TL;DR: Identity hygiene fails when access reviews, group governance, ownership and rotation are treated as separate tasks rather than a daily discipline, according to SPHERE podcast highlights with JetBlue’s Angie Woodruff. The operational lesson is that AI will amplify messy identity data unless human and non-human access foundations are cleaned first.
NHIMG editorial — based on content published by SPHERE: Smells Like Identity Hygiene podcast highlights with JetBlue's Angie Woodruff
Questions worth separating out
Q: How should teams reduce identity hygiene risk across human and non-human accounts?
A: Start by cleaning the identity foundation (group structure, ownership records and review scope) before layering new controls or automation on top of it.
Q: Why do orphaned service accounts create so much governance risk?
A: Orphaned service accounts are dangerous because they keep privileges without an accountable owner.
Q: How do you know if identity hygiene controls are actually working?
A: Look for evidence that access is becoming easier to explain and harder to accumulate unnoticed: each entitlement traces to a named owner and a business reason, effective access can be read without unwinding nested groups, and reviews remove stale access rather than rubber-stamp it.
Practitioner guidance
- Map and collapse nested groups: inventory deeply nested Active Directory and application groups, then remove the inheritance patterns that obscure effective access.
- Assign named owners to every non-human account: require a human owner for each service account, bot and script, and tie that ownership to review, rotation and retirement obligations.
- Expand access reviews beyond SOX-only scope: move certifications from a narrow compliance subset to the full application estate where business access actually lives.
What's in the full article
SPHERE Technology Solutions' full post covers the operational detail this post intentionally leaves for the source:
- How JetBlue operationalised access reviews across employees and contractors without overwhelming business users
- How the team approached group cleanup, ownership assignment and admin access practices in day-to-day governance
- How AI was being positioned after identity data and ownership foundations were stabilised
- How the organisation expanded review coverage from SOX applications toward broader application governance
👉 Read SPHERE Technology Solutions' podcast highlights on JetBlue identity hygiene →
Identity hygiene at scale: what IAM teams need to operationalise
Explore further
Identity hygiene is not a cleanliness exercise; it is the operating model for trust. The article reinforces a basic truth of modern IAM: access quality determines control quality. When groups are nested, ownership is vague and reviews are incomplete, governance becomes performative rather than protective. The practitioner conclusion is simple: if the identity data is dirty, every downstream control inherits that weakness.
A few things that frame the scale:
- The average organisation believes more than 1 in 5 of its non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the same report.
A question worth separating out:
Q: What should organisations do before using AI to automate identity governance?
A: They should verify that the underlying identity data is accurate, current and complete. AI cannot correct broken ownership records or stale entitlement structures, and it will often accelerate bad governance if those inputs remain dirty. The right sequence is data cleanup first, automation second.
👉 Read our full editorial: Identity hygiene at scale depends on ownership, reviews and clean data