TL;DR: Access reviews, segregation of duties, privileged access visibility, and offboarding all depend on mapping every account to a real owner, because connector-based approaches miss legacy systems and non-standard schemas, according to Hydden. The governance failure is not missing tooling but incomplete identity resolution, which leaves critical decisions built on partial data.
NHIMG editorial — based on content published by Hydden: AI-driven identity mapping and access governance
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams handle account-to-owner mapping across legacy systems?
A: Security teams should treat account-to-owner mapping as a governance control, not a one-time data cleanup exercise.
Q: Why do access reviews fail when accounts are not mapped to people?
A: Access reviews fail because reviewers can only certify what they can identify.
Q: What do organisations get wrong about connector-based identity governance?
A: They assume a predefined connector can describe every application in the same way.
Practitioner guidance
- Audit unresolved accounts as a governance defect: inventory every application that still produces orphaned, misattributed, or manually maintained account mappings.
- Test mapping flexibility against legacy and non-standard schemas: validate whether your platform can pull identity-relevant metadata from SQL databases, ERP systems, and in-house tools without custom scripts for each edge case.
- Require explainable correlation for high-risk entitlements: for privileged accounts, shared accounts, and accounts involved in SoD conflicts, document why the system resolved ownership the way it did.
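A small illustration of the three points above, added here as example code (not Hydden's product or its logic) over constructed HR and account records with three different schemas: every ownership decision carries its evidence, accounts with no owner evidence surface as governance defects, and resolved accounts whose owner has left are flagged for offboarding.

```python
import re

# Constructed sample data (not from the article): an HR system of record, plus accounts from
# three systems whose schemas share no common field, so no single connector describes them all.
HR = [
    {"employee_id": "E1001", "email": "jane.doe@example.com", "first": "Jane", "last": "Doe", "status": "active"},
    {"employee_id": "E1002", "email": "raj.patel@example.com", "first": "Raj", "last": "Patel", "status": "terminated"},
]
ACCOUNTS = [
    {"system": "ERP", "account": "jdoe", "emp_no": "E1001"},      # carries an explicit employee-id field
    {"system": "Tableau", "account": "raj.patel@example.com"},    # login name is an e-mail address
    {"system": "LegacySQL", "account": "DOEJ01"},                  # legacy convention: SURNAME + initial + 2 digits
    {"system": "LegacySQL", "account": "svc_backup"},              # shared/service account with no owner evidence
]
LEGACY = re.compile(r"^([A-Z]+)([A-Z])\d{2}$")

def resolve_owner(acct, hr=HR):
    """Map one account to an HR employee_id; returns (owner_or_None, evidence string explaining why)."""
    if "emp_no" in acct:                                   # rule 1: explicit identifier (strongest evidence)
        hits = [e for e in hr if e["employee_id"] == acct["emp_no"]]
        if hits:
            return hits[0]["employee_id"], f"emp_no field equals HR employee_id {acct['emp_no']}"
        return None, f"emp_no {acct['emp_no']} not present in HR"
    if "@" in acct["account"]:                             # rule 2: e-mail login
        hits = [e for e in hr if e["email"].lower() == acct["account"].lower()]
        if hits:
            return hits[0]["employee_id"], "account name equals HR email address"
        return None, "e-mail login matches no HR record"
    m = LEGACY.match(acct["account"])                      # rule 3: legacy naming convention (weak evidence)
    if m:
        surname, initial = m.group(1), m.group(2)
        hits = [e for e in hr if e["last"].upper() == surname and e["first"][0].upper() == initial]
        if len(hits) == 1:
            return hits[0]["employee_id"], f"legacy pattern {surname}+{initial} matched exactly one employee"
        return None, f"legacy pattern matched {len(hits)} employees; ambiguous, needs manual review"
    return None, "no rule produced owner evidence"

def review_report(accounts=ACCOUNTS, hr=HR):
    """Governance view: resolved accounts with rationale, unresolved accounts as defects,
    and resolved accounts whose owner is terminated (an offboarding gap)."""
    status = {e["employee_id"]: e["status"] for e in hr}
    report = {"resolved": [], "unresolved": [], "owner_terminated": []}
    for a in accounts:
        owner, why = resolve_owner(a, hr)
        entry = {"system": a["system"], "account": a["account"], "owner": owner, "evidence": why}
        if owner is None:
            report["unresolved"].append(entry)
        else:
            report["resolved"].append(entry)
            if status[owner] == "terminated":
                report["owner_terminated"].append(entry)
    return report
```

In a real review the `evidence` string is what a certifier reads before approving an entitlement; an entry in `unresolved` is a finding, not a row to be quietly skipped.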
What's in the full article
Hydden's full post covers the operational detail this analysis intentionally leaves for the source:
- Specific examples of how the Universal Collector discovers identity-relevant fields across non-standard applications.
- The field-by-field mapping logic used for systems such as Workday, Entra ID, SAP, Tableau, ServiceNow, and Oracle.
- The mechanics of AI-driven correlation across account names, employee IDs, and legacy naming conventions.
- The deployment pattern for keeping the identity graph updated as accounts are created, changed, and deactivated.