TL;DR: Graph-based identity models help organisations map relationships between identities, permissions, systems, and facilities for faster access analysis, role mining, and toxic-role detection, according to Gathid. The governance shift is less about visualisation and more about making complex entitlement paths reviewable before they turn into compliance and security failures.
NHIMG editorial — based on content published by Gathid: graph technology for identity governance and access analysis
Questions worth separating out
Q: How should identity teams use graph technology in access governance?
A: Identity teams should use graph technology to expose how access is inherited, shared, and combined across systems.
Q: Why do toxic role combinations matter in IAM programmes?
A: Toxic role combinations matter because they create access states that violate separation of duties or the principle of least privilege.
Q: How can security teams tell if role mining is actually improving governance?
A: Role mining is working when it reduces exceptions, lowers reviewer effort, and produces roles that match how people actually work.
Practitioner guidance
- Inventory identity relationship sources: Identify every authoritative source that contributes identities, entitlements, group memberships, and system relationships, including legacy and air-gapped environments.
- Model inherited access paths: Trace how permissions flow through roles, groups, applications, and system dependencies so reviewers can see the full path, not only the final entitlement.
- Target toxic role combinations first: Prioritise roles that combine sensitive data access, administrative reach, and separation-of-duties conflicts.
What's in the full article
Gathid's full article covers the operational detail this post intentionally leaves for the source:
- How the Identity Graph models air-gapped, on-premise, cloud, and operational technology access in one structure
- The specific ways graph analysis supports 360° relationship queries and entity-level zoom for investigations
- Examples of how graph-driven role mining can sharpen RBAC and ABAC policy updates as systems change
- How toxic role combinations are surfaced and used to drive remediation and compliance reporting
👉 Read Gathid's analysis of graph technology for identity governance and access analysis →
Identity graphs and toxic roles: what IAM teams need to know
Explore further
Identity governance has become a relationship problem, not a record-keeping problem. The central failure in many programmes is not that identities are unknown, but that their access paths are fragmented across systems that cannot be reasoned over together. Graph technology matters because it turns disconnected entitlement records into a queryable structure. Practitioners should treat relationship visibility as the prerequisite for every downstream governance decision.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which shows how thin identity governance confidence remains in practice.
A question worth separating out:
Q: What should organisations do before building a graph-based identity model?
A: Organisations should first inventory all authoritative identity and access sources, including legacy applications, cloud platforms, and operational systems. They should then define which relationships matter for governance, such as group membership, inherited entitlements, and role dependencies. A graph without trusted source coverage will simply reproduce existing blind spots in a more elegant form.
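The practitioner guidance above (inventory relationship sources, model inherited access paths, target toxic role combinations) and this answer describe the same workflow. The following is an added illustration written for this editorial; it is not Gathid's Identity Graph code, and the node naming scheme (`user:`, `group:`, `role:`, `ent:` prefixes), the edge list and the separation-of-duties rule are constructed sample data. It builds a small directed graph from those edges, traces every path from an identity to the entitlements it inherits (tolerating a nested-group cycle, a common data-quality defect in real directories), and reports any separation-of-duties conflict together with the path that explains each side of it, so a reviewer sees the full chain rather than only the final entitlement.

```python
"""Toy identity graph: trace inherited access paths and flag toxic
entitlement combinations.  Added example with constructed data; not Gathid's
Identity Graph implementation."""
from collections import defaultdict
from typing import Dict, List, Tuple

Edge = Tuple[str, str, str]  # (source node, relation, target node)

# Constructed sample edges.  Node prefixes are an assumption of this example.
EDGES: List[Edge] = [
    ("user:alice", "member_of", "group:finance"),
    ("user:alice", "member_of", "group:it-ops"),
    ("user:bob", "member_of", "group:finance"),
    ("group:finance", "assigned", "role:ap-clerk"),
    ("group:it-ops", "assigned", "role:erp-admin"),
    # Nested groups that form a cycle: the traversal must not loop on them.
    ("group:it-ops", "member_of", "group:ops-all"),
    ("group:ops-all", "member_of", "group:it-ops"),
    ("group:ops-all", "assigned", "role:ticket-reader"),
    ("role:ap-clerk", "grants", "ent:erp.create_vendor"),
    ("role:erp-admin", "grants", "ent:erp.approve_payment"),
    ("role:erp-admin", "grants", "ent:erp.admin"),
    ("role:ticket-reader", "grants", "ent:itsm.read_tickets"),
]

# Separation-of-duties rules (constructed): entitlement pairs that no single
# identity may hold at the same time.
SOD_RULES: Dict[str, Tuple[str, str]] = {
    "vendor-create-and-pay": ("ent:erp.create_vendor", "ent:erp.approve_payment"),
}


def build_graph(edges: List[Edge]) -> Dict[str, List[Tuple[str, str]]]:
    """Adjacency list: node -> [(relation, neighbour), ...]."""
    graph: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def access_paths(graph: Dict[str, List[Tuple[str, str]]],
                 identity: str) -> List[List[str]]:
    """Every path from `identity` to an entitlement node, as a node list."""
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node.startswith("ent:"):          # leaf: an effective entitlement
            paths.append(path)
            return
        for _rel, nxt in graph.get(node, []):
            if nxt in path:                   # skip cycles (nested group loops)
                continue
            walk(nxt, path + [nxt])

    walk(identity, [identity])
    return paths


def effective_entitlements(graph, identity: str) -> Dict[str, List[List[str]]]:
    """Entitlement -> all inheritance paths that grant it to `identity`."""
    by_ent: Dict[str, List[List[str]]] = defaultdict(list)
    for path in access_paths(graph, identity):
        by_ent[path[-1]].append(path)
    return dict(by_ent)


def toxic_combinations(graph, identity: str,
                       rules: Dict[str, Tuple[str, str]] = SOD_RULES) -> List[dict]:
    """Separation-of-duties violations for `identity`, with explaining paths."""
    held = effective_entitlements(graph, identity)
    findings = []
    for name, (a, b) in rules.items():
        if a in held and b in held:
            findings.append({"identity": identity, "rule": name,
                             "paths": [held[a][0], held[b][0]]})
    return findings


def format_path(path: List[str]) -> str:
    return " -> ".join(path)


if __name__ == "__main__":
    g = build_graph(EDGES)
    for who in ("user:alice", "user:bob"):
        print(f"{who} access paths:")
        for p in access_paths(g, who):
            print("  " + format_path(p))
        for finding in toxic_combinations(g, who):
            print(f"  TOXIC [{finding['rule']}]:")
            for p in finding["paths"]:
                print("    via " + format_path(p))
```

The explaining paths are what make a finding reviewable: instead of "alice holds two conflicting entitlements", the reviewer sees that one side arrives through `group:finance` and the other through `group:it-ops`, which points directly at the membership to remove.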
👉 Read our full editorial: Graph technology is reshaping identity governance visibility and access analysis