
SOX access governance on June 18, 2026: what are teams missing?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1691
Topic starter

TL;DR: SOX in-scope access governance is becoming harder to execute consistently as environments expand, increasing audit scrutiny and compliance cost, according to Pathlock’s June 18, 2026 webinar with KPMG. The practical issue is not access policy alone, but whether identity controls still produce consistent evidence across systems and control owners.

NHIMG editorial — here’s why we think this discussion matters

By the numbers:

Questions worth separating out

Q: How should security teams run SOX access reviews across multiple in-scope systems?

A: Security teams should use one review standard for every in-scope system, with the same access categories, evidence requirements, and exception rules.

Q: Why do SOX access controls break down as environments get more complex?

A: They break down because governance often becomes inconsistent across platforms, owners, and account types.

Q: What do teams get wrong about non-human accounts in SOX governance?

A: Teams often treat service accounts and application identities as secondary to human access, even though they can carry the same or greater risk.

Practitioner guidance

  • Standardise SOX access review criteria: define one review standard for all in-scope systems, including role scoping, approval evidence, and exception handling.
  • Include non-human identities in the SOX control scope: map service accounts, shared admin accounts, and application identities into the same governance model used for human users.
  • Reconcile evidence quality before expanding tooling: check whether the current platform reduces manual exceptions, stale ownership, and duplicate approvals before rolling it out to more systems.

That shift pushes IAM, IGA, and PAM teams toward inventory discipline and tighter ownership rather than more review volume.

👉 Register for Pathlock's webinar on rethinking SOX identity and access management →

(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 226

SOX identity governance is becoming an evidence problem as much as a control problem. The webinar points to a familiar enterprise pattern: access control programmes may be funded and documented, yet still fail when environments expand faster than governance processes can normalise them. That means audit difficulty is not a side effect of growth, it is often the visible symptom of inconsistent identity evidence.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • A separate finding shows that 97% of NHIs carry excessive privileges, which is why access reviews that miss service identities create governance blind spots.

A question worth separating out:

Q: How can organisations tell whether SOX access governance is actually working?

A: Look for consistent review outcomes, clear ownership, and evidence that can be reconciled across all in-scope systems without manual cleanup. If the same control produces different answers depending on the platform, the programme is creating paperwork rather than assurance. Reliable SOX governance should be repeatable and auditable.

👉 Read our full editorial: SOX identity and access governance is under audit pressure
