
Incremental sync and stale identity data: are your reviews current?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: Incremental sync replaces hourly full-state pulls with event-driven updates so identity data reflects changes faster, reducing stale access views and improving governance decisions, according to ConductorOne. The core issue is not sync speed alone, but whether reviews, approvals, and least-privilege controls are still being based on reality instead of lagging snapshots.

NHIMG editorial — based on content published by ConductorOne: Incremental Sync: How C1 Keeps Identity Data Fresh in Real Time

By the numbers:

Questions worth separating out

Q: How should security teams reduce stale identity data in access reviews?

A: Security teams should tie review and approval decisions to data freshness, not just to system ownership.

Q: Why does sync lag create risk for NHI governance?

A: Sync lag extends the time that service accounts, API keys, and other non-human identities can appear valid after their real state has changed.

Q: What breaks when access changes are only captured on a schedule?

A: Scheduled-only capture creates a mismatch between real access and governed access.

Practitioner guidance

  • Set freshness thresholds for governance decisions: define the maximum acceptable lag between a source-system change and its appearance in the governance platform.
  • Prioritise event-capable connectors for high-change systems: use event feeds, audit logs, or change notifications for directories, SaaS apps, and NHI platforms that change frequently.
  • Reconcile stale access before review cycles close: run targeted checks for memberships, entitlements, and service account permissions that changed since the last sync window.

What's in the full article

ConductorOne's full blog covers the operational detail this post intentionally leaves for the source:

  • Connector behaviour across upstream services such as Okta and Google Workspace
  • How event feeds and audit logs are consumed to detect specific identity changes
  • The operational difference between full-state polling and change-based sync
  • Why the connector model matters for faster access review decisions

👉 Read ConductorOne's explanation of incremental sync for identity governance →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1125
 

Freshness is a governance control, not a back-end optimisation. Incremental sync matters because identity decisions are only as trustworthy as the state they observe. If the governance layer is still seeing hourly snapshots while access changes are happening continuously, the programme is certifying yesterday's reality. Practitioners should treat stale identity visibility as control failure, not mere operational latency.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing how slowly remediation can lag behind exposure.

A question worth separating out:

Q: How do organisations know whether incremental sync is working?

A: Look for shorter entitlement lag, fewer review exceptions caused by stale records, and faster reflection of joiner-mover-leaver events in the governance platform. If access changes are still taking a full cycle to appear, the sync model is not supporting real-time governance even if the connector is technically functioning.

👉 Read our full editorial: Incremental sync and real-time identity governance: what changes now

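The checks discussed in the practitioner guidance of the opening post (freshness thresholds, reconciling access that changed since the last sync window) and in the reply's question about how to tell whether incremental sync is working (entitlement lag), as one added worked example. This is not code from either post or from ConductorOne. It assumes a source event feed of grant/revoke changes with source-system timestamps and a governance view that keeps a per-record last-refresh time; the identities, entitlements, timestamps and the 30-second connector delay are constructed for illustration.

```python
"""Freshness, reconciliation and entitlement-lag checks for identity governance data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean

UTC = timezone.utc


@dataclass(frozen=True)
class SourceEvent:
    """A change recorded by the source system (directory, SaaS app, NHI platform)."""
    identity: str        # service account, API key id, user, ...
    entitlement: str     # group, role or permission
    action: str          # "grant" or "revoke"
    at: datetime         # source-system timestamp of the change


@dataclass(frozen=True)
class GovernanceRecord:
    """An entitlement as the governance platform currently holds it."""
    identity: str
    entitlement: str
    observed_at: datetime   # when this record was last refreshed from its source


def current_access(events):
    """Fold the source event stream into the set of live (identity, entitlement) pairs."""
    live = set()
    for ev in sorted(events, key=lambda e: e.at):
        key = (ev.identity, ev.entitlement)
        if ev.action == "grant":
            live.add(key)
        elif ev.action == "revoke":
            live.discard(key)
        else:
            raise ValueError(f"unknown action {ev.action!r}")
    return live


def stale_records(records, now, max_lag):
    """Governance records refreshed longer ago than the freshness threshold allows."""
    return [r for r in records if now - r.observed_at > max_lag]


def reconcile(events, records, since):
    """Compare source reality with the governance view for anything that changed after `since`.

    'missing'  = live in the source but absent from the governance view
    'orphaned' = revoked in the source but still present in the governance view
    """
    changed = {(e.identity, e.entitlement) for e in events if e.at > since}
    live = current_access(events)
    seen = {(r.identity, r.entitlement) for r in records}
    return {
        "missing": sorted(k for k in changed if k in live and k not in seen),
        "orphaned": sorted(k for k in changed if k not in live and k in seen),
    }


def next_poll(at, interval, epoch):
    """First full-state poll (on a fixed schedule anchored at `epoch`) that occurs after `at`."""
    polls_elapsed = (at - epoch) // interval
    return epoch + (polls_elapsed + 1) * interval


def lag_seconds(events, observe):
    """Entitlement lag per event under an observation model; returns (max, mean) in seconds."""
    lags = [(observe(e.at) - e.at).total_seconds() for e in events]
    return max(lags), mean(lags)


# --- constructed sample data (not real identities or systems) ---
EPOCH = datetime(2024, 1, 1, 0, 0, tzinfo=UTC)   # the last hourly full-state poll ran here
LAST_SYNC = EPOCH
NOW = EPOCH + timedelta(minutes=55)
MAX_LAG = timedelta(hours=1)                      # assumed freshness threshold for review decisions

SAMPLE_EVENTS = [
    SourceEvent("api-key-7", "read-only", "grant", EPOCH - timedelta(hours=3)),
    SourceEvent("svc-billing", "admin-role", "grant", EPOCH - timedelta(hours=2)),
    SourceEvent("svc-etl", "prod-db-writer", "grant", EPOCH + timedelta(minutes=42)),
    SourceEvent("svc-billing", "admin-role", "revoke", EPOCH + timedelta(minutes=50)),
]
SAMPLE_RECORDS = [
    GovernanceRecord("api-key-7", "read-only", EPOCH),
    GovernanceRecord("svc-billing", "admin-role", EPOCH),            # revoked since, still shown
    GovernanceRecord("legacy-bot", "ci-runner", EPOCH - timedelta(hours=6)),  # connector silent for 6h
]


def hourly_observer(at):
    """Hourly full-state polling: a change is first seen at the next poll."""
    return next_poll(at, timedelta(hours=1), EPOCH)


def incremental_observer(at, delay=timedelta(seconds=30)):
    """Event-driven sync: a change is seen after an assumed connector delay."""
    return at + delay


if __name__ == "__main__":
    print("stale:", [(r.identity, r.entitlement) for r in stale_records(SAMPLE_RECORDS, NOW, MAX_LAG)])
    print("reconcile:", reconcile(SAMPLE_EVENTS, SAMPLE_RECORDS, LAST_SYNC))
    print("hourly lag (max, mean):", lag_seconds(SAMPLE_EVENTS, hourly_observer))
    print("incremental lag (max, mean):", lag_seconds(SAMPLE_EVENTS, incremental_observer))
```

The reconciliation output is what a reviewer needs before a cycle closes: the `svc-etl` grant is live in the source but invisible to the governance view, and the `svc-billing` admin role would still be certified even though it was revoked. The lag numbers show why the reply's metric matters: on an hourly schedule the same events average well over half an hour of lag, while an event-driven connector is bounded by its own processing delay.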