TL;DR: Traditional IGA programs fail when they try to govern cloud, SaaS, contractors, and machine access through one large transformation, because static roles and manual reviews age faster than the environment they are meant to control, according to RSA Security. The practical answer is phased governance focused on the highest-risk access first, not a single enterprise-wide redesign.
At a glance
What this is: This is an analysis of why large, static identity governance and administration programs break down in modern environments and why phased rollout is more workable.
Why it matters: It matters to IAM and NHI practitioners because the same operating conditions that strain human access governance also amplify non-human identity sprawl, entitlement drift, and review fatigue.
👉 Read RSA Security's analysis of why traditional IGA breaks at scale
Context
Traditional identity governance and administration was built for a slower environment, with stable roles, fewer systems, and access patterns that changed infrequently. In cloud, SaaS, distributed work, contractors, and machine identities, that model becomes brittle because the control surface changes faster than the governance program can absorb it.
For NHI governance, the lesson is direct: the more identities and entitlements change, the less value there is in treating governance as a one-time transformation. NHIs and service accounts need lifecycle controls, visibility, and review models that can move in smaller increments, which is why phased governance has become the more realistic operating model.
The article's starting position is typical for organizations still trying to force enterprise-wide consistency into a dynamic environment. That mismatch is now common, not exceptional.
Key questions
Q: How should security teams implement phased IGA in environments with many NHIs?
A: Start with one high-risk application or identity population and prove visibility before expanding scope. Then add reviews, approval logic, and lifecycle automation in the same order that risk appears. For NHIs, that usually means inventory first, control second, and rotation or offboarding third. A phased model works because it reduces uncertainty before teams scale governance across the rest of the environment.
Q: Why do NHIs make traditional identity governance harder to sustain?
A: NHIs increase both the number of identities and the speed at which access changes. Service accounts, API keys, tokens, and certificates often persist outside normal human workflows, so periodic reviews miss real-time drift. Traditional IGA struggles because it assumes stable entitlements, while NHI risk is usually defined by volume, privilege, and lifecycle gaps.
Q: What breaks when identity reviews are too broad and infrequent?
A: Reviewers lose context, dormant access stays active, and the process turns into a completion exercise instead of a control. Broad reviews also hide the identities that matter most, especially high-risk service accounts and shared entitlements. When the review scope is too large, teams can satisfy the process without actually reducing exposure.
Q: How should organisations respond when a major IGA program cannot be completed at once?
A: Treat that as a signal to redesign the rollout, not to expand the timeline. Narrow the use case, define a measurable control outcome, and move to the next scope only after the first one is stable. For many teams, the right response is to build a governance sequence that starts with visibility and ends with lifecycle automation.
Background and context
Why big-bang IGA programs stall in dynamic environments
A big-bang IGA program tries to define all roles, onboard all applications, and implement full governance in one coordinated effort. That approach assumes stable systems, clear ownership, and enough time to finish before the environment changes. In practice, access models drift while the program is still being built, reviewers lose context, and manual certification becomes a compliance exercise rather than a risk control. The failure is architectural, not just procedural: static control design cannot keep pace with distributed cloud, SaaS, and machine-driven access patterns.
Practical implication: Break large governance programs into scoped use cases that can deliver control value before entitlement drift overtakes the rollout.
Static roles and entitlement reviews lose accuracy quickly
Traditional IGA leans on fixed roles and periodic review cycles. That works only when job functions, system boundaries, and access needs change slowly. In modern environments, roles accumulate exceptions, entitlements get reused across teams, and dormant access remains hidden between review cycles. For NHI governance, the problem is sharper because service accounts, API keys, and tokens often sit outside human approval paths while still carrying persistent access. The control model must therefore cover both entitlement assignment and ongoing usage context, not just ownership on paper.
Practical implication: Pair periodic access reviews with continuous visibility into which privileges are actually being used and by whom or what.
Phased governance fits lifecycle control better than transformation projects
A phased approach starts with visibility, then moves to governance, and only then expands into lifecycle automation. That sequence matters because governance decisions are only as good as the inventory beneath them. For NHIs, lifecycle control includes provisioning, rotation, offboarding, and exception handling, all of which benefit from scope reduction before scale-up. This is closer to operational security engineering than program management: prove the control in one domain, then extend it where the same control logic applies.
Practical implication: Use a lifecycle-first rollout for NHIs so visibility and rotation improvements precede broader policy automation.
NHI Mgmt Group analysis
Big-bang identity governance is now a control-risk pattern, not a delivery preference. The article describes a recurring failure mode where programs try to solve everything at once and deliver nothing quickly enough to matter. That pattern is especially dangerous in environments with NHIs, because entitlement volume and change rate make delayed control value equivalent to no control value. Practitioners should treat big-bang governance as a risk indicator, not a maturity signal.
Phased governance is the right operating model for NHI-heavy environments. The article's strongest argument is that organizations need to start with one measurable problem and expand from there. That aligns with NHI reality, where visibility, access review, rotation, and offboarding are easier to secure in stages than through one enterprise transformation. The practical conclusion is to build control coverage by use case, not by abstract program design.
Identity blast radius is the real unit of governance. A focused IGA model works because it reduces the number of identities, entitlements, and systems affected by each change. For NHIs, that means prioritizing the accounts and tokens that can create the widest misuse path if left unmanaged. The discipline should shift from broad completeness to contained exposure, and teams should measure success by reduced blast radius, not by program size.
Dynamic governance should replace static entitlement thinking. The article correctly rejects the assumption that roles and policies can remain fixed long enough to be fully designed in advance. In modern IAM and NHI settings, governance must adapt as systems, workloads, and service accounts change. The practitioner takeaway is to design controls that can be updated continuously without requiring a program reset.
Lifecycle control is where NHI governance becomes operational. Visibility alone does not manage risk if provisioning, rotation, and offboarding remain manual or inconsistent. The more machine identities an organization carries, the more important it becomes to connect governance decisions to identity lifecycle events. Teams should therefore move from governance as review to governance as continuous lifecycle enforcement.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- For lifecycle context, see the Ultimate Guide to NHIs, section Lifecycle Processes for Managing NHIs, for how rotation, provisioning, and offboarding reduce exposure.
What this signals
Identity governance is shifting from program completeness to control precision. Teams that keep trying to model every role up front will continue to lose time to drift, exceptions, and review fatigue. The more practical approach is to define a small number of high-value control points and prove them before scaling the programme across the rest of the estate.
With 97% of NHIs carrying excessive privileges, according to the Ultimate Guide to NHIs, broad governance programmes are failing where the blast radius is widest. That figure is a reminder that the governance problem is not abstract policy design, but containment of over-privileged identities that can turn one oversight into systemic exposure.
Identity blast radius should become a planning metric for IAM and NHI teams. The practical question is no longer whether a program covers every system, but whether it reduces the number of identities that can move from low-risk to high-impact access without friction. That is the control outcome boards and auditors can actually understand.
For practitioners
- Implement phased governance around one high-risk domain: Pick a single application, workload cluster, or access population with clear risk and measurable outcomes. Deliver visibility first, then add review and lifecycle controls only after the inventory is credible enough to support them.
- Prioritize the identities that expand blast radius: Rank NHIs and human accounts by privilege scope, reuse, and downstream access to sensitive systems. Focus on the few identities that can create disproportionate exposure if left unmanaged.
- Replace broad review cycles with scoped access decisions: Use shorter review loops for sensitive entitlements and tie each review to actual usage, ownership, and business need. Where possible, connect the process to lifecycle events such as provisioning, rotation, and offboarding.
- Align governance controls with lifecycle automation: Automate the repetitive parts of entitlement control once the initial use case is stable. For NHIs, that means building repeatable handling for credentials, tokens, and certificates before expanding coverage to adjacent systems.
Key takeaways
- Traditional IGA fails when it assumes the environment will stay stable long enough for a full transformation.
- NHIs magnify the problem because privilege, change, and lifecycle gaps move faster than periodic review cycles can handle.
- Phased governance, starting with visibility and moving toward lifecycle automation, is the more durable operating model.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Rotation and lifecycle gaps are central to the article's governance failure mode. |
| NIST CSF 2.0 | PR.AC-4 | Access authorisation and review practices map to least-privilege governance. |
| NIST Zero Trust (SP 800-207) | AC-2 | Dynamic environments require continuous access control rather than static entitlement assumptions. |
Apply zero trust access principles to identities that change frequently or carry elevated privilege.
Key terms
- Identity governance and administration: Identity governance and administration is the set of policies, workflows, and controls used to decide who or what should have access, approve it, and review it over time. In modern environments, it must account for cloud, SaaS, and machine identities, not just employee accounts.
- Non-human identity: A non-human identity is any digital identity used by software, services, or automation instead of a person. This includes service accounts, API keys, tokens, certificates, workloads, bots, and AI agents, all of which need lifecycle control and privilege management.
- Identity blast radius: Identity blast radius is the amount of damage a single identity can cause if it is misused or compromised. It is shaped by privilege scope, credential persistence, and downstream reach, making it a useful way to prioritise controls in both IAM and NHI programmes.
- Lifecycle automation: Lifecycle automation is the controlled handling of identity creation, rotation, review, and removal with minimal manual intervention. For NHIs, it reduces the chance that credentials, tokens, or certificates remain valid longer than necessary or survive beyond their intended use.
Deepen your knowledge
Identity governance and administration phasing is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building lifecycle controls and access review discipline in a similar environment, it is worth exploring.
This post draws on content published by RSA Security: Why Traditional IGA Breaks in Modern Environments and How a More Focused Approach Can Fix It. Read the original.
Published by the NHIMG editorial team on 2026-05-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org