IAM hygiene and recertification backlogs: what teams need to fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: IAM programmes still struggle with orphaned accounts, static permission models, and slow recertification cycles, while one CSS Insurance case study cited by Nexis shows role-based governance reducing recertification from five months to eight weeks. The lesson is that governance velocity now matters as much as governance coverage, especially where identities and entitlements keep changing.

NHIMG editorial — based on content published by Nexis: NEXIS Impulse, July 8, 2025

Questions worth separating out

Q: How should IAM teams reduce recertification backlogs without weakening governance?

A: They should reduce campaign scope, improve entitlement data quality, and remove roles that no longer match real access patterns.

Q: Why do static role models create governance problems in IAM programmes?

A: Static role models create problems when they stop reflecting how people and systems actually use access.

Q: How do organisations know if their access review process is actually working?

A: They should look for shorter campaign duration, fewer unresolved exceptions, cleaner ownership data, and a smaller volume of stale entitlements after each cycle.

Practitioner guidance

  • Rebuild role models around actual access usage: map high-churn entitlements back to business functions and remove role fragments that exist only to satisfy historical exceptions.
  • Shorten certification scope before shortening certification windows: reduce the number of entitlements per campaign by splitting high-risk application sets, stale permissions, and low-value access into separate review tracks.
  • Normalise ownership for every connected system: require an accountable owner, a review cadence, and a revocation path for each application and entitlement source.

What's in the full analysis

Nexis's full article covers the operational detail this post intentionally leaves for the source:

  • The CSS Insurance implementation context behind the 3,300-role model and what changed in practice during recertification.
  • The webinar agendas on integrated IAM and GRC, including how compliance and audit readiness are presented to practitioners.
  • The step-by-step IAM hygiene advice on orphaned accounts, Excel replacement, and explainable AI support for recertification.
  • The SaaS versus on-premises positioning with the deployment trade-offs Nexis uses for evaluation.

👉 Read Nexis's July 2025 issue on IAM hygiene, governance, and deployment choices →
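A way to produce the evidence the three guidance points above ask for (grants a role carries that no member uses, one-person exception roles, entitlements with no accountable owner), as an added example that is not Nexis's or NHIMG's code. The role model, memberships, owner table and access log are constructed, and the 90-day usage window and single-member threshold are assumed starting points.

```python
"""Role-drift report for scoping a recertification campaign (added example; constructed data)."""
from datetime import datetime, timedelta
ROLES = {  # constructed role model: role -> entitlements it grants
    "claims-adjuster": {"claims.read", "claims.write", "legacy-ftp.upload"},
    "finance-analyst": {"ledger.read", "ledger.export"},
    "ops-exception-2019": {"ledger.export", "hr.read"},  # one-person historical exception
}
MEMBERS = {  # constructed memberships: role -> identities holding it
    "claims-adjuster": {"alice", "bob"},
    "finance-analyst": {"carol", "erin"},
    "ops-exception-2019": {"dave"},
}
OWNERS = {"claims": "claims-it", "ledger": "finance-it"}  # accountable owner per application prefix
ACCESS_LOG = [  # constructed (user, entitlement, ISO timestamp) records
    ("alice", "claims.read", "2025-06-30T09:00:00"),
    ("bob", "claims.write", "2025-06-28T14:12:00"),
    ("carol", "ledger.read", "2025-07-01T08:30:00"),
    ("carol", "ledger.export", "2024-11-02T10:00:00"),  # outside a 90-day window
    ("dave", "hr.read", "2025-07-02T11:45:00"),
]

def last_use(log):
    """Most recent observed use per (user, entitlement) pair."""
    seen = {}
    for user, ent, ts in log:
        t = datetime.fromisoformat(ts)
        if (user, ent) not in seen or t > seen[(user, ent)]:
            seen[(user, ent)] = t
    return seen

def stale_entitlements(roles, members, log, now, window_days=90):
    """Per role, entitlements no member used inside the window: role-drift candidates."""
    seen = last_use(log)
    cutoff = datetime.fromisoformat(now) - timedelta(days=window_days)
    stale = {}
    for role, ents in roles.items():
        users = members.get(role, set())
        unused = {e for e in ents
                  if not any((u, e) in seen and seen[(u, e)] > cutoff for u in users)}
        if unused:
            stale[role] = unused
    return stale

def fragment_roles(members, max_members=1):
    """Roles held by at most max_members identities: likely exception artefacts."""
    return {r for r, m in members.items() if len(m) <= max_members}

def unowned_entitlements(roles, owners):
    """Entitlements whose application prefix has no accountable owner on record."""
    return {e for ents in roles.values() for e in ents if e.split(".", 1)[0] not in owners}
```

Each returned set is a candidate list for its own review track, not an automatic revocation; the stale-entitlement count after each cycle is one of the "is the review working" signals the post lists.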
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

IAM governance fails when role models become a substitute for live access intelligence. The CSS example shows what happens when organisations try to govern a dynamic environment with a static entitlement structure. A role model can improve transparency, but only if it stays aligned with actual access patterns and system semantics. Practitioners should treat role drift as a governance defect, not just a maintenance issue.

A few things that frame the scale:

A question worth separating out:

Q: What should security teams do when IAM governance spans human and machine identities?

A: They should apply the same lifecycle discipline to both populations while preserving identity-specific review logic. That means ownership, offboarding, recertification, and entitlement scope must be defined consistently, even if the workflow steps differ between people and non-human identities.

👉 Read our full editorial: IAM hygiene and recertification backlogs are still slowing governance