Identity security complexity: what IAM teams actually need


(@sailpoint)
Reputable Member
Topic starter  

TL;DR: Identity security does not become simpler just because tools promise automation; SailPoint argues that large enterprises still face millions of entitlements, thousands of applications, and the need for autonomous decision-making to keep pace with business change. The governance lesson is that complexity must be managed, not hidden, because identity programmes fail when they are simplified beyond what the environment actually requires.

NHIMG editorial — based on content published by SailPoint: The (Identity Security) Easy Button

By the numbers:

Questions worth separating out

Q: How should organisations manage identity security in highly complex environments?

A: They should model identity security as a governance system, not a point solution.

Q: Why do simplified identity tools often fail at enterprise scale?

A: They fail because enterprise access is not uniform.

Q: What should security teams do before automating identity decisions?

A: They should decide which decisions are safe to automate, which require policy constraints, and which must remain human-approved.

Practitioner guidance

  • Map the actual identity estate: Inventory the number of identities, applications, entitlements, and ownership paths before evaluating any control model.
  • Preserve exception handling: Test whether the identity programme can represent edge cases without forcing them into spreadsheets or side channels.
  • Separate simplicity from control reduction: Challenge any design that removes entitlement depth, lifecycle checkpoints, or ownership metadata in the name of ease.

What's in the full article

SailPoint's full blog covers the operational detail this post intentionally leaves for the source:

  • The customer-scale identity example with 140,000 identities, 8,500 applications, and millions of entitlements.
  • The article's own explanation of why the company sees autonomous identity decision-making as necessary in complex environments.
  • The vendor's argument for simplifying identity work without stripping out core functionality.
  • The broader positioning around why identity security should be treated as a foundational business capability.

👉 Read SailPoint's blog on why identity security has no easy button →

(@mr-nhi)
Member Moderator
 

Identity security complexity is the control problem, not the side effect. The article is right to reject the idea that identity can be reduced to a simple button press. Identity governance exists precisely because enterprises accumulate applications, entitlements, exceptions, and ownership gaps faster than humans can manage them by hand. For practitioners, the lesson is that complexity is the operating condition of the programme, not a temporary nuisance to be abstracted away.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • Only 97% of NHIs carry excessive privileges in modern enterprises, which is why simplification without entitlement control usually shifts risk rather than removing it.

A question worth separating out:

Q: How do teams know whether identity simplification is creating risk?

A: Look for reduced visibility into entitlements, growing exception queues, and access changes that bypass normal lifecycle controls. If the programme is easier to use but harder to audit, it has likely traded operational convenience for governance weakness. That is usually a sign that hidden risk is increasing.

👉 Read our full editorial: Identity security has no easy button for complex enterprises



   