TL;DR: A French public-sector identity governance project won two Cas d'Or 2026 awards for Cyber Governance and Risk Management and Public Sector after centralising identities, automating provisioning, and tightening auditability, according to Netwrix. The signal is that IGA is now a strategic control layer for complex identity populations, not a back-office admin task.
NHIMG editorial — based on content published by Netwrix: A double win at the Cas d'Or 2026: what identity governance success looks like in the public sector
By the numbers:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
Questions worth separating out
A: They should use one governed identity record, one lifecycle process, and one approval model wherever possible.
Q: Why does role modelling matter more than ad hoc access grants in regulated environments?
A: Role modelling reduces entitlement sprawl by tying access to business function instead of individual exceptions.
Q: What breaks when joiner, mover, leaver processes are handled differently for technical accounts?
A: Governance breaks because access outlives the business condition that justified it.
Practitioner guidance
- Unify identity records across all subject types Create a single governed inventory for employees, contractors, service accounts, and other non-human identities so access decisions are made from one source of truth.
- Automate joiner, mover, leaver transitions Tie provisioning and deprovisioning to authoritative status changes so role changes and exits remove access without waiting for manual tickets.
- Replace ad hoc grants with business roles Model access around business function and recertify those roles instead of reviewing hundreds of isolated permissions that no reviewer can explain quickly.
What's in the full analysis
Netwrix's full article covers the implementation and award context this post intentionally leaves for the source:
- How the French public-sector project was structured end to end, including the deployment approach and partner delivery model
- Which operational controls and reporting features the public-sector organisation used to prove governance and compliance
- How the platform handled integration across Active Directory, ITSM, and ERP systems in a real environment
- Why the channel partner model mattered for procurement, rollout constraints, and user-population complexity
👉 Read Netwrix's analysis of the Cas d'Or public-sector identity governance win →
Public-sector IGA success: what identity teams should take from it?
Explore further
Public-sector IGA succeeds when it turns identity from an administrative queue into a governed control surface. The award signal here is not about ceremony. It is about a class of organisations proving that centralised lifecycle control, role logic, and audit-ready reporting can keep pace with fragmented estates and strict oversight. For identity leaders, the lesson is that IGA earns budget when it reduces both operational friction and compliance exposure.
A few things that frame the scale:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs.
A question worth separating out:
Q: Who is accountable when access review and lifecycle ownership are split across teams?
A: Accountability usually becomes ambiguous, which is why access reviews drift into box-ticking. Ownership must sit with the business or system authority that can answer why access exists and when it should be removed. Frameworks such as the NIST Cybersecurity Framework 2.0 support that governance discipline by making accountability explicit across protect and govern activities.
👉 Read our full editorial: Public-sector identity governance shows why IGA now carries more weight