TL;DR: Modern identity security is shifting from compliance theatre to active defense, with passwordless, governance, and identity posture themes running through the resource hub, according to RSA Security. The signal for practitioners is that identity programmes need operational controls, not just policy coverage.
NHIMG editorial — based on content published by RSA Security: From Compliance Theater to Active Defense
Questions worth separating out
Q: How should IAM teams tell the difference between identity governance and compliance theatre?
A: IAM teams should look for evidence that controls change access outcomes, not just that policies exist.
Q: Why do passwordless programmes still need lifecycle governance?
A: Passwordless removes dependence on reusable passwords, but it does not solve ownership, recovery, recertification, or offboarding.
Q: What breaks when identity posture management is not tied to remediation?
A: The programme becomes a visibility engine rather than a control mechanism.
Practitioner guidance
- Measure identity controls by access change, not documentation volume Review whether passwordless, governance, and posture tools actually change who can authenticate, what can be accessed, and when access is revoked.
- Tie lifecycle events to control actions Link joiner, mover, leaver events, recertification outcomes, and ownership changes to automated entitlement updates, offboarding, or escalation paths.
- Define ownership for every non-human identity Assign a named owner for service accounts, tokens, and delegated access, then require review cadence and offboarding triggers for each.
What's in the full article
RSA Security's full report hub covers the operational detail this post intentionally leaves for the source:
- Specific coverage of passwordless deployments and identity security use cases across different environments.
- Additional resource pages on governance and lifecycle topics that translate identity strategy into operating practice.
- Case-study material showing how enterprises are applying RSA identity capabilities in real programmes.
- The broader resource catalogue for practitioners who want adjacent identity topics beyond this editorial summary.
👉 Read RSA Security’s identity reports on compliance, passwordless, and governance →
RSA Security identity reports: what active defense changes for IAM?
Explore further
Compliance theatre is the failure mode this kind of identity messaging exposes. When identity programmes emphasise policy coverage, certification activity, or feature adoption without demonstrating access change, the organisation may be managing evidence rather than risk. That gap is visible across human identity, NHI governance, and lifecycle operations. Practitioners should judge identity maturity by whether controls alter runtime access, not by whether the programme can produce a clean narrative.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- That same research found that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and a further 47% reporting only partial visibility.
A question worth separating out:
Q: How should security teams govern non-human identities alongside human access?
A: They should assign ownership, review cadence, and offboarding triggers by identity type. Service accounts, tokens, and delegated access need lifecycle discipline just as human access does, but the controls must reflect how each identity is created, used, and retired. Governance fails when NHI access is left outside the same operational accountability model.
👉 Read our full editorial: RSA Security’s identity reports frame compliance as active defense