Notifications
Clear all
Topic starter
25/06/2026 10:30 pm
TL;DR: Identity and access challenges are increasingly cross-domain, spanning mobile, privileged, vendor, and access compliance use cases, according to Imprivata, as Imprivata Connect and the Mobile Access Management User Briefing point to a familiar enterprise problem. The practical issue is not the event format itself, but the unresolved governance gap across identity programmes.
NHIMG editorial — here’s why we think this discussion matters
Questions worth separating out
Q: How should security teams govern mobile access, privileged access, and vendor access together?
A: Treat them as one identity governance problem with different risk classes.
Q: Why do access programmes fail when they focus only on authentication?
A: Because authentication proves a login happened, not that access was appropriate, limited, and removed on time.
Practitioner guidance
- Map every access path to a lifecycle owner Identify who approves, reviews, and revokes access for mobile users, privileged users, and third parties.
- Separate privileged access policy from standard access policy Keep the approval thresholds, session controls, and review cadence for privileged access distinct from ordinary enterprise access.
- Build offboarding evidence into the access process Require proof that access was removed after the need ended, not just proof that it was granted.
What to expect at the briefing
Imprivata's full event page covers the briefing format and product context this post intentionally leaves at a higher level:
- The specific user briefing format and how Imprivata positions the session for attendees.
- The access and mobility context behind the event listing, including the related product area.
- The surrounding event navigation and resource pages that frame the briefing within Imprivata's access portfolio.
👉 Read Imprivata's Mobile Access Management User Briefing page →
Identity and access briefings: what practitioners still miss?
Explore further
25/06/2026 11:03 pm
Identity programmes still fail when they are organised around access events instead of access lifecycles. Briefings like this reflect a broader industry problem: organisations have too many control points and too little governance continuity. The gap is not visibility alone, but the absence of one operating model for grant, review, escalation, and removal across access types. Practitioners should treat access governance as a lifecycle discipline, not an authentication project.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how weak identity inventory remains across machine access.
A question worth separating out:
Q: Who is accountable when third-party access remains active after the engagement ends?
A: The business owner, access owner, and third-party sponsor all share accountability, but the identity programme must make that accountability visible. If offboarding is not built into the access lifecycle, vendors can retain access long after their work ends. That is a governance failure, not a technical edge case.
👉 Read our full editorial: Identity and access briefing format still leaves practitioner gaps
