
IT governance and identity control: what teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Tighter oversight, clearer accountability, and continuous access control now underpin IT governance as digital operations, compliance demands, and security risk converge, according to Zluri’s 2026 best-practices article. The underlying shift is that governance models built for static, human-paced IT no longer fit modern access patterns or identity sprawl.

NHIMG editorial — based on content published by Zluri: 8 IT governance best practices in 2026

By the numbers:

Questions worth separating out

Q: How should security teams connect IT governance to identity governance?

A: They should map governance objectives to identity controls such as approvals, reviews, revocation, and ownership.

Q: Why do access reviews fail when discovery is incomplete?

A: Access reviews fail because teams can only certify what they can see.

Q: How do organisations know whether IT governance is actually working?

A: They should look for measurable evidence: current inventories, completed certifications, revocation records, and audit-ready changelogs.

Practitioner guidance

  • Define governance as an identity control system. Map each governance objective to a specific identity control such as approval routing, entitlement review, or revocation authority.
  • Tie access certification to discovery coverage. Verify that every application, service account, and privileged role in scope is discoverable before review cycles begin.
  • Link approvals to lifecycle context. Require approvers to see joiner-mover-leaver events, prior entitlement history, and current ownership before they approve or modify access.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step descriptions of the eight governance practices and how Zluri frames each one in implementation terms
  • Detailed walkthroughs of approval workflows, changelog handling, and access certification features
  • Product-specific examples showing how the platform positions discovery, remediation, and access reviews
  • Customer-facing adoption and demo context that helps teams evaluate the vendor’s operational workflow

👉 Read Zluri's best practices guide on IT governance in 2026 →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Identity governance is now the operating layer of IT governance, not a downstream admin function. The article treats governance as a business discipline, but the controls it depends on are identity controls: approval chains, access certification, entitlement scope, and audit evidence. Once software access drives operational risk, the governance model lives or dies by how well it manages identities rather than by how elegantly it writes policy. Practitioners should treat IT governance and identity governance as one control system with different reporting layers.

A few things that frame the scale:

  • 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to The 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.

A question worth separating out:

Q: Who should be accountable when access decisions go wrong?

A: Accountability should sit with the named approver, control owner, and governance function that had decision authority at the time. Shared responsibility is not the same as unclear responsibility. If no one can be tied to the approval, recertification, or revocation step, the programme has a governance gap rather than a process issue.

👉 Read our full editorial: IT governance best practices in 2026 need identity-first control



   