TL;DR: DSPM is becoming inseparable from identity governance, because data exposure now depends as much on who can reach information as on where it sits; Access Analyzer was named a Visionary in DSPM at the 2025 Global InfoSec Awards because it combines sensitive data discovery, access reporting, and automated remediation across cloud, on-premises, and hybrid environments, according to Netwrix.
NHIMG editorial — based on content published by Netwrix: Netwrix Named Visionary in DSPM at the 2025 Global InfoSec Awards
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should teams connect DSPM with identity governance?
A: Teams should connect DSPM with identity governance by mapping sensitive data to the identities, groups, roles, and tokens that can reach it.
Q: Why do data security programmes need identity-centric access reporting?
A: Because reports that only describe data do not prove whether access is justified.
Q: What breaks when access remediation is automated without ownership?
A: Automated remediation breaks when ownership, rollback, and exception handling are not defined.
Practitioner guidance
- Join data classification to entitlement mapping Build a workflow that links each sensitive dataset to the identities, groups, and tokens that can reach it.
- Use identity-centric reporting for recertification Require reports that show who has access to what and why, then route them into access review and certification processes.
- Scope automation to reversible entitlement changes Limit automated remediation to permissions that can be safely rolled back and tied to explicit ownership.
What's in the full analysis
Netwrix's full blog covers the product-specific detail this post intentionally leaves for the source:
- The named capabilities behind Access Analyzer's sensitive data discovery and access analytics workflow.
- The product-specific way Netwrix describes self-service access requests and data-owner approval.
- The vendor's explanation of how automated remediation is triggered and what identity signals it uses.
- The award context and implementation framing behind the DSPM recognition.
👉 Read Netwrix's analysis of identity-aware DSPM and access governance →
DSPM and identity-centric access control: what IAM teams need to know?
Explore further
Identity-aware DSPM is now a governance requirement, not a reporting feature. Data discovery by itself does not answer the question that matters to practitioners: which identities can actually reach sensitive information, and why. In hybrid estates, that access path is often spread across roles, groups, service accounts, and delegated approvals. The implication is that data security posture and identity posture must be governed as one control problem, not two separate programmes.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why identity-centric reporting remains a governance gap, not a reporting nicety.
A question worth separating out:
Q: Should organisations treat DSPM as part of IAM or data security?
A: Organisations should treat DSPM as part of both, because sensitive data exposure depends on identity paths as much as data location. If IAM and DSPM stay separate, teams can classify data accurately while leaving excessive access untouched. The operational answer is one control model across access, classification, and review.
👉 Read our full editorial: DSPM visibility and identity-aware access control for sensitive data