TL;DR: As organisations add more applications, distributed teams and non-human identities, ConductorOne argues that manual reviews and static policies no longer scale, while industry analysts forecast AI identities will outnumber human users 25:1. The governance problem is not just volume, but whether identity programmes can keep up without collapsing into bottlenecks and inconsistent decisions.
NHIMG editorial — based on content published by ConductorOne: From Manual to Intelligent: Using AI to Mature Your IGA Program
By the numbers:
- Industry analysts predict that AI identities will soon outnumber human users 25:1.
Questions worth separating out
Q: How should security teams use AI in identity governance without losing control?
A: Use AI to accelerate review, enrich requests, and surface risk, but keep policy ownership and final accountability explicit.
Q: Why do manual access reviews stop working as identity estates grow?
A: Manual reviews depend on human time, consistent judgement, and stable queues.
Q: How can organisations tell whether contextual access decisions are improving governance?
A: Look for fewer routine exceptions, faster certification cycles, clearer audit trails, and reduced reviewer fatigue.
Practitioner guidance
- Separate policy automation from policy ownership. Document which decisions the AI may recommend, which it may execute, and which remain human-only.
- Map review queues to identity type and risk. Segment access reviews for employees, service accounts, and AI agents so high-volume non-human identities do not consume the same review workflow as human entitlements.
- Validate contextual inputs before they influence decisions. Check that requestor metadata, login risk, entitlement sensitivity, and approver availability are accurate, current, and authorised for use in governance decisions.
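The three points above can be expressed as one fail-closed routing gate. This is an added sketch, not code from ConductorOne or its products; the autonomy table, signal freshness limits, and all function and field names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy: the most the AI may do per (identity type, sensitivity).
# "execute" = act alone, "recommend" = suggest to a human, "human_only" = no AI role.
AUTONOMY = {
    ("employee", "low"): "execute",
    ("employee", "high"): "recommend",
    ("service_account", "low"): "recommend",
    ("service_account", "high"): "human_only",
    ("ai_agent", "low"): "recommend",
    ("ai_agent", "high"): "human_only",
}
# Contextual inputs authorised for governance use, with a maximum age (assumed values).
APPROVED_SIGNALS = {
    "requestor_metadata": timedelta(days=1),
    "login_risk": timedelta(minutes=15),
    "entitlement_sensitivity": timedelta(days=30),
    "approver_availability": timedelta(hours=1),
}

@dataclass
class Signal:
    name: str
    value: str
    observed_at: datetime

def usable_signals(signals, now):
    """Split signals into usable values and rejections (with reason) for the audit trail."""
    ok, rejected = {}, []
    for s in signals:
        max_age = APPROVED_SIGNALS.get(s.name)
        if max_age is None:
            rejected.append((s.name, "not authorised"))
        elif now - s.observed_at > max_age:
            rejected.append((s.name, "stale"))
        else:
            ok[s.name] = s.value
    return ok, rejected

def route(identity_type, signals, now):
    """Return (queue, ai_role, rejected); unknown or unverifiable cases fail closed."""
    ok, rejected = usable_signals(signals, now)
    sensitivity = ok.get("entitlement_sensitivity")
    role = AUTONOMY.get((identity_type, sensitivity), "human_only")
    # A missing or non-low login-risk signal downgrades execution to a recommendation.
    if role == "execute" and ok.get("login_risk") != "low":
        role = "recommend"
    return f"{identity_type}:{sensitivity or 'unverified'}", role, rejected
```

The rejected list is returned rather than dropped so that each decision records which inputs were excluded and why.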
What's in the full article
ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:
- How Thomas automates request approval, denial, and routing decisions under policy
- How Copilot recommends access adjustments using request history and risk factors
- How MCP-connected signals influence governance decisions in real workflows
- How the helpdesk integration turns submitted tickets into processed access requests
AI-assisted IGA governance: are manual reviews still viable?
Explore further
AI-assisted IGA only works when the governance model is explicit about what the machine is deciding. If an AI system is approving, denying, recommending, or routing access, the control boundary has moved from workflow acceleration into delegated governance. That creates accountability questions for evidence, override paths, and policy drift. Practitioners should treat the AI as part of the decision chain, not as a productivity overlay.
A few things that frame the scale:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often governance programmes lack basic coverage before automation enters the picture.
A question worth separating out:
Q: What is the difference between AI-assisted governance and full governance automation?
A: AI-assisted governance helps people make better decisions, while full automation lets the system decide or act without a human in the loop. The difference matters because accountability, escalation paths, and evidence requirements change once the machine moves from recommendation to execution. Teams should be precise about that boundary.