Adaptive identity for AI agents: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: Static privileges no longer match dynamic enterprise behavior, and access review models now have to contend with faster, more fluid identity decisions, according to SailPoint. The company argues that enterprises need an adaptive identity model that unifies identity, data, and security context across humans, agents, and applications, with just-in-time access and in-line response as core capabilities.

NHIMG editorial — based on content published by SailPoint: The future of security is adaptive identity

Questions worth separating out

Q: How should security teams govern access when identity decisions need to change in real time?

A: They should move high-risk access into a continuous authorization model where identity, data sensitivity, and security signals are evaluated together.

Q: Why do adaptive identity models matter for NHI and agent governance?

A: Because non-human identities and AI agents often need access that is shorter-lived, more context-dependent, and more operationally sensitive than human access.

Q: What breaks when organisations rely only on periodic access reviews?

A: Periodic reviews miss access that changes between certification windows, which leaves risk hidden until after the fact.

Practitioner guidance

  • Map access decisions to identity, data, and security context: Identify where entitlement approvals still ignore data sensitivity or active risk signals, then place those signals into the same decision path for high-impact systems.
  • Separate shared policy from actor-specific lifecycle controls: Use one governance policy layer for humans, NHIs, and agents, but keep distinct certification, offboarding, and privilege review rules for each actor type.
  • Shift sensitive access to time-bound, continuously evaluated workflows: Prioritise just-in-time access for privileged and data-sensitive entitlements, then tie revocation to session context rather than periodic review dates.

What's in the full article

SailPoint's full blog covers the operational detail this post intentionally leaves for the source:

  • Platform architecture details for Atlas, the control plane, and the real-time layer
  • The vendor's breakdown of just-in-time access variants, including policy-driven and real-time models
  • Examples of how the platform ties identity events to investigative and remediation workflows
  • The product-specific explanation of Agent Identity Security and privilege risk modelling

👉 Read SailPoint's analysis of adaptive identity and AI agent governance →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990
 

Adaptive identity is a response to access volatility, not a replacement for governance fundamentals. The article correctly identifies that static privilege models struggle when application estates, users, and digital workers change faster than review cycles. That does not make governance less important. It makes identity context more central to every access decision, from provisioning through response. For practitioners, the lesson is to treat adaptive behaviour as an operating model change, not a tooling slogan.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% reporting only partial visibility, according to the State of Non-Human Identity Security.
  • Only 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months.

A question worth separating out:

Q: Which frameworks help teams align identity governance with dynamic access control?

A: NIST Cybersecurity Framework 2.0 and Zero Trust Architecture both support the shift from static entitlements toward continuous verification and risk-aware access. For identity-heavy programmes, that means mapping governance, detection, and response into one operating model rather than handling them as separate workstreams. The practical goal is to make access decisions more adaptive without losing accountability.

👉 Read our full editorial: Adaptive identity and AI agent governance are colliding



   