TL;DR: Identity governance programs can satisfy audits through completed certifications, documented attestations, and clean evidence trails while access exposure barely changes, according to OpenIAM. The real issue is that oversight proves process existence, not whether high-risk privileges, toxic combinations, or unnecessary access are actually shrinking.
At a glance
What this is: This is an analysis of why identity governance can look compliant on paper while leaving access exposure largely unchanged.
Why it matters: It matters because IAM, IGA, PAM, NHI, and human identity teams need outcome measures that prove risk reduction, not just audit completion.
👉 Read OpenIAM's analysis of why identity governance passes audits but still misses risk reduction
Context
Identity governance can be procedurally correct and still fail operationally. In many enterprises, certification campaigns finish on time, attestations are documented, and auditors see the evidence they expect, while excess access continues to accumulate across applications and privilege does not materially shrink.
The core problem is that audit validation and exposure reduction are different objectives. A programme built to prove oversight will naturally optimise for completion rates, timestamps, and traceability, but practitioners need measures that show whether access risk is actually going down across human identities, service accounts, and other non-human identities.
Key questions
Q: How do identity governance teams prove risk reduction instead of just audit completion?
A: They must measure outcome change, not only workflow completion. That means tracking whether high-risk entitlements are removed, toxic combinations shrink, and dormant access is deprovisioned over time. Audit evidence still matters, but it should confirm that governance executed, while exposure metrics prove that the environment became safer.
Q: Why do identity governance programs often look mature without lowering access risk?
A: Because many programmes optimise for evidence production. Certification completion, attestation timestamps, and clean documentation show that oversight occurred, but they do not prove that privilege creep slowed or that unnecessary access was removed. A programme can therefore satisfy auditors while leaving the actual access landscape almost unchanged.
Q: What do security teams get wrong about access certifications?
A: They often treat a completed certification as a risk-reduction event rather than a control check. A review only shows that access was examined. It does not guarantee that excess access was revoked, that dormant accounts were closed, or that the identity estate is becoming less exposed.
Q: Who is accountable when governance passes audit but exposure stays high?
A: Accountability sits with the identity governance owner, the system owners who approve entitlements, and the security leadership that accepted audit completion as a success metric. Standards such as the NIST Cybersecurity Framework 2.0 expect governance outcomes to support resilience, not just documentation.
Technical breakdown
Audit validation versus exposure reduction
Audit validation checks whether governance controls were executed and whether evidence exists. Exposure reduction asks a different question: did the access landscape actually become safer? In practice, these two outcomes diverge when certification campaigns are treated as proof of security rather than proof of control operation. A completed review can show that someone looked at access, but it does not automatically mean toxic combinations were removed or standing privilege was reduced. The technical mistake is measuring process artefacts instead of entitlement change.
Practical implication: measure entitlement movement, not just review completion, if you want governance to reduce real risk.
Why certification metrics miss privilege accumulation
Certification completion, attestation timestamping, and documentation traceability are control evidence, not exposure metrics. They tell you whether a governance workflow ran, but not whether dormant accounts were removed, excessive entitlements were revoked, or high-risk combinations declined over time. This is why organisations can score well in audits while privilege creep continues in the background. The system is working as designed, but the design is oriented toward proof, not reduction. That gap is especially visible when access spans human users, service accounts, and shared operational identities.
Practical implication: add outcome metrics such as privilege removal rates, toxic combination counts, and dormant access reduction to governance reporting.
How audit-driven governance becomes a control architecture problem
The structural issue is architectural orientation. If the governance model is built around producing evidence, then the control stack will favour documentation quality over access contraction. That means reviews can be regular, clean, and well signed off while the underlying access footprint remains stable. The failure is not necessarily in execution discipline. It is in the fact that the programme never encoded exposure reduction as a primary control objective. In identity terms, the environment becomes easier to defend in a report than in reality.
Practical implication: redesign governance scorecards so evidence confirms control execution and exposure metrics confirm security improvement.
NHI Mgmt Group analysis
Audit success is not a proxy for identity risk reduction. Many governance programmes are built to prove that reviews happened, not that access exposure declined. That distinction matters because compliance evidence can be complete while privilege creep, dormant access, and toxic entitlements remain in place. The implication is straightforward: identity governance must be judged by entitlement outcomes, not by campaign hygiene alone.
Evidence-centric governance creates a false sense of maturity. When certification completion and attestation traceability become the primary success measures, the programme optimises for auditor satisfaction. That design can mask the fact that the access graph has not materially changed, especially across large human and non-human identity estates. Practitioners should treat clean audits as necessary control evidence, not as proof that risk is being reduced.
Exposure reduction is the missing control objective. The article exposes a common failure mode in identity governance: the programme measures process performance but not the shrinking of attack surface. In NIST Cybersecurity Framework 2.0 terms, identification and protection activities are present, but outcome verification is weak. The field needs to stop confusing review completion with governance effectiveness.
Privilege persistence is the real governance signal. If high-risk entitlements survive multiple review cycles, the organisation has a governance problem even when auditors report no findings. That is especially relevant in hybrid estates where human users, service accounts, and shared operational identities all accumulate access differently. The practitioner conclusion is that persistent privilege, not audit formality, should be the primary indicator of governance quality.
Identity governance must be measured as a lifecycle discipline. Access review is only one point in the lifecycle. Provisioning, change, recertification, and offboarding all shape whether exposure declines or simply gets re-documented. In an environment governed by NIST Cybersecurity Framework 2.0 and the NHI Lifecycle Management Guide, the question is whether the lifecycle actually removes excess access. Practitioners should redesign governance around lifecycle outcomes, not audit artefacts.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- In the same research, enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly one governance failure can repeat.
- That is why teams should use the NHI Lifecycle Management Guide to connect review cycles to rotation, offboarding, and entitlement reduction rather than treating audit evidence as the end state.
What this signals
Identity governance maturity is shifting from evidence management to exposure management. Teams that still report success through completion rates alone will miss the more important signal, which is whether access is actually shrinking. The practical test is simple: if you cannot show entitlement reduction, you do not yet have risk reduction.
Persistent access is becoming the clearest indicator of programme weakness. The organisations most exposed are not necessarily the ones with failed reviews, but the ones where reviews happen repeatedly without materially changing the access graph. That is where lifecycle controls, recertification design, and privileged access oversight need to be reconnected to operational outcomes.
With 72% of organisations already reporting or suspecting NHI compromise, the governance baseline is no longer theoretical. Even mature-looking programmes can hide unmanaged access unless they measure actual reduction across identities and lifecycles. Practitioners should expect more scrutiny of outcome-based controls, not just audit artefacts.
For practitioners
- Replace completion metrics with exposure metrics Track whether high-risk entitlements decline quarter over quarter, whether toxic combinations are removed, and whether dormant access is actually deprovisioned across the estate.
- Tie recertification to entitlement change Require each access review cycle to produce a measurable change in the access graph, such as revoked privileges, removed exceptions, or closed orphaned accounts.
- Measure privilege creep by identity type Separate reporting for human accounts, service accounts, and other non-human identities so hidden accumulation in one class does not get masked by good performance in another.
- Treat audit evidence as a control input Use certificates, attestations, and review artefacts to validate execution, then verify with downstream metrics that the review actually reduced exposure in production systems.
Key takeaways
- Identity governance can satisfy auditors while leaving access exposure materially unchanged.
- Completion metrics prove that reviews ran, but they do not prove that privilege creep was reduced.
- Practitioners need lifecycle and entitlement-outcome measures if they want governance to lower risk.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access governance is central to the article's gap between review and exposure reduction. |
| OWASP Non-Human Identity Top 10 | NHI-03 | The article's core issue is unmanaged persistence of excessive access across identities. |
| NIST SP 800-63 | Federation and lifecycle assurance help frame identity proofing and governance evidence. |
Map governance reporting to PR.AC-4 and verify that reviews reduce excess access, not just document it.
Key terms
- Identity governance effectiveness: The degree to which governance controls reduce actual access exposure, not just demonstrate that a review or approval process ran. Effective governance changes the entitlement state of the environment by removing unnecessary access, shrinking privilege creep, and limiting persistent risk across identities.
- Audit validation: Evidence that governance processes were executed according to expectation and can be demonstrated to an auditor. Audit validation confirms control operation, but it does not by itself prove that privileges declined, exposure shrank, or the environment became less risky.
- Exposure reduction: A measurable decrease in the amount of unnecessary, high-risk, or stale access present in an environment. In identity programmes, exposure reduction is shown by removed entitlements, closed dormant accounts, fewer toxic combinations, and less persistent privilege over time.
- Privilege creep: The gradual accumulation of access rights beyond what an identity needs to perform its current work. It often survives through repeated approvals, inherited roles, or weak offboarding, and it becomes a governance problem when review cycles record it without actually reducing it.
What's in the full article
OpenIAM's full blog post covers the operational detail this post intentionally leaves for the source:
- How the article distinguishes certification evidence from measurable exposure reduction in enterprise IAM programmes
- The governance metrics OpenIAM says boards and auditors tend to accept, but which do not show whether access risk is actually falling
- Practical examples of where privilege accumulation persists even after completed access reviews
- The article's framing for moving from audit-driven governance to outcome-driven identity controls
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-03-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org