Notifications
Clear all
Topic starter
07/06/2026 8:40 pm
TL;DR: Identity maturity is failing as a destination model because teams cannot scale identity security without discovery, hygiene, contextual governance, and just-in-time privilege, according to ConductorOne. In an AI-native environment, access decisions are continuous, and programs built on static roles and manual review cycles fall behind faster than they can adapt.
NHIMG editorial — based on content published by ConductorOne: Identity Maturity in 2026: How the Best Teams Move Forward
Questions worth separating out
Q: How should security teams build identity maturity without over-automating too early?
A: Start with discovery and hygiene.
Q: Why does standing privilege still create so much identity risk?
A: Standing privilege keeps elevated access available long after the work that justified it has ended.
Q: What do teams get wrong about zero standing privilege?
A: They treat it as a feature rather than a maturity shift.
Practitioner guidance
- Inventory every identity class Map employees, vendors, service accounts, workload credentials, and AI agents into one authoritative discovery process so access can be measured rather than inferred.
- Remove stale access before automating reviews Clean unused permissions, orphaned identities, and outdated role assignments first, then automate certification only after the identity baseline is trustworthy.
- Convert standing privilege into task-scoped elevation Use just-in-time access for privileged work so elevated rights exist only for the duration of the task and do not persist as idle entitlement.
What's in the full article
ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:
- Stage-by-stage identity maturity model with practical examples from discovery through autonomous identity.
- How the vendor frames trust, automation, and governance as the programme progresses.
- The specific maturity signals the article uses to judge whether a team is ready for just-in-time access.
- The article's own progression model for moving from manual identity work to continuous enforcement.
👉 Read ConductorOne's guide to identity maturity in 2026 →
Identity maturity in 2026: are your controls keeping up?
Explore further
08/06/2026 8:18 am
Identity maturity is now an operating model problem, not a tooling problem. The article is right to reject the idea that maturity is a destination. In practice, immature identity programmes fail because they do not create a repeatable way to discover, clean, govern, and retire access across every identity type. That is a governance design issue, not a product-selection issue. Practitioners should treat maturity as a lifecycle discipline that has to survive scale, sprawl, and AI adoption.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which explains why maturity programmes stall at discovery before they reach governance.
A question worth separating out:
Q: How should IAM teams govern AI agents as identity programmes mature?
A: Treat AI agents as identities that need discovery, entitlement boundaries, and continuous oversight. They do not wait for ticket queues or static review cadences, so governance has to adapt to runtime behaviour. The practical test is whether the programme can control access at machine speed without relying on manual approval loops.
👉 Read our full editorial: Identity maturity in 2026 is becoming an operating model
