TL;DR: Gartner’s 2025 Hype Cycle for Cyber-Risk Management places continuous controls monitoring as a high-impact innovation that can reduce manual control assurance and help teams prioritise remediation across complex application environments, according to Gartner and Pathlock. The signal for identity and governance teams is that control verification is shifting from periodic review to continuous evidence, which changes how risk, compliance, and operational accountability are managed.
NHIMG editorial, based on content published by Pathlock about its inclusion in Gartner’s 2025 Cyber-Risk Management Hype Cycle as a Sample Vendor for Continuous Controls Monitoring.
By the numbers:
- CCM is projected to achieve mainstream adoption within 5 to 10 years.
Questions worth separating out
Q: How should organisations decide where to use continuous controls monitoring first?
A: Start with controls that can fail silently and create immediate business exposure, such as privileged access, segregation of duties, approval workflows, and transaction exceptions.
Q: Why do periodic audits miss control failures in enterprise applications?
A: Periodic audits often sample a small slice of activity after the fact, so they can miss control drift, transient exceptions, and repeated failures that occur between review cycles.
Q: What do security and audit teams get wrong about control assurance?
A: They often confuse documented control ownership with proven control operation.
Practitioner guidance
- Identify the controls that need continuous verification: start with controls whose failure would change business risk quickly, such as segregation of duties, privileged access, and exception approvals in ERP and SaaS platforms.
- Instrument the systems that create control evidence: connect identity, workflow, and transaction data so control effectiveness can be measured from live operational signals rather than spreadsheet-based attestations.
- Separate control existence from control effectiveness: review your current audit packs and mark which controls are only evidenced by process completion.
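As an added illustration of the three steps above (example code written for this post, not Pathlock's or Gartner's, and not a description of any product), a small monitor evaluates segregation of duties, privileged-access grants and exception approvals against a constructed stream of identity, workflow and transaction events, and pairs each control's documented owner with its observed operation. Role names, control ids, owners, the approval threshold and every event record are assumptions.

```python
from collections import defaultdict

PRIVILEGED_ROLES = {"SAP_ADMIN", "ORACLE_DBA"}   # assumed role names
EXCEPTION_THRESHOLD = 50_000                     # assumed second-approval threshold

# Documented ownership: the "control exists" evidence an audit pack usually holds.
CONTROL_OWNERS = {
    "SOD-no-self-approval": "finance-controls@example.com",
    "PRIV-grant-needs-ticket": "iam-team@example.com",
    "EXC-large-txn-second-approval": "treasury@example.com",
}

# Constructed sample stream: identity grants, transactions, exception approvals.
EVENTS = [
    {"type": "grant", "user": "alice", "role": "SAP_ADMIN", "ticket": "CHG-101"},
    {"type": "grant", "user": "bob", "role": "SAP_ADMIN", "ticket": None},
    {"type": "grant", "user": "carol", "role": "AP_CLERK", "ticket": None},
    {"type": "txn", "id": "PAY-1", "created_by": "carol", "approved_by": "dave", "amount": 2_000},
    {"type": "txn", "id": "PAY-2", "created_by": "carol", "approved_by": "carol", "amount": 500},
    {"type": "txn", "id": "PAY-3", "created_by": "erin", "approved_by": "dave", "amount": 75_000},
    {"type": "exception", "txn": "PAY-3", "approver": "frank"},
]


def evaluate_controls(events):
    """Return {control_id: [finding, ...]} derived from live events, not attestations."""
    findings = defaultdict(list)
    exceptions = {e["txn"] for e in events if e["type"] == "exception"}
    for e in events:
        if e["type"] == "grant" and e["role"] in PRIVILEGED_ROLES and not e["ticket"]:
            findings["PRIV-grant-needs-ticket"].append(f"{e['user']} granted {e['role']} without change ticket")
        elif e["type"] == "txn":
            if e["created_by"] == e["approved_by"]:  # same person created and approved
                findings["SOD-no-self-approval"].append(f"{e['id']} self-approved by {e['created_by']}")
            if e["amount"] > EXCEPTION_THRESHOLD and e["id"] not in exceptions:
                findings["EXC-large-txn-second-approval"].append(f"{e['id']} ({e['amount']}) lacks exception approval")
    return dict(findings)


def assurance_report(events):
    """Pair each control's documented owner (existence) with its observed operation (effectiveness)."""
    findings = evaluate_controls(events)
    return {cid: {"owner": owner, "effective": cid not in findings, "findings": findings.get(cid, [])}
            for cid, owner in CONTROL_OWNERS.items()}


if __name__ == "__main__":
    for cid, r in assurance_report(EVENTS).items():
        print(f"{cid:32} owner={r['owner']:30} {'EFFECTIVE' if r['effective'] else 'FAILED'}")
        for f in r["findings"]:
            print(f"    - {f}")
```

In the sample, both owned controls SOD-no-self-approval and PRIV-grant-needs-ticket report failures while EXC-large-txn-second-approval is effective, which is the distinction between a documented owner and a control that is actually operating.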
What's in the full analysis
Pathlock's full post covers the operational detail this post intentionally leaves for the source:
- How the CCM capability is positioned across SAP, Oracle, Workday, and other enterprise application environments
- The specific control-assurance and compliance use cases Pathlock links to real-time visibility
- The Gartner Hype Cycle context and wording around mainstream adoption timing
- Pathlock's own description of how it quantifies risk for remediation prioritisation