
AI-driven identity governance: what it means for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Manual access reviews, spreadsheet-driven approvals, and delayed joiner-mover-leaver updates no longer scale across hybrid estates, and the article argues that AI and automation can reduce review cycles, surface anomalies, and keep governance closer to real time, according to SecurEnds. The deeper issue is that governance models built for quarterly checkpoints now collide with continuously changing identities and entitlements, so the control assumption itself is outdated.

NHIMG editorial — based on content published by SecurEnds: AI-driven identity governance and the shift from manual reviews to autonomous controls

Questions worth separating out

Q: How should security teams automate identity governance without losing control?

A: Start by automating the highest-volume, lowest-risk identity changes first, then keep human review for exceptions and policy breaches.

Q: Why do quarterly access reviews fail in modern enterprises?

A: Quarterly reviews fail because the entitlement picture changes long before the review cycle ends.

Q: What do teams get wrong about AI in identity governance?

A: Teams often assume AI can fix governance without improving the underlying data and policy model.

Practitioner guidance

  • Map where manual approvals still gate high-volume access changes. Identify the applications, roles, and identity populations that still depend on spreadsheet-based review or email approval.
  • Automate provisioning and deprovisioning around authoritative lifecycle events. Tie joiner, mover, and leaver events to HR, directory, and application sources so access changes happen from a single trusted trigger.
  • Separate low-risk auto-approval from exception handling. Define the criteria that allow routine requests to pass automatically, then require human review only when the request exceeds policy or risk thresholds.

What's in the full article

SecurEnds' full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step examples of how AI-assisted user access reviews are routed and closed.
  • Product-specific explanations of automated provisioning, deprovisioning, and dashboard workflows.
  • Details on role mining, risk analytics, and pre-built integrations across directory and SaaS systems.
  • The platform's own view of how autonomous governance is implemented in practice.

👉 Read SecurEnds' analysis of AI-driven identity governance and automation →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Manual IGA is no longer a scale model for modern identity estates. Quarterly reviews, spreadsheet reconciliation, and email-based approvals were designed for slower access change and smaller application sets. That assumption fails when enterprises manage thousands of users, vendors, bots, and cloud entitlements at once. The implication is that governance programmes must stop treating delay as a tolerable inconvenience and start treating it as a structural control defect.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to GitGuardian & CyberArk's research.

A question worth separating out:

Q: How do organisations know if autonomous governance is actually working?

A: Look for shorter decision cycles, fewer stale entitlements, and an audit trail that records every grant, revoke, and exception in real time. If the programme still relies on quarterly cleanup to find obvious drift, it is not autonomous governance. It is still manual governance with faster tooling.

👉 Read our full editorial: AI-driven identity governance exposes the limits of manual IGA



   