoring, turning retired identities into shadow accounts with ongoing visibility into data, filings, or operations. This is a lifecycle containment failure, not just a deprovisioning gap. The practical issue is that identity may remain active where the IAM team cannot see it, even though the business relationship has ended.
Practical implication: verify offboarding across disconnected systems, not just in the primary directory or HR-linked workflow.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity governance begins with trust, not account creation: The article's central claim is correct because provisioning is downstream of a decision that should already define eligibility, scope, and constraint. When organisations treat account creation as the start of governance, they miss the fact that the most important control decisions happen earlier. The implication is that lifecycle governance must be anchored in business intent before any technical workflow begins.
Lifecycle misalignment creates control debt that automation will scale: Automation does not repair weak lifecycle discipline; it accelerates it. Faster provisioning, faster changes, and faster offboarding only help when removal, recertification, and scope alignment are already reliable. Otherwise, identity programmes produce more access events without producing more control, which is why this issue becomes more dangerous at enterprise scale.
Role-transition entitlement drift: Access that survives a role change is the clearest example of governance built for static jobs in a dynamic organisation. The system assumes that permissions can be granted once and corrected later, but the business reality is that privileges accumulate faster than they are removed. Practitioners should treat this as a structural failure of ownership and lifecycle alignment, not a simple cleanup exercise.
Disconnected systems expose the limits of central IAM: When identity exists in applications outside federated control, the programme no longer has a complete view of who can still reach what. That makes offboarding, review, and evidence collection partial by design, not just imperfect. The practical conclusion is that central IAM coverage cannot be mistaken for enterprise coverage.
AI agents inherit broken permission structures rather than improving them: The article's AI point is strategically important because it shows that automation amplifies the existing model of governance. If access, scope, and lifecycle discipline are already inconsistent, AI agents will simply operate inside that inconsistency at greater speed. The practitioner conclusion is that agentic or automated access can only be governed well when the underlying lifecycle model is already coherent.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing that removal gaps persist long after detection.
- See NHI Lifecycle Management Guide for lifecycle controls that keep provisioning, rotation, and offboarding aligned.
What this signals
Shadow access is now a lifecycle visibility problem, not a directory problem: when organisations cannot see service accounts clearly, they cannot prove that offboarding worked or that role changes removed the right entitlements. That is why IAM programmes need evidence across disconnected systems, not just cleaner workflows in the core directory.
Lifecycle control becomes the deciding factor for automation success: AI and automation do not correct weak ownership models, and they do not invent missing revocation paths. The programmes that will scale are the ones that can show who owns access, who retires it, and where the last mile of containment actually happens.
As IAM environments expand, the practical benchmark shifts from how fast access can be issued to how reliably access can be retired. Teams should expect lifecycle assurance to become a board-level control question, especially where service accounts and delegated systems sit outside normal review cycles.
For practitioners
- Map lifecycle controls before automating provisioning: Document where trust is established, where role changes occur, and where access is actually removed across human, service, and application identities. Use that map to find where the workflow stops and the business decision continues, then close the gap before expanding automation.
- Make role transitions removal-first: Require explicit revocation of obsolete entitlements before new access is granted during transfers or reorganisations. This reduces entitlement drift and prevents legacy permissions from surviving into the next role.
- Test offboarding in disconnected applications: Sample non-federated portals, vendor-managed systems, and legacy UI-only apps to verify that access is actually gone after termination. Do not accept directory disablement as proof of complete removal.
- Treat AI and automation as governance multipliers: Only expand automated access workflows after lifecycle ownership, evidence capture, and revocation paths are stable. Otherwise, automation will simply speed up the same residual exposure the programme already has.
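As an added example (not code from the page, from Opnova, or from NHIMG), the three lifecycle checks above run as a reconciliation over constructed exports: entitlement drift after a role change, entitlements still held by disabled accounts, and shadow access in a non-federated app. The directory, role-baseline, entitlement and app-user formats are assumptions for illustration.

```python
# Constructed sample data (not from the page): a directory export, per-role
# entitlement baselines, an entitlement export, and the local user list of a
# legacy app that is not federated with the directory.
DIRECTORY = {
    "alice": {"enabled": True, "role": "finance-analyst"},
    "bob": {"enabled": False, "role": "contractor"},  # offboarded in directory
    "carol": {"enabled": True, "role": "sre"},        # transferred from dba
}
ROLE_BASELINE = {"finance-analyst": {"erp:read"},
                 "sre": {"k8s:deploy", "cloud:read"}, "contractor": set()}
HELD = {  # entitlements actually held today, per entitlement export
    "alice": {"erp:read"},
    "bob": {"vendor-portal:filings"},
    "carol": {"k8s:deploy", "cloud:read", "db:admin"},  # db:admin survived the move
}
APP_LOCAL_USERS = {"alice": "active", "bob": "active", "dave": "active"}


def entitlement_drift(directory, baseline, held):
    """Enabled accounts holding more than their current role's baseline:
    the removal-first check that should run on every role change."""
    drift = {}
    for user, rec in directory.items():
        if rec["enabled"]:
            excess = held.get(user, set()) - baseline.get(rec["role"], set())
            if excess:
                drift[user] = excess
    return drift


def residual_after_offboarding(directory, held):
    """Disabled directory accounts that still hold entitlements somewhere."""
    return {u: held[u] for u, rec in directory.items()
            if not rec["enabled"] and held.get(u)}


def shadow_access(directory, app_users):
    """Users active in the disconnected app while the directory account is
    disabled or does not exist at all (nobody in the directory owns it)."""
    return sorted(u for u, state in app_users.items() if state == "active"
                  and not directory.get(u, {}).get("enabled", False))


def lifecycle_report(directory=DIRECTORY, baseline=ROLE_BASELINE,
                     held=HELD, app_users=APP_LOCAL_USERS):
    """Evidence bundle; empty sections are the proof that the lifecycle held."""
    return {"entitlement_drift": entitlement_drift(directory, baseline, held),
            "residual_after_offboarding": residual_after_offboarding(directory, held),
            "shadow_access": shadow_access(directory, app_users)}
```

Running the same three checks on each scheduled review, and keeping the output, gives the evidence of removal that directory disablement alone cannot provide.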
Key takeaways
- Enterprise IAM fails most often at lifecycle boundaries, where trust, role change, and offboarding decisions drift away from business intent.
- The scale of the problem is visible in the persistence of shadow access and unmanaged service accounts, which automation can speed up but not correct.
- Practitioners should treat lifecycle alignment as the control that determines whether provisioning efficiency becomes governance strength or residual exposure.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Lifecycle alignment governs how access is granted, changed, and removed. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Rotation and revocation gaps mirror lifecycle failures in non-human identities. |
| NIST Zero Trust (SP 800-207) | | Zero trust requires continuous verification across changing identities and contexts. |
Audit NHI lifecycle steps for stale access and enforce revocation outside the primary directory.
Key terms
- Identity Lifecycle Governance: Identity lifecycle governance is the discipline of controlling access from initial trust decision through role changes and offboarding. It connects business intent to technical enforcement so access stays aligned over time, across human users, service accounts, applications, and other non-human identities.
- Entitlement Drift: Entitlement drift is the gradual accumulation of permissions that no longer match the current role or business need. It happens when access is granted faster than it is reviewed or removed, leaving residual privilege that widens risk and weakens separation of duties.
- Shadow Access: Shadow access is active access that remains outside normal IAM visibility, often in disconnected apps, portals, or legacy systems. It persists after the primary directory says access is gone, which makes revocation, audit evidence, and incident containment harder to prove.
- Business Intent: Business intent is the current organisational reason why a person or system should have access. In identity governance, it is the reference point that tells practitioners whether an entitlement is still justified, whether it should be changed, or whether it should be removed.
Deepen your knowledge
Identity lifecycle alignment across human, service, and AI-driven access is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are standardising governance across disconnected systems, it is worth exploring.
This post draws on content published by Opnova: The structural gaps in enterprise IAM. Read the original.
Published by the NHIMG editorial team on 2026-02-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org