TL;DR: Least privilege is hard to sustain when identity teams cannot see how access is actually used across disparate systems, according to SailPoint. Activity data changes certification from guesswork into evidence, but the deeper issue is that access review programmes fail when usage telemetry is missing.
NHIMG editorial — based on content published by SailPoint: Improve security with the principle of least privilege
Questions worth separating out
Q: How should security teams make least privilege reviews evidence-based?
A: Security teams should tie access reviews to observed usage, not just role assignments or manager memory.
Q: Why do manual IGA processes struggle to maintain least privilege?
A: Manual IGA processes struggle because they usually cannot reconstruct effective access across multiple systems.
Q: What do identity teams get wrong about access creep?
A: Identity teams often treat access creep as a cleanup exercise when it is really a visibility problem.
Practitioner guidance
- Use activity evidence in every certification cycle: require reviewers to see actual usage patterns, not only entitlement ownership, before they approve retained access.
- Compare access use against peer baselines: use peer comparisons to identify identities whose access patterns diverge materially from similar roles.
- Consolidate usage visibility across systems: bring login and entitlement evidence into one operational view so managers can assess whether access is still needed.
What's in the full article
SailPoint's full blog covers the operational detail this post intentionally leaves for the source:
- How Activity Insights surfaces entitlement usage patterns inside the identity security cloud workflow
- How managers can compare access use against peers during certification decisions
- How AI and machine learning feed role recommendations, anomaly context, and risk scoring
- How activity evidence supports compliance demonstrations during access review
Read SailPoint's blog on improving least privilege with Activity Insights
Least privilege and activity insights: are your reviews evidence-based?
Explore further
Least privilege collapses when access reviews are built on entitlement assignment instead of observed use. The control assumption is that managers can judge necessity from role and request context alone. That assumption fails when identity activity is invisible across systems, because dormant access and truly required access look the same on paper. The implication is that certification programmes must be judged by evidence quality, not by how many access items they process.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- That same research found only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which shows how often confidence runs ahead of control maturity.
A question worth separating out:
Q: How can organisations reduce privileged access without hurting productivity?
A: Organisations can reduce privileged access safely by removing only access that is clearly unused or misaligned with the worker’s actual activity pattern. The key is to use peer comparison and activity evidence so reviewers avoid stripping legitimate access that supports real work. That keeps least privilege aligned with productivity.
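The practitioner guidance above (activity evidence in every cycle, peer baselines) and this answer describe one review pipeline; the following is an added worked example, not SailPoint's code or the Activity Insights product. The assignment and event records are constructed, and the 90-day window, 25% peer floor and the three verdicts are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the article). In practice ASSIGNMENTS comes from
# the IGA entitlement export and EVENTS from authentication/authorisation logs.
ASSIGNMENTS = [  # (user, role, entitlement)
    ("alice", "analyst", "crm-read"), ("alice", "analyst", "billing-admin"),
    ("bob", "analyst", "crm-read"), ("bob", "analyst", "billing-admin"),
    ("carol", "analyst", "crm-read"), ("carol", "analyst", "billing-admin"),
    ("dave", "analyst", "crm-read"), ("dave", "analyst", "billing-admin"),
    ("dave", "analyst", "prod-db-write"),  # held by nobody else in the role
]
EVENTS = [  # (user, entitlement, ISO timestamp): observed exercise of the entitlement
    ("alice", "crm-read", "2024-05-01T09:12:00"), ("bob", "crm-read", "2024-05-02T10:00:00"),
    ("carol", "crm-read", "2024-04-28T14:30:00"), ("dave", "crm-read", "2024-05-03T08:05:00"),
    ("alice", "billing-admin", "2024-04-30T11:00:00"), ("bob", "billing-admin", "2024-05-01T16:45:00"),
    ("carol", "billing-admin", "2024-01-10T09:00:00"),  # older than the review window
]
NOW = datetime.fromisoformat("2024-05-05T00:00:00")

def last_use(events, now, window_days=90):
    """Latest observed use per (user, entitlement) inside the review window."""
    cutoff = now - timedelta(days=window_days)
    seen = {}
    for user, ent, ts in events:
        t = datetime.fromisoformat(ts)
        if t >= cutoff:
            seen[(user, ent)] = max(seen.get((user, ent), t), t)
    return seen

def certification_evidence(assignments, events, now, window_days=90, peer_floor=0.25):
    """Map each (user, entitlement) to (verdict, last_used, peer_use_rate)."""
    used = last_use(events, now, window_days)
    members = defaultdict(set)  # role -> users in that role (the peer group)
    for user, role, _ in assignments:
        members[role].add(user)
    out = {}
    for user, role, ent in assignments:
        peers = members[role] - {user}
        # Peer baseline: share of role peers who exercised this entitlement in the window.
        rate = sum((p, ent) in used for p in peers) / len(peers) if peers else 0.0
        when = used.get((user, ent))
        if when is not None:
            verdict = "retain"            # evidence of real use: keep, cite last_used
        elif rate >= peer_floor:
            verdict = "review"            # dormant here but peers use it: ask, don't strip
        else:
            verdict = "revoke-candidate"  # unused by user and peers: clear access creep
        out[(user, ent)] = (verdict, when, round(rate, 2))
    return out
```

Run against the sample data, carol's stale billing-admin and dave's unused billing-admin land in "review" because peers exercise that entitlement, while dave's prod-db-write, used by nobody in the role, is the only revoke candidate.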
Read our full editorial: Least privilege needs activity data, not certification guesswork