TL;DR: Access reviews, segregation of duties, privileged access visibility, and offboarding all depend on mapping every account to a real owner, because connector-based approaches miss legacy systems and non-standard schemas, according to Hydden. The governance failure is not missing tooling but incomplete identity resolution, which leaves critical decisions built on partial data.
NHIMG editorial — based on content published by Hydden: AI-driven identity mapping and access governance
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams handle account-to-owner mapping across legacy systems?
A: Security teams should treat account-to-owner mapping as a governance control, not a one-time data cleanup exercise.
Q: Why do access reviews fail when accounts are not mapped to people?
A: Access reviews fail because reviewers can only certify what they can identify.
Q: What do organisations get wrong about connector-based identity governance?
A: They assume a predefined connector can describe every application in the same way.
Practitioner guidance
- Audit unresolved accounts as a governance defect Inventory every application that still produces orphaned, misattributed, or manually maintained account mappings.
- Test mapping flexibility against legacy and non-standard schemas Validate whether your platform can pull identity-relevant metadata from SQL databases, ERP systems, and in-house tools without custom scripts for each edge case.
- Require explainable correlation for high-risk entitlements For privileged accounts, shared accounts, and accounts involved in SoD conflicts, document why the system resolved ownership the way it did.
What's in the full article
Hydden's full post covers the operational detail this analysis intentionally leaves for the source:
- Specific examples of how the Universal Collector discovers identity-relevant fields across non-standard applications.
- The field-by-field mapping logic used for systems such as Workday, Entra ID, SAP, Tableau, ServiceNow, and Oracle.
- The mechanics of AI-driven correlation across account names, employee IDs, and legacy naming conventions.
- The deployment pattern for keeping the identity graph updated as accounts are created, changed, and deactivated.
👉 Read Hydden's analysis of AI-driven identity mapping for access governance →
Identity mapping gaps: what they mean for access reviews and SoD?
Explore further
Incomplete identity resolution is a governance failure, not a coverage metric. If an organisation cannot map every account to a real owner, access reviews, SoD analysis, PAM governance, and offboarding all run on partial truth. That means the control framework can appear operational while still missing the accounts that matter most. Practitioners should treat unresolved mapping as a first-class governance defect, not a data-quality footnote.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when offboarding misses accounts outside the directory?
A: Accountability remains with the identity and application owners, not the process itself. If offboarding only revokes what is already known, the programme has accepted incomplete ownership data as a limit. The practical answer is to define who owns unresolved account exceptions and require closure before a leaver is considered complete.
👉 Read our full editorial: AI-driven identity mapping exposes gaps in access governance