Why traditional IGA breaks at scale in modern environments


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1681
Topic starter  

TL;DR: Traditional IGA programs fail when they try to govern cloud, SaaS, contractors, and machine access through one large transformation, because static roles and manual reviews age faster than the environment they are meant to control, according to RSA Security. The practical answer is phased governance focused on the highest-risk access first, not a single enterprise-wide redesign.

NHIMG editorial — here’s why we think this discussion matters

Questions worth separating out

Q: How should security teams implement phased IGA in environments with many NHIs?

A: Start with one high-risk application or identity population and prove visibility before expanding scope.

Q: Why do NHIs make traditional identity governance harder to sustain?

A: NHIs increase both the number of identities and the speed at which access changes.

Q: What breaks when identity reviews are too broad and infrequent?

A: Reviewers lose context, dormant access stays active, and the process turns into a completion exercise instead of a control.

Practitioner guidance

  • Implement phased governance around one high-risk domain: pick a single application, workload cluster, or access population with clear risk and measurable outcomes.
  • Prioritize the identities that expand blast radius: rank NHIs and human accounts by privilege scope, reuse, and downstream access to sensitive systems.
  • Replace broad review cycles with scoped access decisions: use shorter review loops for sensitive entitlements and tie each review to actual usage, ownership, and business need.

The more practical approach is to define a small number of high-value control points and prove them before scaling the programme across the rest of the estate.

👉 Read RSA Security's analysis of why traditional IGA breaks at scale →

(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 207
 

Big-bang identity governance is now a control-risk pattern, not a delivery preference. The article describes a recurring failure mode where programs try to solve everything at once and deliver nothing quickly enough to matter. That pattern is especially dangerous in environments with NHIs, because entitlement volume and change rate make delayed control value equivalent to no control value. Practitioners should treat large-bang governance as a risk indicator, not a maturity signal.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.

A question worth separating out:

Q: How should organisations respond when a major IGA program cannot be completed at once?

A: Treat that as a signal to redesign the rollout, not to expand the timeline. Narrow the use case, define a measurable control outcome, and move to the next scope only after the first one is stable. For many teams, the right response is to build a governance sequence that starts with visibility and ends with lifecycle automation.

👉 Read our full editorial: Traditional IGA breaks at scale in modern environments
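As an added worked example (not code from either post above, from NHIMG, or from RSA Security's analysis), the script below turns the two threads of advice into something runnable: the first post's guidance to rank identities by privilege scope, reuse and sensitive downstream access and to tie each scoped review to usage and ownership, and the second post's point that a phase needs a measurable control outcome, here the share of NHIs whose secrets are past the rotation window. The inventory, field names, weights and the 90-day thresholds are all assumptions chosen for illustration.

```python
"""Risk-ranked scoping for a phased IGA rollout.

Added example, not from the NHIMG posts or RSA Security. It scores an
identity inventory by blast radius, attaches the facts a scoped review
is decided on (usage, ownership, secret age), picks the first phase and
reports one measurable outcome. Field names, weights and thresholds are
assumptions; the inventory at the bottom is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed policy thresholds.
DORMANT_DAYS = 90      # no use in this window -> candidate for revocation
ROTATION_DAYS = 90     # secrets older than this count as unrotated
PRIV_WEIGHT = {"admin": 5, "write": 3, "read": 1}


@dataclass
class Identity:
    name: str
    kind: str                        # "nhi" or "human"
    owner: Optional[str]             # None = nobody accountable
    privilege: str                   # "admin" | "write" | "read"
    reuse_count: int                 # workloads/pipelines sharing the credential
    sensitive_targets: List[str]     # downstream sensitive systems it can reach
    last_used: Optional[date]
    secret_created: Optional[date]   # None for SSO-only human accounts


def blast_radius(i: Identity) -> int:
    """Privilege scope scaled by reuse, plus reach into sensitive systems."""
    return PRIV_WEIGHT[i.privilege] * (1 + i.reuse_count) + 4 * len(i.sensitive_targets)


def findings(i: Identity, today: date) -> List[str]:
    """Facts a scoped review is decided on: usage, ownership, secret age."""
    out = []
    if i.last_used is None or (today - i.last_used).days > DORMANT_DAYS:
        out.append("dormant")
    if i.owner is None:
        out.append("no-owner")
    if i.secret_created is not None and (today - i.secret_created).days > ROTATION_DAYS:
        out.append("unrotated")
    return out


def review_decision(i: Identity, today: date) -> str:
    """Short review loop: one decision per identity, driven by the findings."""
    f = findings(i, today)
    if "dormant" in f:
        return "revoke"
    if "no-owner" in f:
        return "assign-owner"
    if "unrotated" in f:
        return "rotate"
    return "certify"


def rank(inventory: List[Identity], today: date) -> List[Tuple[str, int, List[str]]]:
    """Highest blast radius first; ties broken by name for stable output."""
    rows = [(i.name, blast_radius(i), findings(i, today)) for i in inventory]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def first_phase(inventory: List[Identity], today: date, budget: int) -> List[str]:
    """The identities to govern first: the top `budget` by blast radius."""
    return [name for name, _, _ in rank(inventory, today)[:budget]]


def rotation_gap(inventory: List[Identity], today: date) -> float:
    """Share of NHIs with secrets older than ROTATION_DAYS: the phase's measurable outcome."""
    nhis = [i for i in inventory if i.kind == "nhi"]
    stale = [i for i in nhis if "unrotated" in findings(i, today)]
    return len(stale) / len(nhis) if nhis else 0.0


TODAY = date(2025, 6, 1)


def days_ago(n: int) -> date:
    return TODAY - timedelta(days=n)


# Constructed sample inventory (not real identities or systems).
INVENTORY = [
    Identity("ci-deploy-token", "nhi", "platform", "admin", 6, ["prod-k8s", "secrets-vault"], days_ago(1), days_ago(400)),
    Identity("legacy-etl-svc", "nhi", None, "write", 2, ["customer-db"], days_ago(200), days_ago(30)),
    Identity("alice", "human", "alice", "admin", 0, ["prod-k8s"], days_ago(3), None),
    Identity("metrics-reader", "nhi", "sre", "read", 1, [], days_ago(10), days_ago(20)),
    Identity("shared-api-key", "nhi", "partners", "write", 9, ["billing"], days_ago(2), days_ago(95)),
    Identity("bob-contractor", "human", "vendor-x", "write", 0, ["customer-db"], days_ago(120), None),
]

if __name__ == "__main__":
    for name, score, f in rank(INVENTORY, TODAY):
        print(f"{score:3d}  {name:16s} {','.join(f) or '-':22s} -> {review_decision(next(i for i in INVENTORY if i.name == name), TODAY)}")
    print("phase 1 scope:", first_phase(INVENTORY, TODAY, 2))
    print("NHI rotation gap:", rotation_gap(INVENTORY, TODAY))
```

Two design points follow the posts rather than any product: the score multiplies privilege by reuse because a credential shared by many pipelines is exactly the kind of access that expands blast radius, and the review decision is a function of observed usage and ownership rather than a reviewer's memory, which is what keeps a short review loop from degrading into a completion exercise. Real inventories would be fed from the secrets manager, cloud IAM and HR system rather than a literal list.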
